1 Introduction

The Internet of Things (IoT) has attracted wide attention from researchers in academia and industry. As IoT technology has matured, it has been deployed in areas such as aviation, rail transit, safe cities, industrial manufacturing, logistics management, medical care and smart homes. However, the computing and storage resources of IoT devices are often limited, which restricts the application of the IoT in these fields. Cloud computing provides on-demand services with convenient network access, so cloud services can compensate for the technical limitations of IoT devices and satisfy the large-volume data exchange and sharing that the IoT requires. Cloud service providers are not completely trusted, however. Once a data owner stores its data on a cloud server, it loses direct control over that data. Cloud service providers (CSPs) may share data with unauthorized users when tempted by commercial interests, and they may also suffer internal or external attacks, leading to authorization failures and data leakage for their users. In the IoT environment, sensor devices are numerous and heterogeneous, which makes security and privacy protection difficult. IoT users therefore have higher requirements for data security and privacy protection.

Attribute-based encryption (ABE) meets the needs of data confidentiality and fine-grained access control in the IoT well. ABE is divided into two categories, KP-ABE [1] and CP-ABE [2]. In a CP-ABE scheme the access policy is embedded in the ciphertext and the key is associated with a set of attributes; a KP-ABE scheme is the opposite. To reduce the burden on devices, several efficient ABE schemes [3,4,5,6] have been proposed, for example outsourcing data and computation to third parties to save local storage and computing resources. Efficient online/offline encryption schemes [7,8,9,10] have also been proposed.

In the above solutions, the data provider needs to be online in real time, and since the ciphertext is bound to the access control policy, the encryption overhead grows with the policy. In addition, during decryption the cloud service provider sends the access control policy to the data user along with the ciphertext, although the access policy itself may contain sensitive information, and disclosing it may violate the data owner's privacy requirements. Reducing the encryption overhead while hiding the access policy has therefore become a pressing problem in the cloud computing environment.

In this paper, we propose a secure online/offline attribute-based encryption scheme for IoT users in cloud computing. Our scheme uses online/offline ABE to address the large computational cost of ABE: the most expensive encryption operations are executed in the offline phase. Moreover, to protect the access control structure, the structure is hidden when the user uploads or downloads the ciphertext.

2 Related Work

Attribute-based encryption (ABE) is now widely used. Its central idea is to represent a user's identity by a set of descriptive attributes. The authorization center generates each data user's key from that user's attribute set, which is a set of characteristic information about the user. Whether a user can decrypt is determined by whether the user's attribute set matches the access structure, which is how control over the ciphertext is realized. The data provider does not need to distribute a key to each data consumer; it only needs to manage the attributes of the corresponding file by modifying the access control structure, which greatly increases the flexibility of access control. Considering the computational burden on IoT devices during encryption and decryption, the main approach at present is to delegate the complex computation of constrained IoT devices to nodes with sufficient computing power. In 2010, to address the burden of key distribution and data management, Yu et al. [3] strengthened the attribute-based access strategy while allowing data owners to place most of their computing tasks on the cloud server. Hur et al. [4] proposed an attribute-based access control method using CP-ABE to enforce access control policies with efficient attribute and user revocation. This fine-grained access control is implemented by combining ABE with a dual encryption mechanism based on selective group key distribution within each attribute group. For outsourced ABE decryption, the scheme in [5] uses bilinear pairings to realize outsourced decryption, that is, the computation on the resource-constrained client is outsourced to a semi-trusted third party; however, the user must still perform exponentiation and multiplication operations several times. Green et al. [6] proposed an outsourced decryption scheme based on an LSSS matrix, which allows the cloud to convert a ciphertext satisfying the user's attributes into a constant-size ciphertext while the cloud cannot read any part of the user's message.

Meanwhile, IoT devices include not only sensor devices with weak computing capability but also devices with strong computing power. The latter are able to perform encryption and decryption, but there is no guarantee that they are online in real time. Online/offline cryptography is an effective tool for improving encryption efficiency: the complex encryption operations are precomputed, so that lightweight devices only need to perform a small amount of simple computation online. Hohenberger [7] first proposed an online/offline ABE scheme in which the computational work is divided into two phases, the offline phase (preparation) and the online phase. In 2015, Datta [8] combined searchable encryption with access control and gave a security proof. Later, Cui [9] used outsourced ABE to place most of the decryption work on the cloud server while supporting keyword search, which greatly reduces the user's computational cost. For resource-limited devices, Liu [10] moved the cost of keyword encryption and token generation to the offline phase, so that a mobile device performs these steps while on external power rather than draining its battery. However, none of the above works considers multi-authority ABE. Since the computing power of sensor devices is limited, and sensitive messages must be encrypted before being sent to users in order to protect privacy, encryption is a major challenge for IoT sensor devices. Consequently, it is much better to perform part of the encryption work in idle time.

3 System Design

3.1 System Model and Design Goals

As shown in Fig. 1, the system architecture of our proposed scheme consists of four entities: a cloud service provider (CSP), an attribute authority (AA), data owners (DOs) and data users (DUs).

  • CSP is composed of multiple servers and is responsible for storing the large amount of data generated in the IoT. It has strong computing power and is honest but curious.

  • AA is an independent attribute authority that generates a public key and a master secret key by executing the AuthoritySetup algorithm. After receiving a user's attribute set, it returns the attribute private key generated by the SecretKeyGen algorithm.

  • DO is the owner of the data. In the IoT environment the data owner is a resource-constrained entity and cannot guarantee that its computing resources are always online. Since most of the costly computation is performed by the Offline.Encrypt algorithm, encryption efficiency is greatly improved because the Online.Encrypt algorithm incurs only a small computation cost.

  • DU is the actual consumer of the data in the IoT. It obtains the plaintext message through the Decrypt algorithm.

Fig. 1. System architecture of the scheme in cloud model

In our scheme, we make the following security assumptions to match the real IoT environment. AA is fully trusted: it neither reveals user data nor colludes with users. The CSP is a semi-trusted (honest-but-curious) entity that honestly stores user-uploaded data and performs the users' tasks, but may be curious about the data content. Users are not completely trusted: malicious users may disguise their identity to obtain sensitive information.

3.2 Proposed Scheme

This section presents our scheme, which consists of six algorithms: GlobalSetup, AuthoritySetup, SecretKeyGen, Offline.Encrypt, Online.Encrypt and Decrypt.

System Initialization.

As in the scheme of [11], this phase initializes the public parameters and generates the public keys and secret keys.

\( {\text{GlobalSetup}}(1^{k} ) \to (PP) \). This algorithm takes a security parameter \( 1^{k} \) as input and outputs the public parameters

$$ PP = \left\{ {g,h,e,p,{\mathbb{G}},{\mathbb{G}}_{T} ,H} \right\}. $$

The algorithm selects two bilinear groups \( {\mathbb{G}} \) and \( {\mathbb{G}}_{T} \) of prime order \( p \) with a bilinear map \( e:{\mathbb{G}} \times {\mathbb{G}} \to {\mathbb{G}}_{T} \), and chooses two random generators \( g,h \) of \( {\mathbb{G}} \). Furthermore, it employs a collision-resistant hash function \( H:\left\{ {0,1} \right\}^{*} \to {\mathbb{G}} \).

\( {\text{AuthoritySetup}}\left( {PP} \right) \to \left( {{\text{PK}},{\text{MSK}}} \right) \). Taking as input the public parameters PP, the authority chooses \( \upalpha,\upbeta,\upgamma \) randomly from \( {\mathbb{Z}}_{p} \) and picks a random generator \( {\text{u}} \) of \( {\mathbb{G}} \). AA publishes the public key and keeps the master secret key

$$ {\text{PK}} = \left\{ {e\left( {g,g} \right)^{\alpha } ,h^{\beta } ,g^{\gamma } ,{\text{u}}} \right\},{\text{MSK}} = \left\{ {{\text{PK}},\upalpha} \right\}. $$

Secret Key Generation.

In this phase, the attribute authority runs a key extraction algorithm with a hidden access structure, which is designed so that the user's identifier is not disclosed in the clear, in order to protect the user's privacy.

\( {\text{SecretKeyGen}}\left( {PP,{\text{GID}}_{U} ,{\text{PK}},{\text{U}},De_{ID} ,CM_{ID} } \right) \to \left( {SK_{U} } \right) \). First, the data user executes the commitment algorithm \( {\text{Commit}}\left( {PP,{\text{GID}}_{U} } \right) \to \left( {CM_{ID} ,De_{ID} } \right) \) and sends \( \left( {CM_{ID} ,De_{ID} } \right) \) to the attribute authority. AA then takes the public parameters \( {\text{PP}} \), the attribute set \( {\text{U}} = \left\{ {A_{1} ,A_{2} , \ldots ,A_{n} } \right\} \), the public key \( {\text{PK}} \) and the commitment \( \left( {CM_{ID} ,De_{ID} } \right) \) as input. If the Decommit algorithm accepts, AA picks \( t_{1} ,t_{2} , \ldots ,t_{n} \in {\mathbb{Z}}_{p} \), computes \( K_{1} = g^{\beta } \), and for \( {\text{i}} = 1 \) to \( {\text{n}} \) computes \( K_{i,1} = (u^{{A_{i} }} h^{\beta } )^{{t_{i} }} ,K_{i,2} = g^{{t_{i} }} \). Otherwise, it outputs an error message and the SecretKeyGen algorithm terminates. The algorithm outputs

$$ SK_{U} = \left\{ {K_{1} ,\left\{ {K_{i,1} ,K_{i,2} } \right\}_{{i \in \left[ {1,n} \right]}} } \right\}. $$

Encryption.

This phase is divided into offline data creation and online data creation. The resource-limited data owner generates offline ciphertexts by running Offline.Encrypt and produces the final ciphertext by running Online.Encrypt.

\( {\text{Offline.Encrypt}}\left( {PP,{\rm{PK}}} \right) \to \left( {{\rm{C}}{{\rm{T}}_{Off}}} \right) \). The offline encryption algorithm takes as input only the public parameters PP and the authority public key PK; it depends on neither the message nor the access policy. It randomly picks \( {\text{s}} \in {\mathbb{Z}}_{p} \) and computes \( C_{0} = g^{s} \). Next it chooses random \( \tau_{j} ,x_{j} \in {\mathbb{Z}}_{p} \) for each \( j \in \left[ {1,n} \right] \), where \( x_{j} \) is a placeholder for the attribute value that becomes known only in the online phase. The algorithm sets \( {\text{key}} = e\left( {g,g} \right)^{\alpha s} ,C_{j,1} = g^{{ - \tau_{j} }} , C_{j,2} = \left( {u^{{x_{j} }} h^{\beta } } \right)^{{\tau_{j} }} , C_{j,3} = h^{{x_{j} }} \) and outputs

$$ {\text{CT}}_{Off} = \left\{ {key,C_{0} ,\{ C_{j,1} ,C_{j,2} ,C_{j,3} ,x_{j} ,\tau_{j} \}_{{{\text{j}} \in \left[ {1,n} \right]}} } \right\}. $$

Note that \( {\text{CT}}_{Off} \) contains the secret randomness \( x_{j} ,\tau_{j} \); it is kept on the data owner's device and is not the object uploaded to the CSP.

\( {\text{Online.Encrypt}}\left( {PP,{\rm{U}},C{T_{Off}},{\rm{PK}}} \right) \to \left( {{\rm{CT}}} \right) \). The online encryption algorithm takes as input the public parameters \( {\text{PP}} \), the attribute set U of the access policy T chosen by the data owner, an offline ciphertext \( CT_{Off} \) and the public key \( {\text{PK}} \). The owner computes \( P_{j} = e\left( {h^{\beta } ,H\left( {U_{j} } \right)} \right) \) for each \( j \in \left[ {1,Y} \right] \), where \( U_{j} \) denotes the j-th attribute of the access policy T and Y is the number of attributes in T. Next, the access policy T is converted into an LSSS access structure \( \left( {M,\rho } \right) \) in which \( P_{j} \) replaces the attribute \( U_{j} \), so the ciphertext reveals the shape of the matrix but not the attribute names. M is an \( {\text{l}} \times {\text{n}} \) matrix with \( {\text{l}} \le {\text{P}} \), where P is the number of per-attribute components prepared in the offline phase. The owner sets the vector \( {\mathbf{y}} = \left( {{\text{s}},y_{2} , \ldots ,y_{n} } \right)^{T} \), in which \( y_{2} , \ldots ,y_{n} \in {\mathbb{Z}}_{p} \) are random and \( T \) denotes the transpose, and computes the vector of shares of s as \( \left( {\lambda_{1} ,\lambda_{2} , \ldots ,\lambda_{l} } \right)^{T} = M\varvec{y} \). For each row j it then computes the correction terms \( C_{j,4} = \lambda_{j} - x_{j} , C_{j,5} = \tau_{j} \left( {A_{j} - x_{j} } \right) \), where \( A_{j} \) is the attribute value of row j; these require only arithmetic in \( {\mathbb{Z}}_{p} \), which is why the online phase is cheap. Eventually, the algorithm sets the ciphertext as

$$ {\text{CT}} = \left\{ {\left( {M,\rho } \right),C_{0} ,C_{1} ,\left\{ {\{ C_{j,1} ,C_{j,2} ,C_{j,3} ,C_{j,4} ,C_{j,5} } \right\}_{{j \in \left[ {1,P} \right]}} } \right\}. $$

Decryption.

In this phase, the data user downloads a ciphertext CT from the CSP and runs the following \( {\text{Decrypt}} \) algorithm with its secret key \( SK_{U} \) to recover the message.

\( {\text{Decrypt}}\left( {{\text{SK}},{\text{CT}}} \right) \to {\text{key}}. \) It takes a secret key \( SK_{U} = \left\{ {K_{1} ,\left\{ {K_{i,1} ,K_{i,2} } \right\}_{{i \in \left[ {1,n} \right]}} } \right\} \) produced by the \( SecretKeyGen \) algorithm and a ciphertext \( {\text{CT}} = \left\{ {\left( {M,\rho } \right),C_{0} ,C_{1} ,\left\{ {\{ C_{j,1} ,C_{j,2} ,C_{j,3} ,C_{j,4} ,C_{j,5} } \right\}_{{j \in \left[ {1,P} \right]}} } \right\} \) with hidden access structure \( \left( {M,\rho } \right) \). If the attribute set of \( SK_{U} \) does not satisfy the hidden structure, the algorithm outputs an error message. Otherwise, let \( {\text{I}} \subseteq \left\{ {1,2, \ldots ,{\text{l}}} \right\} \) be the set of rows matched by the user's attributes; the algorithm computes constants \( w_{i} \in {\mathbb{Z}}_{p} \) such that \( \mathop \sum \nolimits_{i \in I} w_{i} \lambda_{i} = s \), where \( \lambda_{i} \) are the shares of the secret s. The data user computes

$$ e\left( {g,g} \right)^{\alpha s} = \frac{{e\left( {K_{0} ,C_{0} } \right)}}{{e\left( {h^{{\sum_{i \in I} w_{i} C_{j,4} }} ,K_{1} } \right) \cdot \prod_{i \in I} \left( {e\left( {K_{i,1} ,C_{j,1} } \right) \cdot e\left( {K_{i,2} ,C_{j,2} \cdot u^{{C_{j,5} }} } \right) \cdot e\left( {K_{1} ,C_{j,3} } \right)} \right)^{{w_{i} }} }} $$

where j is the index of the ciphertext row matched by the user's attribute \( A_{i} \) (it depends on i).
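The following worked example, added here and not part of the paper, traces the encryption phase (Offline.Encrypt and Online.Encrypt above) and the share-recombination step of Decrypt on a small instance. It assumes a toy setting: the bilinear group is replaced by the prime-order subgroup of quadratic residues in \( {\mathbb{Z}}_{q}^{*} \) for the safe prime q = 2p + 1 (q = 2039, p = 1019 are assumed parameters), so there is no pairing and neither key = e(g,g)^{αs} nor the pairing checks on K_{i,1}, K_{i,2} are modelled. What it does show is exactly what the paper's algebra relies on: the per-row components C_{j,1..5}, the LSSS shares λ = My, the identity C_{j,2} · u^{C_{j,5}} = (u^{A_j} h^β)^{τ_j} that binds a blinded offline slot to the attribute chosen online, and the recovery of h^s from C_{j,3}, C_{j,4} with reconstruction coefficients w_i. All function and variable names are chosen for this example, and the policy (A AND B) OR C and its matrix are constructed inputs.

```python
"""Toy model of Offline.Encrypt, Online.Encrypt and the share step of Decrypt.
Added example, not the paper's code. Assumed toy group: the order-p subgroup
of Z_q^* for the safe prime q = 2p + 1, so there is no pairing; only the
Z_p arithmetic and the per-row ciphertext components are modelled.
Names (attr_to_zp, lsss_share, recover_h_s, ...) are this example's own."""
import hashlib
import secrets

Q = 2039          # safe prime q = 2p + 1 (assumed toy parameter)
P = (Q - 1) // 2  # 1019, prime order of the quadratic-residue subgroup
G, H, U = pow(2, 2, Q), pow(3, 2, Q), pow(5, 2, Q)  # squares, hence order P

def attr_to_zp(name):
    """Stand-in for mapping an attribute string to its value A_j in Z_p."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % P

def lsss_share(M, s):
    """lambda = M y with y = (s, y_2, ..., y_n), the y_i uniform in Z_p."""
    y = [s] + [secrets.randbelow(P) for _ in range(len(M[0]) - 1)]
    return [sum(m * yi for m, yi in zip(row, y)) % P for row in M]

def reconstruction_coeffs(M, rows):
    """Solve sum_{i in rows} w_i * M[i] = (1, 0, ..., 0) over Z_p by Gauss-Jordan
    elimination. Returns {i: w_i}, or None if `rows` is not an authorized set."""
    n, k = len(M[0]), len(rows)
    # one equation per column of M, one unknown per selected row, RHS appended
    A = [[M[i][c] % P for i in rows] + [int(c == 0)] for c in range(n)]
    pivots, r = [], 0
    for c in range(k):
        piv = next((i for i in range(r, n) if A[i][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], P - 2, P)
        A[r] = [v * inv % P for v in A[r]]
        for i in range(n):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(vi - f * vr) % P for vi, vr in zip(A[i], A[r])]
        pivots.append(c)
        r += 1
    if any(A[i][k] for i in range(r, n)):   # a row reading 0 = nonzero
        return None
    w = [0] * k                              # free unknowns set to zero
    for i, c in enumerate(pivots):
        w[c] = A[i][k]
    return {rows[j]: w[j] for j in range(k)}

def offline_encrypt(pk, n):
    """Offline phase: per-row work needing neither message nor policy.
    x_j, tau_j stay with CT_Off and must never leave the owner's device."""
    out = []
    for _ in range(n):
        x, tau = secrets.randbelow(P), secrets.randbelow(P - 1) + 1
        out.append({"C1": pow(G, -tau % P, Q),
                    "C2": pow(pow(U, x, Q) * pk["h_beta"] % Q, tau, Q),
                    "C3": pow(H, x, Q), "x": x, "tau": tau})
    return out

def online_encrypt(slots, M, attrs, s):
    """Online phase: C4 = lambda_j - x_j and C5 = tau_j (A_j - x_j), i.e. two
    Z_p operations per row and no group exponentiation."""
    lam = lsss_share(M, s)
    return [{"C1": sl["C1"], "C2": sl["C2"], "C3": sl["C3"],
             "C4": (l - sl["x"]) % P, "C5": sl["tau"] * (a - sl["x"]) % P}
            for sl, a, l in zip(slots, attrs, lam)]

def row_binds_attribute(pk, slot, row, a):
    """Identity behind C5: C2 * u^{C5} == (u^{A_j} h^beta)^{tau_j}. tau_j is
    used here only to check the algebra; a decryptor checks it via pairings."""
    lhs = row["C2"] * pow(U, row["C5"], Q) % Q
    rhs = pow(pow(U, a, Q) * pk["h_beta"] % Q, slot["tau"], Q)
    return lhs == rhs

def recover_h_s(ct, M, rows):
    """prod_i (C3 * h^{C4})^{w_i} = h^{sum_i w_i lambda_i} = h^s, no pairings."""
    w = reconstruction_coeffs(M, rows)
    if w is None:
        return None
    acc = 1
    for i, wi in w.items():
        acc = acc * pow(ct[i]["C3"] * pow(H, ct[i]["C4"], Q) % Q, wi, Q) % Q
    return acc

def demo():
    """Constructed policy (A AND B) OR C as an LSSS matrix; rows are A, B, C."""
    M = [[1, 1], [0, P - 1], [1, 0]]
    attrs = [attr_to_zp(a) for a in ("A", "B", "C")]
    pk = {"h_beta": pow(H, secrets.randbelow(P - 1) + 1, Q)}
    s = secrets.randbelow(P)
    slots = offline_encrypt(pk, len(M))
    ct = online_encrypt(slots, M, attrs, s)
    h_s = pow(H, s, Q)
    return {"binds": all(row_binds_attribute(pk, sl, r, a) for sl, r, a in zip(slots, ct, attrs)),
            "ab": recover_h_s(ct, M, [0, 1]) == h_s,   # A and B: authorized
            "c": recover_h_s(ct, M, [2]) == h_s,       # C alone: authorized
            "b_only": recover_h_s(ct, M, [1]) is None}  # B alone: rejected
```

Two points the toy makes visible. First, the online phase touches only \( {\mathbb{Z}}_{p} \): the expensive exponentiations that produce C_{j,1}, C_{j,2}, C_{j,3} were done against a placeholder x_j, and C_{j,5} corrects the slot to the real attribute A_j in the exponent, which is the online/offline split the paper relies on. Second, the offline pool is sensitive material: an attacker who obtains x_j and τ_j together with CT can solve C_{j,5} for A_j and undo the policy hiding, so CT_Off must be protected on the owner's device as carefully as a private key.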

4 Performance Evaluation

In this section, we estimate the performance of the proposed scheme by comparing it with existing schemes in terms of efficiency. The comparison results are summarized in Table 1, where A, G, P, E and M represent the number of attributes, the size of an element in \( {\mathbb{Z}}_{p} \), a pairing operation, an exponentiation operation and a multiplication operation in bilinear groups, respectively. The complexity of the access structure is denoted by k. The symbol H denotes a chameleon hash operation. The symbol N denotes the size of the offline ciphertext pool, which is determined by the size of the attribute universe. The functional comparison is given in Table 2.

Table 1. Computation cost comparisons of online/offline attribute-based encryption schemes
Table 2. Function compare between our scheme and other scheme

We compare the proposed scheme with state-of-the-art schemes with regard to the offline encryption cost, the online encryption cost and the decryption cost. In the online phase, our scheme costs nearly half as much as ABDS [12] and less than the other schemes, because in this phase our scheme performs only the operations that depend on the access control policy. Our scheme incurs more computation than ABDS [12] in the offline phase, but the online workload of the user is significantly reduced, which suits resource-limited users. The proposed scheme is therefore efficient with respect to the computation cost on the user side while achieving its security goals. Comparing the functionality of our scheme with several related schemes, we observe that our scheme offers more functionality than the others. All the online/offline schemes compared support LSSS ciphertext policies.

5 Conclusion

In this paper, aiming to address computational efficiency and data security issues, we proposed a secure online/offline attribute-based encryption scheme for IoT users in cloud computing. Unlike existing CP-ABE schemes, our scheme achieves efficient data encryption and privacy protection: the heavy encryption computations are performed in the offline phase, which makes the online encryption phase faster than in existing schemes. To protect the access control structure, we hide the access structure in the online phase and protect the data user's key in the secret key generation phase. Theoretical analysis indicates that the proposed data sharing scheme is well suited to IoT users who have enough computing power but are not online in real time. The scheme is proven secure in the selective chosen-attribute-set model, and the performance analysis shows that it can be used to control access to shared data in an IoT environment.