OO-MA-KP-ABE-CRF: Online/Offline Multi-Authority Key-Policy Attribute-Based Encryption with Cryptographic Reverse Firewall for Physical Ability Data

Abstract

In many universities, students’ physical ability data are collected and stored in the cloud through various sensing devices to save computational and storage costs. Therefore, how to effectively access data while ensuring data security has become an urgent issue. Key-policy attribute-based encryption (KP-ABE) not only enables secure one-to-many communication and fine-grained access control but also adapts to data sharing in static scenarios, making it more suitable for the cloud sharing of physical ability data. In this paper, we construct an online/offline multi-authority key-policy attribute-based encryption with a cryptographic reverse firewall for physical ability data. This scheme uses multi-authority to avoid the single point of failure crisis of a single authority, and is combined with a cryptographic reverse firewall to resist backdoor attacks. In addition, the scheme uses outsourcing decryption to save users’ computing costs, and utilizes offline/online technology to move a large amount of computing offline, reducing the online burden. Finally, the experiment shows the feasibility of the scheme.

1. Introduction

With the widespread use of sensing devices, various sensors carried by students can collect physical ability data, such as the time spent completing a long-distance race, the number of jump rope skips within a minute, and heart rate, and upload the collected data to the cloud for storage. For security, sensitive data should be encrypted before being stored in the cloud. ABE (attribute-based encryption) can achieve fine-grained access control over ciphertext while providing encryption for data, making it suitable for protecting students’ physical ability data.

ABE has two types: key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE). In the KP-ABE scheme, attributes are used to encrypt data, and the user’s decryption key corresponds to an access structure. The decryption key can correctly decrypt the ciphertext if and only if the attribute satisfies the access structure. Firstly, before encrypting the physical ability data, it is not known which users want to share, and the access structure of these users may be different. Therefore, if CP-ABE is used to encrypt physical ability data, it may involve the need to convert ciphertext under one access structure to ciphertext under another access structure [1]. Secondly, due to the sensitivity of physical ability data, the system needs to maintain an audit log. As shown in [2], when the KP-ABE encryption scheme is adopted, the system uses attributes to encrypt the physical ability data. The data can only be decrypted and accessed by the user after obtaining the corresponding key of the specified access structure, thus effectively solving the audit log problem. Finally, due to the fact that students’ physical ability data are rarely updated after collection, KP-ABE is more suitable for data sharing in static scenarios. So, compared to CP-ABE, using KP-ABE is more suitable for physical ability data encryption.

However, most KP-ABE schemes are single-authority, leading to a single point of failure crisis and making the cross-organizational sharing of confidential information challenging. The high computational overhead of KP-ABE is also a problem. The large attribute universe and flexible access structures both increase the time required for encryption and key generation. So, we need to adopt effective techniques to improve the efficiency of the KP-ABE scheme. In addition, Edward Snowden’s revelations indicate that even provably secure cryptographic schemes may face the risk of privacy leakage. Adversaries can obtain users’ confidential information through an undetectable backdoor, endangering their privacy and security.

To address these issues, we combined KP-ABE, multi-authority, online/offline and crypto reverse firewall (CRF) capabilities to construct an online/offline multi-authority KP-ABE with a cryptographic reverse firewall (OO-MA-KP-ABE-CRF) for students’ physical ability data. The following are the specific contributions:

(1)

We propose a novel OO-MA-KP-ABE-CRF scheme without a central attribute authority to coordinate key distribution between attribute authorities, while also supporting non-monotonic access structure, making the access control structure more flexible.

(2)

To meet the usage demands of lightweight terminal devices, our proposed scheme utilizes online/offline technology and outsourced decryption to improve efficiency.

(3)

We prove the correctness and security of the proposed OO-MA-KP-ABE-CRF scheme, which encompasses CPA security, weak security preservation, and weak demonstration resistance. These security aspects indicate that even in the face of potential backdoor attacks, the scheme can still ensure its security and functionality.

The remainder of this paper is as follows: Section 2 outlines the related work. Section 3 provides the preliminaries. Section 4 details the proposed OO-MA-KP-ABE-CRF scheme. Section 5 provides the performance analysis. Finally, the conclusion is presented in Section 6.

2. Related Work

This section provides a summary of related works on ABE, CRF, and online/offline cryptography.

2.1. Attribute-Based Encryption

Goyal et al. [2] classified ABE into two types: KP-ABE and CP-ABE. Due to the richness of access structures, the research and application of ABE have received increasing attention, but currently, most ABE access structures are focused on monotonic access structures. In order to enrich the expression of access structures, Yamada et al. [3] modularized KP-ABE and proved that any special-type predicate encryption satisfying certain conditions can be transformed into the non-monotonic KP-ABE format. Subsequently, Attrapadung et al. [4] designed an attribute-based signature supporting non-monotonic span programs by studying predicate encryption schemes and implementing constant-size signature technology. Moreover, ABE serves as a prevalent privacy protection method, playing a crucial role in safeguarding personal privacy and ensuring the secure communication of data in various domains such as cloud computing, medical insurance, intelligent transportation, and the Internet of Things. For instance, Zhang et al. [5] surveyed various ABE-based techniques for securing cloud data, Rasori et al. [6] proposed a KP-ABE scheme against the potential threat of malicious attacks of untrustworthy cloud servers, Kumar et al. [7] researched how to combine IoT with ABE to protect user privacy, and Jaiswal et al. [8] compared and analyzed various ABE schemes in medical privacy scenarios. In addition, there has been a plethora of research related to privacy protection, such as the adoption of the secure encryption random permutation pseudo algorithm (SERPPA) to enhance network security and energy efficiency [9], investigations into ABE in the post-quantum era [10], and the development of privacy-preserving schemes in federated learning [11], among others. Considering that almost all hierarchical ABEs are designed based on CP-ABE schemes and only support monotonic access structures, Li et al. [12] proposed a hierarchical non-monotonic KP-ABE scheme. Therefore, non-monotonic ABE schemes offer more flexible access control than monotonic ABE and can better meet the complex authorization requirements in practical applications.

2.2. Cryptographic Reverse Firewall

Edward Snowden’s revelations have revealed hidden backdoor vulnerabilities in many provably secure cryptographic algorithms. To defend against malicious data streams and prevent the leakage of public parameters, Mironov and Stephens-Devidowitz [13] introduced the CRF in 2015. The CRF is deployed between user machines and external networks to intercept incoming and outgoing data and update it in real-time, preventing potential backdoor threats. Dodis, Mironov, and Stephens-Devidowitz [14] designed an efficient secure transmission protocol based on the CRF framework, focusing on whether users can securely communicate with untrusted machines and others. Ma et al. [15] used bilinear pairing to construct a COO-CP-ABE-CRF scheme, which successfully reduced the overall computational cost compared to the original scheme without CRF, and developed a libabe library which is compatible with Android devices; the prototype has been implemented on laptops and mobile phones. Hong et al. [16] designed a MA-KP-ABE system based on CRF technology that supports non-monotonic access structures. They analyzed the system’s performance using the Charm library. To resist keyword guessing attacks (KGA) initiated by dishonest cloud servers, Zhou et al. [17] combined public key encryption with keyword search (PEKS) with the CRF and designed a searchable public key encryption with CRF (SPKE-CRF). Furthermore, to meet data security sharing requirements in virtual worlds like the Metaverse, Zhao et al. [18] proposed a CP-ABE-CRF scheme with outsourcing decryption, offline encryption, and black-box tracing capabilities.

