Revocable Attribute-Based Encryption with Efficient and Secure Verification in Smart Health Systems

Abstract

By leveraging Internet of Things (IoT) technology, patients can utilize medical devices to upload their collected personal health records (PHRs) to the cloud for analytical processing or transmission to doctors, which embodies smart health systems and greatly enhances the efficiency and accessibility of healthcare management. However, the highly sensitive nature of PHRs necessitates efficient and secure transmission mechanisms. Revocable and verifiable attribute-based encryption (ABE) enables dynamic fine-grained access control and can verify the integrity of outsourced computation results via a verification tag. However, most existing schemes have two vital issues. First, in order to achieve the verifiable function, they need to execute the secret sharing operation twice during the encryption process, which significantly increases the computational overhead. Second, during the revocation operation, the verification tag is not updated simultaneously, so revoked users can infer plaintext through the unchanged tag. To address these challenges, we propose a revocable ABE scheme with efficient and secure verification, which not only reduces local computational load by optimizing the encryption algorithm and outsourcing complex operations to the cloud server, but also updates the tag when revocation operation occurs. We present a rigorous security analysis of our proposed scheme, and show that the verification tag retains its verifiability even after being dynamically updated. Experimental results demonstrate that local encryption and decryption costs are stable and low, which fully meets the real-time and security requirements of smart health systems.

1. Introduction

The rapid development of the Internet of Things (IoT) and cloud computing has significantly enhanced healthcare management [1,2,3]. On the one hand, IoT devices, such as smartwatches, enable real-time health data capture and analysis, which assists in disease prevention. On the other hand, patients upload their personal health records (PHRs) to the cloud, which enable doctors to accurately assess patients’ health status and deliver precise remote treatments. Such integration ensures precision and accessibility in modern medical care.

The sensitive nature of PHRs demands rigorous access control. Attribute-based encryption (ABE) provides a cryptographic solution that regulates data accessibility based on the attributes of recipients. For instance, after measuring blood glucose levels with a home blood glucose meter, a diabetic patient can execute ABE to encrypt the data with an access policy $\mathcal{T}$ = (“endocrinologist” ∨ “cardiologist”), which ensures that only endocrinologists or cardiologists can access the data. Specifically, endocrinologists analyze the glucose data to evaluate the patient’s diabetes control status, while cardiologists use the data to assess the patient’s cardiovascular risks. However, in real-world scenarios, access control for PHRs must dynamically adapt to the progression of a patient’s condition rather than remaining static. Consider a situation where the patient’s condition deteriorates during subsequent blood sugar tests. To ensure professional analysis and precise treatment, the system must revoke access privileges for non-specialists and update the policy from $\mathcal{T}$ to ${\mathcal{T}}^{\prime }$ = (“endocrinologist” ∨ “cardiologist”) ∧ “certified specialist”. This demonstrates the critical need for revocable attribute-based encryption (RABE) schemes capable of efficiently implementing policy updates.

Considering the limited computational resources of IoT medical devices, it is essential to reduce local processing overhead to ensure rapid information transmission [4]. While most ABE schemes outsource complex computations to cloud servers, this approach introduces security risks where malicious servers might leak private data or tamper with results [5,6]. To mitigate these risks, strict control over outsourced data is critical. Cloud servers must be prevented from obtaining plaintext information or valid decryption keys from outsourced data, and the integrity of their computational outputs must be rigorously verified. Ge et al. [7] proposed a RABE solution, which uses a verification tag computed from the private message m and an auxiliary random element $m^{\prime }$. This tag enables decryptors to verify the integrity of outsourced results. Although this approach achieves verifiability, it doubles the computational workload by encrypting both m and $m^{\prime }$ using identical algorithms. Furthermore, during revocation, it is imperative that all components within the original ciphertext be refreshed to prevent revoked users from extracting useful information by exploiting unmodified components. However, existing schemes fail to update the tag during revocation. Since the tag remains bound to the private message m, revoked users could infer plaintext by correlating different ciphertext versions via the unchanged tag. Therefore, how to enable the cloud server to update the verification tag during revocation without accessing the plaintext and ensure the new tag can still effectively validate data integrity remains a critical unsolved challenge.

1.1. Motivations and Contributions

As discussed above, due to the need for two secret sharing operations during encryption and the failure to update the verification tag upon revocation, most of existing schemes suffer from inefficient computation and insufficient security when ensuring data integrity. In order to provide an efficient and secure access control solution for smart health scenarios, we propose a novel RABE scheme that achieves efficient data verification, and strict ciphertext update. The contributions of this work are summarized as follows:

• First, to achieve integrity verification, we introduce an auxiliary random message $m^{\prime }$. Through ingenious computations, we ensure that the entire encryption process only requires executing the secret sharing operation once, which reduces computational overhead on IoT medical devices and makes the verification mechanism more efficient. Furthermore, in the access structure, we utilize the linear integer secret sharing (LISS) that operates over integers and achieves lower secret sharing overhead, which we experimentally demonstrate in Appendix A.
• Second, during the revocation process, both the verification tag and the access policy are updated, which ensures that ciphertexts are fully updated and prevents revoked users from accessing any useful information from previous ciphertexts.
• Third, the decryption key is split into a user’s key and a corresponding cloud server’s key, which allows partial decryption task to be outsourced to the cloud server. In addition, by outsourcing revocation and partial encryption procedures to the cloud server, we minimize the local computational load on IoT medical devices.

1.2. Related Work

Attribute-Based Encryption. As a significant cryptographic primitive, ABE was initially proposed by Sahai and Waters [8]. ABE can be broadly categorized into two primary forms: Key-Policy Attribute-Based Encryption (KP-ABE) and Ciphertext-Policy Attribute-Based Encryption (CP-ABE). In KP-ABE, access policies are embedded in users’ keys, while ciphertexts are associated with sets of attributes. Decryption is only possible if the attributes in the ciphertext satisfy the access policy defined in the user’s key. This makes KP-ABE particularly useful in scenarios where an authority controls user access, such as pay-TV systems [9]. Conversely, in CP-ABE, users’ keys are linked to attribute sets, and ciphertexts are tied to access policies. The ability of CP-ABE to allow data owners to autonomously define access policies makes it highly advantageous for cloud data sharing [10]. So far, many research studies have focused on optimizing ABE performance, with emphasis on enhancing security [11,12,13,14] and improving efficiency [15,16,17,18,19,20,21]. Meanwhile, Wan et al. [22] extended ABE with a hierarchical user structure. Their scheme not only enhances scalability but also retains the flexibility and fine-grained access control capabilities of ABE. Chase et al. [23] extended ABE to a multi-authority model, where multiple authorities can issue user attributes. In their subsequent work [24], they enhanced the model’s resilience against pooling attack among multiple authorities, which improved both security and privacy. Most ABE schemes employ access structures based on linear secret sharing schemes (LSSSs), where secret sharing is computed over finite fields. In 2006, Damgard and Thorbek first proposed LISSs [25], in which secret sharing is computed over integers, so the overhead of secret sharing is lowered. Devevey et al. [26] established that LISS possesses small linear reconstruction coefficients, which enables the multiplication of decryption shares without significantly amplifying underlying noise terms. Balu et al. [21] designed a CP-ABE scheme implemented based on LISSs, through which their scheme enables an effective expression of the access policy and efficient sharing of the secret exponent. Zhao et al. [27] proposed a decentralized attribute-based access control scheme with fine-grained policy enforcement, where linear integer secret sharing (LISS) enables secure symmetric key distribution across multiple attributes while maintaining cryptographic security guarantees.

Revocable. When users exit the system or their attributes change, their access permissions to the data must be updated. Therefore, the revocation mechanism is particularly important [28]. Traditional revocation methods include indirect revocation and direct revocation [29]. Indirect revocation typically involves periodically distributing updated keys to all non-revoked users. If users do not receive the updated keys, this indicates that they have been revoked, as seen in schemes [30,31,32]. However, this method has two significant drawbacks. First, updating keys is time-consuming. Second, since keys are updated periodically, real-time revocation cannot be achieved. Direct revocation methods embed a real-time updated revocation list into the ciphertext, which enables real-time revocation, as seen in schemes [33,34,35]. However, a significant drawback of this approach is that the revocation list continues to expand over time. This growth leads to significant storage overhead and may eventually become an efficiency bottleneck for the scheme. Liu et al. [36] introduced a revocable CP-ABE scheme, which integrates both direct and indirect revocation approaches. This scheme achieves both real-time revocation and effective control over the length of the revocation list. However, this approach is unable to handle ciphertext update. When the data’s access policy changes, a revocation operation must be performed. In CP-ABE, revocation caused by such a reason can be implemented by updating the access policy embedded in the ciphertext. Jiang et al. [37] designed a revocable CP-ABE scheme, which can support the AND gate on attributes. On the other hand, Ge et al. [7] proposed a new revocable CP-ABE approach. By representing access policy updates as transformations in a matrix structure, the scheme makes it easier for readers to understand the principles of access policy updates and enhances the scheme’s scalability. Subsequently, Chen et al. [38] utilized the same method to implement revocation and further achieved constant decryption overhead while attaining full security.

