An Attribute-Based Proxy Re-Encryption Scheme Supporting Revocable Access Control

Abstract

In the deep integration process between digital infrastructure and new economic forms, structural imbalance between the evolution rate of cloud storage technology and the growth rate of data-sharing demands has caused systemic security vulnerabilities such as blurred data sovereignty boundaries and nonlinear surges in privacy leakage risks. Existing academic research indicates current proxy re-encryption schemes remain insufficient for cloud access control scenarios characterized by diversified user requirements and personalized permission management, thus failing to fulfill the security needs of emerging computing paradigms. To resolve these issues, a revocable attribute-based proxy re-encryption scheme supporting policy-hiding is proposed. Data owners encrypt data and upload it to the blockchain while concealing attribute values within attribute-based encryption access policies, effectively preventing sensitive information leaks and achieving fine-grained secure data sharing. Simultaneously, proxy re-encryption technology enables verifiable outsourcing of complex computations. Furthermore, the SM3 (SM3 Cryptographic Hash Algorithm) hash function is embedded in user private key generation, and key updates are executed using fresh random factors to revoke malicious users. Ultimately, the scheme proves indistinguishability under chosen-plaintext attacks for specific access structures in the standard model. Experimental simulations confirm that compared with existing schemes, this solution delivers higher execution efficiency in both encryption/decryption and revocation phases.

1. Introduction

As information technology becomes deeply integrated into all sectors of society, digital platforms and network connectivity have evolved into unremovable components of modern life. Cloud computing has extended its reach to critical domains such as healthcare, education and training, and transportation, delivering substantial efficiency gains across society.The swift advancement of cloud computing technology has fueled industrial demand for enhanced computational capabilities, streamlined workflows, and strict cost governance. This trend drives massive data migration to cloud infrastructures. However, this shift creates security vulnerabilities stemming from data sovereignty transfer. When data custody moves from enclosed on-premises environments to third-party platforms, security threat models undergo radical transformation. In response, academia and industry focus on pioneering cryptographic access control mechanisms. Critical approaches include the following: Granular authorization via functional encryption for precise data-access policies. Dynamic privilege management through proxy re-encryption enabling real-time permission updates without data decryption. Distributed trust frameworks using access control encryption ensuring multi-stakeholder consensus in cross-domain verification.

Proxy re-encryption (PRE) [1] overcomes limitations of traditional functional encryption in dynamic authority management by securely delegating ciphertext access rights through semi-trusted proxies. This process maintains zero-knowledge keys and end-to-end confidentiality while supporting fine-grained temporary authorization and cross-domain collaboration. Although evolving multi-hop and bidirectional features enhance flexibility, their associated risks render unidirectional single-hop schemes preferable [2]. Traditional “one-to-one” modes [3,4] are superseded by attribute-based PRE (AB-PRE), significantly optimizing one-to-many authorization efficiency and dynamic privacy protection in cloud environments. Conditional proxy re-encryption (CPRE) addresses heterogeneous scenarios by implementing predicate-bound, fine-grained transfer authorization through conditional triggers. Responding to deficiencies in CPA security models, the Honest Re-encryption Attack (HRA) security model was proposed, driving advances in attribute-based HRA schemes, threshold proxy mechanisms, and key privacy protection solutions. Current challenges focus on integrating attribute-based/identity-based mechanisms for dynamic access control, which requires blockchain integration to support real-time policy updates with on-chain verification while systematically mitigating sensitive information leakage risks in permission validation via attribute obfuscation, differential privacy, and secure multi-party computation.

Proxy re-encryption (PRE) technology in cloud environments demonstrates significant advantages in fine-grained permission management by combining identity-based and attribute-based encryption. However, when confronting dynamic access control requirements—such as real-time responses to user behavior characteristics, authentication states, and environmental variables—existing blockchain-based PRE solutions exhibit deficiencies in dynamic policy updating and on-chain verification. This necessitates mechanisms supporting real-time adjustment of access policies. Consequently, privacy protection mechanisms must be integrated during access control processes. These should systematically mitigate sensitive information leakage risks during permission verification through cryptographic techniques, including differential privacy and secure multi-party computation.

This paper addresses uncontrolled proxy authority boundaries in cross-domain ciphertext sharing scenarios by constructing an attribute-conditional functional proxy re-encryption scheme based on broadcast conditional proxy re-encryption. Targeting inherent limitations of traditional identity-based access models in fine-grained permission allocation and multi-dimensional attribute adaptation, we propose an attribute-based access control functional proxy re-encryption scheme. This framework allows access policies to be defined according to multiple user attributes, providing flexible authorization that triggers decryption only when user attributes fully satisfy access policies. A formal security verification framework supports the scheme’s security argumentation. Theoretical derivations and experimental results demonstrate precise constraints on proxy key conversion privileges and receiver decryption permissions.

To achieve secure data sharing, this paper proposes an Attribute-Based Revocable Access Control Function Proxy Re-Encryption scheme. The contributions are as follows:

(1)

The scheme uses attribute-based encryption to achieve fine-grained data access control. Each user attribute consists of an attribute name index and attribute value. By hiding attribute values and not transmitting them with ciphertext, access policy hiding is achieved to protect sensitive user information.

(2)

The scheme combines attribute-based encryption and proxy re-encryption, achieving fine-grained one-to-many encryption and secure ciphertext conversion. This resolves the limitations of immutable access policies and low decryption efficiency in attribute-based encryption. Verification algorithms are incorporated during the re-encryption phase to ensure ciphertext verifiability.

(3)

When revoking a user in this scheme, a private key is generated for the user using the SM3 hash function, and a random factor corresponding to the new version number is generated. The revocation of malicious user access permissions is completed when updating the keys of unreleased users.

(4)

The scheme resists collusion attacks from semi-trusted third parties and users. Security-wise, based on the decisional q-parallel Bilinear Diffie-Hellman hardness assumption, the scheme is proven to satisfy indistinguishability under chosen-plaintext attacks for specific access structures in the standard model. Performance analysis shows higher efficiency in encryption/decryption, revocation, and file download phases.

2. Related Work

Matt Blaze et al. first proposed the concept of Proxy Re-Encryption (PRE) in 1998 [1]. In the PRE cryptosystem, a semi-trusted proxy can convert ciphertext encrypted by the message owner into ciphertext decryptable by users without leaking information. However, it still has limitations in secure information sharing, failing to consider sensitive information protection and fine-grained access control of data.

To meet the requirements of multi-user scenarios, identity-based broadcast proxy re-encryption (IB-BPRE) is proposed. A data owner can generate a re-encryption key for an authorized user set, and the proxy uses this key to transform the data owner’s ciphertext into a re-encrypted ciphertext under the identity set of authorized users. Only users belonging to the authorized set can successfully decrypt this ciphertext to obtain the data; even if other users collude, they cannot access the content within the ciphertext [5]. The availability of PRE relies on the proxy honestly performing re-encryption operations. However, in practice, the proxy may generate incorrect re-encrypted ciphertexts to save local storage space and computational resources. To address the issue of untrusted proxies returning erroneous ciphertexts, Ohata et al. [6] introduced the concept of re-encryption verifiability, proposing a verifiable proxy re-encryption scheme to achieve correctness verification of re-encrypted ciphertexts. However, the verification phase in this scheme requires joint participation of the data owner and authorized users, leading to wastage of computational and communication resources. Additionally, it fails to resolve situations where the proxy is maliciously held accountable despite honestly converting ciphertexts. To tackle this problem, Ge et al. [7] introduced the concept of fairness based on verifiability, proposing a verifiable and fair attribute-based PRE scheme. This scheme utilizes the commitment concept, generating additional commitments for data and random numbers in the initial ciphertext through message-locked encryption technology to ensure re-encryption verifiability and fairness. Building on the ideas from [7], Sun et al. [8] and Jing et al. [9] proposed verifiable and fair schemes. However, in the correctness verification of re-encrypted ciphertexts in schemes [7,8,9], transmitting the original ciphertext and re-encryption key incurs additional communication overhead and risks leakage of the re-encryption key; moreover, if the proxy provides incorrect original ciphertexts or re-encryption keys, the scheme fails to satisfy verifiability. Furthermore, generating additional commitments during ciphertext generation increases computational costs.

