Efficient Access Control for Video Anomaly Detection Using ABE-Based User-Level Revocation with Ciphertext and Index Updates

Abstract

With the widespread deployment of video surveillance systems, effective access control is essential to enhance the accuracy and security of video anomaly detection. This paper proposes a Searchable and Revocable Attribute-Based Encryption scheme (ABE-RS) that is specifically designed for dynamic video anomaly detection scenarios. By integrating a user management tree structure, attribute-based key distribution, and keyword grouping techniques, the proposed scheme enables efficient user-level revocation along with dynamic updates to ciphertexts and keyword indexes. Furthermore, an inverted index structure is introduced to accelerate keyword search, facilitating the rapid detection and retrieval of anomalous video events. Formal security analysis demonstrates that the scheme is secure against chosen plaintext attacks (CPAs) and chosen keyword attacks (CKAs). The experimental results demonstrate that the scheme maintains millisecond-level revocation efficiency in methodology involving 512 users and either 50 attributes or a thousand keywords.

1. Introduction

In modern data outsourcing systems, owing to the rapid development and popularization of video surveillance technology, video anomaly detection [1] and event recognition have become hot research directions in computer vision. These technologies are important in improving public safety and optimizing urban operations. However, with the dramatic increase in data volume and diversification of access requirements, ensuring the security and privacy of video data has become particularly critical [2]. Attribute-based encryption (ABE) and public key searchable encryption (PEKS) technologies have shown unique advantages in this context, enabling data owners to securely encrypt data based on specific user attributes [3] or predetermined access policies while ensuring the searchability of the encrypted content [4].

Although these encryption schemes offer flexible data access control, they face challenges in dynamic environments, especially when user attributes or permissions change frequently [5,6]. For example, in video surveillance, when abnormal behavior or significant events are detected [7], it is essential to rapidly update access rights and search conditions [8,9] so that only authorized users can access and analyze the relevant video clips. Traditional ABE and PEKS schemes often require re-encrypting data or updating encryption keys for all affected users, increasing system complexity [10] and reducing operational efficiency.

To address these issues, this paper proposes a new ciphertext and keyword index update mechanism, which could be especially important in the context of video anomaly detection and behavior understanding. We utilize a user-managed tree structure to efficiently handle attribute and keyword revocation and updates, allowing the methodology to respond quickly to dynamic needs without sacrificing security or flexibility. This approach mitigates the limitations of traditional ABE and PEKS schemes and enhances the search efficiency of encrypted video data using inverted indexing.

In addition, considering that video data may contain personal private and sensitive information [11], this paper also explores how to effectively protect video content and prevent unauthorized access and data leakage through fine-grained permission control and encryption technology. This is especially important for anomaly detection and behavior analysis in public safety fields [12,13,14] such as urban monitoring and traffic management systems.

The widespread use of video surveillance systems has intensified the need for effective video data access control and privacy protection. The increase in the use of cloud services further complicates this, as dynamic changes in user attributes and search permissions demand rapid responses. In this context, we face the following two primary challenges:

• Dynamic permission update. How do we update the ciphertext and keyword index in an efficient and timely manner without degrading the overall performance? In video surveillance systems, it is crucial to quickly adjust access rights after event detection.
• Data security and privacy protection. How do we maintain strong data security and privacy protection during user attribute or keyword revocation, especially in an untrusted third-party environment?

These challenges require us to not only optimize the encryption and index update mechanism but also ensure that we can handle the high-speed video data stream generated while protecting privacy.

Compared to existing ABE-based revocation schemes that typically support either attribute-level or keyword-level revocation independently, our approach integrates both of these mechanisms into a unified framework suitable for dynamic environments like video surveillance. Unlike prior works that rely on time synchronization, periodic re-encryption, or static policies, our scheme supports real-time revocation and efficient encrypted searching without significant computational overhead. Moreover, by combining a user management tree with an inverted index structure, we achieve fine-grained access control and improved revocation efficiency at both the attribute and keyword levels, which is rarely addressed in existing works.

The main contributions of this paper include the following:

• New revocation mechanism: We propose a new revocation method that combines the user management tree structure with attribute group key distribution and keyword grouping. This method is well-suited for dynamic access control in video surveillance systems, significantly reducing the overhead of attribute or keyword revocation.
• Improved search efficiency: By integrating an inverted index structure, we enhance the efficiency of searching encrypted video data. Additionally, the combination of the covering subset method and the user management tree simplifies user attribute management complexity.
• Enhanced security: The proposed fine-grained attribute and keyword revocation mechanism can quickly prevent unauthorized data access by revoked users, effectively strengthening data security in an untrusted third-party environment.

2. Related Work

In the domain of ABE, the dynamic and efficient revocation of users or attributes remains a significant challenge. Innovative CP-ABE schemes capable of immediate, rather than periodic, attribute revocation have been developed, as reported in [5,15]. The ABE framework is typically designed where attributes are shared among a group whose membership is in constant flux, underlining the need for robust revocation strategies.

In video data management [16], such attribute and keyword revocation mechanisms are particularly important for dynamically controlling access to video clips related to abnormal events [17,18,19], as seen in various surveillance applications including substations [7], remote monitoring via LoRaWAN [20], and smart home systems [21]. When a video analysis system detects a specific behavior pattern or an abnormal event, being able to quickly revoke or update permissions is critical to protecting the security and privacy of video content.

2.1. Attribute/User Revocation

The concept of attribute groups, introduced by Goyal et al. [22], enables fine-grained user revocation through a binary tree structure for managing group keys. Enhancements by Li et al. [15] and Cui et al. [23] improved efficiency. He et al. [24] addressed vulnerabilities in [22] related to collusion attacks and proposed a more secure scheme via binding user key segments. Fine-grained revocation is also supported by ABE with negation clauses, as seen in [25,26,27,28]. According to [5,29], even a single attribute group’s revocation can revoke access to the entire system. This is vital for applications like video anomaly detection and event recognition, where the dynamic control of video feed access is necessary. Efficient revocation that supports both attribute- and user-level revocations is crucial in real-world scenarios, as noted by Ghopur et al. [5], Chawla et al. [27], and Deng et al. [30].

2.2. Revocable Keyword Search

Revocable keyword search [31] is implemented in Scheme [32]; however, it requires time synchronization. To enhance flexibility and security, Wang et al. [33] proposed MD-AKS, which enabled revocable keyword search without trusted third parties or attribute-related overhead. This flexibility is critical in applications like video anomaly detection, where access to video segments needs rapid adjustment in response to real-time events. The techniques in [34,35] also involve re-encrypting the index, which requires synchronization between the owner and the user. Zhang et al. [36] introduced a public-key encryption scheme with ephemeral keyword search. This is especially relevant in video-based crowd analysis, where fast keyword updates are essential for monitoring crowd behaviors and detecting disruptive events. Ameri et al. [37] and others developed a time-controlled ABKS scheme for index encryption across multiple time intervals, though it does not prevent cloud servers from accessing the index without time information. Li et al. [38] introduced a DSSE scheme to enhance keyword search revocation with flexible shielding capabilities, ensuring robust privacy. Miao et al. [39] further enhanced keyword search revocation with a time-controlled scheme, which is vital for maintaining security in video surveillance systems.

2.3. Comparison with Existing Works

While many existing ABE schemes support revocation at either the user or attribute level, few provide a revocation for both attributes and keywords that simultaneously addresses dynamic ciphertext and index updates in applications such as video anomaly detection. Compared with schemes such as [24,31,35,37], which rely on time synchronization or re-encryption, our approach enables timely revocation and searchability without introducing heavy computational or synchronization overhead. Compared to revocation schemes using negation clauses [25,26,27,28], our approach achieves more efficient and flexible user-level revocation without modifying access policies. Compared with schemes that support user-level attribute revocation [15,23,30], our approach further introduces user-level keyword revocation. Under the post-search decryption model, our approach improves revocation efficiency and enhances security. In addition, few existing studies address revocable keyword searching, especially in combination with ABE techniques. Our approach introduces a novel use for the user management tree to revoke keyword index updates, while integrating an inverted index structure for efficient searching. This makes the proposed approach well-suited for accessing video surveillance data and revoking access to anomalies. The integration present in our methodology enables efficient user-level revocation and fine-grained keyword access control in dynamic security environments.

Organization: Section 3 covers the necessary preliminaries. Section 4 outlines the framework and security models. Section 5 provides a detailed construction of the proposed scheme. Section 6 presents the correctness and security analyses. Section 7 discusses the performance evaluation. Finally, Section 8 concludes the paper.

3. Preliminaries

3.1. Bilinear Pairings

Consider three cyclic groups ${\mathbb{G}}_1$, ${\mathbb{G}}_2$, and ${\mathbb{G}}_T$, each of prime order p. A bilinear map $e:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$ satisfies the following three conditions: (1) Bilinearity. For all elements $g_1\in {\mathbb{G}}_1$, $g_2\in {\mathbb{G}}_2$ and integers $a,b\in {\mathbb{Z}}_p$, The map must satisfy the following: $e({g_1}^a,{g_2}^b)=e{(g_1,g_2)}^{ab}$. (2) Non-degeneracy. The map is non-degenerate, meaning that $e(g_1,g_2)\ne 1$ for some pair $(g_1,g_2)$ in ${\mathbb{G}}_1\times {\mathbb{G}}_2$. (3) Computability. An efficient algorithm must exist to compute the pairing $e(g_1,g_2)$ in polynomial time.

