Implementation of an Attribute-Based Encryption Scheme Based on SM9

: In recent years, attribute-based encryption (ABE) has been widely applied in mobile computing, cloud computing, and the Internet of things, for supporting ﬂexible and ﬁne-grained access control of sensitive data. In this paper, we present a novel attribute-based encryption scheme that is based on bilinear pairing over Barreto and Naehrig curves (BN-curves). The identity-based encryption scheme SM9, which is a Chinese commercial cryptographic standard and a forthcoming part of ISO / IEC11770-3, has been used as the fundamental building block, and thus we ﬁrst introduce SM9 and present our SM9 implementation in details. Subsequently, we propose the design and implementation of the ABE scheme. Moreover, we also develop a hybrid ABE for achieving lower ciphertext expansion rate when the size of access structure or plaintext is large. The performance and energy consumption of the implementation of the proposed ABE and its hybrid version are evaluated with a workstation, a PC, a smart phone, and an embedded device. The experimental results indicated that our schemes work well on various computing platforms. Moreover, the proposed schemes and their implementations would beneﬁt developers in building applications that fulﬁll the regulatory compliance with the Chinese commercial cryptographic standard since there is no existing ABE scheme compatible with any Chinese cryptographic standard.


Introduction
There is an increasing requirement for data sharing and processing in the distributed computing environment with fine-grained access control with the development of cloud computing, mobile computing, and the Internet of things.Public key encryption is a powerful approach towards protecting the confidentiality of sensitive data.However, there are two limitations as follows.Firstly, a public key cryptosystem relies on the public key infrastructure (PKI), which requires huge overhead on certificate management and verification.Secondly, the resource provider needs to encrypt data with the public key of each user in the receiving group and separately send the ciphertext to the corresponding user, which results in large processing overhead and bandwidth consumption.
Shamir presented the first identity-based cryptosystem [1] in 1984 to mitigate the first issue.Lately, Boneh and Franklin [2] proposed the most well-known identity-based encryption (IBE) scheme that was based on bilinear pairing, leading to a new development on identity-based cryptography.The main feature of identity-based cryptosystems is that they do not need certificates for public keys.The identity string of a user, such as the email address or phone number, can be used as the user's public key.
To mitigate the second issue, Sahai and Waters [3] proposed a new category of encryption scheme, called attribute-based encryption (ABE), where the provider of the data can decide the access policy of the ciphertext, which implies that only the users who satisfy the specified attributes can decrypt the ciphertext.The resource providers only need to encrypt messages according to the decryptors' attributes, without taking care of their identities and the number of qualified decryptors.This feature significantly reduces the overhead of data encryption and enables resource providers to formulate flexible and scalable access control policies to manage the sharing range of data.The first ABE scheme [3] only supports threshold access control strategies.The community further proposed key-policy ABE [4] and ciphertext-policy ABE to support more flexible access control strategies [5].In recent years, a number of novel ABE schemes have been proposed with distinct security features [6][7][8][9].Moreover, specialized ABE schemes for various application scenarios such as cloud computing [10][11][12], social networks [13], Internet of things (IoT) [14][15][16], blockchains [17,18], and mobile computing [19,20], have been proposed.
In this paper, we propose an ABE scheme utilizing SM9 IBE as a building block.SM9 is a cryptography standard that defines a set of identity-based cryptographic schemes, including signature, encryption, and key agreement.It originates from a Chinese cryptographic standard [21], and then its signature scheme has been adopted by the International Organization for Standardization as ISO/IEC 14888-3:2018 [22].Currently, its encryption scheme and key agreement scheme have been formally reviewed as proposals for ISO/IEC 18033-5 [23] and ISO/IEC11770-3 [24], respectively.
There is no ABE scheme that is compatible with any Chinese cryptographic standard, as well as the forthcoming ISO standard.Therefore, the proposed ABE scheme is fully compatible with the Chinese standard and the forthcoming international standard to fulfill the regulatory compliance.The SM9 IBE is efficient and bandwidth-saving; for example, it performs better than the ISO/IEC 18033-5 [23] in terms of both computational efficiency and ciphertext size [25].Our ABE scheme inherits such features of SM9 IBE.The scheme is implemented in Java, and experimental results on PCs, smart phones, and embedded devices indicated that our scheme performs well on typical platforms.
As a building block, the SM9 IBE scheme, which is based on bilinear pairings over the prime order elliptic curves that were proposed in [26] (i.e., BN-curves), has been implemented at first.It is worth noting that our implementation is not trivial, because this is the first Java implementation of SM9 to the best of our knowledge, and we have implemented the fundamental mathematical structures from scratch, since there is no appropriate Java library that can be utilized.We have not found any Java library that implements the R-Ate pairing [27] and the extension field specified by the SM9 standard simultaneously.For example, the most widely-used Java library for pairing-based cryptography, i.e., JPBC [28], supports neither the R-Ate pairing nor the demanded extension field.Therefore, we have implemented the R-Ate pairing over a BN-curve and the specified extension finite field, and then integrated them with the interfaces that were provided by the JPBC library to support SM9 IBE and the proposed ABE schemes.
Our contributions are briefly summarized, as follows: (i) we have proposed an ABE scheme based on the SM9 IBE scheme; (ii) we have implemented the ABE scheme as well as the SM9 IBE; and, (iii) we have presented a hybrid ABE scheme as an optimization.The proposed schemes and implementations would benefit developers in building applications that fulfill the regulatory compliance with the Chinese commercial cryptographic standard and the forthcoming ISO standard.Additionally, the ABE schemes have advantages, such as optimized ciphertext expansion rate and anonymity of receivers.The experimental results regarding performance and energy consumption indicate that the proposed scheme works well on various platforms, such as PCs, smart phones, and embedded devices.
The remainder of this paper is organized, as follows.Section 2 briefly introduces the preliminaries and the overview of the software architecture.Section 3 introduces the implementation of SM9 IBE scheme and the experimental results on performance and energy consumption.Section 4 presents an ABE scheme based on the SM9 IBE scheme, as well as the experimental results on performance and energy consumption.Section 5 presents an optimization of the ABE scheme, i.e., a hybrid ABE scheme.Section 6 concludes the paper.[26] are pairing-friendly curves with prime order and the embedding degree k of 12, which present great efficiency and security in the pairing process.The equation of a BN-curve is

