Next Article in Journal
Dimensionless Groups by Entropic Similarity: I — Diffusion, Chemical Reaction and Dispersion Processes
Next Article in Special Issue
Personalized Privacy Assistant: Identity Construction and Privacy in the Internet of Things
Previous Article in Journal
How Well Can We Infer Selection Benefits and Mutation Rates from Allele Frequencies?
Previous Article in Special Issue
RNNCon: Contribution Coverage Testing for Stacked Recurrent Neural Networks
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Online/Offline MA-CP-ABE with Cryptographic Reverse Firewalls for IoT

1
College of Data Science and Technology, Heilongjiang University, Harbin 150080, China
2
College of Telecommunication and Electronic Engineering, Qiqihar University, Qiqihar 161006, China
*
Author to whom correspondence should be addressed.
Entropy 2023, 25(4), 616; https://doi.org/10.3390/e25040616
Submission received: 16 February 2023 / Revised: 2 April 2023 / Accepted: 3 April 2023 / Published: 4 April 2023
(This article belongs to the Special Issue Information Security and Privacy: From IoT to IoV)

Abstract

:
Devices in the Internet of Things (IoT) usually use cloud storage and cloud computing to save storage and computing cost. Therefore, the efficient realization of one-to-many communication of data on the premise of ensuring the security of cloud storage data is a challenge. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) can not only protect the security of data in the cloud and achieve one-to-many communication but also achieve fine-grained access control for data. However, the single-authority CP-ABE faces the crisis of single point of failure. In order to improve security, the Multi-Authority CP-ABE (MA-CP-ABE) is adopted. Although there are provably-secure MA-CP-ABE schemes, Edward Snowden’s research shows that provably-secure cryptographic schemes are vulnerable to backdoor attacks, resulting in secret disclosure, and thus threatening security. In addition, ABE requires huge computational overhead in key generation, encryption and decryption, which increase with the increase in the number of attributes and the complexity of the access structure, and there are a large number of resource-constrained devices in the IoT. To mitigate this issue, we construct the Online/Offline MA-CP-ABE with Cryptographic Reverse Firewalls (OO-MA-CP-ABE-CRFs) scheme. This scheme not only uses Cryptographic Reverse Firewall (CRF) to resist backdoor attacks but also uses online/offline key generation, online/offline encryption and outsourcing encryption technology to optimize the efficiency of the MA-CP-ABE scheme with reverse firewall, reducing the storage and computing cost of users. Finally, the security of the OO-MA-CP-ABE-CRFs scheme is proved, and the experimental results indicate that the scheme is efficient and practical.

1. Introduction

With the increasing number of terminal devices connected to the Internet of Things (IoT), the data to be processed increase exponentially. At the same time, with the widespread use of cloud computing and cloud storage technologies, the data from IoT devices were uploaded to the cloud for storage and processing. Considering that the dishonest cloud seriously threatens the privacy and security of data, it is necessary to encrypt the data before cloud storage. Attribute-Based Encryption (ABE) can not only protect data privacy but also realize fine-grained access control to data.
ABE was originally proposed by Sahai and Waters, which can be classified as Key-Policy ABE (KP-ABE) and Ciphertext-Policy ABE (CP-ABE), respectively. In the CP-ABE (KP-ABE) scheme, the user’s private key (ciphertext) is associated with its attributes, and the ciphertext (private key) is associated with the access structure. Only when the attributes of the user meet the access structure of the ciphertext can the user use the private key to recover the plaintext correctly. Because users can use CP-ABE to specify flexible access structures for ciphertext, they can achieve fine-grained access control for ciphertext, so CP-ABE has been widely used in cloud computing [1,2,3,4,5,6]. Because the user’s private key is generated by an attribute authority, the attribute authority knows the user’s private key and can decrypt the ciphertext. Therefore, the attribute authority is required to be a trusted third party. In addition, the single-authority ABE scheme has a series of negative effects such as heavy computing burden, single point of failure crisis, and excessive central authority. The Multi-Authority ABE (MA-ABE) scheme can solve the problem of limited computing resources and single point of failure in the single-authority ABE scheme, so it has been widely used in the IoT [7,8,9].
Edward Snowden’s disclosure showed that even if the user’s machine is executing the cryptographic scheme normally, it may be placed on the machine by the adversary with undetectable backdoor vulnerabilities, so the user’s secret is exposed, thus endangering the user’s security [10,11,12]. Even provably secure cryptographic schemes face this threat, including the provably secure MA-ABE scheme. The Cryptographic Reverse Firewall (CRF) uses a trusted machine placed between the user’s machine and the external environment to intercept illegal data streams entering the machine and modifying system parameters in time, which can resist internal vulnerabilities such as backdoors, thereby providing users with privacy security [13]. Therefore, it is necessary to construct an MA-ABE scheme with CRFs (MA-ABE-CRFs).
One of the main drawbacks of the ABE encryption scheme is that the computational cost of encryption, decryption and key generation increases with the increase in the complexity of the access structure or the number of attributes. MA-ABE-CRFs faces the same drawback because of the increase in attribute authorities and the increase in CRFs, which lead to higher computing cost. The devices in the IoT have limited storage and computing resources, so it is necessary not to use MA-ABE directly. The online/offline key generation, online/offline encryption and outsourced decryption to improve the efficiency of MA-ABE are considered [14]. The online/offline technology splits the computation for MA-ABE into two phases: an offline preparation phase, in which users can do a lot of work, such as offline key generation and offline encryption; and a second phase, where once the user knows the encrypted plaintext and attributes/access structure, the user can quickly generate a key online to encrypt the plaintext. Outsourcing pre-decryption can transfer a large amount of decryption computing cost to cloud service providers, thus reducing users’ decryption computing cost, and is more suitable for resource-constrained IOT devices. Considering the efficiency of MA-ABE-CRFs, especially for IoT devices with limited storage and computing resources, we can consider online/offline key generation, online/offline encryption and outsourced decryption to improve the efficiency of MA-ABE-CRFs [14]. Therefore, it is necessary to study the Online/Offline MA-CP-ABE-CRFs (OO-MA-CP-ABE-CRFs) to ensure the security of data in the IoT and improve the efficiency of data transmission.
In this paper, we combine CRF and CP-ABE, and adopt multi-authority, online/offline, outsourced decryption to construct OO-MA-CP-ABE-CRFs for IoT. The specific contributions are as follows:
(1)
We propose a new MA-CP-ABE-CRF scheme, which not only avoids the crisis of single point of failure of single-authority ABE but also provides flexible access control for ciphertext data. In addition, four CRFs are used to re-randomize key parameters. This allows the MA-CP-ABE scheme to maintain functionality and resist ex-filtration even if it is compromised by unexpected attacks.
(2)
In order to make the scheme suitable for IoT, we have adopted online/offline key generation, online/offline encryption, and outsourcing decryption technologies to improve the computational efficiency of the scheme. These technologies are not only adopted by users and attribute authority but also by the four CRFs, which can significantly improve the efficiency of the scheme. Compared with other studies in terms of computational and storage overhead, our scheme has obvious advantages.
(3)
We have theoretically analyzed and proven the correctness and security of the OO-MA-CP-ABE-CRFs scheme, including CPA security, weak security reservation, and weak demonstration resistance. These security guarantees that devices in IOT are secure even when attacked by backdoors.
The rest of this article is organized as follows. Section 2 discusses the related work. Section 3 presents the preliminaries. Section 4 describes the proposed OO-MA-CP-ABE-CRFs scheme. Section 5 presents the performance analysis of the proposed scheme. Section 6 presents a real-world application of the proposed scheme. Finally, Section 7 concludes this work.

2. Related Work

This section mainly summarizes the related works on ABE, CRF and online/offline cryptography.

2.1. Attribute-Based Encryption

ABE was originally proposed by Sahai and Waters on the basis of Fuzzy Identity-Based Encryption (FIBE) [15]. Goyal et al. [16] extended FIBE technology to ABE technology and defined two types of ABE, called KP-ABE and CP-ABE, respectively. The complete framework of the first anti-collusion CP-ABE scheme was proposed by Bethencourt et al. [17]. Since CP-ABE can customize access control policies by data owners, it is widely used in various cloud scenarios due to the advantages of fine-grained access control. Because the single-authority ABE scheme has a series of negative effects such as heavy computing burden, single point of failure crisis, and excessive central authority, Chase [18] constructed an MA-ABE scheme to solve such problems. Chase et al. [19] further protect user privacy by eliminating the trusted central authority to prevent information from being concentrated on specific users. Lin et al. [20] proposed a threshold-based multi-authority FIBE scheme that can be extended to MA-ABE. Qian et al. [21] proposed an MA-ABE scheme supporting attribute revocation and dynamic policy updates to meet the privacy security requirements of patients in the personal health record (PHR) system.

2.2. Cryptographic Reverse Firewall

Due to the influence of Snowden’s ex-filtration incident, Mironov et al. [13] introduced the concept of a CRF, which aims to intercept and update the receiving and sending messages of the client in time to prevent malicious adversary in the system. Zhou et al. [22] proposed an IBE-based CRF scheme. Chen et al. [23] rely on the malleable smooth projective hash function with key malleability and element re-randomizability to construct multiple CRF-based cryptographic protocols. Zhou et al. [24] designed a single-round CL-PKE-CRF protocol with low communication overhead. Zhou et al. [25] proposed a searchable public key encryption scheme based on CRF, which can resist various attack methods without a secure channel, thereby fully guaranteeing the user’s information security. Ma et al. [26] designed an online/offline CP-ABE-CRF scheme, which effectively reduces the computational overhead while resisting secret ex-filtration, and further ensures the practicability of the scheme on lightweight devices. Hong et al. [27] constructed an MA-KP-ABE-CRF scheme, which supports a non-monotonic access structure.

