#### Abstract

Cloud-assisted Internet of Things (IoT) significantly facilitate IoT devices to outsource their data for high efficient management. Unfortunately, some unsettled security issues dramatically impact the popularity of IoT, such as illegal access and key escrow problem. Traditional public-key encryption can be used to guarantees data confidentiality, while it cannot achieve efficient data sharing. The attribute-based encryption (ABE) is the most promising way to ensure data security and to realize one-to-many fine-grained data sharing simultaneously. However, it cannot be well applied in the cloud-assisted IoT due to the complexity of its decryption and the decryption key leakage problem. To prevent the abuse of decryption rights, we propose a multiauthority ABE scheme with white-box traceability in this paper. Moreover, our scheme greatly lightens the overhead on devices by outsourcing the most decryption work to the cloud server. Besides, fully hidden policy is implemented to protect the privacy of the access policy. Our scheme is proved to be selectively secure against replayable chosen ciphertext attack (RCCA) under the random oracle model. Some theory analysis and simulation are described in the end.

#### 1. Introduction

In traditional public key encryption schemes, the encryptor encrypts the message with the public key of the decryptor; hence, only the decryptor who owns the corresponding decryption key can decrypt the data. In other words, this type of scheme relies on the public key certificate system which we all know is pretty difficult to manage. In 1984, Shamir first proposed the identity-based encryption (IBE) where the encryptor uses the identity of the decryptor as his/her public key [1]. In [2], Boneh et al. proposed an IBE using the elliptic curve pairing, which greatly promoted the development of this field. Although the IBE solves the public key management problem, it still cannot achieve one-to-many private data sharing. Unfortunately, this kind of application is extremely common in ubiquitous Internet of Things (IoT) scenarios.

To tackle this issue, Sahai et al. first proposed a fuzzy identity encryption scheme [3], which is later developed into the attribute-based encryption (ABE). There are two types of ABE, the first one is named as ciphertext-policy attribute-based encryption (CP_ABE) and the other one is key-policy attribute-based encryption (KP_ABE). CP_ABE was proposed by Waters, in which the encryptor needs to know nothing about who can decrypt the ciphertext exactly, and he/she just encrypts the message with a self-defined access policy [4]. Any decryptor can decrypt correctly as long as its attribute set meets the access policy in the ciphertext. In other words, in CP_ABE schemes, data owners own the right to design who can decrypt fully.

IoT, which acts as the bridge between the physical world and the cyber world, enables the creation of a bunch of smart applications [5], such as smart city, smart industry, and smart health care system. Considering that most IoT devices are resource constrained and cannot handle the huge amount of data locally and efficiently, the cloud storage server is included in the IoT and forms a new paradigm, the cloud-IoT, where the cloud or a resource-adequated server provides useful services like storage and computing. ABE schemes with a single attribute authority do not adequately address the needs of the ubiquitous IoT devices properly. In [6], Chase first proposed a multiauthority ABE scheme. However, Chase’s scheme still requires the trusted central authority (CA), which can decrypt any ciphertext that it wants to decrypt. Later, Chase et al. improve their scheme by removing the CA and achieve a truly decentralized ABE scheme [7].

In [8], Lewko et al. proposed a distributed ABE scheme, which not only realizes multiauthority attribute-based encryption (MAABE) but also proves the system security with dual system encryption methodology. Unfortunately, the application of ABE in IoT still faces an important challenge: IoT devices with limited resources cannot afford the huge number of bilinear pairing operations in ABE schemes. Therefore, Green et al. proposed an outsourced ABE scheme which ensures the data security while minimizing the computational burden of equipments [9].