2.3. Online/Offline Cryptography

The high computational overhead of KP-ABE is a problem. To address this issue, Hohenberger et al. [19] proposed an OO-ABE scheme, which separates the original cryptographic algorithm into an offline and online phase. During the offline phase, the system performs data preprocessing to enable the fast assembly of encryption ciphertexts or keys in the online phase, resulting in significant time and overhead savings. Additionally, Cui et al. [20] proposed a novel keyword search scheme with online/offline attributes in the mobile cloud, which achieved cost savings and maintained data privacy and security. Therefore, online/offline technology has significant advantages in various privacy and security scenarios with real-time requirements, such as healthcare IoT, 5G communications, industrial IoT, etc. [21,22,23,24,25,26]. In order to address the issue of low efficiency in the operation of the medical Internet of Things, Li et al. [27] proposed a flexible and efficient ciphertext-policy attribute-based encryption scheme by integrating online/offline techniques and outsourced decryption. They also effectively ensured the security of the cryptographic algorithm through CRF. Overall, online/offline cryptography technology effectively reduces computational overhead in algorithms and brings significant advantages to various application areas.

3. Preliminaries

This introduces the preliminaries of the OO-MA-KP-ABE-CRF scheme.

3.1. Bilinear Group

For the multiplicative cyclic groups $\mathbb{G}$ and ${\mathbb{G}}_T$ with the same prime order p, we define an efficiently computable bilinear pairing $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$ that satisfies the following two properties:

(1)

Bilinearity: One can compute $e(P^a,Q^b)=e{(P,Q)}^{ab}$ for any $P,Q\in \mathbb{G}$ and $a,b\in {\mathbb{Z}}_p^{*}$.

(2)

Non-degeneracy: Let $g\in \mathbb{G}$ and $h\in \mathbb{G}$ be the generators. The equation $e(g,h)\ne 1$ always holds.

3.2. Access Structure

For a set of participants P, we define the attribute x to represent the elements in the set P, and each attribute x is either a positive attribute x or a negative attribute $x^{\prime }$. Assuming that the set S includes all possible attributes, $\tilde{S}=\left\{x^{\prime }\right|x\in S\}$ is the set of negative attributes derived from S. For a monotonic access structure $\mathbb{A}$ defined on the attribute set S, there always exists a corresponding non-monotonic access structure $\tilde{\mathbb{A}}=NM(\mathbb{A})$, where $S\in NM(\mathbb{A})$. When $N(S)\in \mathbb{A}$, there is $N(S)=S\cup \left\{x^{\prime }\right|x\in P-S\}$.

3.3. Linear Secret Sharing Schemes

A linear secret sharing scheme (LSSS) involves $(M,\rho )$ with the general attribute description U, where $M\in {\mathbb{Z}}_p^{l\times n}$ is a secret sharing matrix, and $\rho (M_i)$ is a corresponding attribute, where $M_i$ is the $i\text{-}th$ row of M. For the secret $s\in {\mathbb{Z}}_p$, we randomly select $y_2,\cdots ,y_n\in {\mathbb{Z}}_p$, and then ${\lambda }_i=M_i{(s,y_2,\cdots ,y_n)}^T$ is the share of secret value s corresponding to attribute $\rho (M_i)$. When reconstructing secret values s using the share ${\lambda }_i$, there exists $c_i$ such that ${\sum }_{i\in I}{c}_i{M}_i=(1,0,···,0)$; thus, ${\sum }_{i\in I}{c}_i{\lambda }_i=s$, where $I=\{i:\rho (i)\in P\}$, and P is an authorized set.

3.4. Cryptographic Reverse Firewall

The CRF of party P is a state algorithm that outputs an updated state and message based on the input of the state and the message of party P. For a scheme satisfying functionality requirement and a party P, when the CRF is applied to P polynomial times, the functionality of the scheme is maintaining, it is called CRF maintaining functionality. If a scheme is secure, and the party P in the scheme is replaced with a combination of CRF and functionality-maintaining adversarial implementations, which still satisfies the security requirement, then it is called CRF weakly preserved security. If the corrupted functionality-maintaining implementation of party P cannot leak information through the CRF, then it is called CRF weakly exfiltration resistance. Further understanding of CRF can be found in reference [27].

4. System Model and Security Model

This introduces the system model, a real-world application, and a security model of the OO-MA-KP-ABE-CRF scheme.

4.1. System Model

The scheme includes five entities accompanied by their corresponding CRF. These entities are the global-identity authority (GA), attribute authorities (AA), the data owner (DO), the data user (DU), and the cloud service provider (CSP). Each entity is equipped with a CRF, namely ${\mathcal{W}}_{\mathrm{GA}}$ for GA, ${\mathcal{W}}_{\mathrm{AA}}$ for AA, ${\mathcal{W}}_{\mathrm{DO}}$ for DO, and ${\mathcal{W}}_{\mathrm{DU}}$ for DU. The global parameters $GP$ are generated by GA. To mitigate potential compromises in this process, $GP$ is randomized by ${\mathcal{W}}_{\mathrm{GA}}$ to obtain $G{P}^{\prime }$, and the updated results are broadcasted throughout the system. The AA generates a public/private key pair for itself and a decryption key for the user. Additionally, the AA’s keys and the users’ decryption keys are randomized by ${\mathcal{W}}_{\mathrm{AA}}$ to mitigate potential vulnerabilities. The CSP is responsible for offering services like cloud storage and outsourced decryption. The DO encrypts the data and then uploads it to the CSP. Given the potential risk of adversaries compromising critical encryption processes, ${\mathcal{W}}_{\mathrm{DO}}$ applies additional randomization to the ciphertext. Subsequently, the ciphertext is downloaded from the CSP and decrypted by DU. To mitigate potential vulnerabilities in the outsourced decryption key generation process, ${\mathcal{W}}_{\mathrm{DU}}$ randomizes the keys used for outsourced decryption.

Let U denote the general attribute description, while $\tilde{\mathbb{A}}$ represents a non-monotonic access structure. The OO-MA-KP-ABE-CRF for $\tilde{\mathbb{A}}$ consists of 17 algorithmic steps:

$\mathit{Global}.\mathbf{Setup}(\mathit{\lambda },\mathit{U})\to \mathit{GP}$. For the input security parameters $\lambda$ and general attribute description U, $GA$ runs the algorithm and outputs the global public parameters $GP$.

${\mathcal{W}}_{\mathbf{GA}}\mathbf{.}\mathit{Global}.\mathbf{Setup}(\mathit{GP})\to {\mathit{GP}}^{\prime }$. For the input $GP$, ${\mathcal{W}}_{\mathrm{GA}}$ runs the algorithm and outputs the updated global public parameters $G{P}^{\prime }$.

$\mathbf{AA}\mathbf{.}\mathbf{Setup}({\mathit{GP}}^{\prime })\to (\mathit{P}{\mathit{K}}_{\mathit{k}},\mathit{S}{\mathit{K}}_{\mathit{k}})$. For the input $G{P}^{\prime }$, ${\mathrm{AA}}_k$ runs the algorithm and outputs the public key $P{K}_k$ and private key $S{K}_k$ for itself.

${\mathcal{W}}_{\mathbf{AA}}\mathbf{.}\mathbf{Setup}(\mathit{P}{\mathit{K}}_{\mathit{k}},\mathit{S}{\mathit{K}}_{\mathit{k}})\to (\mathit{P}{\mathit{K}}_{\mathit{k}}^{\prime },\mathit{S}{\mathit{K}}_{\mathit{k}}^{\prime })$. For the input $(P{K}_k,S{K}_k)$, ${\mathcal{W}}_{\mathrm{AA}}$ runs the algorithm and outputs the updated $(P{K}_k^{\prime },S{K}_k^{\prime })$.