2.3. Online/Offline Cryptography

It is also worth noting that not only does the CRF framework bring a lot of computing overhead, but most of the ABE scheme design process itself generally has expensive computing operations. Many researchers use online/offline technology to solve this problem. Khan et al. [28] entrusted the heaviest computing operations to the offline stage through online/offline technology, which reduced computing overhead, and designed an online/offline-aided attribute-based multi-keyword search scheme. In order to reduce the communication overhead in the verification phase, Ali et al. [29] designed a verifiable online/offline multi-keyword search scheme. For fields such as smart grids with high security and timeliness, Zhang et al. [30] outsourced a large number of calculations to the encryption and decryption server, reducing the calculation overhead of the client, and constructed outsourcing attributed-based ranked searchable encryption. In order to further reduce the computational burden of data owners and clients, Shao et al. [31] based on the online/offline MA-ABE scheme combined with key conversion technology to outsource the complex operation of the decryption stage to the proxy server.

3. Preliminaries

This introduces preliminaries of the OO-MA-CP-ABE-CRFs scheme.

3.1. Bilinear Groups

Let G , G T be two multiplicative cyclic groups with a prime order of p. Among them, g is the generator of the group G , and the bilinear map e : G × G G T has the following three properties:
(1)
Bilinearity: For any P , Q G and a , b Z p * , it can calculate; e ( P a , Q b ) = e ( P , Q ) a b .
(2)
Non-degeneracy: If P , Q G is assumed, then e ( P , Q ) 1 is established;
(3)
Computability: For any P , Q G , there exists an efficient algorithm to compute e ( P , Q ) .
q type assumption. The challenger first calls parameters of bilinear pairings p, G , G T , e, and picks a random group element g G and random exponents a , s , b 1 , b 2 , , b q Z q . Then, the challenger sends the following terms to the adversary.
g , g s
g a i , g b j , g a i / b j 2 , ( i , j ) [ q , q ]
g a i / b j , ( i , j ) [ 2 q , q ] w i t h i q + 1
g a i b j / b j 2 , ( i , j , j ) [ 2 q , q , q ] w i t h j j
g s a i b j / b j , g s a i b j / b j 2 , ( i , j , j ) [ q , q , q ] w i t h j j
Finally, the challenger flips a random coin b { 0 , 1 } , sets T = e ( g , g ) s a q + 1 if b = 0 and otherwise T G T is a random term, and sends T to attacker. The attacker outputs a guess b { 0 , 1 } for b. The advantage of the attacker in the game is | Pr [ b = b ] 1 2 | . We say that the q type assumption holds if all probabilistic polynomial time attackers have at most a negligible advantage in the above security game.

3.2. Linear Secret Sharing Schemes

Assuming that { P 1 , P 2 , , P n } is a set of participants, if B A and B C have C A , then we say that the set A 2 { P 1 , P 2 , , P n } is monotonous for any B and C. A monotonic access structure is the set of all non-empty subsets of { P 1 , P 2 , , P n } , namely A 2 { P 1 , P 2 , , P n } \ { } . For this reason, sets in A are called authorized sets, whereas sets not in A are called non-authorized sets.
A linear secret sharing scheme Π with a set of parties is linear on Z p , the following conditions need to be satisfied:
(1)
The shares of each party constitute a vector over Z p ;
(2)
There exists a share-generating matrix M with l rows and n columns for scheme Π . Furthermore, there exists a function ρ that maps each row of the matrix M to an associated party. For example, each row i [ l ] of the matrix is closely related to ρ ( i ) , where [ l ] = 1 , , l . For column vector v = ( s , r 2 , , r n ) , we choose s from Z p as the secret value that needs to be shared, and r 2 , , r n Z p are randomly selected. M v represents a vector composed of l elements, and each element is the secret share generated by the scheme Π for s. The share ( M v ) i belongs to party ρ ( i ) .

3.3. Cryptographic Reverse Firewall

The CRF was originally proposed by Mironov and Stephens Davidowitz to provide a strong security backing for modern cryptographic algorithms to avoid the threat of backdoors. CRF acts as a function of message interception and parameter update in the entire cryptographic system. Deploying a cryptographic scheme that correctly implements CRF can effectively ensure that the scheme can still retain its security even if it runs on an infected machine. Appendix A provides more details about CRF.

3.4. System Model

As shown in Figure 1, the scheme includes five participants and corresponding reverse firewalls. They are the global identity authority (GA), attribute authorities (AA), the cloud service provider (CSP), the data owner (DO) and the data user (DU). Among them, the CRF of GA is W GA , the CRF of AA is W AA , the CRF of DO is W DO , and the CRF of DU is W DU .
Specifically, (1) GA generates global parameter G P . (2) If the process is corrupted, then W GA randomizes the G P , obtains and broadcasts G P globally. (3) GA outputs its own public/private key pair ( G P K , G M K ) by G P . (4) If the process is compromised, W GA outputs the updated public/private key pair ( G P K , G M K ) , and returns it to GA. (5) AA outputs its own public/private key pair ( A P K k , A M K k ) . (6) If the process is compromised, W AA ouputs the updated public/private key pair A P K k , A M K k . (7) DO offline encryption and output offline ciphertext C T o f f . (8) DO encrypts plaintext online and outputs the ciphertext C T A under the access structure A . (9) If the encryption process is compromised, W DO outputs the updated intermediate ciphertext I T offline. (10) W DO outputs the updated ciphertext C T . (11) GA outputs the user’s decryption key u g s k offline. (12) If the process is compromised, W GA outputs the intermediate secret key I S K offline. (13) W GA outputs the user’s updated decryption key u g s k online. (14) AA outputs the user’s offline decryption key u a s k o f f . (15) AA outputs the decryption key u a s k o n , S G I D of the user online. (16) If the process is compromised, W AA of A A k outputs the updated offline decryption key u a s k o f f .(17) W AA outputs the user’s updated online decryption key u a s k o n , S G I D online. (18) In order to realize outsourcing pre-decryption, DU outputs a conversion key T K and a retrieval key R K . (19) If the process is compromised, W DU outputs an updated conversion key T K and a corresponding random β . (20) CSP performs outsourcing pre-decryption and outputs the transformed ciphertext T C T . (21) If the process is compromised, W DU outputs an updated transformed ciphertext T C T . (22) DU outputs the plaintext. For the normalized definition of OO-MA-CP-ABE-CRF, see Appendix B.

3.5. Security Model

We define the security model of the OO-MA-CP-ABE-CRFs scheme based on the security model [26,27]. Similar to [26,27], it is assumed that GA, AA, DO and DC are fully trusted, and the CSP is semi-trusted. Because the algorithms (Global. Setup , GASetup , AASetup , GA . KeyGen . off , GA . KeyGen . on , AA . KeyGen . off , AA . KeyGen . on , Encrypt . off , Encrypt . on and KeyGen . ran ) in the scheme still maintain functionality after implanting malicious trapdoors, so it is necessary to consider that these algorithms may be compromised without the knowledge of the executor. In addition, considering that W DO and W DU are curious about the user’s data, we assume that W DO and W DU are semi-trusted. Since W GA , W AA have access to the decryption key of the user, it is assumed that W GA , W AA are completely trusted. Additionally, all CRFs are considered trusted zones and cannot be tampered with by any outsiders.
The CPA security game for OO-MA-CP-ABE-CRFs is played by a challenger C and an adversary A .
Initialization: Adversary A sends the access structure A * and the functionality maintaining algorithms to challenger C .
Setup: The Setup algorithm is executed by challenger C . The updated global public parameter G P , updated public key G P K and A P K k of the authority are sent to the adversary A .
Phase 1: The adversary A can adaptively query the Key Generation Oracle (KGO). A queries for attribute set S i and user identity G I D , which requires that S i does not satisfy the challenge policy A * , i = 1 , 2 , , q . The challenge C replies to adversary with user’s updated decryption key ( u g s k , u a s k S G I D ) , and updated conversion key T K .
Challenge: Adversary A sends two equal-length plaintexts m 0 , m 1 to C . C selects a random bit b { 0 , 1 } , and sends the updated ciphertext C T b to the adversary A , where C T b is the ciphertext of m b under access structure A * .
Phase 2: The process is the same as Phase 1.
Guess: The adversary A outputs a guess b { 0 , 1 } for b. The advantage of A in the game is | Pr [ b = b ] 1 2 | .
Definition: The OO-MA-CP-ABE-CRFs is CPA secure if all probabilistic polynomial time ( P P T ) adversaries have at most a negligible advantage in the above security game.

4. OO-MA-CP-ABE-CRFs

In this section, we first construct a basic OO-MA-CP-ABE scheme based on [32]. The random of the ciphertext and key in this scheme is all re-randomized. Then, based on this basic OO-MA-CP-ABE scheme, we construct an OO-MA-CP-ABE-CRFs scheme, and finally, prove the security of the constructed scheme.