In this paper, a multiauthority attribute-based encryption scheme with white-box traceability and verifiable outsourced decryption was proposed for cloud IoT. Compared with the existing ABE schemes, our scheme has the following contributions: (i)As there is a great quantity of attributes used in the decryption key generation, each attribute authority controlls a set of disjoint attributes independently in our scheme. The central authority is only responsible for generating the public parameters, and the right to decide who can decrypt is hold by the data owners directly(ii)Our scheme uses the linear secret sharing schemes (LSSS) to allow any monotone access structures. More importantly, to protect the privacy of IoT users, our scheme realizes fully hidden access policy(iii)Considering the needs of resource-constrained IoT devices, our scheme outsources most decryption works to the cloud by the verifiable outsourcing technology(iv)Our scheme adopts the Boneh-Boyen short signature algorithm to implement the user traceability mechanism. In other words, we use a white-box trace algorithm to tackle the private key leaking issue

##### 1.1. Paper Organizaiton

Section 2 summarizes many related works, and Section 3 introduces all preliminaries of our scheme including some complexity assumptions. The system model and security models are presented in Section 4. In Section 5, we propose the concrete construction and a simple application of our scheme. Section 6 outlines the proof of indistinguishability, verifiability, fully hiding, and traceability of our scheme. We compare our scheme with some other schemes about the storage and computation costs in Section 7. Section 8 contains the conclusion.

#### 2. Related Work

Many works have been proposed since Sahai et al. first proposed the attribute-based encryption [3]. ABE schemes can be classified into two categories generally: the key-policy attribute-based encryption (KP_ABE) and the ciphertext-policy attribute-based encryption (CP_ABE) [4, 16]. Because CP_ABE allows the data owner to decide the access policy, it has been treated as the most promising solution to solve the access control issue in the cloud storage. In ABE schemes, the key pair of data users is generated by attribute authorities (AAs). Thus, the security of ABE schemes is based on the trust of the attribute authorities. To tackle the huge amount of data users contained in IoT, multiauthority attribute-based encryption (MA_ABE) was proposed, which can manage the huge amount of attributes in a more efficient way [6, 17–19], where each attribute authority controls an unique set of attributes independently. To achieve both the data confidentiality and the data authentication in the body area network, Hu et al. proposed a fuzzy attribute-based signcryption scheme [20].

Another characteristic of IoT is that most devices are resource-limited [21–23]. As we all know that the decryption overhead of ABE schemes rises along with the attribute number involved in the access policy. Obviously the expensive pairing computations are unacceptable for most IoT devices. Therefore, some ABE schemes using the proxy reencryption concept have been proposed [24–26]. In [9], Green et al. proposed an outsourced ABE scheme, which outsources most decryption overheads to a trusted third-party server, but outsourced ABE schemes all rely on a semitrusted server to semidecrypt that leads to a serious problem: how to ensure the semidecrypted data is correct and not altered. In [27], Lai et al. proposed a verifiable outsourced ABE while this scheme requires heavy costs for decryption. Recently, Li et al. improved an ABE scheme to achieve not only verifiable outsourced decryption but also lightweight user decryption [10], but all outsourced schemes mentioned above rely on a central authority to manage and generate user decryption key. In [11], Belguith et al. proposed an outsourced multiauthority attribute-based encryption scheme. In [28], Deng et al. proposed an efficient outsourced attribute-based signcryption scheme which also solves the user revocation problem.

In the cloud-assisted IoT environment, data owners store private data in the shared cloud. In most ABE schemes, the access policy is uploaded to the cloud server in plaintext along with the encrypted data. This may reveal private information of the encryptor and the decrypor. In [29], Nishide et al. proposed an ABE scheme with partially hided access policy, but this scheme has poor expressiveness.

When it comes to application in the real word, a common issue of ABE schemes needs to be considered: the leakage of decryption keys. In other words, how to trace/recover the global identity of the guilty user who leaks its secret key to a malicious or illegal user. There are two tracing approaches, white-box traceability and black-box traceability, that can be used to solve this issue. In [30], Hinek et al. used the Boneh-Boyen signature [31] to achieve the white-box traceability. Liu et al. proposed a white-box traceable ABE [32] and a black-box traceable ABE with highly expression [33]. In [12], Liu et al. proposed a traceable and revocable ABE scheme which is more practical for real application. In [34], Yu et al. proposed a traceable ABE scheme with white-box traceability to manage data stored in the cloud storage. In [13], an efficient large-universe MA_CP_ABE with white-box traceability was proposed. While in [35], Qiao et al. proposed a traceable ABE scheme with black-box traceability for fog computing.