Although the aforementioned schemes satisfy multi-user scenarios and verify re-encrypted ciphertexts, they also introduce additional computational overhead. In Attribute-based Proxy Re-Encryption (ABPRE) [10], a semi-trusted proxy server can convert ciphertext to generate new ciphertext, thereby solving problems such as immutable access policies, single data-sharing modes, and low efficiency in attribute-based encryption. Li et al. [11] proposed an ABPRE blockchain data-sharing scheme supporting policy hiding, achieving the distributed storage of ciphertext on the blockchain. Cui et al. [12] proposed an ABPRE scheme with partially hidden policies in 2018, implementing partial policy hiding in prime-order groups. In 2019, Feng et al. [13] proposed a CP-ABPRE scheme supporting outsourced computation in the cloud, which not only resists collusion attacks but also reduces user computational overhead through outsourced data computation. Zhai et al. [14] proposed a blockchain-based ABPRE data-sharing scheme using a dual-chain structure (ciphertext chain and index chain), achieving secure data storage and user decryption authorization. Subsequently, Liu et al. [10] proposed a multi-authority CP-ABE combined with PRE scheme for cloud storage; the proposed multi-authority CP-ABPRE scheme has five characteristics: unidirectionality, controllability, verifiability, non-interactivity, and repeatability. However, while these schemes achieve fine-grained data sharing, they cannot revoke malicious users. Yang et al. [15] proposed a dynamically updatable ABPRE scheme in the cloud in 2022, which revokes malicious users by updating user sets and attributes. Nevertheless, PRE consumes significant resources during ciphertext conversion, and malicious proxies may generate incorrect re-encrypted ciphertext during re-encryption operations, failing to achieve ciphertext verifiability in data sharing. To address this, Ge et al. proposed a Verifiable and Fair VF-ABPRE scheme, which not only achieves ciphertext verifiability but also ensures transaction fairness between users and cloud servers. Subsequently, they further proposed [16,17] an ABPRE-DR scheme with direct revocation mechanism, empowering cloud servers to directly revoke users from the original sharing set, significantly improving revocation efficiency.Furthermore, Yu et al. [18] introduced Chameleon Hash Functions into blockchain to update user attributes, thereby achieving user revocation and fine-grained access control. In Guo et al.’s [19] scheme, Chameleon Hash Functions are leveraged to generate user private keys without the need for key distribution, enabling the revocation of malicious users through updates to the attribute set and keys. Yan et al. [17] employed Chameleon Hash Functions to generate private keys for users; by updating the keys of non-revoked users, they completed the revocation of access permissions for malicious users. Currently, proposed revocable ABPRE schemes exhibit significant advantages but face security risks in practical applications, such as malicious insiders, key leakage, and collusion attacks, and suffer from issues such as sender repudiation and receiver framing. Particularly when revoked users collude, they combine attributes to attempt to satisfy updated access structures. Moreover, if revoked keys inadvertently leak information about non-revoked keys, the revocation becomes invalid.

Simultaneously, revocation mechanisms demonstrate broad applicability and critical importance, serving scenarios such as facial recognition template update protection, dynamic access control in vehicular networks, and malicious user key revocation in cloud computing. Zhang et al. [20] proposed an Identity-Based Broadcast Proxy Re-Encryption (IB-BPRE) scheme for data sharing in Vehicular Ad-hoc Networks (VANETs). Through pseudo-identity dynamic updates, Lagrange interpolation polynomial re-encryption, and constant-overhead decryption mechanisms, it resolved challenges including high encryption burdens for multi-receiver dynamic groups, historical data access difficulties for new members, and vehicle privacy leakage. However, it lacks expressive power for attribute-based complex policies, and its revocation targets entire identities/pseudo-identities rather than specific access permission attributes. Luo et al. [21] addressed key security vulnerabilities and insufficient template integrity in prior schemes by introducing a Chaos-based Index-of-Minimum (C-IoM) hashing scheme with chaotic random seed generation algorithms and sliding window selection mechanisms. Nevertheless, their authorization lacks complex user/environment-based attribute policies, hindering extension to fine-grained permission revocation in data sharing. Dai et al. [22] devised an LWE-based publicly traceable and revocable proxy re-encryption scheme integrating inner-product functional proxy re-encryption with dynamic vector revocation mechanisms. This tackled issues including piracy decryption risks from key abuse in traditional proxy re-encryption and inefficient user permission revocation. Yet it remains constrained by bounded user limitations and requires support for unbounded identity management. Consequently, for fine-grained attribute-specific data sharing in dynamic environments (e.g., cloud computing, IoT) and real-time revocation of user permissions meeting specific attribute conditions, Attribute-Based Revocable Proxy Re-Encryption (AB-RPRE) schemes incorporating Attribute-Based Encryption (ABE) principles emerge as the optimal choice. They deeply integrate user attributes, data access policies, and efficient proxy re-encryption capabilities, enabling flexible fine-grained access control while precisely and efficiently revoking decryption permissions for users with designated attributes. This overcomes traditional schemes’ limitations in policy expression and revocation precision.

In summary, existing schemes exhibit respective strengths in data sharing. While generally supporting unidirectionality, non-interactivity, and controllability, they show deficiencies in malicious user revocation, sensitive information protection, and fine-grained permission management. Within practical large-scale deployments, computational overhead and fine-grained access control limitations constrain their applicability. Against this backdrop, Attribute-Based Revocable Proxy Re-Encryption schemes offer superior solutions for enhanced security revocation and fine-grained access control.

3. Preliminaries

3.1. Elliptic Curve Discrete Logarithm Problem (ECDLP)

Elliptic Curve Cryptography (ECC) is built upon a public-key cryptosystem based on elliptic curves over finite fields. The elliptic curve $E\left(F_p\right)$ defined over the finite field $F_p$ is given by the following equation: $y^2=x^3+ax+b$, where $(4a^3+27b^2)modp\ne 0$. The group G consists of points on the elliptic curve and the point at infinity O. Let $Q_1=(x_1,y_1)$ and $Q_2=(x_2,y_2)$ be points on $E\left(F_p\right)$. The group operations are defined as follows: (1) $O+Q_1=Q_1+O$; (2) $-Q_1=(x_1,-y_1)$; (3) $k{Q}_1=\underset{\underset{k\mathrm{times}}{︸}}{Q_1+Q_1+\dots +Q_1}$; (4) If $Q_3=(x_3,y_3)\in G$ such that $Q_3=Q_1+Q_2$, then $x_3={\lambda }^2-x_1-x_2$ and $y_3=\lambda (x_1-x_2)-y_1$, where

$$\lambda =\left\{\begin{array}{cc}{\displaystyle \frac{3x_1^2+a}{2y_1}}\hfill & \mathrm{if}{x}_1=x_2\hfill \\ {\displaystyle \frac{y_2-y_1}{x_2-x_1}}\hfill & \mathrm{otherwise}.\hfill \end{array}\right.$$

(1)

Definition 1.

(Elliptic Curve Discrete Logarithm Problem (ECDLP)) Let E be an elliptic curve defined over a finite field $F_p$. Given a base point $P\in E\left(F_p\right)$ and its scalar multiple $Q\in E\left(F_p\right)$, if there exists a non-trivial integer $k\in {\mathbb{Z}}_q^{*}$ satisfying $Q=\left[k\right]P$, solve for the integer k.

Under the hardness assumption of ECDLP, for any probabilistic polynomial-time algorithm $\mathcal{A}$, its success probability in solving for $k\in {\mathbb{Z}}_q^{*}$ is a negligible function $ϵ\left(\lambda \right)$. That is, for all sufficiently large security parameters $\lambda$, $ϵ\left(\lambda \right)\le {\displaystyle \frac{1}{p\left(\lambda \right)}}$ holds, where $p(·)$ is any polynomial function. This implies that $\mathcal{A}$ cannot break ECDLP with non-negligible advantage in polynomial time.

3.2. Provable Security

The theory of provable security played a crucial role in cryptography, providing a theoretical foundation for designing and analyzing encryption algorithms and protocols with robust security. This ensured that cryptographic designs were endowed with rigorous security guarantees, susceptibility to attacks was reduced, trust in security was enhanced, and the advancement of cryptographic technology was promoted. The provable security of cryptographic schemes generally involved the following components: First, formal definitions of the security objectives of the scheme were established. Second, adversarial models were constructed based on the attacker’s capabilities. Subsequently, the security of the scheme was formally defined, that is, its resistance against specified adversarial goals. Finally, reduction theory was employed to demonstrate the security of the cryptographic scheme within the defined security model. The fundamental concept utilized a proof-by-contradiction approach, reducing the security of the cryptographic scheme to a computational problem believed to be infeasible to solve within polynomial time. However, it is widely acknowledged that such difficult problems are unsolvable within polynomial time; consequently, no adversary $\mathcal{A}$ capable of breaking the cryptographic scheme within polynomial time could exist. A critically important concept here is indistinguishability, which is commonly used to characterize the security of cryptographic schemes under certain adversarial models. Specifically, indistinguishability defines the adversary’s inability to differentiate between two distinct scenarios, formally defined as follows:

Definition 2.

(Indistinguishability) For any algorithm $\mathcal{B}$ (called a distinguisher) that could interact with system X or system Y and produce a binary output (0 or 1), its distinguishing advantage under the security parameter λ satisfied (2)

$$\left|Pr\left[\mathcal{B}\left(X_{\lambda }\right)=1\right]-Pr\left[\mathcal{B}\left(Y_{\lambda }\right)=1\right]\right|\le negl\left(\lambda \right)$$

(2)

If the above condition was satisfied, systems X and Y were said to be (computationally) indistinguishable. Here, $negl\left(\lambda \right)$ represented a negligible function, asymptotically smaller than any inverse polynomial function.