4.1. Basic Construction of OO-MA-CP-ABE Scheme

In order to make the basic OO-MA-CP-ABE scheme suitable for constructing the CRF framework, we construct a concessive OO-MA-CP-ABE scheme, which can be divided into four phases and contains a total of 11 algorithms.
(1) Initialization phase. GA and AA perform initialization.
➀ Global. Setup ( λ , U ) GP . GA chooses a security parameter λ and describes a tuple ( G , G T , p , e ) , where G and G T are two cyclic multiplicative groups of large prime order p and e : ( G × G ) G T is a bilinear map. Let g be a generator of G . GA randomly chooses h , u , v , w G and outputs the global system parameters G P = ( g , h , u , v , w ) .
GA . Setup ( G P ) G P K , G M K . GA randomly chooses α Z , outputs G P K = e ( g , g ) α , and keeps G M K = α by itself.
AA . Setup ( G P , k , U k ) ( A P K k , A M K k ) . It first takes G P , k , U k as input, where k [ K ] . Then, A A k randomly chooses α k Z p , and lets ( u ^ , h ^ ) = ( u α k , h α k ) . Finally, it outputs A P K k = ( u ^ , h ^ ) and keeps A M K k = α k .
(2) Encryption phase. DO encrypts plaintext offline and online.
Encrypt . off ( G P , G P K , A P K ) C T o f f . The algorithm takes G P , G P K , A P K = k [ K ] A P K k as input, and the DO randomly chooses s Z p , t j Z p , j [ J ] , J is used by DO to determine the size of the offline ciphertext pool. It calculates K m = G P K s = e ( g , g ) α s , C 0 = g s , C j , 1 = ( h ^ ) t j , C j , 2 = g t j , C j , 3 = v t j , and outputs C T o f f = ( s , K m , C 0 , { C j , 1 , C j , 2 , C j , 3 } j [ J ] ) .
Encrypt . on ( G P , A P K , m , A , C T o f f ) C T A . On input public parameters P K , an intermediate ciphertext I T , a plaintext m and an LSSS access structure A = ( M , ρ ) , where M is an l × n ( l N ) matrix. DO randomly chooses y 2 , , y n Z p , sets y = ( s , y 2 , , y n ) T , and obtains λ = ( λ 1 , λ 2 , , λ l ) T = M y . In addition, for j l , suppose ρ j corresponds to an attribute controlled by A A k . DO sets C = m · K m , C 0 = C 0 , C j , 1 = C j , 1 u ^ ρ ( j ) t j = ( h ^ u ^ ρ ( j ) ) t j , C j , 2 = C j , 2 = g t j , C j , 3 = C j , 3 · w λ j = w λ j v t j , outputs C T A = ( C , C 0 , { C j , 1 , C j , 2 , C j , 3 } j [ l ] ) .
(3) Key generation phase. GA and AA generate decryption keys offline and online for the user.
GA . KeyGen . off ( G P , G M K ) u g s k . GA randomly chooses r Z p , calculates K 0 = g α w r , K 3 = g r , D = v r , and outputs u g s k = ( K 0 , K 3 , D ) .
AA . KeyGen . off ( G P , A M K k ) u a s k o f f . For k [ K ] , A A k randomly chooses r i Z p , i [ | U k | ] , calculates K i , 1 = g r i α k and K i , 2 = h r i , and outputs u a s k o f f = { r i , K i , 1 , K i , 2 } i [ | U k | ] .
AA . KeyGen . on ( G P , G I D , A P K k , S G I D , k , u a s k o f f ) u a s k o n , S G I D . For i S G I D , k , A A k calculates K i , 1 = K i , 1 = g r i α k , K i , 2 = K i , 2 · u a t t r i r i = ( u a t t r i h ) r i , it outputs u a s k o n = { K i , 1 , K i , 2 } i S G I D , k . It should be noted that the decryption key of the user GID is u g s k , u a s k o n .
(4) Decryption phase. For outsourcing decryption, DU generates a conversion key and a retrieval key. CSP performs outsourcing decryption by conversion key, and DU performs final decryption by retrieval key.
KeyGen . ran ( u g s k , u a s k o n ) ( T K , R K ) . The data user DU randomly chooses τ Z p , calculates K ˜ 0 = K 0 1 τ = g α τ w r τ , K ˜ 3 = K 3 1 τ = g r τ and D ˜ = D 1 τ = v r τ . For i S G I D , k , it calculates K ˜ i , 1 = K i , 1 1 τ = g r i α k τ , K ˜ i , 2 = K i , 2 1 τ = ( u a t t r i h ) r i τ , finally outputs a conversion key T K = ( S G I D , K ˜ 0 , K ˜ 3 , D ˜ , { K ˜ i , 1 , K ˜ i , 2 } i S G I D , k ) and a retrieval key R K = τ .
Decrypt . out ( T K , C T ) T C T . On input, a conversion key T K for the attribute set S GID and a ciphertext C T for access structure A . The CSP judges whether S GID satisfies A , if not, then it returns ⊥. Otherwise, CSP calculates { w i Z p } j I satisfying j I w i M j = ( 1 , 0 , , 0 ) , where I = { j | ρ ( j ) S G I D } [ l ] , and M j is row j of matrix M. Then, it calculates B = e ( K ˜ 0 , C 0 ) j I T j w j = e ( g , g ) α s τ , where T j = e ( K ˜ i , 1 , C j , 1 ) · e ( K ˜ i , 2 · D ˜ , C j , 2 ) · e ( K ˜ 3 , C j , 3 ) , and outputs decrypted transformed ciphertext T C T = ( C , B ) .
Decrypt . user ( R K , T C T ) m . The algorithm is executed by DU, inputs a retrieval key R K and the transformed ciphertext T C T , and finally decrypts C ( B ) τ = e ( g , g ) α s · m ( e ( g , g α s τ ) ) τ to obtain the plaintext m.
Theorem 1. 
The basic OO-MA-CP-ABE scheme is CPA secure if the OO-MA-CP-ABE scheme in [32] is selective CPA-secure.
Proof. 
The form of user key SK and ciphertext CT in the scheme is the same as that in [32]. Therefore, the modification does not affect the security proof. Furthermore, the key-blinding technique in [33] is used. The proof is similar to [33], so it is omitted. □