$\mathbf{KeyGen}\mathbf{.}\mathbf{off}({\mathit{GP}}^{\mathit{\prime }},\mathit{P}{\mathit{K}}_{\mathit{k}}^{\prime },{\mathcal{A}}_{\mathit{C}}^{\mathit{k}})\to {\mathit{D}}_{\mathit{k}\mathit{.}\mathit{off}}$. For the input $G{P}^{\prime }$, $P{K}_k^{\prime }$, and ${\mathcal{A}}_C^k$, ${\mathrm{AA}}_k$ runs the algorithm and outputs the offline decryption key $D_{k.off}$ corresponding to ${\mathcal{A}}_C^k$.

$\mathbf{KeyGen}\mathbf{.}\mathbf{on}({\mathit{GP}}^{\prime },{\mathit{D}}_{\mathit{k}\mathit{.}\mathit{off}},\mathbf{S}{\mathbf{K}}_{\mathbf{k}}^{\prime },{\tilde{\mathbb{A}}}_{\mathit{k}},\mathit{GID})\to {\mathit{D}}_{\mathit{GID},\mathit{k}}$. For the input $G{P}^{\prime }$, $D_{k.off}$, $S{K}_k^{\prime }$, the non-monotonic access structure ${\tilde{\mathbb{A}}}_k$ of $A{A}_k$, and $GID$, ${\mathrm{AA}}_k$ runs the algorithm and outputs the decryption key ${\left\{D_{GID,k}\right\}}_{i\in {\tilde{\mathbb{A}}}_k}$ for the user $GID$ in $A{A}_k$. the user’s decryption key $D_{GID}={\left\{D_{GID,k}\right\}}_{k\in \left[K\right]}$.

${\mathcal{W}}_{\mathbf{AA}}.\mathbf{KeyGen}\mathbf{.}\mathbf{off}({\mathit{GP}}^{\prime },\mathit{P}{\mathit{K}}_{\mathit{k}}^{\prime },{\mathcal{A}}_{\mathit{C}}^{\mathit{k}})\to {\mathit{D}}_{\mathit{k}.\mathit{off}}^{\prime }$. For the input $G{P}^{\prime }$, $P{K}_k^{\prime }$ and ${\mathcal{A}}_C^k$, ${\mathcal{W}}_{\mathrm{AA}}$ runs the algorithm and outputs the the updated $D_{k.off}^{\prime }$.

${\mathcal{W}}_{\mathbf{AA}}\mathbf{.}\mathbf{KeyGen}\mathbf{.}\mathbf{on}({\mathit{GP}}^{\prime },{\mathit{D}}_{\mathit{k}.\mathit{off}}^{\prime },{\mathit{D}}_{\mathit{GID},\mathit{k}})\to {\mathit{D}}_{\mathit{GID},\mathit{k}}^{\prime }$. For the input $G{P}^{\prime }$, $D_{k.off}^{\prime }$ and $D_{GID,k}$, ${\mathcal{W}}_{\mathrm{AA}}$ runs the algorithm and outputs the updated $D_{GID,k}^{\prime }$. Let $D_{GID}^{\prime }={\left\{D_{GID,k}^{\prime }\right\}}_{k\in \left[K\right]}$.

$\mathbf{Encrypt}\mathbf{.}\mathbf{off}({\mathit{GP}}^{\prime },\mathit{P}{\mathit{K}}_{\mathit{k}}^{\prime })\to \mathit{C}{\mathit{T}}_{\mathit{off}}$. For the input $G{P}^{\prime }$ and $P{K}_k^{\prime }$, $DO$ runs the algorithm and outputs the $C{T}_{off}$.

$\mathbf{Encrypt}\mathbf{.}\mathbf{on}(\mathit{m},\mathit{C}{\mathit{T}}_{\mathit{off}},{\mathcal{A}}_{\mathit{u}})\to \mathbf{CT}$. For the input m, $C{T}_{off}$ and ${\mathcal{A}}_u$, $DO$ runs the algorithm and outputs the ciphertext $CT$.

${\mathcal{W}}_{\mathbf{DO}}\mathbf{.}\mathbf{Encrypt}\mathbf{.}\mathbf{off}({\mathit{GP}}^{\prime },\mathit{P}{\mathit{K}}_{\mathit{k}}^{\prime })\to \mathit{IT}$. For the input $G{P}^{\prime }$ and $P{K}_k^{\prime }$, ${\mathcal{W}}_{\mathrm{DO}}$ runs the algorithm offline and outputs the $IT$.

${\mathcal{W}}_{\mathbf{DO}}\mathbf{.}\mathbf{Encrypt}\mathbf{.}\mathbf{on}(\mathit{CT},\mathit{IT})\to {\mathit{CT}}^{\prime }$. For the input $CT$ and $IT$, ${\mathcal{W}}_{\mathrm{DO}}$ runs the algorithm online and outputs the $C{T}^{\prime }$.

$\mathbf{KeyGen}\mathbf{.}\mathbf{ran}({\mathit{D}}_{\mathit{GID},\mathit{k}}^{\prime })\to (\mathit{TK},\mathit{RK})$. For the input $D_{GID,k}^{\prime }$, $DU$ runs the algorithm and outputs the conversion key $TK$ and the retrieval key $RK$.

${\mathcal{W}}_{\mathbf{DU}}\mathbf{.}\mathbf{TKUpdate}(\mathit{TK})\to {\mathit{TK}}^{\prime }$. For the input $TK$, ${\mathcal{W}}_{\mathrm{DU}}$ runs the algorithm and outputs the $T{K}^{\prime }$ and a value $\delta$.

$\mathbf{Decrypt}\mathbf{.}\mathbf{out}({\mathit{CT}}^{\prime },{\mathit{TK}}^{\prime })\to \mathit{TCT}$. For the input $C{T}^{\prime }$ and $T{K}^{\prime }$, $CSP$ runs the algorithm and outputs the $TCT$.

${\mathcal{W}}_{\mathbf{DU}}\mathbf{.}\mathbf{Decrypt}(\mathit{TCT},\mathit{\delta })\to {\mathit{TCT}}^{\prime }$. For the input $TCT$ and $\delta$, ${\mathcal{W}}_{\mathrm{DU}}$ runs the algorithm and outputs the $TC{T}^{\prime }$.

$\mathbf{Decrypt}\mathbf{.}\mathbf{user}({\mathit{TCT}}^{\prime },\mathit{RK})\to \mathit{m}$. For the input $TC{T}^{\prime }$ and $RK$, DU performs the final computation to produce the plaintext m as output.

Correctness: For $\lambda \in \mathbb{N}$, U, an access structure P and a message m, the correctness holds: for all ${\mathcal{A}}_C^k,{\mathcal{A}}_u\subseteq U,{\tilde{\mathbb{A}}}_k\in P$, all $GP\leftarrow Global.\mathrm{Setup}(\lambda ,U)$, all $G{P}^{\prime }\leftarrow {\mathcal{W}}_{\mathrm{GA}}.Global.\mathrm{Setup}(GP)$, all $(P{K}_k,S{K}_k)\leftarrow \mathrm{AA}.\mathrm{Setup}(G{P}^{\prime })$, all $(P{K}_k^{\prime },S{K}_k^{\prime })\leftarrow {\mathcal{W}}_{\mathrm{AA}}.\mathrm{Setup}$$(P{K}_k,S{K}_k)$, all $D_{k.off}\leftarrow \mathrm{KeyGen}.\mathrm{off}(G{P}^{\prime },P{K}_k^{\prime },{\mathcal{A}}_C^k)$, all $D_{GID,k}\leftarrow \mathrm{KeyGen}.\mathrm{on}(G{P}^{\prime },D_{k.off},$$S{K}_k^{\prime },{\tilde{\mathbb{A}}}_k,GID)$, all $D_{k.off}^{\prime }\leftarrow {\mathcal{W}}_{\mathrm{AA}}.\mathrm{KeyGen}.\mathrm{off}(G{P}^{\prime },P{K}_k^{\prime },{\mathcal{A}}_C^k)$, all $D_{GID,k}^{\prime }\leftarrow {\mathcal{W}}_{\mathrm{AA}}.\mathrm{KeyGen}.$$on(G{P}^{\prime },D_{k.off}^{\prime },D_{GID,k})$, all $C{T}_{off}\leftarrow \mathrm{Encrypt}.\mathrm{off}(G{P}^{\prime },P{K}_k^{\prime })$, all $CT\leftarrow \mathrm{Encrypt}.\mathrm{on}(m,C{T}_{off},$${\mathcal{A}}_u)$, all $IT\leftarrow {\mathcal{W}}_{\mathrm{DO}}.\mathrm{Encrypt}.\mathrm{off}(G{P}^{\prime },P{K}_k^{\prime })$, all $C{T}^{\prime }\leftarrow {\mathcal{W}}_{\mathrm{DO}}.\mathrm{Encrypt}.\mathrm{on}(CT,IT)$, all $\left(TK,RK\right)\leftarrow \mathrm{KeyGen}.\mathrm{ran}(D_{GID,k}^{\prime })$, all $T{K}^{\prime }\leftarrow {\mathcal{W}}_{\mathrm{DU}}.\mathrm{TKUpdate}(TK)$, all $TCT\leftarrow \mathrm{Decrypt}.$$\mathrm{out}(C{T}^{\prime },T{K}^{\prime })$, all $TC{T}^{\prime }\leftarrow {\mathcal{W}}_{\mathrm{DU}}.\mathrm{Decrypt}\left(TCT,\delta \right)$, if ${\mathcal{A}}_u$ satisfies ${\tilde{\mathbb{A}}}_k$, we have $m\leftarrow \mathrm{Decrypt}.$$\mathrm{user}(TC{T}^{\prime },RK)$.

4.2. Real-World Application

We describe the practical workflow of OO-MA-KP-ABE-CRF for physical ability data, as shown in Figure 1.

Setup phase: (1) Students participating in physical ability tests register their identities on the school platform based on their attributes, such as college, grade, age, and so on. (2) The university calculates global parameters based on these attributes and the CRF of the university randomly updates these parameters. (3) Each department (attribute authority) within the university, such as the education department and the sports department as an attribute authority, independently generates public/private key pairs in the system. (4) To prevent information leakage, the CRF of each department randomizes the update of public/private key pairs.

Key generation phase: (5) and (6) The offline phase is responsible for generating offline keys, while the online phase is responsible for assembling offline keys and generating keys. (7) and (8) Finally, the corresponding CRF of each department updates and outputs the decryption key for the user.

Encryption phase: (9) In physical ability testing, the sensors worn by students collect their current physical ability data in real time. After obtaining the ciphertext by encrypting the data using the attributes, it is then uploaded to the CSP. (10) The offline/online technology is used in the encryption for saving computational costs. (11) and (12) The ciphertext generated by the sensors is not immediately sent to the CSP but is first transmitted to the CRF, which updates and transforms the ciphertext.

Decryption phase: (13) Authorized teachers with specific access structures plan to access the physical ability data of students stored in the CSP through mobile devices. They first generate a conversion key and retrieval key based on the obtained decryption key. The conversion key is sent to the CSP for outsourced decryption, while the retrieval key is retained by the teacher. (14) Before sending to CSP, the conversion key is updated by the CRF of the mobile device. (15)(16) After receiving the updated conversion key, CSP runs decryption and sends the result to CRF of the mobile device. (17) Ultimately, the teacher successfully recovers the physical ability data of the students using the retrieval key.

4.3. Security Model

We present the security model for the OO-MA-KP-ABE-CRF scheme based on [16,27].

Adversarial Model: We assume the full trustworthiness of $GA$, $AA$, $DO$, and $DC$, and the semi-trust of $CSP$. Given that $\mathrm{Global}.\mathrm{Setup}$, $\mathrm{AA}.\mathrm{Setup}$, $\mathrm{KeyGen}.\mathrm{off}$, $\mathrm{KeyGen}.\mathrm{on}$, $\mathrm{Encrypt}.\mathrm{off}$, $\mathrm{Encrypt}.\mathrm{on}$, and $\mathrm{KeyGen}.\mathrm{ran}$ in the scheme remain functional despite the presence of malicious backdoors, it is important to consider that they may be compromised without the knowledge of the executing parties. Owing to the curiosity of ${\mathcal{W}}_{\mathrm{DO}}$ and ${\mathcal{W}}_{\mathrm{DU}}$ regarding user data, we assume that ${\mathcal{W}}_{\mathrm{DO}}$ and ${\mathcal{W}}_{\mathrm{DU}}$ are semi-trusted. Since ${\mathcal{W}}_{\mathrm{AA}}$ has access to users’ decryption keys, we assume that ${\mathcal{W}}_{\mathrm{AA}}$ is fully trusted. Furthermore, all CRFs are regarded as trusted domains and are immune to external tampering.

The selective-set CPA security game for the scheme is played by a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

Init: The $\mathcal{A}$ publicizes the set of ${\mathrm{AA}}_k$, along with the corresponding attribute set ${\mathcal{A}}_u={\mathcal{A}}_u^1,···,{\mathcal{A}}_u^K$. The $\mathcal{A}$ sends algorithms $Global.{\mathrm{Setup}}^{*}$, $\mathrm{AA}.{\mathrm{Setup}}^{*}$, $\mathrm{KeyGen}.{\mathrm{off}}^{*}$, $\mathrm{KeyGen}.\mathrm{o}{\mathrm{n}}^{*}$, $\mathrm{KeyGen}.{\mathrm{ran}}^{*}$, $\mathrm{Encrypt}.{\mathrm{off}}^{*}$, and $\mathrm{Encrypt}.\mathrm{o}{\mathrm{n}}^{*}$ to the $\mathcal{C}$.

Setup: The $\mathcal{C}$ obtains $GP\leftarrow Global.{\mathrm{Setup}}^{*}(\lambda ,U)$, $G{P}^{\prime }\leftarrow {\mathcal{W}}_{\mathrm{GA}}.Global.\mathrm{Setup}(GP)$, $(P{K}_k,S{K}_k)\leftarrow \mathrm{AA}.{\mathrm{Setup}}^{*}(G{P}^{\prime })$, and $(P{K}_k^{\prime },S{K}_k^{\prime })\leftarrow {\mathcal{W}}_{\mathrm{AA}}.{\mathrm{Setup}}^{*}(P{K}_k,S{K}_k)$, and then sends $G{P}^{\prime }$, the $P{K}_k^{\prime }$ of the honest authority, and the ($P{K}_k^{\prime }$, $S{K}_k^{\prime }$) of the corrupted authority to the $\mathcal{A}$.

Phase 1: The adversary $\mathcal{A}$ can adaptively issue queries to the ${\mathrm{AA}}_k$. When the access structure ${\mathbb{A}}_k$ satisfies the attribute ${\mathcal{A}}_u$, the honest ${\mathrm{AA}}_k$ refuse to answer, and otherwise answer the corresponding private key. For each query, the $\mathcal{C}$ runs $D_{k.off}\leftarrow \mathrm{KeyGen}.{\mathrm{off}}^{*}(G{P}^{\prime },P{K}_k^{\prime },{\mathcal{A}}_C^k)$, $D_{GID,k}\leftarrow \mathrm{KeyGen}.\mathrm{o}{\mathrm{n}}^{*}(G{P}^{\prime },D_{k.off},S{K}_k^{\prime },{\tilde{\mathbb{A}}}_k,GID)$, $D_{k.off}^{\prime }\leftarrow {\mathcal{W}}_{\mathrm{AA}}.\mathrm{KeyGen}.\mathrm{off}(G{P}^{\prime },P{K}_k^{\prime },{\mathcal{A}}_C^k)$, $D_{GID,k}^{\prime }\leftarrow {\mathcal{W}}_{\mathrm{AA}}.\mathrm{KeyGen}.\mathrm{on}(G{P}^{\prime },D_{k.off}^{\prime },D_{GID,k})$, $\left(TK,RK\right)$$\leftarrow \mathrm{KeyGen}.{\mathrm{ran}}^{*}(D_{GID,k}^{\prime })$, $T{K}^{\prime }\leftarrow {\mathcal{W}}_{\mathrm{DU}}.\mathrm{TKUpdate}(TK)$, and sends $\left(D_{GID,k}^{\prime },T{K}^{\prime }\right)$ as a response to the adversary $\mathcal{A}$.

Challenge: The $\mathcal{A}$ sends two plaintexts, $m_0$ and $m_1$, of equal length to the challenger $\mathcal{C}$. Then, $\mathcal{C}$ randomly selects $b\in \{0,1\}$ and runs $C{T}_{off}\leftarrow \mathrm{Encrypt}.{\mathrm{off}}^{*}(G{P}^{\prime },P{K}_k^{\prime })$, $C{T}_b\leftarrow \mathrm{Encrypt}.\mathrm{o}{\mathrm{n}}^{*}(m_b,C{T}_{off},{\mathcal{A}}_u)$, $IT\leftarrow {\mathcal{W}}_{\mathrm{DO}}.\mathrm{Encrypt}.\mathrm{off}(G{P}^{\prime },P{K}_k^{\prime })$, $C{T}_b^{\prime }\leftarrow {\mathcal{W}}_{\mathrm{DO}}.\mathrm{Encrypt}.\mathrm{on}$$(C{T}_b,IT)$. Finally, $\mathcal{C}$ sends $C{T}_b^{\prime }$ to the $\mathcal{A}$.

Phase 2: Same as Phase 1.

Guess: The $\mathcal{A}$ outputs a guess $b^{\prime }$ for b.

Definition 1.

If all PPT adversaries have at most negligible advantages in the above game, then the OO-MA-KP-ABE-CRF scheme is selective-set CPA-secure.

5. OO-MA-KP-ABE-CRF

Firstly, a basic OO-MA-KP-ABE scheme is proposed. Then, we construct the OO-MA-KP-ABE-CRF scheme, and finally show the security.

5.1. Basic Construction of OO-MA-KP-ABE Scheme

Based on the KP-ABE scheme [28], this section introduces the OO- KP-ABE scheme using a decentralized approach similar to [29] incorporating the user’s identity GID. Compared with [30], our scheme not only resists collusion attacks, but also eliminates the need for a central attribute authority to coordinate the key distribution among attribute authorities.

(1)

$\mathit{Global}.\mathbf{Setup}(\mathit{\lambda },\mathit{U})\to \mathbf{GP}$. The system selects $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$, with prime order p, and randomly selects generators g and h of the group $\mathbb{G}$ and hash functions $H,F:{\{0,1\}}^{*}\to \mathbb{G}$. Finally, the system outputs $GP=\{g,h,H(·),F(·)\}$.

(2)

$\mathbf{AA}\mathbf{.}\mathbf{Setup}(\mathit{GP})\to (\mathit{P}{\mathit{K}}_{\mathit{k}},\mathit{S}{\mathit{K}}_{\mathit{k}})$. For $k\in \left[K\right]$, attribute authority $\mathrm{A}{\mathrm{A}}_k$ randomly selects ${\alpha }_{k1},{\alpha }_{k2},b_k\leftarrow {\mathbb{Z}}_p$ and computes ${\alpha }_k={\alpha }_{k1}·{\alpha }_{k2}$. Finally, we compute and output the public key $P{K}_k=\{g_{k1}=g^{{\alpha }_{k1}},g_{k2}=g^{{\alpha }_{k2}},g^{b_k},g^{b_k^2},h^{b_k},e{(g,g)}^{{\alpha }_k}\}$, while retaining the secret key $S{K}_k=\{{\alpha }_{k1},{\alpha }_{k2},b_k\}$.

(3)

$\mathbf{KeyGen}\mathbf{.}\mathbf{off}(\mathit{GP},\mathit{P}{\mathit{K}}_{\mathit{k}},{\mathcal{A}}_{\mathit{C}}^{\mathit{k}})\to {\mathit{D}}_{\mathit{k}.\mathit{off}}$. For $x_i\in {\mathcal{A}}_C^k$, $\mathrm{A}{\mathrm{A}}_k$ randomly selects $r_{k,i}\leftarrow {\mathbb{Z}}_p$, calculates $D_{k,i}^{(1)}=H{(x_i)}^{r_{k,i}}$, $D_{k,i}^{(2)}=g^{r_{k,i}}$, $D_{k,i}^{(3)}=g^{b_k^2{r}_{k,i}}$, $D_{k,i}^{(4)}=g^{r_{k,i}{b}_k{x}_i}{h}^{r_{k,i}}$, $D_{k,i}^{(5)}=g^{-r_{k,i}}$, and finally outputs $D_{k.off}={\{D_{k,i}^{(1)},D_{k,i}^{(2)},D_{k,i}^{(3)},D_{k,i}^{(4)},D_{k,i}^{(5)}\}}_{i\in {\mathcal{A}}_C^k}$.

(4)

$\mathbf{KeyGen}\mathbf{.}\mathbf{on}(\mathit{GP},{\mathit{D}}_{\mathit{k}.\mathit{off}},\mathit{S}{\mathit{K}}_{\mathit{k}},{\tilde{\mathbb{A}}}_{\mathit{k}},\mathit{GID})\to {\mathit{D}}_{\mathit{GID}.\mathit{k}}$. $A{A}_k$ selects the non-monotonic access structure ${\tilde{\mathbb{A}}}_k$, which associates with an LSS matrix $(M,\rho )$. By utilizing the LSSS mechanism $\mathsf{\Pi }$, we can acquire the share $\left\{{\lambda }_{k,i}\right\}$ of ${\alpha }_{k1}$ and the share $\left\{{\omega }_{k,i}\right\}$ of 0, where ${\lambda }_{k,i}=M_i\lambda$, $\lambda$ is a random vector with the first term being ${\alpha }_{k1}$. ${\omega }_{k,i}=M_i\omega$, where $\omega$ is a random vector with the first term being 0. $M_i$ is row i of M, $i\in \left[l\right], l\le P$, and P is the maximum number of row of M.

If $\rho (i)=x_i$ is non-negative, calculating

$$D{}_{k,i}^{(1)\prime }=g_{k2}^{{\lambda }_{k,i}}·D_{k,i}^{(1)}·F{(GID)}^{{\omega }_{k,i}}=g_{k2}^{{\lambda }_{k,i}}H{(x_i)}^{r_{k,i}}F{(GID)}^{{\omega }_{k,i}},D{}_{k,i}^{(2)\prime }=D_{k,i}^{(2)}=g^{r_{k,i}},$$

then we let $D_{k,i}=(D{}_{k,i}^{(1)\prime },D{}_{k,i}^{(2)\prime })$.

If $\rho (i)={x_i}^{\prime }$ is negative, calculating

$$D{}_{k,i}^{(3)\prime }=g_{k2}^{{\lambda }_{k,i}}·D_{k,i}^{(3)}·F{(GID)}^{{\omega }_{k,i}}=g_{k2}^{{\lambda }_{k,i}}{g}^{b_k^2{r}_{k,i}}F{(GID)}^{{\omega }_{k,i}},$$

$$D{}_{k,i}^{(4)\prime }=D_{k,i}^{(4)}=g^{r_{k,i}{b}_k{x}_i}{h}^{r_{k,i}},D{}_{k,i}^{(5)\prime }=D_{k,i}^{(5)}=g^{-r_{k,i}},$$

then we let $D_{k,i}=(D{}_{k,i}^{(3)\prime },D{}_{k,i}^{(4)\prime },D{}_{k,i}^{(5)\prime })$. Finally, we output the decryption key $D_{GID.k}={\left\{D_{k.i}\right\}}_{i\in \left[l\right]}$ of the user $GID$ in $\mathrm{A}{\mathrm{A}}_k$. The user’s decryption key $D_{GID}={\left\{D_{GID,k}\right\}}_{k\in \left[K\right]}$.

(5)

$\mathbf{KeyGen}\mathbf{.}\mathbf{ran}({\mathit{D}}_{\mathit{GID},\mathit{k}})\to (\mathit{TK},\mathit{RK})$. With input $D_{GID}$, the user GID randomly selects $\tau \leftarrow {\mathbb{Z}}_p$.

If $\rho (i)=x_i$ is non-negative, let

$${\widehat{D}}_{k,i}=({\widehat{D}}_{k,i}^{(1)},{\widehat{D}}_{k,i}^{(2)})=(D{}_{k,i}^{(1)\prime \frac{1}{\tau }},D{}_{k,i}^{(2)\prime \frac{1}{\tau }})=(g_{k2}^{\frac{{\lambda }_{k,i}}{\tau }}F{(GID)}^{\frac{{\omega }_{k,i}}{\tau }}H{(x_i)}^{\frac{r_{k,i}}{\tau }},g^{\frac{r_{k,i}}{\tau }}).$$

If $\rho (i)={x_i}^{\prime }$ is negative, let

$${\widehat{D}}_{k,i}=({\widehat{D}}_{k,i}^{(3)},{\widehat{D}}_{k,i}^{(4)},{\widehat{D}}_{k,i}^{(5)})=(D{}_{k,i}^{(3)\prime \frac{1}{\tau }},D{}_{k,i}^{(4)\prime \frac{1}{\tau }},D{}_{k,i}^{(5)\prime \frac{1}{\tau }})=(g_{k2}^{\frac{{\lambda }_{k,i}}{\tau }}F{(GID)}^{\frac{{\omega }_{k,i}}{\tau }}{g}^{\frac{b_k^2{r}_{k,i}}{\tau }},g^{\frac{r_{k,i}{b}_k{x}_i}{\tau }}{h}^{\frac{r_{k,i}}{\tau }},g^{-\frac{r_{k,i}}{\tau }}).$$

Finally, the conversion key $TK={\left\{{\widehat{D}}_{k,i}\right\}}_{k\in \left[K\right],i\in \left[l\right]}$ and the retrieval key $RK=\tau$ are generated and outputted.

(6)

$\mathbf{Encrypt}\mathbf{.}\mathbf{off}(\mathit{GP},\mathit{P}{\mathit{K}}_{\mathit{k}})\to {\mathit{CT}}_{\mathit{off}}$. For $\forall x_i\in {\mathcal{A}}_u$, the DO computes $C_k^{(1)}={\displaystyle \prod _{k=1}^K}e{(g,g)}^{{\alpha }_k}$, $C_{k,i}^{(5)}=g^{b_k^2{x}_i}{h}^{b_k}$ and outputs $C{T}_{off}={\{C_k^{(1)},C_{k,i}^{(5)}\}}_{x_i\in {\mathcal{A}}_u}$.

(7)

$\mathbf{Encrypt}\mathbf{.}\mathbf{on}(\mathit{m},\mathit{C}{\mathit{T}}_{\mathit{off}},{\mathcal{A}}_{\mathit{u}})\to \mathit{CT}$. For $\forall x_i\in {\mathcal{A}}_u$, the DO randomly selects $s_i\leftarrow {\mathbb{Z}}_p$. Let $s={\displaystyle \sum _{x_i\in {\mathcal{A}}_u}}{s}_i$. The DO calculates $C^{(1)\prime }=m·{(C_k^{(1)})}^s=m·e{(g,g)}^{s({\displaystyle \sum _{k=1}^K}{\alpha }_k)}$, $C^{(2)\prime }=g^s$, $C{}_i^{(3)\prime }=H{(x_i)}^s$, $C{}_k^{(4)\prime }={\left\{g^{b_{k}s}\right\}}_{k\in \left[K\right]}$, $C{}_{k,i}^{(5)\prime }={(C_{k,i}^{(5)})}^s=g^{b_k^{2}s{x}_i}{h}^{b_{k}s}$ and outputs $CT=\{C^{(1)\prime },C^{(2)\prime },$ $C{}_i^{(3)\prime },C{}_k^{(4)\prime },C{}_{k,i}^{(5)\prime }\}$.

(8)

$\mathbf{Decrypt}\mathbf{.}\mathbf{out}(\mathit{TK},\mathit{CT})\to \mathit{TCT}$. Let the attribute set ${\mathcal{A}}_u={\mathcal{A}}_u^1,···,{\mathcal{A}}_u^K$. If ${\mathcal{A}}_u^k\notin {\tilde{\mathbb{A}}}_k$, we terminate the process and output ⊥. If ${\mathcal{A}}_u^k\in {\tilde{\mathbb{A}}}_k$, then ${{\mathcal{A}}_u^k}^{\prime }=N({\mathcal{A}}_u^k)\in {\mathbb{A}}_k$, where ${\tilde{\mathbb{A}}}_k$ is the corresponding non-monotonic access structure of ${\mathbb{A}}_k$. Let $I=\{i:\rho (i)\in {{\mathcal{A}}_u^k}^{\prime }\}$.

If $\rho (i)=x$, we have $Z_{k,i}=\frac{e({\widehat{D}}_{k,i}^{(1)},{C^{(2)}}^{\prime })}{e({\widehat{D}}_{k,i}^{(2)},C{{}_{k,i}^{(3)}}^{\prime })}=e{(g_{k2},g)}^{\frac{{\lambda }_{k,i}s}{\tau }}e{(F(GID),g)}^{\frac{{\omega }_{k,i}s}{\tau }}$.

If $\rho (i)=x^{\prime }$, we obtain

$Z_{k,i}=\frac{e({\widehat{D}}_{k,i}^{(3)},{C^{(2)}}^{\prime })}{e({\widehat{D}}_{k,i}^{(4)},{\displaystyle \prod _{x_j\in {\mathcal{A}}_u^k}}C{{{}_k^{(4)}}^{\prime }}^{\frac{1}{x_i-x_j}})·e({\widehat{D}}_{k,i}^{(5)},{\displaystyle \prod _{x_j\in {\mathcal{A}}_u^k}}C{{{}_{k,j}^{(5)}}^{\prime }}^{\frac{1}{x_i-x_j}})}$

= $\frac{e(g_{k2}^{\frac{{\lambda }_{k,i}}{\tau }}F{(GID)}^{\frac{{\omega }_{k,i}}{\tau }}{g}^{\frac{b_k^2{r}_{k,i}}{\tau }},g^s)}{e(g^{\frac{r_{k,i}{b}_k{x}_i}{\tau }}{h}^{\frac{r_{k,i}}{\tau }},{\displaystyle \prod _{x_j\in {\mathcal{A}}_u^k}}{(g^{b_{k}s})}^{\frac{1}{x_i-x_j}})·e(g^{-\frac{r_{k,i}}{\tau }},{\displaystyle \prod _{x_j\in {\mathcal{A}}_u^k}}{(g^{b_k^{2}s{x}_j}{h}^{b_{k}s})}^{\frac{1}{x_i-x_j}})}$

= $\frac{e{(g_{k2},g)}^{\frac{{\lambda }_{k,i}s}{\tau }}e{(F(GID),g)}^{\frac{{\omega }_{k,i}s}{\tau }}e{(g,g)}^{\frac{b_k^2{r}_{k,i}s}{\tau }}}{e(g^{\frac{r_{k,i}{b}_k{x}_i}{\tau }}{h}^{\frac{r_{k,i}}{\tau }},{\displaystyle \prod _{x_j\in {\mathcal{A}}_u^k}}{(g^{b_{k}s})}^{\frac{1}{x_i-x_j}})·e(g^{-\frac{r_{k,i}}{\tau }},{\displaystyle \prod _{x_j\in {\mathcal{A}}_u^k}}(g^{b_k^{2}s{x}_j·\frac{1}{x_i-x_j}}{h}^{b_{k}s·\frac{1}{x_i-x_j}}))}$

= $\frac{e{(g_{k2},g)}^{\frac{{\lambda }_{k,i}s}{\tau }}e{(F(GID),g)}^{\frac{{\omega }_{k,i}s}{\tau }}e{(g,g)}^{\frac{b_k^2{r}_{k,i}s}{\tau }}}{e(g^{\frac{r_{k,i}{b}_k{x}_i}{\tau }}{h}^{\frac{r_{k,i}}{\tau }},g^{b_{k}s·{\displaystyle \sum _{x_j\in {\mathcal{A}}_u^k}}\frac{1}{x_i-x_j}})·e(g^{-\frac{r_{k,i}}{\tau }},g^{b_k^{2}s·{\displaystyle \sum _{x_j\in {\mathcal{A}}_u^k}}\frac{x_j}{x_i-x_j}}{h}^{b_{k}s·{\displaystyle \sum _{x_j\in {\mathcal{A}}_u^k}}\frac{1}{x_i-x_j}})}$

= $\frac{e{(g_{k2},g)}^{\frac{{\lambda }_{k,i}s}{\tau }}e{(F(GID),g)}^{\frac{{\omega }_{k,i}s}{\tau }}e{(g,g)}^{\frac{b_k^2{r}_{k,i}s}{\tau }}}{e{(g,g)}^{\frac{r_{k,i}{b}_k^{2}s·{\displaystyle \sum _{x_j\in {\mathcal{A}}_u^k}}\frac{x_i}{x_i-x_j}}{\tau }}·e{(h,g)}^{\frac{r_{k,i}{b}_{k}s·{\displaystyle \sum _{x_j\in {\mathcal{A}}_u^k}}\frac{1}{x_i-x_j}}{\tau }}·e{(g,g)}^{\frac{r_{k,i}{b}_k^{2}s·{\displaystyle \sum _{x_j\in {\mathcal{A}}_u^k}}\frac{-x_j}{x_i-x_j}}{\tau }}·e{(g,h)}^{\frac{-r_{k,i}{b}_{k}s·{\displaystyle \sum _{x_j\in {\mathcal{A}}_u^k}}\frac{1}{x_i-x_j}}{\tau }}}$

= $\frac{e{(g_{k2},g)}^{\frac{{\lambda }_{k,i}s}{\tau }}e{(F(GID),g)}^{\frac{{\omega }_{k,i}s}{\tau }}e{(g,g)}^{\frac{b_k^2{r}_{k,i}s}{\tau }}}{e{(g,g)}^{\frac{r_{k,i}{b}_k^{2}s·{\displaystyle \sum _{x_j\in {\mathcal{A}}_u^k}}\frac{x_i}{x_i-x_j}}{\tau }}·e{(g,g)}^{\frac{r_{k,i}{b}_k^{2}s·{\displaystyle \sum _{x_j\in {\mathcal{A}}_u^k}}\frac{-x_j}{x_i-x_j}}{\tau }}}$

= $\frac{e{(g_{k2},g)}^{\frac{{\lambda }_{k,i}s}{\tau }}e{(F(GID),g)}^{\frac{{\omega }_{k,i}s}{\tau }}e{(g,g)}^{\frac{b_k^2{r}_{k,i}s}{\tau }}}{e{(g,g)}^{\frac{r_{k,i}{b}_k^{2}s·{\displaystyle \sum _{x_j\in {\mathcal{A}}_u^k}}\frac{x_i-x_j}{x_i-x_j}}{\tau }}}$

= $\frac{e{(g_{k2},g)}^{\frac{{\lambda }_{k,i}s}{\tau }}e{(F(GID),g)}^{\frac{{\omega }_{k,i}s}{\tau }}e{(g,g)}^{\frac{b_k^2{r}_{k,i}s}{\tau }}}{e{(g,g)}^{\frac{r_{k,i}{b}_k^{2}s}{\tau }}}$

= $e{(g_{k2},g)}^{\frac{{\lambda }_{k,i}s}{\tau }}e{(F(GID),g)}^{\frac{{\omega }_{k,i}s}{\tau }}$.

Since ${{\mathcal{A}}_u^k}^{\prime }=N({\mathcal{A}}_u^k)\in {\mathbb{A}}_k$, the decryptor can choose constants $c_i$ such that ${\sum }_i{c}_i{M}_i=(1,0,···,0)$. Computing $Z_k={\displaystyle \prod _{x_i\in {\mathcal{A}}_u^k}}{Z_{k,i}}^{c_i}=e{(g^{{\alpha }_{k2}},g)}^{\frac{{\alpha }_{k1}·s}{\tau }}=e{(g,g)}^{\frac{{\alpha }_k·s}{\tau }}$, we obtain $Z={\displaystyle \prod _{k=1}^K}{Z}_k={\displaystyle \prod _{k=1}^K}e{(g,g)}^{\frac{{\alpha }_k·s}{\tau }}=e{(g,g)}^{\frac{s}{\tau }·{\displaystyle \sum _{k=1}^K}{\alpha }_k}$, output $TCT=\{Z,{C^{(1)}}^{\prime }\}$.