Verifiable. Owing to the limited local computational resources of IoT medical devices, complex operations need to be outsourced to cloud servers. However, since cloud servers may be malicious, a verification mechanism is indispensable. In the approaches designed by Ge et al. [7] and Chen et al. [38], a verification tag is introduced. This tag is generated from the private message m and an auxiliary random message $m^{\prime }$, both of which are encrypted with the same method. After decryption, the decryptor reconstructs the verification tag and compares it with the tag embedded in the ciphertext to verify integrity. However, this method has two flaws. First, the addition of $m^{\prime }$ doubles the computational overhead. Second, when the ciphertext is updated during revocation, the verification tag is not updated. If revoked users compare the verification tags from the previous ciphertexts with the tag in the updated ciphertext, they can infer the plaintext in the updated ciphertext. Huang et al. [39] introduced a solution to reduce computational overhead. Specifically, a symmetric key encrypts the private message m, and the key itself is embedded as plaintext in ABE encryption. The verification tag is derived from the symmetric key and m. Although this scheme imposes almost no additional computational overhead in implementing the verification mechanism, it still has drawbacks. During revocation, only the ABE ciphertext is updated, whereas the symmetric key and the ciphertext of m encrypted with this key remain unchanged. As a result, revoked users can still know that their previously accessed message remains valid. Additionally, this scheme also suffers from the issue of the verification tag not being updated. Miao et al. [40] developed a verifiable ABE framework that offloads partial encryption and decryption tasks to the cloud server. To guarantee correctness, distinct validation methods are specifically designed for outsourced encryption and decryption processes. Nevertheless, their approach lacks revocation support.

2. Preliminaries

2.1. Bilinear Mapping

Let $\mathbb{G}$ and ${\mathbb{G}}_T$ denote cyclic groups of prime order p, with g as a generator of $\mathbb{G}$. A function $\widehat{e}:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$ is defined as a bilinear pairing if it satisfies the following properties:

• For all $g_1,g_2\in \mathbb{G}$ and $a,b\in {\mathbb{Z}}_p^{*}$, the equality $\widehat{e}(g_1^a,g_2^b)=\widehat{e}{(g_1,g_2)}^{ab}$ holds.
• There exists $g_1,g_2\in \mathbb{G}$ such that $\widehat{e}(g_1,g_2)\ne 1_{{\mathbb{G}}_T}$, where $1_{{\mathbb{G}}_T}$ denotes the identity element in ${\mathbb{G}}_T$.
• The value $\widehat{e}(g_1,g_2)$ can be efficiently computed for any $g_1,g_2\in \mathbb{G}$ in polynomial time.

2.2. Target Collision-Resistant Hash Function

A hash function H is termed target collision-resistant (TCR) if no probabilistic polynomial-time (PPT) adversary can generate a collision for a randomly chosen input. Specifically, given a uniformly sampled element $x\in D$, where D denotes the domain of H, any efficient adversary $\mathcal{A}$ succeeds in finding a distinct $y\in D$ (i.e., $y\ne x$) such that $H\left(y\right)=H\left(x\right)$ only with negligible probability.

Formally, for all PPT adversaries $\mathcal{A}$, the following advantage is negligible in $\lambda$:

$$Ad{v}_{\mathcal{A}}^{\mathsf{TCR}}=Pr\left[y\ne x\wedge H\left(y\right)=H\left(x\right)|x,y\in D\right].$$

2.3. Complex Assumptions

Definition 1 (q-parallel BDHE assumption). 

Let $\mathbb{G}$ and ${\mathbb{G}}_T$ denote cyclic groups of prime order p, with g as a generator of $\mathbb{G}$. Random elements $a,r,b_1,\dots ,b_q\in {\mathbb{Z}}_p^{*}$ are selected. Given the following challenge instance:

$$∆=\left\{\begin{array}{c}g,g^r,g^a,\dots ,g^{a^q},g^{a^{q+2}},\dots ,g^{a^{2q}},\hfill \\ {\forall }_{1\le j\le q}{g}^{r·b_j},g^{a/b_j},\dots ,g^{a^q/b_j},g^{a^{q+2}/b_j},\hfill \\ {\forall }_{1\le j,k\le q,k\ne j}{g}^{a·r·b_k/b_j},\dots ,g^{a^q·r·b_k/b_j}\hfill \end{array}\right.$$

(1) 

the adversary $\mathcal{A}$ must distinguish $\widehat{e}{(g,g)}^{a^{q+1}r}$ from a random element $T\in {\mathbb{G}}_T$. The q-parallel BDHE assumption asserts that for any PPT adversary $\mathcal{A}$, the advantage

$$Ad{v}_{\mathcal{A}}=\left|Pr\left[\mathcal{A}(∆,e{(g,g)}^{a^{q+1}r})=1\right]-Pr\left[\mathcal{A}(∆,T)=1\right]\right|$$

is negligible in λ.

Definition 2 (Discrete Logarithm (DL) Assumption). 

Given a tuple $(\widehat{e},\mathbb{G},{\mathbb{G}}_T,p,g,g^{\delta })$, where $(\widehat{e},\mathbb{G},{\mathbb{G}}_T,p,g)$ defines a bilinear pairing, $g\in \mathbb{G}$, and $\delta \in {\mathbb{Z}}_p^{*}$, the DL assumption indicates that no PPT adversary $\mathcal{A}$ can compute δ with non-negligible advantage. Formally, the advantage of $\mathcal{A}$, $Pr[\mathcal{A}(\widehat{e},\mathbb{G},{\mathbb{G}}_T,p,g,g^{\delta })=\delta ]$, is negligible in λ.

2.4. Linear Integer Secret Sharing (LISS)

In the LISS scheme [25], a secret integer is chosen from a public interval. Shares are generated as linear combinations of the secret value and random integers selected by the dealer. The secret can be reconstructed by computing an integer linear combination of shares from any authorized set.

Let $P=\{1,\dots ,n\}$ represent n shareholders, D the dealer, $\Gamma$ the access structure on P, and s the secret selected from the public interval $[0,2^l]$. The dealer D distributes s to participants in P according to $\Gamma$. Any authorized set $A\in \Gamma$ can recover s, while unauthorized sets $A\notin \Gamma$ cannot. To implement this, D constructs the following LISS scheme:

First, D generates a $d\times e$ distribution matrix $M\in {\mathbb{Z}}^{d\times e}$ and a distribution vector $\overrightarrow{\rho }={(s,{\rho }_2,\dots ,{\rho }_e)}^T$, where each ${\rho }_i$ is uniformly and randomly chosen from $[0,2^{l_0+k}]$. Here, $l_0$ is a predefined constant and k is the security parameter. D computes the shares as

$$M·\overrightarrow{\rho }={(s_1,\dots ,s_d)}^T,$$

where $s_i$ is the i-th share. A surjective function $\psi :\{1,\dots ,d\}\to P$ assigns $s_i$ to shareholder $\psi \left(i\right)$, who holds the i-th row of M.

Definition 3.

The LISS scheme is correct if, for any authorized set $A\in \Gamma$, there exists a set of coefficients $\left\{{\lambda }_i\right\}$ such that $s={\sum }_{i\in A}{\lambda }_i{s}_i$, then the LISS is correct.

Definition 4.

The LISS is private if, for any unauthorized set $A\notin \Gamma$ and any two secrets $s,s^{\prime }$, the distribution of shares generated from s is statistically indistinguishable from the distribution generated from $s^{\prime }$.

2.5. Integer Span Program (ISP)

Let $M\in {\mathbb{Z}}^{d\times e}$ be a $d\times e$ integer matrix, $\psi :\{1,\dots ,d\}\to P$ be a surjective function, and $\overrightarrow{ϵ}={(1,0,\dots ,0)}^T\in {\mathbb{Z}}^d$ be the target vector. The function $\psi$ maps rows of M to participants p, and each participant may hold multiple rows.

Definition 5 (Integer Span Program). 