4.2. Construction of OO-MA-CP-ABE-CRFs

We propose the OO-MA-CP-ABE-CRFs based on the above basic construction, which can resist the exfiltration of secret information from arbitrarily compromised functional-maintaining algorithms executed by the GA, AA, DO and DU. The structure of OO-MA-CP-ABE-CRFs is specifically as follows.
(1) Initialization phase. GA, AA, W GA and W GA perform initialization.
➀ Before broadcasting GP Setup ( ˘ , U ) to other participants, GA first sends G P to W GA for the algorithm W GA . Global. Setup .
W GA .Global. Setup ( G P ) G P . After receiving G P , W GA randomly selects a , b , c , d , e Z p and calculates g = g a , u = u b , h = h c , w = w d , v = v e . The algorithm outputs G P = ( g , u , h , w , v ) and broadcasts G P to all members of the system.
➁ When GA receives the updated global public parameter G P , it runs algorithm GA . Setup ( G P ) to obtain G P K , G M K and sends it to W GA , and W GA performs the algorithm W GA . GA . Setup .
W GA . GA . Setup ( G P , G P K , G M K ) ( G P K , G M K ) . W GA randomly selects f Z p , sets α = α + f , calculates and outputs G P K = G P K · e ( g , g ) f = e ( g , g ) α + f = e ( g , g ) α , G M K = G M K + f = α + f = α , while keeping f by itself.
➂ After receiving the updated G P , AA runs AA . Setup ( G P , k , U k ) ( A P K k , A M K k ) and sends ( A P K k , A M K k ) to W AA . W AA performs the algorithm W AA . Setup .
W AA . Setup ( G P , A P K k , A M K k ) ( A P K k , A M K k ) . W AA randomly selects α ˜ k Z p , sets α k = α k + α ˜ k , ( u ^ , h ^ ) = ( u α k , h α k ) and ouputs A P K k = ( u ^ · u α ˜ k , h ^ · h α ˜ k ) = ( u α k + α ˜ k , h α k + α ˜ k ) = ( u α k , h α k ) = ( u ^ , h ^ ) , while keeping A M K k = α k + α ˜ k = α k by itself.
(2) Encryption phase. DO and W DO encrypt plaintext offline and online.
The DO runs Encrypt . off ( G P , G P K , A P K ) and Encrypt . on ( G P , A P K A , m , A , C T o f f ) to obtain the ciphertext C T A of the message m under the access structure A , and sends C T A to W DO before uploading C T A to the CSP. W DO performs the following algorithms.
W DO . Encrypt . off ( G P , G M K , A P K ) I T . W DO randomly selects s ˜ Z p , t ˜ j Z p , j [ J ] , calculates K ^ m = e ( g , g ) α s ˜ , C ^ 0 = g s ˜ , C ^ j , 1 = h ^ t ˜ j , C ^ j , 2 = g t ˜ j , C ^ j , 3 = v t ˜ j , and outputs I T = ( s ˜ , K ^ m , C ^ 0 , { C ^ j , 1 , C ^ j , 2 , C ^ j , 3 } j [ J ] ) .
W DO . Encrypt . on ( G P , I T , C T A ) C T A . W DO sets y = ( s ˜ , y 2 , , y n ) T , where y i Z p , i = 1 , , n , λ = ( λ ˜ 1 , , λ ˜ l ) T = M y; , s = s + s ˜ , t j = t j + t ˜ j , λ j = λ j + λ ˜ j . It calculates C ^ = C · K ^ m = m e ( g , g ) α ( s + s ˜ ) = m e ( g , g ) α s , where s = s + s ˜ . Then, it sets C ^ 0 = C 0 · C ^ 0 = g ( s + s ˜ ) = g s , C ^ j , 1 = C j , 1 · C ^ j , 1 · u ^ ρ ( j ) t ˜ j = ( u ^ ρ ( j ) h ^ ) t j · h ^ t ˜ j · u ^ ρ ( j ) t ˜ j = ( u ^ ρ ( j ) h ^ ) t j , C ^ j , 2 = C j , 2 · C ^ j , 2 = g ( t j + t ˜ j ) = g t j , C ^ j , 3 = C j , 3 · C ^ j , 3 · w λ ˜ j = ( v t j w λ j ) · v t ˜ j w λ ˜ j = v ( t j + t ˜ j ) w ( λ j + λ ˜ j ) = v t j w λ j , and outputs the updated ciphertext
C T = ( A , C ^ , C ^ 0 , C ^ j , 1 , C ^ j , 2 , C ^ j , 3 j l ) .
(3) Key generation phase. GA, AA, W GA and W AA generate decryption key offline and online for user.
GA runs GA . KeyGen . off ( G P , G M K ) u g s k , and sends u g s k to W GA . A A k runs AA . KeyGen . off ( G P , A M K k ) and AA . KeyGen . on ( G P , G I D , A P K k , S G I D , k , u a s k o f f ) , then sends u a s k o n , S G I D to W AA . W GA and W AA perform the following algorithms.
W GA . GAKeyGen . off ( G P , f ) I S K . W GA randomly selects r ˜ Z p , calculates K ^ 0 = g f w r ˜ , K ^ 3 = g r ˜ , D ^ = v r ˜ , and outputs an intermediate secret key I S K = ( r ˜ , K ^ 0 , K ^ 3 , D ^ ) .
W GA . GAKeyGen . on ( G P , I S K , u g s k ) u g s k . W GA sets r = r ˜ + r . It calculates K ^ 0 = K ^ 0 · K 0 = g ( α + f ) w ( r ˜ + r ) = g α w ( r ˜ + r ) = g α w r , K ^ 3 = K ^ 3 · K 3 = g ( r + r ˜ ) = g r , D ^ = v ( r + r ˜ ) = v r , outputs the updated u g s k = ( K ^ 0 , K ^ 3 , D ^ ) and sends it to the user.
W AA . KeyGen . off ( G P , A M K k ) u a s k o f f . W AA randomly selects r ˜ i Z p , i S G I D , k , calculates K ^ i , 1 = g r ˜ i α k , K ^ i , 2 = h r ˜ i , and outputs u a s k o f f = ( r ˜ i , K ^ i , 1 , K ^ i , 2 ) .
W AA . KeyGen . on ( G P , r ˜ i , S G I D , G I D , u a s k o n , S G I D , k , u a s k o f f ) u a s k o n , S G I D . W AA sets r i = r i + r ˜ i , calculates K ^ i , 1 = K i , 1 · K ^ i , 1 = g r i α k · g r ˜ i α k = g ( r i + r ˜ i ) α k = g r i α k , K ^ i , 2 = K i , 2 · K ^ i , 2 · ( u a t t r i ) r ˜ i = ( u a t t r i h ) r i · h r ˜ i · u a t t r i × r ˜ i = ( u a t t r i h ) r i , and outputs u a s k o n , S G I D = K ^ i , 1 , K ^ i , 2 i S G I D , k .
(4) Decryption phase. The W DU re-randomizes the conversion key. The CSP uses the re-randomized conversion key to perform outsourcing decryption. W DU performs the decryption algorithm.
After obtaining ( T K , R K ) KeyGen . ran ( u g s k , u a s k o n , S G I D ) , DU sends T K to W DU for the algorithm W D U . TKUpdate .
W D U . TKUpdate ( T K ) ( T K , β ) . W DU randomly selects β Z p and calculates K ˜ 0 = K ˜ 0 1 β = g α τ β w r τ β , K ˜ 3 = K ˜ 3 1 β = g r τ β , D ˜ = D ˜ 1 β = v r τ β . For i [ | u k | ] , k [ K ] , it computes K ˜ i , 1 = K ˜ i , 1 1 β = g r i α k τ β , K ˜ i , 2 = K ˜ i , 2 1 β = ( u a t t r i h ) r i τ β , outputs the updated conversion key T K = ( S G I D , K ˜ 0 , K ˜ 3 , D ˜ , { K ˜ i , 1 , K ˜ i , 2 } i [ | u k | ] ) , while keeping β by itself.
The CSP receives T K , runs Decrypt . out ( T K , C T ) T C T , and sends T C T to W DU . W DU performs the algorithm W D U . Decrypt ( T C T , β ) .
W D U . Decrypt ( T C T , β ) T C T . W DU calculates B β = e ( g , g ) α s τ and outputs T C T = ( B β , C ^ ) .
After receiving T C T = ( B β , C ^ ) , DU runs Decrypt . user ( R K , T C T ) m , and obtains the plaintext m.

4.3. Security Analysis

Theorem 2. 
The proposed OO-MA-CP-ABE-CRFs is CPA secure and CRFs for GA, AAs, DO and DU maintain functionally, weakly preserve security, and weakly resist exfiltration if the basic structure of OO-MA-CP-ABE in Section 4.1 is CPA secure.
Proof. 
We prove the security of our construction via the following parts. □
FUNCTIONALITY MAINTAINING.
If the user attribute set S GID satisfies the access policy A , then there is
T j = e ( K ˜ i , 1 , C ^ j , 1 ) · e ( K ˜ i , 2 · D ˜ , C ^ j , 2 ) · e ( K ˜ 3 , C ^ j , 3 ) = e ( g r i α k τ β , ( u ^ ρ ( j ) h ^ ) t j ) · e ( ( u a t t r i h ) r i τ β · v r τ β , g t j ) · e ( g r τ β , v t j w λ j ) = e ( g r i α k τ β , ( u α k ρ ( j ) h α k ) t j ) · e ( ( u a t t r i h ) r i τ β · v r τ β , g t j ) · e ( g r τ β , v t j w λ j ) = e ( g r i α k τ β , ( u ρ ( j ) h ) α k t j ) · e ( ( u a t t r i h ) r i τ β · v r τ β , g t j ) · e ( g r τ β , v t j w λ j ) = e ( g r i α k τ β , ( u ρ ( j ) h ) α k t j ) · e ( ( u a t t r i h ) r i τ β · v r τ β , g t j ) · e ( g r τ β , v t j w λ j ) = e ( g , ( u ρ ( j ) h ) ) r i t j τ β · e ( g t j , ( u a t t r i h ) r i τ β ) · e ( g t j , v r τ β ) · e ( g r τ β , v t j w λ j ) = e ( g , ( u ρ ( j ) h ) ) r i t j τ β · e ( g , ( u a t t r i h ) ) r i t j τ β · e ( g t j , v r τ β ) · e ( g r τ β , v t j w λ j ) = e ( g t j , v r τ β ) · e ( g r τ β , v t j w λ j ) = e ( g t j , v r τ β ) · e ( g r τ β , v t j ) · e ( g r τ β , w λ j ) = e ( g r τ β , w λ j ) = e ( g , w ) r λ j τ β
so successfully calculate
B = e ( K ˜ 0 , C ^ 0 ) j I T j w j = e ( g α τ β w r τ β , g s ) j I e ( g , w ) r λ j τ β = e ( g α τ β w r τ β , g s ) e ( g , w ) r s τ β = e ( g α τ β , g s ) · e ( w r τ β , g s ) e ( g , w ) r s τ β = e ( g α τ β , g s ) = e ( g , g ) α s τ β ,
and then compute C ^ ( B β ) τ = e ( g , g ) α s · m ( e ( g , g α s τ ) ) τ to obtain the plaintext m.
CPA-SECURE.
For any tampered implementation on the GA, AA, DO and DU that maintains functionality, we prove the CPA security of the constructed OO-MA-CP-ABE-CRFs with tampered algorithms Global. Setu p * , GASetu p * , AASetu p * , GAKeyGen . of f * , GAKeyGen . o n * , AAKeyGen . of f * , AAKeyGen . o n * , KeyGen . ra n * , Encrypt . off * and Encrypt . o n * .
Assuming that adversary A can break the CPA security of the OO-MA-CP-ABE-CRFs scheme with a non-negligible advantage ϵ , we can construct a PPT simulator B to break the CPA security of the basic OO-MA-CP-ABE scheme with the same advantage ϵ . In the OO-MA-CP-ABE-CRFs scheme, simulator B plays the role of a challenger, interacting with adversary A . Let C be the challenger in the OO-MA-CP-ABE scheme.
Initialization: B receives the access structure A * and the functionality maintaining algorithms from A , and sends them to C .
Setup: B receives G P = ( g , h , u , v , w ) , G P K and A P K k = ( u ^ , h ^ ) from the C , randomly selects a , b , c , d , e , f , α ˜ k Z p , calculates g = g a , u = u b , h = h c , w = w d , v = v e , u α ˜ k , h α ˜ k , let G P = ( g , u , h , w , v ) , G P K = G P K · e ( g , g ) f , A P K k = ( u ^ · u α ˜ k , h ^ · h α ˜ k ) , and passes G P , G P K and A P K k to A .
Phase 1: B receives the key query about S and G I D from A , passes them to C and obtains u g s k = ( K 0 , K 3 , D ) , u a s k S G I D = { K i , 1 , K i , 2 } , T K . Then, B randomly selects r ˜ , r ˜ i , β Z p , i S G I D , k , calculates K ^ 0 = g f w r ˜ , K ^ 3 = g r ˜ , D ^ = v r ˜ , K ^ i , 1 = g r ˜ i α k , K ^ i , 2 = h r ˜ i , lets u g s k = ( K ^ 0 , K ^ 3 , D ^ ) = ( K ^ 0 · K 0 , K ^ 3 · K 3 , D ^ · D ) , u a s k o n , S G I D = K ^ i , 1 , K ^ i , 2 = ( K ^ i , 1 = K i , 1 · K ^ i , 1 , K ^ i , 2 = K i , 2 · K ^ i , 2 · ( u a t t r i ) r ˜ i ) , T K = T K 1 β , and passes ( u g s k , u a s k S G I D ) , and T K to A .
Challenge: B sends two equal-length plaintexts m 0 , m 1 to C and receives a challenge ciphertext C T A = ( C , C 0 , { C j , 1 , C j , 2 , C j , 3 } j [ l ] ) . Then, B randomly selects s ˜ Z p , t ˜ j Z p , j [ J ] , y i Z p , i [ n ] , calculates K ^ m = e ( g , g ) α s ˜ , C ^ 0 = g s ˜ , C ^ j , 1 = h ^ t ˜ j , C ^ j , 2 = g t ˜ j , C ^ j , 3 = v t ˜ j , lets C T = ( A , C ^ , C ^ 0 , C ^ j , 1 , C ^ j , 2 , C ^ j , 3 j l ) , where C ^ = C · K ^ m , C ^ 0 = C 0 · C ^ 0 , C ^ j , 1 = C j , 1 · C ^ j , 1 · u ^ ρ ( j ) t ˜ j , C ^ j , 2 = C j , 2 · C ^ j , 2 , C ^ j , 3 = C j , 3 · C ^ j , 3 · w λ ˜ j , y = ( s ˜ , y 2 , , y n ) T , λ = ( λ ˜ 1 , , λ ˜ l ) T = M y and passes C T b to A .
Phase 2: The process is the same as Phase 1.
Guess: The adversary A outputs a guess b { 0 , 1 } for b. Then, B outputs the same guess b . Thus, if A has advantage ϵ in the OO-MA-CP-ABE-CRFs experiment, then B breaks the OO-MA-CP-ABE scheme with the same probability ϵ .
It is also known from the Theorem 1 of [32] that if an adversary breaks the scheme of [32] with a non-negligible advantage ϵ , a simulator can be constructed to break the q type assumption in G with the same advantage ϵ . Therefore, if A has advantage ϵ in breaking our OO-MA-CP-ABE-CRFs scheme, then a simulator can be constructed to break the q type assumption in G with the same advantage ϵ .
WEAK SECURITY PRESERVATION AND WEAK EXFILTRATION RESISTANCE.
According to the CPA security of the OO-MA-CP-ABE-CRFs scheme, the CRFs W GA , W AA , W DO and W DU corresponding to GA, AA, DO and DU always maintain weak preserve security. On the other hand, the proof of the CPA security further demonstrates that reverse firewalls W GA , W AA , W DO and W DU have weak resist exfiltration.
Combining the above discussion, the proof is completed.