All traceable ABE schemes mentioned above have a shared issue: their decryption computation burden are intolerable for IoT devices. In [14], an ABE scheme with outsourced decryption designed for electronic health systems was proposed by Li et al. However, Li’s scheme did not consider the privacy of access policies which might contain sensitive personal information of users. We compare our scheme with some existed ABE schemes in Table 1. In a word, our ABE scheme achieves selective replayable CCA security and provides multiple practical functions, such as fully hidden policy, outsourced decryption, and traceability.

#### 3. Preliminaries

In this section, we provide all mathematical preliminaries needed for our scheme.

##### 3.1. Bilinear Maps

Let and be two multiplicative cyclic groups of prime order . Let be a generator of and be a , , with the following three properties [15]: (1)Bilinearity: for all and , we have , where is the integers modulo (2)Nondegeneracy: , where 1 is the unit of (3)Computability: there is a polynomial time algorithm to efficiently compute for any We say is a if the group operation in , and the bilinear map is both efficiently computable. Notice that the map is symmetric since .

##### 3.2. Access Structure

*Definition 1. *(access structure). Let be a set of parties. A collection is monotone if *: if* and , then . An access structure is a collection of nonempty subsets of , such as . The sets in are called authorized sets, and the sets not in are called unauthorized sets [9].

##### 3.3. Linear Secret Sharing Schemes (LSSS)

*Definition 2. *(linear secret sharing schemes (LSSS)). A secret-sharing scheme over a set of parties is called linear over if
(1)The shares of a secret for each party form a vector over (2)There exists a matrix with rows and columns called the share-generating matrix for and a function which maps each row of the matrix to an associated party. That is, for , the value is the party associate with the row . When we consider the column vector where is randomly chosen, then is the vector of shares of the secret according to . The share belongs to the party According to [9], every linear secret-sharing scheme based on the above definition also enjoys the linear reconsruction property defined as follows: Let be an LSSS for the access structure . Let be any authorized set, and let be defined as . Then, there exist constants such that if are valid shares of any secret according to , then . It is shown in [9] that these constants can be found in polynomial time in the size of the share-generating matrix .

##### 3.4. One-Way Anonymous Key Agreement

One-way anonymous key agreement [15] scheme can be used to guarantee anonymity of the access structure. This scheme only ensures the anonymity of one participant. Assume that there are two participants Alice () and Bob () in this scheme. And the master secret of the key generation center (KGC) is . When Alice wants to keep anonymity, the process is listed as follows: (1)Alice calculates . A random number is choosed to generate the pseudonym and computes the session key . Finally, she sends her pseudonyms to Bob(2)Bob uses his secret key to calculate the session key , where is his private key for , and is a strong collision-resistant hash function

##### 3.5. Complexity Assumptions

*Definition 3. *Strong Diffie Hellman problem (q-SDH). Let be a multiplicative cyclic group of order with a generator . Given a random and a tuple , the problem of computing a pair , where , is called the -strong Diffie Hellman problem [13].

*Definition 4. *Computational Diffie Hellman problem (CDH). Let be a multiplicative cyclic group of order with a generator . Given two group elements where are two random integers. The problem of calculating from and is called Computational Diffie Hellman problem [11].

*Definition 5. *Decisional Bilinear Diffie Hellman problem (DBDH). Let be a multiplicative cyclic group of order with a generator . Given three group element where are three random integers. The problem of distinguishing tuples of the form *and* for some random integer is called the Decisional Bilinear Diffie Hellman problem [11].

#### 4. System Definition

##### 4.1. System Model

The system model of our scheme is illustrated in Figure 1, and the associated five entities are described as follows: (1)Central Trusted Authority (CTA): the CTA is only used to generate the public parameter, and it cannot decrypted any data(2)Attribute authorities (AAs): each AA controls a set of attributes. Multiple attribute authorities work together to generate the user’s decryption key. Besides, attribute authorities can use a trace algorithm to recover the global identity of the guilty user who leaks its private decryption key(3)Cloud storage service provider (CS): the CS is responsible to store the encrypted data. Moreover, CS performs the outsourcing decryption for users(4)Data owner (DO): the owner of the data which is responsible to encrypt and upload the data to CS(5)Data user (DU): the party who wants to access data

Table 2 summarizes notations used in our scheme. Assume that there are authorities in our scheme and each attribute is associated with an unique AA, such that for and .

