Compulsory Black-Box Traceable CP-ABE with Outsourcing of Computation

Abstract

As an asymmetric encryption method capable of performing one-to-many encryption, the ciphertext-policy attribute-based encryption (CP-ABE) is widely recognized as an ideal cryptographic tool for cloud-based applications. It can empower data owners to independently and flexibly define and enforce access control policies for cloud-stored data. However, the practical implementation of CP-ABE-based cryptographic access control remains hindered by critical challenges. Firstly, malicious users may engage in key abuse by delegating attribute keys to unauthorized parties or exploiting their keys to construct decryption black-boxes for providing illegal decryption services. Consequently, a secure CP-ABE scheme must incorporate the capability to trace such malicious users who misuse their privileges. Secondly, for resource-constrained IoT devices, the substantial computational overhead of CP-ABE becomes prohibitive, making its deployment in scenarios like IoT-cloud services particularly challenging. In this paper, we propose a new CP-ABE scheme with black-box traceability and computational outsourcing capabilities. Our scheme can improve the tracing efficiency from $O\left(N^3\right)$ or $O\left(rlogN\right)$ (as seen in traditional schemes) to $O\left(1\right)$, where N is the number of system users. Furthermore, the proposed scheme features compulsory traceability and maintains outstanding performance in the aspects of encryption, decryption, and tracing operations.

1. Introduction

In recent years, with the continuous integrated development of the Internet of Things (IoT) and cloud computing, research on related security issues has also been constantly updated and iterated. Among these studies, there is emerging research on encryption and decryption algorithms that utilize complex dynamic mechanisms to achieve efficient and secure protection of data in IoT environments—such as the three-dimensional memristive hyperchaotic mapping applicable to image encryption [1,2] and the parallel color image encryption algorithm based on neural mapping [3]. There are also ABE (Attribute-Based Encryption) algorithms used to control data access permissions within systems; these algorithms can play a role in various aspects and solve various security issues emerging in new application scenarios. Due to conflicts of interest or other reasons, a Cloud Service Provider (CSP) sometimes cannot be fully trusted by its customers. Kamara et al. [4] proposed applying cryptographic access control in cloud data management to deal with the problem. The main idea lies in encrypting sensitive data before uploading it to the cloud. By controlling the distribution of keys, the access control policies defined by the data owner can be implemented, so that, under the condition that the CSP is semi-trusted, user-autonomous access control can be realized. A semi-trusted CSP refers to a CSP that will honestly execute all operations but may snoop on users’ data. Kamara proposed leveraging one-to-many encryption mechanisms like Attribute-Based Encryption (ABE) to achieve fine-grained access control, thereby reducing key distribution costs to a manageable level. Among such mechanisms, ABE—with CP-ABE (Ciphertext-Policy Attribute-Based Encryption) in particular—is regarded as an ideal cryptographic tool for data sharing. In a CP-ABE system, each user is associated with a set of attributes. During encryption, an access control policy—defined based on these attributes—is embedded within the ciphertext. Only users whose attributes meet this access control policy can successfully decrypt the ciphertext to retrieve the plaintext. As a result, data owners need not concern themselves with users’ specific identities; instead, they only need to specify the type of individuals authorized to access the data. Thanks to these advantages, since Bethencourt introduced the first CP-ABE scheme [5], the development of CP-ABE schemes has remained a central focus in research on cryptographic access control.

White-box traceability and black-box traceability. However, there are still some obstacles in the practical application of CP-ABE. One of the major issues is privilege abuse, that is, malicious users may abuse their keys and access privileges, leak them to unauthorized users in the form of new keys, or construct a Decryption Black-box (DB) to provide illegal decryption service for profits while hiding their private keys. In traditional CP-ABE schemes, it is almost impossible to track or obtain evidence for these violations. To tackle the issue of privilege misuse, Li et al. [6] pioneered an accountable CP-ABE scheme. In this approach, user-specific information is embedded into the private key during the key generation phase, enabling the identification of malicious users who engage in unauthorized key sharing through analysis of the key itself. However, the challenge of tracing the builder of a database (DB) persisted until Liu et al. [7] introduced the first CP-ABE scheme with black-box traceability. In their work [7], Liu and colleagues defined the concept of traceability explicitly and categorized it into two types: white-box traceability and black-box traceability. Notably, the scheme presented in [6] falls under the category of white-box traceability. However, it is generally believed that only black-box traceable schemes can achieve complete traceability because black-box traceability implies white-box traceability. Although the scheme in [7] achieves black-box traceability, it can only track the key-like black-box and is unable to track the policy-specific black-box. Subsequently, Liu put forward a scheme [8] that can track policy-specific black-box. Nevertheless, both of these schemes exhibit inefficiencies in encryption and decryption. Moreover, the length of the ciphertext is correlated with the number of users. Therefore, Ning et al. [9] proposed a scheme with a fixed ciphertext length to prevent the ciphertext length from expanding with the number of users. Liu proposed a scheme based on prime-order bilinear groups, which greatly reduces the computational cost and makes the application of the black-box tracing algorithm practical.

These schemes, together with subsequent black-box traceable schemes, employ the same tracing algorithm framework. Within this framework, encryption operations must be executed $O\left(N^3\right)$ times during a single tracing process, where N denotes the number of users in the system. Encryption itself carries relatively high computational costs, as it requires frequent bilinear pairing operations and exponentiation operations. To address this, Qiao et al. [10] proposed marker tracing to develop an efficient and lightweight tracing algorithm. In their work [10], the number of encryption operations is reduced to $O\left(N\right)$ or even $O\left(1\right)$, and this approach has also been adopted in subsequent studies such as [11,12,13,14] for tracing purposes.

Computation outsourcing capability. Another obstacle faced by CP-ABE in practical applications is the computational overhead of conventional encryption and decryption. This issue is particularly prominent in emerging scenarios such as IoT, smart healthcare, and edge computing, and has also become a core motivation for driving relevant research. From the perspective of these application scenarios, a large number of terminal devices (e.g., sensors and smart wearable devices) are limited by hardware costs and power consumption design, and they generally feature weak computing capabilities and limited storage resources. For instance, the processor frequency of a temperature monitoring sensor is usually lower than 1 GHz, and its memory is only a few MB. However, as a relatively complex asymmetric cryptographic algorithm, CP-ABE involves multiple rounds of bilinear pairing operations and attribute set matching in its encryption and decryption processes. A single device may take hundreds of milliseconds or even seconds to complete the decryption of a single ciphertext, which makes it difficult to meet the requirements of real-time data collection (e.g., industrial equipment status monitoring) and low-latency control (e.g., smart home command response). Green et al. [15] put forward a new approach for secure decryption outsourcing. By adding a blinding factor to generate the transform key for the proxy, the proxy server can perform the majority of decryption computation; meanwhile, it cannot pry into the content of the ciphertext. The user only needs to perform a simple ElGamal-type decryption at last to obtain the plaintext. Most of the later research [16,17,18,19] also adopted similar methods in [15] to transform the major workloads to the proxy server.