5. Performance Evaluations

In order to compare our scheme with other schemes, we conduct a detailed analysis of property and performance analysis.

5.1. Property Comparison

We choose schemes [26,32,34,35,36,37] to compare with our scheme. These schemes are CP-ABE schemes that support the LSSS access structure. It can be seen from Table 1 that the scheme [37] only supports online/offline encryption (OO Encrypt). The scheme [26] supports online/offline key generation(OO KeyGen), OO Encrypt and CRF. However, the schemes [26,37] are not multi-authority. The schemes [32,34,35,36] are multi-authority, but the scheme [32] only supports OO KeyGen and OO Encrypt without CRF. The scheme [36] also only supports OO Encrypt. Only our scheme meets all the above properties, so it is more suitable for IoT.

5.2. Performance Analysis

In order to simulate the time cost of computing operations, Table 2 lists the complexity analysis of system setup, key generation, encryption, and decryption. We define P as a bilinear pairing operation, E as an exponentiation operation, and M as a multiplication operation. We use K, S, l and I to represent the number of attribute authorities, the number of user attributes, the number of rows in the LSSS matrix, and the row set of the LSSS matrix used for decryption. We consider the time cost of user key generation, user encryption and user decryption. Although CRFs are added to our scheme, and CRFs also generate keys and perform encryption, the time cost of this part does not belong to users, so the additional cost caused by CRFs can be ignored. In addition, considering that the offline phase does not affect the actual cost of the online part of the user in the actual scenario, we only consider the time cost of the online phase in the efficiency analysis.
As shown in Table 3, we show the storage cost of our scheme and schemes [26,32,34,35,36], respectively, in the public parameters, ciphertext and user decryption key, where | G | is the number of elements in group G , | G T | is the number of elements in group G T . Because these schemes are CP-ABE schemes, the size of l is proportional to the size of the ciphertext, and the size of S is proportional to the size of the user decryption key. Compared to [36], our scheme has better storage cost for public parameters, ciphertext and user decryption key. Compared with [26,32,34,35], the storage cost of ciphertext and the user decryption key is approximately equal.
It is worth noting that we implement the simulation of the algorithm by deploying the Charm-Crypto cryptographic library based on the Python language development framework in the Ubuntu system. The experimental environment is Ubuntu 18.04.6, 12th Gen Intel(R) Core(TM) i7-12700H 4-core 2.30 GHz processor and 4 GB of RAM.
In the experiment, we imported the PBC module and selected the parameter value “SS512”, type A curve to generate the prime order bilinear group G . We further try to perform 1000 repeated experiments and take the average to estimate the running time of bilinear pairing operation, exponentiation operation and multiplication operation in G , respectively. The results show that the average time cost of the bilinear pairing operation is 2.05 ms, the average time cost of the exponentiation operation is 2.80 ms, and the average time cost of the multiplication operation is 2.82 ms. The source code can be obtained at https://github.com/abcde123411/OO-MA-CP-ABE-CRF (accessed on 2 April 2023. Finally, we present the results in Table 4.
In order to show the computational time cost and the storage cost of our scheme and other schemes, we make a comparison with Zhang et al. scheme [32] (ZZLL), Ma et al. scheme [26] (MZYS), Xie et al. scheme [34] (XRHS), Zhang et al. scheme [35] (ZGWW) and Zhang et al. scheme [36] (ZZWM). By analyzing the calculation overhead of the online user key generation phase, user decryption phase and the storage overhead of ciphertexts and keys in the system, there is a slight difference between the ZZWM scheme [36] and other schemes. In addition, we let the number of attribute authorities K be 1, the number of users N and the depth d is 0, Z p is equal to G to facilitate unified comparison, as shown in Figure 2 and Figure 3.
In Figure 2a, the curve of MZYS scheme [26] coincides with that of our scheme, which shows that the time cost of our scheme in the key generation phase is the same as that of MZYS scheme [26], which has obvious advantages over XRHS scheme [34] and ZZWM scheme [36]. In Figure 2b, the curve of MZYS scheme [26] coincides with that of our scheme. With the help of outsourced decryption technology, the time overhead of our scheme in the decryption phase is very considerable.
As can be seen from Table 3, since the ciphertext storage cost of each scheme contains a constant G T , we can ignore it in the analysis of the storage cost of ciphertext. As shown in Figure 3a, the curves of MZYS scheme [26], ZZLL scheme [32] and ZZWM scheme [36] coincide with that of our scheme, which shows that the ciphertext storage cost of our scheme is equivalent to that of [26,32,36]. As shown in Figure 3b, the curves of XRHS scheme [34], ZGWW scheme [35] and ZZWM scheme [36] are coincident, and the curves of MZYS scheme [26] and ZZLL scheme [32] coincide with that of our scheme, which shows that the secret key storage cost of our scheme is equivalent to that MZYS scheme [26] and ZZLL scheme [32].