##### 4.2. System Procedure

Our MAABE scheme with outsourced decryption and hidden policy contains the following five phases: (1) this phase includes two algorithms. Firstly, the CTA runs the algorithm to generate the global parameters , where is the security parameter. Then, each AA runs the algorithm to generate their own key pairs, which is consisted with a private key and a public key(2) the DO runs the algorithm to encrypt the message , and then it uploads the ciphertext to the cloud server(3) this phase contains two algorithms. Firstly, each related AA runs the algorithm independently to generate the decryption key for the DU with identity . Then, all results are sent to the user

To outsource the decryption work to the cloud, the user runs the algorithm to generate its outsourced decryption key. (4) this phase is divided into two steps. Firstly, the CS runs the algorithm to partially decrypt the ciphertext. The second step is performed by the user, who runs the algorithm to get the plaintext(5) to begin with, each verifies the format of the decryption key that needed to be traced, and then it runs the algorithm to output the global identity (GID) of the guilty user

##### 4.3. Security Models

We define four security models of our MAABE scheme in this section.
(1)*Confidentiality:* the confidentiality of data is the basic security requirement of a scheme, which is used to resist malicious adversaries to gain extral information from the ciphertext. Our scheme adopts the replayable chosen-ciphertext security (RCCA) defined in [36] by Canetti et al. as this type of security is sufficient enough and not to be too strict. Two restrictions are followed in this experiment: all decryption key queries cannot satisfy the challenge access struction fixed in the initialization phase by the adversary. And the attribute authorities can only be corrupted statically be the adversary

The selective secure against chosen ciphertext attack of our scheme is achieved if no probabilistic polynomial time (PPT) adversary can win the security experiment described in Figure 2 between an adversary and a challenger with nonnegligible advantage.
(2)*Verifiability*: our scheme is verifiable if there is no PPT adversary that can win the security experiment described in Figure 3 between an adversary and a challenger with nonnegligible advantage.(3)*Fully hidden:* in our scheme, the CS knows nothing about the access policy, and the user only knows if his/her attributes satisfy the access policy. Our scheme is an outsourced ABE with fully hidden policy if there is no PPT adversary that can win the security experiment described in Figure 4 between an adversary and a challenger with nonnegligible advantage. The goal of the adversary is to recover the correct access policy without the required decryption key.(4)*Traceability:* our scheme is a traceable ABE if there is no PPT adversary can win the security experiment described in Figure 5 between an adversary and a challenger with nonnegligible advantage.

*Definition 6. *An outsourced ABE scheme is RCCA-secure against static corruption of the attribute authorities if is negligible for all PPT adversaries.

*Definition 7. *An outsourced ABE scheme is verifiable if is negligible for all PPT adversaries.

*Definition 8. *An outsourced ABE scheme achieves policy private if is negligible for all PPT adversaries.

*Definition 9. *An outsourced ABE scheme is traceable if is negligible for all PPT adversaries.

#### 5. Construction and Application

The concrete construction of our MAABE scheme is presented in this section. Firstly, the CTA and all AA perform initialization and generate the PP and the public keys of AAs. Then, the DO can encrypt its data with an access structure. Before accessing the data, the DU needs to request its decryption key to the AAs. Next, the DU can access the data and decrypt successfully with the help of the cloud predecrypting for the DU first. Finally, the trace algorithm is used to reform the global identity of a guilty data user by the AAs. This section also contains a simple application in the end.

##### 5.1. Concrete Construction

###### 5.1.1. Phase I: System Initialization

(1) this step is performed by the CTA

It defines two multiplicative group of prime order , and is a generator of .

It defines a symmetric bilinear map .

It defines three collusion resistant hash functions as follows: where is the length of the symmetric key.

It defines a CPA-secure symmetric encryption scheme .

It outputs the global pubic parameter : (2) each attribute authority performs this step to get their key pair. We take the as an example

It chooses two random numbers for each attribute .

It chooses three random numbers .

It generates its pair of private key and public key as follows:

###### 5.1.2. Phase II: Encryption

We assume that the DO encrypts a message with an self-defined access structure , and is the attribute set which contains all attributes in the access structure . This phase contains three steps defined below: (1)

It chooses a random number and then computes where .

It replaces each attribute in with the corresponding .

It converts the access policy to a LSSS access matrix . (2)

It chooses a random element (the key seed) to calculate and the symmetric key .

It selects a for each row of and two random vectors .

It computers and .

It outputs the tuple where presents a matrix row corresponding to an attribute.

Details of the ciphertext are presented as follows:
(3)*Encrypt the message*

Uses to encrypt the message by the symmetric encryption algorithm and denote the result as .

It uploads to the CS.

###### 5.1.3. Phase III: Key Generation

(1)Decryption key

Each user owns an unique global identity and an attribute set where each attribute is associated with a designed attribute authority. Let be the set of related attribute authorities. According to , we divide into . When the user queries its decryption key, each related runs the key generation algorithm. We take the as an instance.

It chooses a random number for each .

It computes and returns the decryption key :

The decryption key of the user is noted as (2)Outsourced decryption key: the data user runs this algorithm(a)Reconstructs the access policy

It computes .

It uses to replace the attribute to get the attribute set .

It gains the access structure from .

It identifies the set of attributes required for the decryption. (b)Generates the outdec key

Chooses a random number to compute the outsourced decryption key as

###### 5.1.4. Phase IV: Decryption

(1) the CS performs outsourced decryption for the user

It computes the following equation for each matrix row corresponding to an attribute :

It chooses a set of constants such that .

It Computes

where is the row number of the access matrix.

It returns to the user. (2) this phase contains the following two steps(a)Recovers the message based on the partially decrypted ciphertext by computing the following equation

(note that this equation costs one exponentiation only and no pairing performance.) (b)Computes , , and

Judge if . If no, outputs . Else, the user gains the right .

Correctness of Equation (7):

*Proof. *First for each attribute , the CS uses to compute:
Then, it chooses a set of constants such that . Because and , so
Hence, we can get
Then, based on , the user recovers

###### 5.1.5. Phase V: Trace

The algorithm is performed by all attribute authorities. The input is the private key of a user.

Firstly, the AA checks the form of the key. If the key does not satisfies the form, this algorithm aborts.

Then, the AA searches its database to find if , s.t.

If yes, the global identity of the guilty user will be output.

##### 5.2. Application in the EHR System

In this section, we describe a simple application of our scheme based on the electronic health record (EHR) system. The basic procedures are presented in Figure 6, and the details are described as follows: (1)The central trusted authority (the government) performs the system set-up algorithm to generate and publish the global parameters (2)A set of management companies act as attribute authorities, and each attribute authority needs to set up first. Then, they publish their public keys while keeping private keys secret(3)A hospital encrypts a patient’s medical records based on a user-defined access structure and sends the ciphertext along with the fully hidden access structure to the cloud storing server to store(4)Before a data user (a doctor) requests the wanted records from the cloud server, he/she needs to get the decryption key from the attribute authorities first(5)To outsource the decryption work to the cloud server, the doctor generates the outsourced decryption key based on . Then, he/she sends to the cloud server(6)The cloud server will partially decrypt for the doctor as long as his/her attribute set satisfies the encryption access structure. Then, the cloud sends the partially decrypted ciphertext back to the doctor(7)Finally, the doctor can fully decrypt and get the medical records. Note that doctors only require one exponentiation in to fully decrypt, and one hash operation to verify whether the ciphertext was tampered(8)If a malicious user decrypt illegally with a valid decryption key, the attribute authorities can perform the trace algorithm to recover the identity of the guilty user who leaks his/her decryption key to a illegal user

#### 6. Security Analysis

##### 6.1. Indistinguishability

Theorem 1. *If Lewko et al.’s scheme [8] is CPA=secure, our multiauthority attribute-based encryption scheme is selectively replayable CCA-secure according to Definition 6 such that .*

*Proof. *We define a PPT adversary running the experiment defined in Section 4.3(1) with an entity . running Lewko et al.’s CPA-secure [8] experiment with a challenger . The proof described below is going to show that the advantage of to win the experiment is smaller than the advantage of to win Lewko et al.’s CPA-secure experiment . The detailed interactions are described as follows:
(1)Initialization: the adversary submits a challenge access policy to the challenge through (2)Set-Up: runs the algorithm to generate the global parameter It chooses two multiplicative cyclic groups of prime order with a generator of .

