#### Abstract

In the Internet of Things (IoT) environment, intelligent devices collect and share large-scale sensitive personal data for a wide range of applications. However, the storage and computing power of IoT devices is limited, so the mass of sensed data is encrypted and transmitted to a cloud platform that interconnects the IoT devices. How to reduce the encryption/decryption cost and preserve the privacy of sensitive data in the IoT environment is therefore an issue that deserves research. To mitigate these issues, an offline/online attribute-based encryption scheme that supports partial policy hiding and outsourced decryption is proposed. The scheme adopts offline/online attribute-based encryption algorithms: the key generation algorithm and the encryption algorithm are each divided into two stages, an offline stage and an online stage. Meanwhile, to solve the problem of policy disclosure on the cloud platform, policy hiding is supported; that is, each attribute is divided into an attribute name and an attribute value. For the pairing operations involved in the decryption process, verifiable outsourced decryption is implemented. Our scheme is constructed on composite order bilinear groups and achieves full security in the standard model. Finally, a comparison with other schemes in terms of functionality and computational overhead shows that the proposed scheme is more efficient and applicable to mobile devices with limited computing and storage capabilities in the Internet of Things environment.

#### 1. Introduction

With the continuous development of Internet of Things technology, it has been widely used in health care, smart homes, industrial manufacturing, and environmental monitoring. Because the computing and storage resources of Internet of Things equipment are often limited, an increasing number of individuals and organizations outsource the storage of personal information to cloud servers to achieve lower cost. However, the cloud server is not completely trusted. How to protect the private information contained in the data, and how to deal with the large computing cost on resource-limited mobile devices, are therefore the problems that current research should solve.

In intelligent medicine applications, personal health information records are collected through wearable devices (e.g., smart bracelets) and then processed by a medical information integration platform. The Personal Health Record (PHR) is the core component of intelligent medicine and involves a large amount of users' personal private information. The data need to be shared with relevant doctors, relatives, and friends, so fine-grained access control over the data and related equipment is important. Sahai and Waters proposed a new public key cryptosystem called attribute-based encryption (ABE) [1]. Subsequently, ABE was divided into two categories according to the location of the access policy: key policy attribute-based encryption (KP-ABE) [2] and ciphertext policy attribute-based encryption (CP-ABE) [3]. In CP-ABE schemes, the access policy is embedded in the ciphertext and, in a cloud environment, outsourced to the Cloud Service Provider (CSP) together with the ciphertext. Because access policies are publicly available, anyone can read policies that contain private information. For example, in an intelligent medical system, a patient authorizes the cardiologist to access the encrypted data through the access policy {Department: Cardiology; Doctor: Alice}. Anyone who sees the encrypted data can conclude, without decrypting it, that the patient has “heart disease.” If the attribute values in the policy are not visible, that is, the policy appears as {Department: ×××; Doctor: ×××}, then the patient’s privacy can be guaranteed.

To avoid leaking the sensitive information implicit in the policy, how to hide the access policy has become a concern of many scholars. Nishide et al. [4] first proposed ciphertext policy attribute-based encryption with a hidden access structure. The access structure is not sent along with the ciphertext, so no one can obtain the access structure information, but the policy in the scheme supports only the “AND” gate structure. Lai et al. [5] proposed a CP-ABE scheme with a partially hidden access structure that achieves better policy expressiveness. Unlike previous schemes, each attribute is divided into two parts, an attribute name and an attribute value; the attribute name can be made public, while the attribute value is hidden. Li et al. [6] proposed an efficient attribute-based encryption scheme with a partially hidden policy. The scheme has a lower decryption cost, but the public parameters, ciphertext, and policy-related attribute information are easily obtained by arbitrary malicious users. Yin et al. [7] therefore proposed a more efficient scheme in the standard model that addresses the deficiency of Li et al.’s scheme [6]; its security is reduced to the DBDH assumption. Cui et al. [8] constructed a scheme on a composite order group that supports hidden attribute values, but it achieves only selective security. For the electronic medical system scenario, the scheme of Zhang et al. [9] not only hides the policy partially but also incurs less computing cost and storage overhead during decryption, and it is fully secure in the standard model. However, the number of bilinear pairing operations and modular exponentiations involved in decryption still depends on the number of attributes. To reduce the costly pairing operations, Hu et al. [10] proposed a semihidden attribute-based encryption scheme with a constant number of pairing operations, but the number of modular exponentiations is still linear in the number of attributes. The above schemes, however, only hide the access structure; their computing overhead depends on the complexity of the access structure and the number of attributes, and encryption and decryption still require a large number of modular exponentiations and pairing operations.

IoT devices need to be online in real time when generating policy-related ciphertext, but IoT devices with limited computing and storage are not always online. To solve this problem, Li et al. [11] put forward an offline/online attribute-based encryption scheme that supports an invisible access policy. The key generation and encryption operations are divided into offline and online phases. That is, the key and ciphertext are precalculated in the offline phase, and only a small amount of computation is needed in the online phase to complete all the key components and the ciphertext. However, the number of pairing operations involved in decryption is still linear in the number of attributes required for decryption. In this paper, we propose an offline/online attribute-based encryption scheme that not only hides the access structure but also supports outsourced decryption. The main contributions are as follows.

(1) Partial access policy hiding: unlike the access structure hiding technique adopted by Li et al. [11], this scheme divides each attribute into two parts, an attribute name and an attribute value. The attribute name can be disclosed, and the attribute value is hidden. Hence, attribute names can be uploaded to the cloud server provider (CSP) together with the ciphertext, while attribute values are not visible.

(2) Outsourced decryption: in the decryption process, the bilinear pairing operations and modular exponentiations are outsourced to the CSP for execution. The user only needs to verify the returned results and perform a constant number of exponentiations to recover the plaintext.

(3) Fully secure: our scheme is based on composite order groups and is proved to be fully secure by the dual-system encryption technology [12].

(4) Performance advantages: a comparison with previous schemes in terms of function and performance shows that the proposed scheme has more advantages. Simulation experiments based on the PBC function library show that our scheme is feasible in IoT.

#### 2. Related Work

##### 2.1. Policy Hidden

To preserve the privacy of user attributes in the cloud environment, Nishide et al. [4] first proposed a CP-ABE scheme with a hidden access structure. Lewko et al. [13] proposed a fully secure CP-ABE scheme by using a dual-system encryption technology in the standard model. Subsequently, Lewko and Waters [14] put forward a new proof method to achieve full security; however, the efficiency is lower. Lai et al. [5] and Jin et al. [15] gave a CP-ABE scheme supporting partial policy hiding. The scheme is proved to be fully secure, but the access structure supports only the “AND” gate structure. To reduce the bilinear pairing operations and modular exponentiations involved in the decryption process, the schemes in [5, 16] first test whether the user's attributes match the access policy before decryption; only if the match succeeds is the decryption operation performed. But the scheme in [16] supports only the “AND” gate structure, and the number of bilinear pairing operations and modular exponentiations during decryption is still linear in the number of attributes. Moreover, that scheme is proved to be only selectively secure, while Lai et al. [5] adopt the more flexible LSSS structure, and their scheme is fully secure in the standard model. But the bilinear pairing operations and modular exponentiations involved in the user testing phase and the decryption phase increase linearly with the complexity of the policy. Yan et al. [17] introduced a multiauthority attribute-based encryption scheme with partial policy hiding and dynamic policy updating. In the scheme, policy hiding only hides the attribute value, so it is called a semihidden policy. Complete attribute hiding can also be realized by the inner product predicate encryption technology [18], but most such schemes support only the “AND” gate structure with weak expressiveness, which limits their use in practical applications.

##### 2.2. Offline/Online Attribute-Based Encryption

Offline/online encryption preprocesses a lot of the heavy work in the offline phase and responds rapidly to key requests or encryption tasks in the online phase. Even et al. [19] first proposed the offline/online digital signature technology. Liu et al. [20] gave an identity-based offline/online signature scheme for a wireless sensor network environment. Guo et al. [21] proposed an identity-based offline/online encryption scheme in which most of the computational work is preprocessed in the offline stage and the actual encryption operation is completed in the online stage. Hohenberger and Waters [22] introduced an offline/online attribute-based encryption scheme in 2014, which was the first such scheme to adopt the offline/online technology. Liu et al. [23] proposed a new ciphertext policy attribute-based encryption scheme by combining the offline/online technology with verifiable outsourcing. Wang et al. [24] proposed an offline/online attribute-based encryption scheme that achieves full security in the standard model. However, it does not verify the partial decryption results computed by the cloud. Among existing intrusion prevention systems, an industrial network intrusion detection algorithm based on a multifeature data clustering optimization model has been proposed [25]. With the development of electronic chip technologies for IoT, Liang et al. [26] introduced a fast deep reinforcement learning- (DRL-) based detection algorithm for virtual IP watermarks, combining a mapping function with DRL to preprocess the ownership information of the IP circuit resource.

##### 2.3. Outsourced Attribute-Based Encryption

Green et al. [27] proposed the first outsourced attribute-based encryption scheme, which is secure in the random oracle model. The scheme delegates the decryption operation to a decryption server provider: the ciphertext is converted into an ElGamal-type ciphertext and then delivered to the user, which reduces the computing cost of the data user. Lai et al. [28] realized outsourced decryption and provided verification of the correctness of the outsourced computation. Li et al. [29] presented an offline/online attribute-based encryption scheme that reduces the computational overhead of the encryption phase with the offline/online technology. A “chameleon” hash function was also introduced to implement verification before the decryption phase. Moreover, the scheme was proved secure against adaptive chosen ciphertext attacks, but the bilinear pairing operations involved in decryption were still a large overhead for the user. Fan et al. [30] introduced a verifiable outsourcing scheme for multiple authorities in cloud-fog computing, which outsources encryption and decryption to fog nodes close to the end user. Compared with the remote cloud server provider, fog nodes can handle data with low latency, which makes them an ideal choice for real-time computation on data. Zhang et al. [31] proposed a fully outsourced access control scheme for the first time, in which the key generation, encryption, and decryption operations are all handled by the cloud, but it lacks a verification mechanism. Zhao et al. [32] put forward a verifiable fully outsourced scheme based on the original scheme [31]. The scheme supports verification and is optimized so that the computational cost does not increase significantly with the number of attributes or the complexity of the access policy. Yu et al. [33] introduced a verifiable outsourced attribute-based encryption scheme with partial policy hiding. In blockchain-based industrial networks, data storage management faces enormous challenges. Liang et al. [34] focus on data security issues in the industrial network and design a storage and repair scheme for fault-tolerant data coding.

#### 3. Preliminaries

##### 3.1. Composite Order Bilinear Group

The proposed scheme is based on a composite order bilinear group whose order is the product of three distinct primes. Let be an algorithm that inputs security parameter and outputs a tuple , where are 3 distinct primes, are cyclic groups of order , and is a map function such that (1) Bilinear: (2) Nondegenerate: if such that the order of is in .

Assume that the group operation in and the mapping function *e* are computable in polynomial time in . Let represent subgroups of *G*, the subgroups have order , respectively, then . If , , then . If the elements in the mapping function *e* are elements of different subgroups, the equation still holds; thus, the composite order bilinear group is said to satisfy orthogonality.
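The bilinearity and orthogonality properties described above can be checked numerically in a toy model. The following Python code is an added example, not code from the paper: it represents each element of *G* by its exponent modulo N = p1·p2·p3 with constructed toy primes (5, 7, 11), which makes discrete logarithms explicit and the model insecure by design, and the names `pair`, `subgroup_elem`, `is_orthogonal` and `blinded_pairing_matches` are hypothetical.

```python
# Toy model of a composite order bilinear group (added example, insecure by design).
# An element g^a of G is stored as the exponent a in Z_N; G_T is the order-N
# subgroup of Z_Q^*. All parameters below are constructed for illustration.
P1, P2, P3 = 5, 7, 11
N = P1 * P2 * P3            # group order, product of three distinct primes
Q = 2311                    # prime with Q - 1 = 6 * N, so Z_Q^* has an order-N subgroup


def _gt_generator():
    """Find an element of Z_Q^* whose order is exactly N."""
    for x in range(2, Q):
        h = pow(x, (Q - 1) // N, Q)          # order of h divides N
        if all(pow(h, N // p, Q) != 1 for p in (P1, P2, P3)):
            return h
    raise ValueError("no generator found")


GT_GEN = _gt_generator()


def mul(a, b):
    """Group operation in G: g^a * g^b = g^(a+b)."""
    return (a + b) % N


def pair(a, b):
    """Pairing e(g^a, g^b) = e(g, g)^(a*b)."""
    return pow(GT_GEN, (a * b) % N, Q)


def subgroup_elem(p, k):
    """Element (g^(N/p))^k of the subgroup of order p."""
    return ((N // p) * k) % N


def is_bilinear(u, v, a, b):
    """Check e(u^a, v^b) == e(u, v)^(a*b)."""
    return pair(u * a % N, v * b % N) == pow(pair(u, v), a * b, Q)


def is_orthogonal(p, q, k1, k2):
    """Check that elements of the order-p and order-q subgroups pair to 1."""
    return pair(subgroup_elem(p, k1), subgroup_elem(q, k2)) == 1


def blinded_pairing_matches(a, r, b):
    """A factor from another subgroup does not change a pairing with G_p1.

    This is the effect dual-system proofs rely on: extra components living
    in a different subgroup are invisible to elements of the first subgroup.
    """
    key_part = subgroup_elem(P1, a)
    blinded = mul(key_part, subgroup_elem(P2, r))   # multiply in a G_p2 element
    ct_part = subgroup_elem(P1, b)
    return pair(blinded, ct_part) == pair(key_part, ct_part)


if __name__ == "__main__":
    print("bilinear:", is_bilinear(3, 8, 12, 29))
    print("G_p1 vs G_p2 orthogonal:", is_orthogonal(P1, P2, 3, 4))
    print("G_p1 vs G_p1 orthogonal:", is_orthogonal(P1, P1, 1, 1))
    print("blinding cancels:", blinded_pairing_matches(3, 6, 2))
```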

##### 3.2. Linear Secret Sharing Scheme (LSSS)

The secret sharing scheme on the participant set is called a linear secret sharing scheme if the following conditions are met. (1) A vector can be formed by the secret share of each party over (2) For the secret sharing scheme , there is a matrix of size that maps each row of the matrix to an associated participant . For , is the party associated with the -th row of . We first generate a column vector , where is a shared secret and is randomly selected, . According to scheme , are the secret shares of the shared secret , and the share is held by the participant .

The linear secret sharing scheme has the property of linear reconstruction. If is an authorized access set, then there are constants such that holds, where is the valid share of the secret , .
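Share generation and linear reconstruction, as described in this subsection, can be run end to end. The following Python code is an added example, not code from the paper: the symbols `M`, `rho`, `s`, the shares and the constants `omega` follow the usual LSSS notation and are assumptions here, the policy "(Department: Cardiology AND Doctor: Alice) OR Role: Auditor" is constructed, and attribute values are compared in the clear as a stand-in for the scheme's hidden-value matching.

```python
import secrets

P = 2**127 - 1  # prime modulus for the share field (constructed choice)

# Constructed policy: (Department:Cardiology AND Doctor:Alice) OR Role:Auditor.
# Row i of M belongs to attribute rho[i]; the name is public, the value is
# what the scheme hides (kept in the clear here only for illustration).
M = [[1, 1],
     [0, -1],
     [1, 0]]
RHO = [("Department", "Cardiology"), ("Doctor", "Alice"), ("Role", "Auditor")]


def make_shares(matrix, s, p=P):
    """Share s: pick v = (s, r2, ..., rn) and return lambda_i = M_i . v mod p."""
    n = len(matrix[0])
    v = [s % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [sum(a * b for a, b in zip(row, v)) % p for row in matrix]


def recon_constants(matrix, rows, p=P):
    """Solve sum_i omega_i * M_i = (1, 0, ..., 0) over Z_p for the given rows.

    Returns {row index: omega_i}, or None when the rows are not authorized.
    """
    n, k = len(matrix[0]), len(rows)
    # One equation per matrix column j; unknowns are the omega_i.
    aug = [[matrix[i][j] % p for i in rows] + [1 if j == 0 else 0]
           for j in range(n)]
    pivots, r = [], 0
    for c in range(k):
        piv = next((i for i in range(r, n) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(n):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == n:
            break
    # A zero row with a nonzero right-hand side means no solution exists.
    if any(aug[i][k] for i in range(r, n)):
        return None
    omega = [0] * k
    for i, c in enumerate(pivots):
        omega[c] = aug[i][k]
    return dict(zip(rows, omega))


def reconstruct(matrix, rho, shares, user_attrs, p=P):
    """Recover s from the shares of rows whose (name, value) the user holds."""
    rows = [i for i, (name, value) in enumerate(rho)
            if user_attrs.get(name) == value]
    omega = recon_constants(matrix, rows, p)
    if omega is None:
        return None
    return sum(w * shares[i] for i, w in omega.items()) % p


if __name__ == "__main__":
    secret = 123456789
    lam = make_shares(M, secret)
    print(reconstruct(M, RHO, lam, {"Department": "Cardiology", "Doctor": "Alice"}))
    print(reconstruct(M, RHO, lam, {"Department": "Cardiology", "Doctor": "Bob"}))
```

An unauthorized attribute set yields `None` because no constants exist that combine its rows into (1, 0, ..., 0); a matching attribute name with the wrong value contributes no row at all.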

##### 3.3. Key Derivation Function (KDF)

The KDF algorithm takes an original secret key DK and a length as input and outputs a bit string. The KDF algorithm is secure if any probabilistic polynomial time adversary has only the following negligible advantage.

Note that .

##### 3.4. Complexity Assumption

The order of group is defined as the product of three different prime numbers. For any nonempty set , the order of subgroup of group is. In this paper, the subgroup is denoted by . The security is based on the following complexity assumptions, and a detailed description of the complexity assumptions is given.

*Assumption 1. *(The General Subgroup Decision Assumption): Given a group generation algorithm , represent a nonempty subset of a set, where satisfies or , . Define the following distribution:

If the advantage of Adversary satisfies , then this assumption can be broken.

*Definition 2. *For any probability polynomial time, if is a negligible function, then the algorithm meets Assumption 1.

*Assumption 3. *Given a group generation algorithm , define the following distribution:

If the advantage of Adversary satisfies , then this assumption can be broken.

*Definition 4. *For any probability polynomial time, if is a negligible function, then the algorithm meets Assumption 3.

#### 4. System Algorithm and Security Model

##### 4.1. Algorithm Definition

This scheme consists of the following seven algorithms:

the algorithm inputs the security parameters , attributes universe *U*, and outputs master key and the public parameter including the Key Derivation Function (KDF)

this algorithm is implemented by the attribute authority in the offline phase. Input the public parameter *PK* and attribute set , and return the intermediate key

this algorithm is implemented by the attribute authority in the online phase. It inputs the public parameter *PK*, master key *MSK*, attribute set , and intermediate key , then returns the transformed key and secret key , where *TK* is used for outsourced decryption and *SK* is used for user local decryption

the algorithm is run by the data owner in the offline stage. Input public parameters and access policy ; it will output intermediate ciphertext *IC*

the algorithm is run by the data owner in the online stage. Input public parameters , intermediate ciphertext *IC*, and message ; then, it outputs complete ciphertext

the algorithm is executed by the cloud server provider (CSP) to generate partial decryption ciphertext by inputting the transformed key TK and the ciphertext *CT*

the algorithm is executed by the local user to generate by inputting secret key , complete ciphertext , and partial decryption ciphertext , then returns .

##### 4.2. Security Model

We define the security model of this paper through the security game between Challenger (Simulator) and Adversary . The game process is as follows:

*Setup*. Challenger performs the Setup algorithm and outputs the public parameter *PK* to the Adversary

*Phase 1*. Challenger initializes empty table , empty set , and integer . Adversary can repeatedly ask any of the following queries:

*Create (**)*. The challenger sets run the key generation algorithm on the attribute set to obtain the key set (, ), and finally stores in table

*Corrupt (**)*. If there is an -th entity in table , then the challenger obtains the entity and sets , and then outputs the key set to Adversary . If it does not exist, then outputs “”

*Challenge*. For all , Adversary submits two equal-length messages and access structures to B, the Challenger selects and encrypts the messages in the access structure , then sends the generated ciphertext to the Adversary .

*Phase 2*. The Challenger continues to respond to the adversary’s queries in the way of *Phase 1*, but the adversary cannot ask the challenger the attribute set that satisfies the policy

*Guess*. The Adversary outputs the guess value , and if , then the Adversary wins the game.

#### 5. Our Construction

The offline/online attribute-based encryption scheme proposed in this paper, which supports partial policy hiding and outsourced decryption, is inspired by references [14, 24] and consists of the following seven algorithms. The scheme is constructed as follows:

the algorithm inputs the security parameters , attributes universe , and selects a linear group of order , where , are three different prime numbers, and represents the order of subgroup . Then, it randomly selects and , meanwhile setting the key derivation function KDF with the output length and the collision-resistant hash function , and finally outputs the public parameters and the master key .

The user attribute set is defined as , where represents the attribute name index, , and represents the attribute value set

the algorithm selects and calculates, where, then outputs

it randomly selects , and calculates , then outputs the transformed key and user secret key .

the algorithm inputs the specified access policy, where is a matrix of and is a function that maps the -th row of the matrix to the attribute name index. And is the attribute value set associated with access policy . Then, it selects a vector , , computes, , and finally generates intermediate ciphertext

it firstly computes . Next, it selects and computes , , then finally outputs the complete ciphertext

after receiving the transformed key *TK* and the ciphertext *CT*, if the attribute set satisfies access policy , there is a subset that satisfies , where denotes the subset of that meets , and then there exists a set of constants such that holds, and is the valid share of the secret . The procedure of transformed ciphertext follows the steps below:
which finally gain the partial decryption ciphertext

the algorithm is run by data user, which takes and *SK* as input, then computes , . If and hold, meanwhile if , it outputs , else , then returns “.”

#### 6. Security Proof

Theorem 5. *If Assumption 1 and Assumption 3 hold, then the proposed scheme based on the defined security model is fully secure and satisfies CPA (Chosen-Plaintext Attack) security.*

*Proof. *The security proof of the scheme is similar to that in [14]; that is, the dual-system encryption technology is used to prove its security. First, define two semifunctional structures: the semifunctional ciphertext and the semifunctional key. A normal secret key can decrypt both normal ciphertexts and semifunctional ciphertexts, but a semifunctional secret key cannot decrypt a semifunctional ciphertext. Semifunctional keys and semifunctional ciphertexts are used only in the security proof and do not appear in actual systems.

Semifunctional key: it first calls the normal key generation algorithm to generate a normal key and then randomly selects elements to generate a semifunctional key: ; in other words, except for , the remaining components are multiplied by the elements in.

Semifunctional ciphertext: first call the normal encryption algorithm to generate a normal ciphertext: , then select a random exponent , and random vector , where is the first element in the set, random exponent , then the semifunctional ciphertext is . The element structure in group here is similar to the element structure in , but not related to public parameters.

First, let denote the total number of key queries made by the adversary, and define the game , where.

in this game, the ciphertext obtained by to the attacker is a semifunctional ciphertext, the first keys are also semifunctional, and the remaining keys are normal.

The security proof of the scheme based on Assumption 1 and Assumption 3 is demonstrated through a series of games. We first transition from to , then to , and until to , where the key and ciphertext submitted to the attacker are semifunctional. Finally, to stop, the ciphertext obtained by to the attacker at this time is generated by semifunctional encryption of random messages. Because the attacker does not have any advantages in the final game, the security proof of the scheme in this paper ends here.

Lemma 6. *Under Assumption 1 (the general subgroup decision assumption), no polynomial time attacker can achieve a nonnegligible difference in advantage between and .*

*Proof. *We first create an algorithm in probabilistic polynomial time to break the general subgroup decision assumption and set . Let input to Algorithm , where is the generator of the group , is the generator of the group , and is the random element of the group or the random element of the group . can act as a simulator to interact with the adversary, and can simulate or interact with the Adversary , depending on the nature of .

chooses a random exponent and sets public parameters to submit to Adversary . We notice that Simulator knows the master key . When makes a secret key query, will call the normal key generation algorithm to create a secret key.

The adversary requests a challenge ciphertext and message related to the access policy . randomly selects bit and generates the ciphertext ; then, of implicit setting is equivalent to the part of in . randomly selects the vector , and the first element of the vector has a value of 1. At the same time, let and select randomly, then set . We should note that the elements are distributed randomly, and then, the corresponding ciphertexts are .

If , the ciphertext is normal ciphertext, and simulates the game and interacts with . If , it is a semifunctional ciphertext. And the elements in are set as follows: is the components of in , is equivalent to the value of , is equivalent to , is equivalent to , is equivalent to , and is equivalent to . We note that these values are generated by proper distribution, and the values of the element uniformly selected at random are independently and uniformly distributed. We also notice that public parameters will leak the value of , so when , and simulate game, and then can use adversary’s nonnegligible distinction in these games to obtain a nonnegligible advantage to break Assumption 1 (general subgroup decision assumption).

Lemma 7. *Under Assumption 1 (the general subgroup decision assumption), no polynomial time attacker can achieve a nonnegligible difference in advantage between and .*

*Proof. *We first create an algorithm in probabilistic polynomial time to break the general subgroup decision assumption and set . Let input to Algorithm , where is the generator of the group , is the generator of the group , is the generator of the group , and is the random element of the group or the random element of the group . And can simulate or to interact with Adversary , depending on the nature of .

chooses a random exponent and sets public parameters to submit to Adversary . We noticed that Simulator knows the master key . When makes a secret key request, will call the normal key generation algorithm to create a private key in response to ’s key query. In response to the first key query of , generates a semifunctional key according to the following. First, the normal key generation algorithm is called to generate the normal key, and then the random value is selected to generate the semifunctional key: , where group elements are distributed uniformly and randomly in .

In order to generate semifunctional challenge ciphertext, the adversary requests a challenge ciphertext and message related to access policy. randomly selects bit and generates the ciphertext of , and the is equivalent to the part of in . randomly selects the vector and the first element value of the vector is 1, and set ; then, the corresponding ciphertext calculated is as follows: , where set implicitly. In order to create a semifunctional ciphertext, the value of will not be revealed by the public parameters. To generate the -th key request query for the associated attribute set, randomly selects and the random element and calculates the following components: .

If , the distributed key is a normal key. If , the distributed key is a semifunctional key, so when , simulates the game to interact with adversary. When , simulates the game . Then, can take advantage of adversary’s nonnegligible difference in these games to obtain a nonnegligible advantage to break Assumption 1 (general subgroup decision assumption).

Lemma 8. *Under Assumption 3 (the general subgroup decision assumption), no polynomial time attacker can achieve a nonnegligible difference in advantage between and .*

*Proof. *We first create an algorithm in probabilistic polynomial time to break the general subgroup decision Assumption 3. Let input to Algorithm , where is the random element of or the group . And can simulate or to interact with the Adversary , depending on the nature of .

chooses a random exponent and sets public parameters to submit to Adversary . We noticed that Simulator knows the master key . When generates the -th key request query of the associated attribute set, randomly selects exponent and random elements , then calculates the following components (see the formula (6)):

We note that the generated key is a semifunctional key. In response to the first key query of , generates a semifunctional key according to the following. First, the normal key generation algorithm is called to generate the normal key , and then, the random value is selected to generate the semifunctional key: , where group elements are distributed uniformly and randomly in .

To generate a semifunctional challenge ciphertext, randomly selects a vector , and the first element of the vector has a value of 1, while letting, randomly selects exponent , and sets . We should note that the elements are distributed randomly; then, the corresponding ciphertext is

This ciphertext is a semifunctional ciphertext, where is equivalent to , is equivalent to , is equivalent to , is equivalent to, and . These values are randomly distributed, because are random elements in , and the value of the mod distributed is independent of the value of these elements mod.

If , the generated ciphertext is a semifunctional ciphertext by encrypting , and simulates the game and interacts with . If is a random element in , then it is a semifunctional ciphertext generated by encrypting a random message, simulation game . Therefore, can take advantage of ’s nonnegligible difference in these games to obtain a nonnegligible advantage to break Assumption 3.

This completes proof of Theorem 5.

#### 7. Performance Analysis

The proposed scheme is compared with the schemes [9, 11, 14, 22–24] from the perspectives of function and computing cost. In the comparison, represents the subgroup of the order . indicates the number of attribute universe. represents the number of the matrix *M* row, and represents the number of attribute sets that satisfy the policy. We use ,, and to denote the time of one modular exponentiation in , one modular exponentiation in , and one bilinear pairing, respectively. Because the main computing overhead of this scheme consists of bilinear pairing operations and modular exponentiations, modular multiplication and hash operations are ignored.

##### 7.1. Theoretical Analysis

Table 1 compares the functionality of the schemes. Zhang et al. [9], Lewko and Waters [14], Wang et al. [24], and our scheme are constructed on composite order groups and are proved to be fully secure, while the schemes of Li et al. [11], Waters et al. [22], and Liu et al. [23] do not achieve full security. In terms of attribute privacy protection, besides our scheme, Zhang et al. [9] and Li et al. [11] also implement partial policy hiding. In terms of reducing computational overhead, Li et al. [11] and Waters et al. [22] adopt the offline/online technology, while Liu et al. [23] and Wang et al. [24] not only adopt the offline/online technology but also support outsourced decryption. However, the scheme of Liu et al. [23] supports verification of outsourced decryption results, while the scheme of Wang et al. [24] does not implement a verification mechanism. Based on the above analysis, the scheme proposed in this paper not only hides attribute values but also adopts the offline/online technology and a verifiable outsourced decryption algorithm to reduce the user’s local computational cost. In addition, it is proved to be fully secure.

Table 2 compares the computing cost. Since the schemes in [14, 22, 23] do not support policy hiding, they are not analyzed or compared in Table 2. It can be seen that the amount of computation required in the data encryption and data decryption stages is linearly and positively related to the number of attributes. The schemes in [11, 24] and the proposed scheme use offline/online key generation and offline/online encryption. Therefore, most of the computing overhead of data encryption is incurred in the offline phase, and only a small amount of computation is needed to complete key generation and data encryption in the online phase. In the scheme of [9], the modular exponentiation cost of encryption is much higher than in the other schemes. The scheme in [11] and our scheme have roughly the same modular exponentiation time. The encryption cost of [24] is lower than the modular exponentiation cost of [11] and our scheme; in the decryption process, however, our scheme requires fewer bilinear pairing and modular exponentiation operations than [24]. Compared with the scheme in [11], our scheme also requires fewer bilinear pairing and modular exponentiation operations. Compared with the scheme in [9], our scheme requires fewer modular exponentiation operations. Therefore, the computational efficiency of our scheme is better than that of the other related schemes.

##### 7.2. Experiment Analysis

The theoretical analysis above shows that the proposed scheme has advantages in terms of function and efficiency. To evaluate the actual performance more accurately, we perform an experimental analysis. Because the scheme in [11] is based on prime order groups while the other schemes are based on composite order groups, for a better comparison we only measure, through simulation experiments, the time spent by the schemes in [9] and [24], including the time required for offline encryption, online encryption, outsourced decryption, and local decryption.

*Experimental environment*: Windows 10, Intel® Core(TM) i5-8300H (2.30 GHz), 8 GB memory; the experimental code is based on the JPBC-2.0.0 (Java Pairing-Based Cryptography Library) function library and the MyEclipse development environment. In the experiment, the type A pairing structure is used to construct an elliptic curve on a finite field. The order of the group is , and the order of the base field is . Here, we take , , where the pairing operation and modular exponentiation invoke `pairing.pairing` and `G_1.powZn`, respectively, in the library for testing.

*Experimental setup*: in CP-ABE, the number of attributes in the access policy affects the encryption and decryption time. In the experiment, we set the number of attributes to 20 and increase it by 5 each time, so the schemes are tested with 4 different access policies. By comparing the computing time of the terminal user under the different access policies, we obtain the required time.

Figure 1 has four subfigures, Figures 1(a)–1(d), which represent the data owner’s offline encryption, online encryption time, cloud server decryption time required for outsourced partial decryption, and local user’s decryption time.

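**Figure 1**: (a) offline encryption time; (b) online encryption time; (c) cloud server time for outsourced partial decryption; (d) local user decryption time.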

Figure 1(a) shows that the offline encryption time of our scheme is higher than that of the scheme in [24]. In Figure 1(b), the online encryption process of [24] does not involve modular exponentiation or pairing operations, so its computing time is 0; compared with [9], the online encryption time of our scheme is constant and much lower. In Figure 1(c), the decryption overhead incurred by the cloud server is lower than that in [24]. In Figure 1(d), the local decryption time of our scheme and that of [24] are both constant and much lower than that of the scheme in [9]. The decryption time required by our scheme is slightly higher than that of [24], but in [24] the partially decrypted ciphertext returned by the cloud server cannot be verified, so its correctness is not guaranteed. Meanwhile, Wang et al.’s scheme [24] cannot realize the policy hiding function. Since the proposed scheme supports outsourced decryption and verification, the user only needs to perform a constant number of exponentiations, which not only reduces the user’s calculation burden but also ensures the accuracy of the partial decryption result returned.

From the above comprehensive analysis, the proposed scheme is superior to other schemes in terms of function and performance, so it is more effective and feasible in the IoT environment.
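The split this analysis relies on (the cloud server does the heavy transform, the user does a constant number of exponentiations and then verifies the returned result) can be illustrated with a generic key-blinding pattern. This is an added example, not the paper's construction or code: a toy ElGamal-style KEM over a small prime field stands in for the ABE ciphertext, and the group parameters, function names and hash-tag format are all assumptions.

```python
# Added illustration: toy ElGamal-style KEM standing in for the ABE ciphertext.
# The group, names and tag format are assumptions, not the paper's construction.
import hashlib
import hmac
import secrets
from math import gcd

P = 2**127 - 1   # Mersenne prime; toy size, not a secure parameter
G = 3            # constructed base element


def _h(label: bytes, k: int) -> bytes:
    """Domain-separated hash of a group element."""
    return hashlib.sha256(label + k.to_bytes(16, "big")).digest()


def keygen():
    """User secret a and public key g^a."""
    a = secrets.randbelow(P - 2) + 1
    return a, pow(G, a, P)


def encrypt(pk: int):
    """Encryptor: ciphertext (c0, tag) and the session key it protects."""
    s = secrets.randbelow(P - 2) + 1
    k = pow(pk, s, P)
    return (pow(G, s, P), _h(b"tag", k)), _h(b"key", k)


def make_transform_key(a: int):
    """User blinds a with z; the server only ever sees tk = a / z mod (P-1)."""
    while True:
        z = secrets.randbelow(P - 2) + 1
        if gcd(z, P - 1) == 1:          # z must be invertible mod P-1
            return (a * pow(z, -1, P - 1)) % (P - 1), z


def server_transform(tk: int, ct) -> int:
    """Cloud server: the heavy step (pairings in a real ABE scheme)."""
    return pow(ct[0], tk, P)


def user_finish(z: int, ct, partial: int) -> bytes:
    """User: one exponentiation, then check the result against the tag."""
    k = pow(partial, z, P)
    if not hmac.compare_digest(_h(b"tag", k), ct[1]):
        raise ValueError("partial decryption failed verification")
    return _h(b"key", k)
```

Without the tag check, a server that returns a wrong partial result would silently yield a wrong session key, which is the gap the analysis attributes to [24].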

#### 8. Conclusion

To address privacy leakage and heavy computing overhead in the IoT environment, this paper proposes an offline/online outsourced ABE scheme with partial policy hiding. The scheme divides each attribute into two parts, an attribute name and an attribute value; the attribute name is public and the attribute value is hidden, which protects the privacy of user attributes. Additionally, offline/online technology is adopted to reduce the burden of encryption and decryption: much of the heavy work is preprocessed in the offline stage, and only the remaining computation needs to be done in the online stage. The bilinear pairing and modular exponentiation operations are outsourced to the cloud server, and the user only needs to verify the outsourced calculation results to ensure their accuracy. The scheme is proven to achieve full security under the standard model based on static assumptions. Lastly, theoretical and experimental analysis shows that our scheme has more advantages in the IoT environment.

#### Data Availability

The data used to support the findings of this study are included within the article.

#### Conflicts of Interest

The authors declare there are no conflicts of interest regarding the publication of this paper.

#### Acknowledgments

This work was supported in part by the Special Focus on Research and Promotion of Henan Province under Grant 192102210280, in part by the Research Foundation of Young Core Instructor in Henan Province under Grants 2018GGJS058 and 2019GGJS061, and in part by the Innovative Scientists and Technicians Team of Henan Provincial High Education under Grant 20IRTSTHN013.