For any set $A\subset P$, the quadruple $\mathfrak{M}=(\mathbb{Z},M,\psi ,ϵ)$ is an Integer Span Program (ISP) under the access structure if the following condition holds:

• If $A\in \Gamma$, there exists a vector ${\overrightarrow{\lambda }}_A={({\lambda }_1,\dots ,{\lambda }_d)}^T\in {\mathbb{Z}}^d$ such that $M_A^T·{\overrightarrow{\lambda }}_A=\overrightarrow{ϵ}$, where ${\overrightarrow{\lambda }}_A$ is called the spanning vector of A.
• If $A\notin \Gamma$, there exists a vector ${\overrightarrow{k}}_A={(k_1,\dots ,k_e)}^T\in {\mathbb{Z}}^e$ such that $M_A·{\overrightarrow{k}}_A=0$, where $k_i=1$, and $k_i$ is defined as the elimination vector of A.

If we have an ISP $\mathfrak{M}=(\mathbb{Z},M,\psi ,ϵ)$, which computes $\Gamma$, we build an LISS scheme for $\Gamma$ as follows: we use M as the distribution matrix and $l_0=l+\lceil {log}_2\left(k_{max}(e-1)\right)\rceil +1$, where l is the length of the secret and $k_{max}=max\left\{\right|a|\mid a$ is an entry in some sweeping vector}.

According to Definition 5, for an authorized set A, the secret s can be reconstructed using

$$s_A^T·\overrightarrow{{\lambda }_A}={(M_A·\overrightarrow{p})}^T·{\overrightarrow{\lambda }}_A={\overrightarrow{\rho }}^T·(M_A^T·{\overrightarrow{\lambda }}_A)={\overrightarrow{\rho }}^T·\overrightarrow{ϵ}=s.$$

3. System Architecture and Definitions

3.1. System Architecture

As illustrated in Figure 1, our proposed scheme comprises four entities:

• Key Generation Center (KGC): In smart health systems, the KGC generates and distributes keys for all participants, including IoT medical devices, cloud servers, and doctors.
• Cloud Server (CS): The CS is tasked with storing ciphertexts and assisting in complex revocation operations and partial encryption/decryption operations.
• Data Owner (DO): DOs are IoT medical devices that collect PHRs, perform local encryption operations, and upload ciphertexts to the CS. Additionally, when the access policy of the data changes, the DO sends a revocation delegation to the CS.
• Data User (DU): Doctors act as DUs. They submit decryption requests to the CS based on their attributes, decrypt intermediate ciphertexts from the CS using their private keys and perform the treatment procedures according to the data content.

3.2. Threat Model

We consider the following adversarial threats in our system:

• Confidentiality Adversary: This category represents any malicious entity that aims to compromise data confidentiality. Without valid decryption keys, this adversary attempts to decrypt ciphertexts and access sensitive messages.
• Integrity Adversary: This adversary is typically a semi-honest cloud server that aims to violate data integrity by generating incorrect computational results during outsourced operations.

3.3. Scheme Definition

Definition 6.

Our scheme comprises the following algorithms and Figure 2 illustrates the complete interaction process between the four participating entities, including the KGC, DO, DU and CS, during the execution of these algorithms. Note that, for simplicity, we have removed the system parameters $pp$ from the algorithm’s input.

(1) 

$Setup(\lambda ,U)$: Inputting the security parameter λ and attribute universe U, the KGC generates public parameters $pp$ and master secret key $msk$.

(2) 

$KeyGen(msk,S_u)$: Given the master secret key $msk$ and a user’s attribute set $S_u$, the KGC produces the user’s private key $s{k}_u$ and the corresponding CS’s private key $s{k}_{CS,u}$. These keys are distributed to the user and cloud server, respectively.

(3) 

$Enc(m,(M,\tau \left)\right)$: This algorithm contains two steps. First, the DO performs local encryption ($En{c}_{DO}$) by processing message $m\in {\mathbb{G}}_T$ with access policy $(M,\tau )$ to create initial ciphertext $C{T}_{init}$. The CS then executes outsourced encryption ($En{c}_{CS}$) to generate final ciphertext $CT$.

(4) 

$Delegate((\tilde{M},\tilde{\tau }),m,z,r)$: This takes as input the access policy $(\tilde{M},\tilde{\tau })$ to be revoked. The DO generates a revocation delegation $DG$ using the message m and parameters $z,r$ from $En{c}_{DO}$, and sends $DG$ to the CS.

(5) 

$Revoke(CT,DG)$: Given the initial $CT$ and revocation delegation $DG$, the CS constructs the revoked access policy $(M^{\prime },{\tau }^{\prime })$ and outputs the revoked ciphertext $C{T}^{\prime }$ based on this policy.

(6) 

$Dec(C{T}^{\prime },S_{DU},s{k}_{CS,DU},s{k}_{DU},ta{g}_{DG})$: The decryption process comprises two sequential phases. First, the cloud server performs partial decryption ($De{c}_{CS}$) by verifying if the attribute set $S_{DU}$ satisfies $(M^{\prime },{\tau }^{\prime })$ using inputs $C{T}^{\prime }$, $s{k}_{CS,DU}$, and $S_{DU}$. If the verification succeeds, it generates the partial decryption result $C{T}_{part}$ and sends it to the DU. The DU then executes final decryption ($De{c}_{DU}$) with $C{T}_{part}$, $s{k}_{DU}$, and $ta{g}_{DG}$, verifying the equivalence between the tag in $C{T}_{part}$ and $DG$. If the tags match, the user computes m and validates $ta{g}^{\prime }={\Phi }^{H\left(m\right)}{\Psi }^{H\left(m^{\prime }\right)}$. If valid, output m; otherwise, ⊥ is returned.

3.4. Security Definitions

The security of our scheme requires selective security and data integrity.

Definition 7 (Semantic Security). 

The proposed scheme satisfies semantic security in the selective model under the condition that, for any PPT adversary $\mathcal{A}$, its advantage $Ad{v}_{\mathcal{A}}^{Semantic}\left(\lambda \right)$ is negligible. The security game proceeds as follows:

(1) 

Init. The adversary $\mathcal{A}$ submits a challenge access policy $(M_{d^{*}\times e}^{*},{\tau }^{*})$, where $d^{*},e^{*}\le q$.

(2) 

Setup. The challenger $\mathcal{C}$ executes the $Setup$ algorithm to produce $pp$ as public parameters and $msk$ as the master secret key, then sends $pp$ to $\mathcal{A}$.

(3) 

Phase I. $\mathcal{A}$ adaptively issues private key queries for attribute sets $S_u$ that do not satisfy $(M^{*},{\tau }^{*})$. $\mathcal{C}$ generates and returns the corresponding private keys.

(4) 

Challenge. $\mathcal{A}$ provides two messages $m_0,m_1$ of equal length. $\mathcal{C}$ randomly selects $b\in \{0,1\}$, encrypts $m_b$ under $(M^{*},{\tau }^{*})$ to generate the challenge ciphertext $C{T}^{*}$, and delivers $C{T}^{*}$ to $\mathcal{A}$.

(5) 

Phase II. $\mathcal{A}$ proceeds to issue key queries under the same restrictions as in Phase I.

(6) 

Guess. $\mathcal{A}$ outputs $b^{\prime }\in \{0,1\}$. The advantage of the adversary $\mathcal{A}$ is quantified as

$$Ad{v}_{\mathcal{A}}^{IND\text{-}CPA}\left(\lambda \right)=\left|Pr[b^{\prime }=b]-{\displaystyle \frac{1}{2}}\right|.$$

Definition 8 (Integrity). 

The proposed scheme satisfies data integrity provided that, for any PPT adversary $\mathcal{A}$, the advantage $Ad{v}_{\mathcal{A}}^{DI}\left(\lambda \right)$ is negligible. The security game proceeds as follows:

(1) 

Setup: The challenger $\mathcal{C}$ performs the $Setup$ algorithm to create the public parameters $pp$ and the master secret key $msk$, then sends $pp$ to $\mathcal{A}$.

(2) 

Phase I: $\mathcal{A}$ adaptively issues private key queries for any attribute set $S_u$. $\mathcal{C}$ generates and returns the corresponding private keys.

(3) 

Challenge: $\mathcal{A}$ selects an access policy $(M,\tau )$ and a message m. $\mathcal{C}$ generates an initial ciphertext $C{T}_{init}$ and returns it. In revocation scenarios, $\mathcal{C}$ additionally generates and sends a revocation delegation $DG$.

(4) 

Phase II: $\mathcal{A}$ proceeds to issue queries as in Phase I.

(5) 

Output: $\mathcal{A}$ outputs a partial decryption result $C{T}_{part}$ and corresponding verification tags $tag$ or $ta{g}^{\prime }$. The adversary wins if either of the following apply:

Case 1 (no revocation). 