To achieve computational outsourcing and black-box traceability simultaneously, Yu et al. [20] proposed an accountable CP-ABE scheme with the ability of computational outsourcing, it is white-box traceable as well as the scheme in [21,22]. As far as we know, only a very few CP-ABE schemes [14,23] can achieve both black-box traceability and computational outsourcing at the same time. Zhang et al. [23] first put forward the scheme that meets the two requirements. They add operations of a subset cover algorithm [24] into encryption and decryption to meet the requirements of revocation and traceability. However, in a subset cover algorithm, encryption operations must be performed for each user subset in every data encryption. In the worst case, the number of user subsets can reach $N/2$, so that the corresponding ciphertext also contains $N/2$ ciphertext blocks, where N is the number of users. Therefore, it incurs additional costly overhead for the system. Moreover, similarly to the scheme of [7], their tracing algorithm also needs to issue a series of inquiries to gradually locate a certain subset, and then divide this subset to find the traitor within it. The tracing process is rather inefficient. Yin et al. [14] adopt the method of [10] to trace the black-box efficiently. However, in their system, the tracing algorithm can achieve successful tracking only if it obtains both the final decryption result output by the black-box and an intermediate result, which is the partially decrypted ciphertext, output by the Cloud Auxiliary Server. Thus, if the black-box completes all the decryption on its own and only outputs the final decryption result, the system will be unable to track the black-box.

Our contribution. To apply the CP-ABE system securely in scenarios with limited computation resources, such as IoT cloud, it is necessary to realize a practical black-box traceable CP-ABE scheme with outsourcing of computation (OC-BTCP-ABE). So far, in the few existing OC-BTCP-ABE schemes, issues such as low encryption and decryption computational efficiency, poor scalability, or limitations in the tracing algorithm can be observed. This makes it difficult to implement these schemes in reality, especially for those IoT systems with a large number of users. To obtain a secure and efficient scheme, we have proposed a new OC-BTCP-ABE scheme with the following characteristics.

• High practicality: Our scheme is constructed based on prime-order groups rather than composite prime-order groups, and a concise architecture similar to that of [11] is adopted, which makes the scheme highly efficient in computational operations such as encryption and decryption. Moreover, the scheme overcomes the problem that the tracing efficiency drops rapidly with the increase in the number of system users. In our proposed scheme, the computational load of the tracing algorithm is $O\left(N\right)$, and its complexity can be further optimized to $O\left(1\right)$ in efficient tracing mode. Compared with the existing OC-BTCP-ABE schemes, our solution has significant advantages in encryption and tracing efficiency.
• Compulsory traceability: Our scheme possesses the compulsory traceability proposed in [10], which makes it impossible for the adversary to identify the tracing ciphertext, thus unable to counter the tracing. This ensures that the effectiveness of the tracing results cannot be compromised.

2. Background

In this section, we begin by providing background details on Linear Secret Sharing Schemes (LSSSs). Next, we outline the security definitions specific to OC-BTCP-ABE. Lastly, we formulate the formal descriptions of the decisional q-parallel Bilinear Diffie-Hellman Exponent (BDHE) assumption and bilinear groups.

2.1. Access Structure

An access structure $\mathbb{A}$ refers to a collection composed of sets of attributes. And $\mathbb{A}$ is a monotone collection, that is, $\forall B,C: if B\in \mathbb{A}$ and $B\subseteq C$ then $C\in \mathbb{A}$. The sets in $\mathbb{A}$ are authorized sets, and the sets not belonging to $\mathbb{A}$ are unauthorized sets. The formal definition of access structure is given in [25]. It should be noted that this monotone access structure can also implement a general access structure. In this case, it becomes necessary to create a “not” counterpart for each attribute, which in turn doubles the total number of attributes within the system.

2.2. Linear Secret Sharing Scheme (LSSS)

A LSSS, which is proposed in [25], is applied to implement the access structure of ciphertexts in our scheme.

Definition 1. 

(Linear Secret-Sharing Scheme (LSSS)) A secret-sharing scheme Π over a set of parties $\mathcal{P}$ is called linear (over ${\mathbb{Z}}_p$) if the following hold:

1. 

The shares for each party form a vector over ${\mathbb{Z}}_p$.

2. 

There exists a matrix an M with ℓ rows and n columns called the share-generating matrix for Π. For all $i=1,\dots ,\ell ,$ the function ρ maps the each row $M_i$ of M to an associated attribute $\rho \left(i\right)$. For a vector $v=(s,r_2,\dots ,r_n)$, where $s\in {\mathbb{Z}}_p$ is the secret to be shared, and $r_2,\dots ,r_n\in {\mathbb{Z}}_p$ are randomly chosen, $Mv$ is the vector of ℓ shares of the secret s according to Π. The share ${\lambda }_i={\left(Mv\right)}_i$ belongs to attribute $\rho \left(i\right)$.

It is shown in [25] that a share-generating matrix M can enjoy the linear reconstruction property. Suppose that there is a corresponding share-generating matrix M for an access structure $\mathbb{A}$. For an attribute set S, let $I_S=\left\{i\right|\rho \left(i\right)\in S\}$. For every set $S\in \mathbb{A}$, the “target” vector $(1,0,0,\dots ,0)$ must lie within the span of the rows indexed by $I_S$. Specifically, for any $S\in \mathbb{A}$, there exist constants ${\{{\omega }_i\in {\mathbb{Z}}_p\}}_{i\in I_S}$, that can be computed in polynomial time, such that for any set of shares ${\left\{{\lambda }_i\right\}}_{i\in I_S}$ corresponding to a secret s, the equation ${\sum }_{i\in I_S}{\omega }_i{\lambda }_i=s$ holds. Conversely, for any unauthorized set $S^{\prime }\notin \mathbb{A}$, the target vector $(1,0,0,\dots ,0)$ does not lie within the span of the rows indexed by $I_{S^{\prime }}$.