6. Real-World Application

In this section, we will provide a detailed description of the practical application of our OO-MA-CP-ABE-CRFs scheme in the e-health system, as shown in Figure 4, which shows the true practical value of the scheme. The following steps are required.
(1) Patients and doctors need to register in the system. The superior management organization of the university and affiliated hospital executes algorithm Global. Setup to generate system global parameters and send them to registered users.
(2) Given that malicious adversaries may threaten the security of the system through backdoor attacks, the CRF corresponding to the superior management organization executes algorithm W GA .Global. Setup to randomize the system’s global parameters and broadcasts the updated results across the network.
(3) The superior management organization executes the algorithm GA . Setup to generate the public/private key pair.
(4) The CRF of the superior management organization runs the algorithm W GA . GA . Setup to update the public/private key pair, and returns the results to the superior management organization.
(5) The school and hospital, as attribute authorities in the system, respectively, execute the algorithm AA . Setup to generate their own public/private key pair.
(6) To prevent this process from being compromised, the CRFs of the school and hospital execute the algorithm W AA . Setup to randomize their respective public and private key pair.
(7) Considering that most patients usually use resource-constrained mobile devices, some computational operations are performed in the Encrypt . off algorithm. This will ensure that mobile device resources are not excessively consumed when performing online encryption operations.
(8) Patient sets access control policies and executes the algorithm Encrypt . on to encrypt Electronic Medical Records (EMR).
(9) If the encryption process is compromised, the patient’s EMR may be compromised, directly endangering the privacy and security of the patient. To avoid this situation, the CRF of the patient executes the algorithm W DO . Encrypt . off to generate intermediate ciphertext offline.
(10) The CRF of the patient executes the algorithm W DO . Encrypt . on to update the ciphertext and stores the results in the CSP.
(11) The superior management organization executes the algorithm GA . KeyGen . off offline to generate a portion of the decryption key for registered users.
(12) The CRF of the superior management organization executes the algorithm
W GA . GAKeyGen . off in the offline phase to generate an intermediate conversion key.
(13) The CRF of the superior management organization executes the algorithm
W GA . GAKeyGen . on to generate a portion of the updated decryption key and sends the result to the doctor.
(14) School and hospital execute the algorithm AA . KeyGen . off in the offline phase to provide pre-computing services for the decryption key generation of doctors.
(15) The school and affiliated hospital execute the algorithm AA . KeyGen . on to generate the corresponding decryption key for the doctor based on their attribute set.
(16) Considering the backdoor attacks, the CRFs of the school and hospital execute the algorithm W AA . KeyGen . off to update a portion of the decryption key offline.
(17) The CRF of the school and hospital execute the algorithm W AA . KeyGen . on to update the doctor’s decryption key online and send the result to the doctor.
(18) Because we use outsourced decryption, the doctor executes the algorithm KeyGen . ran to generate a conversion key and a recovery key.
(19) If the conversion key is compromised, it may cause serious consequences. To this end, the CRF of the doctor executes the algorithm W D U . TKUpdate to randomize the conversion key, and sends the updated result to the CSP.
(20) The CSP executes the algorithm Decrypt . out to pre-decrypt and obtain the transformed ciphertext.
(21) The doctor’s CRF executes the algorithm W D U . Decrypt to partially decrypt transformed ciphertext.
(22) Doctors execute the algorithm Decrypt . user , and only authorized doctors can successfully obtain the patient’s EMR.

7. Conclusions

To solve the problem of data privacy security in IoT, we propose an OO-MA-CP-ABE-CRFs scheme. This scheme can not only protect the security of data but also achieve fine-grained access control of data. In addition, our scheme uses multi-authority technology to further reduce the trust of a single authority, uses CRF technology, which can effectively resist the ex-filtration of secret information, fully protect the privacy and security of users, and adopt online/offline and outsourcing decryption technology to reduce users’ storage and computing cost. The security proof and experimental comparison of the scheme show that our scheme is more suitable for data sharing for IoT.
Although the OO-MA-CP-ABE-CRFs scheme implements multi-authority, it requires a global identity authority. In future work, we will study how to remove the global identity authority so that each attribute authority has equal status. We can consider introducing a user’s identity or blockchain to achieve this. In addition, in order to make this scheme suitable for resource-constrained IOT devices, we need to further optimize the efficiency of the encryption algorithm. We can consider adopting techniques such as obfuscation encryption and reducing the size of ciphertext.

Author Contributions

Conceptualization and Validation, Y.F. and Q.Y.; Writing—original draft, J.L. and Y.F.; Writing—review and editing, X.B. and J.L. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by National Natural Science Foundation of China (No. 61872204), Natural Science Foundation of Heilongjiang Province of China (No. LH2020F050), Fundamental Research Funds for Heilongjiang Universities of China (No. 2021-KYYWF-0016), and Science Research project of Basic scientific research business expenses in Heilongjiang Provincical colleges and universities of China (No. 135309453).

Institutional Review Board Statement

Not applicable.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A

Definition A1. 
(Cryptographic Reverse Firewall (CRF).) A cryptographic reverse firewall (CRF) is a stateful algorithm W that takes its state and message as input and outputs an updated state and message. For simplicity, we do not explicitly indicate the state information of W . For a party P and reverse firewall W in the system, we use W P to define the composed party. When a composed party W P engages in the protocol, the state of W is initialized as a public parameter. If W is meant to be composed with a party P, then we call it a reverse firewall for P. For a party P = ( receive , next , output ) and CRF W with an initial state of σ, we define a composed party W P ,where W P : = ( receiv e W P ( σ , m ) = receiv e P ( σ , W ( m ) ) , nex t W P ( σ ) = W ( nex t P ( σ ) ) , outpu t W P ( σ ) = outpu t P ( σ ) .
Definition A2. 
(Functionality-maintaining CRFs.) For any CRF W and any party P, let W 1 P = W P . Meanwhile, for k 2 , let W k P = W ( W k 1 P ) . For the scheme E that satisfies a certain functional requirement F , if the party P in the scheme E whose W k P is bounded by any polynomial k 1 always maintains F , then we say that the reverse firewall W maintains the normal function of all the parties P in the scheme E . When F , P, and E are clear, it is said that the reverse firewall W maintains functionality.
Definition A3. 
(Weakly security-preserving CRFs.) For a scheme E that satisfies security requirement S and functionality F and a CRF W . If for any P P T adversary A maintaining F , the scheme E P W P ^ , where P is replaced by W P ^ in scheme E and P ^ denote adversarial implementations during protocol function maintenance, satisfies the security requirement S , then CRF W can weakly preserve S of the party P in E . When E , P, S and F are clear, we simply say that W weakly preserves security.
Definition A4. 
(Weakly exfiltration-resistant CRFs.) For a scheme E and reverse firewall W satisfying functional F , if any PPT adversary A whose advantage A d v A , W LEAK ( l ) = P r [ LEAK ( E , P 1 , P 2 , W , l ) = 1 ] 1 2 in the security parameter l provided that P 1 * maintains F for P 1 is negligible, then we say the party P 1 against the party P 2 in scheme E , where the game LEAK ( E , P 1 , P 2 , W , l ) is as follows: we define A as the adversary, σ P 2 * as the state of P 2 * , T * is the transcript of running scheme ε P 1 P * , P 2 P 2 * ( I ) . The adversary first chooses P 1 * , P 2 * , I according to the security parameter l, and then chooses b $ { 0 , 1 } randomly. If b = 1 , the challenger lets P * W P 1 * , otherwise lets P * W P 1 , and outputs T * ε P 1 P * , P 2 P 2 * ( I ) . At last, the adversary outputs the guess b * A ( T * , σ P 2 * ) for b, and outputs 1 if and only if b * = b .

