OO-MA-KP-ABE-CRF: Online/Ofﬂine Multi-Authority Key-Policy Attribute-Based Encryption with Cryptographic Reverse Firewall for Physical Ability Data

: In many universities, students’ physical ability data are collected and stored in the cloud through various sensing devices to save computational and storage costs. Therefore, how to effectively access data while ensuring data security has become an urgent issue. Key-policy attribute-based encryption (KP-ABE) not only enables secure one-to-many communication and ﬁne-grained access control but also adapts to data sharing in static scenarios, making it more suitable for the cloud sharing of physical ability data. In this paper, we construct an online/ofﬂine multi-authority key-policy attribute-based encryption with a cryptographic reverse ﬁrewall for physical ability data. This scheme uses multi-authority to avoid the single point of failure crisis of a single authority, and is combined with a cryptographic reverse ﬁrewall to resist backdoor attacks. In addition, the scheme uses outsourcing decryption to save users’ computing costs, and utilizes ofﬂine/online technology to move a large amount of computing ofﬂine, reducing the online burden. Finally, the experiment shows the feasibility of the scheme.


Introduction
With the widespread use of sensing devices, various sensors carried by students can collect physical ability data, such as the time spent completing a long-distance race, the number of jump rope skips within a minute, and heart rate, and upload the collected data to the cloud for storage. For security, sensitive data should be encrypted before being stored in the cloud. ABE (attribute-based encryption) can achieve fine-grained access control over ciphertext while providing encryption for data, making it suitable for protecting students' physical ability data. ABE has two types: key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE). In the KP-ABE scheme, attributes are used to encrypt data, and the user's decryption key corresponds to an access structure. The decryption key can correctly decrypt the ciphertext if and only if the attribute satisfies the access structure. Firstly, before encrypting the physical ability data, it is not known which users want to share, and the access structure of these users may be different. Therefore, if CP-ABE is used to encrypt physical ability data, it may involve the need to convert ciphertext under one access structure to ciphertext under another access structure [1]. Secondly, due to the sensitivity of physical ability data, the system needs to maintain an audit log. As shown in [2], when the KP-ABE encryption scheme is adopted, the system uses attributes to encrypt the physical ability data. The data can only be decrypted and accessed by the user after obtaining the corresponding key of the specified access structure, thus effectively solving the audit log problem. Finally, due to The remainder of this paper is as follows: Section 2 outlines the related work. Section 3 provides the preliminaries. Section 4 details the proposed OO-MA-KP-ABE-CRF scheme. Section 5 provides the performance analysis. Finally, the conclusion is presented in Section 6.

Related Work
This section provides a summary of related works on ABE, CRF, and online/offline cryptography.

Attribute-Based Encryption
Goyal et al. [2] classified ABE into two types: KP-ABE and CP-ABE. Due to the richness of access structures, the research and application of ABE have received increasing attention, but currently, most ABE access structures are focused on monotonic access structures. In order to enrich the expression of access structures, Yamada et al. [3] modularized KP-ABE and proved that any special-type predicate encryption satisfying certain conditions can be transformed into the non-monotonic KP-ABE format. Subsequently, Attrapadung et al. [4] designed an attribute-based signature supporting non-monotonic span programs by studying predicate encryption schemes and implementing constant-size signature technology. Moreover, ABE serves as a prevalent privacy protection method, playing a crucial role in safeguarding personal privacy and ensuring the secure communication of data in various domains such as cloud computing, medical insurance, intelligent transportation, and the Internet of Things. For instance, Zhang et al. [5] surveyed various ABE-based techniques for securing cloud data, Rasori et al. [6] proposed a KP-ABE scheme against the potential threat of malicious attacks of untrustworthy cloud servers, Kumar et al. [7] researched how to combine IoT with ABE to protect user privacy, and Jaiswal et al. [8] compared and analyzed various ABE schemes in medical privacy scenarios. In addition, there has been a plethora of research related to privacy protection, such as the adoption of the secure encryption random permutation pseudo algorithm (SERPPA) to enhance network security and energy efficiency [9], investigations into ABE in the post-quantum era [10], and the development of privacy-preserving schemes in federated learning [11], among others. Considering that almost all hierarchical ABEs are designed based on CP-ABE schemes and only support monotonic access structures, Li et al. [12] proposed a hierarchical non-monotonic KP-ABE scheme. Therefore, non-monotonic ABE schemes offer more flexible access control than monotonic ABE and can better meet the complex authorization requirements in practical applications.