It chooses a bilinear map .

It chooses three collusion-resistant hash functions .

It chooses a cpa-secure symmetric encryption scheme .

It sends the global parameter to through .

It runs the algorithm to generate the key pairs of the noncorrupted authorities:

It chooses two random numbers for each attribute .

It chooses three random numbers to compute the public key .

It sends all attribute authorities’ public keys to through .

runs the algorithm to generate the key pairs of the corrupted authorities in the same way.
(3)Query phase I: initializes three empty tables , , , an empty set , and an integer . Details of queries are described as follows:(a)Hash query oracle: if the entry already existed in Table , return . Otherwise, it chooses a random element ( is unique in Table ). Then, it records in Table and returns .

oracle: if the entry already existed in Table , return . Otherwise, it chooses a random element . Then, it records in Table and returns .
(b)Key query: In the -th query, queries the decryption key related with an attribute set by sending and to . calls to generate the decryption key and sends it to . chooses a random number to compute the decryption key while setting chooses a random element to compute to simulate the output of the encryption algorithm. calls to run the outsourced decryption key generation algorithm: chooses a random number to compute
Sends to . stores the entry in the table . Finally, returns the key to .
(c)Decryption query: without loss of generality, we assume that all ciphertexts input to this query have been partially decrypted. For instance, we assume that was correctly decrypted by of the entry . Let be associated with a structure which is not equal with . Let be associated with a set of attributes which satisfies and not satisfies Search Table to find if there exists an entry which satisfies . If not, abort. Else, obtain entry in Table . If this entry does not exist, abort. Else, test if and . If yes, output . Else, abort.
(4)Challenge: chooses two message with same length then sends them to . chooses two message with same length and then sends them to . chooses a random bit , then encrypts under the access structure by running Lewko’s scheme. Finally, returns to . guesses with advantage . Then, computes and . Finally, returns to (5)Query phase II: the adversary can query a polynomially bounded number of queries as in query phase II after receiving the ciphertext with restrictions that the queried attribute set cannot satisfy the challenge access structure, and the response of the decryption query cannot be either or (6)Guess: tries to guess based on . Then, sends to through . If , we say that wins this experimentWe can easily get that the advantage of to win the experiment is smaller than the advantage of to win the experiment , because has to be based on the right provided by to guess successfully. In other words, and our scheme achieve selectively replayable CCA secure.

##### 6.2. Verifiability

Theorem 2. *If and are two collision-resistant hash functions, our scheme is verifiable against malicious servers.*

*Proof. *We define a PPT adversary running the experiment defined in Section 4.3(2) with an entity . tries to break the collision resistance of the two hash functions and .
(1)Initialization: the adversary submits a challenge access policy to the entity (2)Set-up: runs the algorithm to generate the global parameter except the two hash functions(3) runs the algorithm to generate keypairs of attribute authorities.Query: runs the adversary queries as defined in query phase I and query phase II through to get the related decryption keys and outsourced decryption keys
(4)Challenge: sends the challenge message to , and answers as followsIt chooses a random message to run Lewko’s encryption scheme to encrypt under the access policy .

It computes and .

It runs the symmetric encrypt algorithm to encrypt to generate the ciphertext .

It returns the ciphertext to .

If can recover a message , then we say wins this experiment. Hence there are two cases are considered:
(1), which means that finds a collision of the hash function (2) but , which means that breaks the collision resistance condition of such as In other words, since and are two collision-resistant hash functions, the outsourced decryption of our scheme is verifiable.

##### 6.3. Fully Hiding

Theorem 3. *Our scheme is an outsourced ABE with fully hidden policy if the one-way anonymous key agreement protocol [15] is IND-CPA secure.*

*Proof. *The purpose of this proof is that no PPT adversary can recover the access policy without the right decryption key. The setup phase and the query phase 1 are same as the confidentiality experiment.

In the challenge phase, the adversary chooses two challenge messages and two valid access policies , and then it sends them to the challenger . Notice, satisfy the following restriction: either all the attribute sets queried in query phase 1 satisfy none of the policy or all attribute sets satisfy both the policies. Then, computes based on the one-way anonymous key agreement protocol where is a random number. This step is used to hide the real policy by replacing each attributes in the policy with the corresponding . Then, chooses a random bit and encrypts the message under the access policy . Finally, sends to . After that, still can query a polynomially bounded number of queries as in query phase I. The none-or-both principle still works in this phase.

In the guess phase, outputs .

When tries to decrypt , it has to recover the access policy first. In our scheme, the decryption key is necessary for it to compute because we computed the based on the one-way anonymous key agreement protocol before we encrypted the message. It means only the authorized user can get the right access policy. And due to the random value , unauthorized user cannot guess attribute from which prevents the collusion of the users. Hence, the advantage of the adversary to win the experiment is negligible, and our scheme ensures the privacy preservation of the access policy against adaptive chosen plaintext attack.

##### 6.4. Traceability

In this section, we prove that our scheme is fully traceable under the -SDH assumption.

Lemma 1. *Our scheme achieves fully user traceability based on that the Boneh-Boyen fully signature scheme [31] is strong existential forgery secure against adaptive chosen message attack.*

*Proof. *We define a PPT adversary running the experiment defined in Section 4.3(4) to attack our scheme through an entity by breaking the Boneh-Boyen fully signature scheme with the same advantage under adaptive chosen message attacks. Assuming the advantage of the adversary to break our scheme is , and can access a random oracle . Let be the challenger in the B-B scheme, be the signature of , and is the associated public key of .
(1)Set-up: the challenger runs the algorithm to generate the global parameter and sends to . For each noncorrupted authorities in the set , sends to . Then, chooses two random numbers for each attribute in the attribute set of the authority, and then chooses a random number to generate the public key of the authority . Finally, returns and to . For corrupted authorities, runs the algorithm to generate the key pairs for them(2)Key query: runs queries. In the -th query, sends to . initiates an empty table and do the following steps(a)Accesses the random oracle : searches the entry in the table , and if it exists, outputs . Else, chooses a random number while stores in the table . outputs (b)Generates the decryption key : chooses a random number for each attribute and returns the signature . Then, computes the components of Then, sets . Finally returns the following result to :
(3)Key forgery: sends a to . The advantage of the adversary to win is defined aswhere is queried in the last phase. If , it means passed the form check and . Hence, , s.t.
Without loss of generality, we assume the adversary accessed the random oracle before it outputs the . obtains the entry from the table . According to , we can get . Then, computes the signature . Because , hence is a valid signature on message in the B-B signature scheme. Because , it means never queried the signature of before, and the advantage of to break the B-B scheme is equal with the advantage of the adversary to break our scheme, which is .

According to the Boneh-Boyen signature scheme, we can also get the following lemma.

Lemma 2. *If the -SDH assumption holds in the group , the full signature scheme of Boneh and Boyen is strong existential forgery secure against adaptive chosen message attacks.*

Theorem 4. *If the -SDH assumption holds in the group , our scheme achieves fully user traceability.*

*Proof. *It follows directly from the above Lemma 1 and Lemma 2.

#### 7. Performance Analysis

The notations used in our performance analysis are summarized in Table 3.

The comparison of storage cost and computational cost between our scheme and some other ABE schemes is illustrated in Tables 4 and 5separately. Notice that all results do not contain the costs of the symmetric cryptography including hash operations.

From Table 4, we can see that the decryption key lengths of scheme [11] and ours are related to the number of attributes used in decryption as both scheme outsource the most decryption work to the cloud server, while the decryption key length of scheme [14] is related to the number of attributes in user attribute sets. Speaking of the length of the ciphertext, of all four schemes are associated with the row number of the encryption LSSS access matrix.

