1 Introduction

The Internet of Things (IoT) is a complex heterogeneous network. It connects various smart devices through communication and information technology to achieve intelligent identification, positioning, tracking, supervision and so on [1]. At present, IoT applications are widely used in fields such as smart cities, e-health, and intelligent transportation systems. However, as the number of smart devices grows, more resources are required to manage and process the large amount of data they generate [2,3,4,5,6]. For example, medical systems and traffic monitoring systems generate gigabytes of high-definition images and videos per minute [7]. It is hard for ordinary users or smart devices in the traditional IoT to bear this heavy burden in both storage and computation. Fortunately, cloud-assisted IoT provides a promising solution to this data explosion problem under the constraints of individual device capabilities. As a powerful platform, cloud computing empowers users with on-demand services [8] for storing, accessing, and processing data.

Although cloud computing brings immense benefits to the IoT, it also introduces unprecedented security risks due to its openness. Specifically, the data collected by smart devices may contain the user’s private information [9, 10]. Curious cloud servers and unauthorized users may attempt to obtain a user’s personal information for financial gain. For this reason, keeping user data confidential is of vital importance. Meanwhile, given the need for efficient data sharing in cloud-assisted IoT, it is desirable to design an effective mechanism that enables flexible access control. Because of its advantages in ensuring data confidentiality and realizing fine-grained access control, the primitive of attribute-based encryption (ABE) [11] has been widely explored in cloud-assisted IoT. In ABE schemes [11,12,13,14], both the ciphertext and the key are related to a set of attributes. The encrypter can formulate an encryption policy consisting of attributes according to the sensitive content and the receiver’s characteristics. With this method, the resulting ciphertext can only be decrypted by users whose attributes satisfy the encryption policy. In this way, not only is the confidentiality of the sensitive data assured, but access control is also achieved in a flexible and fine-grained way. Although a series of ABE schemes followed [15, 16], user revocation [17] in cloud-assisted IoT remains challenging for conventional ABE constructions.

To enhance the practicality of ABE, the concept of revocable ABE was subsequently presented. The methods used in revocable ABE schemes to achieve user revocation can typically be divided into two categories: direct revocation and indirect revocation. In directly revocable ABE schemes [18, 19], data encryptors need to maintain a revocation list delivered by the trusted authority and keep it up to date. Obviously, the communication overhead of requesting the latest revocation list from the trusted authority is burdensome for data encryptors. To avoid the heavy overhead of maintaining the revocation list, various ABE schemes that support indirect user revocation were proposed [20,21,22,23]. In an ABE scheme with indirect revocation, each non-revoked user receives extra key update material from the trusted authority for generating a complete decryption key. This effectively guarantees that revoked users, who lack the key update material, have no access to the shared data. Despite this, existing revocable ABE schemes are still insufficient to handle the complicated access policies of a large-scale cloud-assisted IoT system. In these schemes, the attributes involved in the access policy are used multiple times to establish fine-grained access control over the sensitive data, which causes extra overhead when embedding the access policy into a ciphertext.

Motivated by this, in this paper we present a revocable ciphertext-policy attribute-based encryption scheme with arithmetic span programs [24,25,26,27] (R-CPABE-ASP) for cloud-assisted IoT environments. The presented R-CPABE-ASP not only achieves fine-grained access control and the necessary user revocation but also enables efficient access policy description. Thanks to the expressive ASP access structure and decryption outsourcing, our R-CPABE-ASP obtains high efficiency in the encryption and decryption phases. In detail, our main contributions are listed below:

  • We propose the first R-CPABE-ASP scheme that achieves user revocation and an ASP access structure simultaneously. Thanks to the introduction of user revocation, the presented R-CPABE-ASP can effectively address potential changes in a user’s access rights to shared data.

  • Compared with existing revocable ABE schemes, where attributes are required multiple times to establish an access policy, each attribute in the access policy of our R-CPABE-ASP scheme is used only once. Hence, R-CPABE-ASP is more efficient at embedding the access policy into a ciphertext during data encryption. Furthermore, an outsourced version of R-CPABE-ASP (OR-CPABE-ASP) is given, in which the overhead of data decryption is reduced to one exponentiation. Thus, even lightweight users can efficiently access data in cloud-assisted IoT environments.

  • Our proposed R-CPABE-ASP is proved adaptively secure under the \(MDDH_{k,l}^m\) assumption using the dual system encryption technique [28]. Finally, detailed theoretical analysis and experimental simulations demonstrate that the presented R-CPABE-ASP is secure, efficient and feasible in cloud-assisted IoT.

1.1 Organizations

The rest of this paper is organized as follows: Sect. 2 reviews related work. Sect. 3 gives some basic notation and structures. The concrete construction of R-CPABE-ASP is presented in Sect. 4. The performance evaluation is carried out in Sect. 5. Finally, this paper is concluded in Sect. 6.

2 Related Work

Attribute-based encryption (ABE) has been well explored in the two branches of key-policy ABE and ciphertext-policy ABE since its seminal proposal [11]. Goyal et al. [12] presented a key-policy attribute-based scheme in which each user’s secret key is bound to a tree access structure. Kaaniche and Laurent [13] presented a privacy-preserving ABE scheme in which the general tree access structure is adopted to prevent sensitive data from being deciphered without authorization. Li et al. [14] proposed a secure cloud data storage system for cloud IoT environments by utilizing ABE with an AND-gate access structure. Nevertheless, the conventional access structures adopted in these works suffer from heavy overheads when defining the access policy of the sensitive data. The fundamental reason is that existing access structures establish access control by enumerating all the attribute permutations that meet the access policy. This inevitably causes extra expense when defining the access policy during data encryption, since the same attribute is used multiple times. Subsequently, the proposal of the arithmetic span program (ASP) [24] contributed a feasible solution for describing the access policy efficiently. By adopting the notion of ASP, the access policy can be defined as an arithmetic expression over the attributes involved [26]. Even for a complicated access policy, the same attribute is required only once, so the overhead of defining the access policy is significantly reduced. Inspired by this, Chen et al. [25] constructed the first KP-ABE for ASP, and Ma et al. [27] recently presented the first CP-ABE for ASP. Nevertheless, the above-mentioned works can hardly handle the challenging user revocation issue caused by changes in users’ permissions in real-life scenarios.

To improve the feasibility of conventional ABE in real-life scenarios, measures for realizing user revocation have been well studied in the context of ABE. Zhang et al. [18] proposed a directly revocable ABE scheme with constant-size ciphertexts. In their work, user revocation is realized by a revocation list embedded into the ciphertext during data encryption. However, each encrypter needs to continuously request the latest revocation list from the trusted authority. Consequently, encrypters in their work face a heavy communication burden to keep the revocation list up to date. This issue affects all ABE schemes that support direct user revocation. To eliminate it, Qin et al. [20] proposed an indirectly revocable ABE scheme. In their work, the trusted authority periodically broadcasts the key update material to each non-revoked user. Only the users who generate a complete decryption key with the key update material have access to the data. In this way, the user revocation procedure puts no extra burden on the encrypter. Thereafter, Xu et al. [21] constructed a secure IoT cloud storage system that achieves fine-grained access control with an LSSS access structure. Wei et al. [23] contributed a revocable storage system for ensuring the security of e-health records in public cloud scenarios.

Obviously, both an efficient access structure and user revocation are essential for a practical and robust ABE scheme in cloud-assisted IoT. Unfortunately, to the best of our knowledge, an ABE scheme that supports an ASP access structure and user revocation simultaneously has not been well studied.

3 Preliminaries

In this section, some basic knowledge that will be used in the following part of this paper is given.

3.1 Mathematical Notations

For a prime-order asymmetric bilinear pairing \((e,\mathbb {G},\mathbb {H},\mathbb {G}_T,g,h)\), \(\mathbb {G},\mathbb {H},\mathbb {G}_T\) are prime-order groups, e is a map from \(\mathbb {G}\times \mathbb {H}\) to \(\mathbb {G}_T\), and g and h are the generators of \(\mathbb {G}\) and \(\mathbb {H}\), respectively. On this basis, some operations can be defined as:

  • Given a vector \(\mathbf{A} =(g^{a_1},g^{a_2})^{\top }\) and a matrix \(\mathbf{B} \in \mathbb {Z}^{3 \times 2}_p\), \(\mathbf{A} ^\mathbf{B }=g^\mathbf{B (a_1,a_2)^{\top }}\), where \(a_1, \; a_2 \in \mathbb {Z}_p\).

  • Given a matrix \(g^\mathbf{C _1^{\top }}\), where , the result of can be easily obtained as:

    where \(g^{c_{11}}, g^{c_{21}}, g^{c_{31}}\) can be gained from the matrix \(g^\mathbf{C _1^{\top }}\).

  • Given a matrix \(g^\mathbf{C _1^{\top }}\) with unknown \(\mathbf{C} _1 \leftarrow _R\mathbb {Z}_p^3\) and a matrix , the value of matrix can be easily obtained following the above-mentioned steps.

3.2 Basis Structure

To simulate composite-order groups with three prime-order subgroups, we first choose \(l_1,l_2,l_3,l_w\ge 1\) and pick \(\mathbf{W} _1\leftarrow _R \mathbb {Z}_p^{l\times l_1},\mathbf{W} _2\leftarrow _R \mathbb {Z}_p^{l\times l_2},\mathbf{W} _3\leftarrow _R \mathbb {Z}_p^{l\times l_3},\) where \(l=l_1+l_2+l_3\). \((\mathbf{W} _1^{*}|\mathbf{W} _2^{*}|\mathbf{W} _3^{*})^{\top }\) is defined as the inverse of \((\mathbf{W} _1|\mathbf{W} _2|\mathbf{W} _3)\). It is clear that \(\mathbf{W} _i^{\top }{} \mathbf{W} _i^{*}=\mathbf{I} \) and \(\mathbf{W} _i^{\top }{} \mathbf{W} _j^{*}=\mathbf{0} ~(i\ne j)\), where \(\mathbf{I} \) is the identity matrix. Moreover, for any \(\mathbf{T} \leftarrow _R \mathbb {Z}^{l\times l_w}\), there always exists a decomposition \(\mathbf{T} =\mathbf{B} ^{(1)}+\mathbf{B} ^{(2)}+\mathbf{B} ^{(3)}\), where \(\mathbf{B} ^{(1)}\leftarrow _R\textsf {span}^{l_w}(\mathbf{W} ^{*}_1),\mathbf{B} ^{(2)}\leftarrow _R\textsf {span}^{l_w}(\mathbf{W} ^{*}_2),\mathbf{B} ^{(3)}\leftarrow _R\textsf {span}^{l_w}(\mathbf{W} ^{*}_3)\).

Theorem 1

Given matrices \(\mathbf{W} _1,\mathbf{W} _2,\mathbf{W} _3,\mathbf{W} ^{*}_1,\mathbf{W} ^{*}_2,\mathbf{W} ^{*}_3, \mathbf{T} \) mentioned in the basis structure, the following two distributions \(\{\mathbf {W}^{\top }_1\mathbf {T},\mathbf {W}^{\top }_3\mathbf {T},\mathbf {T}\}\) and \(\{\mathbf {W}^{\top }_1\mathbf {T},\) \(\mathbf {W}^{\top }_3\mathbf {T},\mathbf {T}+\mathbf {P}^{(2)}\}\) are statistically identical with the probability \(1-1/p\), where \(\mathbf {P}^{(2)}\leftarrow _R\textsf {span}^{l_w}(\mathbf {W}^{*}_2)\).

3.3 \(\text {MDDH}^{m}_{k,l}\) Assumption

For any PPT adversary \(\mathcal {A}\), \(\textsf {Adv}^{\text {MDDH}^{m}_{k,l}}_{\mathcal {A}}(\lambda )=|\mathrm {Pr}[\mathcal {A}(\mathbb {G},g^\mathbf{M },g^\mathbf{MS })=1] - \mathrm {Pr} [\mathcal {A} (\mathbb {G},\) \( g^\mathbf{M }, g^\mathbf{S '}) =1]|\) is negligible in the security parameter \(\lambda \), where g is the generator of \(\mathbb {G}\), \(\mathbf{M} \leftarrow _{R} \mathbb {Z}^{l\times k}_p\), \(\mathbf{S} \leftarrow _R\mathbb {Z}^{k\times m}_p\), \(\mathbf{S} '\leftarrow _R\mathbb {Z}^{l\times m}_p\) (\(m\ge 1\) and \(l>k\ge 1\)). According to [29], the \(\text {MDDH}^{m}_{k,l}\) assumption is equivalent to the well-known k-Linear assumption [29]. For convenience, we denote \(\text {MDDH}^{1}_{k,k+1}\) by \(\text {MDDH}_k\) in the remainder of this paper.

3.4 Arithmetic Span Program

An ASP access policy is formed by a vector set \(\mathcal {V}=\{\mathbf {y}_i, \mathbf {z}_i\}_{i\in [n]}\) and a map \(\pi : [n]\rightarrow A\), where A is an attribute set and \(n=|A|\). An attribute vector \(\mathbf{x} =(x_{\pi (1)}, x_{\pi (2)},\cdots , x_{\pi (n)})\in \mathbb {Z}^n_p\) satisfies the ASP \((\mathcal {V},\pi )\) when there exist \(\gamma _1,\cdots ,\gamma _n\in \mathbb {Z}_p\) such that \(\sum \limits ^{n}_{i=1}\gamma _i(\mathbf{y} _i+x_{\pi (i)}{} \mathbf{z} _i)=(1,0,\cdots ,0)\).

Theorem 2

For any attribute set S that does not satisfy \(\mathcal {V}=\{(\mathbf{y} _j,\mathbf{z} _j)\}_{j\in S}\), the distributions

\(\Bigl \{s,\ \mathbf{y} _j\bigl ({\begin{smallmatrix}l_0s\\ \mathbf{L} \end{smallmatrix}}\bigr )+r_jp_j,\ \mathbf{z} _j\bigl ({\begin{smallmatrix}l_0s\\ \mathbf{L} \end{smallmatrix}}\bigr )+r_jp'_j,\ s_j\Bigr \}_{j\in S},\ \{\alpha +rl_0,\ r,\ rp_j\}_{j \in S}\) perfectly hide \(\alpha \), where \(p_j,p'_j, l_0, s, r, s_j\leftarrow _R \mathbb {Z}_p\), \(\mathbf{L} \leftarrow _R\mathbb {Z}^{l'-1}_p\), and \(r_j\ne 0\).

One-Use Restriction. Following the ideas of [25, 30], for all \((\mathbf{y} _i,\mathbf{z} _i), (\mathbf{y} _j,\mathbf{z} _j)\in \mathcal {V}\) with \(i\ne j\), the two pairs of vectors correspond to different attributes.
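As an added illustration (not code from the paper), the following Python decides whether an attribute vector x satisfies an ASP by solving the linear system of the definition above with Gaussian elimination over \(\mathbb {Z}_p\), and checks the one-use restriction. The modulus and the two policies (an AND and an OR over 0/1 attribute flags, each attribute appearing in exactly one row) are constructed for this example.

```python
"""Added example: ASP satisfaction check over Z_p (not from the paper).

An ASP is a list of rows (y_i, z_i) with a map pi from rows to attributes.
An attribute vector x satisfies it when coefficients gamma exist with
    sum_i gamma_i * (y_i + x_{pi(i)} * z_i) = (1, 0, ..., 0)   (mod p).
That is a linear system, so satisfaction is decided (and gamma recovered)
by Gaussian elimination modulo p.  Policies and modulus are constructed.
"""
from typing import Dict, List, Optional, Tuple

P = 2**61 - 1  # constructed modulus: a Mersenne prime; any prime works

Vec = List[int]
ASP = List[Tuple[Vec, Vec, str]]  # (y_i, z_i, attribute name pi(i))


def rows_for(asp: ASP, x: Dict[str, int]) -> List[Vec]:
    """Evaluate r_i = y_i + x_{pi(i)} * z_i (mod p) for every row of the ASP."""
    return [[(y + x.get(attr, 0) * z) % P for y, z in zip(yi, zi)]
            for yi, zi, attr in asp]


def solve_mod_p(columns: List[Vec], target: Vec) -> Optional[Vec]:
    """Find gamma with sum_i gamma_i * columns[i] == target (mod p), else None.

    Reduced row echelon form of the augmented matrix [A | target], where the
    row vectors r_i are the columns of A.  Free variables are set to 0.
    """
    n_rows, n_cols = len(target), len(columns)
    aug = [[columns[i][k] for i in range(n_cols)] + [target[k] % P]
           for k in range(n_rows)]
    pivot_cols: List[int] = []
    r = 0
    for c in range(n_cols):
        piv = next((k for k in range(r, n_rows) if aug[k][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, P)
        aug[r] = [(v * inv) % P for v in aug[r]]
        for k in range(n_rows):
            if k != r and aug[k][c]:
                f = aug[k][c]
                aug[k] = [(a - f * b) % P for a, b in zip(aug[k], aug[r])]
        pivot_cols.append(c)
        r += 1
        if r == n_rows:
            break
    # A zero row with a non-zero right-hand side means no solution exists.
    for k in range(r, n_rows):
        if aug[k][n_cols]:
            return None
    gamma = [0] * n_cols
    for k, c in enumerate(pivot_cols):
        gamma[c] = aug[k][n_cols]
    return gamma


def satisfy(asp: ASP, x: Dict[str, int]) -> Optional[Vec]:
    """Return gamma with sum_i gamma_i * r_i = (1,0,...,0), or None if x does
    not satisfy the ASP.  The combination is re-checked before returning."""
    rows = rows_for(asp, x)
    width = len(rows[0])
    target = [1] + [0] * (width - 1)
    gamma = solve_mod_p(rows, target)
    if gamma is None:
        return None
    combo = [sum(g * row[k] for g, row in zip(gamma, rows)) % P
             for k in range(width)]
    assert combo == target, "solver returned an invalid combination"
    return gamma


def one_use_ok(asp: ASP) -> bool:
    """One-use restriction: distinct rows must map to distinct attributes."""
    attrs = [attr for _, _, attr in asp]
    return len(attrs) == len(set(attrs))


# Constructed policies over 0/1 attribute flags.
# AND: r_1 = (x_a, 1), r_2 = (0, -x_b).  gamma = (1/x_a, 1/(x_a*x_b)) exists
# only when both flags are non-zero.
AND_POLICY: ASP = [([0, 1], [1, 0], "a"), ([0, 0], [0, P - 1], "b")]
# OR: r_1 = (x_a, 0), r_2 = (x_b, 0).  One non-zero flag already suffices.
OR_POLICY: ASP = [([0, 0], [1, 0], "a"), ([0, 0], [1, 0], "b")]

if __name__ == "__main__":
    for name, asp in (("AND", AND_POLICY), ("OR", OR_POLICY)):
        print(name, "one-use:", one_use_ok(asp))
        for x in ({"a": 1, "b": 1}, {"a": 1, "b": 0}, {"a": 0, "b": 0}):
            print(" ", x, "->", satisfy(asp, x))
```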

4 Revocable CP-ABE for Arithmetic Span Programs for Cloud-Assisted IoT

4.1 System and Threat Models

The responsibility of each entity involved is described as below:

  • The key generation center is the manager of the whole system. It is responsible for generating long-term key material for each user and broadcasting key update information to non-revoked users.

  • Smart devices are the data collectors. They can be various wearable devices or personal health monitors. Each smart device continuously gathers personal information and uploads the encrypted data to the cloud server.

  • The cloud server is a powerful third-party entity that relieves data users of the heavy burden of data storage and management.

  • A data user is an entity authorized to access the shared data. Each non-revoked data user periodically receives key update information from the key generation center to synthesize a complete decryption key.

In the R-CPABE-ASP scheme, the cloud servers responsible for storing user data are assumed to be honest-but-curious: they may snoop on users’ personal information while honestly responding to user requests. Besides, users whose attributes do not match the access policy, or who have been revoked, may also attempt to eavesdrop on sensitive user data.

4.2 Design Goals

In this paper, we plan to design a secure R-CPABE-ASP scheme that can not only achieve user revocation but also enable the efficient description of access policy. For this purpose, the R-CPABE-ASP should achieve the following goals.

  • Data confidentiality: The data stored on the cloud servers can only be decrypted by authorized users. It should be inaccessible to the adversary defined in the threat model.

  • Efficiency: The data should be stored and shared efficiently. Both the overhead for smart devices to encrypt sensitive data and the cost for data users to access the corresponding data should be low.

  • Reliable access control: Considering the complex application scenarios of cloud-assisted IoT, a user revocation mechanism is necessary in addition to fine-grained access control over sensitive data.

4.3 Outline of the R-CPABE-ASP

Unlike CP-ABE schemes with other access structures such as LSSS, the R-CPABE-ASP scheme needs an attribute vector \(\mathbf{x} \) corresponding to the attribute set S, which determines the relationship between the attributes and the access structure. We now give the outline of an R-CPABE-ASP scheme, which consists of the seven algorithms below.

Setup\((\lambda )\): This algorithm is executed by the key generation center to initialize the system. Taking a security parameter \(\lambda \) as input, it outputs the public parameter pp and the master secret key msk.

AttrKeyGen\((\mathsf {st}, pp, msk, S, \mathbf {x}, \mathsf {ID})\): This algorithm is executed by the key generation center to generate the attribute-related key for a data user. Taking the state information st, the public parameter pp, the master secret key msk, an attribute set S, an attribute vector \(\mathbf {x}\) and the unique credential ID of the user as input, it outputs the corresponding attribute key \(AK_{\textsf {ID}}\).

KeyUpdate\((\mathsf {st}, msk, t, \mathsf {REL})\): This algorithm is executed by the key generation center to produce the key update material for each non-revoked user. Taking the state information st, the master secret key msk, the current time period t and the revocation list REL as input, it outputs the key update information \(KU_t\).

KeyGen\((pp, AK_{\textsf {ID}}, KU_t)\): This algorithm is executed by each user to produce the complete decryption key. Taking the public parameter pp, the user’s attribute key \(AK_{\textsf {ID}}\) and the key update information \(KU_t\) as input, it outputs the whole secret key \(sk_t\).

Encrypt\((pp,(\mathcal {V},\pi ),msg, t)\): This algorithm is executed by the smart devices. Taking the public parameter pp, an arithmetic span program \((\mathcal {V},\pi )\), a message msg and the current time period t as input, it outputs the ciphertext \(ct_t\) for time period t.

Decrypt\((ct_t,sk_{t'}, (\mathcal {V},\pi ))\): This algorithm is carried out by authorized data users to access the shared data. Taking a ciphertext \(ct_t\), a secret key \(sk_{t'}\) and an arithmetic span program \((\mathcal {V},\pi )\) as input, it outputs the message msg, or the symbol \(\bot \) on decryption failure.

Revoke(REL, ID, t): This algorithm is carried out by the key generation center to revoke compromised users. Taking the revocation list REL, the credential ID of a user and the current time period t as input, it updates REL by adding the tuple (\(\textsf {ID}, t\)).

4.4 Construction

The detailed description of the proposed revocable ciphertext-policy attribute-based encryption scheme for arithmetic span programs is presented below.

  • Setup(\(\lambda , \ell , N\) ): On input a security parameter \(\lambda \), the maximum length of the time period \(\ell \) and the maximum number of users N, this algorithm sets a bilinear group generator \(\mathcal {G}\) and computes \((\mathbb {G}, \mathbb {H}, \mathbb {G}_T,\) \(e, g, h) \leftarrow \mathcal {G}(\lambda )\). In the tuple \((\mathbb {G}, \mathbb {H}, \mathbb {G}_T, e, g, h)\), there exists a map \(e: \mathbb {G} \times \mathbb {H} \rightarrow \mathbb {G}_T\), and g, h are the generators of \(\mathbb {G}\) and \(\mathbb {H}\), respectively. In addition, this algorithm selects a hash function \(H: \{0,1\}^{*}\rightarrow \mathbb {Z}_p\) and some parameters \(\mathbf{C} _1 \leftarrow _{R}\mathbb {Z}_p^{3}, \mathbf{D} \leftarrow _{R}\mathbb {Z}_p^{2}, \mathbf{K} , \mathbf{K} _0, \mathbf{K} _1,\) randomly. Then, this algorithm picks a binary tree BT with N leaf nodes, which are used to store the information of users, initializes an empty list REL to record the credentials of revoked users, and sets the state information \(\textsf {st}=\textsf {BT}\). Finally, this algorithm outputs the public parameter as \( pp = (g, h, H, g^\mathbf{C ^{\top }_1}, g^\mathbf{C ^{\top }_1\mathbf{K} }, g^\mathbf{C ^{\top }_1\mathbf{K} _0}, g^\mathbf{C ^{\top }_1\mathbf{K} _1}, g^\mathbf{C ^{\top }_1\mathbf{K} '}, g^\mathbf{C ^{\top }_1\mathbf{K} '_0}, \) and the master secret key as \( msk = (\mathbf{C} _1, \mathbf{D} , \mathbf{K} ,\)

  • AttrKeyGen(\(\textsf {st}, pp, msk, S, \mathbf {x}, \textsf {ID}\) ): On input the state information st, the public parameter pp, the master secret key msk, an attribute set S, an attribute vector \(\mathbf {x}\) and the unique credential ID that the system generated when the user first joined, this algorithm arbitrarily assigns an unused leaf node \(\delta \) of \(\textsf {BT}\) to store the information of this user. After that, for each node \(\varrho \in \textsf {Path(}\delta \textsf {)}\), this algorithm picks a random vector and stores it in this node. Then, this algorithm further calculates . Subsequently, this algorithm samples \(\mathbf {b},\{\mathbf {b}_y,\mathbf {b}'_y\}_{y\in S} \leftarrow _R \textsf {span}(\mathbf {D})\) and then computes

    Finally, this algorithm outputs the attribute key \(AK_{\textsf {ID}} = \{K, IK_{\varrho }\}_{\varrho \in \textsf {Path}(\delta )}\) where \(K = (K_0, \{K_{0,y}, K'_{0,y},\) \( K_{1,y} \}_{y \in S}, K_2)\).

  • KeyUpdate(\(\textsf {st}, msk, t, \textsf {REL}\) ): For each node \(\varrho \in \textsf {KUNodes}(\textsf {BT}, \textsf {REL}, t)\), this algorithm retrieves the random vector stored in the node \(\varrho \). After that, it generates the key update information as follows:

    where \(\varUpsilon = \{k|t(k) = 0\}\) and is randomly picked. Finally, this algorithm outputs the key update information \(KU_t = \{\varrho , KU_{\varrho , 0}, KU_{\varrho , 1}\}_{\varrho \in \textsf {KUNodes}(\textsf {BT}, \textsf {REL}, t)}\).

  • Keygen(\(pp, AK_{\textsf {ID}}, KU_t\) ): For each node \(\varrho \in \mathsf {Path}(\delta ) \cap \textsf {KUNodes}(\textsf {BT}, \textsf {REL}, t)\), this algorithm picks and calculates the time-related decryption key

    where \(\varUpsilon = \{k|t(k) = 0\}\). Finally, this algorithm outputs the whole decryption key \(sk_t = (K_0, \{K_{0,y}, K'_{0,y}, K_{1,y}\}_{y \in S}, K_2, {K_{\textsf {ID}, t}})\).

  • Encrypt(\(pp, (\mathcal {V},\pi ), msg, t\) ): Note that \(\mathcal {V} = \{(\mathbf{y} _j,\mathbf{z} _j)\}_{j \in [n]}\), and \(\pi \) is a map from \((\mathbf{y} _j,\mathbf{z} _j)\) to A. Let l denote the length of the vectors in \((\mathcal {V},\pi )\). On input the public parameter pp, an arithmetic span program \((\mathcal {V},\pi )\) over an attribute set A and a message \(msg \in \mathbb {G}_T\), this algorithm samples \(\mathbf{L} \leftarrow _R\mathbb {Z}_p^{(l-1) \times 2}\), \(s,\{s_j\}_{j \in [n]},\) \( s_t \leftarrow _R \mathbb {Z}_p\) and then computes

    Finally, this algorithm outputs the ciphertext \(ct_t = (C_0, \{C_{0,j}, C_{1,j}, C_{2,j}, C'_{1,j}, C'_{2,j} \}_{j \in [n]}, C_3, C_{4}, C_5)\) under time period t.

  • Decrypt(\(ct_t, sk_{t'},(\mathcal {V},\pi )\) ): This algorithm aborts if \(t'<t\). Otherwise, if the attribute vector \(\mathbf{x} \) satisfies the arithmetic span program \((\mathcal {V},\pi )\), this algorithm computes \(\gamma _1,\gamma _2, \cdots \in \mathbb {Z}_p\) such that \(\sum _{j \in [n]} \gamma _j(\mathbf{y} _j + x_{\pi (j)}{} \mathbf{z} _j) = (1,0,\cdots ,0).\) On input the ciphertext \(ct_t\) and the secret key \(sk_{t'}\), this algorithm computes

    and recovers the message as \( msg = \frac{C_3 \cdot B}{A}.\)

  • Revoke(\(\textsf {REL}, \textsf {ID}, t\) ): After receiving a tuple (ID, t), this algorithm inserts the tuple into the revocation list REL and outputs the updated list.
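The construction refers to Path(\(\delta\)) and KUNodes(BT, REL, t) without spelling them out. As an added illustration (not code from the paper), the Python below implements the binary-tree bookkeeping that AttrKeyGen, KeyUpdate and Keygen rely on, using the standard complete-subtree method; that choice of algorithm, the heap-style node numbering and the toy system of N = 8 leaves are assumptions made for this example.

```python
"""Added example (not code from the paper): Path(delta) and KUNodes(BT, REL, t).

Assumption: KUNodes is the standard complete-subtree method.  Nodes are
numbered heap-style: root = 1, the children of v are 2v and 2v+1, and the N
leaves are N .. 2N-1.  A user stored at leaf delta can assemble a decryption
key for period t exactly when Path(delta) and KUNodes(BT, REL, t) share a
node, so a revoked user receives no usable key update from period t on.
"""
from typing import List, Set, Tuple

REL = List[Tuple[int, int]]  # revocation list: (leaf delta of the user, period t)


def path(leaf: int) -> Set[int]:
    """Path(delta): the leaf and all of its ancestors up to the root."""
    nodes: Set[int] = set()
    v = leaf
    while v >= 1:
        nodes.add(v)
        v //= 2
    return nodes


def kunodes(num_leaves: int, rel: REL, t: int) -> Set[int]:
    """KUNodes(BT, REL, t): the minimal set of subtree roots that together
    cover every non-revoked leaf and no leaf revoked at a period <= t."""
    root = 1
    # X: every node on the path of a leaf that is revoked by period t.
    covered: Set[int] = set()
    for leaf, t_rev in rel:
        if t_rev <= t:
            covered |= path(leaf)
    if not covered:
        return {root}  # nobody revoked: a single update covers the whole tree
    # Y: children of X-nodes that are not themselves in X.
    update_nodes: Set[int] = set()
    for x in covered:
        for child in (2 * x, 2 * x + 1):
            if child < 2 * num_leaves and child not in covered:
                update_nodes.add(child)
    return update_nodes


def key_update_node(num_leaves: int, rel: REL, leaf: int, t: int) -> Set[int]:
    """Path(delta) intersected with KUNodes(BT, REL, t): the node(s) a user at
    `leaf` can use in Keygen for period t.  Empty means the user is revoked."""
    return path(leaf) & kunodes(num_leaves, rel, t)


def can_form_key(num_leaves: int, rel: REL, leaf: int, t: int) -> bool:
    """True when the user at `leaf` obtains a usable key update for period t."""
    return bool(key_update_node(num_leaves, rel, leaf, t))


if __name__ == "__main__":
    N = 8                    # constructed toy system: leaves 8..15
    rel: REL = [(9, 1)]      # the user at leaf 9 is revoked from period 1 on
    print("KUNodes at t=0:", sorted(kunodes(N, rel, 0)))  # [1]
    print("KUNodes at t=1:", sorted(kunodes(N, rel, 1)))  # [3, 5, 8]
    for leaf in (8, 9, 15):
        print(f"leaf {leaf} can form a key at t=1:", can_form_key(N, rel, leaf, 1))
```

Note that the update for period t touches only |KUNodes| nodes rather than every user, which is what keeps the key update cost low for non-revoked users.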

Due to space limitations, the detailed security proof of R-CPABE-ASP is given in the full version of our paper [31] and omitted here.

4.5 Outsourced Version of R-CPABE-ASP Scheme

In this section, an outsourced R-CPABE-ASP (OR-CPABE-ASP) scheme is proposed. The OR-CPABE-ASP scheme consists of the following eight algorithms.

The Setup, AttrKeyGen, Keygen, Encrypt and Revoke algorithms are the same as in the R-CPABE-ASP scheme. The only difference is that the outsourced R-CPABE-ASP scheme has the following three additional algorithms:

Keygen.rand(\(sk_t\) ): This algorithm samples \(\tau \in \mathbb {Z}_p\) and computes \(\bar{K}_0=K_0^{\tau }, \{\bar{K}_{0,y}=K^{\tau }_{0,y}, \bar{K}'_{0,y}=(K'_{0,y})^{\tau }, \bar{K}_{1,y}=K_{1,y}^{\tau }\}_{y \in S}, \bar{K}_2=K^{\tau }_2, \bar{K}_{\textsf {ID}, t}=K^{\tau }_{\textsf {ID}, t}\). Finally, it sets \(\bar{sk}_t = \{\bar{K}_0, \{\bar{K}_{0,y}, \bar{K}'_{0,y}, \bar{K}_{1,y}\}_{y \in S}, \bar{K}_2, \bar{K}_{\textsf {ID}, t}\}\) as the conversion key and outputs \((\bar{sk}_t,\tau )\), where \(\tau \) is the retrieval key.

Decrypt.out(\(ct_t, \bar{sk}_{t'},(\mathcal {V},\pi )\) ): This algorithm aborts if \(t'<t\). Otherwise, if the attribute vector \(\mathbf{x} \) satisfies the arithmetic span program \((\mathcal {V},\pi )\), this algorithm computes \(\gamma _1,\gamma _2, \cdots \in \mathbb {Z}_p\) such that \(\sum _{j \in [n]} \gamma _j(\mathbf{y} _j + x_{\pi (j)}{} \mathbf{z} _j) = (1,0,\cdots ,0).\) On input the ciphertext \(ct_t\) and the conversion key \(\bar{sk}_{t'}\), this algorithm computes

$$\begin{aligned} A&= e(C_0, \bar{K}_2)\cdot \prod _{j \in [n]}\left[ e(C_{1,j} \cdot C'^{x_{\pi (j)}}_{1,j}, \bar{K}_0) \cdot e(C_{2,j}, \bar{K}_{0,\pi (j)})\right] ^{\gamma _j}\\&\cdot \left[ e(C'^{x_{\pi (j)}}_{2,j}, \bar{K}'_{0,\pi (j)}) \cdot e(C_{0,j}, \bar{K}_{1,\pi (j)})^{-1} \right] ^{\gamma _j}, \\ B&= e(C_4, \bar{K}_{\textsf {ID},t',1}) \cdot e(C_5, \bar{K}_{\textsf {ID},t',2}), \quad \varUpsilon = \{k|\tilde{t}(k) = 0\}, \quad \bar{C}_3=C_3,\quad \bar{C}' = \frac{B}{A} \end{aligned}$$

and outputs the partially decrypted ciphertext \(\bar{ct}=(\bar{C}_3,\bar{C}')\).

Decrypt.user(\(\bar{ct},\tau \) ): Since every component of the conversion key is raised to \(\tau \), the cloud’s output satisfies \(\bar{C}' = (B/A)^{\tau }\), so the user recovers the message with the retrieval key \(\tau \) as \(msg = \bar{C}_3 \cdot (\bar{C}')^{\tau ^{-1}}\).

4.6 Discussion of the Design Goals

  • Data confidentiality: according to the detailed security analysis in the full version of our paper [31], our R-CPABE-ASP is adaptively secure against an adversary who lacks the corresponding attribute set or was revoked in a prior time period. Thereby, the presented R-CPABE-ASP scheme meets the requirement of data confidentiality.

  • Efficiency: thanks to the ASP access structure, the access policy involved in the encryption phase can be defined more efficiently than in works adopting conventional access structures. Hence, encryption efficiency is significantly improved by removing the redundant description of the access policy. Meanwhile, as shown in the outsourced version of R-CPABE-ASP, the decryption cost for data users is merely one exponentiation. Considering both, encryption efficiency and decryption efficiency are effectively assured in R-CPABE-ASP.

  • Reliable access control: a compromised user can be efficiently revoked in R-CPABE-ASP thanks to the user revocation mechanism. Hence, the reliability of data access is assured in R-CPABE-ASP.

Table 1. Properties and efficiency comparison among the works

5 Performance Evaluation

After the concrete construction of our R-CPABE-ASP, an outsourced version (OR-CPABE-ASP) is given to mitigate the heavy decryption burden on users. In this part, we mainly consider the OR-CPABE-ASP version, which meets the efficiency requirements of cloud-assisted IoT scenarios. To give an overall performance evaluation of our OR-CPABE-ASP against the state-of-the-art works, both theoretical analysis and experimental simulations are carried out.

5.1 Theoretical Analysis

The detailed comparisons in terms of essential properties, communication efficiency and computation efficiency are summarized in Table 1. In this table, |S| represents the number of attributes held by the user; |A| is the number of attributes involved in the access policy; |V| is the number of bits with value 0 in the time period string; \(|\mathbb {G}|\), \(|\mathbb {H}|\) and \(|\mathbb {G}_T|\) denote the size of one element of the groups \(\mathbb {G}\), \(\mathbb {H}\) and \(\mathbb {G}_T\), respectively; and \(E_{\mathbb {G}}\), \(E_{\mathbb {H}}\) and \(E_{\mathbb {G}_T}\) denote one exponentiation in \(\mathbb {G}\), \(\mathbb {H}\) and \(\mathbb {G}_T\), respectively.

As Table 1 shows, the works QZZC [20], XYML [21], CDLQ [22] and ours all adopt the indirect model to achieve user revocation. From the results in Table 1, it is fair to summarize that both QZZC [20] and CDLQ [22] outperform our OR-CPABE-ASP in decryption key size, ciphertext size, update key size, data encryption efficiency and key update efficiency. Nonetheless, QZZC [20] and CDLQ [22] only achieve selective security, which restricts the adversary too strongly to capture real-life security threats. Furthermore, our OR-CPABE-ASP scheme is more efficient in data decryption than QZZC [20]: in QZZC [20], users need to carry out two heavy pairing operations to access the data stored on the cloud servers, whereas in our work the cost for users to access the data is merely one exponentiation. On the other hand, it is straightforward to see that the OR-CPABE-ASP scheme performs well in terms of security, ciphertext size, encryption efficiency and key update efficiency compared with XYML [21]. In XYML [21], the overhead of data encryption depends on the value of the current time period: the time period is encoded as a binary string, and during data encryption each bit with value 0 in that string induces an extra exponentiation. In the worst case, where all bits of the time period string are 0, the resulting overheads for data encryption and ciphertext delivery reach an unacceptably high level. Considering this, only our proposed OR-CPABE-ASP is secure, efficient and feasible in complex real-life cloud-assisted IoT scenarios.

5.2 Experimental Simulations

To discuss the feasibility and efficiency of the OR-CPABE-ASP work more comprehensively, simulations measuring computation efficiency are conducted in this section. We implement all the works with the PBC library on a Windows 10 operating system with a Core i7-7700 @ 3.60 GHz processor and 8 GB of RAM. The results of the simulations are shown in Fig. 1, Fig. 2 and Fig. 3.

The data encryption efficiency comparison among the works is shown in Fig. 1. In particular, we simulate XYML [21] and our OR-CPABE-ASP work under extreme conditions. In XYML [21], the data encryption cost depends on the number of bits with value 0 in the current time period string: when all bits are 1, their work enjoys its best data encryption efficiency; on the contrary, when all bits are 0, the data encryption cost is at its maximum. Since the more expressive ASP access structure is introduced in our work, there are also two cases in the data encryption phase of OR-CPABE-ASP. The reason is that OR-CPABE-ASP is a ciphertext-policy variant of ABE, so the data encryption cost is affected by the expressiveness of the access structure. For instance, suppose the access structure specifies that a user who holds 5 of 10 attributes is able to access the data. In a traditional access structure such as LSSS, all possible attribute combinations are enumerated to test whether a user owns the corresponding attributes (the worst case of our OR-CPABE-ASP work). In an ASP access structure, however, the access policy can be described directly as an arithmetic expression over these attributes; in other words, each involved attribute is required only once, so the cost of defining the access policy is significantly reduced (the best case of our work).

Obviously, the OR-CPABE-ASP work is more efficient in data encryption than the state-of-the-art works [20,21,22] according to Fig. 1. It is easy to see that our OR-CPABE-ASP work is almost unaffected by the number of attributes involved in the access policy. Compared with the existing works [20,21,22], where the encryption overhead increases dramatically with the number of attributes, the OR-CPABE-ASP scheme is more applicable to cloud-assisted IoT scenarios where the access policy of a ciphertext may be complicated.

Fig. 1. Encryption cost

Fig. 2. Decryption cost

Fig. 3. Key update cost

The cost of data decryption is shown in Fig. 2. As Fig. 2 shows, the data decryption cost in XYML [21] grows with the number of attributes involved. In sharp contrast, QZZC [20], CDLQ [22] and the OR-CPABE-ASP work keep a low and constant decryption overhead. A similar trend is also observed in the key update phase, as shown in Fig. 3. It is worth noting that the OR-CPABE-ASP scheme has the best key update efficiency for each non-revoked user.

As described above, our proposed OR-CPABE-ASP work outperforms the state-of-the-art works in both encryption and decryption efficiency, which makes fast data storage and convenient data access possible. Taking this into account, our work is expected to achieve efficient data storage and sharing in cloud-assisted IoT environments compared with the state-of-the-art works built on similar underlying primitives.

6 Conclusion

In this paper, we construct the first revocable CP-ABE for arithmetic span programs (R-CPABE-ASP) for cloud-assisted IoT. Compared with existing revocable ABE works, the proposed R-CPABE-ASP scheme can describe complicated access policies more easily by adopting the arithmetic span program access structure. Hence, the data encryption efficiency of R-CPABE-ASP is significantly enhanced. Meanwhile, we also show how to mitigate the heavy data decryption burden on users by giving an outsourced version of the R-CPABE-ASP scheme. Finally, detailed theoretical analysis and experimental simulations demonstrate that our R-CPABE-ASP is secure and efficient in cloud-assisted IoT.