Cryptographic Reverse Firewall
Edward Snowden's revelations have revealed hidden backdoor vulnerabilities in many provably secure cryptographic algorithms. To defend against malicious data streams and prevent the leakage of public parameters, Mironov and Stephens-Devidowitz [13] introduced the CRF in 2015. The CRF is deployed between user machines and external networks to intercept incoming and outgoing data and update it in real-time, preventing potential backdoor threats. Dodis, Mironov, and Stephens-Devidowitz [14] designed an efficient secure transmission protocol based on the CRF framework, focusing on whether users can securely communicate with untrusted machines and others. Ma et al. [15] used bilinear pairing to construct a COO-CP-ABE-CRF scheme, which successfully reduced the overall computational cost compared to the original scheme without CRF, and developed a libabe library which is compatible with Android devices; the prototype has been implemented on laptops and mobile phones. Hong et al. [16] designed a MA-KP-ABE system based on CRF technology that supports non-monotonic access structures. They analyzed the system's performance using the Charm library. To resist keyword guessing attacks (KGA) initiated by dishonest cloud servers, Zhou et al. [17] combined public key encryption with keyword search (PEKS) with the CRF and designed a searchable public key encryption with CRF (SPKE-CRF). Furthermore, to meet data security sharing requirements in virtual worlds like the Metaverse, Zhao et al. [18] proposed a CP-ABE-CRF scheme with outsourcing decryption, offline encryption, and black-box tracing capabilities.

Online/Offline Cryptography
The high computational overhead of KP-ABE is a problem. To address this issue, Hohenberger et al. [19] proposed an OO-ABE scheme, which separates the original cryptographic algorithm into an offline and online phase. During the offline phase, the system performs data preprocessing to enable the fast assembly of encryption ciphertexts or keys in the online phase, resulting in significant time and overhead savings. Additionally, Cui et al. [20] proposed a novel keyword search scheme with online/offline attributes in the mobile cloud, which achieved cost savings and maintained data privacy and security. Therefore, online/offline technology has significant advantages in various privacy and security scenarios with real-time requirements, such as healthcare IoT, 5G communications, industrial IoT, etc. [21][22][23][24][25][26]. In order to address the issue of low efficiency in the operation of the medical Internet of Things, Li et al. [27] proposed a flexible and efficient ciphertextpolicy attribute-based encryption scheme by integrating online/offline techniques and outsourced decryption. They also effectively ensured the security of the cryptographic algorithm through CRF. Overall, online/offline cryptography technology effectively reduces computational overhead in algorithms and brings significant advantages to various application areas.

Preliminaries
This introduces the preliminaries of the OO-MA-KP-ABE-CRF scheme.

Bilinear Group
For the multiplicative cyclic groups G and G T with the same prime order p, we define an efficiently computable bilinear pairing e : G × G → G T that satisfies the following two properties: (1) Bilinearity: One can compute e(P a , Q b ) = e(P, Q) ab for any P, Q ∈ G and a, b ∈ Z * p . (2) Non-degeneracy: Let g ∈ G and h ∈ G be the generators. The equation e(g, h) = 1 always holds.