3.2. LSSS

Let $U=\{u_1,u_2,\cdots ,u_n\}$ denote the set of attributes. A Linear Secret-Sharing Scheme (LSSS) $\Pi$ over the finite field ${\mathbb{Z}}_p$, where p is a prime number, is defined as follows:

(1) Each share linked to an attribute is represented as a vector in ${\mathbb{Z}}_p$.

(2) A matrix $\mathbb{M}\in {\mathbb{Z}}_p^{n\times h}$ exists, which generates the shares for $\Pi$. The mapping $\rho :\{1,\cdots ,n\}\to U$ associates each row of the matrix $\mathbb{M}$ with a specific attribute. Let the vector $\mathbf{v}={(s,r_2,\cdots ,r_h)}^{\top }$ represent the values, where $s\in {\mathbb{Z}}_p$ is the secret and $r_2,\cdots ,r_h\in {\mathbb{Z}}_p$ are randomly selected values. The shares of the secret s are obtained by computing the product $\mathbb{M}\mathbf{v}$. Each share ${\lambda }_i={\left(\mathbb{M}\mathbf{v}\right)}_i$ is assigned to the attribute corresponding to $\rho \left(i\right)$.

An LSSS is characterized by a fundamental linear reconstruction property [40]. Specifically, given an LSSS $\Pi$, an access structure A, and an authorized set $S\in A$, let $I=\{i:\rho (i)\in S\}$ represent the indices of the rows in $\mathbb{M}$ that correspond to the attributes in S, where $I\subset \{1,\dots ,n\}$. If the shares ${\lambda }_i$ are valid for the secret s, there exist constants ${\omega }_i\in {\mathbb{Z}}_p$ for each $i\in I$ such that the secret can be reconstructed by the following linear combination of shares: ${\sum }_{i\in I}{\omega }_i{\lambda }_i=s$.

3.3. BDH Assumption

The BDH problem in cryptography involves a bilinear group $\mathbb{G}$ with a generator g. Given $g^a,g^b,g^c\in {\mathbb{Z}}_p$, where $a,b,c$ are integers, The task is to compute $e{(g,g)}^{abc}$ in the target group ${\mathbb{G}}_T$. Alternatively, given $A=g^a,B=g^b,C=g^c$, compute $e{(A,B)}^c$.

An algorithm $\mathcal{A}$ is considered to have an advantage $\epsilon$ in solving the BDH problem if the success probability is defined by the following:

$$Pr[\mathcal{A}(p,\mathbb{G},{\mathbb{G}}_T,A,B,g^c)=e{(A,B)}^c]\ge \epsilon$$

(1)

The BDH assumption holds if, for all polynomial-time algorithms, $\epsilon$ is negligible, indicating the problem’s computational difficulty.

3.4. Attribute Group Key Distribution [41]

Consider $\mathcal{T}$ as a complete binary tree where each leaf node is assigned to a user from the set $\mathcal{U}=\{u_1,\cdots ,u_8\}$. As shown in Figure 1, The tree will be used to distribute attribute group keys to users in $\mathcal{U}$. Each user securely receives a path key from a leaf node to the root node of the tree. Given the set of revoked users $L=\{u_5,u_8\}$, we mark the nodes in $path\left(u_5\right)=\{v_1,v_3,v_6,v_{12}\}$ and $path\left(u_8\right)=\{v_1,v_3,v_7,v_{15}\}$. $Cover\left(L\right)$ is defined as $\{v_2,v_{13},v_{14}\}$. Unrevoked users are represented by the leaf nodes covered in $cover\left(L\right)$.

An example of the key revocation mechanism for attribute groups is as follows: if $u_1,u_2,u_3$ are associated with $\{x_1,x_2,x_3\}$, $\{x_2,x_3\}$, and $\{x_1,x_3\}$ ($x_i\in S_A$), respectively, The authority gives $G_{y_1}=\{u_1,u_3\}$, $G_{y_2}=\{u_1,u_2\}$, and $G_{y_3}=\{u_1,u_2,u_3\}$ to the data service manager.

4. Problem Formulation

In this section, we introduce the system model, define the proposed ABE-RS, and describe the security model. A summary of the commonly used notations can be found in

Table 1. Notations.

Notation	Description
$\mathcal{F}=\{M_1,M_2,M_3,\dots \}$	DO’s multiple video data.
$\mathit{uid}$	DU’s identity.
$S_A$	Attribute universe.
(${\mathit{ISK}}_{\mathit{uid}}$, ${\mathit{IPK}}_{\mathit{uid}}$)	$DU$’s ID key pair.
$S{K}_{S,uid}$	User–attributes secret key.
L	Revocation list.
${\mathit{CT}}_{\mathbb{M},L}$	Ciphertext of M encrypted by $DO$.
$C{T}_{\mathbb{M},L}^{\left(up\right)}$	Updated ciphertext.
$S_w$	Keywords set.
$I_w$	Index of keywords encrypted by $DO$.
$I_w^{\left(up\right)}$	Updated index.
${\mathit{AK}}_{\mathit{uid}}$	$DU$’s authorization key.
$T_w$	Trapdoor of keywords encrypted by $DU$.
$\mathsf{encode}$	Encoding algorithm $\mathbb{G}\to {\{0,1\}}^{lo{g}_p}$.
$\mathsf{decode}$	Decoding algorithm ${\{0,1\}}^{lo{g}_p}\to \mathbb{G}$.

.

4.1. System Model

As depicted in Figure 2, our system consists of the following four primary entities: Attribute Authority (AA), Data Owner (DO), Cloud Service Provider (CSP), and Data User (DU). A brief overview of each entity is provided as follows:

• AA: The AA is a trusted entity that generates both the public and private parameters required for the system. Additionally, it validates the user’s attribute set and issues the corresponding private key. The AA ensures that only legitimate users who satisfy the defined access control policies can access and process the video data, significantly enhancing both the accuracy and security of video anomaly detection.
• DO: The DO is responsible for uploading their data to the cloud service provided by the CSP. When uploading data, the DO clearly defines an access control policy tailored specifically to the video anomaly detection scenario and encrypts the data accordingly. A well-defined access control policy prevents unauthorized users from viewing sensitive anomalous events, thereby preserving the security and confidentiality of the anomaly detection process.
• CSP: The CSP stores the encrypted data uploaded by the DO. In this scheme, the CSP is assumed to be “curious but honest”, meaning it might have an interest in the stored video data but will strictly follow the defined access control protocol, ensuring no unauthorized decryption or data leakage occurs.
• DU: Each DU possesses a private key corresponding to its attribute set. Only when a non-revoked DU initiates a keyword-based query on video data can they successfully download and decrypt the latest encrypted video from the cloud, given their attributes precisely match the access control policy defined in the ciphertext.

4.2. Scheme Definitions

Consider $U=\{u_1,u_2,\cdots ,u_n\}$ as the set of users in the framework. Let $L=\{1,2,\cdots ,p\}$ represent the set of descriptive attributes. For each attribute i, define $G_i\subseteq U$ as the group of users possessing attribute i, which is called the attribute group. $G_i$ will serve as a list for granting or revoking access to attribute i. The collection of all such attribute groups is denoted by $G=\{G_1,G_2,\cdots ,G_p\}$. Finally, let $K_i$ be the key associated with the attribute group, shared by the users in $G_i$ who have not been revoked.

Definition 1.

• $\mathsf{Setup}(1^{\kappa },S_A)\to (\mathit{GP},\mathit{MSK})$. It takes the security parameter κ and the attribute universe $S_A$ as input, and it outputs a public parameter $\mathit{GP}$ and a master key $\mathit{MSK}$.
• $\mathsf{IdKgen}(\mathit{GP},\mathit{uid})\to ({\mathit{ISK}}_{\mathit{uid}},{\mathit{IPK}}_{\mathit{uid}})$. It takes as input the user identity uid with $GP$, and it outputs the id key pair $({\mathit{ISK}}_{\mathit{uid}},{\mathit{IPK}}_{\mathit{uid}})$.
• $\mathsf{AttKgen}(\mathit{GP},\mathit{MSK},S,\mathit{uid})\to S{K}_{S,uid}$. It takes an attributes set $S\subset S_A$, The uid, The GP, and the MSK as input, and it outputs the user–attributes secret key $S{K}_{S,\mathit{uid}}$.
• $\mathsf{EncML}(GP,m,\mathbb{M},L)\to C{T}_{\mathbb{M},L}$. It takes as input a message m, an access structure $\mathbb{M}$, and a revocation list L with GP, and it outputs the ciphertext $C{T}_{\mathbb{M},L}$
• $\mathsf{IdxEnc}(\mathit{GP},S_w)\to I_w$. It takes as input the keyword set $S_w$ with GP, and it outputs the keyword index set $I_w$.
• $\mathsf{AKgen}(\mathit{GP},\mathit{uid},{\mathit{ISK}}_{\mathit{uid}})\to {\mathit{AK}}_{\mathit{uid}}$. It takes as input the user identity $\mathit{uid}$ and secret key ${\mathit{ISK}}_{\mathit{uid}}$, together with $\mathit{GP}$, and it outputs an authorization key ${\mathit{AK}}_{\mathit{uid}}$.
• $\mathsf{Verify}({\mathit{AK}}_{\mathit{uid}},{\mathit{IPK}}_{\mathit{uid}})\to (0,1)$. It takes the authorization key ${\mathit{AK}}_{\mathit{uid}}$ and the public id key ${\mathit{IPK}}_{\mathit{uid}}$ as input; it returns 1 if the user’s authentication passes and 0 if it does not.
• $\mathsf{Trapdgen}(\mathit{GP},w^{\prime })\to T_w.$ It takes a search keyword $w^{\prime }$ with GP as input, and it outputs the trapdoor $T_w$.
• $\mathsf{Search}(T_w,I_w)\to (0,1)$. It takes the trapdoor $T_w$ and the index $I_w$ as input; it returns 1 if there is a match and 0 if there is not.
• $\mathsf{Dec}(\mathit{GP},{\mathit{CT}}_{\mathbb{M},L},{\mathit{SK}}_{S,\mathit{uid}})\to M$. It takes as input the ciphertext ${\mathit{CT}}_{\mathbb{M},L}$ and the secret key ${\mathit{SK}}_{S,\mathit{uid}}$ with GP, and it outputs the message M correctly if $S\in \mathbb{M}$ and $uid\notin L$.