Within provable security theory, two prevalent models are frequently employed: the random oracle model and the standard model. The random oracle model, an idealized, completely random, and unpredictable function, offered a simplified means of introducing randomness and streamlined the security analysis, facilitating easier design and assessment of cryptographic algorithms or protocols. The standard model, conversely, operated without reliance on an idealized random oracle and was considered more realistic. Consequently, security proofs achieved in this model were generally regarded as more rigorous and trustworthy. However, establishing such proofs within the standard model often presented greater difficulty and potentially necessitated more sophisticated techniques and methodologies.

Through provable security theory, strict mathematical proofs could be constructed, ensuring that designed cryptographic schemes satisfied specified security properties under defined adversarial models. This furnished cryptography research and practice with a powerful toolkit and methodology, supporting the design and analysis of increasingly secure and reliable encryption algorithms and protocols.

3.3. Formal Definition of Access Control Function Proxy Re-Encryption

The formal definition of the ACFPRE scheme is as follows: Let the key space $K=(pk,sk,rk)$ comprise public keys, private keys, and re-encryption keys, where an empty key $o\in K$ existed. The plaintext space X and the functional space $\mathcal{F}:K\times X\to {\{0,1\}}^{*}$ constituted the input and output domains of the algorithms. The scheme was composed of the following six probabilistic polynomial-time (PPT) algorithms:

• Setup$\left(1^{\lambda }\right)\to (pp,Msk)$: The system was initialized. The parameter $\lambda$ was accepted. Public parameters $pp$ were generated. The master secret key $msk$ was retained.
• KeyGen$(Msk,k)\to (pk,sk)$: Keys were generated. Public-private key pairs $p{k}_i$, $p{k}_j$, $s{k}_i$, $s{k}_j$ were generated.
• Encrypt$(pk,x)\to C$: The encryption algorithm was executed. The ciphertext $C\to Enc(p{k}_i,x)$ was output.
• ReKeyGen$(sk,pk,f^{\prime })\to rk$: The re-encryption key was generated. The data owner’s private key $s{k}_i$ and public key $pk$ were utilized. A re-encryption key $rk$ with the embedded function $f^{\prime }$ was generated.
• ReEncrypt$(C,rk)\to C^{\prime }$: The re-encryption algorithm was executed. The proxy employed the re-encryption key $rk$. The ciphertext C was re-encrypted into a new ciphertext $C^{\prime }$.
• Decrypt$(C^{\prime },s{k}_j)\to \mathcal{F}(k,x)$: The decryption algorithm was executed. The data user’s private key $s{k}_j$ was utilized to decrypt the ciphertext $C^{\prime }$. The functional output value $\mathcal{F}(k,x)$ was obtained.

Decryption Correctness: For any valid ciphertext C, re-encryption key $rk$, and user private key $s{k}_j$, with respect to the data user, if Equation (3) held, then the ACFPRE scheme was said to be correct.

$$Pr[Decrypt(ReEncrypt(C,rk),s{k}_j)=\mathcal{F}(k,x)]\ge 1-negl\left(\lambda \right)$$

(3)

3.4. Security Model for Access Control Function Proxy Re-Encryption

For the security model of Access Control Function Proxy Re-Encryption (ACFPRE), the game-based CPA security definition is provided below. It must be noted that before the game commenced, the adversary $\mathcal{A}$’s selection of messages $m_0$ and $m_1$ had to be restricted such that Equation (4) was satisfied. This ensured that messages $m_0$ and $m_1$ were of equal length, $|m_0|=|m_1|$.

$$\mathcal{F}(k,m_0)=\mathcal{F}(k,m_1)$$

(4)

• Initialization: The challenger $\mathcal{C}$ executed Setup$\left(1^{\lambda }\right)\to (pp,msk)$.
• Phase 1: The adversary $\mathcal{A}$ initiated queries to the challenger $\mathcal{C}$.
• KeyGen$(msk,k)\to (pk,sk)$ was executed. The private key query set ${\mathcal{Q}}_{sk}:=\varnothing$ was initialized. The re-encryption key query set ${\mathcal{Q}}_{rk}:=\varnothing$ was initialized. The challenge user $i^{*}:=\perp ,i\in \left[n\right]$ was recorded.
• Phase 2: The adversary $\mathcal{A}$ could repeatedly perform operations from Phase 1.
• Challenge: The adversary $\mathcal{A}$ initiated a challenge to the challenger $\mathcal{C}$.
  ${\mathcal{A}}^{{\mathcal{O}}_{sk}(·),{\mathcal{O}}_{rk}(·,·,·)}(pp,{\left\{p{k}_i\right\}}_{i\in \left[n\right]})\to (i^{*},m_0,m_1,st)$ was executed. $\{0,1\}\to \beta$ was selected.
• Encrypt$(p{k}_{i^{*}},m_{\beta })\to C^{*}$ was executed.
• Guess: The adversary $\mathcal{A}$ output a guess ${\beta }^{\prime }$ for $\beta$.
  ${\mathcal{A}}^{{\mathcal{O}}_{sk}(·),{\mathcal{O}}_{rk}(·,·,·)}(st,C^{*})\to {\beta }^{\prime }$ was executed. If ${\beta }^{\prime }=\beta$, 1 was returned; otherwise, 0 was returned.
  ${\mathcal{O}}_{sk}\left(i\right)$: If $(i=i^{*})$ or $((i^{*},i)\in {\mathcal{Q}}_{rk})$, ⊥ was output.
  ${\mathcal{Q}}_{sk}:={\mathcal{Q}}_{sk}\cup \left\{i\right\}$ was updated. The private key $s{k}_i$ was output.
  ${\mathcal{O}}_{rk}(i,j,f^{\prime })$: If $(i=i^{*})$ and $(j\in {\mathcal{Q}}_{sk})$, ⊥ was output.
  ${\mathcal{Q}}_{rk}:={\mathcal{Q}}_{rk}\cup \left\{(i,j)\right\}$ was updated. The re-encryption key $rk$ was output.

4. Scheme Design

In this section, an attribute-based access control proxy re-encryption scheme was proposed, and its security proof was provided.

4.1. System Architecture

Figure 1 illustrates the overall framework of the scheme, comprising five core components: Data Owner, Distributed Ledger System, Trusted Authority, Edge Nodes, and Data User: (1) Data Owner: The data owner performs multi-layer encryption operations. It encrypts data and hosts it on the distributed ledger system. It simultaneously constructs proxy re-encryption keys and broadcasts them to the blockchain network. (2) Distributed Ledger System: Provides distributed storage services using Merkle–Patricia tree structures for verifiable storage of data fingerprint chains. Records storage information of ciphertext resources and maintains data provenance chains through smart contract mechanisms. Periodically executes full-node consensus verification for data integrity validation modules to ensure immutability of storage replicas. (3) Trusted Authority: Manages the full lifecycle of keys and can perform revocation operations on users. (4) Edge Nodes: Responsible for storing ciphertext and performing re-encryption computations. (5) Data User: Obtains ciphertext from edge nodes and performs verification operations. If verification passes, decrypts the ciphertext to recover the key, then locates and retrieves the original ciphertext via blockchain; terminates access if anomalies are detected.

4.2. Attribute-Based Access Control Function Proxy Re-Encryption Definition

An attribute-based access control function proxy re-encryption scheme consists of seven PPT algorithms as shown in Figure 2: System Initialization, Encryption Key Generation, Encryption Algorithm, Re-encryption Key Generation, Re-encryption Algorithm, Decryption Algorithm, and Revocation Algorithm.

(1) In the Encryption Algorithm Encrypt($Par,\left(\left(A,\rho \right),T\right),M$), the ciphertext is associated with the access structure $\left(\left(A,\rho \right),T\right)$; hence, this is an ACFPRE scheme. (2) Correctness: If the data owner satisfies the access policy $\left(\left(A^{\prime },{\rho }^{\prime }\right),T^{\prime }\right)$, they satisfy Equation (5).

$$\sum _{i\in I}{\theta }_i{\lambda }_i^{\prime }=\sum _{i\in I}{\theta }_i{A}_i^{\prime }\mu =r$$

(5)

4.3. Security Model for Attribute-Based Access Control Function Proxy Re-Encryption

The interactive attack experiment $Ex{p}_{A-ACFPRE,\mathcal{A}}^{SEL-HRA}$ involves two entities: (1) The adversary $\mathcal{A}$ possesses probabilistic polynomial-time (PPT) computational capability and can adaptively initiate oracle queries such as key generation (KeyGen), re-encryption key generation (ReKeyGen), re-encryption (ReEnc), and decryption (Dec), aiming to compromise the scheme’s chosen-ciphertext security (SEL-HRA). (2) The challenger $\mathcal{C}$ simulates the cryptographic system logic, initializes public parameters, maintains key states, and responds to the adversary’s queries according to security rules. Its core task is to construct a reduction proof based on the adversary’s attack behavior, anchoring the scheme’s security to fundamental mathematical problems. Details are illustrated in Figure 3.

