Efficient Revocable Attribute-Based Encryption with Data Integrity and Key Escrow-Free

Abstract

Revocable attribute-based encryption (RABE) provides greater flexibility and fine-grained access control for data sharing. However, the revocation process for most RABE schemes today is performed by the cloud storage provider (CSP). Since the CSP is an honest and curious third party, there is no guarantee that the plaintext data corresponding to the new ciphertext after revocation is the same as the original plaintext data. In addition, most attribute-based encryption schemes suffer from issues related to key escrow. To overcome the aforementioned issues, we present an efficient RABE scheme that supports data integrity while also addressing the key escrow issue. We demonstrate the security for our system, which is reduced to the decisional q-parallel bilinear Diffie-Hellman exponent (q-PBDHE) assumption and discrete logarithm (DL) assumption. The performance analysis illustrates that our scheme is efficient.

1. Introduction

Cloud storage services provide major advantages in data management as data continues to grow and digitization processes accelerate, and more and more companies and individuals are choosing to employ cloud storage services to satisfy their data storage demands. Compared with traditional local storage, cloud storage has the advantages of high storage efficiency, high scalability, and low management overhead. However, cloud storage providers (CSP) may attempt to access sensitive data, which can lead to potential privacy risks [1,2,3]. The key to solving this problem is to store the data in ciphertext. The traditional method can only achieve one-to-one sharing. If the file is shared with several users, it must be encrypted multiple times, which lacks flexibility and fine-grained access control. Attribute-based encryption (ABE) [4] technology effectively solves this problem; it can provide file confidentiality and a one-to-many sharing mechanism over encrypted data. Data in an ABE scheme is encrypted using access policy. The user can decrypt and achieve plaintext when the user’s attributes match the access policy in the ciphertext. Therefore, the user fully utilizes cloud storage services to maintain data security and privacy. Ciphertext-policy attribute-based encryption (CP-ABE) [5] and key-policy attribute-based encryption (KP-ABE) [6] are two types of ABE. In CP-ABE, the user’s attribute set corresponds to the key, and the access policy corresponds to the ciphertext, while the opposite is true for KP-ABE. The user can decrypt only when the attributes match the access policy.

Currently, CP-ABE is widely used in healthcare, financial services, e-commerce, and other scenarios, but in many practical application scenarios, CP-ABE is still confronted with numerous challenges, such as user revocation [7] and key escrow issues. Revocable attribute-based encryption restricts access to data by controlling user attributes such as job titles or security clearance levels. It allows data owners to revoke access to certain users when necessary, thus providing greater flexibility and fine-grained control over data sharing, enabling greater data security and privacy.

1.1. Related Works

More and more programs are now focusing on the issue of revocation. Pirretti et al. [8] developed a revocable encryption scheme that supports indirect revocation, where each attribute in the scheme contains a valid time range and the authority periodically updates the attribute and redistributes the user’s key information. Li et al. [9] constructed a revocable scheme that introduces the concept of user groups to achieve efficient user revocation, where the group administrator updates the keys of unrevoked users when any user leaves, and the scheme outsources part of the computation to the CSP to reduce the user computation burden. In [10], an efficient direct RABE scheme was provided. In the scheme, a user revocation list and a time interval are added. The revoked users are added to the revocation list and can not decrypt the ciphertext after the key time expires, and the key of the unrevoked users will be updated. Xiang et al. [11] adopted version control technology to support real-time revocation and the private key for the unrevoked user is updated by the subset covering technique. In [12], the data owner does not need to be online during the revocation process, but the unrevoked user is required to update the decryption key frequently, and the data storage center needs to re-encrypt the ciphertext, which is computationally intensive and not suitable for resource-constrained environments. Xiong et al. [13] combined revocable encryption with cloud-assisted IoT, where the trusted authority center manages a user revocation list. The identities and current time nodes of these users will be added to the list once they have been deleted from the system. Using key update parameters generated by the trusted authority center, users who are not revoked will update their own decryption keys. Lan et al. [14] constructed an efficient revocable ABE scheme with rich attribute representation. The proxy server is in charge of partial decryption and receives a conversion key from the key generating center. When a user’s attributes change or he or she is deleted from the system, both the decryption key and the conversion key for unrevoked users need to be updated. The above scheme achieves revocation by maintaining a revocation list or updating the key periodically, but the length of the list increases with the rapid change of personnel flow, and this method requires the user to update the key frequently online at any time, which has a large computational overhead.

Sahai et al. [15] introduced the ciphertext delegation technique, in which the cloud server achieves user revocation by re-encrypting the ciphertext, but the scheme cannot be applied in CP-ABE. In [16], a server-assisted RABE scheme is constructed, in which the ciphertext should be converted by the CSP using the relevant conversion key, and if the user is removed from the system, the CSP will no longer be able to help him or her to convert the ciphertext. The CP-ABE scheme in [17] applied a modular ciphertext delegation method that allows third parties to convert ciphertexts under a stricter policy, enabling user revocation. Ma et al. [18] constructed a revocable, secure data deletion and authentication CP-ABE scheme. The scheme uses attribute association trees to reconstruct new access policy and re-encrypts ciphertext data when a user is deleted, so that the deleted user is unable to decrypt the new ciphertext. In [19], a traceable RABE scheme is constructed by uploading the revocation list along with the ciphertext to CSP. When a user revokes from the system, the CSP updates the ciphertext using the update key transmitted by the authorization center, and the user’s identity is related to the leaf node to achieve user tracking. In [20], the CSP re-encrypts the ciphertext by combining the original ciphertext with the updated material broadcast by the authority center using the ciphertext delegation algorithm. These schemes use the CSP to update the ciphertext to achieve revocation, which saves computing resources to a certain extent. However, since the proxy third-party server is honest and curious, there is no guarantee that the plaintext data corresponding to the new ciphertext after revocation is consistent with the original plaintext data, which is what we call the data integrity issue. Aiming to resolve this problem, Ge et al. [21] used a user-verifiable approach to construct a new RABE scheme that supports data integrity. Based on Waters’ scheme [22], they encrypted both the plaintext data and a random value, allowing the user to check the consistency for the plaintext data. However, the scheme has a key escrow problem.

In addition, ABE schemes also come with the key escrow problem. In the traditional ABE scheme, the key generation center (KGC) generates the decryption keys for the users, which means that the KGC has the ability to access and decrypt data. To overcome this issue, the schemes in [23,24] generate decryption keys for users by introducing multiple authorization centers, each of which can only calculate partial keys. The scheme in [25] used an unmanaged key issue protocol executed between the CSP and the KGC, but the computational cost is too high. The scheme in [26] used an unmanaged key issue protocol executed between the KGC and the user, solving the key escrow issue effectively. Recently, some novel ABE schemes were presented, such as CP-ABE with shared decryption [27], ABE with privacy protection and accountability [28], multi-authority CP-ABE [29,30], and revocable blockchain-aided ABE [31].

Therefore, to address the integrity issue and the key escrow issue in revocation, we constructed an efficient revocable ABE scheme that supports data integrity and solves the key escrow issue. The specific contributions are as follows:

• Data integrity: Under the new access policy, when the CSP performs the revocation operation to generate the ciphertext, the user can check whether the plaintext corresponding to the new ciphertext is the same as the original encrypted plaintext.
• Key-escrow free: Attribute authority was introduced, and a secure 2PC protocol is executed between the key authority and the attribute authority to generate the user’s private key. Neither side can get the complete private key, which solved the key escrow problem.
• Security and efficiency: Based on the assumption of decisional q-PBDHE, our scheme is secure under chosen plaintext attacks. Performance analysis illustrates the practicability and effectiveness of the proposed scheme.

1.2. Organization

We review some knowledge about topics like bilinear maps and linear secret sharing in Section 2. We provide an overview of the security model and the system model in Section 3. We present an efficient RABE scheme based on the Waters’ scheme in Section 4. Section 5 and Section 6 discuss the safety and feasibility of our scheme, respectively. Finally, we summarize our work in Section 7.

2. Preliminaries

We focus on describing the specific construction of our RABE scheme, and the notation used in the paper is explained in Table 1.

Table 1. Symbols Definition.

Symbol	Description
$G,G_T$	Two multiplicative cyclic groups with prime order $p$
$g$	A generator in $G$
$\mathrm{U}$	Collection of all system attributes
$\left|\mathrm{U}\right|$	The number of elements of the set $\mathrm{U}$
$\mathbb{S}$	Collection of user attributes
$\mathbb{S}\subseteq \mathrm{U}$	$\mathbb{S}$ is a subset of $\mathrm{U}$
PPT	Probabilistic polynomial time
2PC	Two-party computing
$Param$	Public parameters
$MSK$	Master key
$SK$	User private key
$CT$	Ciphertext
$P=\{P_1,P_2,\cdots ,P_n\}$	Participant set
$M_{m\times n}$	A matrix with $m$ rows and $n$ columns
$M_j$	The $j$-th row of $M$
$\left(M_{m\times n},\rho \right)$	Access policy
$\left[1,m\right]$	A set of $1,2,\cdots ,m$

Bilinear maps The bilinear map $e:G\times G\to G_T$ has the following properties:

• Bilinear: $\forall a,b\in G,u,v\in Z_p^{\ast }$, $e\left(a^u,b^v\right)=e{\left(a,b\right)}^{uv}$ holds.
• Non-degeneracy: $e\left(a,b\right)\ne 1$.
• Computability: $e\left(a,b\right)$ can be effectively calculated.

Access policy The set $A\subseteq 2^{\left\{P_1,P_2,\cdots ,P_n\right\}}$ is called monotonous if $B\in A$ and $B\subseteq C$, we have $C\in A$. The access policy is the monotone set $A$ in all non-empty subsets for P, i.e., $A\subseteq 2^{\left\{P_1,P_2,\cdots ,P_n\right\}}\backslash \{\varnothing \}$. The sets are referred to as the authorization sets, otherwise, the sets are referred to as the unauthorized sets.

Linear secret sharing scheme (LSSS) A linear secret sharing scheme $\mathsf{\Pi }$ on $Z_p$ meets the following two conditions:

• Each participant’s share is the component of the vector on $Z_p$.
• Define a share generating matrix $M_{m\times n}$ and for all $j\in \left[1,m\right]$, we define a function $\rho (j):\left\{1,\cdots ,m\right\}\to \{P_1,P_2,\cdots ,P_n\}$, where $1,2,\cdots ,m$ is the number of rows in $M_{m\times n}$. Randomly choosing vector $\overrightarrow{u}=\left(r,u_2,\cdots ,u_n\right)$, where $r\in Z_p$ is a secret shared value, $u_2,\cdots u_n\in Z_p$ was picked randomly. $M·\overrightarrow{u}$ represents $m$ secret share values shared according to $\mathsf{\Pi }$.

LSSS satisfies the linear reconfiguration property that members in the authorization set $\mathbb{S}$ can recover secret as follows: For an access policy $A$, let $\mathbb{S}\in A$ be any authorized set, and let $Q=\left\{j:\rho (j)\in \mathbb{S}\right\}\subset \left\{1,\cdots ,m\right\}$, we can compute the constant set ${\left\{{\eta }_j\right\}}_{j\in Q}$ in polynomial time using the knowledge of linearity algebra such that ${\displaystyle \sum _{j\in Q}{\eta }_j{\zeta }_j}=r$, where ${\zeta }_j=\left(M_j·\overrightarrow{u}\right)$. In this paper, $(M_{m\times n},\rho )$ stands for access policy, and s can be recovered only when the attributes of the user meet $(M_{m\times n},\rho )$.

Discrete logarithm assumption (DL) Let $G$ be a group of prime order $p$, and $g$ be a generator. The DL assumption says, that given $\left(g,g^{\phi }\right)$ for randomly chosen $\phi \in Z_p^{\ast }$, for the PPT algorithm $\mathcal{A}$, $\mathrm{Pr}\left[A(g,g^{\phi })=\phi \right]\le \epsilon$ is negligible.

Decisional q-Parallel Bilinear Diffie-Hellman Exponent assumption (q-PBDHE) Let $a,d_1,\cdots ,d_q,r\in Z_p$ be chosen randomly, and $e:G\times G\to G_T$ be a bilinear map. Given tuple:

$$\begin{array}{c}\overrightarrow{y}=\{g,g^r,g^a,\cdots ,g^{a^q},g^a{}^{{}^{q+2}},\cdots ,g^a{}^{{}^{2q}},\\ {\forall }_{1\le i\le q}{g}^{r·d_i},g^{a/d_i},\cdots ,g^{a^q/d_i},g^{a^{q+2}/d_i},\cdots ,g^{a^{2q}/d_i}\\ {\forall }_{1\le i,l\le q,l\ne i}{g}^{a·r·d_l/d_i},\cdots ,g^{a^q·r·d_l/d_i}\}\end{array}$$

The decisional q-PBDHE assumption means that there is no PPT algorithm to distinguish the distribution of ${\mathbb{F}}_{q-PBDHE}=\left\{\left(\overrightarrow{y},e{(g,g)}^{a^{q+1}r}\right)\right\}$ and ${ℝ}_{q-PBDHE}=\left\{\left(\overrightarrow{y},\tilde{R}\right)\right\}$, where $\tilde{R}$ be a random element in $G_T$. The decisional q-PBDHE assumption was first defined and proved to be safe in [22].

3. System Model

We will give the roles of each entity, the formal definition, and the security model for the RABE scheme.

Our RABE system includes five entities: Data Owner (DO), Data User (DU), Cloud Service Provider (CSP), Key Authority (KA), and Attribute Authority (AA), which is illustrated in Figure 1.

Figure 1. System structure for RABE.

DO: The DO sets an access policy for the data, generates file ciphertext using a combination of symmetric encryption (AES) and the CP-ABE algorithm, and finally sends the complete ciphertext to the CSP.

CSP: The CSP stores ciphertext uploaded by the DO and performs the revocation operation.

DU: The DU downloads ciphertext from the CSP. If the attributes of the DU match the access policy embedded in the ciphertext, he or she can decrypt the data to obtain plaintext.

KA/AA: The KA and AA are responsible for system initialization and generating user private keys.

3.1. Formal Definition

The algorithms in the RABE scheme are as below:

(1)

$Setup\_KA(\lambda ,\mathrm{U})\to (Para{m}_1,MS{K}_1)$. This algorithm generates the public key $Para{m}_1$ and private key $MS{K}_1$ of the KA according to the security parameter $\lambda$ and system attribute set $\mathrm{U}$.

(2)

$Setup\_AA(Para{m}_1)\to (Para{m}_2,MS{K}_2)$. This algorithm generates the public key $Para{m}_2$ and private key $MS{K}_2$ of the AA according to $Para{m}_1$.

(3)

$Keygen(MS{K}_1,MS{K}_2,Param,\mathbb{S})\to SK$. This algorithm generates the user’s private key $SK$ through a secure 2PC protocol.

(4)

$Encrypt(Param,F,(M_{m\times n},\rho ))\to CT$. This algorithm encrypts data files $F$ and uploads the ciphertext to the CSP.

(5)

$Decryp{t}_{or}(SK,CT)\to F$. This algorithm inputs $SK$ and $CT$, and outputs a shared data file $F$ or a special symbol $\perp$.

(6)

$Revoke(CT,({\overline{M}}_{\overline{m}\times \overline{n}},\overline{\rho }))\to C{T}^{\prime }$. This algorithm inputs $CT$ and a revocation access policy $({\overline{M}}_{\overline{m}\times \overline{n}},\overline{\rho })$, and it outputs a revoked ciphertext $C{T}^{\prime }$.

(7)

$Decryp{t}_{re}(S{K}^{\prime },CT,C{T}^{\prime })\to F$. This algorithm inputs updated private key $S{K}^{\prime }$, $CT$ and $C{T}^{\prime }$, and outputs a shared data file $F$ or a special symbol $\perp$.

3.2. Security Model

We define two security models for the RABE scheme, namely the selective plaintext attack and the data integrity attack. These are described through the interactive attack games (Game-I and Game-II) between adversary $\mathcal{A}$ and challenger $\mathcal{C}$.

Game-I describes a security game under selective plaintext attack.

• Initialization: $\mathcal{A}$ chooses a challenge access policy $(M^{\ast }{}_{m^{\ast }\times n^{\ast }},{\rho }^{\ast })$ and sends it to challenger $\mathcal{C}$.
• Setup: $\mathcal{C}$ executes the $Setup$ algorithm to obtain the master public key $Param$ and returns it to $\mathcal{A}$.
• Private key query phase 1: $\mathcal{A}$ chooses a user attribute set $\mathbb{S}$, which requires that $\mathbb{S}$ cannot meet $(M^{\ast }{}_{m^{\ast }\times n^{\ast }},{\rho }^{\ast })$. $\mathcal{C}$ runs the $Keygen$, and generates the private key $SK$ and returns it to $\mathcal{A}$.
• Challenge: $\mathcal{A}$ chooses two data files $F_0$ and $F_1$ of equal length to $\mathcal{C}$. $\mathcal{C}$ chooses $\theta \in \left\{0,1\right\}$ randomly and encrypts $F_{\theta }$ to get the challenge ciphertext $C{T}^{\ast }$. $\mathcal{C}$ returns the ciphertext $C{T}^{\ast }$ to $\mathcal{A}$.
• Private key query phase 2: Similar to the previous stage, $\mathcal{C}$ continues to answer $\mathcal{A}$’s query.
• Guess: $\mathcal{A}$ outputs its guess ${\theta }^{\prime }\in \left\{0,1\right\}$ for $\theta$.

We define $\mathcal{A}$’s advantage in the above game as $Adv=\left|\mathrm{Pr}\left[{\theta }^{\prime }=\theta \right]-\frac{1}{2}\right|$.

Definition 1. 

Our RABE scheme is selective plaintext attack secure, if for all PPT adversary $\mathcal{A}$, the advantage $Adv=\left|\mathrm{Pr}\left[{\theta }^{\prime }=\theta \right]-\frac{1}{2}\right|$ is negligible.

Game-II describes a security game under data integrity attack.

• Setup: $\mathcal{C}$ executes $Setup$ algorithm to get public parameter $Param$ and returns it to $\mathcal{A}$.
• Private key query phase 1: $\mathcal{A}$ can perform the key extraction query on the user attribute set $\mathbb{S}$. $\mathcal{C}$ returns $SK$ to $\mathcal{A}$ by executing the $Keygen$ algorithm.
• Challenge: $\mathcal{A}$ sends the data file $F$ and a challenge access policy $\left(M_{m\times n},\rho \right)$ to $\mathcal{C}$. Then $\mathcal{C}$ sends challenge ciphertext $CT$ to $\mathcal{A}$ by executing the $Encrypt$ algorithm.
• Private key query phase 2: Similar with the previous stage, $\mathcal{C}$ continues to answer $\mathcal{A}$’s query.
• Guess: $\mathcal{A}$ outputs attribute set ${\mathbb{S}}^{\prime }$ and revoked ciphertext $C{T}^{\prime }$. $\mathcal{A}$ wins the integrity game if ${\mathit{Dec}}_{re}\left(S{K}_{{\mathbb{S}}^{\prime }},CT,C{T}^{\prime }\right)\notin \{F,\perp \}$.

We define $\mathrm{Pr}[\mathcal{A}wins]$ to represent the adversary $\mathcal{A}$’ s advantage in the above game.

Definition 2. 

The proposed scheme achieves the data integrity of ciphertext after revocation if for all PPT adversary $\mathcal{A}$, the advantage $\mathrm{Pr}[\mathcal{A}wins]$ is negligible.

4. Our RABE Construction

(1)

$Setup\_KA(\lambda ,\mathrm{U})\to (Para{m}_1,MS{K}_1)$. This algorithm inputs system security parameter $\lambda$, and attribute set $\mathrm{U}$, generates two cyclic groups $G$, $G_T$ with prime order $p$ and bilinear map $e:G\times G\to G_T$. Let $g$ be a generator in $G$. The KA randomly selects $g,\mu ,\nu \in G$, $a,b,{\alpha }_1\in Z_p^{\ast }$, hash function $\hat{H}:G_T\to Z_p^{\ast }$ and $h_1,h_2,\cdots ,h_{\left|\mathrm{U}\right|}$, then the algorithm outputs

$$Para{m}_1=\left(G,G_T,e,g,g^a,\mu ,\nu ,\left\{h_i|i=1,2,\cdots ,\left|\mathrm{U}\right|\right\},g^b,E^{{\alpha }_1},\widehat{H}\right),MS{K}_1=\left({\alpha }_1,b\right).$$

The KA publishes $Para{m}_1$ and keeps $MS{K}_1$ secretly, where $E=e(g,g)$.

(2)

$Setup\_AA(Para{m}_1)\to (Para{m}_2,MS{K}_2)$. The AA selects ${\alpha }_2\in Z_p^{\ast }$ randomly, outputs $Para{m}_2=\left(E^{{\alpha }_2}\right)$, $MS{K}_2=\left({\alpha }_2\right)$. The AA keeps $MS{K}_2$ secretly and publishes $Para{m}_2$. Then we have

$$Param=\left(G,G_T,e,g,g^a,\mu ,\nu ,\left\{h_i|i=1,2,\cdots ,\left|\mathrm{U}\right|\right\},g^b,E^{\alpha },\widehat{H}\right),MSK=({\alpha }_1,{\alpha }_2,b),$$

where $\alpha ={\alpha }_1+{\alpha }_2$.

(3)

$KeyGen(MS{K}_1,MS{K}_2,Param,\mathbb{S})\to SK$. In this algorithm, the KA and the AA use the secure 2PC protocol to generate the user’s private key. Firstly, the KA inputs $\left({\alpha }_1,b\right)$, the AA inputs ${\alpha }_2$, the protocol computes $\omega =({\alpha }_1+{\alpha }_2)b$ and returns $\omega$ to the AA, where the KA does not know ${\alpha }_2$ and the AA does not know $\left({\alpha }_1,b\right)$, then the AA and the KA interact to generate $S{K}_2$:

• The AA selects $t_1\in Z_p^{\ast }$ at random, the AA computes $X_1=g^{\omega /t_1}=g^{({\alpha }_1+{\alpha }_2)b/t_1}$, and generates the knowledge proof of $\omega ,t_1$, then sends $X_1$ and $PoK(\omega ,t_1)$ to the KA.
• The KA selects $s,\tau \in Z_p^{\ast }$ at random, computes $T_1=X_1{}^{\tau /b}=g^{({\alpha }_1+{\alpha }_2)\tau /t_1}$, $T_2=g^{s\tau ·a}$, then transmits $T_1,T_2$ and $PoK(\tau ,s,b)$ to the AA.
• The AA selects $t_2\in Z_p^{\ast }$ at random, computes $X_2={(T_1{}^{t_1}{T}_2)}^{t_2}={(g^{({\alpha }_1+{\alpha }_2)\tau }{g}^{s\tau a})}^{t_2}$, then sends $X_2$ and $PoK(t_2)$ to KA.
• The KA computes $T_3=X_2{}^{1/\tau }={(g^{({\alpha }_1+{\alpha }_2)}{g}^{sa})}^{t_2}$, sends $PoK(\tau )$ and $T_3$ to the AA.
• The AA calculates $D=T_3{}^{1/t_2}=g^{\alpha }{g}^{sa}$, and then the AA transmits $S{K}_2=\left\{D=g^{\alpha }{g}^{sa}\right\}$ to the DU.
• The KA computes $D_0=g^s,D_x=h_x{}^s,\forall x\in \mathbb{S}$ and sends $S{K}_1=\left\{D_0=g^s,D_x=h_x{}^s\right\}$ to the DU.
• The DU’s final private key is $SK=\left\{D=g^{\alpha }{g}^{sa},D_0=g^s,D_x=h_x{}^s(\forall x\in \mathbb{S})\right\}$. The above protocol is illustrated in Figure 2.
  

  Figure 2. The proposed key issuing protocol.

(4)

$Encrypt(Param,F,(M_{m\times n},\rho ))\to CT$. This algorithm inputs the shared data file $F$, $Param=\left(G,G_T,e,g,g^a,\mu ,\nu ,\left\{h_i|i=1,2,\cdots ,\left|\mathrm{U}\right|\right\},g^b,E^{\alpha },\widehat{H}\right)$ and access policy $(M_{m\times n},\rho )$, for each row of $M_{m\times n}$, the function $\rho$ associates rows of $M_{m\times n}$ to attributes, which is $\rho :\left\{1,2,\cdots ,m\right\}\to \mathrm{U}$. The algorithm encrypts the file $F$ using the AES algorithm, then gets the shared data ciphertext $CF=En{c}_{ck}(F)$, where $ck$ is a symmetric key. The DO selects a vector $\overrightarrow{u}=(r,u_2,\cdots ,u_n)\in Z_p^{\ast }$, $c_j\in Z_p$ randomly, computes ${\zeta }_j=\overrightarrow{u}·M_j$, $j\in \left[1,m\right]$. Then

$$C_1=ck·E^{\alpha r},C_2=g^r,C_{3,j}=h_{\rho (j)}^{-c_j}{g}^{a{\zeta }_j},C_{4,j}=g^{c_j},\forall j\in \left[1,m\right],C_5={\mu }^{\widehat{H}(F)}{\nu }^{\widehat{H}(ck)},$$

Let $C=\left((M_{m\times n},\rho ),C_1,C_2,C_{3,j},C_{4,j},C_5,j\in \left[1,m\right]\right)$, then the DO sends $CT=\left\{CF,C\right\}$ to the CSP for storage.

(5)

$Decryp{t}_{or}(SK,CT)\to F$. The DU runs the algorithm and decrypts the ciphertext $CT$. The algorithm inputs private key $SK=\left\{D,D_0,D_x(\forall x\in \mathbb{S})\right\}$, $CT=\left\{CF,C\right\}$. If the attribute set $\mathbb{S}$ satisfies $\left(M_{m\times n},\rho \right)$, lets $Q=\left\{j:\rho (j)\in \mathbb{S}\right\}\subset \left\{1,\cdots ,m\right\}$, calculates the constant ${\left\{{\eta }_j\right\}}_{j\in Q}$ such that ${\Sigma }_{j\in Q}{\eta }_j{M}_j=\left(1,0,0,\cdots ,0\right)$, the algorithm computes

$$ck=C_1/\frac{e(D,C_2)}{{({\mathsf{\Pi }}_{j\in Q}e(D_0,C_{3,j})·e(D_{\rho (j)},C_{4,j}))}^{{\eta }_j}}.$$

Then checks if $C_5={\mu }^{\widehat{H}(F)}{\nu }^{\widehat{H}(ck)}$, outputs $ck$ and decrypts the shared file $F$ further. Otherwise, outputs $\perp$. If $\mathbb{S}$ does not satisfy $\left(M_{m\times n},\rho \right)$, decryption fails.

(6)

$Revoke(CT,({\overline{M}}_{\overline{m}\times \overline{n}},\overline{\rho }))\to C{T}^{\prime }$. The CSP runs the algorithm. It inputs $CT=\left\{CF,C\right\}$, a revocation access policy $({\overline{M}}_{\overline{m}\times \overline{n}},\overline{\rho })$, and for each row of ${\overline{M}}_{\overline{m}\times \overline{n}}$, defines the function $\overline{\rho }:\left\{1,2,\cdots ,\overline{m}\right\}\to \mathrm{U}$. It outputs a revoked ciphertext $C{T}^{\prime }$ under a revoked access policy $\left({M^{\prime }}_{m^{\prime }\times n^{\prime }},{\rho }^{\prime }\right)$, where ${\rho }^{\prime }:\left\{1,2,\cdots ,m^{\prime }\right\}\to \mathrm{U}$, $m^{\prime }=m+\overline{m}$, $n^{\prime }=n+\overline{n}$. Then, it randomly selects $\tilde{\overrightarrow{u}}=(\tilde{r},{\tilde{u}}_2,\cdots ,{\tilde{u}}_{n^{\prime }})\in Z_p^{n^{\prime }}$ and ${\tilde{c}}_j\in Z_p$ for each $j\in [1,m^{\prime }]$, computes ${\tilde{\zeta }}_j=\tilde{\overrightarrow{u}}·M_j{}^{\prime }$, $j\in [1,m^{\prime }]$. The algorithm computes $\widehat{C}$:

$$L_1=C_1,L_2=C_2,L_{3,j}=C_{3,j},L_{4,j}=C_{4,j},j\in \left[1,m\right],L_{3,j}=1_G,L_{4,j}=1_G,j\in \left[m+1,m^{\prime }\right],$$

where $1_G$ is the identity element of $G$. Then the algorithm computes $\tilde{C}$:

$$K_1=E^{\alpha \tilde{r}},K_2=g^{\tilde{r}},K_{3,j}=g^{a{\tilde{\zeta }}_j}{h}_{\rho (j)}^{-{\tilde{c}}_j},K_{4,j}=g^{{\tilde{c}}_j},\forall j\in \left[1,m^{\prime }\right].$$

And computes $C^{\prime }$:

$$C_1^{\prime }=L_1·K_1,C_2^{\prime }=L_2·K_2,C_{3,j}^{\prime }=L_{3,j}·K_{3,j},C_{4,j}^{\prime }=L_{4,j}·K_{4,j},\forall j\in \left[1,m^{\prime }\right],C_5^{\prime }=C_5.$$

Let $C^{\prime }=\left(\left({M^{\prime }}_{m^{\prime }\times n^{\prime }},{\rho }^{\prime }\right),C_1^{\prime },C_2^{\prime },C_{3,j}^{\prime },C_{4,j}^{\prime },C_5^{\prime },j\in \left[1,m^{\prime }\right]\right)$, outputs $C{T}^{\prime }=\left\{C^{\prime },CF\right\}$.

(7)

$Decryp{t}_{re}(S{K}^{\prime },CT,C{T}^{\prime })\to F$. The algorithm inputs $S{K}^{\prime }$, $CT=\left\{CF,C\right\}$ and $C{T}^{\prime }=\left\{C^{\prime },CF\right\}$, verifies whether $C_5^{\prime }=C_5$, if not, outputs $\perp$. Then, if the set of attribute ${\mathbb{S}}^{\prime }$ of $S{K}^{\prime }$ meets $\left(M^{\prime },{\rho }^{\prime }\right)$, let $Q^{\prime }=\left\{j:{\rho }^{\prime }(j)\in {\mathbb{S}}^{\prime }\right\}\subset \left\{1,\cdots ,m^{\prime }\right\}$, and there is a constant ${\left\{{\eta }_j^{\prime }\right\}}_{j\in Q^{\prime }}$ such that ${\Sigma }_{j\in Q^{\prime }}{\eta }_j^{\prime }·M_j^{\prime }=\left(1,0,0,\cdots ,0\right)$. Then the DU computes:

$$ck=C_1^{\prime }/\frac{e(D,C_2^{\prime })}{{({\mathsf{\Pi }}_{j\in Q^{\prime }}e(D_0,C_{3,j}^{\prime })·e(D_{{\rho }^{\prime }(j)},C_{4,j}^{\prime }))}^{{\eta }_j^{\prime }}},$$

otherwise, outputs $\perp$. Finally, checks if $C_5^{\prime }={\mu }^{\widehat{H}(F)}{\nu }^{\widehat{H}(ck)}$, outputs $ck$, and decrypts the shared file $F$ further. Otherwise, outputs $\perp$.

Kim et al. [17] proved that $(M^{\prime },{\rho }^{\prime })$ is a valid access policy with respect to a LSSS scheme. Therefore $C{T}^{\prime }$ is a valid revoked ciphertext.

5. Scheme Analysis

5.1. Correctness Analysis

In $Decryp{t}_{or}$ algorithm:

$$\begin{array}{l}\hspace{1em}\hspace{1em}\frac{e(D,C_2)}{{({\mathsf{\Pi }}_{j\in Q}e(D_0,C_{3,j})·e(D_{\rho (j)},C_{4,j}))}^{{\eta }_j}}\\ =\frac{e(g^{\alpha }{g}^{sa},g^r)}{{({\mathsf{\Pi }}_{j\in Q}e(g^s,g^{a{\zeta }_j}{h}_{\rho (j)}^{-c_j})·e(h_{\rho (j)}^s,g^{c_j}))}^{{\eta }_j}}\\ =\frac{E^{\alpha r}·E^{sar}}{E^{sa·{\Sigma }_{j\in Q}{\zeta }_j{\eta }_j}}\\ =E^{\alpha r}\\ ck=C_1/E^{\alpha r}.\end{array}$$

5.2. Security Analysis

Theorem 1. 

Assuming that the decisional q-PBDHE assumption holds, then our RABE construction described above is semantic secure under chosen plaintext attack.

Proof. 

Assume a PPT adversary $\mathcal{A}$ exists with a non-negligible advantage to break the security for our RABE construction, so we construct a polynomial time simulator $\mathcal{S}$ using $\mathcal{A}$ to break the decisional q-PBDHE assumption.

• Init. $\mathcal{S}$ picks a bilinear map $e:G\times G\to G_T$, and $a,d_1,\cdots ,d_q,r\in Z_p$ randomly. $\mathcal{S}$ exposes:

  $$\begin{array}{c}\overrightarrow{y}=\{g,g^r,g^a,\cdots ,g^{a^q},g^a{}^{{}^{q+2}},\cdots ,g^a{}^{{}^{2q}},\\ {\forall }_{1\le i\le q}{g}^{r·d_i},g^{a/d_i},\cdots ,g^{a^q/d_i},g^{a^{q+2}/d_i},\cdots ,g^{a^{2q}/d_i}\\ {\forall }_{1\le i,l\le q,l\ne i}{g}^{a·r·d_l/d_i},\cdots ,g^{a^q·r·d_l/d_i}\}.\end{array}$$

  $\mathcal{S}$ randomly selects $\sigma \in \left\{0,1\right\}$, if $\sigma =0$, take $Z=E^{a^{q+1}r}$, let $T=\left(\overrightarrow{y},Z\right)$; if $\sigma =1$, take $Z\in G_T$ and let $T=\left(\overrightarrow{y},Z\right)$, $\mathcal{A}$ picks a challenge access policy $(M^{\ast }{}_{m^{\ast }\times n^{\ast }},{\rho }^{\ast })$ to $\mathcal{S}$.
• Setup. $\mathcal{S}$ picks ${\alpha }^{\prime }\in Z_p$ randomly, computes $E^{\alpha }=E^{a·a^q}·E^{{\alpha }^{\prime }}$. This implicitly sets $\alpha ={\alpha }^{\prime }+a^{q+1}$. $\mathcal{S}$ orchestrates group element $h_1,h_2,\cdots ,h_{\left|\mathrm{U}\right|}$ as follows: For attributes $1\le x\le \left|\mathrm{U}\right|$, $\mathcal{S}$ chooses a value $w_x$ at random, let $Y$ be the set of $j$ such that ${\rho }^{\ast }(j)=x$. $\mathcal{S}$ sets $h_x$ as

  $$h_x=g^{w_x}{\displaystyle \prod _{j\in Y}{\displaystyle \prod _{1\le k\le n^{\ast }}{g}^{\frac{a^k{M}_{j,k}^{\ast }}{d_j}}}}.$$

  Because of the randomness of $g^{w_x}$, $h_x$ is distributed randomly. If $Y=\varnothing$, then $h_x=g^{w_x}$. The simulator $\mathcal{S}$ chooses a hash function $\widehat{H}$ and $\mu ,v\in G$ randomly, returns the public parameters

  $$Param=\left\{G,G_T,e,g,g^a,\mu ,\nu ,\left\{h_x|1\le x\le \left|\mathrm{U}\right|\right\},g^b,E^{\alpha },\widehat{H}\right\}$$

  to $\mathcal{A}$.
• Private key query phase 1. $\mathcal{A}$ submits attribute set $\mathbb{S}$, where $\mathbb{S}$ does not satisfy $M^{\ast }{}_{m^{\ast }\times n^{\ast }}$. Simulator $\mathcal{S}$ chooses $t\in Z_p$ at random and finds the vector $\overrightarrow{\eta }=\left({\eta }_1,{\eta }_2,\cdots ,{\eta }_{n^{\ast }}\right)\in Z_p^{n\ast }$ such that ${\eta }_1=-1$. For $\left\{j:{\rho }^{\ast }(j)\in \mathbb{S}\right\}$, we have $\overrightarrow{\eta }·M_j^{\ast }=0$. $\mathcal{S}$ computes

  $$D_0=g^t{{\displaystyle \prod _{1\le j\le n^{\ast }}^{}\left(g^{a^{q+1-j}}\right)}}^{{\eta }_j}=g^s,$$

  thus, implicitly defining

  $$s=t+{\eta }_1{a}^q+{\eta }_2{a}^{q-1}+{\eta }_{n^{\ast }}{a}^{q-(n^{\ast }-1)}.$$

  By defining $s$ so that $g^{as}$ contains $g^{-a^{q+1}}$, the unknown term $g^{\alpha }$ can be eliminated when constructing $D$. $\mathcal{S}$ computes

  $$D=g^{{\alpha }^{\prime }}{g}^{at}{{\displaystyle \prod _{j=2}^{n^{\ast }}\left(g^{a^{q+2-j}}\right)}}^{{\eta }_j}.$$

  Now compute $D_x$ for $x\in \mathbb{S}$. If there is no $j$ that makes ${\rho }^{\ast }(j)=x$, then $D_x=D_0{}^{w_x}$; if there is multiple $j$ that makes ${\rho }^{\ast }(j)=x$, since $\mathcal{S}$ cannot simulate $g^{a^{q+1}/d_j}$, it is necessary to ensure that the expression for $D_x$ does not contain terms shaped like $g^{a^{q+1}/d_j}$. Because $\overrightarrow{\eta }·M_j^{\ast }=0$, everything in this form can be cancelled. Let $Y=\left\{j,{\rho }^{\ast }(j)=x\right\}$ and calculate

  $$D_x=D_0{}^{w_x}{{\displaystyle \prod _{j\in Y}{\displaystyle \prod _{i=1}^{n\ast }\left(g^{(a^i/d_j)t}{\displaystyle \prod _{\begin{array}{l}l=1,\cdots ,n\ast \\ l\ne i\end{array}}{(g^{a^{q+1+i-l}/d_j})}^{{\eta }_l}}\right)}}}^{M_{j,i}^{\ast }}.$$

  The simulator $\mathcal{S}$ returns $SK=\left\{D,D_0,D_x(\forall x\in \mathbb{S})\right\}$ to $\mathcal{A}$.
• Challenge. $\mathcal{A}$ selects two messages $F_0$ and $F_1$ of equal length. Simulator $\mathcal{S}$ chooses a coin $\theta \in \left\{0,1\right\}$ randomly and encrypts the file $F_{\theta }$ using the AES algorithm to generate the shared data ciphertext $CF=En{c}_{ck}(F_{\theta })$, where $ck$ is a symmetric key, then $C_1=ck·Z·e(g^r,g^{{\alpha }^{\prime }}),C_2=g^r$. $\mathcal{S}$ chooses

  $$\overrightarrow{u}=(r,ra+u_2^{\prime },r{a}^2+u_3^{\prime },\cdots ,r{a}^{n-1}+u_{n^{\ast }}^{\prime })\in Z_p^{n\ast },$$

  where $u_2^{\prime },\cdots ,u_{n^{\ast }}^{\prime }\in Z_p$ randomly, $r$ is the secret value to be shared. In addition, $\mathcal{S}$ chooses $t_1^{\prime },t_2^{\prime },\cdots ,t_m^{\prime }\in Z_p$, $C_5\in G$ at random, we define $R_j$ to be the set of all $l$ satisfying $l\ne j$ such that ${\rho }^{\ast }(j)={\rho }^{\ast }(l)$, $j=1,2,\cdots ,n^{\ast }$, compute

  $$\{\begin{array}{l}{C}_{3,j}=h_{{\rho }^{\ast }(j)}^{t_j^{\prime }}{\left(g^{d_j·r}\right)}^{-w_{{\rho }^{\ast }(j)}}\left({\displaystyle \prod _{2\le i\le n^{\ast }}^{}{\left(g^a\right)}^{M_{j,i}^{\ast }{y}_i^{\prime }}}\right)·\left({{\displaystyle \prod _{l\in R_j}{\displaystyle \prod _{1\le i\le n^{\ast }}^{}\left(g^{a^i·r·\left(d_j/d_l\right)}\right)}}}^{M_{l,i}^{\ast }}\right)\\ C_{4,j}=g^{-r{d}_j}{g}^{t_j^{\prime }}\end{array},$$

  $C=\left(C_1,C_2,C_{3,j},C_{4,j},C_5,j\in \left[1,m\right]\right)$. The simulator returns $CT=\left\{CF,C\right\}$ to $\mathcal{A}$.
• Private key query phase 2. Similar with the previous stage, $\mathcal{S}$ continues to answer $\mathcal{A}$’s query.
• Guess. $\mathcal{A}$ outputs guess ${\theta }^{\prime }\in \left\{0,1\right\}$ of $\theta$. $\mathcal{S}$ outputs ${\sigma }^{\prime }=0$ when ${\theta }^{\prime }=\theta$, it means $T\in {\mathbb{F}}_{q-PBDHE}$; $\mathcal{S}$ outputs ${\sigma }^{\prime }=1$ when ${\theta }^{\prime }\ne \theta$, it means $T\in {ℝ}_{q-PBDHE}$.
  When $\sigma =1$, $\mathcal{A}$ does not obtain any information from $\theta$, so $\mathrm{Pr}\left[{\theta }^{\prime }\ne \theta |\sigma =1\right]=\frac{1}{2}$.
  When ${\theta }^{\prime }\ne \theta$, $\mathcal{S}$ guesses ${\sigma }^{\prime }=1$, $\mathrm{Pr}\left[{\sigma }^{\prime }=\sigma |\sigma =1\right]=\frac{1}{2}$.
  When $\sigma =0$, $\mathcal{A}$ knows the ciphertext of $F_{\theta }$, because the advantage of $\mathcal{A}$ is $\epsilon$, $\mathrm{Pr}\left[{\theta }^{\prime }=\theta |\sigma =0\right]=\frac{1}{2}+\epsilon$. When ${\theta }^{\prime }=\theta$, $\mathcal{S}$ guesses ${\sigma }^{\prime }=0$, $\mathrm{Pr}\left[{\sigma }^{\prime }=\sigma |\sigma =0\right]=\frac{1}{2}+\epsilon$.
  The advantages of $\mathcal{S}$ obtained from the above are

  $$\frac{1}{2}\mathrm{Pr}\left[{\sigma }^{\prime }=\sigma |\sigma =0\right]-\frac{1}{2}\mathrm{Pr}\left[{\sigma }^{\prime }=\sigma |\sigma =1\right]=\frac{1}{2}\left(\frac{1}{2}+\epsilon \right)-\frac{1}{2}\times \frac{1}{2}=\frac{\epsilon }{2}.$$

  Therefore, Theorem 1 holds. □

Theorem 2. 

The proposed scheme supports data integrity under the DL assumption.

Proof. 

Assume a PPT adversary $\mathcal{A}$ exists with a non-negligible advantage to break the security for our RABE construction, so we can construct a polynomial time simulator $\mathcal{S}$ using $\mathcal{A}$ to break the DL assumption.

• Setup. $\mathcal{S}$ obtains a discrete logarithmic tuple $\left(G,G_T,p,g,g^{\phi }\right)$, and $\mathcal{S}$ attempts to compute the value $\phi$. $\mathcal{S}$ generates public parameters through the following steps. $\mathcal{S}$ sets a bilinear map $e:G\times G\to G_T$, selects $h_1,\cdots ,h_{\left|\mathrm{U}\right|}\in G$, $\alpha ,a,b,\gamma \in Z_p$, and computes $g^a,g^b$, $E^{\alpha }$, $\mu =g^{\phi },\nu =g^{\gamma }$. $\mathcal{S}$ picks hash function $\widehat{H}:G_T\to Z_p$ at random, and returns

  $$Param=\left(G,G_T,e,g,g^a,\mu ,\nu ,\left\{h_i|i=1,2,\cdots ,\left|\mathrm{U}\right|\right\},g^b,E^{\alpha },\widehat{H}\right)$$

  to adversary $\mathcal{A}$.
• Private key query phase 1. $\mathcal{S}$ selects an attribute set $\mathbb{S}$, and executes $KeyGen(MSK,Param,\mathbb{S})\to SK$ and returns $SK$ to $\mathcal{A}$.
• Challenge. $\mathcal{A}$ submits $F$ and a challenge access policy $(M,\rho )$ to $\mathcal{S}$. $\mathcal{S}$ execute $Encrypt(Param,F,(M_{m\times n},\rho ))$$\to CT=\left\{CF,C\right\}$, where $C_5={\mu }^{\widehat{H}(F)}{\nu }^{\widehat{H}(ck)}$, $CF=Enc(F,ck)$, $C=((M_{m\times n},\rho ),C_1,C_2,$ $C_{3,j},C_{4,j},C_5,j\in \left[1,m\right])$. $\mathcal{S}$ returns $CT$ to $\mathcal{A}$.
• Private key query phase 2. Similar to the previous stage, $\mathcal{S}$ continues to answer $\mathcal{A}$’s query.
• Output. $\mathcal{A}$ outputs a revoked ciphertext $C{T}^{\prime }=\left\{C{F}^{\prime },C^{\prime }\right\}$, where $C{F}^{\prime }=Enc(F^{\prime },c{k}^{\prime })$, $C^{\prime }=\left(({M^{\prime }}_{m^{\prime }\times n^{\prime }},{\rho }^{\prime }),C_1^{\prime },C_2^{\prime },C_{3,j}^{\prime },C_{4,j}^{\prime },C_5^{\prime },j\in \left[1,m^{\prime }\right]\right)$. $\mathcal{A}$ wins if $F^{\prime }\notin \left\{F,\perp \right\}$ and $C_5=C_5^{\prime }$.

If $\mathcal{A}$ wins, the simulator $\mathcal{S}$ selects the attribute set ${\mathbb{S}}^{\prime }$ that meets access policy $({M^{\prime }}_{m^{\prime }\times n^{\prime }},{\rho }^{\prime })$. $\mathcal{S}$ generates the private key $S{K}_{{\mathbb{S}}^{\prime }}$, decrypts the ciphertext $C{T}^{\prime }$ to get the symmetric key $c{k}^{\prime }$, and then gets the $F^{\prime }$. According to $C_5=C_5^{\prime }\iff {\nu }^{\widehat{H}(ck)}{\mu }^{\widehat{H}(F)}=$${\nu }^{\widehat{H}(c{k}^{\prime })}{\mu }^{\widehat{H}(F^{\prime })}$, $\mathcal{S}$ computes $\phi ·(\widehat{H}(F)-\widehat{H}(F^{\prime }))=\gamma ·(\widehat{H}(c{k}^{\prime })-\widehat{H}(ck))$. Since $F^{\prime }\notin \left\{F,\perp \right\}$, so that means $\widehat{H}\left(F\right)\ne \widehat{H}\left(F^{\prime }\right)$. Finally, the simulator $\mathcal{S}$ gets $\phi$.

Therefore, Theorem 2 holds. □

6. Performance Analysis

The performance of our scheme is analyzed in terms of functionality, computational cost, and experimental perspectives.

6.1. Functional Analysis

The functional analysis between our scheme and the schemes in [21,24,26] is shown in Table 2. None of the comparison schemes can simultaneously meet the three functional requirements listed in the table, that is, cannot simultaneously meet integrity, key escrow, and revocation. The scheme in this paper can simultaneously meet the above three functional requirements and adopts LSSS with strong expression ability as the access policy. Therefore, from the perspective of functionality, our scheme is more suitable for practical application.

Table 2. Functionality.

Scheme	Integrity	Key-Escrow Free	User Revocation	Access Policy
[21]	√	×	√	LSSS
[24]	×	√	×	LSSS
[26]	×	√	√	Tree
Ours	√	√	√	LSSS

6.2. Computation Analysis

In this section, we compare our scheme with other schemes in terms of calculated costs, as shown in Table 3. It can be seen from Table 3, in the key generation phase, the computational cost required by our scheme is consistent with that in [21,24], and lower than that of [26]. In the encryption stage, our scheme has more advantages than those in [21,24,26]. At the decryption stage, the computational cost of our scheme is consistent with reference [24] and lower than [21,26]. In the revocation phase, the calculation cost of our scheme is lower than that of [21], which is almost the same as that of [26]. In general, the approach in this paper has a low computing overhead, where $m$ represents the number of rows of the matrix in LSSS, $y$ represents the number of leaf nodes in the access tree, both $m$ and $y$ correspond to the number of attributes, so their meanings in Table 3 are the same.

Table 3. Calculations cost.

Scheme	Key Generation	Encryption	Decryption	Revocation
[21]	$(u+3)E_1$	$(6m+4)E_1+2E_T+2P$	$10E_T+10P$	$(12m+6)E_1+4E_T+4P$
[24]	$(u+3)E_1$	$(4m+1)E_1+E_T+P$	$5E_T+5P$	$—$
[26]	$(2u+8)E_1$	$(2y+4)E_1+2E_T+2P$	$8E_T+8P$	$(2y+4)E_1+2E_T+2P$
Ours	$(u+3)E_1$	$(3m+3)E_1+E_T+P$	$5E_T+5P$	$(6m+4)E_1+2E_T+2P$

In Table 3, $u$ represents the number of attributes for the user, $m$ represents the number of rows of the matrix in LSSS, $y$ represents the number of leaf nodes in the access tree, $E_1$ represents exponential operations in group $G$, $E_T$ represents exponential operations in group $G_T$, $P$ represents bilinear pair operation.

6.3. Experimental Analysis

In this section, in order to better evaluate the performance of our scheme, we conducted simulation experiments between our scheme and the scheme in reference [21] (abbreviated as RI-CP-ABE). The experimental environment configuration is as follows: AMD Ryzen 5 5600U with Radeon Graphics 2.30 GHz, 16.0 GB RAM, Windows 10 operating system. Our scheme used the IntelliJIDEA2018 tool, jPBC2.0 open-source encryption library, and we selected a Type A elliptic curve with group order bit length of 512 bits for the experiment, the expression is $y^2=x^3+x$. We used JAVA language for programming, and the LSSS access matrix is programmed in the form of a binary tree.

We conducted simulation experiments in the aspects of system establishment time, key generation time, encryption time, decryption time, revocation time, and decryption after revocation time. Since only scheme RI-CP-ABE has integrity, therefore, we compared our scheme with RI-CP-ABE. The specific algorithm of reference in RI-CP-ABE is shown in Appendix A. Because our computer runs with limited memory, the number of attributes in the access policy is set to 4, 8, 16, and 32 (the number of attributes in the system). The experiment was conducted 100 times in total, and the average value of the experimental results of 100 times was taken as the final result of this experiment to ensure the accuracy of the experiment.

The time cost of system setup is shown in Figure 3, indicating that the calculation cost of the method in this article is basically the same as that described in the literature RI-CP-ABE. The system key generation time overhead is illustrated in Figure 4. The results of experimental simulations demonstrate that the calculation cost in our scheme is more than that of the literature in RI-CP-ABE. Because we introduced the 2PC protocol to solve the key escrow issue, which guards against the misuse of users’ private keys, it is more useful in real-world applications. The figure shows that the time growth rates of the two systems are nearly equal as the number of attributes increases. Furthermore, the key is generated only once, and the impact on the overall system efficiency can be ignored.

Figure 3. Setup time when the number of attributes increases [21].

Figure 4. Key generation time when the number of attributes increases [21].

The system encryption time and the initial decryption time overhead are shown in Figure 5 and Figure 6. The figures demonstrate that compared to the technique in RI-CP-ABE, ours takes much less encryption and decryption time. Therefore, our scheme significantly reduces the computing burden on users.

Figure 5. Encryption time when the number of attributes increases [21].

Figure 6. Original decryption time when the number of attributes increases [21].

The system revocation time and the decryption time after the user is revoked overhead are illustrated in Figure 7 and Figure 8, respectively. Our scheme requires less time calculation in the user revocation stage and the decryption step than RI-CP-ABE. As a result, our scheme has higher efficiency in practical applications.

Figure 7. Revocation time when the number of attributes increases [21].

Figure 8. Decryption time after revoking user when the number of attributes increases [21].

7. Conclusions and Prospect

In this article, we construct an efficient RABE scheme that supports data integrity and solves the key escrow problem. User revocation is achieved using the ciphertext delegation algorithm, and the user can check whether the plaintext corresponding to the new ciphertext is the same as the original plaintext. Compared with the previous scheme with integrity verification, our scheme is more efficient. In addition, we introduced an attribute authority, and the key authority and attribute authority jointly generate private keys for users, which solve the key escrow issue effectively. Finally, the safety of the scheme is proved under the standard model and we give a performance analysis of our scheme. The scheme in this paper only supports the integrity verification under user revocation. Our next research will address the question of how to support the integrity verification under attribute revocation.