Correctness. The proposed ABE-RS scheme is correct if $\mathsf{Verify}$, $\mathsf{Search}$, and $\mathsf{Dec}$ are successfully performed to recover the desired message M.

4.3. Security Model

(1) Message Confidentiality:

-

Setup: Challenger $\mathcal{C}$ executes $\mathsf{Setup}\left(1^{\kappa }\right)$ to obtain $(GP,MSK)$, subsequently transmitting $GP$ to adversary $\mathcal{A}$.

-

Phase-1: Adversary $\mathcal{A}$ may repeatedly query the oracle ${\mathcal{O}}_{\mathit{KeyGen}}(S_x,{\mathrm{uid}}_x)$ for $x\in [1,{\mathcal{U}}_1]$. In responding, $\mathcal{C}$ generates $S{K}_{{\mathrm{uid}}_x,S_x}\leftarrow \mathsf{KeyGen}(GP,MSK,S_x,{\mathrm{uid}}_x)$ and supplies $S{K}_{{\mathrm{uid}}_x,S_x}$ to $\mathcal{A}$.

-

Challenge: $\mathcal{A}$ presents $\mathcal{C}$ with $(m_0^{*},m_1^{*})$, ${\mathbb{M}}^{*}$, and $L^{*}$. None of the identity–attribute pairs $({\mathrm{uid}}_x,S_x)$ queried in Phase-1 can meet the criteria $S_x\in {\mathbb{M}}^{*}$ and ${\mathrm{uid}}_x\notin L^{*}$ concurrently. $\mathcal{C}$ selects q randomly from ${\{0,1\}}^{*}$, encrypts via $C{T}^{*}\leftarrow \mathsf{Encrypt}(GP,m_q,{\mathbb{M}}^{*},L^{*})$, and forwards $C{T}^{*}$ to $\mathcal{A}$.

-

Phase-2: $\mathcal{A}$ can query the oracle ${\mathcal{O}}_{\mathrm{KeyGen}}(S_x,{\mathrm{uid}}_x)$ as in Phase-1, where $x\in [{\mathcal{U}}_1+1,\mathcal{U}]$. Any of the queried identity–attribute pairs $({\mathrm{uid}}_x,S_x)$ in Phase-2 cannot satisfy $S_x\in {\mathbb{M}}^{*}$ and ${\mathrm{uid}}_x\notin L^{*}$ simultaneously.

$\mathcal{A}$ continues to access ${\mathcal{O}}_{\mathit{KeyGen}}(S_x,{\mathrm{uid}}_x)$ for x ranging from [${\mathcal{U}}_1+1,\mathcal{U}]$. Again, no queried identity–attribute pair $({\mathrm{uid}}_x,S_x)$ should meet the criteria $S_x\in {\mathbb{M}}^{*}$ and ${\mathrm{uid}}_x\notin L^{*}$ concurrently.

-

Guess: $\mathcal{A}$ outputs a bit $q^{\prime }$.

If $q^{\prime }=q$, then $\mathcal{A}$ is deemed to have won the game. $\mathcal{A}$’s advantage is quantified as follows:

$${\mathrm{Adv}}_{\mathcal{A}}=\left|Pr[q^{\prime }=q]-{\displaystyle \frac{1}{2}}\right|.$$

(2)

Definition 2

(IND-CPA secure). An ABE-RS scheme achieves indistinguishability under chosen plaintext attacks if the advantage ${\mathrm{Adv}}_{\mathcal{A}}$, defined as the probability that any probabilistic polynomial-time (PPT) adversary $\mathcal{A}$ successfully distinguishes between encryptions of two chosen plaintexts, is negligible.

(2) Index Confidentiality: Our ABE-RS scheme ensures CKA security, guaranteeing that no index information is disclosed without the corresponding trapdoor, as detailed in reference [42]. The static corruption of the authority limits the adversary’s capacity to query any decryption keys crucial for decrypting the challenge ciphertext within a feasible timeframe.

The CKA security setup between a probabilistic polynomial-time (PPT) attacker, $\mathcal{A}$, and a challenger, $\mathcal{C}$, is structured as follows:

-

Setup: $\mathcal{C}$ initializes the system by running the $\mathsf{Setup}\left(\lambda \right)$ algorithm, generating the global parameters $GP$ that are then shared with $\mathcal{A}$.

-

First Query Phase: During this phase, $\mathcal{A}$ makes a polynomial number of queries, which include the following:

(a)

Hash oracle queries ($H_2$, $H_3$): $\mathcal{A}$ requests data from the hash oracles $H_2$ and $H_3$.

(b)

Trapdoor generation: $\mathcal{A}$ submits keywords to $\mathcal{C}$, who then uses $\mathsf{Trapdgen}(GP,w)$ to generate and return the corresponding trapdoors.

-

Challenge: $\mathcal{A}$ challenges $\mathcal{C}$ with a pair of previously unqueried keywords $(w_0^{*},w_1^{*})$, $\mathcal{C}$ randomly selects a bit $q\in \{0,1\}$ and uses $\mathsf{Idxgen}(GP,S_w)$ to produce the index $I_{w_q}^{*}$, which is conveyed back to $\mathcal{A}$.

-

Second query phase: $\mathcal{A}$ continues to query as before, following the receipt of $I_{w_q}^{*}$.

-

Guess: $\mathcal{A}$ attempts to guess the bit q, with the experiment deemed successful if $q^{\prime }=q$. The advantage of $\mathcal{A}$ in this scenario is defined as follows:

$${\mathsf{Adv}}_{\mathcal{A}}^{\mathrm{cka}}\left(n\right)\left[\left(1^{\lambda }\right)\right]=\left|Pr[q=q^{\prime }]-{\displaystyle \frac{1}{2}}\right|.$$

(3)

Definition 3.

A revocable ABE-RS scheme with fast search is considered CKA-secure if the advantage ${\mathsf{Adv}}_{\mathcal{A}}^{\mathrm{cka}}\left(1^{\lambda }\right)$ for any PPT adversary is negligible.

5. The Proposed Scheme

This section presents the formal definition and detailed construction of the proposed ABE-RS scheme.

5.1. Construction of ABE-RS

In this section, we outline our detailed scheme comprising ten algorithms. First, the AA executes the $\mathsf{setup}$ algorithm to initialize system parameters and establish essential access control structures for anomaly detection. Users run the $\mathsf{IdKgen}$ algorithm to obtain identity key pairs, enabling secure identity verification. The AA employs the $\mathsf{AttKgen}$ algorithm to generate attribute-based decryption keys, enforcing strict attribute-based access control over video surveillance data. The DO encrypts video data using the $\mathsf{EncML}$ algorithm, integrating a revocation list to swiftly deny access to malicious or anomalous users. The DO also employs the $\mathsf{IdxEnc}$ algorithm to construct a secure keyword index set $I_w$, facilitating controlled and efficient keyword searches within encrypted video data. Subsequently, The DU executes the $\mathsf{AKgen}$ algorithm to obtain authorization keys for authentication, and it then runs the $\mathsf{Trapdgen}$ algorithm to create trapdoors $T_w$ for keyword queries, uploading them to the cloud server. Upon receiving queries, The cloud server performs the $\mathsf{Verify}$ algorithm to authenticate users. It then executes the $\mathsf{Search}$ algorithm to locate and return matching encrypted video files only to authorized users. Finally, The DU decrypts the retrieved ciphertext using the $\mathsf{Dec}$ algorithm if their attributes satisfy the defined access permissions.

As shown in Figure 3, The proposed ABE-RS scheme is a cryptographic protocol composed of ten logically sequential algorithms. These algorithms are executed in a well-defined order across different entities (AA, DU, DO, and CSP) as part of a theoretical security framework. Unlike real-time systems, The workflow does not involve time-sensitive or concurrent execution. Therefore, issues such as temporization failure or algorithm rescheduling are not applicable. Furthermore, each algorithm operates on distinct cryptographic inputs and does not rely on shared stateful resources, thus avoiding resource contention. This design ensures predictable and secure execution in practical implementation.