$tag=tag$ but the decrypted message $m\ne m$;

Case 2 (with revocation). 

$ta{g}^{\prime }=tag$ but the decrypted message $m\ne m$.

The advantage of the adversary $\mathcal{A}$ is defined as

$$Ad{v}_{\mathcal{A}}^{DI}\left(\lambda \right)=Pr\left[\mathcal{A}\mathrm{wins}\right].$$

4. Construction

(1)

$Setup(\lambda ,S)$: The algorithm generates a bilinear pairing tuple $\mathbb{BG}=(\widehat{e},\mathbb{G},{\mathbb{G}}_T,g,p)$ and selects random elements $f_1,f_2,\dots ,f_{\left|U\right|},\Phi ,\Psi \in \mathbb{G},a,\alpha ,{\alpha }_1,{\alpha }_2\in {\mathbb{Z}}_p^{*}$, where $\alpha ={\alpha }_1+{\alpha }_2$ along with a hash function $H:{\mathbb{G}}_T\to {\mathbb{Z}}_p^{*}$. Then, KGC computes $v=\widehat{e}{(g,g)}^{\alpha }$ and outputs the public parameters $pp$ as well as the master secret key $msk$ as follows:

$$\begin{array}{cc}\hfill pp& =(\mathbb{BG},\Phi ,\Psi ,v,g^a,H,{\left\{f_x\right\}}_{x\in U}),\hfill \\ \hfill msk& =(\alpha ,{\alpha }_1,{\alpha }_2).\hfill \end{array}$$

(2)

$KeyGen(msk,S_u)$: When a user u registers with the system, KGC picks a random element $s\in {\mathbb{Z}}_p^{*}$ and calculates

$$\begin{array}{c}K=g^{{\alpha }_1}{g}^{as},K_0=g^s,K_x=f_x^s,\\ s{k}_u=g^{{\alpha }_2}{g}^{as}.\end{array}$$

Then, KGC transmits $s{k}_{CS,u}=(K,K_0,{\left\{K_x\right\}}_{x\in S_u})$ to the CS and sends $s{k}_u$ to the user u.

(3)

$Enc(m,(M,\tau \left)\right)$: The encryption algorithm is structured in two steps, as detailed in Algorithm 1. Initially, the DO performs the core initial encryption $En{c}_{DO}$ to convert the message m into an initial ciphertext $C{T}_{init}$. Subsequently, the CS executes computationally intensive operations to expand $C{T}_{init}$ into the final ciphertext $CT$. Notably, the entire encryption process requires only a single secret sharing operation, which reduces the computational overhead. The sub-algorithms are detailed below:

(i)

$En{c}_{DO}(m,(M,\tau ))$: Given a private message $m\in {\mathbb{G}}_T$ and an access policy $(M,\tau )$, where M is a $d\times e$ matrix, the DO randomly selects $r\in [0,2^l]$ and $y_j\in [0,2^{l_0+k}]$ for $j\in [2,e]$ to construct a vector $\overrightarrow{u}=(r,y_2,\dots ,y_e)$. Here, k is the security parameter and $l_0$ is a predefined constant. The DO then computes ${\lambda }_i=\overrightarrow{u}·M_i$ for all $i\in [1,d]$, where $M_i$ denotes the i-th row of M. Subsequently, DO randomly selects $m^{\prime }\in {\mathbb{G}}_T,z\in {\mathbb{Z}}_p^{*}$ and calculates

$$\begin{array}{c}{C}_0=m·v^r,C_1=g^r,\\ D_0=m^{\prime }·v^{z+r},D_1=g^{z+r},\\ D_2=g^{az},tag={\Phi }^{H\left(m\right)}{\Psi }^{H\left(m^{\prime }\right)}.\end{array}$$

(2)

Finally, the DO transmits the initial ciphertexts $C{T}_{init}=((M,\tau ),C_0,C_1,D_0,D_1$, $D_2,tag,{\left\{{\lambda }_i\right\}}_{i=1}^d)$ to the CS.  

(ii)

$En{c}_{CS}\left(C{T}_{init}\right)$: Upon receiving $C{T}_{init}$, CS randomly chooses $r_i\in {\mathbb{Z}}_p^{*}$ for all $i\in [1,d]$ and computes:

$$\begin{array}{c}{C}_{2,i}=g^{a{\lambda }_i}{f}_{\tau \left(i\right)}^{-r_i},C_{3,i}=g^{r_i},i\in [1,d].\end{array}$$

(3) 

Then, CS stores the final ciphertext $CT=((M,\tau ),C_0,C_1,{\{C_{2,i},C_{3,i}\}}_{i=1}^d,D_0,D_1$, $D_2,tag)$

(4)

$Delegate((\tilde{M},\tilde{\tau }),m,z,r)$: When the access policy is updated, to prevent the verification tag from leaking any information about the message m, the DO updates the verification tag and issues a revocation delegation to the CS. Specifically, DO randomly selects $m^{″}\in {\mathbb{G}}_T$ and computes

$$\begin{array}{c}{\overline{D}}_0=m^{\prime \prime }·v^{z+r},ta{g}^{\prime }={\Phi }^{H\left(m\right)}{\Psi }^{H\left(m^{″}\right)},\end{array}$$

then sends $DG=((\tilde{M},\tilde{\tau }),{\overline{D}}_0,ta{g}^{\prime })$ to the CS.

Algorithm 1: Encryption Algorithm ($Enc$)

(5)

$Revoke(CT,DG)$: The revocation process is described in Algorithm 2. On receiving the delegation $DG$, CS first defines the revoked access policy $(M^{\prime },{\tau }^{\prime })$ as follows:

$$M^{\prime }=\left(\begin{array}{ccc}M& \overline{)-co{l}_1}& 0\\ 0& \multicolumn{2}{c}{\tilde{M}\phantom{\tilde{M}}}\end{array}\right),{\tau }^{\prime }\left(i\right)=\left\{\begin{array}{cc}\tau \left(i\right)\hfill & i\le d\hfill \\ \tilde{\tau }(i-d)\hfill & i>d\hfill \end{array}\right..$$

(4) 

Note that $co{l}_1$ refers to the first column of M, and $\tilde{M}$ is a $d^{\prime }\times e^{\prime }$ matrix, where $d^{\prime }=d+\tilde{d},e^{\prime }=e+\tilde{e}$. For each $i\in [d+1,d^{\prime }]$, the CS sets

$$\begin{array}{c}{C}_{3,i}=1_{\mathbb{G}},C_{4,i}=1_{\mathbb{G}}.\end{array}$$

Next, the CS selects a vector ${\overrightarrow{u}}^{\prime }=(r^{\prime },y_2^{\prime },\dots ,y_{e^{\prime }}^{\prime })$, where $r^{\prime }\in [0,2^l]$ and $y_j^{\prime }\in [0,2^{l_0+k}]$ for $j\in [2,e^{\prime }]$, computes ${\lambda }_i^{\prime }={\overrightarrow{u}}^{\prime }·M_i^{\prime }$ for all $i\in [1,d^{\prime }]$, and randomly chooses $z^{\prime },r_i^{\prime }\in {\mathbb{Z}}_p^{*}$ ($i\in [1,d^{\prime }]$). The CS then calculates

$$\begin{array}{c}{C}_0^{\prime }=C_0·v^{r^{\prime }},C_1^{\prime }=C_1·g^{r^{\prime }},\\ C_{2,i}^{\prime }=C_{2,i}·g^{a{\lambda }_i^{\prime }}{f}_{{\tau }^{\prime }\left(i\right)}^{-r_i^{\prime }},C_{3,i}^{\prime }=C_{3,i}·g^{r_i^{\prime }},i\in [1,d^{\prime }],\\ D_0^{\prime }={\overline{D}}_0·v^{z^{\prime }+r^{\prime }},D_1^{\prime }=D_1·g^{z^{\prime }+r^{\prime }},D_2^{\prime }=D_2·g^{a{z}^{\prime }}.\end{array}$$

(5) 

Finally, the CS outputs the revoked ciphertext: $C{T}^{\prime }=((M^{\prime },{\tau }^{\prime }),C_0^{\prime },C_1^{\prime },{\{C_{2,i}^{\prime },C_{3,i}^{\prime }\}}_{i=1}^{d^{\prime }}$, $D_0^{\prime },D_1^{\prime },D_2^{\prime },ta{g}^{\prime })$.