Appendix B

Let U be the full set of attributes, and A = ( M , ρ ) be the monotonic access structure. The OO-MA-CP-ABE-CRFs for access structure space A = ( M , ρ ) consists of 22 algorithms:
(1) Global . Setup ( λ , U ) G P . This algorithm is run by the global identity authority GA. It inputs the security parameter λ , the attributes set U and outputs the global public parameter G P .
(2) W GA .Global. Setup ( G P ) G P . This algorithm is run by the cryptographic reverse firewall W GA . On the input of a public parameter G P , it outputs the updated global public parameter G P .
(3) GA . Setup ( G P ) G P K , G M K . This algorithm is run by GA. On input the updated global public parameter G P , it outputs the public/private key pair ( G P K , G M K ) of GA.
(4) W GA . GA . Setup ( G P , G P K , G M K ) ( G P K , G M K ) . This algorithm is run by the reverse firewall W G A for GA. On input G P , G P K and G M K , it outputs the updated public/private key pair ( G P K , G M K ) , and returns it to GA.
(5) AA . Setup ( G P , k , U k ) ( A P K k , A M K k ) . This algorithm is run by attribute authority A A k . It inputs G P , k, U k , where U k is the set of attributes managed by A A k , U = i K U k , U i U j = , i j . Finally, it outputs the public/private key pair ( A P K k , A M K k ) of attribute authority A A k .
(6) W AA . Setup ( G P , A P K k , A M K k ) ( A P K k , A M K k ) . This algorithm is run by the reverse firewall W AA of the attribute authority A A k . It inputs G P , A P K k , A M K k and ouputs the updated parameters A P K k , A M K k .
(7) Encrypt . off ( G P , G P K , A P K ) C T o f f . This algorithm is run offline by the data owner DO. Input G P , G P K , A P K , and output offline ciphertext C T o f f .
(8) Encrypt . on ( G P , A P K , m , A , C T o f f ) C T A . This algorithm is run online by the data owner DO. Input G P , A P K , m, A , C T o f f , and output the ciphertext C T A of m under the access structure A .
(9) W DO . Encrypt . off ( G P , G M K , A P K ) I T . This algorithm is run offline by the reverse firewall W DO of the data owner DO. On input G P , G M K and A P K , it outputs the updated intermediate ciphertext I T .
(10) W DO . Encrypt . on ( G P , I T , C T ) C T . This algorithm is run online by the reverse firewall W DO of the data owner DO. On input G P , I T and C T , it outputs the updated ciphertext C T .
(11) GAKeyGen . off ( G P , G M K ) u g s k . This algorithm is run offline by GA, inputs G P , G M K and outputs the user’s decryption key u g s k .
(12) W GA . GAKeyGen . off ( G P , f ) I S K . This algorithm is run offline by the reverse firewall W GA of GA. On input G P and f, it outputs the intermediate secret key I S K .
(13) W GA . GAKeyGen . on ( G P , I S K , u g s k ) u g s k . This algorithm is run online by the reverse firewall W GA of GA. On input G P , I S K , u g s k , it outputs the user’s updated decryption key u g s k .
(14) AA . KeyGen . off ( G P , A M K k ) u a s k o f f . This algorithm runs offline by A A k . Inputs G P , A M K k , and outputs the user’s offline decryption key u a s k o f f .
(15) AA . KeyGen . on ( G P , G I D , A P K k , S G I D , k , u a s k o f f ) u a s k o n , S G I D . This algorithm runs online by A A k , inputs G P , G I D , A P K k , S G I D , k , u a s k o f f , and outputs the decryption key u a s k o n , S G I D of the user GID.
(16) W AA . KeyGen . off ( G P , A M K k ) u a s k o f f . This algorithm is run offline by the reverse firewall W AA of A A k , input G P , A M K k , and output the updated offline decryption key u a s k o f f of the user.
(17) W AA . KeyGen . on ( G P , r ˜ i , S G I D , G I D , u a s k o n , S G I D , k , u a s k o f f ) u a s k o n , S G I D . This algorithm is run online by the reverse firewall W AA of A A k . Input G P , r ˜ i , S G I D , G I D , u a s k o n , S G I D , k , u a s k o f f , and output the user’s updated online decryption key u a s k o n , S G I D .
(18) KeyGen . ran ( u g s k , u a s k o n , S G I D ) ( T K , R K ) . This algorithm is run by DU. Input u g s k , u a s k o n , S G I D , and output a conversion key T K and a retrieval key R K .
(19) W DU . TKUpdate ( T K ) ( T K , β ) . This algorithm is run by the reverse firewall W DU of DU, which inputs T K , outputs an updated conversion key T K and a corresponding random β .
(20) Decrypt . out ( T K , C T ) T C T . This algorithm is run by CSP. Input T K , C T and output the transformed ciphertext T C T .
(21) W DU . Decrypt ( T C T , β ) T C T . This algorithm is run by the reverse firewall W DU of DU, which inputs the transformed ciphertext T C T , a random β and outputs an updated transformed ciphertext T C T .
(22) Decrypt . user ( R K , T C T ) m . This algorithm is run by the data user DU, which inputs a retrieval key R K , the updated transformed ciphertext T C T and outputs the plaintext m.
Correctness: For the fixed universe description U, the security parameter λ , the access structure space A = ( M , ρ ) and the message m, the correctness property requires that for all Setup ( λ , U ) GP , all W GA . Global. Setup ( G P ) G P , all GA . Setup ( G P ) G P K , G M K , all GA . Setup ( G P ) G P K , G M K , all W GA . GA . Setup ( G P , G P K , G M K ) ( G P K , G M K ) , all AA . Setup ( G P , k , U k ) ( A P K k , A M K k ) , all W AA . Setup ( G P , A P K k , A M K k ) ( A P K k , A M K k ) , all Encrypt . off ( G P , G P K , A P K ) C T o f f , all Encrypt . on ( G P , A P K , m , A , C T o f f ) C T A , all W DO . Encrypt . off ( G P , G M K , A P K ) I T , all W DO . Encrypt . on ( G P , I T , C T ) C T , all GAKeyGen . off ( G P , G M K ) u g s k , all W GA . GAKeyGen . off ( G P , f ) I S K , all W GA . GAKeyGen . on ( G P , I S K , u g s k ) u g s k , all AA . KeyGen . off ( G P , A M K k ) u a s k o f f , all AA . KeyGen . on ( G P , G I D , A P K k , S G I D , k , u a s k o f f ) u a s k o n , S G I D , all W AA . KeyGen . off ( G P , A M K k ) u a s k o f f , all W AA . KeyGen . on ( G P , r ˜ i , S G I D , G I D , u a s k o n , S G I D , k , u a s k o f f ) u a s k o n , S G I D , all KeyGen . ran ( u g s k , u a s k o n , S G I D ) ( T K , R K ) , all W DC . TKUpdate ( T K ) ( T K , β ) , all Decrypt . out ( T K , C T ) T C T , all W DU . Decrypt ( T C T , β ) T C T . If S satisfies ( M , ρ ) , then Decrypt . user ( R K , T C T ) m .