Access Structure
For a set of participants P, we define the attribute x to represent the elements in the set P, and each attribute x is either a positive attribute x or a negative attribute x . Assuming that the set S includes all possible attributes,S = {x |x ∈ S} is the set of negative attributes derived from S. For a monotonic access structure A defined on the attribute set S, there always exists a corresponding non-monotonic access structureÃ = N M(A), where S ∈ N M(A). When N(S) ∈ A , there is N(S) = S ∪ {x |x ∈ P − S}.

Linear Secret Sharing Schemes
A linear secret sharing scheme (LSSS) involves (M, ρ) with the general attribute description U, where M ∈ Z l×n p is a secret sharing matrix, and ρ(M i ) is a corresponding attribute, where M i is the i − th row of M . For the secret s ∈ Z p , we randomly select y 2 , · · · , y n ∈ Z p , and then λ i = M i (s, y 2 , · · · , y n ) T is the share of secret value s corresponding to attribute ρ(M i ). When reconstructing secret values s using the share λ i , there exists c i such that ∑ i∈I c i M i = (1, 0, · · ·, 0); thus, ∑ i∈I c i λ i = s, where I = {i : ρ(i) ∈ P}, and P is an authorized set.

Cryptographic Reverse Firewall
The CRF of party P is a state algorithm that outputs an updated state and message based on the input of the state and the message of party P. For a scheme satisfying functionality requirement and a party P, when the CRF is applied to P polynomial times, the functionality of the scheme is maintaining, it is called CRF maintaining functionality. If a scheme is secure, and the party P in the scheme is replaced with a combination of CRF and functionality-maintaining adversarial implementations, which still satisfies the security requirement, then it is called CRF weakly preserved security. If the corrupted functionality-maintaining implementation of party P cannot leak information through the CRF, then it is called CRF weakly exfiltration resistance. Further understanding of CRF can be found in reference [27].

System Model and Security Model
This introduces the system model, a real-world application, and a security model of the OO-MA-KP-ABE-CRF scheme.

System Model
The scheme includes five entities accompanied by their corresponding CRF. These entities are the global-identity authority (GA), attribute authorities (AA), the data owner (DO), the data user (DU), and the cloud service provider (CSP). Each entity is equipped with a CRF, namely W GA for GA, W AA for AA, W DO for DO, and W DU for DU. The global parameters GP are generated by GA. To mitigate potential compromises in this process, GP is randomized by W GA to obtain GP , and the updated results are broadcasted throughout the system. The AA generates a public/private key pair for itself and a decryption key for the user. Additionally, the AA's keys and the users' decryption keys are randomized by W AA to mitigate potential vulnerabilities. The CSP is responsible for offering services like cloud storage and outsourced decryption. The DO encrypts the data and then uploads it to the CSP. Given the potential risk of adversaries compromising critical encryption processes, W DO applies additional randomization to the ciphertext. Subsequently, the ciphertext is downloaded from the CSP and decrypted by DU. To mitigate potential vulnerabilities in the outsourced decryption key generation process, W DU randomizes the keys used for outsourced decryption.
Let U denote the general attribute description, whileÃ represents a non-monotonic access structure. The OO-MA-KP-ABE-CRF forÃ consists of 17 algorithmic steps: Global.Setup(λ, U) → GP. For the input security parameters λ and general attribute description U , GA runs the algorithm and outputs the global public parameters GP. W GA .Global.Setup(GP) → GP . For the input GP , W GA runs the algorithm and outputs the updated global public parameters GP .
AA.Setup(GP ) → (PK k , SK k ). For the input GP , AA k runs the algorithm and outputs the public key PK k and private key SK k for itself. W AA .Setup(PK k , SK k ) → (PK k , SK k ). For the input (PK k , SK k ), W AA runs the algorithm and outputs the updated (PK k , SK k ).
KeyGen.off(GP , PK k , A k C ) → D k.o f f . For the input GP , PK k , and A k C , AA k runs the algorithm and outputs the offline decryption key Correctness: For λ ∈ N, U, an access structure P and a message m, the correctness holds:

Real-World Application
We describe the practical workflow of OO-MA-KP-ABE-CRF for physical ability data, as shown in Figure 1.  Setup phase: (1) Students participating in physical ability tests register their identities on the school platform based on their attributes, such as college, grade, age, and so on.
(2) The university calculates global parameters based on these attributes and the CRF of the university randomly updates these parameters. (3) Each department (attribute authority) within the university, such as the education department and the sports department as an attribute authority, independently generates public/private key pairs in the system. (4) To prevent information leakage, the CRF of each department randomizes the update of public/private key pairs. Key generation phase: (5) and (6) The offline phase is responsible for generating offline keys, while the online phase is responsible for assembling offline keys and generating keys. (7) and (8) Finally, the corresponding CRF of each department updates and outputs the decryption key for the user.
Encryption phase: (9) In physical ability testing, the sensors worn by students collect their current physical ability data in real time. After obtaining the ciphertext by encrypting the data using the attributes, it is then uploaded to the CSP. (10) The offline/online technology is used in the encryption for saving computational costs. (11) and (12) The ciphertext generated by the sensors is not immediately sent to the CSP but is first transmitted to the CRF, which updates and transforms the ciphertext.
Decryption phase: (13) Authorized teachers with specific access structures plan to access the physical ability data of students stored in the CSP through mobile devices. They first generate a conversion key and retrieval key based on the obtained decryption key. The conversion key is sent to the CSP for outsourced decryption, while the retrieval key is retained by the teacher. (14) Before sending to CSP, the conversion key is updated by the CRF of the mobile device. (15)(16) After receiving the updated conversion key, CSP runs decryption and sends the result to CRF of the mobile device. (17) Ultimately, the teacher successfully recovers the physical ability data of the students using the retrieval key.

Security Model
We present the security model for the OO-MA-KP-ABE-CRF scheme based on [16,27]. Adversarial Model: We assume the full trustworthiness of GA, AA, DO, and DC, and the semi-trust of CSP. Given that Global.Setup, AA.Setup, KeyGen.off, KeyGen.on, Encrypt.off, Encrypt.on, and KeyGen.ran in the scheme remain functional despite the presence of malicious backdoors, it is important to consider that they may be compromised without the knowledge of the executing parties. Owing to the curiosity of W DO and W DU regarding user data, we assume that W DO and W DU are semi-trusted. Since W AA has access to users' decryption keys, we assume that W AA is fully trusted. Furthermore, all CRFs are regarded as trusted domains and are immune to external tampering.
The selective-set CPA security game for the scheme is played by a challenger C and an adversary A.
Init: The A publicizes the set of AA k , along with the corresponding attribute set A u = A 1 u , · · ·, A K u . The A sends algorithms Global.Setup * , AA.Setup * , KeyGen.off * , KeyGen.on * , KeyGen.ran * , Encrypt.off * , and Encrypt.on * to the C. Setup: , and then sends GP , the PK k of the honest authority, and the (PK k , SK k ) of the corrupted authority to the A.
Phase 1: The adversary A can adaptively issue queries to the AA k . When the access structure A k satisfies the attribute A u , the honest AA k refuse to answer, and otherwise answer the corresponding private key. For each query, the C runs TKUpdate(TK), and sends D GID,k , TK as a response to the adversary A.
Challenge: The A sends two plaintexts, m 0 and m 1 , of equal length to the challenger C. Then, C randomly selects b ∈ {0, 1} and runs Phase 2: Same as Phase 1. Guess: The A outputs a guess b for b.

Definition 1.
If all PPT adversaries have at most negligible advantages in the above game, then the OO-MA-KP-ABE-CRF scheme is selective-set CPA-secure.

OO-MA-KP-ABE-CRF
Firstly, a basic OO-MA-KP-ABE scheme is proposed. Then, we construct the OO-MA-KP-ABE-CRF scheme, and finally show the security.