Algorithm 2: Revoke Algorithm ($Revoke$)

(6)

$Dec(C{T}^{\prime },S_{DU},s{k}_{CS,DU},s{k}_{DU},ta{g}_{DG})$: The decryption algorithm involves two phases, as outlined in Algorithm 3. Firstly, the DU submits a decryption request to the CS. Upon confirming that the DU is authorized for data decryption, the CS executes the partial decryption algorithm $De{c}_{CS}$ with $s{k}_{CS,DU}$ to generate $C{T}_{part}$ and forwards it to the DU. Secondly, the DU decrypts $C{T}_{part}$ with $s{k}_{DU}$ and checks the message validity via the tag. The sub-algorithms are defined as follows:

(i)

$De{c}_{CS}(C{T}^{\prime },s{k}_{CS,DU},S_{DU})$: Given a ciphertext $C{T}^{\prime }$ and a user’s attribute set $S_{DU}$, the CS first verifies if $S_{DU}$ satisfies $(M^{\prime },{\tau }^{\prime })$. If not, the process terminates and outputs ⊥. Otherwise, the CS defines $A^{\prime }=\{i\mid {\tau }^{\prime }\left(i\right)\in S_{DU}\}\subset \{1,\dots ,d^{\prime }\}$ and finds constant elements ${\eta }_i^{\prime }\in {\mathbb{Z}}_p^{*}$ such that ${\sum }_{i\in A^{\prime }}{\eta }_i^{\prime }·M_i^{\prime }=(1,0,\dots ,0)$. Then, the CS computes

$$\begin{array}{c}{W}^2=\prod _{i\in A^{\prime }}{(\widehat{e}(K_0,C_{2,i}^{\prime })·\widehat{e}(K_{{\tau }^{\prime }\left(i\right)},C_{3,i}^{\prime }))}^{2{\eta }_i^{\prime }},\\ C_{DU}=C_0^{\prime }/{\displaystyle \frac{\widehat{e}(C_1^{\prime },K)}{W^2}},D_{DU}=D_0^{\prime }/{\displaystyle \frac{\widehat{e}(D_1^{\prime },K)}{\widehat{e}{(D_2^{\prime },K_0)}^2·W^2}}.\end{array}$$

(6)

The CS sends the partially decrypted ciphertext $C{T}_{part}=(C_1^{\prime },C_{DU},D_1^{\prime },D_{DU}$, $ta{g}^{\prime })$ to the DU.

(ii)

$De{c}_{DU}(C{T}_{part},s{k}_{DU},ta{g}_{DG})$: Taking as input an intermediate ciphertext $C{T}_{part}$ and the verification tag $ta{g}_{DG}$ from $DG$, the DU first verifies whether the verification tag in $C{T}_{part}$ is equal to $ta{g}_{init}$. If not, the algorithm outputs ⊥ and aborts. Otherwise, it computes

$$\begin{array}{c}m={\displaystyle \frac{C_{DU}}{\widehat{e}(C_1^{\prime },s{k}_{DU})}},m^{″}={\displaystyle \frac{D_{DU}}{\widehat{e}(D_1^{\prime },s{k}_{DU})}}.\end{array}$$

(7) 

The DU verifies whether ${\overline{tag}}^{\prime }={\Phi }^{H\left(m\right)}{\Psi }^{H\left(m^{″}\right)}$. If valid, it outputs m; otherwise, ⊥ is returned.

Algorithm 3: Decryption Algorithm ($Dec$)

Remark 1.

In this scheme, the partial decryption operations by the CS do not lead to privacy data leakage. First, the ciphertext component $C_0^{\prime }=m·\widehat{e}{(g,g)}^{\alpha r^{\prime }}$ in $C{T}^{\prime }$ encrypts the message m using the master private key α, where the master private key is split via $\alpha ={\alpha }_1+{\alpha }_2$. The CS’s key only holds ${\alpha }_1$, while ${\alpha }_2$ is embedded in the user’s private key. Since the CS cannot reconstruct the complete α solely from ${\alpha }_1$, independent decryption is infeasible. Second, the design of the verification tag $ta{g}^{\prime }={\Phi }^{H\left(m\right)}{\Psi }^{H\left(m^{″}\right)}$ in $C{T}^{\prime }$ ensures that any attempt by the CS to derive the plaintext m from it would require solving the discrete logarithm problem, which is computationally infeasible under standard cryptographic assumptions. More importantly, even if the CS colludes with revoked users, it remains unable to decrypt the ciphertext. During the key generation phase, the KGC independently selects random values $s_x$ and $s_y$ for revoked users (e.g., $D{U}_x$) and non-revoked users (e.g., $D{U}_y$) and generates key pairs $(s{k}_{CS,x},s{k}_x)$ and $(s{k}_{CS,y},s{k}_y)$, respectively. If the CS colludes with $D{U}_x$ and attempts to forward the intermediate ciphertext decrypted using $s{k}_{CS,y}$ to $D{U}_x$, the local decryption process will yield ${\displaystyle \frac{m·\widehat{e}(g^{r+r^{\prime }},g^{{\alpha }_2}{g}^{a{s}_y})}{\widehat{e}(g^{r+r^{\prime }},g^{{\alpha }_2}{g}^{a{s}_x})}}$. Due to the mismatch between $s_x$ and $s_y$, the encryption components cannot be canceled out. This guarantees that an unauthorized decryption of the ciphertext is impossible.

Correctness. Now, we clarify the correctness of our presented solution. In the $Dec$ algorithm, it holds that

$$\begin{array}{cc}\hfill W^2& =\prod _{i\in A^{\prime }}{(\widehat{e}(K_0,C_{2,i}^{\prime })·\widehat{e}(K_{{\tau }^{\prime }\left(i\right)},C_{3,i}^{\prime }))}^{2{\eta }_i^{\prime }},\hfill \\ \hfill & =\prod _{i\in A^{\prime }}{(\widehat{e}(g^s,g^{a({\lambda }_i+{\lambda }_i^{\prime })}{f}_{{\tau }^{\prime }\left(i\right)}^{-(r_i+r_i^{\prime })})·\widehat{e}(f_{{\tau }^{\prime }\left(i\right)}^s,g^{r_i+r_i^{\prime }}))}^{2{\eta }_i^{\prime }}\hfill \\ \hfill & =\prod _{i\in A^{\prime }}\widehat{e}{(g^s,g^{a({\lambda }_i+{\lambda }_i^{\prime })})}^{2{\eta }_i^{\prime }}\hfill \\ \hfill & =\widehat{e}{(g^s,g^a)}^{2{\sum }_{i\in A^{\prime }}{\eta }_i^{\prime }({\lambda }_i+{\lambda }_i^{\prime })}\hfill \\ \hfill & =\widehat{e}{(g,g)}^{2as(r+r^{\prime })},\hfill \end{array}$$

$$\begin{array}{cc}\hfill C_{DU}& =C_0^{\prime }/{\displaystyle \frac{\widehat{e}(C_1^{\prime },K)}{W^2}}\hfill \\ \hfill & ={\displaystyle \frac{m·v^{r+r^{\prime }}·\widehat{e}{(g,g)}^{2as(r+r^{\prime })}}{\widehat{e}(g^{r+r^{\prime }},g^{{\alpha }_1}{g}^{as})}}\hfill \\ \hfill & =m·\widehat{e}(g^{r+r^{\prime }},g^{{\alpha }_2}{g}^{as}),\hfill \end{array}$$

$$\begin{array}{cc}\hfill D_{DU}& =D_0^{\prime }/{\displaystyle \frac{\widehat{e}(D_1^{\prime },K)}{\widehat{e}{(D_2^{\prime },K_0)}^2·W^2}}\hfill \\ \hfill & ={\displaystyle \frac{m·v^{z+z^{\prime }+r+r^{\prime }}·\widehat{e}{(g^{a(z+z^{\prime })},g^s)}^2·\widehat{e}{(g,g)}^{2as(r+r^{\prime })}}{\widehat{e}(g^{z+z^{\prime }+r+r^{\prime }},g^{{\alpha }_1}{g}^{as})}}\hfill \\ \hfill & =m·\widehat{e}(g^{z+z^{\prime }+r+r^{\prime }},g^{{\alpha }_2}{g}^{as}).\hfill \end{array}$$

Thus, the following equality holds:

$$\begin{array}{c}\hfill {\displaystyle \frac{C_{DU}}{\widehat{e}(C_1^{\prime },s{k}_{DU})}}={\displaystyle \frac{m·\widehat{e}(g^{r+r^{\prime }},g^{{\alpha }_2}{g}^{as})}{\widehat{e}(g^{r+r^{\prime }},g^{{\alpha }_2}{g}^{as})}}=m\end{array}$$

$$\begin{array}{c}\hfill {\displaystyle \frac{D_{DU}}{\widehat{e}(D_1^{\prime },s{k}_{DU})}}={\displaystyle \frac{m^{″}·\widehat{e}(g^{z+z^{\prime }+r+r^{\prime }},g^{{\alpha }_2}{g}^{as})}{\widehat{e}(g^{z+z^{\prime }+r+r^{\prime }},g^{{\alpha }_2}{g}^{as})}}=m^{″}.\end{array}$$

5. Security Analysis

In this section, we first demonstrate the semantic security of the proposed approach through a reduction to the q-parallel BDHE assumption. Then, we give a integrity proof of our proposed scheme by reducing it to the DL assumption.