2.3. Bilinear Map

Assuming $\mathcal{G}$ denotes a bilinear group generator and taking a security parameter $\lambda$, $\mathcal{G}$ produces $(p,g,\mathbb{G},{\mathbb{G}}_T,e)$ as the output, $\mathbb{G}$ and ${\mathbb{G}}_T$ are two multiplicative cyclic groups of prime order p, where p is a big prime, and g is a generator of $\mathbb{G}$. e denotes a bilinear map $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$, and it has the following properties:

Let $\mathcal{G}$ represent a bilinear group generator. Given a security parameter $\lambda$, $\mathcal{G}$ outputs $(p,\mathbb{G},g,{\mathbb{G}}_T,e)$. Here, $\mathbb{G}$ and ${\mathbb{G}}_T$ are both multiplicative cyclic groups of prime order p, and g serves as a generator of $\mathcal{G}$. The symbol e denotes a bilinear map $e:\mathbb{G}\times \mathbb{G}\to \mathbb{G}$, which possesses the following properties:

• Computability: For any elements $u,v\in \mathbb{G}$, $e(u,v)$ is efficiently computable.
• Non-degeneracy: $e(g,g)\ne 1$.
• Bilinearity: For any elements $u,v\in \mathbb{G}$ and exponents $a,b\in {\mathbb{Z}}_p$, the property $e(u^a,v^b)=e{(u,v)}^{ab}$ holds.

The security of our proposed scheme relies on the decisional q-parallel BDHE assumption [26]. Due to space constraints, the formal definition of this assumption is not included herein.

2.4. OC-BTCP-ABE

An OC-BTCP-ABE construction functionality includes five algorithms: Setup, Encrypt, KeyGen, Transform and Decrypt.

• Setup$(U,\lambda )\to (PK,MK)$. This algorithm accepts security parameter $\lambda$ and the attribute universe U as inputs, and outputs the public parameter $PK$ and the master secret key $MK$.
• KeyGen$(MK,S)\to (TK,SK)$. The KeyGen algorithm takes the master key $MK$ as input and generates a transformation key $TK$ and a private key $SK$ according to the user’s attribute set S.
• Encrypt$(PK,\mathbb{A},M)\to \left(CT\right)$. This algorithm encrypts a message M using $PK$ under a specified access structure $\mathbb{A}$. It generates a ciphertext $CT$ that is decryptable only by users whose attribute sets satisfy the policy of $\mathbb{A}$.
• Transform$(CT,PK,TK)\to \left(C{T}^{\prime }\right)$. The Transform algorithm takes as input the ciphertext CT that was encrypted under $\mathbb{A}$, the public key $PK$ and the transformation key $TK$ according to the attribute set S. It outputs the partially decrypted ciphertext $C{T}^{\prime }$ if S satisfies $\mathbb{A}$, or it outputs ⊥.
• Decrypt$(C{T}^{\prime },SK)\to \left(M\right)$. The Decrypt algorithm decrypts the ciphertext $C{T}^{\prime }$ under the user’s secret key $SK$ and outputs the message M.

2.5. Security Model for OC-BTCP-ABE

Due to differences in structure from ordinary CP-ABE schemes, with the addition of public transformation keys and the requirement of going through two steps (transformation and decryption) during the decryption process, the security model for the OC-BTCP-ABE scheme also differs from that for ordinary CP-ABE schemes. This is typically characterized by a security game played between a challenger and the adversary $\mathcal{A}$.

Setup. The challenger performs Setup algorithm and sends the public parameter $PK$ to $\mathcal{A}$.

Phase 1. The challenger creates an empty table T, an empty set $KS$ and an index $i=0$. The adversary can adaptively make any of the following queries:

• $Create\left(S\right)$: The challenger sets $i:=i+1$, and performs KeyGen algorithms on the attribute set S. It outputs the pair $(SK,TK)$ and stores $(i,S,TK,SK)$ in table T. Then, it returns $TK$ to $\mathcal{A}$.
• $Corrupt\left(j\right)$: If the j-th entry exists in table T, the challenger gets the entry $(j,S,TK,SK)$, updates $KS$ as $KS:=KS\cup \left\{S\right\}$, and then returns the private key $SK$ to $\mathcal{A}$. In the absence of such an entry, it returns ⊥ instead.

Challenge. $\mathcal{A}$ chooses two messages $M_0,M_1$ of equal length and gives them to the challenger. In addition, $\mathcal{A}$ gives an access structure ${\mathbb{A}}^{*}$ such that none of the attribute sets S of $KS$ satisfy $\mathcal{A}$. The challenger flips a random coin to select $b\in \{0,1\}$. Subsequently, the challenger encrypts the message $M_b$ under the target access structure ${\mathbb{A}}^{*}$ and provides the resulting ciphertext to the adversary $\mathcal{A}$.

Phase 2. Phase 1 is repeated with the restriction that $\mathcal{A}$ cannot issue a Corrupt query that would result in an attribute sets S which satisfies ${\mathbb{A}}^{*}$.

Guess. Ultimately, the adversary $\mathcal{A}$ outputs a guess $b^{\prime }\in \{0,1\}$. The adversary $\mathcal{A}$ is deemed to win the game if $b^{\prime }=b$. Within this game, the advantage of $\mathcal{A}$ is defined as $Pr[b^{\prime }=b]-1/2$.

Definition 2. 

An OC-BTCP-ABE scheme is CPA secure (secure against chosen-plaintext attacks), if for any polynomial time adversary $\mathcal{A}$, the advantage is always negligible in the above game.

Note that a scheme is selectively secure if an Init stage is added before Setup where $\mathcal{A}$ submits structure ${\mathbb{A}}^{*}$ in advance. We will prove our construction secure under the selective security model.

2.6. Traceability for CP-ABE

The black-box traceability of CP-ABE refers to the ability to uniquely identify the user who created the black-box by analyzing the black-box’s output results, without being able to view the internal key of the black-box, and it should not incorrectly output a user who is not the creator. In contrast to the decryption black-boxes characterized as probabilistic devices in [7], we adopt a streamlined concept of the decryption black-box, as first proposed in [10]: A decryption black-box $\mathcal{D}$ linked to an attribute set $S_{\mathcal{D}}$ is capable of decrypting a ciphertext $CT$ and outputting the correct plaintext M if $S_{\mathcal{D}}$ satisfies the access structure of CT; otherwise, it returns ⊥. This formulation also simplifies the handling of collusion issues. Notably, when two malicious users collude to build a joint decryption black-box, ref. [10] shows that the decryption capability of this collusive device is no stronger than the sum of the individual decryption capabilities of the two separate black-boxes each user would construct independently. Therefore, we mainly consider the black-box independently constructed by a single malicious user.

When tracing, the tracing algorithm always needs to interact with the black-box. Similarly to all existing BT-CP-ABE schemes, in our work, the tracing algorithm functions by sending specific ciphertexts to the black-box and endeavoring to identify the black-box’s creator using the information it returns. To facilitate this, we propose an additional encryption algorithm designed to generate such special ciphertexts, whose decryption results can be leveraged to pinpoint the black-box’s creator. This algorithm is defined as follows:

• Encrypt${}_{Trace}(PK,\mathbb{A},M)\to (TCT,trap)$. This algorithm takes as input the message M, the access structure $\mathbb{A}$ and the public key $PK$. It outputs the tracing ciphertext $TCT$ that can be decrypted under the keys whose corresponding attributes satisfy $\mathbb{A}$. When the decryption result is returned, the $trap$ will be used to search for the private key used in decryption.

2.7. Security Model of Compulsory Traceability

To trace a black-box, it is necessary to analyze the correct decryption results of tracing ciphertexts. However, if the black-box is capable of distinguishing between normal ciphertexts and tracing ciphertexts, it might intentionally output incorrect decryption results for the latter in an attempt to evade tracing while maintaining the ability to correctly decrypt normal ciphertexts. Therefore, it must be ensured that no adversary can distinguish between tracing ciphertexts and normal ciphertexts. When this condition is met, we term it as Compulsory Traceability. The original definition is presented in [10] using a security game between a challenger and an adversary. The main design intuition of this game is that a user, even if his attribute sets satisfy the access policy of the ciphertext, still cannot distinguish whether the ciphertext is a tracing ciphertext or a normal one. Due to the differences from the ordinary CP-ABE structure, we present the security model description of Compulsory Traceability for the OC-BTCP-ABE scheme as follows:

Setup. The challenger executes the Setup algorithm and transmits the public parameter $PK$ to the adversary $\mathcal{A}$.

Phase 1. The challenger initializes an empty set $KS$, an empty table T, and sets an index $i=0$. The adversary $\mathcal{A}$ is then allowed to adaptively issue any of the following types of queries:

• $Create\left(S\right)$: The challenger sets $i:=i+1$, and performs KeyGen algorithms on the attribute set S. It outputs the pair $(SK,TK)$ and stores $(i,S,TK,SK)$ in table T. Then, it returns $TK$ to $\mathcal{A}$.
• $Corrupt\left(j\right)$: If the j-th entry exists in table T, the challenger gets the entry $(j,S,TK,SK)$, updates $KS$ as $KS:=KS\cup \left\{S\right\}$, and then returns the private key $SK$ to $\mathcal{A}$. In the absence of such an entry, it returns ⊥ instead.

Challenge. The adversary $\mathcal{A}$ submits a target access structure ${\mathbb{A}}^{*}$ to the challenger. The challenger first selects a message $M\in {\mathbb{G}}_T$ uniformly at random and flips a random coin to determine $b\in \{0,1\}$. For $b=0$, the challenger executes the standard encryption algorithm: $\mathtt{Encrypt}(PK,{\mathbb{A}}^{*},M)\to C{T}_0$, and outputs $C{T}_0$. For $b=1$, it runs the tracing encryption algorithm instead: ${\mathtt{Encrypt}}_{\mathrm{Trace}}(PK,{\mathbb{A}}^{*},M)\to (C{T}_1,\mathrm{trap})$, and outputs $C{T}_1$. Finally, the challenger sends $C{T}_b$ to $\mathcal{A}$.

Phase 2. Phase 1 is repeated.

Guess. $\mathcal{A}$ outputs a guess $b^{\prime }$ of b.

Note that ${\mathbb{A}}^{*}$ can be satisfied by at least one of the attribute sets in $KS$.

If $b^{\prime }=b$, the adversary $\mathcal{A}$ wins the game. The advantage of $\mathcal{A}$ is defined as $Pr[b^{\prime }=b]-1/2$.

Definition 3. 

An OC-BTCP-ABE scheme is compulsorily traceable, if for any polynomial time adversary $\mathcal{A}$, the advantage is always negligible in the above game.

3. Our Construction

Our scheme is constructed by modifying the scheme of [11]. Note that U denotes the attribute universe of the system. To prevent collusion among users, we adopt the similar method of [26], assigning each user’s key a random exponent r, which is embedded in the main component D of the key and in the components corresponding to each attribute. This binds together all components of a user’s key, making them incompatible with the key components of other users. During decryption, each share must be computed using the same consistent exponent r to recover the shared secret and thus the plaintext, meaning components from different keys cannot be combined or used together.

3.1. Concrete Construction

• Setup$(U,\lambda )\to (PK,MK)$. The algorithm takes the security parameter $\lambda$ as input and outputs $(p,g,\mathbb{G},{\mathbb{G}}_T,e)$. It then randomly selects $\alpha ,\beta ,t\in {\mathbb{Z}}_p$. Furthermore, for each attribute $x\in U$, it randomly chooses $\{h_x,f_x\in \mathbb{G}\}$. The public key is published as follows:

  $$PK=(g,\mathbb{G},{\mathbb{G}}_T,g^t,e{(g,g)}^{\alpha },h=g^{\beta },{\{h_x,f_x\}}_{x\in U})$$
  The authority retains the master key $MK=(\beta ,g^{\alpha })$ in secrecy and initializes an empty table $LID$.
• KeyGen$(MK,S)\to (SK,TK,I{D}_{SK})$. Using the master key $MK$, the algorithm generates a private key $SK$ corresponding to the attribute set S. It randomly selects exponents $k,r,z,{\left\{r_j\right\}}_{j\in S}\in {\mathbb{Z}}_p$ and obtains the transformation key $TK=$

  $$(D=g^{{\displaystyle \frac{(\alpha +rt)/\beta }{k}}},\forall j\in S:D_j=g^{r/z}·f_j^{r_j/z},D_j^{\prime }=g^{r_j/z},D_j^{″}=h_j^{r/z},D_j^{‴}=h_j^{r_j/z})$$
  It then sets the private key $SK=\{k,z,TK\}$ and the key index $I{D}_{SK}=e(g^t,g^r)$. The authority records $I{D}_{SK}$ in table $LID$.
• Encrypt$(PK,\mathcal{M},(M,\rho \left)\right)\to \left(CT\right)$. The algorithm takes as input the public key $PK$ and encrypts the message $\mathcal{M}$ with an access control structure $(M,\rho )$. Here, M is an $l\times n$ LSSS matrix corresponding to the size of the ciphertext access policy, and each row of the matrix can be mapped to an attribute $\rho \left(i\right)$. The algorithm selects a random vector $v=(s,v_2,\dots ,v_n)\in {\mathbb{Z}}_p^n$. Then, it randomly selects values $a_i,b_i\in {\mathbb{Z}}_p$ for each row $M_i$ of M and performs calculations ${\mu }_i=M_i·v$. It computes and outputs the ciphertext as follows:

  $$CT=(C=\mathcal{M}e{(g,g)}^{\alpha s},\tilde{C}=h^s,$$

  $$\forall i\in \left[l\right]:C_i={\left(g^t\right)}^{u_i}{h}_{\rho \left(i\right)}^{a_i},C_i^{\prime }={\left(f_{\rho \left(i\right)}^t\right)}^{u_i}{h}_{\rho \left(i\right)}^{b_i},C_i^{″}=g^{a_i},C_i^{‴}=f_{\rho \left(i\right)}^{a_i},C_i^{⁗}=g^{b_i})$$
  $CT$ is published along with $(M,\rho )$. The notation $\left[l\right]$ herein represents the set $\{1,2,3,\dots l\}$.
• Transform$(PK,TK,CT)\to \left(C{T}^{\prime }\right)$. Using a transformation key $TK$ and the public key $PK$, the algorithm partially decrypts the ciphertext $CT$ that contains the access structure $(M,\rho )$. If S, where S is the attribute set associated with $TK$, does not satisfy the access structure, it outputs ⊥. Suppose a certain subset $I\subseteq S$ satisfiesthe access policy of $(M,\rho )$, the algorithm can obtain the set of constants $w_i\in {\mathbb{Z}}_p$ for which ${\sum }_{\rho \left(i\right)\in I}{w}_i{M}_i=\{1,0,\dots ,0\}$. It then proceeds to compute the following:

  $$T_0=e(D,\tilde{C})=e{(g,g)}^{(\alpha +rt)s/k},$$

  $$T_1=\prod _{\rho \left(i\right)\in I}{\left({\displaystyle \frac{e(D_{\rho \left(i\right)},C_i)e(D_{\rho \left(i\right)}^{‴},C_i^{⁗})}{e(D_{\rho \left(i\right)}^{\prime },C_i^{\prime })e(D_{\rho \left(i\right)}^{″},C_i^{″})e(D_{\rho \left(i\right)}^{‴},C_i^{‴})}}\right)}^{w_i}=e{(g,g)}^{rts/z}$$
  It then outputs the partially decrypted ciphertext $C{T}^{\prime }=(C,T_0,T_1)$.
• Decrypt$(SK,C{T}^{\prime })\to \left(M\right)$. The algorithm takes as input the private key $SK$. It computes $M=C{\displaystyle \frac{{T_1}^z}{{T_0}^k}}$ to finish the decryption. Noted that $C{T}^{\prime }$ must be the intermediate result generated by decrypting with $TK$ contained in $SK$; otherwise, the decryption result will be incorrect.

3.2. Tracing the Black-Box

In the process of black-box tracing, one must first send a tracing ciphertext to the black-box and then analyze the output of it to pinpoint the key employed in the decryption process, thereby exposing the identity of the black-box’s creator. In our scheme, the tracing algorithm is described as follows:

• Encrypt${}_{Trace}(\mathcal{M},(M,\rho ),PK)\to (trap,TCT)$. This algorithm encrypts the message $\mathcal{M}$ with the public key $PK$ and an access control structure $(M,\rho )$. The steps performed here are basically the same as those of the Encrypt algorithm. The main difference is that it selects two random numbers $s,s^{\prime }$ and uses $s^{\prime }$ to construct the vector $v=(s^{\prime },v_2,\dots ,v_n)\in {\mathbb{Z}}_p^n$. Thus, $s^{\prime }$ instead of s is distributed in the constants $u_i$ for $i=1,2,3,\dots ,l$. The algorithm outputs the tracing ciphertext as follows:

  $$TCT=(C=\mathcal{M}e{(g,g)}^{\alpha s},\tilde{C}=h^s,$$

  $$\forall i\in \left[l\right]:C_i={\left(g^t\right)}^{u_i}{h}_{\rho \left(i\right)}^{a_i},C_i^{\prime }={\left(f_{\rho \left(i\right)}^t\right)}^{u_i}{h}_{\rho \left(i\right)}^{b_i},C_i^{″}=g^{a_i},C_i^{‴}=f_{\rho \left(i\right)}^{a_i},C_i^{⁗}=g^{b_i})$$
  It outputs $TCT$ and $trap=s-s^{\prime }$.

To trace a black-box $\mathcal{D}$, the authority selects an access control structure $(M,\rho )$ that is satisfiable by the attributes set $S_{\mathcal{D}}$ of $\mathcal{D}$, as well as a message $\mathcal{M}$ randomly selected from the message space ${\mathbb{G}}_T$. It then runs the algorithm ${\mathtt{Encrypt}}_{Trace}$, sends the $TCT$ to $\mathcal{D}$, and saves the $trap$ at the same time. If  $\mathcal{D}$ performs the decryption correctly, it firstly runs Transform and obtains the following:

$$T_0=e(D,\tilde{C})=e{(g,g)}^{(\alpha +rt)s/k},$$

$$T_1=\prod _{\rho \left(i\right)\in I}{\left({\displaystyle \frac{e(D_{\rho \left(i\right)},C_i)e(D_{\rho \left(i\right)}^{‴},C_i^{⁗})}{e(D_{\rho \left(i\right)}^{\prime },C_i^{\prime })e(D_{\rho \left(i\right)}^{″},C_i^{″})e(D_{\rho \left(i\right)}^{‴},C_i^{‴})}}\right)}^{w_i}=e{(g,g)}^{rt{s}^{\prime }/z}$$

Then, $\mathcal{D}$ runs Decrypt as $M=C{\displaystyle \frac{{T_1}^z}{{T_0}^k}}=\mathcal{M}e{(g,g)}^{rt(s^{\prime }-s)}$ and outputs ${\mathcal{M}}^{\prime }$. When the authority receives the return ${\mathcal{M}}^{\prime }$, it computes $E=M^{\prime }/M=e{(g,g)}^{rt(s^{\prime }-s)}$. For each entry in $LID$, it computes ${\left(I{D}_{SK}\right)}^{trap}$ and compares it with E until a match is found. The  $\left(I{D}_{SK}\right)$ reveals which private key was used in the construction of the black-box. If the user ID corresponding to $\left(I{D}_{SK}\right)$ is also recorded during the key generation process, the authority can directly use it to expose the identity of the black-box $\mathcal{D}$’s builder.

Efficient tracing. If the parameter $s^{\prime }$ is fixed to $s+1$ instead of a randomly selected value, that is, the $trap$ is set to 1. Therefore, when searching $LID$, E can be directly compared with $I{D}_{SK}$. In this way, the step of performing exponentiation on $I{D}_{SK}$ can be omitted, thereby achieving efficient search and tracking.

4. Performance Analysis

4.1. Theoretical Performance

In general, the overall performance of a CP-ABE scheme can be measured by the cost of encryption and decryption, the length of keys and ciphertexts, and the security model. Thus, we present a brief feature comparison with the only two OC-BTCP-ABE schemes known to us in

Table 1. Theoretical performance analysis and comparison.

	Encrypt	Transform +Decrypt	Ciphertext Size	Key Size	Model	Compulsory Traceability
[23]	$T_P+(4l+5)T_E+(l+2)T_H+(l\times m)T_S$	$(3+2|I\left|\right)T_P+\left(\right|I|+1)T_E+2T_H+T_S$	$(2l+3)\left|\mathbb{G}\right|+2|{\mathbb{G}}_T|+(l\times m)|{\mathbb{Z}}_p|$	$\left(\right|S|+3\left)\right|\mathbb{G}|+({\displaystyle \frac{1}{2}}lo{g}^{2}N+{\displaystyle \frac{1}{2}}logN+1)\left|{\mathbb{Z}}_p\right|$	Random Oracle	×
[14]	$T_P+(10l+3)T_E+2l{T}_H$	$(1+2|I\left|\right)T_P+\left(\right|I|+1)T_E+2T_H$	$(2l+1)\left|\mathbb{G}\right|+2|{\mathbb{G}}_T|$	$\left(\right|S|+2)\left|\mathbb{G}\right|+2|{\mathbb{Z}}_p|$	Random Oracle	×
This work	$T_P+(7l+2)T_E$	$(1+5|I\left|\right)T_P+\left(\right|I|+2)T_E$	$5l\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$\left(4\right|S|+1)\left|\mathbb{G}\right|+|{\mathbb{Z}}_p|$	Standard	√

.

In Table 1, N stands for the total number of users in the system, l refers to the number of rows in the LSSS matrix M, $\left|S\right|$ is the number of attributes owned by users, and $\left|I\right|$ denotes the number of attributes involved in decryption, m is the number of subsets applied in the Subset Cover Method that is adopted in [23]. $T_P$, $T_E$, $T_H$,$T_S$ respectively represent the computational costs required for a pairing operation, an exponentiation operation, a hash operation and a symmetric encryption/decryption operation. $\left|\mathbb{G}\right|$, $|{\mathbb{G}}_T|$, $|{\mathbb{Z}}_p|$ refer to the size of elements in $\mathbb{G}$, ${\mathbb{G}}_T$, ${\mathbb{Z}}_p$ respectively.

Computational outsourcing capability. Similarly to the Green scheme, our scheme primarily focuses on how to securely outsource decryption computations. In our scheme, the Transform operation— which performs a major part of the decryption— can be delegated to a proxy server; this process outputs the transformed ciphertext $C{T}^{\prime }$, and the user only needs to complete the final Decrypt operation on their own to recover the plaintext from $C{T}^{\prime }$. In our scheme, the cost of the transform operation is $(1+5|I\left|\right)T_P+\left|I\right|·T_E$, while the cost of the decrypting operation is $2T_E$. Tests show that the computational cost of $T_E$ is generally about 10 times that of $T_P$. Therefore, in our scheme, most of the overhead in decryption computation can be outsourced. For example, if the decryption computation involves 20 attributes (i.e., $I=20$), the outsourceable Transform operations account for approximately 94% of the total cost of decryption computation, while users only need to bear about 6% of the computational cost.

Efficiency. By comparison, it can be found that in terms of encryption performance, our scheme is superior to the two existing schemes, but its decryption performance is lower than these two schemes. This is because in the encryption phase, the scheme in [23] actually performs a re-encryption, while the scheme in [14] requires users to interact with the Cloud Encryption Server (CES) using a method similar to the blind signature to complete the relatively complex calculations. The lower decryption efficiency of our scheme is due to that in order to meet the compulsory traceability requirements, the secret parameters must be hidden more deeply. However, the decryption efficiency of this work is the same as that of [11], so its computational efficiency is still sufficient to meet the practical application. Additionally, it is worth noting that both our scheme and the scheme of [14] need to store a list $LID$, which is used to compare and search for keys during tracing. This list needs to store each user’s $I{D}_{S}K$ (the $I{D}_{S}K$ mainly contains an element from group ${\mathbb{G}}_T$). In our tests, the $I{D}_{S}K$ length is 48 bytes, so the storage overhead during tracing is approximately $48N$ bytes, where N is the number of users in the system.

Traceability. In our scheme, the tracing algorithm ${\mathtt{Encrypt}}_{Trace}$ only needs to be executed once, and the computational cost is equivalent to that of an ordinary encryption algorithm Encrypt. Although one has to search through the $LID$ by running one exponentiation operation for each entry in $LID$ to find out the key of the malicious user, an exponentiation operation is much lighter than an Encrypt operation, and the number of such operations is at most $O\left(N\right)$. Moreover, if efficient tracing is adopted, the exponentiation operations in the searching of $LID$ can also be omitted, and in this case, the computational cost is $O\left(1\right)$, that is almost equivalent to that of a single encryption operation. Compared with our scheme, the two existing schemes have the following defects, respectively.

• Inefficiency of the scheme in [23]. The scheme of [23] is similar to the classic black-box tracing scheme, a series of tracing ciphertexts needs to be sent to gradually find out the secret key of the malicious user. It requires running $O\left(logN\right)$ rounds of tracing algorithms to identify a malicious user. In each round of the tracing algorithm, at most $2r-1$ encryptions (or an average of $1.25r$ encryptions) need to be executed. Therefore, the total number of encryptions in a tracing process is $O\left(rlogN\right)$, while the cost of each encryption is $T_P+(4l+5)T_E+(l+2)T_H+(l\times m)T_S$. Since r denotes the number of revoked users in the system, this indicates that when the number of revoked users increases, a rather high computational overhead will be incurred in the tracing process.
• Tracing failure of the scheme in [14]. For the scheme of [14], if the black-box performs the Transform and Decryption on its own instead of relying on the Cloud Auxiliary Server (CAS) to perform the Transform operation, the black-box will only output the final result, and in this case, the tracing will fail.

Finally, compared with the previous two schemes, our scheme further possesses the feature of compulsory traceability.

Security. The security of both existing OC-BTCP-ABE schemes and our scheme is based on the decisional q-parallel BDHE assumption. However, these two schemes are constructed under the random oracle model, whereas our scheme is constructed under the standard model.

4.2. Performance Measurements

For the CP-ABE system, encryption and decryption are the two most frequently executed operations; thus, the computational performance of the system mainly depends on the efficiency of these two operations. We implemented the scheme of [14,23], and our proposed scheme for testing, compared the test results, and presented the specific details in Figure 1.

All experiments were conducted on a PC equipped with a Core i5-12400 processor and 8 GB RAM. We utilize an elliptic curve group of Type A defined by the equation $y^2=x^3+x$, where the element representations are 512 bits in length and the group has an order of 160 bits. The scheme is implemented based on the Java Pairing Based Cryptography (JPBC version 2.0.0) library [27].

In the experiment, we set the access control structure in the form $(A_1\mathrm{and}{A}_2\mathrm{and}\dots \mathrm{and}{A}_s)$, where $A_i$ is an attribute, in order to maintain the consistency of the decryption process and prevent potential differences that may arise when decrypting with different decryption keys. We tested all cases where the number of attributes s ranged from 1 to 50. For each test point, we experimented 100 times and then took the average value.

The experimental results are consistent with the performance expectations from theoretical analysis, and the computational costs of encryption and decryption are proportional to the number of attributes involved in the operations. It should be noted that although more pairing operations are performed in the decryption process of our scheme, the efficiency of decryption operations in our scheme does not show a significant decrease compared with existing schemes. It is because the efficiency of pairing operations is far higher than that of exponentiation operations. Our experimental tests show that the average time for one exponentiation operation in ${\mathbb{G}}_T$ is approximately 12 ms, while the time for one pairing operation is about 1 ms.

As can be seen from Figure 2, the time required for tracing in our scheme is basically independent of the scale of system users. This is because only one tracing ciphertext needs to be generated for each tracing process in our scheme. The scheme of [14] is similar to our scheme. However, the number of tracing ciphertexts generated by the scheme of [23] is $O\left(rlogN\right)$, where N represents the number of users in the system and r represents the number of revoked users in the system (r was set to 50 in the test). Therefore, the tracing cost of [23] is much higher than that of our scheme, and it will increase rapidly as the number of users and revoked users increases.

5. Security Proof

Theorem 1. 

Suppose the construction of [11] is a selectively CPA secure scheme. Then our scheme presented above is selectively CPA secure.

Proof of Theorem 1 

Suppose there is a polynomial-time adversary $\mathcal{A}$ that can win with non-negligible advantage $Ad{v}_{\mathcal{A}}$ in the selective security game against our scheme. Then we show how to build a simulator $\mathcal{B}$ that can win in the selective security game against the scheme of [11] with the advantage $Ad{v}_{\mathcal{A}}$. Since the scheme of [11] is selectively CPA-secure under the decisional q-parallel BDHE assumption, thus, a contradiction arises, and therefore the theorem is proven. The simulator operates as follows.

Init. The simulator $\mathcal{B}$ invokes the adversary $\mathcal{A}$. $\mathcal{A}$ gives the challenge access structure $(M^{*},{\rho }^{*})$, where $M^{*}$ is an $l\times n$ LSSS matrix. $\mathcal{B}$ then sends $(M^{*},{\rho }^{*})$ to the challenger of [11] as the access control structure it intends to challenge.

Setup. The simulator $\mathcal{B}$ queries the challenger of [11] and obtains the public key $PK=(g,\mathbb{G},{\mathbb{G}}_T,g^t,e{(g,g)}^{\alpha },h=g^{\beta },{\{h_x,f_x\}}_{x\in U}))$ It then sends $PK$ to $\mathcal{A}$.

Phase 1. The simulator $\mathcal{B}$ creates an empty table T, an empty set $KS$ and an index $i=0$. It responds to the adversary’s request as follows:

• $Create\left(S\right)$: $\mathcal{B}$ sets $i:=i+1$, and it continues to operate in one of the following two ways according to the situation.

  -

  If S satisfies the access policy contained in $(M^{*},{\rho }^{*})$, the simulator $\mathcal{B}$ forms the transformation key $TK$ as follows. $\mathcal{B}$ randomly chooses $z^{\prime },k^{\prime },r^{\prime },{\left\{r_j^{\prime }\right\}}_{j\in S}\in {\mathbb{Z}}_p$ and implicitly sets $k={\displaystyle \frac{\alpha }{\beta k^{\prime }}},r={\displaystyle \frac{r^{\prime }\alpha }{k^{\prime }}},z={\displaystyle \frac{r^{\prime }\alpha }{k^{\prime }{z}^{\prime }}},r_j={\displaystyle \frac{r_j^{\prime }{r}^{\prime }\alpha }{k^{\prime }{z}^{\prime }}}$ by generating

  $$TK=(D=g^{k^{\prime }}{\left(g^t\right)}^{r^{\prime }},\forall j\in S:D_j=g^{z^{\prime }}·f_j^{r_j^{\prime }},D_j^{\prime }=g^{r_j^{\prime }},D_j^{″}=h_j^{z^{\prime }},D_j^{‴}=h_j^{r_j^{\prime }}).$$

  It then sets $SK=(k^{\prime },z^{\prime },TK)$. Note that $SK$ is not a well-formed private key, but in the view of adversary $\mathcal{A}$, $TK$ is properly distributed at random.

  -

  Otherwise, $\mathcal{B}$ calls the key generation oracle of [11] to get

  $$S{K}^{\prime }=(D=g^{{\displaystyle \frac{\alpha +rt}{\beta }}},\forall j\in S:D_j=g^r·f_j^{r_j},D_j^{\prime }=g^{r_j},D_j^{″}=h_j^r,D_j^{‴}=h_j^{r_j}).$$

  It then randomly chooses $z,k,\in {\mathbb{Z}}_p$ and computes

  $$TK=(D=g^{{\displaystyle \frac{(\alpha +rt)/\beta }{k}}},\forall j\in S:D_j=g^{r/z}·f_j^{r_j/z},D_j^{\prime }=g^{r_j/z},D_j^{″}=h_j^{r/z},D_j^{‴}=h_j^{r_j/z}).$$

  $\mathcal{B}$ then sets $SK=(k,z,TK)$.

  The simulator $\mathcal{B}$ stores $(i,S,SK,TK)$ in table T and returns $TK$ to the adversary $\mathcal{A}$.
• $Corrupt\left(j\right)$: If there exists an jth entry in table T, the simulator $\mathcal{B}$ obtains the entry $(j,S,SK,TK)$ and sets $KS:=KS\cup \left\{S\right\}$. It then returns the private key $SK$ to $\mathcal{A}$. If no such entry exists, then it returns ⊥. Note that in the selective security game $\mathcal{A}$ cannot query for any key that satisfies the challenge structure $(M^{*},{\rho }^{*})$.

Challenge. The adversary $\mathcal{A}$ chooses two messages $M_0,M_1$ of equal length and gives them to $\mathcal{B}$. $\mathcal{B}$ passes them to the challenger of [11] and obtains the returned ciphertext $CT=(C,\tilde{C},\forall i\in \left[l\right]:C_i,C_i^{\prime },C_i^{″},C_i^{‴},C_i^{⁗})$. It then gives $CT$ to $\mathcal{A}$.

Phase 2. Phase 1 is repeated.

Guess. $\mathcal{A}$ finally outputs a guess $b^{\prime }\in \{0,1\}$ of b. Then, the simulator $\mathcal{B}$ also outputs $b^{\prime }$ as its guess. The simulator $\mathcal{B}$ provides a perfect simulation. If $\mathcal{A}$ guesses correctly and wins the game, $\mathcal{B}$ will also win in the security game challenging scheme of [11]. Therefore, $\mathcal{B}$ wins the selective security game against the scheme of [11] with the non-negligible advantage $Ad{v}_{\mathcal{A}}$. So we complete the proof. □

Theorem 2. 

Suppose the scheme of [11] is compulsorily traceable. Then our scheme presented above is compulsorily traceable.

Proof of Theorem 2 

Suppose there exists a polynomial-time adversary $\mathcal{A}$ that can play the compulsory traceability security game against our scheme with a non-negligible advantage $TRAd{v}_{\mathcal{A}}$. Then we show how to build a simulator $\mathcal{B}$ that can win in the compulsory traceability security game against the scheme proposed in [11] with the same advantage. In [11], the advantage of any adversary is proved to be $O(n^2/p)$, where n denotes the total number of group elements that the adversary can obtain from its queries, and p is the group order. This indicates that if the group order p is sufficiently large, the adversary’s advantage is negligible, and in this case, our scheme is compulsorily traceable. The simulator operates as follows.

Setup. The simulator $\mathcal{B}$ queries the challenger of [11] and obtains the public key $PK=(g,\mathbb{G},{\mathbb{G}}_T,g^t,e{(g,g)}^{\alpha },h=g^{\beta },{\{h_x,f_x\}}_{x\in U})$ It then sends $PK$ to $\mathcal{A}$.

Phase 1. The simulator $\mathcal{B}$ creates an empty table T, an empty set $KS$ and an index $i=0$. It responds to the adversary’s request as follows:

• $Create\left(S\right)$: $\mathcal{B}$ sets $i:=i+1$, and it continues to operate in one of the following two ways according to the situation. $\mathcal{B}$ calls the key generation oracle of [11] to get

  $$S{K}^{\prime }=(D=g^{{\displaystyle \frac{\alpha +rt}{\beta }}},\forall j\in S:D_j=g^r·f_j^{r_j},D_j^{\prime }=g^{r_j},D_j^{″}=h_j^r,D_j^{‴}=h_j^{r_j}).$$
  It then randomly chooses $z,k,\in {\mathbb{Z}}_p$ and computes

  $$TK=(D=g^{{\displaystyle \frac{(\alpha +rt)/\beta }{k}}},\forall j\in S:D_j=g^{r/z}·f_j^{r_j/z},D_j^{\prime }=g^{r_j/z},D_j^{″}=h_j^{r/z},D_j^{‴}=h_j^{r_j/z}).$$
  $\mathcal{B}$ then sets $SK=(k,z,TK)$. The simulator $\mathcal{B}$ stores $(i,S,SK,TK)$ in table T and returns $TK$ to the adversary $\mathcal{A}$.
• $Corrupt\left(j\right)$: If there exists an jth entry in table T, the simulator $\mathcal{B}$ obtains the entry $(j,S,SK,TK)$ and sets $KS:=KS\cup \left\{S\right\}$. It then returns the private key $SK$ to $\mathcal{A}$. If no such entry exists, then it returns ⊥.

Challenge. $\mathcal{A}$ submits an access control structure $(M^{*},{\rho }^{*})$ to $\mathcal{B}$. $\mathcal{B}$ passes $(M^{*},{\rho }^{*})$ to the challenger of [11] and obtains the ciphertext $C{T}_b$ output by this challenger. $\mathcal{B}$ then sends $C{T}_b$ to $\mathcal{A}$.

Phase 2. Phase 1 is repeated.

Guess. $\mathcal{A}$ outputs a guess $b^{\prime }$ of b. $\mathcal{B}$ also outputs $b^{\prime }$ as its guess. The simulator $\mathcal{B}$ provides a perfect simulation. If $\mathcal{A}$ guesses correctly and wins the game, $\mathcal{B}$ will also win. Thus, the advantage of the simulator in its security game against the scheme in [11] is equal to that of the adversary $\mathcal{A}$ in the game against our scheme. So we complete the proof.

Note that in the same manner, we can prove that when $s^{\prime }$ is set to $s+1$, the adversary is also unable to distinguish whether the ciphertext is a tracing ciphertext or an ordinary ciphertext. Therefore, in the case of efficient tracing, the property of compulsory traceability also holds. □

6. Conclusions

Although CP-ABE is widely recognized as an optimal access control mechanism enabling user-centric autonomy in cloud data services, its practical deployment still necessitates addressing critical challenges related to security and efficiency. From a security perspective, preventing key abuse by users—particularly tracing malicious users who exploit their keys to establish a decryption black-box for providing illegal decryption services for profit—remains a focal point of relevant research. In terms of efficiency, due to the substantial computational overhead inherent in CP-ABE schemes, developing secure computation outsourcing solutions for resource-constrained devices (e.g., IoT devices) has also garnered significant attention. To the best of our knowledge, only a handful of existing CP-ABE schemes [14,23] currently achieve the simultaneous implementation of black-box traceability and computation outsourcing capabilities. However, among these schemes, there are still issues of low computational efficiency or potential failure of tracing. Therefore, we propose a new OC-BTCP-ABE scheme. This scheme not only achieves black-box traceability and secure outsourcing of decryption computations but also features high computational efficiency, with a significant improvement, particularly in the efficiency of the tracing algorithm. Additionally, we prove that the scheme possesses the property of compulsory traceability, which ensures that the tracing algorithm can always function effectively. Our scheme will be particularly suitable for access control applications in scenarios such as the IoT cloud and similar environments.

However, there are still aspects that need improvement for our scheme. For instance, the proposed scheme lacks support for efficient attribute revocation, and this practical barrier needs to be addressed in future research. Similarly, in terms of security, future studies should further consider and handle the following issues: how to defend against key compromise impersonation attacks when the authority issues attribute keys to users; how to realize policy-hiding; and how to assess the threats of quantum computing to the underlying primitives of the scheme.