Basic Construction of OO-MA-KP-ABE Scheme
Based on the KP-ABE scheme [28], this section introduces the OO-KP-ABE scheme using a decentralized approach similar to [29] incorporating the user's identity GID. Compared with [30], our scheme not only resists collusion attacks, but also eliminates the need for a central attribute authority to coordinate the key distribution among attribute authorities.
(1) Global.Setup(λ, U) → GP. The system selects e : G × G → G T , with prime order p, and randomly selects generators g and h of the group G and hash functions H, F : {0, 1} * → G. Finally, the system outputs GP = {g, h, H(·), F(·)}. (2) AA.Setup(GP) → (PK k , SK k ). For k ∈ [K], attribute authority AA k randomly selects α k1 , α k2 , b k ← Z p and computes α k = α k1 · α k2 . Finally, we compute and output the public key (4) KeyGen.on(GP, D k.o f f , SK k ,Ã k , GID) → D GID.k . AA k selects the non-monotonic access structureÃ k , which associates with an LSS matrix (M, ρ). By utilizing the LSSS mechanism Π, we can acquire the share {λ k,i } of α k1 and the share {ω k,i } of 0, where λ k,i = M i λ, λ is a random vector with the first term being α k1 . ω k,i = M i ω, where ω is a random vector with the first term being 0. M i is row i of M, i ∈ [l], l ≤ P, and P is the maximum number of row of M.
If ρ(i) = x i is non-negative, calculating k,i , D k,i ,D Finally, the conversion key TK = {D k,i } k∈[K],i∈[l] and the retrieval key RK = τ are generated and outputted.
terminate the process and output ⊥. If A k u ∈Ã k , then A k u = N(A k u ) ∈ A k , whereÃ k is the corresponding non-monotonic access structure of A k . Let I = {i : ρ(i) ∈ A k u }.

Theorem 1.
If the KP-ABE scheme of [28] is selective CPA-secure, then the OO-MA-KP-ABE scheme is also selective CPA-secure.
Proof. The MA-KP-ABE scheme is constructed based on the KP-ABE scheme of [28]. We adopt the multi-authority technique of [29] and introduce user identity GID in the construction of the MA-KP-ABE scheme. Compared with [28], our MA-KP-ABE scheme generates the same public parameters and ciphertext as [28] during the Setup and Encrypt steps, and the Decrypt step is also the same as [28]. However, the decryption key generated in the KeyGen step is slightly different from [28]. The D k,i = g λ k,i k2 g b 2 k r k,i F(GID) ω k,i , which has more F(GID) ω k,i than the decryption key in [28]. Here, ω k,i represents linear secret sharing for 0, and 0 is publicly known, so there is no unknown quantity about F(GID) ω k,i for the challenger. Therefore, the challenger can construct a semi-functional key similar to the structure in the security proof of [28]. Therefore, the MA-KP-ABE scheme is secure. Furthermore, we utilize the key blinding technique of [30], and the proof follows a similar approach as presented in [30]. Therefore, it is easy to see that the theorem holds.

2
, h b k , e(g , g ) α k } and SK k = {α k1 , α k2 , b k } are outputted. When receiving the updated PK k and SK k , AA k runs KeyGen.off(GP , PK k , A k C ) → D k.o f f and KeyGen.on(GP , D k,o f f , SK k ,Ã) → D GID,k . Before sending D GID,k to user GID, it is sent to W AA . The following operations are performed. 3 W AA .KeyGen.off(GP , PK k , k,i = g −r k,i . If ρ(i) = x i is non-negative, output D GID.k = (D (1) k,i ,D W DO .Encrypt.off(GP , PK k ) → IT. For ∀x i ∈ A u , the W DO computeŝ , k,i ). DU runs KeyGen.ran(D GID ) → (TK, RK), and sends TK to W DU . W DU performs the following operations: 7 W DU .TKUpdate(TK) → TK . W DU randomly selects δ ← Z p , computesD k,i ,D (4) k,i ,D (5) k,i }. TK is then sent to the CSP, while δ is retained.

Security Analysis
Theorem 2. The proposed OO-MA-KP-ABE-CRF is selective-set CPA-secure and contains reverse firewalls for GA, AAs, DO and DU, which maintains functionality, weakly preserves security, and weakly resists exfiltration if the basic structure of OO-MA-KP-ABE in Section 5.1 is selectiveset CPA-secure.
Proof. We prove the security through the following parts.
Functionality maintenance. Let the attribute set A u = A 1 u , · · ·, A K u . If A k u / ∈Ã k , terminate the process and output ⊥.
If ρ(i) = x , then we can get the decryptor can choose constants c i such that ∑ i c i M i = (1, 0, · · ·, 0). then Z k = ∏ s ·α k1 ·α k2 τσ = e(g , g ) s ·α k τσ . Finally, we can executeĈ (1)  Game 1. The only difference from Game 0 is that GP, SK, and PK are generated by the setup, independent of Global.Setup * , W GA .Global.Setup, AA.Setup * , and W AA .Setup. Game 2. The only difference from Game 1 is that in Phase 1 and Phase 2, the decryption key D GID is generated by KeyGen.off and KeyGen.on, independent of algorithms KeyGen.off * , KeyGen.on * , W AA .KeyGen.off, and W AA .KeyGen.on. Additionally, the conversion key TK is generated by KeyGen.ran, independent of KeyGen.ran * and W DU .TKUpdate. Game 3. Apart from the challenge phase, the rest is the same as Game 2. The challenge ciphertext CT b is generated by Encrypt.off and Encrypt.on, independent of Encrypt.off * , Encrypt.on * , W DO .Encrypt.off, and W DO .Encrypt.on. Note that Game 3 is the same as the security game of OO-MA-KP-ABE.
For any tampered Global.Setup * , because of a, c ← Z p , it can be known from key malleability that the GP generated by W GA .Global.Setup has the same uniform random distribution as the GP generated by Global.Setup in the basic construction. Similarly, due toα k1 ,α k2 ,b k ← Z p , for any tampered AA.Setup * , the (PK k , SK k )generated by W AA .Setup has the same uniform random distribution as (PK k , SK k ) generated by AA.Setup. So, we claim that Game 0 and Game 1 cannot be distinguished. Becauser ki ← Z p , the LSSS is re-randomizable and D GID and TK have key malleability, and Game 1 and Game 2 cannot be distinguished. For any tampered Encrypt.off * and Encrypt.on * , because ofŝ k,i ← Z p , it can be known that the ciphertext generated by W DO .Encrypt.off and W DO .Encrypt.on is uniformly random, which is consistent with the distribution of ciphertext generated by the basic scheme. Therefore, based on the fact that Game 2 and Game 3 cannot be distinguished, we can find that Game 0 and Game 3 cannot be distinguished. Furthermore, since the basic scheme is selective-set CPA-secure, it follows that the proposed OO-MA-KP-ABE-CRF is selective-set CPA-secure.
Weak security preservation and weak exfiltration resistance. The selective-set CPA security of the OO-MA-KP-ABE-CRF scheme indicates that CRFs for GA, AA, DO, and DU maintain weak security preservation. Additionally, the indistinguishability between Game 0 and Game 3 suggests that W GA , W AA , W DO and W DU can weakly resist data exfiltration attacks.
With this discussion, we have successfully completed the proof of the scheme.

Performance Evaluations
This section compares the proposed OO-MA-KP-ABE-CRF scheme with other ABE schemes from the perspectives of property comparison and performance analysis.

Property Comparison
We chose KP-ABE schemes [16,21,26] to compare their properties with the proposed schemes, as shown in Table 1. Although both the scheme presented in [16] and our proposed scheme are multi-authority, there is no central attribute authority to coordinate key distribution between attribute authorities in our scheme, which greatly reduces the time and cost associated with the setup phase. On the other hand, considering Edward Snowden's disclosure of backdoor attacks in known security schemes, the scheme presented in [16] and our proposed scheme adopt CRF to resist such attacks. To reduce the high computational overhead caused by the combination of MA-ABE and CRF, Refs. [16,21] and our scheme adopt online/offline technology to improve the efficiency of the scheme. However, only our scheme considers both MA-ABE, online/offline technology and CRF.  [16] × × × [21] × × × × [26] × × × × × Proposed

Performance Analysis
We compare [16,21,26], and our proposed scheme in terms of computational and storage costs. The comparison of the computational cost of system setup, user key generation, user encryption, and user decryption is shown in Table 2, and the comparison of the storage cost of public parameters, ciphertext, and user decryption key is shown in Table 3, where P represents the bilinear pairing operation, E represents the exponentiation operation on group G, and M represents the multiplication operation on group G. U represents the attribute universe, K denotes the number of attribute authorities, S indicates the number of attributes associated with the ciphertext, l represents the number of attributes involved in the access structure, and I represents the actual number of attributes used for decryption. |G| represents the elements in group G, and |G T | represents the elements in group G T .
In real-world applications, the computational cost of the offline phase can be preworked when the user is idle. Therefore, during testing, we only focus on the computational cost incurred during the online phase. Due to the integration of online/offline technology, it can be seen from Table 2 that our proposed scheme has lower computational costs in key generation and encryption compared to [16,26]. In addition, due to the adoption of outsourced decryption, our proposed scheme and [21] shift a large number of decryption calculations to cloud servers, thus having greater advantages in decryption compared to the schemes in [16,26]. Therefore, the proposed scheme may be applicable to lightweight devices such as mobile phones with limited computing resources. Based on the analysis from Table 3, our scheme has successfully reduced the storage overhead to a certain extent compared to [16]. However, there is still a noticeable gap compared to [21,26] due to the multi-authority aspect. Table 3. Comparison of storage costs.

Schemes
Public Parameters Ciphertext User Decryption Key [16] (U + 6)|G| + |G T | (4S + 1)|G| + |G T | 3l|G| [21] 7|G| (S + 1)|G| + |G T | 5l|G| [26] (U + 2)|G| + |G T | 4|G| + |G T | (2l + 1)|G| Proposed (5K + 2)|G| + K|G T | (K + 1)(S + 1)|G| + |G T | 3l|G| We implemented the OO-MA-KP-ABE-CRF scheme using the Python programming language in the Charm-Crypto cryptographic library. The algorithm was thoroughly evaluated on a computer running the Linux Ubuntu 18.04.6 operating system, equipped with a 2.30 GHz 12th Gen Intel(R) Core(TM) i7-12700H CPU and 32 GB RAM. During the experimental phase, we deployed an Ubuntu virtual machine on the Windows 11 operating system and introduced the PYPBC module to provide the underlying mathematical foundation for the algorithm. Additionally, we initialized the parameter values "SS512" and "type A" curve to generate a prime-order bilinear group G. It is worth noting that we categorized the computational operations involved in the algorithm's computational cost, including bilinear pairing operations, multiplication operations, and exponentiation operations performed on group elements. Furthermore, to ensure the feasibility and practicality of the algorithm, we repeated the experiments multiple times and recorded the time cost of bilinear pairing operations as 2.05 ms, the time cost of exponentiation operations on group G as 2.80 ms, and the time cost of multiplication operations on group G as 2.82 ms. We assume that the number of attribute universes U is 5 and the number of attribute institutions K is 1, because scheme [21,26] is a single-authority scheme, while [16] and our scheme are multi-authority.
We performed experimental simulations of the online user key generation, online user encryption and online user decryption of these schemes, as shown in Figure 2, to provide a comparison of computational costs. From Figure 2a,b, it can be seen that our OO-MA-KP-ABE-CRF scheme has certain advantages in user key generation and user encryption compared to [16,21], but it is higher than [26]. This is mainly because [26] is a single-authority KP-ABE scheme, and only one attribute organization is considered when generating keys and encrypting, while our scheme is multi-authority, so we need to consider the cost of key generation and encryption. Furthermore, compared to other schemes, Ref. [21] and our proposed scheme have been effectively optimized in decryption by employing outsourced decryption, as shown in Figure 2c.
We analyzed the storage costs of these schemes using ciphertexts and keys, as shown in Figure 3. Based on the analysis in Table 3, it can be seen that each scheme's ciphertext storage contains |G T |, so the impact of |G T | can be ignored when comparing the cost of ciphertext storage. From Figure 3a, it can be seen that our scheme and [16] have a higher cost of ciphertext storage compared to [21,26]. This is because the schemes in [21,26] are both single-authority, and our scheme and [16] are both multi-authority. Therefore, in ciphertext construction, multiple authorities need to be considered, resulting in higher ciphertext storage costs. However, compared to the scheme [16] with multiple authorities, our scheme outperforms [16] in terms of ciphertext storage costs. As shown in Figure 3b, it can be seen that our scheme has the same storage cost in terms of keys as [16], lower than [21], but higher than [26]. This is mainly due to the access structures. The access structure in this scheme and [16] is non-monotonic and has more flexible expressions than the monotonic access structures in [21,26].
In order to provide a more detailed description of the differences between our scheme and other schemes, we conducted a detailed comparison and analysis from the perspectives of energy consumption and communication cost. Based on [31], and Tables 2 and 3, we can calculate the energy consumption and communication cost. From Figure 4a, it can be seen that in the encryption, our scheme has a higher energy consumption compared to [21], mainly due to the presence of multiple authorities, and there is no need for any central authority to coordinate key distribution between various attribute authorities. Therefore, compared to other schemes, it will generate a certain amount of energy consumption. From Figure 4b, it can be seen that our scheme has the same energy consumption as [21] during the decryption phase and is at a lower level, because both [21] and our scheme adopt outsourced decryption.   In terms of communication cost, according to Figure 5, our scheme has a higher communication cost when sending ciphertext than [21,26], but better than [16]. This is because both our scheme and [16] are multi-authority, but those in [21,26] are singleauthority. Therefore, when sending ciphertext, our scheme consumes more than those in [21,26], but it consumes less compared to [16], both being multi-authority. In terms of receiving keys, our scheme is the same as [16], but it consumes more than [26]. This is because our scheme and [16] both support non-monotonic access structures, resulting in a larger scale of keys. Therefore, while achieving complex and diverse access structures, this also increases the cost of key communication.

Conclusions
To effectively ensure the security of students' physical ability data in a cloud-sharing environment, this paper proposes an OO-MA-KP-ABE-CRF scheme. Compared with other schemes, the proposed scheme has a non-monotonic access structure, multiple authorities, CRF, and online/offline capabilities. This not only enables the scheme to support more flexible access structures, but also effectively reduces the risk of single-authority failure, which may be caused by a large number of attributes, and resists backdoor attacks. In addition, we have integrated online/offline encryption, online/offline key generation, and outsourced decryption to reduce user storage and computing costs. Finally, we proved the security of the proposed scheme, and experimental analysis showed its effectiveness and feasibility.
In future work, we will further optimize the proposed scheme. In terms of security, we will consider the authentication requirement, as well as different attacks, such as MITM and replay attacks. In terms of efficiency, we will further optimize the efficiency of the scheme, through approaches such as optimizing the size of ciphertext, and consider the measurements for practical implementation.  shared secret A u a set of attributes GID the user's global identifier W cryptographic reverse firewall K the number of AAs A k C a set of attributes in k-th AA (PK k , SK k ) the public/secret key pair for k-th AA D GID the user's decryption key m plaintext CT ciphertext TK conversion key RK retrieval key