As we can see from Table 4, scheme [13] needs exponentiations in group to generate the user decryption key. It needs exponentiations in group and exponentiations in group in the encryption phase. Specially, exponentiations in group and pairings are costed by a user who needs to decrypt in scheme [13], which is too heavy for resource-limited IoT devices. Scheme [11] is an ABE scheme with outsourced decryption which needs exponentiations in group in the key generation phase. It requires exponentiations in group , one exponentiation in group , and pairings to encrypt. As the most pairing operations are done by the cloud server, users only cost one exponentiation in group to decrypt in [11].

Li et al. proposed a traceable ABE scheme which needs exponentiations in group to generate the private key [14]. In encryption phase, users spends exponentiations in group and one exponentiation in group , while the cloud server performs exponentiations in group as well as pairings to predecrypt in [14]. As a result, users only cost three exponentiations in group to fully decrypt.

Our scheme needs exponentiations in group in the key generation phase. To achieve fully policy hidden which is deeply valuable in some healthy data application, our scheme requires exponentiations in group , one exponentiation in group , and pairings to encrypt. Meanwhile, our scheme realizes verifiable outsourced decryption. Our scheme outsources exponentiations in group and pairings to the cloud server. Thus, IoT devices in our scheme only require one exponentiation in group to decrypt, which dramaticlly reduces the computational overhead of resource-limited devices.

Figure 7 illustrates the time overhead of decryption. The simulation is performed in a Ubuntu 16.4 desktop system with 3.0-GHz Intel Core (TM) i5-7400 CPU and 2-GB RAM, and all experiments are done by using the Charm (version 0.50) [37], a rapid prototyping framework for cryptographic schemes based with Python.

Compared with the outsourced multiauthority ABE scheme [11] with no traceability, our traceable MAABE scheme is with little extra computational cost. However, the user decryption cost of [11] and our scheme is same owing to the outsourced decryption. While comparing with the traceable single-authority ABE scheme [14], our multiauthority scheme can handle more attributes and is more suitable for a large number of devices of IoT systems. In addition, another traceable MAABE [13] is not applicable for resource-limited IoT devices due to its heavy decryption cost.

More importantly, our scheme costs barely one hash operation to achieve the verification of decryption results. About another practical function is achieved by our scheme, traceability, and the cost of our scheme is . Although it looks like that this result is linear to the size of the attribute universe set, the real computational cost of this algorithm for each is linear to the size of its own attribute set as we assumed that attribute sets controlled by different attribute authorities are disjoint in our scheme.

#### 8. Conclusion

In this paper, we propose a multiauthority ABE scheme supporting verifiable outsourced decryption and white-box traceability. Our scheme outsources most decryption works to the honest-but-curious resource-rich cloud server; thus, our scheme meets the special needs of resource-limited IoT devices. Moreover, our scheme protects the privacy of both the encryptor and the decryptor by the fully hiding policy technology. At the same time, another issue influences the application of ABE—the key leakage problem—which is solved by the user traceability algorithm. In a word, our scheme realizes several practical functions while achieving replayable chosen-ciphertext attack security.

In the future, we plan to improve the scheme with fixed key size and ciphertext size to further reduce equipment overheads. Moreover, we can also consider how to solve another difficulty of the practical application of the ABE—attribute revocation and user revocation. How to dynamically withdraw attributes or users without affecting other authorized users is the focus of our future works.

#### Data Availability

All data used to support the findings of this study are available from the corresponding author upon request.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

This work was supported in part by the National Key Research and Development Program of China under Grant 2019YFB2102600; in part by the National Natural Science Foundation of China under Grants 62072065, 61832012, 61672321, 61771289, and 61373027; in part by the Fundamental Research Funds for the Central Universities under Grant 2019CDQYRJ006; in part by the Chongqing Research Program of Basic Research and Frontier Technology under Grant cstc2018jcyjAX0334; in part by the Key Project of Technology Innovation and Application Development of Chongqing under Grant CSTC2019jscx-mbdx0151; and in part by the Overseas Returnees Innovation and Entrepreneurship Support Program of Chongqing under Grants cx2018015 and cx2020004.