References

  1. Le, T.; Hsu, C.; Chen, W. A hybrid blockchain-based log management scheme with nonrepudiation for smart grids. IEEE Trans. Ind. Inform. 2021, 18, 5771–5782. [Google Scholar] [CrossRef]
  2. Zhong, H.; Zhou, Y.; Zhang, Q.; Xu, Y.; Cui, J. An efficient and outsourcing-supported attribute-based access control scheme for edge-enabled smart healthcare. Future Gener. Comput. Syst. 2021, 115, 486–496. [Google Scholar] [CrossRef]
  3. Li, J.; Wang, S.; Li, Y.; Wang, H.; Wang, H.; Wang, H.; Chen, J.; You, Z. An efficient attribute-based encryption scheme with policy update and file update in cloud computing. IEEE Trans. Ind. Inform. 2019, 15, 6500–6509. [Google Scholar] [CrossRef]
  4. Chen, N.; Li, J.; Zhang, Y.; Guo, Y. Efficient CP-ABE scheme with shared decryption in cloud storage. IEEE Trans. Comput. 2020, 71, 175–184. [Google Scholar] [CrossRef]
  5. Li, J.; Yao, W.; Han, J.; Zhang, Y.; Shen, J. User collusion avoidance CP-ABE with efficient attribute revocation for cloud storage. IEEE Syst. J. 2017, 12, 1767–1777. [Google Scholar] [CrossRef]
  6. Ezhilarasi, T.P.; Sudheer, K.N.; Latchoumi, T.P.; Balayesu, N. A secure data sharing using IDSS CP-ABE in cloud storage. In Proceedings of the Advances in Industrial Automation and Smart Manufacturing, Kurnool, India, 26–27 July 2019; Springer: Singapore, 2021; pp. 1073–1085. [Google Scholar]
  7. Chaudhary, C.K.; Sarma, R.; Barbhuiya, F.A. RMA-CPABE: A multi-authority CPABE scheme with reduced ciphertext size for IoT devices. Future Gener. Comput. Syst. 2023, 138, 226–242. [Google Scholar] [CrossRef]
  8. Zhong, H.; Zhu, W.; Xu, Y.; Cui, J. Multi-authority attribute-based encryption access control scheme with policy hidden for cloud storage. Soft Comput. 2018, 22, 243–251. [Google Scholar] [CrossRef]
  9. Das, S.; Namasudra, S. Multi-Authority CP-ABE-Based Access Control Model for IoT-Enabled Healthcare Infrastructure. IEEE Trans. Ind. Inform. 2023, 19, 821–829. [Google Scholar] [CrossRef]
  10. Ball, J.; Borger, J.; Greenwald, G. Revealed: How US and UK spy agencies defeat internet privacy and security. Know Your Neighborhood 2013, 6, 1–10. [Google Scholar]
  11. Perlroth, N.; Larson, J.; Shane, S. NSA Able to Foil Basic Safeguards of Privacy on Web. The New York Times, 5 September 2013; pp. 1–8. [Google Scholar]
  12. Greenwald, G. No Place to Hide: Edward Snowden, the NSA, and the US Surveillance State; Macmillan: New York, NY, USA, 2014. [Google Scholar]
  13. Mironov, I.; Stephens-Davidowitz, N. Cryptographic reverse firewalls. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, 26–30 April 2015; Springer: Berlin/ Heidelberg, Germany, 2015; pp. 657–686. [Google Scholar]
  14. Miao, Y.; Tong, Q.; Choo, K.K.R.; Liu, X.; Deng, R.H.; Li, H. Secure online/offline data sharing framework for cloud-assisted industrial Internet of Things. IEEE Internet Things J. 2019, 6, 8681–8691. [Google Scholar] [CrossRef]
  15. Sahai, A.; Waters, B. Fuzzy identity-based encryption. In Proceedings of the Annual international conference on the theory and applications of cryptographic techniques, Aarhus, Denmark, 22–26 May 2005; Springer: Berlin/ Heidelberg, Germany, 2005; pp. 457–473. [Google Scholar]
  16. Goyal, V.; Pandey, O.; Sahai, A.; Waters, B. Attribute-based encryption for fine-grained access control of encrypted data. In Proceedings of the 13th ACM Conference on Computer and Communications Security, Lexandria, VA, USA, 30 October–3 November 2006; pp. 89–98. [Google Scholar]
  17. Bethencourt, J.; Sahai, A.; Waters, B. Ciphertext-policy attribute-based encryption. In Proceedings of the 2007 IEEE Symposium on Security and Privacy (SP’07), Berkeley, CA, USA, 20–23 May 2007; pp. 321–334. [Google Scholar]
  18. Chase, M. Multi-authority attribute based encryption. In Proceedings of the Theory of Cryptography Conference, Amsterdam, The Netherlands, 21–24 February 2007; Springer: Berlin/Heidelberg, Germany, 2007; pp. 515–534. [Google Scholar]
  19. Chase, M.; Chow, S.S.M. Improving privacy and security in multi-authority attribute-based encryption. In Proceedings of the 16th ACM Conference on Computer and Communications Security, Chicago, IL, USA, 9–13 November 2009; pp. 121–130. [Google Scholar]
  20. Lin, H.; Cao, Z.; Liang, X.; Shao, J. Secure threshold multi authority attribute based encryption without a central authority. Inf. Sci. 2010, 180, 2618–2632. [Google Scholar] [CrossRef]
  21. Qian, H.; Li, J.; Zhang, Y.; Han, J. Privacy-preserving personal health record using multi-authority attribute-based encryption with revocation. Int. J. Inf. Secur. 2015, 14, 487–497. [Google Scholar] [CrossRef]
  22. Zhou, Y.; Guan, Y.; Zhang, Z.; Li, F. Cryptographic reverse firewalls for identity-based encryption. In Proceedings of the International Conference on Frontiers in Cyber Security, Xi’an, China, 15–17 November 2019; Springer: Singapore, 2019; pp. 36–52. [Google Scholar]
  23. Chen, R.; Mu, Y.; Yang, G.; Susilo, W.; Guo, F.; Zhang, M. Cryptographic reverse firewall via malleable smooth projective hash functions. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, 4–8 December 2016; Springer: Berlin/Heidelberg, Germany, 2016; pp. 844–876. [Google Scholar]
  24. Zhou, Y.; Guo, J.; Li, F. Certificateless public key encryption with cryptographic reverse firewalls. J. Syst. Archit. 2020, 109, 101754. [Google Scholar] [CrossRef]
  25. Zhou, Y.; Hu, Z.; Li, F. Searchable public-key encryption with cryptographic reverse firewalls for cloud storage. IEEE Trans. Cloud Comput. 2021, 11, 383–396. [Google Scholar] [CrossRef]
  26. Ma, H.; Zhang, R.; Yang, G.; Song, Z.; Sun, S.; Xiao, Y. Concessive online/offline attribute based encryption with cryptographic reverse firewalls—Secure and efficient fine-grained access control on corrupted machines. In Proceedings of the European Symposium on Research in Computer Security, Barcelona, Spain, 3–7 September 2018; Springer: Cham, Switzerland, 2018; pp. 507–526. [Google Scholar]
  27. Hong, B.; Chen, J.; Zhang, K.; Qian, H. Multi-authority non-monotonic KP-ABE with cryptographic reverse firewall. IEEE Access 2019, 7, 159002–159012. [Google Scholar] [CrossRef]
  28. Khan, S.; Zareei, M.; Khan, S.; Alanazi, F.; Alam, M.; Waheed, A. OO-ABMS: Online/Offline-Aided Attribute-Based Multi-Keyword Search. IEEE Access 2021, 9, 114392–114406. [Google Scholar] [CrossRef]
  29. Ali, M.; Sadeghi, M.R.; Liu, X.; Miao, Y.; Vasilakos, A.V. Verifiable online/offline multi-keyword search for cloud-assisted Industrial Internet of Things. J. Inf. Secur. Appl. 2022, 65, 103101. [Google Scholar] [CrossRef]
  30. Zhang, L.; Su, J.; Mu, Y. Outsourcing attributed-based ranked searchable encryption with revocation for cloud storage. IEEE Access 2020, 8, 104344–104356. [Google Scholar] [CrossRef]
  31. Shao, J.; Zhu, Y.; Ji, Q. Privacy-preserving online/offline and outsourced multi-authority attribute-based encryption. In Proceedings of the 2017 IEEE/ACIS 16th International Conference on Computer and Information Science (ICIS), Wuhan, China, 24–26 May 2017; pp. 285–291. [Google Scholar]
  32. Zhang, Y.; Zheng, D.; Li, Q.; Li, J.; Li, H. Online/offline unbounded multi-authority attribute-based encryption for data sharing in mobile cloud computing. Secur. Commun. Netw. 2016, 9, 3688–3702. [Google Scholar] [CrossRef]
  33. Green, M.; Hohenberger, S.; Waters, B. Outsourcing the decryption of abe ciphertexts. USENIX Secur. Symp. 2011, 3, 8–12. [Google Scholar]
  34. Xie, M.; Ruan, Y.; Hong, H.; Shao, J. A CP-ABE scheme based on multi-authority in hybrid clouds for mobile devices. Future Gener. Comput. Syst. 2021, 121, 114–122. [Google Scholar] [CrossRef]
  35. Zhang, J.; Gong, Q.; Wei, Z.; Wang, X.; Yan, X.; Zhang, X. Efficient Multi-Authority Attribute-Based Encryption with Policy Hiding and Updating. In Proceedings of the 2022 IEEE 10th International Conference on Computer Science and Network Technology (ICCSNT), Dalian, China, 22–23 October 2022; pp. 34–38. [Google Scholar]
  36. Zhang, L.; Zhao, C.; Wu, Q.; Mu, Y.; Rezaeibagha, F. A traceable and revocable multi-authority access control scheme with privacy preserving for mHealth. J. Syst. Archit. 2022, 130, 102654. [Google Scholar] [CrossRef]
  37. Datta, P.; Dutta, R.; Mukhopadhyay, S. Fully secure online/offline predicate and attribute-based encryption. In Proceedings of the International Conference on Information Security Practice and Experience, Beijing, China, 5–8 May 2015; Springer: Cham, Switzerland, 2015; pp. 331–345. [Google Scholar]
Figure 1. System architecture of OO-MA-CP-ABE-CRFs.
Figure 1. System architecture of OO-MA-CP-ABE-CRFs.
Entropy 25 00616 g001
Figure 2. Computational cost comparison of online key generation and decryption: (a) The Online Key Generation Cost; (b) The Decryption Cost.
Figure 2. Computational cost comparison of online key generation and decryption: (a) The Online Key Generation Cost; (b) The Decryption Cost.
Entropy 25 00616 g002
Figure 3. Storage cost comparison of ciphertext and secret key: (a) The Ciphertext Storage Cost; (b) The Secret Key Storage Cost.
Figure 3. Storage cost comparison of ciphertext and secret key: (a) The Ciphertext Storage Cost; (b) The Secret Key Storage Cost.
Entropy 25 00616 g003
Figure 4. The OO-MA-CP-ABE-CRFs in an e-health system.
Figure 4. The OO-MA-CP-ABE-CRFs in an e-health system.
Entropy 25 00616 g004
Table 1. Comparison of properties.
Table 1. Comparison of properties.
SchemesMulti-AuthorityOnline/Offline Key GenerationOnline/Offline EncryptionCRF
[26]×
[37]×××
[32]×
[34]×××
[35]×××
[36]××
Proposed
The symbol ✓ represents that the scheme has this property, while the symbol × represents that the scheme does not have this property.
Table 2. Comparison of computational cost.
Table 2. Comparison of computational cost.
SchemesSystem SetupOnline User Key GenerationOnline User EncryptionUser Decryption
[32] 1 P + ( 2 K + 1 ) E 3 | S | E + | S | M 1 M ( 3 | I | + 1 ) P + 3 | I | E + ( 5 | I | + 1 ) M
[26] 1 P + 7 E | S | E + | S | M ( 2 l + 1 ) M + 2 l E 1 E + 1 M
[34] 1 P + 3 E ( | S | + 2 ) E + 1 M ( 1 l + 1 ) M + ( 3 l + 2 ) E ( 2 | I | + 1 ) P + 2 | I | E + ( 1 | I | + 1 ) M
[35] 1 P + ( 2 K 1 ) E ( 3 | S | + 1 ) E l P + ( l + 3 ) E 3 P + 4 E
[36] ( | U | + 2 N 1 ) E ( 6 K + S ) E + K M ( N + 1 ) E + ( l + 1 ) M 1 E + 1 M
Proposed 1 P + ( 4 K + 6 ) E + 1 M | S | E + | S | M ( 2 l + 1 ) M + 2 l E 1 E + 1 M
Table 3. Comparison of storage cost.
Table 3. Comparison of storage cost.
SchemesPublic ParametersCiphertextUser Decryption Key
[32] ( 2 K + 5 ) | G | + | G T | ( 3 l + 1 ) | G | + | G T | ( 2 S + 2 ) | G |
[26] 5 | G | + | G T | ( 3 l + 1 ) | G | + | G T | ( 2 S + 3 ) | G |
[34] 3 | G | + | G T | ( 2 l + 1 ) | G | + | G T | ( S + 2 ) | G |
[35] | G | + | G T | ( l + 2 ) | G | + | G T | ( S + 2 ) | G |
[36] ( 2 K + | U | + 2 N + 2 ) | G | + K | G T | ( 3 l + N 2 + 1 ) | G | + | G T | ( ( 4 + d ) K + S ) | G | + 2 K | Z p |
Proposed ( 2 K + 5 ) | G | + | G T | ( 3 l + 1 ) | G | + | G T | ( 2 S + 3 ) | G |
Table 4. Time cost of sub-operations.
Table 4. Time cost of sub-operations.
OperationTime Cost
bilinear pairing operation2.05 ms
exponentiation in G 2.80 ms
multiplication in G 2.82 ms
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Li, J.; Fan, Y.; Bian, X.; Yuan, Q. Online/Offline MA-CP-ABE with Cryptographic Reverse Firewalls for IoT. Entropy 2023, 25, 616. https://doi.org/10.3390/e25040616

AMA Style

Li J, Fan Y, Bian X, Yuan Q. Online/Offline MA-CP-ABE with Cryptographic Reverse Firewalls for IoT. Entropy. 2023; 25(4):616. https://doi.org/10.3390/e25040616

Chicago/Turabian Style

Li, Juyan, Ye Fan, Xuefen Bian, and Qi Yuan. 2023. "Online/Offline MA-CP-ABE with Cryptographic Reverse Firewalls for IoT" Entropy 25, no. 4: 616. https://doi.org/10.3390/e25040616

APA Style

Li, J., Fan, Y., Bian, X., & Yuan, Q. (2023). Online/Offline MA-CP-ABE with Cryptographic Reverse Firewalls for IoT. Entropy, 25(4), 616. https://doi.org/10.3390/e25040616

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop