A Decentralised Multi-Authority Attribute-Based Encryption for Secure and Scalable IoT Access Control

Abstract

This study presents a decentralised ciphertext-policy attribute-based encryption (CP-ABE) scheme designed for secure and efficient access control in resource-constrained Internet-of-Things (IoT) environments. By utilising multi-authority architecture and outsourced computation, the scheme enhances scalability, simplifies key management by eliminating reliance on a certificate authority (CA), and ensures data confidentiality through randomised proxy keys. It is particularly suited for multi-scenario IoT applications involving information sharing, such as smart cities or industrial automation in strategic alliances or conglomerates. Demonstrating security against chosen-plaintext attacks under the decisional bilinear Diffie–Hellman assumption, the scheme offers a practical and scalable solution for decentralised access control.

1. Introduction

The Internet of Things (IoT) has become deeply integrated into everyday life and industrial applications. According to Ahsan et al. [1], the number of IoT devices is projected to exceed 60 billion, driven by advancements in wireless technology and the increasing demand for high-quality sensing. Machine-to-Machine (M2M) communication enables devices to autonomously exchange and control information.

Initially, M2M communication was combined with IoT for industrial purposes. However, it has since expanded into other domains, including medical, commercial, and residential application, bringing it closer to our lives and forming a smart city. The scope of smart cities is extensive, encompassing individuals, businesses, industries, and governments [2], with diverse applications. These environments generate vast amounts of big data through IoT’s capabilities in sensing, identification, and networking [3]. The integration of artificial intelligence, cloud computing, and machine learning further enhances these technologies, enabling efficient data analysis and autonomous city management.

Sensing devices in smart cities ubiquitously collect and analyse data. As these large amounts of data often contain confidential data [4,5,6], ensuring secure data transfer in smart city applications is imperative. In the past, various IoT applications stored collected and analysed data in the cloud [7] for use by related users. However, confidential data stored in the cloud may be accessed by interested insiders or external attackers without authorisation [8], posing a potential threat. Therefore, it is necessary to develop an access policy or encrypt data for the data stored in the cloud.

Accessing data through authentication and authorisation is not fully secure, as attackers may exploit malicious software [9] or forged identities [10] to access data; thus, using data encryption is essential. Encryption methods can be categorised into symmetric encryption and asymmetric cryptography [11]. Symmetric encryption is faster and requires fewer resources but uses the same key for encryption and decryption, creating security risks [12]. Key transmission keys between devices is challenging, and managing a large number of keys is cumbersome. Asymmetric encryption, which employs a public key for encryption and a private key for decryption, solves the key distribution issue. However, in IoT’s one-to-many and many-to-many communication scenarios, key management remains complex.

When a data user wants to decrypt the data, the encryption method must consider whether the user’s attributes comply with the access policy. As a solution, Goyal et al. [13] proposed a new encryption method called attributed-based encryption (ABE), which is an asymmetric encryption mechanism where the key and ciphertext are dependent on attributes that conform to the access policy and decrypt the ciphertext. Unlike traditional encryption methods, ABE is a one-to-many encryption mechanism, making it suitable for IoT environments by facilitating fine-grained access control and simplifying key management.

ABE is divided into two types: key-policy attribute-based encryption (KP-ABE) [13] and ciphertext-policy attribute-based encryption (CP-ABE) [14]. Among these, CP-ABE assigns attributes to the private key for data users. The data owner defines the access policy and attaches it to the ciphertext. The ciphertext can be correctly decrypted if the data user holds the attribute key that satisfies the access policy. Conversely, if an attacker does not possess the private attribute key that satisfies the access policy, they cannot decrypt the ciphertext. This fine-grained access control mechanism ensures that only authorised users with required attributes can access data, making CP-ABE suitable for secure data sharing in dynamic environments. Furthermore, fine-grained access control provides precise control over data sharing [15], enabling secure information exchange across various sectors, such as healthcare, finance, and smart cities, without exposing sensitive information. This mechanism enhances multi-party collaboration security, ensuring that different entities can interact with mutual trust while maintaining data confidentiality.

When CP-ABE is combined with the IoT, it faces the issue of limited resources [16,17]. IoT devices are often limited in computing power, storage space, and energy resources, and the number of IoT devices on the network and application can be vast. As such, the access tree construction for the access policy can become complicated, and the number of attributes will become large. The encryption and decryption time of CP-ABE is linearly positively correlated to the size of the key, the number of attributes, and access tree complexity. It is difficult for IoT devices to bear the burden of complex calculations and access space. Therefore, subsequent scholars have studied the lightweight CP-ABE [18,19] suitable for IoT.

In summary, IoT technology faces challenges in security and resource limitations. Optimising CP-ABE is crucial to address the constraints of IoT devices. Researchers are actively developing lightweight solutions to improve IoT security and operational efficiency while minimising the strain on device resources, ensuring that they meet the practical demands of IoT applications. The key contributions of this work are as follows:

• The proposed scheme eliminates reliance on a central certificate authority (CA), enabling fully decentralised key management. This enhances flexibility, reduces failure points, lowers costs, and suits multi-scenario IoT applications like smart cities and industrial automation.
• To improve security and efficiency in resource-constrained IoT environments, the scheme introduces a proxy key mechanism that allows partial decryption outsourcing without exposing the original attribute keys. This approach mitigates the risk of key leakage and misuse, ensuring that IoT devices can securely delegate computations while maintaining strict access control policies.
• The scheme is formally proven to be secure against chosen-plaintext attacks (CPAs) under the decisional bilinear Diffie—Hellman (DBDH) assumption. This ensures that an adversary lacking the required attributes cannot distinguish an encrypted ciphertext from a random element, thereby preserving strong data confidentiality and preventing unauthorised access.

This paper is structured as follows: Section 2 reviews related work, while Section 3 introduces the necessary preliminaries. Section 4 presents the system model, scheme definition, and notation. Section 5 provides a detailed description of the proposed scheme. Section 6 and Section 7 present the security analysis and performance evaluation, respectively. Finally, Section 8 concludes this paper.

2. Related Works

In IoT applications, where security and access control are critical, attribute-based encryption (ABE) schemes offer an effective solution for protecting sensitive data [20]. IoT environments often consist of interconnected devices with limited computational and storage capabilities, making traditional key management approaches inefficient and susceptible to security risks. ABE schemes provide fine-grained access control and a one-to-many key management mechanism. These features ensure that only authorised entities can access specific data, thereby enhancing security while minimising the overhead associated with key distribution and updates, which is particularly advantageous in dynamic IoT ecosystems.

Both KP-ABE and CP-ABE utilise an access tree, making them suitable for multi-device environments. In cloud-based scenarios, these schemes enable users to encrypt and decrypt data based on authorised attributes, effectively addressing the challenges of managing keys for multiple users [21,22,23]. When integrating IoT applications, such as smart cities, industrial automation, and healthcare for cross-domain collaboration, ABE schemes provide a robust and scalable framework for secure and efficient data sharing [15]. These schemes enable fine-grained access control, ensuring that only authorised users with the appropriate attributes can access sensitive information, thereby enhancing data security and privacy.

Furthermore, by ensuring data confidentiality and access control even for resource-constrained devices [16,17], ABE effectively addresses critical security challenges in IoT systems. This makes ABE particularly well suited for dynamic and distributed environments, where multiple entities must securely exchange and process data while preserving system integrity and trustworthiness.

In contexts where IoT systems integrate with cloud computing, the decryption of multi-attribute ciphertext using CP-ABE can be computationally demanding, owing to the limited resources of many terminal devices [24]. Research suggests that utilising external computing resources can help reduce the computational burden on these resource-constrained devices. This approach is often implemented through proxy re-encryption schemes [25], which enable partial decryption by an external entity, thereby reducing the computational workload on terminal devices while maintaining data security.

In IoT architectures, cloud-based infrastructure is frequently utilised to assist with computations, reducing processing loads through techniques such as elliptic curve cryptography, bilinear mapping, and identity authentication. Wang et al. [18] emphasises the importance of ensuring that the CA does not generate proxy keys during outsourced encryption and decryption operations. This precaution mitigates privacy concerns and reduces the risks of proxy key leakage and misuse. To further address these issues, researchers [17] have proposed generating proxy keys to facilitate the partial decryption process, leaving users responsible for the final stage of decryption.

The reliance on a trusted third party, typically a CA, is a fundamental feature of ABE systems. The CA plays a crucial role in generating public parameters, public and private keys, and verifying user authenticity. However, managing updates to attribute keys imposes a significant burden on the CA [26], especially in systems with numerous end devices. To address this limitation and improve key management efficiency [27], multi-authority access control mechanisms have emerged as a promising solution. These mechanisms [23,26,28,29,30,31,32] distribute computational responsibilities among multiple authorities, ensuring the independent verification of data accuracy and integrity. By implementing a multi-authority framework, the CA is better equipped to manage updates to attribute keys and revocations, streamlining the process without disrupting users or compromising the security of encrypted data.

Even in CP-ABE systems with multi-authority access control, the CA continues to play a significant role, preventing complete decentralisation. Furthermore, although the CA is responsible for generating public parameters, it does not participate in subsequent communications, yet it incurs fixed maintenance costs. To address these challenges, we propose a decentralised CP-ABE scheme that eliminates the need for a CA entity, making it particularly suitable for small-scale, multi-context IoT applications, such as strategic alliances or conglomerates. This approach leverages external computation to verify the origin and authenticity of ciphertexts, thereby ensuring key confidentiality while overcoming the computational limitations of resource-constrained devices.

3. Preliminaries

This section presents the related preliminaries, along with a proposed IoT architecture suitable for decentralised CP-ABE.

3.1. Bilinear Map

Let $\mathbb{G}$ and ${\mathbb{G}}_T$ be two multiplicative cyclic groups with a prime order $p$, and let $g$ be a generator of $\mathbb{G}$. The map $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$ is a bilinear pairing if it satisfies the following properties:

• Bilinear: For all $u,v\in \mathbb{G}$ and $a,b\in {\mathbb{Z}}_p$, then $e\left(u^a,v^b\right)={e(u,v)}^{ab}$.
• Non-degeneracy: $e\left(g,g\right)\ne 1$.
• Computability: For all $u,v\in \mathbb{G}$, $e\left(u,v\right)$ is computable efficiently.

3.2. Joint-Shamir Random Secret Sharing

Joint-Shamir Random Secret Sharing (Joint-Shamir RSS) [33] enables the generation of the master secret value $\sigma$ without relying on a trusted third party. The master secret value is computed as the sum of the sub-secret values ${\sigma }_i$, which are independently generated by each participating entity. Each sub-secret value is calculated through the sub-shared value $s_{ij}$. Notably, individual entities are unable to access the sub-secret values generated by other participants. This subsection outlines the steps involved in the process.

• Each entity $P_i$ chooses a random sub-secret value ${\sigma }_i\in {\mathbb{Z}}_q$. Then, $P_i$ chooses a polynomial $f_i\left(z\right)$ over the ${\mathbb{Z}}_q$ of degree $t$. Let denote sub-secret value ${\sigma }_i=f_i\left(0\right)$. $P_i$ distributes to every entity $P_j$ a sub-share value $s_{i,j}=f_i\left(j\right)$, where $i, j=1, 2, \dots , n$, $i\ne j$.
• Each entity $P_j$ received $n$ sub-share value $s_{ij}$, where $i, j=1, 2, \dots , n$, $i\ne j$. Then, $P_j$ computes the master-share value $s_j^{\prime }$. Let $s_j^{\prime }={\sum }_{i=1}^n{s}_{i,j} mod q$.
• Each entity $P_j$ computes the final random master-secret value $\sigma$. With Shamir [34] knowledge, any $k$ master-share value $s_1^{\prime }, s_2^{\prime }, \dots , s_k^{\prime }$ can compute a random master-shared value $\sigma$. Using the Lagrange interpolating formula,

$$\begin{array}{ll}\sigma & ={\displaystyle \sum _{j=1}^k}{s}_j^{\prime }{L}_j\\ & ={\displaystyle \sum _{j=1}^k}\left({\displaystyle \sum _{i=1}^n}{s}_{i,j} mod q\times L_j\right)\\ & ={\displaystyle \sum _{i=1}^n}{s}_i,\end{array}$$

(1)

where $L_j={\prod }_{i\ne j}{\displaystyle \frac{-j}{i-j}}$.

3.3. CP-ABE

In CP-ABE [14], the access policy is represented as a tree structure defined over a set of attributes. The CP-ABE scheme comprises the following four algorithms:

• $Setup\left(1^{\lambda }\right)\to (PK, MSK)$: The setup phase takes the security parameter $\lambda$ as input to generate public keys and a master secret key pair $(PK, MSK)$.
• $KeyGen(MK, \mathbb{U})\to SK$: The key generation phase takes the master secret key $MSK$ and the universe of user’s attributes $\mathbb{U}$ as input to obtain the secret attribute key $SK$ as output.
• $Encrypt(PK, M, \mathcal{T})\to CT$: The encryption phase takes the public keys $PK$, a plaintext $M$, and an access policy $\mathcal{T}$ as input. It outputs the ciphertext $CT$, where the access policy $\mathcal{T}$ is implicitly embedded within $CT$.
• $Decrypt\left(CT, SK\right)\to M$ or $\perp$: The decryption phase takes the ciphertext $CT$ and the secret attribute key $SK$ as input. If $SK$ satisfies the access policy embedded in $CT$, the algorithm successfully recovers the plaintext $M$. Otherwise, it outputs an error, denoted as $\perp$.

3.4. Data Outsourcing

In IoT scenarios, most IoT devices lack the computational resources required for complex encryption and decryption operations. To address this limitation, Wang et al. [18] proposed offloading these operations to high-performance devices, referred to as compute nodes (CNs) in this paper, which assist the controller (CR). During the encryption phase, the CR performs an initial encryption and sends the data to the CN for secondary encryption. In the decryption phase, the CR generates proxy keys and transmits them to the CN for initial decryption to produce the intermediate decryption message ($IDM$). Finally, the $IDM$ is then returned to the CR for a second decryption to fully recover the plaintext. This process ensures that the CR’s attribute key remains secure and confidential, as it is never exposed to other devices.

4. Proposed Scheme

4.1. System Model

As shown in Figure 1, a decentralised CP-ABE architecture was introduced for multi-scenario IoT applications. The architecture consists of four primary entities: the attribute authority (AA), CN, CR, and network routing devices (e.g., routers, switches, firewalls, or gateways). These entities collectively form a group, with multiple groups potentially coexisting within a single application domain, facilitating scalable and adaptable security management.

For example, within a smart city, various interconnected smart scenarios may coexist, including traffic management, smart homes, emergency response, fire-fighting coordination, power grid optimisation, and industrial automation. In such environments, secure and efficient message access control is imperative. For instance, an ambulance system integrated with a smart transportation network can coordinate with traffic signals to optimise routes, ensuring the shortest arrival time while simultaneously enabling real-time medical data sharing during transit to support pre-hospital care [35]. Similarly, a smart grid can dynamically collaborate with industrial facilities to monitor energy consumption and adjust power distribution strategies in real time, thereby reducing peak loads and minimising energy waste [36].

In all these scenarios, highly efficient, decentralised, and fine-grained access control mechanisms are essential to ensure secure communication and data sharing among diverse entities. The specific functions of each entity within this architecture are detailed below.

• AA: This device enables communication between groups, denoted as ${AA}_i$ (where $i$ represents the group number). In the proposed method, through trust-based principles such as alliance strategies or smart contracts, the AA established system parameters among devices and combined attributes from each group to create a unified multi-attribute set. Finally, it generated an attribute key $SK$ for the devices within its own group.
• CN: Given the resource constraints of IoT devices, the CR cannot perform complex encryption and decryption operations. To address this challenge, high-performance CNs were utilised to assist the CR in these operations. By offloading computationally intensive tasks to the CN, the CR was relieved of heavy processing demands, enabling it to efficiently manage access policies and generate proxy keys.
• CR: The CR serves as a central management unit for devices and data in the IoT ecosystem, enabling it to execute operations in the physical world—such as switching, adjusting, and moving—based on commands received from external systems. Within the IoT environment, the CR connects to end devices (e.g., sensors, actuators, drones) via various communication protocols, including Ethernet, TCP/IP-based protocols (such as HTTP, MQTT, and MODBUS TCP), Bluetooth, and wireless networks. In our scheme, the CR partially encrypted the collected information to generate ${CT}_1$, which was then transmitted to the CN for secondary encryption, producing ${CT}_2$. For decryption of messages received from other groups, the CR converted its attribute key $SK$ into a proxy key $tk$, ensuring that $SK$ remained secure and was not exposed to the CN. The CN uses $tk$ to perform decryption, generating an intermediate decryption message (IDM).
• Network routing (Router, Switch, Firewall, or Gateway): These devices transmit and receive network packets according to routing rules, serving as connection and data-flow management points within the IoT environment. Acting as bridges between different networks, they handle routing, filtering, forwarding, and firewall protection of data packets to ensure secure and efficient data transmission. This paper does not delve into the underlying principles of these devices but assumes they are configured and optimised for IoT application requirements.

4.2. Scheme Definition

In this section, we present the scheme definitions. The notations and their meanings, as used in this paper, are presented in

Table 1. Notation and description.

Notation	Description
$AA$	Attribute authority
$CN$	Compute node
$CR$	Controller
${CT}_1$	A ciphertext generated by CR in the encryption phase
${CT}_2$	A ciphertext generated by CN in the encryption phase
${SK}_{{CR}_j}$	$\mathrm{Attribute} \mathrm{key} \mathrm{of} \mathrm{the} {CR}_j$
${tk}_{{CR}_j}$	$\mathrm{One}-\mathrm{time} \mathrm{proxy} \mathrm{key} \mathrm{of} \mathrm{the} {CR}_j$
$IDM$	Intermediate decryption message
$key$	Encrypting and decrypting data with an asymmetric key
$M$	Plaintext
$𝒯$	An access tree
$PK$	Public parameter
${MK}_i$	$\mathrm{Master} \mathrm{keys} \mathrm{for} \mathrm{group} i$
${gpk}_i$	$\mathrm{Public} \mathrm{parameter} \mathrm{for} \mathrm{group} i$
$H$	One-way hash function
$HMAC$	Hash-based message authentication code
$t,r$	Transmitter and receiver, respectively

. Our scheme consists of eight algorithms, defined as follows:

• $Init\left(\lambda \right)⟼(PK, {MK}_i,{\mathbb{U}}_{mix})$: The AA devices participating in the communication of groups $a, b, \dots , n$ communicate with each other based on the principle of mutual trust. They generate public parameters $PK$ and master keys ${MK}_i$ then combine ${\mathbb{U}}_a, {\mathbb{U}}_b, \dots , {\mathbb{U}}_z$ to generate the attribute set ${\mathbb{U}}_{mix}$.
• $AA.KeyGen(PK, {MK}_i, {\mathbb{U}}_{mix})⟼\left({SK}_{{CR}_j}\right)$: This algorithm is executed by the AA device in each group, with inputs including the public parameters $PK$, the master key ${MK}_i$ for group $i$, and the attribute set ${\mathbb{U}}_{\mathit{m}\mathit{i}\mathit{x}}$. The output is the attribute key ${SK}_{{CR}_j}$ for ${CR}_j$.
• $CR.Encryption(PK, M, \mathcal{T},{SK}_{{CR}_j})⟼\left({CT}_1\right)$: This algorithm is executed by the CR, with inputs including the public parameters $PK$, the plaintext $M$, and the access tree $\mathcal{T}$. The output is the first stage of ciphertext ${CT}_1$.
• $CN.Encryption(PK,{CT}_1)⟼\left({CT}_2\right)$: This algorithm is executed by the CN device in the group, with inputs including the public parameters $PK$ and the first stage of ciphertext ${CT}_1$. The output is the second stage of ciphertext ${CT}_2$.
• $CN.VMS({gpk}_t, b)⟼true$ or $\perp$: This step ensures that the message originates from an authorised source, reducing the risks of tampering or forgery. CN selects a random number b, embeds it in the group public key ${gpk}_t$, and sends it to the recipient for verification. Conversely, if verification fails, the message is rejected.
• $CR.token({SK}_{{CR}_j}, t)⟼\left({tk}_{{CR}_j}\right)$: After verifying the message source, the CR executes this algorithm with inputs consisting of its attribute key ${SK}_{{CR}_j}$ and a random number $t\in {\mathbb{Z}}_p$. The output is a one-time proxy key ${tk}_{{CR}_j}$.
• $CN.Decryption({CT}_2, {tk}_{{CR}_j})⟼\left(IDM\right)$: The CN executes this algorithm using the second stage of ciphertext ${CT}_2$ and the one-time proxy key ${tk}_{{CR}_j}$ generated by the CR as inputs. The output is a partial decryption message $Mkey$.
• $CR.Decryption({CT}_2, IDM, t)⟼\left(M\right)$: The CR executes this algorithm with inputs consisting of the second stage of ciphertext ${CT}_2$, the partial decryption message $IDM$, and the random number $t$ used to generate the one-time proxy key ${tk}_{{CR}_j}$. The output is the plaintext $M$.

5. Construction

Table 1 outlines the descriptions for each symbol utilised within the system. In accordance with the scheme definition, the operational procedure is divided into eight phases: initial system communication, key generation, the first stage of encryption, the second stage of encryption, the verification of message source, proxy key generation, the first stage of decryption, and the second stage of decryption. The subsection provides a detailed explanation of each phase.

• System Setup: $Init\left(\lambda \right)⟼(PK,{MK}_i,{\mathbb{U}}_{mix})$

In this algorithm, each group’s AA provides an attribute set specific to its group, where ${\mathbb{U}}_i$ represents the attributes of each group. The attribute sets from all groups are then combined into ${\mathbb{U}}_{mix}={\bigcup }_{i\in L_c}{\mathbb{U}}_i$, where $L_c$ denotes the groups participating in the communication. The AAs collaborate to establish the public parameters $PK$ and the master key ${MK}_i$. Figure 2 shows the sequence diagram of this process, providing a step-by-step depiction of parameter generation, sharing, and collaboration among the AAs.

First, the Access Originator ${AA}_o$ generates the parameters $\mathbb{G},g, {\mathbb{Z}}_p$ and the hash function $H_1$. Using the Joint-Shamir RSS [33], ${AA}_o$ defines two secret polynomials and computes sub-secret value $f_{\alpha }\left(0\right)={\alpha }_o$ and $f_{\beta }\left(0\right)={\beta }_o$, where ${\alpha }_o, {\beta }_o\in {\mathbb{Z}}_p$. It then computes the sub-share value ${\gamma }_{o,i}=\left\{f_{\alpha }\left(i\right)={\gamma }_{o,i}^{\alpha }, {f_{\beta }\left(i\right)=\gamma }_{o,i}^{\beta }\right\}$, with ${\gamma }_{o,i}^{\alpha }, {\gamma }_{o,i}^{\beta }\in {\mathbb{Z}}_p$. ${AA}_o$ sends the attribute set ${\mathbb{U}}_o$, $L_c$, and these parameters to the other groups’ ${AA}_i$. Each ${AA}_i$ receives the parameters $(G_0,g, {\mathbb{Z}}_p, {\gamma }_{o,i}, {\mathbb{U}}_o, L_c, H_1)$.

After transmitting the parameters, each group’s AA defines two new secret polynomials and computes sub-secret values, ${\alpha }_i$ and ${\beta }_i$ in ${\mathbb{Z}}_p$, and sub-shares ${\gamma }_{i,j}=\{{\gamma }_{i,j}^{\alpha }, {\gamma }_{i,j}^{\beta }\}$. Based on $L_c$, ${AA}_i$ sends $({\gamma }_{i,j},{\mathbb{U}}_i)$, to the other groups, denoted as ${AA}_j$, including ${AA}_o$.

Each $AA$ in $L_c$ receives sub-share values ${\gamma }_{i,j}$ and attributes ${\mathbb{U}}_i$ from other groups. Using Equation (1), the master-share value ${\gamma }_j=\{{\gamma }_j^{\alpha },{\gamma }_j^{\beta }\}$ is computed, where ${\gamma }_j={\sum }_{i=1}^n{\gamma }_{i,j} mod p$, and the combined attribute set ${\mathbb{U}}_{mix}={\bigcup }_{i\in L_c}{\mathbb{U}}_i$. The master-share value ${\gamma }_j$ is then distributed to each AA, enabling the calculation of the master-secret value ($\alpha , \beta$).

Finally, each AA selects a random number $u_i\in {\mathbb{Z}}_p$ and calculates ${gpk}_i=g^{u_i}$ as the group public key. Then, the system public parameters are set as $PK=(\mathbb{G},g, h=g^{\beta },f=g^{1/\beta }, {e\left(g,g\right)}^{\alpha },{\mathbb{U}}_{mix}, H_1)$, and the master key for ${AA}_i$ is defined as ${MK}_i=(\alpha , \beta ,u_i)$.

2.

Key Generation: $AA.KeyGen(PK,{MK}_i,{\mathbb{U}}_{mix})⟼\left({SK}_{{CR}_j}\right)$

The AA runs a KeyGen algorithm to generate an attribute key for each CR in a group. In this phase, ${\mathrm{A}\mathrm{A}}_j$ selects a random number $r_j\in {\mathbb{Z}}_p$ for ${CR}_j$ and a random number $r_k\in {\mathbb{Z}}_p$ for each attribute $k$ in the attribute set ${\mathbb{U}}_k$, where ${\mathbb{U}}_k\subseteq {\mathbb{U}}_{mix}$ for ${CR}_j$. Then, the attribute key ${SK}_{{CR}_j}$ is generated as follows:

$${SK}_{{CR}_j}=\left(D=g^{\left(\alpha +r_j\right)\beta }, \forall k\in {\mathbb{U}}_k: D_k=g^{r_j}{H_1\left(k\right)}^{r_k}, {D_k}^{\prime }=g^{r_k}\right).$$

3.

First Stage of Encryption: $CR.Encryption(PK,M,\mathcal{T},{SK}_{{CR}_j})⟼\left({CT}_1\right)$

The transmitting controller ${CR}_t$ performs the following operations:

• Access Policy Setup: An access policy $𝒯$ is established, and a polynomial $q_x$ is assigned to each node $x$ (including leaf nodes) in the tree. Starting from the root node $R$, these polynomials are set in a top-down manner. The degree of each polynomial $q_x$ is defined as $d_x=k_x-1$, where $k_x$ is the threshold value for node $x$.
• Polynomial Definition: The value of the root node is initialised to a random number $s\in {\mathbb{Z}}_p$, so that $q_R\left(0\right)=s$. Additional points are then selected at random to fully define each polynomial $q_x$ within the tree. For non-root nodes $x$, the value $q_x\left(0\right)$ is set to $q_{parent\left(x\right)}\left(index\right(x\left)\right)$. In the access policy $𝒯$, let $Y$ represent the set of leaf nodes, denoted by ${\left\{q_y\left(0\right)\right\}}_{y\in Y}$.
• Ciphertext Generation: ${CR}_t$ selects an encryption key $key\in G_T$ and encrypts the plaintext $M$, resulting in $\tilde{C}=Enc\left(M, key\right)$. Subsequently, it computes $C_1=key·{e\left(g,g\right)}^{\alpha s}$, hashes the $key$ and $\tilde{C}$ as $\sigma =HMAC(key, \tilde{C}|\left|timestamp\right)$, and calculates $C_2=f^s=g^{s/\beta }$. The initial ciphertext is thus constructed as follows:

$${CT}_1=\left(\mathcal{T}, \tilde{C}=Enc\left(M, key\right),C_1=key·{e\left(g,g\right)}^{\alpha s}, C_2=f^s, {\left\{q_y\left(0\right)\right\}}_{y\in Y}, \sigma , timestamp\right).$$

• Transmission to Compute Node: Finally, ${CT}_1$ is transmitted to the ${CN}_t$ in the group for the second stage of encryption.

4.

Second Stage of Encryption: $CN.Encryption\left(PK,{CT}_1\right)⟼\left({CT}_2\right)$

In this phase, ${CN}_t$ receives ${CT}_1$ from ${CR}_t$. It then computes $C_y=g^{q_y\left(0\right)}$ and ${C_y}^{\prime }={H\left(att\right(y\left)\right)}^{q_y\left(0\right)}$ for each $y\in Y$. The second stage of ciphertext ${CT}_2$ is generated as follows:

$${CT}_2=\left(\mathcal{T},\tilde{C}, C_1, C_2, \forall y\in Y:C_y=g^{q_y\left(0\right)}, {C_y}^{\prime }={H\left(att\left(y\right)\right)}^{q_y\left(0\right)}, \sigma , timestamp\right)$$

In this format, ${CT}_2$ is fully encrypted and ready for secure transmission to the receiving ${CR}_r$ or for storage in a data base.

5.

Verification of Message Source

First, ${CN}_r$ selects a random number $b\in {\mathbb{Z}}_p$ and retrieves the group public key ${gpk}_t$ of the transmitting group. It then computes $B={\left({gpk}_t\right)}^b=g^{b{u}_t}$ and sends $B$ to ${AA}_t$.

Next, ${AA}_t$ verifies whether a message has been sent to ${CN}_r$. If the verification is successful, ${AA}_t$ computes $C^{\prime }=B^{1/u_t}$ and returns $C^{\prime }$ to the ${CN}_r$. Upon receiving $C^{\prime }$, ${CN}_r$ calculates $C=g^b$ and verifies whether $C\stackrel{?}{=}{C}^{\prime }$. If $C=C^{\prime }$, the message is confirmed to originate from ${AA}_t$, and the decryption process proceeds. Otherwise, the message is rejected as $\perp$.

6.

Proxy Key Generation: $CR.token({SK}_{{CR}_r}, t)⟼\left({tk}_{{CR}_r}\right)$

After ${CN}_r$ verifies the authenticity of the message source, ${CR}_r$ generates a proxy key ${tk}_{{CR}_r}$ to facilitate secure decryption. ${CR}_r$ selects a random number $t\in {\mathbb{Z}}_p$, ensuring the uniqueness and confidentiality of the proxy key. The composition of ${tk}_{{CR}_r}$ is as follows:

$${tk}_{{CR}_r}=\left(D^t=g^{(\alpha +r_k)\beta t}, \forall l\in {\mathbb{U}}_l: {D_l}^t={\left({g^{r_k}H\left(l\right)}^{r_l}\right)}^t, {{D_l}^{\prime }}^t={\left(g^{r_l}\right)}^t\right)$$

Finally, ${tk}_{{CR}_r}$ is sent to ${CR}_r$ to perform the first stage of decryption.

7.

First Stage of Decryption: $CN.Decryption({CT}_2, {tk}_{{CR}_r})⟼\left(IDM\right)$

Using the proxy key ${tk}_{{CR}_r}$, which corresponds to the attribute set $S$, ${CN}_r$ executes this algorithm to decrypt ${CT}_2$. The decryption process is designed as a recursive algorithm.

• If a node $x$ is a leaf node, its attribute is assigned as $i=att\left(x\right)$. If $i\in S$, meaning that the attribute satisfies access policy for that leaf node, the decryption is computed as follows:

$$\begin{array}{ll}{F}_z& =DecryptNode\left({CT}_2,{tk}_{{CR}_r}, x\right)\\ & ={\displaystyle \frac{e\left({D_i}^t, C_x\right)}{e\left({{D_i}^{\prime }}^t, {C_x}^{\prime }\right)}}\\ & ={\displaystyle \frac{e\left({\left({g^{r_k}H\left(u_i\right)}^{r_i}\right)}^t, g^{q_x\left(0\right)}\right)}{e\left({\left(g^{r_i}\right)}^t, {H\left(u_i\right)}^{q_x\left(0\right)}\right)}}\\ & ={\displaystyle \frac{{e\left(g^{r_k}{H\left(u_i\right)}^{r_i}, g^{q_x\left(0\right)}\right)}^t}{{e\left(g, H\left(u_i\right)\right)}^{t{r}_i{q}_x\left(0\right)}}}\\ & ={\displaystyle \frac{{e\left(g^{r_k}, g^{q_x\left(0\right)}\right)}^t{e\left({H\left(u_i\right)}^{r_i}, g^{q_x\left(0\right)}\right)}^t}{{e\left(g, H\left(u_i\right)\right)}^{t{r}_i{q}_x\left(0\right)}}}\\ & ={\displaystyle \frac{{e\left(g,g\right)}^{t{r}_k{q}_x\left(0\right)}{e\left(H\left(u_i\right), g\right)}^{t{r}_i{q}_x\left(0\right)}}{{e\left(g, H\left(u_i\right)\right)}^{t{r}_i{q}_x\left(0\right)}}}\\ & ={e(g,g)}^{t{r}_k{q}_x\left(0\right)}.\end{array}$$

(2)

If $i\notin S$, the output is $\perp$, indicating that the node cannot be decrypted.

• For a non-leaf node $x$, the decryption of each child $z$ is computed recursively. For each child node $z$, the function $DecryptNode({CT}_2,{tk}_{{CR}_r},z)$ is called, and the result is stored as $F_z$. Define $S_x$ as a subset of child nodes of size $k_x$ for which $F_z\ne \perp$. If no such subset exists, set $F_x=\perp$. If a valid subset $S_x$ is found, compute $F_x$ using the Lagrange interpolation method as follows:

$$\begin{array}{ll}{F}_x& ={\displaystyle \prod _{z\in S_x}}{F_z}^{{∆}_{i,{s_x}^{\prime }}\left(0\right)}, where i=index\left(z\right), {s_x}^{\prime }=\left\{index\left(z\right): z\in S_x\right\}\\ & ={\displaystyle \prod _{z\in S_x}}{\left({e\left(g,g\right)}^{rt{q}_z\left(0\right)}\right)}^{{∆}_{i,{s_x}^{\prime }}\left(0\right)}\\ & ={\displaystyle \prod _{z\in S_x}}{\left({e\left(g,g\right)}^{r{tq}_{parent\left(z\right)}\left(index\left(z\right)\right)}\right)}^{{∆}_{i,{s_x}^{\prime }}\left(0\right)}\\ & ={\displaystyle \prod _{z\in S_x}}{e\left(g,g\right)}^{rt{q}_x\left(i\right)·{∆}_{i,{s_x}^{\prime }}\left(0\right)}={e\left(g,g\right)}^{{tr}_k{q}_x\left(0\right)}.\end{array}$$

(3)

Here, ${∆}_{i,{s_x}^{\prime }}\left(0\right)$ denotes the Lagrange interpolation coefficients. The result $F_x$ represents a partially decrypted value for the non-leaf node. At the root node $\mathit{R}$, if the attributes of CR satisfy the entire access structure, the $IDM$ is computed. This $IDM$ is subsequently returned to ${CR}_r$ to complete the recovery the plaintext.

$$\begin{array}{ll}IDM& =DecryptNode\left({CT}_2,{tk}_{{CR}_r},R\right)\\ & ={e\left(g,g\right)}^{rt{q}_R\left(0\right)}\\ & ={e(g,g)}^{t{r}_{k}s}.\end{array}$$

(4)

8.

Second Stage of Decryption: $CR.Decryption({CT}_2, IDM, t)⟼\left(M\right)$

After receiving the $IDM$, ${CR}_r$ proceeds with the algorithm to recover the plaintext $M$. First, it computes the inverse of the random number $t$, denoted as $1/t$, which was initially generated during the proxy key generation phase. Then, the $key$ recovery process is carried out as follows:

$$\begin{array}{ll}key& ={\displaystyle \frac{C_1}{e\left(C_2,D\right)/{{\left(e\right(g,g)}^{{tr}_{k}s})}^{\frac{1}{t}}}}\\ & ={\displaystyle \frac{key·{e(g,g)}^{\alpha s}}{e(g^{\frac{s}{\beta }},g^{(\alpha +r_k)\beta })/{e(g,g)}^{r_{k}s}}}.\end{array}$$

(5)

Using the $key$, ${CR}_r$ can decrypt the ciphertext and retrieve the plaintext $M$ by employing a symmetric decryption algorithm:

$$M=Dec\left(\tilde{C}, key\right).$$

Finally, ${CR}_r$ verifies the correctness of the decryption result using the following operation:

$$HMAC(key, \tilde{C}|\left|timestamp\right)\stackrel{?}{=}\sigma .$$

6. Analysis of Schemes

6.1. Proof of Correctness

The proposed scheme incorporates message verification, a decryption process, and the use of a proxy key to ensure data confidentiality and integrity. The correctness of the proposed scheme is demonstrated as follows.

6.1.1. Verification of Message Source

To ensure the authenticity of the message source, the receiving CN, labelled ${CN}_r$, initiates a verification process. First, ${CN}_r$ selects a random number $b\in {\mathbb{Z}}_p$ and retrieves the group public key ${gpk}_t$, which is generated during the System Setup phase. Then, ${CN}_r$ computes the value $B={\left({gpk}_t\right)}^b={\left(g^{u_t}\right)}^b=g^{b{u}_t}$. Next, ${CN}_r$ transmits $B$ to ${AA}_t$.

Upon receiving $B$, ${AA}_t$ verifies whether a message has been sent to ${CN}_r$. If so, it computes $C^{\prime }=B^{1/u_t}={{(g}^{b{u}_t})}^{1/u_t}=g^b$. This operation effectively reverses the exponentiation by $u_t$, thus isolating the original random value $g^b$.

Finally, ${CN}_r$ compares $C\stackrel{?}{=}{C}^{\prime }$. If the values match, then the message is confirmed as being sent by ${AA}_t$; otherwise, it is deemed unverified, and further actions are halted.

6.1.2. Ciphertext for the Second Stage of Decryption

In the $CR.Decryption$ algorithm, ${CN}_r$ computes $IDM={e\left(g,g\right)}^{t{r}_{k}s}$. In Equation (6), the $IDM$ contains both the desired decryption information and the random element $t$, which must be isolated to proceed with decryption. To separate $t$ from the $IDM$, ${CN}_r$ determines the inverse of $t$, denoted as $1/t$. By applying this inverse to the $IDM$, it is computed as follows:

$$\begin{array}{ll}{IDM}^{{\displaystyle \frac{1}{t}}}& ={{\left(e\right(g,g)}^{{tr}_{k}s})}^{{\displaystyle \frac{1}{t}}}\\ & ={e(g,g)}^{r_{k}s}.\end{array}$$

(6)

Then,

$$\begin{array}{ll}key& ={\displaystyle \frac{C_1}{e\left(C_2,D\right)/{IDM}^{\frac{1}{t}}}}\\ & ={\displaystyle \frac{key·{e\left(g,g\right)}^{\alpha s}}{e\left(g^{\frac{s}{\beta }},g^{\left(\alpha +r_k\right)\beta }\right)/{e\left(g,g\right)}^{r_{k}s}}}\\ & ={\displaystyle \frac{key·{e\left(g,g\right)}^{\alpha s}}{{e\left(g,g\right)}^{\frac{s}{\beta }\ast \left(\alpha +r_k\right)\beta }/{e\left(g,g\right)}^{r_{k}s}}}\\ & ={\displaystyle \frac{key·{e\left(g,g\right)}^{\alpha s}}{{e\left(g,g\right)}^{\alpha s+r_{k}s}/{e\left(g,g\right)}^{r_{k}s}}}\\ & ={\displaystyle \frac{key·{e\left(g,g\right)}^{\alpha s}}{{e\left(g,g\right)}^{\alpha s+r_{k}s-r_{k}s}}}\\ & ={\displaystyle \frac{key·{e(g,g)}^{\alpha s}}{{e(g,g)}^{\alpha s}}}.\end{array}$$

(7)

Therefore, the correctness of the second stage of ciphertext has been demonstrated.

6.2. Security Analysis

In this work, we provide a formal proof and analysis based on a defined security model. In this model, all AAs are fully trusted entities responsible for generating and distributing keys, as well as managing access attributes. Their trustworthiness is crucial to maintaining the integrity and security of the system. On the other hand, CNs are considered semi-trusted. While CNs are expected to accurately perform computational tasks outsourced by the CR, such as encryption and decryption, they may attempt to collect sensitive information during the process. This semi-trusted assumption reflects real-world scenarios where computational resources at the edge of the network might not be entirely under the system’s control.

To address these challenges, the proposed model incorporates the following:

• Data Confidentiality: Ensuring sensitive data remain secure, even if CNs attempt to extract information.
• Operational Integrity: Verifying the authenticity and correctness of CN operations without revealing critical private keys.
• Decentralisation: Reducing dependency on centralised authorities, such as a CA, thereby minimising single points of failure and enhancing system flexibility.

By addressing these considerations, the model provides a robust foundation for secure and efficient access control in resource-constrained IoT environments. In the following sections, we present the security analysis of the proposed scheme, demonstrating its resistance to potential attacks under CPA scenarios and the DBDH assumption.

Theorem 1. 

Assuming the DBDH assumption holds, the proposed decentralised CP-ABE scheme with key generation is secure against CPA. The ciphertext generated during the decentralised key generation process is indistinguishable from a random element in $G_T$ , as the adversary lacks the necessary attributes to satisfy the access policy, ensuring data confidentiality against unauthorised access.

Proof of Theorem 1. 

Suppose there exists an adversary $\mathcal{A}$ that can break the CPA security of the proposed decentralised CP-ABE scheme with key generation with a non-negligible advantage $\mathsf{ϵ}$. We construct a challenger $\mathcal{C}$ to break the DBDH assumption using $\mathcal{A}$’s advantage. □

Let $e: \mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$ be a bilinear map, where $\mathbb{G}$ is a cyclic group of prime order $p$ with generator $g$. The challenger $\mathcal{C}$ begins by randomly selecting $a, b, c \in {\mathbb{Z}}_p$, $\mu \in \{0, 1\}$, and $R\in {\mathbb{G}}_T$. Based on the value of $\theta$, $\mathcal{C}$ constructs the tuple $\left(g, A, B, C, R\right)$ as follows:

• If $\mu =0$, then the tuple is set to $\left(g, A, B, C, R\right)=(g, g^a, g^b, g^c, {e(g,g)}^{abc})$, representing a valid DBDH instance.
• If $\mu =1$, then the tuple is set to $\left(g, A, B, C, R\right)=(g, g^a, g^b, g^c, R)$, where $R$ is a random element in ${\mathbb{G}}_T$.

• Setup

The challenger $\mathcal{C}$ selects two numbers $\rho , \theta \in {\mathbb{Z}}_p$ and defines $\alpha =\rho +ab$ and $\beta =\theta$. Then, $\mathcal{C}$ computes the public key as $PK={e(g,g)}^{\alpha }={e(g,g)}^{\rho }·{e(g,g)}^{ab}$, and $h=g^{\beta }=g^{\theta }$. Finally, $\mathcal{C}$ provides $PK$ to $\mathcal{A}$.

2.

Phase 1

$\mathcal{A}$ queries $\mathcal{C}$ for private keys corresponding to specific attribute sets $S$. For each queried attribute $i\in S$, $\mathcal{C}$ generates the private key $SK$ with the following components: $D=g^{(a+r)b}$, $D_i=g^r{H_1\left(i\right)}^{r_i}$, and ${D_i}^{\prime }=g^{r_i}$, where $r,r_i\in {\mathbb{Z}}_p$ are randomly selected values. After computing these components, $\mathcal{C}$ constructs $SK$ and provides it to $\mathcal{A}$.

3.

Challenge

$\mathcal{A}$ submits two equal-length plaintexts $M_0$ and $M_1$, along with an access policy $\mathcal{T}$, to $\mathcal{C}$. The submitted access policy $\mathcal{T}$ must not be satisfiable by any of the attribute sets for which $\mathcal{A}$ queried private keys in the previous phase. $\mathcal{C}$ randomly selects a bit $\mu \in \{0,1\}$, encrypts the plaintext $M_{\mu }$ under the access policy $\mathcal{T}$, and selects a random number $s\in {\mathbb{Z}}_p$, setting $c=s$. The challenge ciphertext ${CT}^{\ast }$ under ${\mathcal{T}}^{\ast }$ is then computed as $C_1=M_{\mu }·{e\left(g,g\right)}^{\alpha s}=M_{\mu }·{e\left(g,g\right)}^{\left(\rho +ab\right)c}=M_{\mu }·{e\left(g,g\right)}^{\rho c}·R$ and $C_2=f^s=f^c$. The goal of $\mathcal{A}$ in the subsequent phase is to determine the value of $\mu$, thereby distinguishing whether the ciphertext corresponds to $M_0$ or $M_1$.

4.

Phase 2

The phase is identical to Phase 1.

5.

Guess

$\mathcal{A}$ outputs a guess ${\mu }^{\prime }\in \{0,1\}$, attempting to determine whether the challenge ciphertext ${CT}^{\ast }$ corresponds to the plaintext $M_0$ or $M_1$. $\mathcal{C}$ uses $\mathcal{A}$’s guess ${\mu }^{\prime }$ to decide whether the input tuple $\left(g,A,B,C,R\right)$ provided during the setup corresponds to a valid DBDH instance $(\mu =0)$ or a random tuple $(\mu =1)$.

If $\mu =0$, then the tuple $\left(g,A,B,C,R\right)=(g,g^a,g^b,g^c,{e(g,g)}^{abc})$ represents a valid DBDH instance, and ${CT}^{\ast }$ is computed using $M_0$. The probability that $\mathcal{A}$ correctly identifies $\mu =0$ is as follows:

$$\mathit{Pr}\left[{\mu }^{\prime }=\mu | \mu =0\right]={\displaystyle \frac{1}{2}}+ϵ.$$

If $\mu =1$, then the tuple $\left(g,A,B,C,R\right)=(g,g^a,g^b,g^c,R)$, where $R$ is a random element in ${\mathbb{G}}_T$ and does not correspond to a valid DBDH instance, and ${CT}^{\ast }$ is computed using $M_1$. The probability that $\mathcal{A}$ correctly identifies $\mu =1$ is as follows:

$$\mathit{Pr}\left[{\mu }^{\prime }=\mu | \mu =1|\right]={\displaystyle \frac{1}{2}}+ϵ.$$

The overall probability of $\mathcal{A}$ successfully guessing $\mu$ is the average of these two cases:

$$\mathit{Pr}\left[{\mu }^{\prime }=\mu \right]={\displaystyle \frac{1}{2}}\left(\mathit{Pr}\left[{\mu }^{\prime }=\mu \right|\mu =0\right]+\mathit{Pr}\left[{\mu }^{\prime }=\mu \right|\mu =1])={\displaystyle \frac{1}{2}}+ϵ.$$

The advantage of $\mathcal{A}$ in distinguishing whether ${CT}^{\ast }$ corresponds to $M_0$ or $M_1$ is defined as follows:

$${Adv}_{\mathcal{A}}=\mathit{Pr}\left[{\mu }^{\prime }=\mu \right]-{\displaystyle \frac{1}{2}}=ϵ.$$

If $\mathcal{A}$ achieves a non-negligible advantage $ϵ$, then $\mathcal{C}$ can use $\mathcal{A}$’s output to distinguish between a valid DBDH instance and a random tuple. The probability of $\mathcal{C}$ successfully breaking the DBDH assumption is as follows:

$${Adv}_{\mathcal{C}}={\displaystyle \frac{{Adv}_{\mathcal{A}}}{2}}={\displaystyle \frac{ϵ}{2}}.$$

This concludes the proof that the proposed scheme is CPA-secure under the DBDH assumption.

7. Performance Analysis

This section provides a comparative analysis of the literature on decentralised and outsourced CP-ABE in terms of functionality and performance.

7.1. Property Comparison

A functional analysis of Refs. [18,29,30,31] is presented in

Table 2. Comparison of schemes properties.

Scheme	[18]	[29]	[30]	[31]	Ours
Outsourcing	✔	✔	✔	✔	✔
Secure Key Distribution	✘	✔	✔	✘	✔
Decentralisation	✘	✘	✘	✘	✔
Multi-Authority	✘	✔	✔	✘	✔

Note: “✔” indicates the presence of a property, while “✘” indicates its absence.

. To achieve decentralisation, these systems are designed without a central CA entity. Instead, the Joint-Shamir Random Secret Sharing method is used to issue $PK$ and each group’s ${MK}_i$. Each CR’s attribute key is generated by the AA of its respective group, thereby reducing both the computational load and the complexity involved in key generation and management.

In our proposed scheme, the absence of a CA enables message source verification through the Diffie–Hellman key exchange. If ${AA}_t$ cannot compute $C^{\prime }=B^{1/u_t}$, then this indicates that the message did not originate from ${AA}_t$.

Before transmission, the message is symmetrically encrypted with a key, which is then encapsulated by an access policy. During decryption, a proxy key is generated by the CR to prevent the exposure of the attribute key ${SK}_{{CR}_j}$ to other devices, thereby reducing the security risks associated with key delegation. The $IDM$ returned by ${CN}_r$ includes the random number $t$, which is computationally challenging to invert because of the discrete logarithm problem. This ensures that only the CR responsible for generating the proxy key can reconstruct it, effectively minimising the risk of information leakage.

7.2. Efficiency Analysis

7.2.1. Theoretical Analysis

To evaluate the performance of our proposed scheme, we compare it with Refs. [18,29,30,31]. These schemes utilise outsourced computation to assist resource-limited devices with encryption and decryption tasks. A summary of the relevant details is provided in

Table 3. Comparison of computation overhead.

Scheme	[18]	[29]	[30]	[31]	Ours
Key Generation	$(2\left|A_u\right|+5)G_0$	$\left(2\left|A_u\right|+3\right)G_0+G_T$	$(2\left|A_u\right|+4)G_0$	$(2\left|A_u\right|+4)G_0$	$(2\left|A_u\right|+3)G_0$
Encryption	$3G_0+G_T$	$G_T$	$4G_0\left(\left|A_C\right|+1\right)$	$\left(2\left|A_C\right|+4\right)G_0+G_T+C_e$	$G_0+G_T$
Outsourced Encryption	$2\left|A_C\right|G_0$	$\left(2\left|A_C\right|+1\right)G_0+G_T$	${5G}_0+G_T$	${3G}_0$	$2\left|A_C\right|G_0$
Proxy Key	$G_0$	$(2\left|A_u\right|+1)G_0$	-	-	$(2\left|A_u\right|+1{)G}_0$
Outsourced Decryption	$\left|S\right|\left(2C_e+G_T\right)+3C_e$	$\left|S\right|\left(3C_e+G_T\right)+C_e$	$2C_e\left(\left|S\right|+1\right)+\left|S\right|G_T$	$3C_e+2G_T$	$\left|S\right|(2C_e+G_T)$
Decryption	$G_T$	$G_T$	$C_e$	$\left|S\right|\left(2C_e+G_T\right)+C_e$	$C_e+G_T$

“-” indicates that the scheme is not applicable.

.

In Table 3, $C_e$ represents the bilinear pairing operation, $G_0$ denotes the exponentiation operation in ${\mathbb{G}}_0$, and $G_T$ denotes the exponentiation operation in ${\mathbb{G}}_T$, while addition, multiplication, and division operations are disregarded. $\left|A_u\right|$ indicates the number of attributes associated with a CR, $\left|A_C\right|$ represents the number of attributes in the ciphertext, and |S| denotes the minimum authorised set S that satisfies the access policy. The rows in Table 3 outline the computational overheads for the AA’s key generation, the CR’s encryption, the CN’s encryption, the CR’s token generation, the CN’s decryption, and the CR’s decryption. A dash (–) signifies cases where the corresponding algorithm is not available.

7.2.2. Simulation Experiments

The experiment was conducted using the IntelliJ IDE with code based on the Java pairing-based cryptography library. Simulations were performed on a system equipped with an i5-6500 CPU @3.2 GHz, 16 GB of memory, and Windows 10. The computation times, measured in seconds, were evaluated for the algorithms $AA.KeyGen$, $CR.Encryption$, $CN.Encryption$, $CR.token$, $CN.Decryption$, and $CR.Decryption$, excluding communication time. According to the theoretical analysis in Table 2, Refs. [18,29] include outsourcing and proxy key generation as critical components of their schemes. These features significantly influence computational overhead and efficiency, making them key subjects for comparison. As a result, the evaluation of proxy key generation is limited to these two schemes.

Figure 3 provides a detailed analysis of the computation overhead for key processes in our scheme. In Figure 3a, the computation time for key generation is depicted, where the x-axis represents the number of attributes, and the y-axis shows the computation overhead. Figure 3b illustrates the encryption process, with the x axis indicating the number of encrypted attributes and the y axis displaying the computational overhead. It is observed that the CR’s encryption time increases slightly as the number of attributes grows, mainly because of the additional time required to generate share values for access tree leaves, while Lagrange interpolation minimally affects the overall decryption time. Figure 3c shows the decryption time, including $CR.token$, $CN.Decryption$, and $CR.Decryption$. Notably, the CR’s decryption time remains constant rather than increasing linearly, highlighting the scheme’s efficiency and suitability for resource-constrained devices.

Figure 4 compares the time consumed for key generation, encryption, and decryption between our scheme and those in Refs. [18,29,30,31]. In Figure 4a, the key generation time of our scheme is higher than that of [29] but lower than those of [18,30,31]. Although the theoretical analysis in Table 3 predicts the lowest computation time for our scheme, the observed results reveal a slight discrepancy primarily caused by the hash operation. Each attribute undergoes a hash operation before exponentiation, with an average time of 21.752 ms per operation. As the number of attributes increases, the cumulative cost of these hash operations results in a slightly higher key generation time when compared to [29], which delegates most hash computations to the CA in order to reduce the computational burden on the attribute authority. Moreover, this analysis is further supported by

Table 4. Execution time of different cryptographic operations.

Operator	Hash	${\mathit{G}}_0$	${\mathit{G}}_{\mathit{T}}$	${\mathit{C}}_{\mathit{e}}$
Execution Time	21.752 ms	13.006 ms	1.088 ms	7.82 ms

, which presents the execution times of various cryptographic operations used in the scheme. The table demonstrates how the execution time of each operation—such as hashing, exponentiation, and bilinear pairing—impacts the overall performance.

In Figure 4b, a similar trend is observed for key generation: our scheme’s computation time is higher than that of [29] but lower than those of [18,30,31]. Theoretically, the combined time for encryption and outsourcing in our scheme should be faster than that in [29] by one $G_T$ operation. However, the inclusion of $H\left(att\right)$ calculations slightly increases the total time as the number of attributes grows, contributing to the observed performance differences. Reference [29] leverages the public parameter of the attribute to offload the majority of the computational workload to the CA. While this design effectively reduces the computational burden, it results in a high dependency on the CA, which may raise concerns regarding scalability and decentralisation in certain application scenarios.

In Figure 4c, we compare our scheme with the studies of [18,29], as the other schemes do not support proxy key generation. The proxy key generation time for our scheme falls within the middle range, influenced by variations in proxy key generation methods. Although scheme [18] achieves faster execution, requiring only a single $G_0$ operation, it does so by modifying only the $D$ component while keeping other components unchanged, which increases a potential risk of key leakage. In contrast, both our scheme and the study of [29] introduce randomness into each component, significantly enhancing security. This added security measure results in a decryption time that is higher than that of [18] but lower than that of [29], achieving a balance between performance and security.

In Figure 4d, our scheme exhibits superior efficiency in decryption time, achieving lower computational overhead compared to other schemes while maintaining strong security guarantees. Although its decryption time is comparable to that of scheme [18], as shown in Figure 3c, it is important to note that the decryption time includes both the CN’s and CR’s decryption processes. In our scheme, the majority of the decryption workload is offloaded to the CN, thereby significantly reducing the burden on resource-constrained devices. Moreover, our scheme optimises bilinear pairing operations, further enhancing decryption efficiency without compromising access control security. It is also observed that the decryption time of [29] increases sharply, primarily due to the introduction of an additional pairing computation for each element in the set $\left|S\right|C_e$. This extra operation, designed to enable outsourced decryption and enhance key security, results in a noticeably higher decryption overhead compared to our scheme.

Figure 5 illustrates the relationship between the number of attributes and the size of attribute keys across various schemes. As shown, our proposed scheme, along with [18,29,30], exhibits relatively low key storage overhead, maintaining compact key sizes as the number of attributes increases. In contrast, the study of [31] incurs notably higher storage overhead due to its key structure comprising two distinct components: one for attribute-based access control, and the other for the keyword matching key. This dual structure significantly increases the overall storage requirements.

In summary, although our scheme may not afford the fastest execution time, it offers significant advantages in terms of security, flexibility, and scalability. By incorporating randomness, it reduces the risk of key leakage, while its architecture, which is designed to operate without a CA, simplifies key management and reduces costs. Traditional CA-based systems often face challenges such as centralised control, single points of failure, scalability issues, and increased operational overhead, making them less suitable for dynamic and distributed environments. In contrast, our scheme eliminates these limitations, serving as an adaptable and efficient multi-scenario framework for strategic alliances or conglomerates. It enables secure and efficient access control and resource sharing across organisations. Under multi-attribute conditions, it effectively addresses the complexities of environments such as joint ventures and shared services, making it a robust solution for scenarios requiring both security and operational efficiency.

8. Conclusions and Future Work

In this paper, we proposed a decentralised CP-ABE scheme designed to achieve secure and efficient access control in resource-constrained IoT environments. By leveraging data outsourcing, our scheme assists IoT end devices with computationally intensive encryption and decryption tasks, ensuring data confidentiality and integrity. By eliminating a central certificate authority, our architecture simplifies key management, reduces dependency on centralised entities, and enhances system flexibility.

Although experimental results indicate that the proposed scheme does not achieve the shortest execution time across all phases, it offers significant advantages in security, scalability, and adaptability. The incorporation of randomisation within proxy keys effectively reduces the risk of key leakage, providing robust protection against potential attacks. Furthermore, the scheme performs exceptionally well in multi-attribute environments, making it highly suitable for complex IoT applications, such as smart cities, emergency rescue operations, and industrial automation.

Nonetheless, to ensure the scheme’s long-term viability in the face of evolving cryptographic challenges—particularly those posed by quantum computing—further attention to post-quantum resilience is imperative.

8.1. Quantum Threat Scenarios

Given the pace of quantum computing development, it is essential to assess the resilience of cryptographic schemes under various quantum threat models. Accordingly, we evaluate the potential impact on our proposed scheme across three-time horizons: short-term (0–5 years), mid-term (5–10 years), and long-term (10+ years), along with corresponding mitigation strategies.

• Short-Term (5 Years)

At present, quantum hardware remains limited in terms of qubit count, stability, and error correction. Consequently, quantum attacks such as those enabled by Shor’s algorithm remain computationally infeasible for breaking elliptic curve cryptography (ECC) or ABE [37,38]. Accordingly, the proposed is expected to remain secure throughout this period. Nonetheless, incremental progress in quantum computing merits close attention, as unforeseen breakthroughs could significantly alter this projection.

2.

Mid-Term (5–10 Years)

As quantum processors become increasingly viable, the practical implementation of Shor’s algorithm may begin to pose a genuine threat to classical public-key cryptographic schemes. This development could eventually enable the compromise of cryptographic protocols based on discrete logarithms and factoring assumptions. In parallel, Grover’s algorithm raises a separate concern for symmetric cryptography, as it offers a quadratic speed-up over classical brute-force search [39]. This reduction in complexity effectively lowers the security of symmetric algorithms, necessitating the use of longer symmetric keys to maintain adequate levels of protection [40].

During this transitional phase, the adoption of hybrid cryptographic frameworks is strongly recommended. Such frameworks may combine classical public-key algorithms (e.g., ECC) with post-quantum key encapsulation mechanisms. These hybrid designs facilitate a gradual migration towards quantum-resilient infrastructures while maintaining interoperability with existing systems and standards [41].

3.

Long-Term (10 Years+)

In a scenario where large-scale, fault-tolerant quantum computers become a reality, public-key schemes based on the discrete logarithm and factoring problems—such as bilinear pairings—will become obsolete. Ensuring long-term security will therefore require the migration to fully post-quantum attribute-based encryption schemes, including those constructed on lattice-based or code-based cryptographic [42,43,44]. System designs must therefore remain adaptable to accommodate emerging standards and algorithms, thus ensuring resilience against increasingly advanced quantum adversaries.

8.2. Transitioning Towards Post-Quantum Cryptography

In light of the threat scenarios outlined in Section 8.1, the integration of post-quantum cryptographic techniques constitutes a key aspect of our future work [41,42,43,44]. In particular, we aim to explore hybrid key encapsulation mechanisms, such as HQC [45] and CRYSTALS-Kyber [38], which have been selected by the National Institute of Standards and Technology (NIST) as part of its fourth-round and third-round post-quantum cryptography standardisation process, respectively. These mechanisms offer a practical pathway towards the implementation of fully post-quantum schemes once standardisation is complete and widespread adoption is achieved. This dual-layer encryption provides immediate protection against emerging quantum threats while preserving interoperability with existing systems.

As the standardisation of post-quantum cryptographic algorithms continues to progress under the guidance of the NIST, the ability to dynamically integrate or coexist with post-quantum cryptography components becomes increasingly critical for large-scale and long-term deployments. However, post-quantum schemes are often associated with increased computational and communication overhead [46]. Consequently, future research will investigate lightweight post-quantum cryptographic variants and explore offloading strategies to edge or fog nodes, thereby enhancing the practicality and sustainability of hybrid mechanisms in resource-constrained IoT devices.

8.3. Further Research Directions

Future work will concentrate on further reducing the computational overhead associated with both encryption and decryption, by adopting lightweight cryptographic primitives and exploring the use of hardware acceleration. These optimisations aim to enhance the practicality of the proposed scheme for large-scale IoT deployments. In addition, we plan to refine fine-grained access control mechanisms by supporting dynamic attribute revocation, context-aware access policies, and adaptive access strategies. Improvements to multi-authority key management will also be investigated, with the goal of streamlining key distribution and enhancing scalability in collaborative environments.

To evaluate real-world performance, the scheme will be implemented on representative IoT hardware platforms—such as Raspberry Pi and edge computing devices—providing insights into its operational feasibility under constrained conditions. In parallel, ongoing research will focus on the development and integration of quantum-resistant ABE schemes, ensuring that future iterations of the framework remain secure in the face of advancing quantum capabilities.

8.4. Final Remarks

In summary, our proposed decentralised CP-ABE scheme offers a balanced solution that combines security, adaptability, and scalability across diverse IoT ecosystems. By proactively addressing short-, mid-, and long-term quantum threats while continually refining system performance, the scheme presents a viable and future-proof foundation for secure IoT access control in the quantum era.