Definition 3.

Formal Definition of Security Advantage: In the indistinguishability SEL-HRA (Selective Honest Re-encryption Attack) security experiment, the adversary $\mathcal{A}$ participates in the final decision by outputting a guess ${\xi }^{\prime }\in \{0,1\}$. If and only if ${\xi }^{\prime }=\xi$, the challenger $\mathcal{C}$ outputs decision result 1, indicating $\mathcal{A}$ successfully breaks the scheme; otherwise it outputs 0. The computational advantage of the adversary is defined as follows:

$${Adv}_{\mathcal{A}}^{\mathrm{SEL}-\mathrm{HRA}}\left(\lambda \right)=\left|Pr\left[{\xi }^{\prime }=\xi \right]-{\displaystyle \frac{1}{2}}\right|$$

(6)

where λ is the security parameter, and U denotes the set of oracles accessible to the adversary. If for any probabilistic polynomial-time (PPT) adversary $\mathcal{A}$, its advantage satisfies ${Adv}_{\mathcal{A}}^{SEL-HRA}\left(\lambda \right)\le negl\left(\lambda \right)$ ($\mathsf{negl}(·)$ is a negligible function), then the ACFPRE scheme can be proven to possess adaptive security under the SEL-HRA model. This definition strictly characterizes the scheme’s resistance to key leakage and re-encryption attacks by quantifying the deviation of the adversary’s guess from randomness.

4.4. Scheme Process

The data-sharing scheme is divided into five stages, as shown in the Figure 4.

4.5. Scheme Description

• System Setup Algorithm. Setup$\left(1^{\lambda }\right)$: $\lambda$ represented the system security parameter. Bilinear group parameters were generated: Bilinear groups $\mathbb{G}=\left({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,e\right)$ of large prime order p were selected, where $e:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$ constituted a computable bilinear map. Generators $g\in {\mathbb{G}}_1,h\in {\mathbb{G}}_2$ were chosen. For the universal attribute set U, for each attribute $t\in U$, $d_t\leftarrow {\mathbb{Z}}_p^{*}$ was randomly selected, and the attribute public key component $D_t=g^{d_t}\in {\mathbb{G}}_1$ was computed. The master secret key $\alpha \leftarrow {\mathbb{Z}}_p^{*}$ was randomly selected, and the master public key $g_0=g^{\alpha }\in {\mathbb{G}}_1$ was computed. An encoding function $E:{\mathbb{G}}_1\to {\mathbb{G}}_T$ was defined for ciphertext conversion. The public parameters included collision-resistant hash functions $H:{\{0,1\}}^{*}\to G$, $H_1:G_T\to Z_p^{*}$, and a discrete logarithm-based trapdoor hash function $\mathcal{H}$. The trusted authority published the system parameters $Par=〈p,G,G_T,g,g_0,e(g,g),D_i,H,H_1,\mathcal{H}〉$, while the master secret key $Msk=<g^{\alpha }>$ was securely stored.
• Key Generation Algorithm. KeyGen$(Par,ID,Msk,V_{ID})$: The data owner’s attribute set was defined as $S=\left\{S_1,S_2,\dots ,S_n\right\}\subseteq U$, where each attribute $S_t=\left(I_{S_t},V_{S_t}\right)$ consisted of an index set $I_{S_t}$ and a value set $V_{S_t}$. The trusted authority executed the following: secret parameters $\beta ,\alpha ,b\leftarrow {\mathbb{Z}}_p^{*}$ and a version control factor $C_{V_{ID}}\leftarrow {\mathbb{Z}}_p^{*}$ were randomly selected. A trapdoor key was generated by combining the user identifier ID and key version number $V_{ID}$:

  $$Q_{\mathrm{ID}}=\mathcal{H}{\left(\mathrm{ID}\right)}^b\in {\mathbb{G}}_1$$

  (7)

  where $\mathcal{H}:{\{0,1\}}^{*}\to {\mathbb{G}}_1$ represented a cryptographic hash function. Bilinear pairing parameters were computed as follows:

  $$P{K}_1=e{(g,g)}^{\alpha }\in {\mathbb{G}}_T,P{K}_2=g^{\beta }\in {\mathbb{G}}_1$$

  (8)
  For each attribute index $i\in I_S$, the following was generated as follows:

  $$P{K}_{\mathrm{D},i}={\left(\mathcal{H}{\left(\mathrm{ID}\right)}^{d_i}\right)}^{C_{V_{ID}}}\in {\mathbb{G}}_1$$

  (9)
  Based on the attribute verification tuple $(S,Ver,F)$, where $V_{ID}$ denoted the version identifier and $F=\left(g^{\beta },e\left(g^{{\beta }^b},\mathcal{H}\left(\mathrm{ID}\right)\right)\right)$, the user private key component was computed as follows:

  $$S{K}_i=\mathcal{H}(\mathrm{ID},S,Ver,F)={\left(g^{\beta }\right)}^{\alpha }·{\left(\mathcal{H}{\left(V_S\right)}^{d_i}\right)}^{C_{Ver}}\in {\mathbb{G}}_1$$

  (10)
  This process ensured dynamic binding between the private key and attribute values, supporting key revocation and update mechanisms based on version numbers.
• Encryption Algorithm. Encrypt$(P{K}_{ID},file)$ or Encrypt$(Par,((A,\rho ),T),M)$: For the original message $file$, the data owner utilized the $SM4$ key $P{K}_{ID}$ for encryption, obtaining the initial ciphertext $IC={\mathrm{Encrypt}}_{SM4}\left(file\right)$. For the critical message $M=<k,has{h}_{\mathrm{path}}>$, the data owner selected the corresponding access structure $\left(\right(A,\rho ),T)$ to encrypt M. Subsequently, the data owner randomly selected a vector $\mu ={\left(r,v_2,v_3,\dots ,v_n\right)}^T$, where $r\in Z_p^{*}$ represented the secret value to be shared, and $\left\{v_2,v_3,\dots ,v_n\right\}\in {\left(Z_p^{*}\right)}^{n-1}$ were random numbers used to conceal r. The value ${\lambda }_t=A_t\mu$ was computed. The data owner selected ${\lambda }^{\prime }\in Z_p^{*}$, then computed the initial ciphertext components: $C=M·e{(g,g)}^{\alpha r}$, $C_0=g^{H_1\left(e{(g,g)}^{\alpha r}\right)}$, $C_1=g_0^r$, $C_2={\left(g^{\beta }\right)}^{{\lambda }^{\prime }}$, $C_i={\left(g^{d_i}\right)}^{{\lambda }^{\prime }}$, $C_{{\mathrm{D}}_i}={\lambda }_i-{\lambda }^{\prime }$. The final ciphertext $CT$ was generated as $CT=<(A,\rho ),C,C_0,C_1,C_2,{\left\{C_t,C_{I{D}_t}\right\}}_{t\in [1,l]}>$.
• Re-Encryption Key Generation Algorithm. ReKeyGen$\left(Par,SK,P{K}_{ID},\left(\left(A^{\prime },{\rho }^{\prime }\right),T^{\prime }\right)\right)$: The re-encryption authority selected a new access structure $\left(\left(A^{\prime },{\rho }^{\prime }\right),T^{\prime }\right)$, where $A^{\prime }$ was an $l^{\prime }\times n^{\prime }$ matrix and ${\rho }^{\prime }$ was an injective function mapping each row of $A^{\prime }$ to an attribute name. $m\leftarrow {\mathbb{Z}}_p^{*}$ was chosen, and $g^m$ along with the master-key-related term $g_0^m=g^{\alpha m}$ were computed. $g^m$ was encoded as $E\left(g^m\right)\in {\mathbb{G}}_T$. A ciphertext was generated by encrypting under the new policy:

  $$C^{\prime }=〈\left(A^{\prime },{\rho }^{\prime }\right),C^{″}=E\left(g^m\right)·e{(g,g)}^{\alpha r},{\left\{C_{I{D}_t}^{\prime }\right\}}_{t\in \left[1,l^{\prime }\right]}〉$$

  (11)

  where components satisfied the following:

  $$C_{I{D}_t}^{\prime }={\lambda }_t^{\prime }-{\lambda }^{\prime },{\lambda }_t^{\prime }=A_t^{\prime }\mu \left(\mu \leftarrow {\mathbb{Z}}_p^{n^{\prime }}\right)$$

  (12)
  Blinding was applied to the original private key attribute components:

  $$S{K}_t^{*}=g_0^m·S{K}_i=g^{\alpha m}·\left(g^{\beta \alpha }·\mathcal{H}{\left(V_S\right)}^{d_t{C}_{Ver}}\right)\left(\forall t\in I_S\right)$$

  (13)
  The re-encryption key was output as follows:

  $$RK=〈C^{\prime },{\left\{S{K}_t^{*}\right\}}_{t\in I_S},P{K}_{ID}〉$$

  (14)
  This algorithm achieved dynamic updating of the access control function through the policy-binding matrix $A^{\prime }$, and the blinding of key components $S{K}_t^{*}$ ensured the security of the original private key.
• Re-Encryption Algorithm. ReEnc$(par,CT,RK)$: The re-encryption key $RK=〈C^{\prime },{\left\{S{K}_t^{*}\right\}}_{t\in I_S},P{K}_{ID}〉$ and the original ciphertext $CT=〈(A,\rho ),C,C_0,C_1,\left\{C_{I{D}_t}\right\}〉$ were input. If the ciphertext was marked as non-re-encryptable (i.e., permission had been revoked or expired), or if the attribute set S failed to satisfy the original access structure $(A,\rho )$, the termination symbol ⊥ was output. Otherwise, a valid attribute index set $T=\{t\mid \rho (t)\in S\}$ was determined. Lagrange coefficients ${\left\{{\theta }_t\right\}}_{t\in T}\subseteq {\mathbb{Z}}_p$ were selected such that

  $$\sum _{t\in T}{\theta }_t{A}_t=(1,0,0,\dots ,0)\in {\mathbb{Z}}_p^n$$

  (15)

  where $A_t$ denoted the t-th row vector of matrix A. The re-encrypted ciphertext component $C_{re}$ was synthesized using bilinear pairing operations:

  $$C_{re}=\prod _{t\in T}{\left({\displaystyle \frac{e\left(S{K}_t^{*}·D_t,g^{C_{I{D}_t}^{\prime }}·C_2\right)}{e\left(P{K}_{ID},D_t^{C_{I{D}_t}}·C_t·P{K}_2\right)}}\right)}^{{\theta }_t}$$

  (16)

  where $D_t=g^{d_t}$ represented the attribute public key component; $C_{I{D}_t}^{\prime }$ was derived from the re-encryption key $C^{\prime }$; $C_2$ was an original ciphertext component; $P{K}_2=g^{\beta }$ was the system public key; and the numerator part was computed via the blinded private key $S{K}_t^{*}$ and attribute parameters, while the denominator part verified proxy authority legitimacy. The re-encrypted ciphertext decryptable by the target user was constructed:

  $$C{T}^{*}=〈\left(A^{\prime },{\rho }^{\prime }\right),C,C_0,C_1,C_{re},C^{\prime }〉$$

  (17)

  where $\left(A^{\prime },{\rho }^{\prime }\right)$ were the LSSS matrix and labeling function of the new access policy; $C_0=g^s$ and $C_1={\mathcal{H}}_2\left(e{(g,g)}^{\alpha s}\right)\oplus m$ preserved the original encryption random number s and ciphertext core; and $C^{\prime }$ contained the blinded factor $g^m$ encrypted in the re-encryption key.
• Decryption Algorithm. Decrypt$(Par,C{T}^{*},SK,P{K}_{ID})$ or Decrypt$(P{K}_{ID},M)$: Blinding factor extraction: Decryption was performed on the non-re-encrypted ciphertext $C^{\prime }$, and $g^m=Decode\left(E\left(g^m\right)\right)$ was decoded. The verification parameter was computed as follows:

  $$L={\displaystyle \frac{C_{re}}{e\left(C_1,g^m\right)}}=e\left(g^{\alpha },g^r\right)\in {\mathbb{G}}_T$$

  (18)
  If $C_0=g^{{\mathcal{H}}_1\left(L\right)}$ held, the proxy re-encryption computation was deemed correct (true was output). Otherwise, the process was terminated (⊥ was output). For the re-encrypted ciphertext $C{T}^{*}=〈\left(A^{\prime },{\rho }^{\prime }\right),C,C_0,C_1,C_{re},C^{\prime }〉$,

  $$R=\prod _{t\in S}{\left({\displaystyle \frac{e\left(S{K}_t·D_t,g^{C_{I{D}_t}^{\prime }}·C_2\right)}{e\left(P{K}_{ID}·P{K}_2,D_t^{C_{I{D}_t}}·C_t\right)}}\right)}^{{\theta }_t}$$

  (19)

  where ${\theta }_t$ satisfied $\sum {\theta }_t{A}_t^{\prime }=(1,0,\dots ,0)$;

  $$m^{″}={\displaystyle \frac{C^{″}}{R}}=E\left(g^m\right)⟹m^{\prime }=Decode\left(m^{″}\right)=g^m$$

  (20)

  $$M={\displaystyle \frac{C·e\left(g^m,C_1\right)}{C_{re}}}=〈k,{\mathrm{hash}}_{\mathrm{path}}〉$$

  (21)
  The blockchain smart contract was accessed via ${\mathrm{hash}}_{path}$ to retrieve the original encrypted data IC. The session key k was utilized to execute the following:

  $$\mathrm{file}=SM{4}^{-1}(IC,k)$$

  (22)
  The original plaintext data was recovered.
• Revocation Algorithm. Revocation$(Par,Ve{r}^{\prime },S^{\prime })$: For non-revoked users $D{U}^{\prime }$, the trusted proxy distributed a new random factor $C_{ve{r}^{\prime }}\in Z_p^{*}$. The attribute set $S^{\prime }$ of $D{U}^{\prime }$ remained unchanged ($S^{\prime }=S$), and $d_t^{*}=d_t,\forall t\in T_S$ was maintained. During revocation, $D{U}^{\prime }$ only required updates to the key $S{K}_i$ and $P{K}_{\mathrm{ID}}$. Additionally, the trusted proxy selected a random factor ${\beta }^{\prime }\in Z_p^{*}$ to update F, resulting in $F^{\prime }=\left(g^{{\beta }^{\prime }},e\left(g^{{\beta }^{\prime b}},H\left(\mathrm{ID}\right)\right)\right)$, where

  $$\begin{array}{cc}\hfill & g^{{\beta }^{\prime }}=g^{\beta }{\left({\left(H\left(S\right)\right)}^{d_t^{*}}\right)}^{C_{Ver}-C_{ver}},g^{{\beta }^{\prime {\alpha }^{\prime }}}=g^{{\beta }^{\alpha }}{\left({\left(H\left(S\right)\right)}^{d_t^{*}}\right)}^{C_{Ver}-C_{ver}},\hfill \\ \hfill & e\left(g^{{\beta }^{b^b}},H\left(\mathrm{ID}\right)\right)=e\left(g^{{\beta }^{\prime }},H{\left(\mathrm{ID}\right)}^b\right)\hfill \\ \hfill & =e\left(g^{\beta }{\left({\left(H\left(S\right)\right)}^{d_t^{*}}\right)}^{C_{Ver}-C_{ver}^{\prime }},{\left(H\left(\mathrm{ID}\right)\right)}^b\right)\hfill \\ \hfill & =e\left(g^{\beta },{\left(H\left(\mathrm{D}\right)\right)}^b\right)e\left({\displaystyle \genfrac{}{}{0pt}{}{\left(\begin{array}{c}{\left.{\left(H\left(S\right)\right)}^{d_t^{*}}\right)}^{C_{Ver}-C_{Ver\prime }}\hfill \end{array},\right.}{{\left(H\left(\mathrm{ID}\right)\right)}^b}}\right)\hfill \\ \hfill & =e\left(g^{\beta b},H\left(\mathrm{ID}\right)\right)e{(H\left(S\right),H\left(\mathrm{ID}\right))}^{b{d}_t^{\prime }\left(C_{Ver}-C_{Ve{r}^{\prime }}\right)}\hfill \end{array}$$

  (23)
  The data owner $D{U}^{\prime }$ executed the key update operation using parameters generated by the trusted proxy:

  $$\begin{array}{cc}\hfill S{K}_i^{\prime }& =\mathcal{H}\left(\mathrm{ID},S^{\prime },Ve{r}^{\prime },F^{\prime }\right)=g^{{\alpha }^{\prime }{\beta }^{\prime }}{\left({\left(H\left(S\right)\right)}^{d_t^{*}}\right)}^{C_{Ve{r}^{\prime }}}\hfill \\ \hfill & =g^{{\beta }^{\alpha }}{\left({\left(H\left(S\right)\right)}^{d_t^{*}}\right)}^{C_{Ver}-C_{Ve{r}^{\prime }}}{\left({\left(H\left(S\right)\right)}^{d_t^{*}}\right)}^{C_{Ve{r}^{prime}}}\hfill \\ \hfill & =g^{{\beta }^{\alpha }}{\left({\left(H\left(S\right)\right)}^{d_t^{*}}\right)}^{C_{Ver}}=S{K}_i,\hfill \\ \hfill & P{K}_{ID}^{\prime }={\left({\left(H\left(ID\right)\right)}^{d_t^{*}}\right)}^{C_{Var}^{\prime }}\hfill \end{array}$$

  (24)
  Non-revoked data users accessed original data using the updated $S{K}_t^{\prime }$ and $P{K}_{ID}^{\prime }$. For revoked data users, the trusted proxy updated the attribute set $S^{\prime }=S\setminus \left\{S_t\right\},\forall t\in T_S,d_t^{*}\ne d_t$. In the updated $Ve{r}^{\prime }$, since the random factor $C_{ve{r}^{\prime }}\in Z_p^{*}$ was not distributed to data users by the trusted proxy, key updates were impossible and access to original data was prevented. The revocation of data owners was thereby completed by the trusted proxy.

4.6. Security Proof

4.6.1. Correctness Analysis

First verifies the correctness of decrypting the non-re-encrypted ciphertext component $C^{\prime }$, as follows:

$$\begin{array}{cc}\hfill & R=\prod _{t\in S}{\left({\displaystyle \frac{e\left(S{K}_t{D}_t,g^{C_{I{D}_t}^{\prime }}{C}_2\right)}{e\left(P{K}_{1}P{K}_{ID}P{K}_2,D_t^{C_{I{D}_t}}{C}_t\right)}}\right)}^{{\theta }_t}\hfill \\ \hfill & =\prod _{t\in S}{\left({\displaystyle \frac{e\left(g^{{\beta }^{\alpha }}{\left({\left(H\left(\mathrm{ID}\right)\right)}^{d_i}\right)}^{C_{Ver}}{g}^{d_t},g^{{\lambda }_t^{\prime }-{\lambda }^{\prime }}{g}^{\beta {\lambda }^{\prime }}\right)}{e\left(g^{\beta }{\left({\left(H\left(ID\right)\right)}^{d_t}\right)}^{C_{Ver}}{g}^{\beta },D_t^{\left({\lambda }_t^{\prime }-{\lambda }^{\prime }\right)}{g}^{d_t{\lambda }^{\prime }}\right)}}\right)}^{{\theta }_t}\hfill \\ \hfill & =\prod _{t\in S}{\left({\displaystyle \frac{e\left(g^{{\beta }^a}{\left({\left(H\left(\mathrm{ID}\right)\right)}^{d_t}\right)}^{C_{Ver}}{g}^{d_t},g^{{\lambda }_t^{\prime }}\right)}{e\left(g^{\beta }{\left({\left(H\left(\mathrm{ID}\right)\right)}^{d_t}\right)}^{C_{Ver}},g^{d_t\left({\lambda }_t^{\prime }-{\lambda }^{\prime }\right)}{g}^{d_t{\lambda }^{\prime }}\right)}}\right)}^{{\theta }_t}\hfill \\ \hfill & =\prod _{t\in S}{\left({\displaystyle \frac{e\left(g^{{\beta }^{\alpha }},g^{{\lambda }_t^{\prime }}\right)}{e\left(g^{\beta },g^{{\lambda }_t^{\prime }}\right)}}\right)}^{{\theta }_t}\hfill \\ \hfill & =e{(g,g)}^{\alpha {\sum }_{t\in S}{\lambda }_t^{\prime }{\theta }_t}=e{(g,g)}^{\alpha r}\hfill \end{array}$$

(25)

$m^{″}={\displaystyle \frac{C^{″}}{R}}={\displaystyle \frac{E\left(g^m\right)·e{(g,g)}^{\alpha r}}{e{(g,g)}^{\alpha r}}}=E\left(g^m\right)$. $m^{\prime }$ was obtained by decoding $m^{″}$, i.e., $m^{\prime }=g^m$.

Secondly, when the data user satisfied the access policy $\left(\left(A^{\prime },{\rho }^{\prime }\right),T^{\prime }\right)$, it simultaneously satisfied ${\sum }_{t\in T}{\theta }_t{\lambda }_t^{\prime }={\sum }_{t\in I}{\theta }_t{A}_i^{\prime }\mu =r$. The decryption algorithm $Decrypt\left(Par,C{T}^{*},SK,P{K}_{ID}\right)\to M$ was executed. The correctness of the decryption process for the re-encrypted ciphertext $C_{re}$ was verified, as detailed below:

$$\begin{array}{cc}\hfill M& ={\displaystyle \frac{Ce\left(g^m,C_1\right)}{C_{re}}}\hfill \\ \hfill & ={\displaystyle \frac{Me{(g,g)}^{\alpha r}·e\left(g^m,g_0^r\right)}{{\prod }_{t\in T}{\left(\frac{e\left(S{K}_t^{*}{D}_t,g^{C_{I{D}_t}^{\prime }}{C}_2\right)}{e\left(P{K}_{ID},D_t^{C_{I{D}_t}^{\prime }}{C}_{t}P{K}_2\right)}\right)}^{{\theta }_i}}}\hfill \\ \hfill & ={\displaystyle \frac{Me\left(g^{\alpha },g^r\right)·e\left(g^m,g_0^r\right)}{e{\left(g_0^m{g}^{\alpha },g\right)}^r}}\hfill \\ \hfill & ={\displaystyle \frac{Me\left(g^{\alpha },g^r\right)·e\left(g^m,g_0^r\right)}{e\left(g^m,g_0^r\right)·e\left(g^{\alpha },g^r\right)}}=M\hfill \end{array}$$

(26)

4.6.2. Security Analysis

Theorem 1.

Under the assumption that the decisional q-parallel BDHE problem is hard, the adaptive attack advantage of any probabilistic polynomial-time (PPT) adversary $\mathcal{A}$ against a chosen access policy $\left(A^{*},{\rho }^{*},T^{*}\right)$ satisfies

$${Adv}_{\mathcal{A}}^{\mathit{IND}\text{-}\mathit{sAS}\text{-}\mathit{CPA}}\left(\lambda \right)\le negl\left(\lambda \right)$$

(27)

This conclusion demonstrates that the scheme achieves indistinguishability security against selectively chosen access structures in the standard model. The adversary cannot gain significant cracking advantages through policy selection.

Proof. 

If a probabilistic polynomial-time (PPT) adversary $\mathcal{A}$ breaks the scheme with advantage

$${Adv}_{\mathcal{A}}=\left|Pr\left[\zeta ={\zeta }^{\prime }\right]-{\displaystyle \frac{1}{2}}\right|$$

(28)

In the CPA game, there exists an algorithm $\mathcal{C}$ capable of breaking the decisional q-parallel BDHE assumption with non-negligible advantage. Specifically, the challenger $\mathcal{C}$ simulates $\mathcal{A}$’s attack process, directly reducing the adversary’s advantage $Ad{v}_{\mathcal{A}}$ to the intractability of the q-parallel BDHE problem:

$${Adv}_{\mathcal{C}}^{q-\mathrm{parallel}\mathrm{BDHE}}\ge {Adv}_{\mathcal{A}}$$

(29)

This reduction rigorously proves that if the q-parallel BDHE assumption holds, the scheme satisfies IND-sAS-CPA security in the standard model. The adversary’s success probability is suppressed within the negligible function range.

The $IND-sAS-CPA$ game is executed according to the following simulated algorithms (Sim.Init, Sim.Setup, Sim.KeyGen, Sim.ReKeyGen):

Sim.Init: $\mathcal{A}$ issues a challenge request for access structure ${\Gamma }^{*}=\left(A^{*},{\rho }^{*},T^{*}\right)$ to $\mathcal{C}$, where the sharing matrix $A^{*}\in {\mathbb{Z}}_p^{l^{*}\times n^{*}}$.

Sim.Setup: $\mathcal{C}$ initializes the key storage structure. An empty private key list $S{K}_t^{\mathrm{List}}$ and a public key list $P{K}_{ID}^{\mathrm{List}}$ are generated, with their index domain covering the attribute set $T_S$.

Sim.KeyGen: Queries are generated by $\mathcal{A}$ regarding attribute sets $S\mid \ne \left(A^{*},{\rho }^{*},T^{*}\right)$ that do not match the access policy $\left(A^{*},{\rho }^{*},T^{*}\right)$. $\mathcal{C}$ selects random factors ${\left\{{\theta }_{n^{*}}\in Z_p\right\}}_{n^{*}\in T}$. When $n^{*}=1$, ${\theta }_{n^{*}}=-1$, resulting in a vector $\overrightarrow{\theta }=\left({\theta }_1,{\theta }_2,{\theta }_3\dots ,{\theta }_n\right)\in Z_p^{\dot{n}}$. Additionally, all x satisfying ${\rho }^{*}\left(x\right)\in T_S$ were identified where $x\in [1,l]$, such that $\overrightarrow{\theta }{A}_x^{*}=0$ held for each. Under the current version Ver, $\mathcal{C}$ selected $〈d_t,C_{Ver}>\in Z_p^{*}$ and output user identity-related public keys $P{K}_{\mathrm{D}}={\left(H{\left(\mathrm{ID}\right)}^{d_1}\right)}^{C_{Ver}},\dots ,P{K}_{ID}={\left(H{\left(\mathrm{ID}\right)}^{d_t}\right)}^{C_{Ver}}$. Private keys generated via the discrete logarithm-based trapdoor hash function were $S{K}_1={\left(g^{\beta }\right)}^{\alpha }{\left(H{\left(S\right)}^{d_1}\right)}^{C_{Ver}}$, $\dots ,S{K}_t={\left(g^{\beta }\right)}^{\alpha }{\left(H{\left(S\right)}^{d_t}\right)}^{C_{Ver}}$. $\mathcal{C}$ injected the generated private key $S{K}_t$ into $S{K}_t^{List}$ and public key $P{K}_{ID}$ into $P{K}_{ID}^{List}$, then returned $P{K}_{ID},SK$ to $\mathcal{A}$. If the attribute set S satisfied access policy ${\Gamma }^{*}=\left(A^{*},{\rho }^{*},T^{*}\right)$ (i.e., $S\vDash {\Gamma }^{*}$), $\mathcal{C}$ randomly selected $b\leftarrow \{0,1\}$ and terminated the security game. This operation severed the adversary’s advantage accumulation path through policy constraints, ensuring the rigor of the reduction proof.

Sim.ReKeyGen$(pp,s{k}_f,h,g)$: Queries for required re-encryption keys were issued by $\mathcal{A}$ to $\mathcal{C}$ via attribute set S and access policy $\left(A^{″},{\rho }^{″},T^{″}\right)$. The adversary $\mathcal{A}$ selected attribute set S. When S satisfied access structures $\left(A^{*},{\rho }^{*},T^{*}\right)$ and $\left(A^{″},{\rho }^{″},T^{″}\right)$ (i.e., $S\mid =\left(A^{*},{\rho }^{*},T^{*}\right)$ and $S\mid =\left(A^{″},{\rho }^{″},T^{″}\right)$), then $\mathcal{C}$ output any value from $\{0,1\}$ and terminated the game. Otherwise, $\mathcal{C}$ executed algorithm $RK\leftarrow ReKeyGen\left(Par,SK,P{K}_{\mathrm{D}},\left(A^{″},{\rho }^{″},T^{″}\right)\right)$, selected random factor $m^{*}\in Z_p^{*}$, and computed $g^{m^{*}}$ and $g_0^{m^{*}}$. $g^{m^{*}}$ was encoded as $E\left(g^{m^{*}}\right)$, then $E\left(g^{m^{*}}\right)$ was encrypted under $\left(A^{″},{\rho }^{″},T^{″}\right)$ to obtain $C^{*}$. $S{K}_1^{*}=g_0^{m}S{K}_1,S{K}_2^{*}=g_0^{m}S{K}_2,\dots ,S{K}_t^{*}=g_0^{m}S{K}_t$ were computed, where $S{K}_t={\left(g^{\beta }\right)}^{\alpha }{\left(H{\left(S\right)}^{d_t}\right)}^{C_{Ver}}$. The re-encryption key $RK=<C^{*},{\left\{S{K}_t^{*}\right\}}_{\forall t\in T_s},P{K}_{\mathrm{D}}>$ was output and sent to $\mathcal{A}$.

Challenge: Equal-length messages $m_0$ and $m_1$ were submitted by $\mathcal{A}$ to $\mathcal{C}$. $\zeta \leftarrow \{0,1\}$ was randomly selected by $\mathcal{C}$. Ciphertext $C{T}^{\prime }\leftarrow Enc\left(m_{\zeta }\right)$ was generated and returned to $\mathcal{A}$. This process tested the adversary’s cracking capability through message indistinguishability, constructing the core verification link for security reduction.

Guess: After $\mathcal{A}$ output guess value ${\zeta }^{\prime }\in \{0,1\}$, challenger $\mathcal{C}$ determined the result as follows: (1) Successful guess: If $\zeta ={\zeta }^{\prime }$, $\mathcal{C}$ inferred $\mathfrak{T}=e{(g,g)}^{a^{q+1}·r}$ (i.e., ${\zeta }^{\prime }=1$), indicating $\mathcal{A}$ successfully associated ciphertext $C{T}^{\prime }$ with message $m_{\zeta }$. (2) Failed guess: If $\zeta \ne {\zeta }^{\prime }$, $\mathcal{C}$ determined $\mathfrak{y}$ to be a random element in ${\mathbb{G}}_T$ (i.e., ${\zeta }^{\prime }=0$). The adversary could not obtain effective informational correlation. Security quantification: The adversary $\mathcal{A}$’s cracking advantage was defined as

$${Adv}_{\mathcal{A}}^{\mathrm{IND}-\mathrm{CPA}}\left(\lambda \right)=\left|Pr\left[\zeta ={\zeta }^{\prime }\right]-{\displaystyle \frac{1}{2}}\right|$$

(30)

If and only if the decisional q-parallel BDHE assumption holds, there exists a negligible function $negl(·)$ such that

$${Adv}_{\mathcal{A}}^{\mathrm{IND}-\mathrm{CPA}}\left(\lambda \right)\le negl\left(\lambda \right)$$

(31)

This conclusion rigorously proves the scheme’s adaptive security in the standard model by reducing $\mathcal{A}$’s advantage to the intractability of the q-parallel BDHE problem.

$$\begin{array}{cc}\hfill \mathcal{A}d{v}_{\mathcal{A}}& =\left|Pr\left[\zeta ={\zeta }^{\prime }\right]-{\displaystyle \frac{1}{2}}\right|\hfill \\ \hfill & =\left|Pr\left[\mathfrak{H}\left(\overrightarrow{v},\mathfrak{T}=e{(g,g)}^{a^{q+1}·r}\right)=0\right]-{\displaystyle \frac{1}{2}}\right|\hfill \\ \hfill & =\left|Pr\left[\zeta ={\zeta }^{\prime }\mid \left(\mathfrak{T}=e{(g,g)}^{a^{q+1}·r}\right)=0\right]-{\displaystyle \frac{1}{2}}\right|=\mathcal{A}dv\hfill \end{array}$$

(32)

If $\mathcal{C}$ output result ${\zeta }^{\prime }=0$, then $\mathfrak{T}\in G_T$, indicating $\mathcal{A}$ could not obtain $C{T}^{\prime }$ related to $m_{{\zeta }^{\prime }}$. According to the security model’s guessing, $\mathcal{A}dv=Pr\left[\zeta ={\zeta }^{\prime }\mid \mathfrak{H}\left(\overrightarrow{v},\mathfrak{T}\in G_T\right)=0\right]={\displaystyle \frac{1}{2}}$. The challenger $\mathcal{C}$’s advantage could be derived as follows:

$$\begin{array}{cc}\hfill \mathcal{A}d{v}_{\mathcal{C}}& ={\displaystyle \frac{1}{2}}\left|Pr\left[\mathfrak{H}\left(\overrightarrow{v},\mathfrak{T}=e{(g,g)}^{a^{q+1·}·r}\right)=0\right]\right|+{\displaystyle \frac{1}{2}}\left|Pr\left[\mathfrak{H}\left(\overrightarrow{v},\mathfrak{T}\in G_T\right)=0\right]\right|-{\displaystyle \frac{1}{2}}\hfill \\ \hfill & ={\displaystyle \frac{1}{2}}\left({\displaystyle \frac{1}{2}}+\mathcal{A}dv\right)+{\displaystyle \frac{1}{4}}-{\displaystyle \frac{1}{2}}\hfill \\ \hfill & ={\displaystyle \frac{\mathcal{A}dv}{2}}.\hfill \end{array}$$

(33)

Theoretical analysis shows the adversary $\mathcal{A}$’s attack advantage satisfies

$${Adv}_{\mathcal{A}}=\left|Pr\left[\mathrm{Win}\right]-{\displaystyle \frac{1}{2}}\right|⊈neg\left(\lambda \right)$$

(34)

The challenger $\mathcal{C}$’s reduction advantage for cracking the q-parallel BDHE problem is

$${Adv}_{\mathcal{C}}^{\mathrm{q}-\mathrm{DBDHE}}\ge {\displaystyle \frac{1}{2}}·{Adv}_{\mathcal{A}}$$

(35)

Based on the intractability of the decisional q-parallel Bilinear Diffie–Hellman assumption, the scheme satisfies IND-sAS-CPA security under the adaptive chosen attribute set attack model. This contradictory relationship proves the existential conclusion: If the assumption holds, the adversary’s advantage must be negligible.  □

5. Efficiency Analysis

5.1. Theoretical Analysis

As shown in the

Table 1. Functional comparison with other related schemes.

Scheme	Policy Hiding	Re-Encryption Verification	Distributed Storage	Revocability	Collusion Resistance
[11]	✓	✗	✓	✓	✓
[15]	✗	✓	✗	✓	✓
[13]	✗	✓	✗	✗	✓
[10]	✗	✓	✗	✗	✓
[16]	✗	✗	✗	✓	✓
[17]	✓	✓	✓	✓	✓
Our Scheme	✓	✓	✓	✓	✓

, the scheme proposed in this paper is compared with other data-sharing schemes in functional features. The scheme in [11] supports policy hiding, which effectively protects users’ private information by hiding sensitive attribute values; while schemes [10,13,15] additionally support verification of re-encrypted ciphertexts on the basis of ABPRE. This achieves one-time encryption with multiple sharing, and the verifiability of ciphertexts effectively prevents collusion attacks from semi-trusted proxies and malicious users. Furthermore, the re-encrypted ciphertext embeds the original ciphertext generated by the encoding function, making the verification process controllable.