Theorem 1.

Under the q-parallel BDHE assumption, the proposed scheme is selectively secure against unauthorized access.

Proof. 

Suppose a PPT adversary $\mathcal{A}$ breaks the selective security with an advantage $ϵ$. We construct a simulator $\mathcal{B}$ that solves the q-parallel BDHE problem. The simulator $\mathcal{B}$ is given the q-parallel BDHE instance $∆$ as shown in Equation (1), along with an element $T\in {\mathbb{G}}_T$, which is either $\widehat{e}{(g,g)}^{a^{q+1}r}$ or a random element. The task of $\mathcal{B}$ is to output 0 if $T=\widehat{e}{(g,g)}^{a^{q+1}r}$ and 1 otherwise. The simulator $\mathcal{B}$ interacts with the adversary $\mathcal{A}$ through the following game:

(1)

Init. $\mathcal{A}$ submits a challenge access policy $(M_{d^{*}\times e^{*}}^{*},{\tau }^{*})$, where $d^{*},e^{*}\le q$.

(2)

Setup. The simulator $\mathcal{B}$ first randomly selects ${\alpha }^{\prime },{\alpha }_1^{\prime },{\alpha }_2^{\prime },\Phi ,\Psi \in \mathbb{G}$ and a hash function $H:{\mathbb{G}}_T\to {\mathbb{Z}}_p^{*}$ with ${\alpha }^{\prime }={\alpha }_1^{\prime }+{\alpha }_2^{\prime }$. Then, it implicitly defines ${\alpha }_1={\alpha }_1^{\prime }+a^{q+1}/2$, ${\alpha }_2={\alpha }_2^{\prime }+a^{q+1}/2$ and $\alpha ={\alpha }^{\prime }+a^{q+1}$, such that $v=\widehat{e}{(g,g)}^{\alpha }=\widehat{e}(g^a,g^{a^q})\widehat{e}{(g,g)}^{{\alpha }^{\prime }}$. For each attribute $x\in U$, $\mathcal{B}$ computes $f_x=g^{t_x}{\prod }_{i\in X}{\prod }_{j=1}^{e^{*}}{g}^{a^j{M}_{i,j}^{*}/b_i}$, where $X=\{i\mid {\tau }^{*}\left(i\right)=x\}$, and $t_x$ is randomly selected from ${\mathbb{Z}}_p^{*}$. Note that $f_x=g^{t_x}$ if $X=\varnothing$. The public key is published as

$$\begin{array}{c}pp=(g,v,g^a,\Phi ,\Psi ,H,{\left\{f_x\right\}}_{x\in U}).\end{array}$$

(3)

Phase I. For each private key query on a set $S_u$ that does not satisfy $(M^{*},{\tau }^{*})$, $\mathcal{B}$ first constructs a vector $\overrightarrow{w}=(w_1,\dots ,w_{e^{*}})$ with $w_1=-1$ and $\overrightarrow{w}·M_i^{*}=0$ for all i, where ${\tau }^{*}\left(i\right)\in S$. Then, it randomly selects $\mu \in {\mathbb{Z}}_p^{*}$, implicitly defines $h=\mu +{\sum }_{j=1}^{e^{*}}{w}_j{a}^{q-j+1}$, and computes

$$\begin{array}{cc}\hfill K& =g^{{\alpha }_1^{\prime }}{g}^{a\mu }\prod _{j=2}^{e^{*}}{\left(g^{a^{q+2-j}}\right)}^{w_j},\hfill \\ \hfill K_0& =g^h,\hfill \\ \hfill K_x& =K_0^{t_x}\prod _{i\in X}\prod _{j=1}^{e^{*}}{\left(g^{{({\displaystyle \frac{a_j}{b_i}})}^{\mu }}\prod _{\begin{array}{c}k=1,\\ k\ne j\end{array}}^{e^{*}}{g}^{{({\displaystyle \frac{a^{q+1+j-k}}{b_i}})}^{w_{\mu }}}\right)}^{M_{i,j}^{*}},\hfill \\ \hfill s{k}_u& =g^{{\alpha }_2^{\prime }}{g}^{a\mu }\prod _{j=2}^{e^{*}}{\left(g^{a^{q+2-j}}\right)}^{w_j}.\hfill \end{array}$$

Note that if $X=\varnothing$, $K_x=K_0^{t_x}$. Finally, $\mathcal{B}$ sends $(K,K_0,{\left\{K_x\right\}}_{x\in S_u},s{k}_u)$ to $\mathcal{A}$.

(4)

Challenge. $\mathcal{A}$ submits $m_0,m_1$. $\mathcal{S}$ flips a coin $b\in \{0,1\}$ and chooses random element $y_2,\cdots y_{e^{*}}$ to generate the vector $\overrightarrow{u}=(r,ra+y_2,r{a}^2+y_3,\cdots ,r{a}^{e^{*}-1}+y_{e^{*}})$. Then, it randomly selects $z,r_1,r_2\cdots r_{d^{*}}\in {\mathbb{Z}}_p^{*},m^{\prime }\in {\mathbb{G}}_T,Q\in \mathbb{G}$, defines the set $Y_i=\{j\mid {\tau }^{*}\left(j\right)={\tau }^{*}\left(i\right)\wedge j\ne i\}$ for all $i\in [1,e^{*}]$, and computes

$$\begin{array}{cc}\hfill C_0& =m_b·T·\widehat{e}(g^r,g^{{\alpha }^{\prime }}),C_1=g^r,C_{2,i}=g^{-r_i-r{b}_i},\hfill \\ \hfill C_{3,i}& =f_{{\tau }^{*}\left(i\right)}^{r_i^{\prime }}{\left(g^{b_{i}r}\right)}^{-t_{{\tau }^{*}\left(i\right)}}\prod _{j=2}^{n^{*}}{g}^{a{M}_{i,j}^{*}{y}_j}\prod _{k\in Y_i}\prod _{j=1}^{n^{*}}{(g^{{\displaystyle \frac{a^{j}s{b}_i}{b_k}}})}^{M_{k,j}^{*}},\hfill \\ \hfill D_0& =m^{\prime }·T·\widehat{e}(g^r,g^{{\alpha }^{\prime }})·v^z,D_1=g^r{g}^z,D_2={\left(g^a\right)}^z.\hfill \end{array}$$

$\mathcal{B}$ sends the challenge ciphertext $C{T}^{*}=(C_0,C_1,C_{2,i},C_{3,i},D_0,D_1,D_2,Q)$ to $\mathcal{A}$.

(5)

Phase II. $\mathcal{A}$ continues private key queries for unauthorized sets as in Phase I.

(6)

Guess. $\mathcal{A}$ output a guess $b^{\prime }$ of b. If $b^{\prime }=b$, $\mathcal{B}$ outputs 0 to guess that $T=\widehat{e}{(g,g)}^{a^{q+1}r}$; otherwise, $\mathcal{B}$ outputs 1.

Except for the challenge phase, the simulation is perfect. Next, we rigorously analyze the simulation of verification tag and the revoked ciphertext. In this phase, $\mathcal{B}$ returns a random element $Q\in \mathbb{G}$ instead of $tag={\Phi }^{H\left(m_b\right)}{\Psi }^{H\left(m^{\prime }\right)}$. However, the distribution of Q is identical to that of $tag$ because the adversary $\mathcal{A}$ has no knowledge of $m^{\prime }$. From $\mathcal{A}$’s perspective, ${\Phi }^{H\left(m_b\right)}{\Psi }^{H\left(m^{\prime }\right)}$ and Q are indistinguishable.