5.1.1. Setup

$\mathsf{Setup}(1^{\kappa },S_A)\to (\mathit{GP},\mathit{MSK})$. The process begins by generating a tuple of bilinear groups through $\mathcal{G}\left(1^{\kappa }\right)\to \{\mathbb{G},{\mathbb{G}}_T,p,g,e\}$, which is referred to as $\mathbb{D}$, where $\mathbb{G}$ and ${\mathbb{G}}_T$ are two cyclic groups of prime order p under multiplication, a generator $g\in \mathbb{G}$, and a bilinear map $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$. Subsequently, The AA selects the parameters ($\sigma ,\alpha ,\beta ,\gamma$) from ${\mathbb{Z}}_p^{*}$ using LSSS, which computes $g^{\sigma }$ as the master secret key MSK. For each $x\in S_A$, a random value $n_x\in {\mathbb{Z}}_p^{*}$ is chosen. The global parameter $\mathit{GP}$ is then defined as follows:

$$\mathit{GP}=\{\mathbb{D},H_1,H_2,H_3,{Q_x=g^{n_x}}_{x\in S_A},g^{\alpha },g^{\beta },g^{\gamma }\},$$

(4)

where $H_1:{\{0,1\}}^{*}\to {\mathbb{Z}}_p^{*}$, $H_2:{\{0,1\}}^{*}\to \mathbb{G}$ and $H_3:{\mathbb{G}}_T\to {\{0,1\}}^{{log}_p}$ are the chosen hash functions.

5.1.2. ID Key Generation

$\mathsf{IdKgen}(\mathit{GP},\mathit{uid})\to ({\mathit{ISK}}_{\mathit{uid}},{\mathit{IPK}}_{\mathit{uid}})$. Each DU is assigned a unique identity, denoted as $\mathit{uid}$, along with an associated attribute set $S_{\mathit{uid}}$. A random element $b\in {\mathbb{Z}}_p^{*}$ is selected to compute the identity-based key pair as follows:

$${\mathit{ISK}}_{\mathit{uid}}=b,{\mathit{IPK}}_{\mathit{uid}}={\left(g^{\mu }\right)}^{H_1(\mathit{uid}\Vert b)}.$$

(5)

To ensure the identity privacy, DUs submit the public identity key ${\mathit{IPK}}_{\mathit{uid}}$ for registration, rather than revealing their $\mathit{uid}$.

5.1.3. Attribute Key Generation

$\mathsf{AttKgen}(\mathit{GP},\mathit{MSK},S,\mathit{uid})\to S{K}_{S,uid}$. Given a path $\mathrm{path}\left(\mathit{uid}\right)=\{p_{\mathit{uid},0},\cdots ,p_{\mathit{uid},d}\}$ in the full binary tree T, where $p_{\mathit{uid},0}=\mathrm{root}$ and $p_{\mathit{uid},d}=\mathit{uid}$, a random selection of $t,u,u^{\prime }\in {\mathbb{Z}}_p$ is made. Additionally, elements $R,R^{\prime },R^{\prime \prime },R^{\prime \prime \prime },{\left\{R_x\right\}}_{x\in S}\in \mathbb{G}$ are chosen. The following computations are performed:

$$\begin{array}{cc}\hfill & {\{K_{1,y_x}=g^{\sigma }{g}^{\alpha t}{g}^{\beta u}{g}^{\gamma u^{\prime }{H}_1\left(y_x\right)}R\}}_{y_x\in path\left(uid\right)},\hfill \\ \hfill & {\{K_{2,x}=Q_x^t{R}_x\}}_{x\in S},\hfill \\ \hfill & K_3=g^u{R}^{\prime },K_4=g^{u^{\prime }}{R}^{\prime \prime },K_5=g^t{R}^{\prime \prime \prime }.\hfill \end{array}$$

(6)

The secret key $S{K}_{S,\mathit{uid}}$ corresponding to the user–attribute pair $(\mathit{uid},S)$ is then generated as $(S,{\left\{K_{1,y_x}\right\}}_{y_x\in path\left(uid\right)},{\left\{K_{2,x}\right\}}_{x\in S},K_3,K_4,K_5)$.

5.1.4. Revocable Encryption

$\mathsf{EncML}(GP,M,\mathbb{M},\mathcal{T})\to C{T}_{\mathbb{M},\mathcal{T}}$. The scheme $\mathbb{M}=(A,\zeta )$ represents an LSSS where $A\in {\mathbb{Z}}_p^{l\times n}$ is the share-generating matrix and $\zeta$ is a function mapping from $\left[l\right]$ to $S_A$. A random vector $\mathbf{v}=(s,v_2,\cdots ,v_n)$ is chosen from ${\mathbb{Z}}_p^n$, and a random value $r_j\in {\mathbb{Z}}_p$ is selected for each row $A_j$ of matrix A. The following computations are performed:

$$\begin{array}{cc}\hfill & C_0=M·e{(g,g)}^{\sigma s},C_1=g^s,C_2=g^{\beta s},\hfill \\ \hfill & C_{3,Root}={\left(g^{\gamma H_1\left(Root\right)}\right)}^s,\hfill \\ \hfill & {\left\{C_{4,j}={\displaystyle \frac{{\left(g^{\alpha }\right)}^{A_j·\mathbf{v}}}{Q_{\zeta \left(j\right)}^{r_j}}},C_{5,j}=g^{r_j}\right\}}_{j\in \left[l\right]}.\hfill \end{array}$$

(7)

The resulting ciphertext is given by $C{T}_{\mathbb{M},\mathcal{T}}=(\mathbb{M},\mathcal{T},C_0,C_1,C_2,C_{3,Root},{\{C_{4,j},C_{5,j}\}}_{j\in \left[l\right]})$.

The re-encrypted ciphertext is updated to $C{T}_{\mathbb{M},L}^{\left(up\right)}=(\mathbb{M},L,C_0,C_1,C_2,{\left\{C_{3,y_x}\right\}}_{y_x\in cover\left(L\right)},$ ${\{C_{4,j},C_{5,j}\}}_{j\in \left[l\right]})$, where L represents the user list of revocable attributes. The updated ciphertext for $C_{3,y_x}$ is calculated as follows:

$$\begin{array}{c}\hfill {\left\{C_{3,y_x}={\left(g^{\gamma H_1\left(y_x\right)}\right)}^s\right\}}_{y_x\in cover\left(L\right)}.\end{array}$$

(8)

5.1.5. Revocable Index Generation

$\mathsf{IdxEnc}(\mathit{GP},S_w)\to I_w$. The DO extracts the keyword set $S_w=\{w_1,w_2,\cdots ,w_{\iota }\}$ from the file collection $\mathcal{F}$. The AA randomly selects a value $\pi \in {\mathbb{Z}}_p^{*}$ and transmits it to the DU in the secure channel. For each keyword $w_j$ in message M, The DU randomly selects a value ${\xi }_j\in {\mathbb{Z}}_p^{*}$ and calculates the corresponding index component $I_w={\{I_0,I_{1,w_j}\}}_{w_j\in S_w}$ as follows:

$$\begin{array}{cc}\hfill & I_0=g^{{\xi }_j},I_{1,w_j}=H_3\left(e\left({g^{\beta }}^{{\xi }_j},{H_2\left(w_j\right)}^{\pi ·H_1\left(Root\right)}\right)\right).\hfill \end{array}$$

(9)

The re-encrypted index is updated to $I_w^{\left(up\right)}={\{I_0,{\left\{I_{1,w_j,y_w}^{\left(up\right)}\right\}}_{y_w\in cover\left(L^{\prime }\right)}\}}_{w_j\in S_w}$, where $L^{\prime }$ represents the user list of revocable keywords. The updated ciphertext for $I_{1,w_j,y_w}^{\left(up\right)}$ is calculated as follows:

$$\begin{array}{c}\hfill {\left\{I_{1,w_j,y_w}^{\left(up\right)}=H_3\left(e\left({g^{\beta }}^{{\xi }_j},{H_2\left(w_j\right)}^{\pi ·H_1\left(y_w\right)}\right)\right)\right\}}_{y_w\in cover\left(L^{\prime }\right)}.\end{array}$$

(10)

5.1.6. Authorization Key Generation

$\mathsf{AKgen}(\mathit{GP},\mathit{uid},{\mathit{ISK}}_{\mathit{uid}})\to {\mathit{AK}}_{\mathit{uid}}$. Before submitting a search query, The DU randomly selects a value $b^{\prime }\in {\mathbb{Z}}_p^{*}$. Using this, the DU computes $H_1\left(\mathit{uid}\right||b^{\prime })$, which generates the authentication key ${\mathit{AK}}_{\mathit{uid}}=({\mathit{AK}}_1,{\mathit{AK}}_2)$ as

$${\mathit{AK}}_1={\left(g^{\alpha }\right)}^{b^{\prime }}{\left(g^{\mu }\right)}^{H_1\left(\mathit{uid}\right|\left|b\right)},{\mathit{AK}}_2=g^{b^{\prime }}.$$

(11)

5.1.7. Verification

$\mathsf{Verify}({\mathit{AK}}_{\mathit{uid}},{\mathit{IPK}}_{\mathit{uid}})\to (0,1)$. The AA computes ${\left({\mathit{AK}}_2\right)}^{\alpha }$ and validates the following equation:

$$\begin{array}{c}\hfill MM{\mathit{AK}}_1/{\left({\mathit{AK}}_2\right)}^{\alpha }\stackrel{?}{=}{\mathit{IPK}}_{\mathit{uid}}.\end{array}$$

(12)

If the equation holds true, The user’s authenticity is verified and the AA sends a secret value $\pi \in {\mathbb{Z}}_p^{*}$ to the authenticated user via a secure channel to proceed to the subsequent search step. Otherwise, The request is discarded.