BN-curves
The trace (of Frobenius) of the curve [29], the curve order, and the characteristic of F q are parameterized as R-ate pairing [27] is a generalization of the Ate pairing.This pairing enables the loop length of Miller's algorithm [30] to be shorter than that of the Ate pairing.This makes the computation of pairing more efficient.
Let π q be the Frobenius endomorphism, and t be the trace (of Frobenius) of the curve.For input Q, P, the R-ate pairing algorithm on the BN-curves is shown in Algorithm 1.
We have implemented the proposed ABE scheme and the SM9 IBE scheme in Java.The program can be easily deployed on a variety of platforms because of the strong portability of Java.The structure of the software is shown in Figure 1.
The package api, package util, package pairing and package field are the packages provided by the Java Pairing-based Cryptography Library (JPBC).The package api provides interfaces that are related to pairing operations, such as the finite field, elliptic curves, and the pairing functions.The package util provides support for mathematical operations and so on.Package pairing and package field are the specific implementations of the interfaces that are exposed in package api.We construct extension of the finite field and the particular elliptic curve specified by the SM9 standard in the package pairing.We have also implemented the R-Ate pairing in this package.
Sm9Util is a static class, and it contains all of the supporting functions, such as KDF and H2RF i functions, which are detailed in Section 3.1.The supporting functions can be utilized by all other classes.
The KeyGeneratorCenter class is designed following the singleton pattern, where the system parameters are stored.Moreover, it generates the Sm9DecryptPrivateKey that corresponds to the user ID/attributes for decryption.The Sm9Engine implements the SM9 hybrid encryption scheme.It contains three interfaces for users: initEncrypt, initDecrypt, and processBlock.The initEncrypt/initDecrypt function sets the ID/key for encryption/decryption.The processBlock function encrypts/decrypts the message after the initialization.
Sm9ABEEngine implements an ABE scheme supporting AND-gate-only access structure, which will be introduced in Section 4, being based on the Sm9Engine.The AND-gate-only access structure can be uniquely transformed to a user identity.The encryption and decryption processes of SM9 ABE include: (i) transforming the AND-gate-only access structure into a user Identity; and, (ii) invoking the functions that were provided by Sm9Engine.
Sm9IBBEABEEngine implements the ABE scheme that is presented in Section 4. Different from Sm9ABEEngine, Sm9IBBEABEEngine supports the generic access structure.A generic access The Sm9Engine implements the SM9 hybrid encryption scheme.It contains three interfaces for users: initEncrypt, initDecrypt, and processBlock.The initEncrypt/initDecrypt function sets the ID/key for encryption/decryption.The processBlock function encrypts/decrypts the message after the initialization.
Sm9ABEEngine implements an ABE scheme supporting AND-gate-only access structure, which will be introduced in Section 4, being based on the Sm9Engine.The AND-gate-only access structure can be uniquely transformed to a user identity.The encryption and decryption processes of SM9 ABE include: (i) transforming the AND-gate-only access structure into a user Identity; and, (ii) invoking the functions that were provided by Sm9Engine.Sm9IBBEABEEngine implements the ABE scheme that is presented in Section 4. Different from Sm9ABEEngine, Sm9IBBEABEEngine supports the generic access structure.A generic access structure, which is introduced in Section 4, is a generalization of the AND-gate-only access structure.The Sm9IBBEABEEngine has two functions: Encrypt and Decrypt.The input of the Encrypt function includes a generic access structure A and the message that is to be encrypted.Users holding the private key corresponding to the attributes satisfying the access structure A through the Decrypt function can only successfully decrypt the output of the Encrypt function.
Sm9ABEHybridEngine implements the hybrid ABE scheme that is proposed in Section 5, which optimizes the ciphertext size of the ABE scheme that is presented in Section 4.

Supporting Functions
Here, we describe the supporting functions that are used in the schemes, including the key derivation function, which works as KDF2 in ISO/IEC 18033-2 [31], the hash-to-range function in [25], and the block cipher and the system parameters.

Key Derivation Function KDF (H v , Z, klen)
Given a hash function H v with output bit length v, bit string Z, and an integer klen (that denotes the required bit length of the secret keys, where klen < (2 32 −1) v).The output is a bit string K of length klen.The pseudocode for this function is given in Algorithm 2.

Hash to Range Function H2RF i (H v , Z, n)
Given a hash function H v with output bit length v, bit string Z, integer n, and integer index i.The output is an integer h i .Algorithm 3 gives the pseudocode.The SM9 standard requires SM3 [32] to be used as the hash function.
The block cipher includes the encryption algorithm Enc (K 1 , m) and decryption algorithm Dec (K 1 , c).Enc (K 1 , m) encrypts plaintext m with key K 1 and its output is a ciphertext bit string c.Dec (K 1 , c) decrypts ciphertext c using key K 1 and its output is either a plaintext bit string m or the message "error."The bit length of the key K 1 is denoted by K 1 _len.The SM9 standard requires SM4 [33] to be used as the block cipher.

Setup and Key Extraction
This section describes the algorithm that is used to set up the system and the extraction algorithm for the private decryption key.Given input k, the output of this algorithm is the master public key M pk and master secret key M sk .Algorithm 4 gives its pseudocode.
Given an identity string ID A ∈ {0.1} * of entity A, M pk and M sk , the operation outputs "error" if otherwise, it outputs decryption private key

KEM-DEM Algorithms
The SM9 encryption is a hybrid encryption scheme [25] that is built from an identity-based key encapsulation mechanism (KEM) and a data encapsulation mechanism (DEM).The encryption and decryption schemes are described, as follows.

KEM-DEM-Encrypt (M pk , ID A , m)
Given an identity string ID A , plain text m (of bit length mlen), and master public key M pk , the operation runs, as shown in Algorithm 5.
The encryption algorithm is a combination of KEM and DEM.It first generates and encapsulates a random key, and then uses that key to encrypt the message while using different types of DEM.Finally, a message authentication code is created to ensure the integrity and authenticity of the ciphertext.The encapsulated key, encrypted message, and authentication code make up the ciphertext.Figure 2 shows the flow chart of the encryption algorithm.
Appl.Sci.2019, 9, x 7 of 20 ) The encryption algorithm is a combination of KEM and DEM.It first generates and encapsulates a random key, and then uses that key to encrypt the message while using different types of DEM.Finally, a message authentication code is created to ensure the integrity and authenticity of the ciphertext.The encapsulated key, encrypted message, and authentication code make up the ciphertext.Figure 2 shows the flow chart of the encryption algorithm.Given the master public key Mpk, an identity string IDA, the corresponding private key DEA, and cipher text (C1, C2, C3), and the operation runs, as shown in Algorithm 6.Given the master public key M pk , an identity string ID A , the corresponding private key DE A , and cipher text (C 1 , C 2 , C 3 ), and the operation runs, as shown in Algorithm 6. Upon receiving the ciphertext, the decryption algorithm decapsulates the secret key, then decrypts the message using the same type of DEM, as used by the encryption.Finally, it verifies the authentication code.Only when the integrity and authenticity of the ciphertext are confirmed is the plaintext output.Based on the algorithm, the flow chart of this process is shown in Figure 3. ( )

IF DEM e d is
Upon receiving the ciphertext, the decryption algorithm decapsulates the secret key, then decrypts the message using the same type of DEM, as used by the encryption.Finally, it verifies the authentication code.Only when the integrity and authenticity of the ciphertext are confirmed is the plaintext output.Based on the algorithm, the flow chart of this process is shown in Figure 3.

Performance Evaluation
We measured the runtime of the KEM-DEM-Encrypt and KEM-DEM-Decrypt algorithms on four devices, which ranged from a smart phone to a workstation.Table 1 lists the configurations of Output ⊥ and terminate Output ⊥ and terminate

Performance Evaluation
We measured the runtime of the KEM-DEM-Encrypt and KEM-DEM-Decrypt algorithms on four devices, which ranged from a smart phone to a workstation.Table 1 lists the configurations of the test devices.We ran the algorithm 100 times on these devices, recorded the total time, and then calculated the average value as the result.Two types of DEM were tested.Figure 4 shows the result of using a block cipher.Figure 5 shows the result of using a stream cipher.Note that the "Time" axis is logarithmic.For the detailed parameters, please refer to Table 2.

Parameter Value
Curve equation ID length 20 bytes Private key length 256 bits Plaintext length 1024 bytes DEM algorithm (block cipher) SM4 [33], a block cipher whose block size and key size are both 128 bits.
Appl.Sci.2019, 9, x 9 of 20 the test devices.We ran the algorithm 100 times on these devices, recorded the total time, and then calculated the average value as the result.Two types of DEM were tested.Figure 4 shows the result of using a block cipher.Figure 5 shows the result of using a stream cipher.Note that the "Time" axis is logarithmic.For the detailed parameters, please refer to Table 2.We can see that the performances of using two types of DEM are very close when comparing Figure 4 and Figure 5.This indicates that the encryption and decryption processes of the SM4 block cipher have approximately the same speed as the stream cipher.The execution time of decryption is approximately three times as much as that of the encryption.Through further comparison and analysis, we found that the pairing operation leads to such difference in the execution time.

Energy Consumption Evaluation
The energy consumption is a major concern when executing the algorithms on low-power devices.We have evaluated the energy consumption of SM9 IBE scheme on the Raspberry Pi 3 and the OnePlus A6000 smartphone.The power consumption (mAh) is shown in Figure 6, where Enc/Dec (0) represents the KEM-DEM algorithms while using stream cipher, and Enc/Dec (1) represents the algorithms using block cipher.Figure 6 shows that the energy consumptions of using two types of DEM are very similar.The decryption algorithms consume more energy than the encryption algorithms.OnePlus A6000 consumes more energy than Raspberry Pi 3 when executing the same algorithm.We can see that the performances of using two types of DEM are very close when comparing Figures 4 and 5.This indicates that the encryption and decryption processes of the SM4 block cipher have approximately the same speed as the stream cipher.The execution time of decryption is approximately three times as much as that of the encryption.Through further comparison and analysis, we found that the pairing operation leads to such difference in the execution time.

Energy Consumption Evaluation
The energy consumption is a major concern when executing the algorithms on low-power devices.We have evaluated the energy consumption of SM9 IBE scheme on the Raspberry Pi 3 and the OnePlus A6000 smartphone.The power consumption (mAh) is shown in Figure 6, where Enc/Dec (0) represents the KEM-DEM algorithms while using stream cipher, and Enc/Dec (1) represents the algorithms using block cipher.We can see that the performances of using two types of DEM are very close when comparing Figure 4 and Figure 5.This indicates that the encryption and decryption processes of the SM4 block cipher have approximately the same speed as the stream cipher.The execution time of decryption is approximately three times as much as that of the encryption.Through further comparison and analysis, we found that the pairing operation leads to such difference in the execution time.

Energy Consumption Evaluation
The energy consumption is a major concern when executing the algorithms on low-power devices.We have evaluated the energy consumption of SM9 IBE scheme on the Raspberry Pi 3 and the OnePlus A6000 smartphone.The power consumption (mAh) is shown in Figure 6, where Enc/Dec (0) represents the KEM-DEM algorithms while using stream cipher, and Enc/Dec (1) represents the algorithms using block cipher.Figure 6 shows that the energy consumptions of using two types of DEM are very similar.The decryption algorithms consume more energy than the encryption algorithms.OnePlus A6000 consumes more energy than Raspberry Pi 3 when executing the same algorithm.Figure 6 shows that the energy consumptions of using two types of DEM are very similar.The decryption algorithms consume more energy than the encryption algorithms.OnePlus A6000 consumes more energy than Raspberry Pi 3 when executing the same algorithm.

Generic Access Structure Conversion Algorithm.
Here, we present the transformation algorithm of generic access structure [36].Let P = {P 1 , P 2 , . . ., P n } be a set of attributes.A generic access structure is a collection A of non-empty subsets of {P 1 , P 2 , . . ., P n }, i.e., A ⊆ 2 {P 1 ,P 2 ,...,P n } \{∅}.The sets in A are called the authorized sets and the sets not in A are called the unauthorized sets.We can also represent the generic access structure as a disjunction of conjunctive clauses, i.e., disjunctive normal form (DNF).
The input of the conversion algorithm includes a generic access structure A = {A 1 , . . ., A n } ⊆ 2 u , as described before and the universe u of the attribute.It outputs a set of identities S = {ID 1 , ID 2 , . . ., ID n }, which is uniquely corresponding to the access structure A. Algorithm 8 presents the pseudocode.

ABE Scheme Based on SM9 IBBE
We slightly modify the SM9 IBE scheme into an IBBE (Identity-based Broadcast Encryption) [34,35] scheme to generalize our scheme, so that we can transform it into an ABE scheme that supports the generic access structure.The setup and key generation algorithms of IBBE are the same as the original SM9 IBE scheme.We propose the IBBE encrypt and decrypt algorithms based on the SM9's KEM-DEM-Encrypt and KEM-DEM-Decrypt algorithms.Taking the master public key M pk , a set of identities S = {ID 1 , ID 2 , . . ., ID n }, and the message M as input, the IBBEEncrypt algorithm proceeds as presented in Algorithm 9, and it outputs a set of ciphertexts C = {CT 1 , CT 2 , . . ., CT n }.Algorithm 9 IBBEEncrypt(M pk , S, M) 1 Let ID i be the i-th ID of S, and C be a null set.
Taking the master public key M pk , the user identity ID, the associated private key SK ID , and a set of ciphertexts C = {CT 1 , CT 2 , . . ., CT n } as input, we present the IBBEDecrypt algorithm.The pseudocode is presented in Algorithm 10. and SK ID ← SM9.Private − Key − Extract (M pk , M sk , ID) , then we can correctly decrypt the ciphertext with the IBBEDecrypt algorithm.
We construct the ABE scheme that supports the generic access structure based on the IBBE scheme, with the following four parts: Given a security parameter k, this algorithm calls the Setup algorithm of SM9 scheme and it sets the ABE scheme's master public key M pk and the master secret key M sk .
Given the master public key M pk , the master secret key M sk , and a set of attributes U, this algorithm converts the set of attributes U into an identity ID U ∈ {0, 1} |u| by running the algorithm ϕ, and then calls the Private-Key-Extract algorithm of SM9.It outputs the ABE's private key SK U .

.3. Encrypt (M pk , A, M)
Given the master public key M pk , an access structure A, and a message M, this algorithm converts the access structure A = {A 1 , A 2 , . . ., A n } into a set of identities by running the algorithm ξ, and then gets a set of ciphertexts C = {CT 1 , CT 2 , . . ., CT n } by calling the IBBEEncrypt algorithm.
4.2.4.Decrypt (M pk , U, SK U , C) Given the master public key M pk , a set of attributes U, the private key SK U , and the set of ciphertexts C, this algorithm converts the set of attributes U into an identity ID U ∈ {0, 1} |u| by running the algorithm ϕ and then gets the plaintext M by running the IBBEDecrypt algorithm.

Performance Evaluation
Here, we present the experimental results on different devices.The Figures 7 and 8 show how the size of the access structure produces an impact on the performance of the ABE encryption and decryption algorithms.The former experimental result in Section 4.3 shows that the performance of using two types of DEM is very similar, and thus we only present the experimental result of the ABE scheme using block cipher.The size of the universe of attributes is 20.
Given the master public key pk M , an access structure A , and a message M , this algorithm converts the access structure into a set of identities by running the algorithmξ , and then gets a set of ciphertexts ( )

Performance Evaluation
Here, we present the experimental results on different devices.The Figure 7 and Figure 8 show how the size of the access structure produces an impact on the performance of the ABE encryption and decryption algorithms.The former experimental result in Section 4.3 shows that the performance of using two types of DEM is very similar, and thus we only present the experimental result of the ABE scheme using block cipher.The size of the universe of attributes is 20.The experimental result shows that the execution time and the size of access structure have a linear correlation.In summary, the proposed ABE scheme's performance on MacBook Pro and workstation is reasonably well, and its performance on Raspberry Pi and OnePlus smart phone is acceptable.The experimental result shows that the execution time and the size of access structure have a linear correlation.In summary, the proposed ABE scheme's performance on MacBook Pro and workstation is reasonably well, and its performance on Raspberry Pi and OnePlus smart phone is acceptable.

Energy Consumption Evaluation
We have also evaluated the energy consumption of ABE scheme on a Raspberry Pi 3 and a OnePlus A6000 smartphone.Figure 9 shows the power consumption (mAh).The experimental result shows that the execution time and the size of access structure have a linear correlation.In summary, the proposed ABE scheme's performance on MacBook Pro and workstation is reasonably well, and its performance on Raspberry Pi and OnePlus smart phone is acceptable.

Energy Consumption Evaluation
We have also evaluated the energy consumption of ABE scheme on a Raspberry Pi 3 and a OnePlus A6000 smartphone.Figure 9 shows the power consumption (mAh).The battery capacity of a OnePlus A6000 is 3300 mAh.The ABE Decryption process, which is the most energy-consuming process, only takes approximately 0.13% of the capacity.

Security Analysis
The security of the ABE scheme also relies on the security of the transformation technique because we have transformed the SM9 IBE scheme into the ABE scheme following the technique in [34,35].Theorem 4.1 in [35] claims that the ABE scheme derived from an IBBE scheme is secure against chosen ciphertext attacks (CCA) if the underlying IBBE scheme is CCA-secure, which is defined, as follows: The battery capacity of a OnePlus A6000 is 3300 mAh.The ABE Decryption process, which is the most energy-consuming process, only takes approximately 0.13% of the capacity.

Security Analysis
The security of the ABE scheme also relies on the security of the transformation technique because we have transformed the SM9 IBE scheme into the ABE scheme following the technique in [34,35].Theorem 4.1 in [35] claims that the ABE scheme derived from an IBBE scheme is secure against chosen ciphertext attacks (CCA) if the underlying IBBE scheme is CCA-secure, which is defined, as follows: An IBBE scheme is secure against CCA if there exists no probabilistic polynomial-time adversary who can win the following security game in a non-negligible advantage.
(i) Setup.The challenger C takes a unary security parameter 1 k as input, and returns the master public key M pk to the adversary A and keeps the master secret key M sk privately.
(ii) Learn 1.A submits a series of queries q 1 , . . ., q n , where Obviously, the proposed ABE scheme is derived from an underlying IBBE scheme that straightforwardly repeats the SM9 IBE for a limited number of times, and thus the IBBE scheme's security can be reduced to the security of SM9 IBE.As a cryptographic standard, we assume that the SM9 IBE is secure against CCA.

Optimization on the ABE Scheme
For the ABE scheme that is presented in Section 4, a plaintext has to be encrypted n times, where n is the size of the access structure.Therefore, it may be inefficient when the length of the plaintext or the size of the access structure is large.We further develop a hybrid encryption scheme, which uses the proposed ABE scheme for key encapsulation and the SM4 block cipher for data encapsulation to optimize the scheme.

Hybrid ABE Scheme
The hybrid scheme consists of four algorithms.The Setup algorithm and the KeyGen algorithm are the same as their counterparts in the ABE scheme.The encryption and decryption algorithms work, as follows.
Encrypt (M pk , A, M): Given the master public key M pk , an access structure A and a message M, this algorithm proceeds, as presented in Algorithm 11.The hybrid scheme is more space-economic than the scheme in the previous section.Let m be the length of plaintext and n be the access structure's size.The size of the ciphertext of this hybrid ABE scheme is m + n * (32 + 96) bytes, which is much smaller than before.For example, when the plaintext's length is 1 GB and the access structure's size is 8, the ciphertext's length is only 1 GB + 1 KB.

Performance Evaluation
Here, we present the experimental results on different devices.We set the default size of the universe of attributes as 20 and the plaintext's default length as 1 KB.The other parameters are inherited from the SM9 scheme.Figures 10 and 11 show the performance of the encryption and decryption.Figure 12 shows the relation between the ciphertext's size and the access structure's size.Figure 13 shows the relation between the ciphertext's size and the plaintext's length under the condition that the access structure's size is 10.inherited from the SM9 scheme.Figure 10 and Figure 11 show the performance of the encryption and decryption.Figure 12 shows the relation between the ciphertext's size and the access structure's size.Figure 13 shows the relation between the ciphertext's size and the plaintext's length under the condition that the access structure's size is 10.

Energy Consumption Evaluation
We have also evaluated the energy consumption of the hybrid ABE scheme on a Raspberry Pi 3 and a OnePlus A6000 smartphone.Figure 14 shows the power consumption (mAh).

Energy Consumption Evaluation
We have also evaluated the energy consumption of the hybrid ABE scheme on a Raspberry Pi 3 and a OnePlus A6000 smartphone.Figure 14 shows the power consumption (mAh).

Conclusions
We present an ABE scheme that is based on the SM9 IBE scheme, which supports the generalized access structure.The proposed scheme complies with the Chinese commercial cryptographic standard and the forthcoming ISO standard.In terms of implementation, we first implement and embed the R-ate pairing on BN-curves, which is required by SM9, into the JPBC library; and, then implement SM9 as well as the proposed ABE.Moreover, we also develop a hybrid ABE for achieving lower ciphertext expansion rate when the size of access structure or plaintext is large.In general, the proposed schemes' performance is reasonably well on PCs, and is also acceptable on smart phones and embedded devices, according to our experimental results.

Conclusions
We present an ABE scheme that is based on the SM9 IBE scheme, which supports the generalized access structure.The proposed scheme complies with the Chinese commercial cryptographic standard and the forthcoming ISO standard.In terms of implementation, we first implement and embed the R-ate pairing on BN-curves, which is required by SM9, into the JPBC library; and, then implement SM9 as well as the proposed ABE.Moreover, we also develop a hybrid ABE for achieving lower ciphertext expansion rate when the size of access structure or plaintext is large.In general, the proposed schemes' performance is reasonably well on PCs, and is also acceptable on smart phones and embedded devices, according to our experimental results.

Figure 1 .
Figure 1.The structure of attribute-based encryption (ABE) and identity-based encryption (IBE) Java implementation.

Figure 1 .
Figure 1.The structure of attribute-based encryption (ABE) and identity-based encryption (IBE) Java implementation.

4 .
Decrypt (Mpk, U, SKU, C) Given the master public key pk M , a set of attributes U , the private key U SK , and the set of ciphertexts C , this algorithm converts the set of attributes U into an identity ϕ and then gets the plaintext M by running the IBBEDecrypt algorithm.
either a private key query or a decryption query.Note that in a private key query, A sends an identity to C, and then C returns the corresponding private key to A; in a decryption query, A sends a ciphertext and an identity to C, and then C decrypts the ciphertext for A. (iii) Challenge.A submits two equal-length messages M 0 , M 1 and a challenge set of identities ID * 1 , . . ., ID * n to C. Afterwards, C uniformly randomly selects b ∈ {0, 1}, encrypts M b under ID * 1 , . . ., ID * n , and finally sends the ciphertext C * to A. (iv) Learn 2. A repeats the steps in the Learn 1 phase except for querying the identities and the ciphertext involved in the challenge.(v) Guess.A outputs a guess b ∈ {0, 1} of b and wins the game if and only if b = b .A's advantage in the above game is defined as Pr[b = b ] − 1 2 .

Figure 13
Figure13shows the relation between the ciphertext's size and the plaintext's length under the condition that the access structure's size is 10.

Figure 12 .
Figure 12.Hybrid ABE's ciphertext's size with respect to the access structure's size (1 KB plaintext).Figure 12. Hybrid ABE's ciphertext's size with respect to the access structure's size (1 KB plaintext).

Figure 13 .
Figure 13.Hybrid ABE's ciphertext's size with respect to plaintext's length (the size of access structure is 10).

Figure 13 .
Figure 13.Hybrid ABE's ciphertext's size with respect to plaintext's length (the size of access structure is 10).

Author
Contributions: conceptualization, Y.S. and X.W.; methodology, Y.S.; software, Z.M., Y.S. and W.W.; validation, R.Q.; writing-original draft preparation, Z.M.; writing-review and editing, H.F. Funding: The National Natural Science Foundation of China (grant numbers 61772371, 61702374, and 61672128), the National Key Research and Development Program of China (grant number 2018YFC0830406), the National Critical Science and Technology Infrastructure Program (China National Seafloor Scientific Observatory, Tongji University), the Shanghai Sailing Program (grant number 17YF1420500), and the Fundamental Research Funds for the Central Universities.

Table 2 .
Detailed parameters in the experiment.

Table 2 .
Detailed parameters in the experiment.