The scheme proposed in this paper not only inherits the advantage of verifiable re-encrypted ciphertexts from schemes [10,13,15,17], but also possesses the characteristics of attribute revocation and collusion attack resistance from scheme [11]. Additionally, our scheme satisfies indistinguishability against chosen-plaintext attacks under specific access structures.

The distributed storage of data on the blockchain in scheme [11] ensures message integrity during data sharing. This paper chooses to store encrypted data on the blockchain, effectively avoiding repeated uploading of identical ciphertexts and reducing the workload of data owners. Although schemes in [15,17] both implement user revocation, the methods they use differ. This paper adopts a more efficient revocation method by constructing private keys using SM3 and updating keys to revoke malicious users.

Analysis of the results in

Table 2. Storage space comparison of related schemes.

Scheme	Public Parameters	Decryption Key	Original Ciphertext	Re-Encrypted Ciphertext
[11]	$10m+m^{\prime }$	$(5n+2)m$	$(6n+2)m+m^{\prime }$	$4m+m\prime$
[15]	$4m+m^{\prime }$	$(n+1)m$	$(2n+3)m+m^{\prime }$	$4m+m^{\prime }$
[13]	$9m+3m^{\prime }$	$(2n+4)m$	$(2u+5)m+2m^{\prime }$	$(2u+7)m+3m^{\prime }$
[10]	$3m+m^{\prime }$	$(n+1)m$	$(2n+3)m+2m^{\prime }$	$(2\mathcal{N}+5)m+m^{\prime }$
[16]	$(u+5)m+2m^{\prime }(n+2)m$	$(2u+2)m+m^{\prime }$	$(2u+2)m+2m\prime$	$(2u+2)m+2m\prime$
[17]	$3m+m^{\prime }$	$(2n+1)m+m^{\prime }$	$(n+2)m+2m^{\prime }$	$3m+2m^{\prime }$
Proposed Scheme	$2m+m^{\prime }$	$\left(2n\right)m+2m^{\prime }$	$nm+2m^{\prime }$	$m+2m^{\prime }$

1. m,$m^{\prime }$: the length of elements in prime-order groups for G and $G_T$; 2. u: the number of attribute elements in the system attribute space; 3. n: the number of attributes in the user’s access structure; 4. $\mathcal{N}$: the number of attributes in the access structure satisfied by the data user.

indicates that the Ge2023 scheme [16] exhibits constrained storage efficiency in large-scale scenarios due to its public parameter size scaling linearly with attribute quantity. In contrast, the proposed scheme adopted a fixed-length parameter design, achieving minimized storage occupation for public parameters while enhancing adaptability to scalability requirements in extensive IoT environments. As attribute counts in user access structures increased, all storage overhead metrics in schemes [10,11,13,15,17] demonstrated linear growth patterns. The proposed scheme maintained lower overhead across all dimensions compared to existing solutions, concurrently reducing key compromise risks. In summary, substantially reduced storage occupation was achieved by the proposed solution relative to alternative data-sharing approaches.

As detailed in

Table 3. Comparison of computational costs for related schemes.

Scheme	Key Generation	Encryption	Re-Encryption Key Generation	Re-Encryption
[11]	$(5n+2)T_G$	$(6n+2)T_G+T_G^{\prime }$	$(5\mathcal{N}+4)T_G+T_G^{\prime }$	$(2\mathcal{N}+3)T_G+T_G^{\prime }$
[15]	$(n+1)T_G$	$(2n+4)T_G+2T_G^{\prime }$	$(\mathcal{N}+3)T_G+T_G^{\prime }$	$2\mathcal{N}{T}_P+\mathcal{N}{T}_G^{\prime }$
[13]	$(2n+5)T_G+T_G^{\prime }$	$(u+7)T_G+T_G^{\prime }$	$(\mathcal{N}+10)T_G+T_G^{\prime }$	$(3u+4)T_G+5T_G^{\prime }$
[10]	$(3n+5)T_G+T_G^{\prime }$	$(2n+5)T_G+T_G^{\prime }$	$(2\mathcal{N}+8)T_G+T_G^{\prime }$	$4\mathcal{N}{T}_P+2T_G^{\prime }$
[16]	$(u+2)T_G$	$(2u+4)T_G+T_G^{\prime }$	$(3\mathcal{N}+8)T_G+T_G^{\prime }$	$u{T}_P+u{T}_G^{\prime }$
[17]	$(2n+3)T_G+T_G^{\prime }$	$(n+4)T_G+T_G^{\prime }$	$(\mathcal{N}+2)T_G+T_G^{\prime }$	$2\mathcal{N}{T}_P+\mathcal{N}{T}_G^{\prime }$
Proposed Scheme	$(n+3)T_G+T_G^{\prime }$	$(n+2)T_G+T_G^{\prime }$	$(\mathcal{N}+2)T_G+T_G^{\prime }$	$2\mathcal{N}{T}_P+\mathcal{N}{T}_G^{\prime }$

1. $T_P$: bilinear pairing operations; 2. $T_G,T_G^{\prime }$: exponentiation operations in groups G and $G_T$.

, computational overhead is compared across four dimensions: key generation, data encryption, re-encryption key generation, and auxiliary operations. The proposed scheme achieves functional enhancements while maintaining superior computational efficiency in all four aspects compared to existing solutions.

5.2. Experimental Analysis

To evaluate the performance of the proposed scheme, four schemes were executed on a 12th Gen Intel(R) Core(TM) i5-12500H CPU operating at 3.10 GHz within the PyCharm 2023.1.4 (Professional Edition) environment. Experimental results are presented in

Table 4. Computation time of cryptographic operations.

Symbol	Execution Time (ms)
$N_p$	9.0813
$N_{E\left(G\right)}$	6.4675
$N_{E\left(T\right)}$	0.3868

.

Time consumption during four critical phases—key generation, encryption, re-encryption key generation, and re-encryption—was comparatively analyzed against schemes from [10,11,13,15,16,17]. Experimental comparisons are visualized in Figure 5. This paper selects the number of attributes in the access structure as the independent variable, taking the average value after 50 experiments in each phase.

According to Figure 5a, this study demonstrates that in key generation scenarios, the algorithm’s execution time increases significantly with the number of attributes in the access structure; all seven schemes exhibit an upward trend, with scheme [11] showing the highest computational overhead (reaching 2800 ms at 60 attributes). Our scheme maintains optimal efficiency throughout, requiring only 600 ms under identical conditions, closely approaching the suboptimal scheme [17]; particularly beyond 20 attributes, performance disparities accelerate, highlighting our solution’s effectiveness in curbing the time-increase slope through algorithmic optimizations. Figure 5b shows that key generation time for all schemes exhibits a monotonically increasing trend with attribute growth; Scheme [16] demonstrates the most significant time overhead escalation, while our solution maintains efficiency leadership with execution time significantly lower than most algorithms and the flattest growth curve aligned with scheme [17].

Curve trend analysis based on Figure 5c indicates execution time for all re-encryption key generation schemes increases monotonically with attribute count; scheme [11] consistently exhibits the highest curve position, while our solution maintains the lowest trajectory with significantly flatter growth slope; performance gaps markedly widen beyond 20 attributes. Analysis of Figure 5d demonstrates all schemes show monotonically increasing execution time yet divergent growth patterns: scheme [13,16] display drastic nonlinear acceleration, while scheme [11,15] maintain gradual increases; our solution shows the shallowest growth slope, confining incremental cost to millisecond-level increases—starkly contrasting Ge2023’s thousands-of-milliseconds surge.

These results confirm our design effectively suppresses nonlinear time-cost expansion through algorithmic optimizations, establishing critical foundations for large-scale re-encryption deployment. Curve trend analysis of Figure 6 shows that execution time for scheme [15,16,17] and our scheme increases monotonically with attributes;scheme [15] shows highest curve position indicating lowest efficiency; scheme [16,17] exhibit mid-tier performance with scheme [16] slope steepening; our solution maintains lowest trajectory, validating our revocation algorithm suppresses computational burden expansion and enables efficient re-encryption deployment. During the revocation process, the trusted authority executes the revocation algorithm to generate random factors for non-revoked users. This process only requires performing key update computations, and the update involves only one exponentiation operation. When the number of attributes in the access structure is 50, the time consumed is approximately 324 ms.

6. Conclusions

To address proxy authority boundary violations in cross-domain ciphertext sharing, this work constructs an Attribute-Based Access Control Proxy Re-Encryption scheme. Targeting limitations in traditional identity-based models for fine-grained permission allocation and multi-dimensional attribute adaptation, the scheme enables access policy definition based on multiple user attributes. It provides flexible authorization that restricts data access exclusively to users satisfying specific attribute conditions. A formal security model with comprehensive proofs is established. Theoretical and experimental results demonstrate effective control over proxy/receiver permissions, featuring shorter key generation latency and compact keys. This resolves proxy permission overreach and receiver permission diffusion issues.