5.1.8. Trapdoor Generation

$\mathsf{Trapdgen}(\mathit{GP},w^{\prime })\to T_w$. The DU constructs the trapdoor $T_w$ for searching the encrypted keyword dictionary $S_w$. The DU chooses a random value $\tau \in {\mathbb{Z}}_p^{*}$ and creates the trapdoor $T_w=\{T_1,T_2,T_3\}$. To search the encrypted keyword dictionary $S_w$, The DU generates the trapdoor $T_w$. This is performed by first selecting a random value $\tau \in {\mathbb{Z}}_p^{*}$ and then constructing the trapdoor as $T_w=\{T_1,T_2,T_3\}$.

$$\begin{array}{cc}\hfill & T_1=H_3\left(e(g^{\beta },{\left(g^{\alpha }\right)}^{\tau })\right),T_2=g^{\tau },\hfill \\ \hfill & {\left\{{T_{3,y_w}=H_2\left(w^{\prime }\right)}^{\pi ·H_1\left(y_w\right)}\right\}}_{y_w\in path\left(uid\right)},\hfill \end{array}$$

(13)

where $w^{\prime }$ denotes the target keyword.

5.1.9. Search

$\mathsf{Search}(T_w,I_w^{\left(up\right)})\to (0,1)$. Upon receiving the trapdoor $T_w$ from the DU, The AA initiates a search for a keyword in the encrypted keyword dictionary $S_w$, where the keyword $w_j$ is stored as $I_{1,w_j}$.

If a user $u_{\varkappa }$ has a valid keyword w (that is, $u_{\varkappa }\in G_{y_w}$), they can obtain the trapdoor component $T_{3,y_w}$ from the right $H_1\left(y_w\right)$ in Equation (13) using the unique intersection nodes $Y^{\prime }$. Since $u_{\varkappa }\notin L^{\prime }$, it identifies a node $Y^{\prime }\in (path\left(ui{d}_{u_{\varkappa }}\right)\cap cover\left(L^{\prime }\right))$. For example, if $cover\left(L^{\prime }\right)=\{u_1,u_2,u_3,u_4,u_6,u_7\}$ in Figure 1, $u_4$ can compute the right $T_{3,Y^{\prime }}$ using the unique path-intersection nodes $Y^{\prime }=v_2$.

The CSP then computes the values $\delta =H_3\left(e(T_2^{\alpha },g^{\beta })\right)$ and $\theta =\mathsf{encode}\left({\left(T_{3,Y^{\prime }}\right)}^{\beta }\right)\oplus T_1$ from the trapdoor and proceeds to compute the following:

$$H_3\left(e(I_0,\mathsf{decode}(\theta \oplus \delta ))\right)\stackrel{?}{=}{I}_{1,w_j,Y^{\prime }}^{\left(up\right)}.$$

(14)

The search proceeds by verifying the equation. The dictionary $S_w$ serves as the header for the inverted index table. If a match is found, as indicated in Equation (14), it then continues the decryption operation.

5.1.10. Decrypt

$\mathsf{Dec}(\mathit{GP},{\mathit{CT}}_{\mathbb{M},L},{\mathit{SK}}_{S,\mathit{uid}})\to m$. Let $S\in \mathbb{M}=(A,\zeta )$ and assume $uid\notin L$. The system computes $\mathcal{I}:\{i:\zeta (i)\in S\}$ and ${\{c_i\in {\mathbb{Z}}_p\}}_{i\in \mathcal{I}}$ and the set ${\{c_i\in {\mathbb{Z}}_p\}}_{i\in \mathcal{I}}$, such that ${\sum }_{i\in \mathcal{I}}{c}_i·A_i=(1,0,\dots ,0)$.

Similarly to the process of creating the trapdoor during Search (Section 5.1.9), if a user $u_{\varkappa }$ has a valid attribute x (that is, $u_{\varkappa }\in G_{y_x}$), they can decrypt the attribute group key $K_{1,y_x}$ from the right $H_1\left(y_x\right)$ in Equation (6) using the unique intersection nodes Y. Since $u_{\varkappa }\notin L$, it identifies a node $Y\in (path\left(ui{d}_{u_{\varkappa }}\right)\cap cover\left(L\right))$. For example, if $cover\left(L\right)=\{u_1,u_2,u_3,u_4,u_6,u_7\}$ in Figure 1, $u_4$ can compute the right $K_{1,Y}$ by using the unique path-intersection nodes $Y=v_2$. The decryption is calculated as follows:

$$\begin{array}{cc}\hfill & {\displaystyle \frac{e(K_{1,Y},C_1)}{e(K_3,C_2)·e(K_4,C_{3,Y})}}·\prod _{j\in \mathcal{I}}{\left(e(K_5,C_{4,j})·e(K_{2,\zeta \left(j\right)},C_{5,j})\right)}^{-c_j}\hfill \\ \hfill & =e{(g,g)}^{\sigma s}.\hfill \\ \hfill & M=C_0/e{(g,g)}^{\sigma s}.\hfill \end{array}$$

(15)

5.2. The Designed Fast Searchable Decryption Algorithm

As the core module of the ABE-RS framework, the FSD algorithm enables keyword-based search on encrypted data through the inverted index, as shown in Figure 4. The algorithm consists of InvertTable Initialization, Complete Inverted-Index Table, and Fast Searchable Decryption, which are shown in Algorithms 1 and 2.

• InvertTable Initialization. The IIT is initialized as

InvertTable ={

 LabelCipher(keyword): [] for keyword in keywordsList

}.

The DO extracts the keyword set $S_w$ and generates the encrypted tag cipher for each keyword $w_i$. This structure creates an empty linked list container for each encrypted keyword $I_{1,w_i}$, which serves as the foundation for storing the encrypted data index in the subsequent steps.

• Complete Inverted-Index Table. This process iterates through all encrypted keywords and constructs a comprehensive mapping between each keyword $I_w$ and its associated encrypted data $C{T}_{\mathbb{M},L}$, as outlined in Algorithm 1.

Algorithm 1: Complete IIT

Algorithm 2: Fast Searchable Decryption

• Fast Searchable Decryption. The fast searchable decryption of the FDS algorithm is shown in Algorithm 2. First, we verify the identity (line 1); then, based on $T_w$ , we find the entry in the InvertTable that matches the main key ${\mathit{Main}}_w$ (lines 2–3). If a matching ciphertext is found, we decrypt and verify the access rights, returning the decrypted message (lines 4–6); otherwise, the decryption fails or the search fails and it returns ⊥ (lines 7–10).

6. Analysis

In this section, we conduct correctness and security analyses.

6.1. Correctness Analysis

From $\mathsf{Verify}$’s Equation (12), we can obtain

$$\begin{array}{cc}\hfill A{K}_1/{\left(A{K}_3\right)}^{\alpha }& ={\left(g^{\alpha }\right)}^{b^{\prime }}{\left(g^{\mu }\right)}^{H_1\left(\mathit{uid}\right|\left|b\right)}/{\left(g^{b^{\prime }}\right)}^{\alpha }\hfill \\ \hfill & =g^{\mu H_1\left(\mathit{uid}\right|\left|b\right)}={\mathit{IPK}}_{\mathit{uid}}.\hfill \end{array}$$

(16)

From $\mathsf{Search}$’s Equation (14), we can obtain

$$\begin{array}{cc}\hfill & H_3\left(e(I_0,\mathsf{decode}(\theta \oplus \delta ))\right)\hfill \\ \hfill & =H_3\left(e(g^{{\xi }_j},\mathsf{decode}(\mathsf{encode}\left({\left(T_3\right)}^{\beta }\right)\oplus H_3\left(e(g^{\beta },\left({\left(g^{\alpha }\right)}^{\tau }\right))\right)\oplus H_3\left(e({\left(g^{\tau }\right)}^{\alpha },g^{\beta })\right)))\right)\hfill \\ \hfill & =H_3\left(e(g^{{\xi }_j},\mathsf{decode}\left(\mathsf{encode}\left({\left(T_3\right)}^{\beta }\right)\right))\right)\hfill \\ \hfill & =H_3\left(e(g^{\beta {\xi }_j},H_2{\left(w^{\prime }\right)}^{\pi ·H_1\left(Y^{\prime }\right)})\right)=I_{1,w_j,Y^{\prime }}^{\left(up\right)}.\hfill \end{array}$$

(17)

From $\mathsf{Dec}$’s Equation (15), we can obtain

$$\begin{array}{cc}\hfill & {\displaystyle \frac{e(K_{1,Y},C_1)}{e(K_3,C_2)·e(K_4,C_{3,Y})}}\hfill \\ \hfill =& {\displaystyle \frac{e(g^{\sigma }{g}^{\alpha t}{g}^{\beta u}{g}^{\gamma u^{\prime }{H}_1\left(Y\right)}R,g^s)}{e(g^u{R}^{\prime },g^{\beta s})·e(g^{u^{\prime }}{R}^{\prime \prime },g^{s\gamma H_1\left(Y\right)})}}\hfill \\ \hfill =& {\displaystyle \frac{e{(g,g)}^{s\sigma }·e{(g,g)}^{s\alpha t}·e{(g,g)}^{s\beta u}·e{(g,g)}^{s\gamma u^{\prime }{H}_1\left(Y\right)}}{e{(g,g)}^{s\beta u}·e{(g,g)}^{u^{\prime }s\gamma H_1\left(Y\right)}}}\hfill \\ \hfill =& e{(g,g)}^{s\sigma }·e{(g,g)}^{s\alpha t};\hfill \end{array}$$

(18)

$$\begin{array}{cc}\hfill & \prod _{j\in \mathcal{I}}{\left(e(K_5,C_{4,j})·e(K_{2,\zeta \left(j\right)},C_{5,j})\right)}^{-c_j}\hfill \\ \hfill =& \prod _{j\in \mathcal{I}}{\left(e(g^t{R}^{\prime \prime \prime },{\displaystyle \frac{g^{\alpha A_j·\mathbf{v}}}{Q_{\zeta \left(j\right)}^{r_j}}})·e(Q_{\zeta \left(j\right)}^t{R}_{\zeta \left(j\right)},g^{r_j})\right)}^{-c_j}\hfill \\ \hfill =& \prod _{j\in \mathcal{I}}{\left({\displaystyle \frac{e{(g,g)}^{\alpha t{A}_j·\mathbf{v}}}{e{(g,Q_{\zeta \left(j\right)})}^{t{r}_j}}}·e{(g,Q_{\zeta \left(j\right)})}^{t{r}_j}\right)}^{-c_j}\hfill \\ \hfill =& e{(g,g)}^{{\sum }_{j\in \mathcal{I}}-\alpha t{c}_j{A}_j·\mathbf{v}}\hfill \\ \hfill =& e{(g,g)}^{-\alpha ts}.\hfill \end{array}$$

(19)

6.2. Security Analysis

In this section, we analyze the security of ABE-RS against chosen plaintext attacks (CPAs) and chosen keyword attacks (CKAs).

Theorem 1.

The ABE-RS scheme is secure under IND-CPA conditions.

Proof. 

To establish the IND-CPA security of our ABE-RS framework, we utilize the encryption technique detailed in [41]. Here, we focus on the definitions of keys and ciphertexts. □

Key generation: The $\mathsf{KeyGen}(GP,MSK,S,uid)$ algorithm is executed to generate $S{K}_{S,uid}$, which consists of $\left\{K_{1,y_x}\right\}{y}_x\in path\left(uid\right)$, $K_2$, $K_3$, and ${\left\{K_{4,x}\right\}}_{x\in S}$. Additionally, a random value $W\in \mathbb{G}$ is selected. The key generation process is described as follows:

For every user identified by $uid$ and associated with an attribute set S, the process $\mathsf{KeyGen}(GP,MSK,S,uid)$ generates a key $S{K}_{S,uid}$. This includes components ${\left\{K_{1,y_x}\right\}}_{y_x\in path\left(uid\right)}$, $K_2$, $K_3$, and ${\left\{K_{4,x}\right\}}_{x\in S}$. Additionally, a random element W from group $\mathbb{G}$ is integrated into each component to enhance the key’s complexity as follows:

$${\{K_{1,y_x}·W\}}_{y_x\in path\left(uid\right)},K_2,K_3,{\left\{K_{4,x}\right\}}_{x\in S}.$$

(20)

Ciphertexts Construction. Executing $\mathsf{Encrypt}(GP,m,\mathbb{M},L)$, we derive a ciphertext $C{T}_{\mathbb{M},L}^{\left(up\right)}$ that encapsulates $C_0$, $C_1$, and $C_2$ and structured data ${\{C_{3,j},C_{4,j}\}}_{j\in \left[l\right]}$ and ${\left\{C_{5,y_x}\right\}}_{y_x\in cover\left(L\right)}$. Random coefficients ${\alpha }^{\prime },{\beta }^{\prime },{\gamma }^{\prime }\in {\mathbb{Z}}_p^{*}$, along with vectors ${\mathbf{v}}^{\prime }=(s^{\prime },v_2^{\prime },\cdots ,v_n^{\prime })$ and sets ${\left\{{\eta }_x\right\}}_{x\in S_A}$, ${\left\{{ϵ}_j\right\}}_{j\in \left[l\right]}$ are chosen to form each encrypted component as follows:

$$\begin{array}{cc}\hfill & C_0,C_1·g^{s^{\prime }},C_2·g^{s^{\prime }{\beta }^{\prime }},{\{C_{3,y_x}·g^{c^{\prime }{H}_2\left(y_x\right)s^{\prime }}\}}_{y_x\in cover\left(L\right)},\hfill \\ \hfill & {\{C_{4,j}·g^{{\alpha }^{\prime }{A}_j·{\mathbf{v}}^{\prime }}{g}^{-{\eta }_{\delta \left(j\right)}{ϵ}_j},C_{5,j}·g_2^{{ϵ}_j}\}}_{j\in \left[l\right]}.\hfill \end{array}$$

(21)

Limiting the adversary to $\mathcal{U}$ key queries, a sequence of games from ${Game}_{real}$ to ${Game}_{final}$ is set. The initial k games involve specialized keys and ciphertexts, shifting gradually to standard forms until $\mathcal{U}$, where the ciphertext is encrypted with an arbitrary message.

This structured approach of transitioning through games illustrates the robustness of the encryption against distinguishing attacks, mimicking the methods established in Hur et al. [41].

Theorem 2.

Under the random oracle model and assuming the BDH assumption holds, the ABE-RS scheme is semantically secure against chosen keyword attacks.

Proof. 

$\mathcal{A}$, as the PPT adversary, and $\mathcal{C}$, as the challenger, are set to tackle the BDH problem with a determined advantage ${\epsilon }^{\prime }={\displaystyle \frac{2\epsilon }{e{q}_{H_3}{q}_T}}$. Here, $\epsilon$ represents $\mathcal{A}$’s advantage, e is the natural logarithm base, and $q_{H_3}$ and $q_T$ denote the maximum number of queries to the hash function $H_3$ and the trapdoor, respectively. □

-

Setup: $\mathcal{C}$ is given a BDH challenge consisting of the tuple $(u_1=g^a,u_2=g^b,$$u_3=g^d\in \mathbb{G})$ and is tasked with computing the value $e{(g,g)}^{abd}\in {\mathbb{G}}_T$. To initiate the process, $\mathcal{C}$ sets up the required cryptographic groups and parameters. Subsequently, $\mathcal{C}$ prepares the group $GP$, which includes the elements $\mathbb{D},H_2^{*},H_3^{*},g^{\alpha },g^{\beta }$, and shares these parameters with the adversary $\mathcal{A}$. This information is provided to $\mathcal{A}$ to ensure the transparency of the challenge setup.

-

Query Phase 1: In this phase, $\mathcal{A}$ is allowed to make several polynomially bounded queries, which are outlined as follows:

(a)

$H_2$ query: $\mathcal{A}$ is permitted to query the random oracle $H_2$ at any time. Initially, $\mathcal{C}$ creates an empty list to store entries for $H_2$, which consist of tuples in the form $(w_i,h_i,e_i,c_i)$. Upon receiving a query from $\mathcal{A}$ for a keyword $w_i\in {\{0,1\}}^{*}$, $\mathcal{C}$ checks whether this keyword is already present in the list. If the entry exists, the value $H_2\left(w_i\right)$ is returned as $h_i\in \mathbb{G}$. If the keyword is not yet listed, $\mathcal{C}$ randomly selects a value $c_i\in \{0,1\}$, where $Pr[c_i=0]=\left({\displaystyle \frac{1}{q_T}}+1\right)$. After this, $\mathcal{C}$ stores the entry $(w_i,h_i,e_i,c_i)$ in the list and returns $H_2\left(w_i\right)=h_i$ to $\mathcal{A}$.

(b)

$H_3$ query: $\mathcal{A}$ is also allowed to query the random oracle $H_3$ at any point during the interaction. To manage these queries, $\mathcal{C}$ initializes an empty list for $H_3$, which stores entries in the form $(t_i,V_i)$. When $\mathcal{A}$ queries $H_3$ with an element $t_i\in {\mathbb{G}}_T$, $\mathcal{C}$ checks whether $t_i$ is already present in the list. If the entry for $t_i$ exists, $\mathcal{C}$ returns the stored value $H_3\left(t_i\right)=V_i\in {\{0,1\}}^{{log}_p}$. If no such entry is found, $\mathcal{C}$ randomly selects a new value $V_i\in {\{0,1\}}^{{log}_p}$ and assigns it to $H_3\left(t_i\right)$. The tuple $(t_i,V_i)$ is then added to the list for future reference, and $V_i$ is returned to $\mathcal{A}$.

(c)

Trapdoor query: In this phase, $\mathcal{A}$ submits keywords $w_i\in {\{0,1\}}^{*}$ to $\mathcal{C}$, for which it seeks trapdoors. Initially, $\mathcal{C}$ queries the oracle $H_2$ to retrieve the value $H_2\left(w_i\right)=h_i\in \mathbb{G}$ and obtains the associated entry $(w_i,h_i,e_i,c_i)$.

If the value of $c_i$ is 0, $\mathcal{C}$ aborts. Otherwise, when $c_i=1$, $\mathcal{C}$ proceeds by setting $h_i=g^{e_i}\in \mathbb{G}$, where $e_i$ is the value from the entry. Next, $\mathcal{C}$ selects a random value $\tau \in {\mathbb{Z}}_p^{*}$ and queries the $H_3$ oracle with $H_3\left(e(g^{\beta },{\left(g^{\alpha }\right)}^{\tau })\right)$. Following this, $\mathcal{C}$ computes the components of the trapdoor as follows:

$$\begin{array}{cc}\hfill & T_1^{*}=H_3\left(e(g^{\beta },{\left(g^{\alpha }\right)}^{\tau })\right)=H_3\left(e{(g,g)}^{\beta \alpha \tau }\right),\hfill \\ \hfill & T_2^{*}=g^{\tau },T_{3,y_w}^{*}={H_2\left(w_i\right)}^{\pi ·H_1\left(y_w\right)}=g^{e_i\pi ·H_1\left(y_w\right)}.\hfill \end{array}$$

(22)

Finally, $\mathcal{C}$ returns the trapdoor tuple $T_w^{*}=(T_1^{*},T_2^{*},T_3^{*})$ to $\mathcal{A}$.

-

Challenge: In this phase, $\mathcal{A}$ presents a challenge consisting of a pair of keywords $(w_0^{*},w_1^{*})$, ensuring that neither of these keywords has been queried during the previous phase. Upon receiving the challenge pair, $\mathcal{C}$ proceeds by computing an index as follows:

$\mathcal{C}$ queries the oracle $H_2$ twice, obtaining the values $h_0$ and $h_1$ from the respective queries, such that $H_2\left(w_0\right)=h_0$ and $H_2\left(w_1\right)=h_1$. Subsequently, $\mathcal{C}$ adds the corresponding entries ${(w_i,h_i,e_i,c_i)}_{i=(0,1)}$ to the $H_2$ list. If both $c_0$ and $c_1$ are equal to 0 or 1, $\mathcal{C}$ aborts the process.

Since at least one of $c_0$ or $c_1$ must be 0, $\mathcal{C}$ can then randomly choose a bit $q\in \{0,1\}$ and set $c_q=0$. This ensures that $\mathcal{C}$ has control over one of the entries while maintaining the integrity of the challenge.

Next, $\mathcal{C}$ constructs the keyword index $I_w^{*}=(I_0^{*},I_{1,w_j}^{*})$ in the following two steps: (1) $\mathcal{C}$ randomly selects a value $t_2\in \mathbb{Z}{p}^{*}$ and computes $I_0^{*}={\left(u_3\right)}^{1/t_2}$, ensuring the implicit condition $(\xi =d/t_2)$ holds, where d remains unknown to the challenger. (2) $\mathcal{C}$ then randomly chooses a value $Z\in {\{0,1\}}^{{log}_p}$ and assigns it to $I_{1,w_j}^{*}=Z$. Thus, $\mathcal{C}$ ensures that the generated index $I_w^{*}$ is a valid index for the challenge keyword $w_q$, satisfying the necessary conditions for the cryptographic protocol.

-

Query Phase 2: After obtaining the challenge index $I_w^{*}$, $\mathcal{A}$ can perform polynomial additional queries, which are processed identically to the initial ones.

-

Guess: At the conclusion of the second query phase, $\mathcal{A}$ outputs a guess, denoted by $q^{\prime }$ for the bit q.

It is important to observe that in the query $H_2$, the value of $h_i=u_2^{e_i}$ is determined with a probability of $({\displaystyle \frac{1}{q_T}}+1)$. Similarly, in the query $H_3$, $\mathcal{A}$ determines the value with the same probability $({\displaystyle \frac{1}{q_T}}+1)$. The process can be represented as follows:

$$\begin{array}{cc}\hfill e\left(g^{\beta \xi },H_2\left(w_q\right)\right)& =e\left({\left(g^{a{t}_1}\right)}^{d/t_2},g^{b{e}_q}\right)\hfill \\ \hfill & =e{(g,g)}^{abd(e_q{t}_1/t_2)}.\hfill \end{array}$$

(23)

Next, $\mathcal{C}$ randomly picks a pair $(t_i,V_i)$ from the $H_3$ list. It then calculates $t^{e_q{t}_1/t_2}$ as its guess for the value $e{(g,g)}^{abd}$.

Probability Analysis: If the adversary $\mathcal{A}$ has a noticeable advantage in winning the experiment ${\mathrm{Exp}}_{\mathcal{A}}^{\mathrm{CKA}}\left(1^{\lambda }\right)$, then the challenger can solve the BDH problem with a probability of at least $(2\epsilon /e{q}_T{q}_{H_3})$. Based on the BDH assumption outlined in Section 3, the probability $(2\epsilon /e{q}_T{q}_{H_3})$ is considered negligible, leading to the following conclusion:

If the adversary $\mathcal{A}$ has a non-negligible advantage in the experiment ${\mathrm{Exp}}_{\mathcal{A}}^{\mathrm{CKA}}\left(1^{\lambda }\right)$, then the challenger $\mathcal{C}$ would be able to solve the BDH problem with a probability of at least $(2\epsilon /e{q}_T{q}_{H_3})$. Given the BDH assumption, the probability $(2\epsilon /e{q}_T{q}_{H_3})$ is considered negligible. This leads to the following conclusion:

$$\begin{array}{c}\hfill Pr\left[{\mathrm{Exp}}_{\mathcal{A}}^{\mathrm{CKA}}\left(1^{\lambda }\right)\right]=Pr\left[{\mathrm{Exp}}_{\mathcal{C}}^{\mathrm{BDH}}\left(1^{\lambda }\right)\right]={\displaystyle \frac{2\epsilon }{e{q}_T{q}_{H_3}}}\approx \epsilon .\end{array}$$

(24)

Thus, assuming the BDH assumption is valid, we conclude that the security of our scheme holds against CKAs.

7. Performance Evaluation

Based on both a theoretical analysis and the experimental tests, this section conducts an evaluation of ABE-RS.

7.1. Theoretical Analysis

In

Table 2. Comparisons of storage overhead.

Scheme	Public Key Size	Secret Key Size	Ciphertext Size	Trapdoor Size
Deng [30]	$({\mathcal{V}}_A+lo{g}_{{\mathcal{V}}_L})\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$lo{g}_{{\mathcal{V}}_{\mathcal{U}}}\left|\mathbb{G}\right|$	$({\mathcal{V}}_{\mathbb{M}}+lo{g}_{{\mathcal{V}}_{\mathcal{U}}})\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	–
Ghopur [26]	$(\iota +{\mathcal{V}}_A+4)\left|\mathbb{G}\right|+|{\mathbb{G}}_T|+|{\mathbb{Z}}_p|$	$({\mathcal{V}}_L+\iota +2)\left|\mathbb{G}\right|$	$({\mathcal{V}}_{\mathbb{M}}+6)\left|\mathbb{G}\right|+|{\mathbb{G}}_T|+|{\mathbb{Z}}_p|$	–
Liu [31]	–	${\mathcal{V}}_{\mathcal{U}}\left|\mathbb{G}\right|+{\mathcal{V}}_{\mathcal{U}}\left|{\mathbb{Z}}_p\right|$	$({\mathcal{V}}_{\mathcal{U}}+\iota +2{\mathcal{V}}_{L^{\prime }}+2)\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$(5+{\mathcal{V}}_q)\left|\mathbb{G}\right|$
Ours	$({\mathcal{V}}_A+3)\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$(lo{g}_{{\mathcal{V}}_{\mathcal{U}}}+{\mathcal{V}}_{A_u}+3)\left|\mathbb{G}\right|$	$(2{\mathcal{V}}_{\mathbb{M}}+lo{g}_{{\mathcal{V}}_{\mathcal{U}}}+2+\iota )\left|\mathbb{G}\right|$ $+|{\mathbb{G}}_T|+\iota |lo{g}_p|$	$(lo{g}_{{\mathcal{V}}_{\mathcal{U}}}+1)\left|\mathbb{G}\right|+|lo{g}_p|$

${\mathcal{V}}_A$: number of attributes in the system; ${\mathcal{V}}_L$: number of updates for the ciphertext; ${\mathcal{V}}_{\mathcal{U}}$: number of users in the system; $\iota$: number of keywords in the system; $V_{\mathbb{M}}$: number of rows of the LSSS matrix; ${\mathcal{V}}_{A_u}$: number of attributes in $S_{uid}$; $\left|\mathbb{G}\right|/|{\mathbb{G}}_T|/|{\mathbb{Z}}_p|$: length of the elements in $\mathbb{G}$, ${\mathbb{G}}_T$, and ${\mathbb{Z}}_p$, respectively; ${\mathcal{V}}_{L^{\prime }}$: number of revoked keywords; ${\mathcal{V}}_q$: number of query keywords.

, we compare our scheme with others [26,30,31] in terms of public key size, secret key size, ciphertext size, and trapdoor size. The main storage overhead of the data owner comes from the public key, and the storage overhead of the data user comes from the secret key. Our public key is smaller than those in [26,30]. The size of our secret key is comparable to that in [30], which is linear in $lo{g}_{{\mathcal{V}}_{\mathcal{U}}}$. Regarding ciphertext size, our scheme incurs additional storage costs of $({\mathcal{V}}_{\mathbb{M}}+2+\iota )\left|\mathbb{G}\right|+\iota |{log}_P|$ due to keyword encryption. This, however, facilitates more efficient search and decryption processes. In reference [31], the size of the trapdoor pertains to multiple keywords associated with a single user. In contrast, our scheme defines the size of the trapdoor in terms of a single keyword associated with multiple users.

We also compared our scheme with others [26,30,31] in terms of Setup, Keygen, Enc, ReEnc, Search, and Dec, as summarized in

Table 3. Comparisons of computational overhead.

Schemes	Setup	Keygen	Enc	ReEnc	Search	Dec
Deng [30]	${\mathcal{V}}_A{t}_{\mathbb{G}}+t_P$	$({\mathcal{V}}_{\mathbb{M}}·lo{g}_{{\mathcal{V}}_{\mathcal{U}}})t_{\mathbb{G}}$	$({\mathcal{V}}_{\mathbb{M}}+lo{g}_{{\mathcal{V}}_L})t_{\mathbb{G}}$	${\mathcal{V}}_{\mathbb{M}}{t}_{\mathbb{G}}$	–	${\mathcal{V}}_D{t}_{\mathbb{G}}+{\mathcal{V}}_D{t}_P$
Ghopur [26]	$({\mathcal{V}}_A+\iota +6)t_{\mathbb{G}}$ $+t_{{\mathbb{G}}_T}+t_P$	$({\mathcal{V}}_A+\iota +3)t_{\mathbb{G}}$  $+2t_{m\mathbb{G}}$	$(2{\mathcal{V}}_{\mathbb{M}}+7)t_{\mathbb{G}}+t_P$  $+(2+2{\mathcal{V}}_{\mathbb{M}})t_{m\mathbb{G}}$	$(3+3{\mathcal{V}}_L)t_{\mathbb{G}}$  $+4t_{m\mathbb{G}}$	$\iota {\mathcal{V}}_L(({\mathcal{V}}_{\mathbb{M}}+1)(t_{m{\mathbb{G}}_T}+t_{{\mathbb{G}}_T})$ $+3t_P\left)\right)+({\mathcal{V}}_L+{\mathcal{V}}_D+1)t_{m{\mathbb{G}}_T}$ $+2({\mathcal{V}}_D+1)t_P$	$t_{{\mathbb{G}}_T}+2t_{m{\mathbb{G}}_T}$
Liu [31]	–	${\mathcal{V}}_{\mathcal{U}}{t}_{\mathbb{G}}$	$({\mathcal{V}}_{\mathcal{U}}+2\iota +3{\mathcal{V}}_{L^{\prime }}$  $+2)t_{\mathbb{G}}+t_{{\mathbb{G}}_T}$	–	$(3{\mathcal{V}}_q+3)t_P+2{\mathcal{V}}_q{\mathcal{V}}_{L^{\prime }}{t}_{\mathbb{G}}$	–
Ours	$({\mathcal{V}}_A+3)t_{\mathbb{G}}$  $+t_P$	$({\mathcal{V}}_{\mathbb{M}}+lo{g}_{{\mathcal{V}}_{\mathcal{U}}}$  $+6)t_{\mathbb{G}}$	$(3{\mathcal{V}}_{\mathbb{M}}+2lo{g}_{{\mathcal{V}}_{\mathcal{U}}}$  $+2+3\iota )t_{\mathbb{G}}+t_{{\mathbb{G}}_T}$ $+{\mathcal{V}}_{\mathbb{M}}{t}_{m\mathbb{G}}+\iota t_P$	$({\mathcal{V}}_L+\iota lo{g}_{{\mathcal{V}}_{L^{\prime }}})t_{\mathbb{G}}$  $+lo{g}_{{\mathcal{V}}_{L^{\prime }}}{t}_P$	$({\mathcal{V}}_q+1)t_{\mathbb{G}}+({\mathcal{V}}_q+1)t_P$	${\mathcal{V}}_D{t}_{{\mathbb{G}}_T}+(2{\mathcal{V}}_D+3)t_P$  $+({\mathcal{V}}_D+3)t_{m{\mathbb{G}}_T}$

$t_{\mathbb{G}}/t_{{\mathbb{G}}_T}$: time for one exponentiation in group $\mathbb{G}$ and ${\mathbb{G}}_T$, respectively; $t_P$: time for one pairing operation; $t_{m\mathbb{G}}/t_{m{\mathbb{G}}_T}$: time for one multiplication in group $\mathbb{G}$ and ${\mathbb{G}}_T$, respectively; $V_D$: number of attributes involved in decryption.

. As shown, scheme [26] incurs the highest setup overhead, while scheme [30] has the highest key generation cost. Moreover, our scheme supports a lower-overhead search compared to [31], allowing for the locating of ciphertexts containing the target keywords before decryption. Although the decryption cost per ciphertext is relatively high, the efficient search significantly reduces the overall cost and enables the precise decryption of the matched ciphertexts.

7.2. Experimental Tests

We implemented our ABE-RS scheme using the Charm-Crypto library (v0.5) [43] and the built-in SS512 elliptic curve with Python 3.8.10. Experiments were conducted on a server with an Intel Core i7 processor (2.11 GHz) and 11 GB RAM, running Ubuntu 20.04 LTS (64-bit). To ensure statistical stability and reliable performance evaluation, the results were averaged across 20 trials. Each trial was conducted independently, with the framework re-generating all relevant cryptographic elements—including public/private keys, ciphertexts, and index entries—using fresh random seeds.

First, we measured the execution time of the encryption, search, and decryption processes under varying numbers of attributes and keywords. The encryption time depends on the number of attributes defined by the data owner’s access policy and the number of extracted keywords. The search process, which is based on public-key searchable encryption, depends only on the size of the keyword dictionary. The decryption time is influenced solely by the number of attributes. As shown in Figure 5a, with the keyword dictionary size fixed at 500, both the encryption and decryption times increase with the number of attributes, while the search time remains approximately 676 ms. As shown in Figure 5b, with the number of attributes fixed at 50, the encryption and search times increase with the number of keywords, while the decryption time remains around 267 ms.

Figure 6 shows the computation time of attribute-group-based user revocation for different numbers of attributes. We set the number of system users to ${\mathcal{V}}_{\mathcal{U}}=512$ (with a tree depth of 10) and measured the revocation time when the user subset covered by the revoked attribute group contained 2 users. Deng et al. [30] pointed out in their experiments that, in certain scenarios, user-level revocation is more efficient than attribute-level revocation. In particular, when the number of users is fixed, revoking a single user is significantly faster than revoking all the attributes associated with that user. In our scheme, revoking the user subset covered by an attribute group achieves millisecond-level efficiency. Specifically, with 512 users and 50 attributes in the framework, revoking a single attribute group covering 2 users takes only 629 ms. Although the time required for a single ciphertext update and user revocation in our scheme is slightly higher than that in Deng’s scheme [30], our approach simultaneously revokes multiple users based on the attribute group coverage. Moreover, our scheme supports searchability and enables decryption after efficient keyword-group-based user revocation, resulting in improved overall revocation performance for the methodology.

Figure 7 shows the computation time of user revocation based on keyword groups under different numbers of keywords. We set the number of attributes in the framework to 10 and measured the revocation time when the user subset covered by the revoked keyword group contained two users. The results are compared with the two methods proposed by Liu [31]. For keyword-based user revocation, Liu’s RKS [31] method exhibits a relatively long running time, exceeding 10 s. In contrast, our method incurs lower computational overhead and performs comparably to Liu’s improved RKS+ method. Notably, when handling large-scale revocations, our scheme demonstrates better scalability and performance, achieving millisecond-level efficiency. Specifically, when the framework has 512 users and 1000 keywords, revoking a single keyword group covering 2 users takes approximately 1 s.

Through comparative analysis with the experiments of Deng [30] and Liu [31], it can be observed that our proposed scheme demonstrates superiority in user revocation based on both attribute and keyword group coverage. When dealing with different scenarios such as ciphertext (corresponding to user-level attribute revocation) and index updates (corresponding to keyword revocation), our scheme consistently maintains low computational overhead and exhibits strong scalability, making it well-suited for large-scale systems.

8. Conclusions

This paper proposes ABE-RS, a searchable and revocable attribute-based encryption scheme designed for dynamic video anomaly detection. By combining a user management tree with attribute and keyword revocation and incorporating an inverted index structure, ABE-RS enables fine-grained, flexible access control and an efficient encrypted search. The scheme is particularly effective in scenarios requiring frequent ciphertext and index updates, maintaining low computational overhead and strong scalability. Specifically, with 512 users in the system, revoking an attribute group covering two users takes only 629 ms, while revoking a keyword group covering two users among 1000 keywords requires approximately 1 s. Our scheme is well-suited for security-critical applications such as smart healthcare, video surveillance, urban public safety, intelligent transportation, and campus security, where rapid and secure access to sensitive content is essential.

Our framework demonstrates several strengths: (1) it supports both attribute- and keyword-level user revocation in a unified manner, which is rarely addressed in the existing literature; (2) it integrates a user management tree and an inverted index to enable efficient ciphertext and index updates, ensuring searchability even after revocation; and (3) it exhibits strong scalability and low computational overhead for both attribute and keyword revocation, as confirmed through comparative experiments with the methods from Deng et al. [30] and Liu et al. [31]. Specifically, when the dictionary contains 1000 keywords, the time required to revoke all users associated with a single keyword group remains at the millisecond level.

Nevertheless, the proposed approach has some limitations. These include the need for further optimization on resource-constrained devices (e.g., mobile or edge platforms), reliance on the random oracle model in the current security analysis, and the assumption of a single trusted authority. Additionally, the scheme has not yet been tested in real-world deployments.

Future work will address these limitations through the following: (1) improving efficiency for low-power environments; (2) extending the security model to standard cryptographic assumptions; (3) adopting a multi-authority ABE framework to reduce trust dependency; and (4) validating the system through real-world application testing.