When revocation occurs, the distribution of the revoked ciphertext remains identical to the original ciphertext distribution from $\mathcal{A}$’s view. In our scheme, the revoked ciphertext replaces $m^{\prime }$ with a random element $m^{″}\in {\mathbb{G}}_T$. Since $\mathcal{A}$ has no information about $m^{\prime }$, the values $m^{\prime }$ and $m^{″}$ are perfectly indistinguishable. Additionally, the revoked ciphertext are the elements in ${\mathbb{G}}_T$ generated by $\overrightarrow{u}+\overrightarrow{u^{\prime }}$, $r_j+r_j^{\prime }$, and $z+z^{\prime }$, where $\overrightarrow{u^{\prime }}$, $r_j^{\prime }$, and $z^{\prime }$ are randomly selected during revocation, while $\overrightarrow{u}$, $r_j$, and z are random parameters from the initial ciphertext. So, $\overrightarrow{u}+\overrightarrow{u^{\prime }}$, $r_j+r_j^{\prime }$, and $z+z^{\prime }$ remain random to $\mathcal{A}$. In summary, the ciphertexts before and after revocation are indistinguishable to adversary $\mathcal{A}$.

We now analyze the probability that the simulator $\mathcal{B}$ solves the q-parallel BDHE assumption. If T is random, the view of $\mathcal{A}$ is independent of b, which implies $Pr[b^{\prime }=b\mid T\mathrm{is}\mathrm{random}]=1/2$. If $T=\widehat{e}{(g,g)}^{a^{q+1}r}$, the output of $\mathcal{B}$ depends on $\mathcal{A}$’s guess. In this case, we have $Pr[b^{\prime }=b\mid T=\widehat{e}{(g,g)}^{a^{q+1}r}]=1/2+ϵ$. So, $\mathcal{B}$’s advantage in solving the q-parallel BDHE problem is

$$\begin{array}{cc}\hfill {ϵ}^{\prime }& =|Pr[b^{\prime }=b\mid T=\widehat{e}{(g,g)}^{a^{q+1}r}]-Pr[b^{\prime }=b\mid T\mathrm{is}\mathrm{random}]|\hfill \\ \hfill & =|1/2+ϵ-1/2|\hfill \\ \hfill & =ϵ.\hfill \end{array}$$

This indicates that $\mathcal{B}$ can break the q-parallel BDHE assumption with a non-negligible advantage, which contradicts the assumption itself. Consequently, our scheme is proven to be selectively secure against unauthorized accesses under the q-parallel BDHE assumption. □

Theorem 2.

Our scheme achieves the data integrity under the DL assumption.

Proof. 

If an adversary $\mathcal{A}$ can successfully compromise the integrity of the proposed scheme, we can construct a simulator $\mathcal{B}$ capable of solving the DL problem. $\mathcal{B}$ is given a discrete logarithm instance $(\widehat{e},\mathbb{G},{\mathbb{G}}_T,p,g,g^{\delta })$; its goal is to obtain $\delta$.

(1)

Setup. Simulator $\mathcal{B}$ sets a bilinear pairing $(\widehat{e},\mathbb{G},{\mathbb{G}}_T,g,p)$ and selects $a,\alpha ,{\alpha }_1,{\alpha }_2,\eta \in {\mathbb{Z}}_p$, $f_1,f_2,\cdots ,f_{\left|U\right|}\in \mathbb{G}$ as well as a hash function $H:{\mathbb{G}}_T\to {\mathbb{Z}}_p^{*}$. Then, $\mathcal{B}$ sets $v=\widehat{e}{(g,g)}^{\alpha },\Phi =g^{\delta },\Psi =g^{\eta }$ and outputs the public parameters $pp=(\widehat{e},\mathbb{G},{\mathbb{G}}_T,g,p,\Phi ,\Psi$, $v,g^a,H,{\left\{f_x\right\}}_{x\in U})$ to $\mathcal{A}$.

(2)

Phase I. When $\mathcal{A}$ issues a private key query for an attribute set S, since $\mathcal{B}$ possesses the master secret key, $\mathcal{B}$ is able to generate the corresponding private keys and return them to $\mathcal{A}$.

(3)

Challenge. $\mathcal{A}$ chooses a message m as well as the access policy $(M,\tau )$, and sends them to the challenger $\mathcal{B}$. $\mathcal{B}$ executes the $En{c}_{DO}$ algorithm to obtain the ciphertext $C{T}_{init}=((M,\tau ),C_0,C_1,D_0,D_1,D_2,tag,{\left\{{\lambda }_i\right\}}_{i=1}^d)$, where $tag={\Phi }^{H\left(m\right)}{\Psi }^{H\left(m^{\prime }\right)}$.

Case 1 (no revocation). $\mathcal{B}$ returns $C{T}^{*}=C{T}_{init}$ to $\mathcal{A}$.

Case 2 (with revocation). $\mathcal{B}$ executes $Delegate$ to obtain $DG=((\tilde{M},\tilde{\tau }),{\overline{D}}_0,ta{g}^{\prime })$, where $ta{g}^{\prime }={\Phi }^{H\left(m\right)}{\Psi }^{H\left(m^{″}\right)}$. Then, $\mathcal{B}$ sends $C{T}^{*}=(C{T}_{init},DG)$ to $\mathcal{A}$.

(4)

Phase II. $\mathcal{A}$ continues to issue queries as in Phase I, and $\mathcal{B}$ responds the queries as in Phase I.

(5)

Output. $\mathcal{A}$ outputs a partially decrypted ciphertext $C{T}_{part}$. When there is no revocation, the ciphertext contains the verification tag $\overline{tag}$; when revocation occurs, the ciphertext contains the verification tag ${\overline{tag}}^{\prime }$ (we set the updated access policy as $(M^{\prime },{\tau }^{\prime })$).

Case 1 (no revocation). 

Simulator $\mathcal{B}$ selects an attribute set $S_u$ that satisfies M, generates the corresponding private key $s{k}_u$, and decrypts the ciphertext $C{T}_{part}$ using this key to obtain the plaintext $\overline{m}$ and random message ${\overline{m}}^{\prime }$. If $\mathcal{A}$ wins the integrity game, then $\overline{m}\notin \{m,\perp \}$ (i.e., $\overline{m}\ne m$ and $\overline{tag}=tag$). Therefore, $\mathcal{B}$ has

$$\begin{array}{cc}\hfill & \overline{tag}=tag\hfill \\ \hfill \iff & {\Phi }^{H\left(\overline{m}\right)}{\Psi }^{H\left({\overline{m}}^{\prime }\right)}={\Phi }^{H\left(m\right)}{\Psi }^{H\left(m^{\prime }\right)}\hfill \\ \hfill \iff & g^{\delta ·H\left(\overline{m}\right)+\eta ·H\left({\overline{m}}^{\prime }\right)}=g^{\delta ·H\left(m\right)+\eta ·H\left(m^{\prime }\right)}\hfill \\ \hfill \iff & \delta ·H\left(\overline{m}\right)+\eta ·H\left({\overline{m}}^{\prime }\right)=\delta ·H\left(m\right)+\eta ·H\left(m^{\prime }\right).\hfill \end{array}$$

Finally, $\mathcal{B}$ derives $\delta ={\displaystyle \frac{\eta ·(H\left(m^{\prime }\right)-H\left({\overline{m}}^{\prime }\right))}{H\left(\overline{m}\right)-H\left(m\right)}}$ and outputs δ as its answer for the DL assumption.

Case 2 (with revocation). 

$\mathcal{B}$ selects the attribute set $S_u^{\prime }$ that satisfies the updated policy $M^{\prime }$, generates the corresponding private key, and decrypts $C{T}_{part}$ to obtain the plaintext $\overline{m}$ and the random message ${\overline{m}}^{″}$. If $\mathcal{A}$ wins the game, this implies $\overline{m}\notin \{m,\perp \}$. Therefore, $\mathcal{B}$ obtains ${\overline{\mathit{tag}}}^{\prime }={\mathit{tag}}^{\prime }$. Then, $\mathcal{B}$ computes $\delta ={\displaystyle \frac{\eta ·(H\left(m^{″}\right)-H\left({\overline{m}}^{″}\right))}{H\left(\overline{m}\right)-H\left(m\right)}}$ as the answer to the DL assumption.

Analysis. The simulation is perfectly executed. As demonstrated in Case 2, our scheme still achieves the data integrity even after the tag has been updated. The advantage of $\mathcal{B}$ in breaking the DL problem is precisely equivalent to the advantage of $\mathcal{A}$ in winning the integrity game. □

6. Performance Analysis

This section systematically compares our proposed scheme with the methods proposed by Ge et al. [7] and Huang et al. [39] using theoretical analysis and experimental tests. The comparison focuses on computational overhead and functional characteristics to validate the comprehensive performance advantages of our scheme in smart health environments.

6.1. Theoretical Analysis

First, for clarity, we define $T_p,T_e,T_s$ as the time needed for one bilinear pairing operation, one exponentiation operation in ${\mathbb{G}}_T$, and one scalar multiplication in $\mathbb{G}$, respectively. Let b and c represent the row quantity in the access control matrix and the number of attribute, respectively.

Table 1. Comparison of computational cost.

Scheme	Key Generation	Encryption	Revocation	Decryption
[7]	$(c+3)T_s$	$2T_e+(4+6b)T_s$	$2T_e+(2+6b)T_s$	$(2+4c)T_p+2c{T}_e+2T_s$
[39]	$(c+8)T_s$	$T_e+(3+3b)T_s$	$T_e+(1+3b)T_s$	$(1+2c)T_p+c{T}_e+2T_s$
Ours	$(c+5)T_s$	$\mathrm{DO}:2T_e+5T_s$ $\mathrm{CS}:3b{T}_s$	$2T_e+(3+3b)T_s$	$\mathrm{CS}:(2c+3)T_p+(c+1)T_e$ $\mathrm{DU}:2T_p+2T_s$

presents a comparison of computational costs across different phases. In terms of key generation, our scheme incurs slightly higher costs than [7] but outperforms [39] in efficiency. Unlike prior schemes that perform all encryption tasks on the DO side, our approach splits encryption between the DO and CS. The total encryption cost of our scheme is lower than [7] but higher than [39] while the DO-side cost remains constant at $2T_e+5T_s$, which is significantly lower than the non-constant costs of both [7] and [39]. For revocation, our costs are lower than [7] but higher than [39]. Like the encryption algorithm, in contrast to existing schemes that execute all decryption tasks on the DU side, we distribute decryption between the DU and CS. The total decryption cost of our scheme is lower than [7] but higher than [39] while the DU-side cost remains constant at $2T_p+2T_s$, which is notably lower than the variable costs of the other two schemes. Overall, our scheme achieves constant and low local computation costs, and the moderately higher CS-side costs for revocation and partial encryption/decryption operations are justified by the CS’s superior computational capacity. This design leverages the powerful processing capabilities of the cloud to offload complex computations and ensures that the local costs remain constant and low, which is critical for resource-constrained IoT medical devices in smart health.

Table 2. Comparison of functionality.

Scheme	Revocable	Verifiable	Tag Update	Access Policy
[7]	✓	✓	✗	LSSS
[39]	✓	✓	✗	LSSS
Ours	✓	✓	✓	LISS

highlights functional advantages. Our scheme ensures dynamic updates of the verification tag, which prevents revoked users from inferring plaintext via tag analysis. In contrast, the verification tags in the other two schemes remain unchanged during revocation, which poses security risks. Furthermore, our scheme employs LISS for access structure. Unlike LSSS over finite fields, LISS leverages secret sharing over integers and reduces the cost of secret sharing. These advantages demonstrate the practicality of our scheme for large-scale collaborative IoT medical networks.

6.2. Experimental Tests

To evaluate computational efficiency, we designed an experimental system, which we describe in the following four aspects: the hardware platform, cryptographic implementation, security parameters, and experimental protocol. The hardware platform is based on a 2.4-GHz Intel i5 processor that runs the Windows XP operating system. Cryptographic operations leverage the Stanford Pairing-Based Cryptography (PBC) library [41], which enables the implementation of the Tate pairing $\widehat{e}:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$ over the supersingular elliptic curve $E/{\mathbb{F}}_p:y^2=x^3+x$. In this context, $\mathbb{G}$ denotes a group of points on $E/{\mathbb{F}}_p$ and ${\mathbb{G}}_T$ represents a subgroup of ${\mathbb{F}}_{p^2}$. To achieve security equivalent to 1024-bit RSA, critical parameters are configured as follows: the embedding degree of the curve is set to 2, and the prime p is selected such that $p\equiv 3mod4$. Finally, the runtime of three core cryptographic operations (bilinear pairing, exponentiation and scalar multiplication) is measured by repeating the experiments 1,000 times on an Intel-core personal computer. This protocol guarantees statistical reliability by minimizing random fluctuations. According to [42], in this experiment, the value of $T_p$, $T_e$, and $T_s$ are 25.1 ms, 2.84 ms, and 11.88 ms, respectively. To simulate realistic smart healthcare deployment scenarios, we established the experimental parameters as follows: The number of user attributes ranged from 5 to 50 with an increment of 10. During original ciphertext generation, the access policy $\mathcal{T}$ took the form of a logical AND gate over selected attributes. For the revocation algorithm, the revocation access policy $\tilde{\mathcal{T}}$ varied from 5 to 50 attributes with an increment of 5. This configuration produced a revoked access policy ${\mathcal{T}}^{\prime }=\mathcal{T}AND\tilde{\mathcal{T}}$ whose dimension spanned from 10 to 100 with an increment of 10.

Through comparative analysis of experimental results, we can clearly observe the significant computational efficiency advantages of our proposed scheme. Figure 3 demonstrates the trend of local encryption computational overhead with varying access policy dimensions, where our scheme maintains constant computational costs as dimensions increase from 5 to 50, while the schemes by Ge et al. and Huang et al. exhibit clear linear growth patterns. In the comparison of revocation computational overhead shown in Figure 4, although all three schemes demonstrate linearly increasing computational costs with growing dimensions, our scheme and Huang et al.’s approach show lower growth slopes compared to Ge et al.’s method. Notably, as shown in Figure 4, the performance curves of our scheme and Huang et al.’s scheme nearly overlap, yet the computational cost of our scheme is marginally higher. This slight efficiency compromise is entirely justified, as our scheme achieves enhanced security through a verifiable tag update mechanism, which demonstrates a deliberate and reasonable trade-off between security and efficiency. Figure 5 specifically compares the trends of local decryption overhead with increasing attribute quantities. Experimental data confirm that our scheme maintains consistently low and stable decryption overhead regardless of attribute quantity growth.

The experimental results from all three datasets exhibit strong consistency with theoretical analysis. The experimental outcomes conclusively prove that our solution achieves an optimal balance between security assurance and computational efficiency for smart health systems.

7. Future Work

To further improve the practical applicability and security robustness of our proposed scheme, future work will explore the following directions:

• Decentralized KGC Architectures: The current scheme relies on a single KGC, which introduces risks such as single points of failure and centralized trust. To address these limitations, the framework can be extended to multi-authority KGC architectures or threshold-based KGC architectures. The former distributes trust among independent authorities, which eliminates centralized control and improves compatibility with decentralized healthcare ecosystems. The latter employs $(t,n)$-threshold cryptography to ensure that key generation requires collaboration from at least t out of n authorities. This design prevents compromises even if some authorities are corrupted.
• Security Model Strengthening: While the current scheme achieves selective security under static adversarial assumptions, it cannot fully resist attacks from adversaries who adaptively select attack targets during security games. To overcome this limitation, the scheme must be upgraded to achieve full adaptive security, which would significantly enhance its resilience in dynamic real-world environments.

To implement these extensions, the following critical challenges must be carefully addressed and resolved:

• For decentralized KGC architectures, secure and efficient distributed key generation protocols must be designed to balance cryptographic robustness with computational overhead. This requires establishing reliable communication channels among multiple KGC nodes to prevent eavesdropping and tampering. Furthermore, dynamic scenarios such as nodes join/exit demand adaptable protocols to maintain stability without sacrificing security.
• For achieving full adaptive security, we must redesign the scheme to include a hash function that maps bit strings to points in group $\mathbb{G}$. Due to the computational overhead of this function, it is critical to rigorously define where and how it should be applied. Furthermore, the security proof must be reformulated under a stronger adversarial model where attackers adaptively query secrets and issue challenges. Finally, even with the increased complexity of addressing adaptive attacks, the scheme must maintain computational efficiency to ensure practical deployment in real-world scenarios.

Through these improvements, the proposed scheme can achieve full adaptive security, adapt to more sophisticated decentralized application scenarios, and preserve the functional advantages of the existing design. Theoretical analysis and practical implementation of these extensions will form the core focus of our future research.

8. Conclusions

This study proposes a revocable and verifiable ABE scheme tailored for time-sensitive and secure transmission requirements in smart health systems. The scheme uses an attribute-based encryption framework to achieve dynamic fine-grained access control and provides efficient verification mechanism. Crucially, it enforces strict ciphertext update to ensure that revoked users cannot extract any useful information from the previous ciphertexts. This resolves the risk in existing schemes where revoked users could infer plaintext through unchanged verification tags. We formally prove the semantic security and integrity of the scheme and conduct simulations to evaluate its performance. The results demonstrate that our scheme effectively addresses data transmission challenges in smart health systems and is highly suitable for such environments.