(9)

$\mathbf{Decrypt}\mathbf{.}\mathbf{user}(\mathit{RK},\mathit{TCT})$. By $\frac{{C^{(1)}}^{\prime }}{Z^{\tau }}=\frac{m·e{(g,g)}^{s·({\displaystyle \sum _{k=1}^K}{\alpha }_k)}}{{(e{(g,g)}^{\frac{s}{\tau }·({\displaystyle \sum _{k=1}^K}{\alpha }_k)})}^{\tau }}$, we can obtain the plaintext m.

Theorem 1.

If the KP-ABE scheme of [28] is selective CPA-secure, then the OO-MA-KP-ABE scheme is also selective CPA-secure.

Proof. 

The MA-KP-ABE scheme is constructed based on the KP-ABE scheme of [28]. We adopt the multi-authority technique of [29] and introduce user identity $GID$ in the construction of the MA-KP-ABE scheme. Compared with [28], our MA-KP-ABE scheme generates the same public parameters and ciphertext as [28] during the Setup and Encrypt steps, and the Decrypt step is also the same as [28]. However, the decryption key generated in the KeyGen step is slightly different from [28]. The $D{}_{k,i}^{(1)\prime }=g_{k2}^{{\lambda }_{k,i}}H{(x_i)}^{r_{k,i}}F{(GID)}^{{\omega }_{k,i}}$, $D{}_{k,i}^{(3)\prime }=g_{k2}^{{\lambda }_{k,i}}{g}^{b_k^2{r}_{k,i}}F{(GID)}^{{\omega }_{k,i}}$, which has more $F{\left(GID\right)}^{{\omega }_{k,i}}$ than the decryption key in [28]. Here, ${\omega }_{k,i}$ represents linear secret sharing for 0, and 0 is publicly known, so there is no unknown quantity about $F{\left(GID\right)}^{{\omega }_{k,i}}$ for the challenger. Therefore, the challenger can construct a semi-functional key similar to the structure in the security proof of [28]. Therefore, the MA-KP-ABE scheme is secure. Furthermore, we utilize the key blinding technique of [30], and the proof follows a similar approach as presented in [30]. Therefore, it is easy to see that the theorem holds. □

5.2. Construction of OO-MA-KP-ABE-CRF

The system initially runs algorithm $Global.\mathrm{Setup}(\lambda )\to GP$. Firstly, $GP$ is sent to ${\mathcal{W}}_{\mathrm{GA}}$. After running the following algorithm, ${\mathcal{W}}_{\mathrm{GA}}$ sends the updated $G{P}^{\prime }$ to the other participants.

①

${\mathcal{W}}_{\mathrm{GA}}.Global.\mathrm{Setup}(GP)\to G{P}^{\prime }.$ After receiving $GP$ from GA, the ${\mathcal{W}}_{\mathrm{GA}}$ selects random $a,c\leftarrow {\mathbb{Z}}_p$, computes $g^{\prime }=g^a$, $h^{\prime }=h^c$, and outputs the updated global parameters $G{P}^{\prime }=\{g^{\prime },h^{\prime },H(·),F(·)\}$.

After receiving $G{P}^{\prime }$, the attribute authority ${\mathrm{AA}}_k$ runs algorithm $\mathrm{AA}.\mathrm{Setup}(G{P}^{\prime })\to (P{K}_k,S{K}_k)$, and sends the $(P{K}_k,S{K}_k)$ to ${\mathcal{W}}_{\mathrm{AA}}$. ${\mathcal{W}}_{\mathrm{AA}}$ performs the following operations.

②

${\mathcal{W}}_{\mathrm{AA}}.\mathrm{Setup}(G{P}^{\prime },P{K}_k,S{K}_k)\to (P{K_k}^{\prime },S{K_k}^{\prime }).$${\mathcal{W}}_{\mathrm{AA}}$ randomly selects ${{\widehat{\alpha }}_{k1}}^{\prime },{{\widehat{\alpha }}_{k2}}^{\prime },{\widehat{b}}_k\leftarrow {\mathbb{Z}}_p$, and sets ${{\alpha }_{k1}}^{\prime }={\alpha }_{k1}+{{\widehat{\alpha }}_{k1}}^{\prime }$, ${{\alpha }_{k2}}^{\prime }={\alpha }_{k2}+{{\widehat{\alpha }}_{k2}}^{\prime }$, ${{\alpha }_k}^{\prime }={{\alpha }_{k1}}^{\prime }·{{\alpha }_{k2}}^{\prime }$, and ${b_k}^{\prime }=b_k+{\widehat{b}}_k$. Then, we calculate ${g_{k1}}^{\prime }=g^{\prime {{\alpha }_{k1}}^{\prime }}$, ${g_{k2}}^{\prime }=g^{\prime {{\alpha }_{k2}}^{\prime }}$, and $e{(g^{\prime },g^{\prime })}^{{{\alpha }_k}^{\prime }}$. Finally, the updated $P{K_k}^{\prime }=\{{g_{k1}}^{\prime },{g_{k2}}^{\prime },g^{\prime {b_k}^{\prime }},g^{\prime b_k{{}^{\prime }}^2},h^{\prime {b_k}^{\prime }},e{(g^{\prime },g^{\prime })}^{{{\alpha }_k}^{\prime }}\}$ and $S{K_k}^{\prime }=\{{{\alpha }_{k1}}^{\prime },{{\alpha }_{k2}}^{\prime },{b_k}^{\prime }\}$ are outputted.

When receiving the updated $P{K_k}^{\prime }$ and $S{K_k}^{\prime }$, ${\mathrm{AA}}_k$ runs $\mathrm{KeyGen}.\mathrm{off}(G{P}^{\prime },P{K}_k^{\prime },{\mathcal{A}}_C^k)\to D_{k.off}$ and $\mathrm{KeyGen}.\mathrm{on}(G{P}^{\prime },D_{k,off},S{K_k}^{\prime },\tilde{\mathbb{A}})\to D_{GID,k}$. Before sending $D_{GID,k}$ to user $GID$, it is sent to ${\mathcal{W}}_{\mathrm{AA}}$. The following operations are performed.

③

${\mathcal{W}}_{\mathrm{AA}}.\mathrm{KeyGen}.\mathrm{off}(G{P}^{\prime },P{K}_k^{\prime },{\mathcal{A}}_C^k)\to D_{k.off}^{\prime }$. For $\forall x_i\in {\mathcal{A}}_c^k$, ${\mathcal{W}}_{\mathrm{AA}}$ randomly selects ${\widehat{r}}_{k,i}\leftarrow {\mathbb{Z}}_p$, computes ${\widehat{D}}_{k,i}^{(1)}=H{(x_i)}^{{\widehat{r}}_{k,i}}$, ${\widehat{D}}_{k,i}^{(2)}=g^{\prime {\widehat{r}}_{k,i}}$, ${\widehat{D}}_{k,i}^{(3)}=g^{\prime b_k{{}^{\prime }}^2{\widehat{r}}_{k,i}}$, ${\widehat{D}}_{k,i}^{(4)}=g^{\prime {\widehat{r}}_{k,i}{b_k}^{\prime }{x}_i}{h}^{\prime {\widehat{r}}_{k,i}}$, and ${\widehat{D}}_{k,i}^{(5)}=g^{\prime -{\widehat{r}}_{k,i}}$, and outputs ${D^{\prime }}_{k,off}=({\widehat{D}}_{k,i}^{(1)},{\widehat{D}}_{k,i}^{(2)},{\widehat{D}}_{k,i}^{(3)},{\widehat{D}}_{k,i}^{(4)},{\widehat{D}}_{k,i}^{(5)})$.

④

${\mathcal{W}}_{\mathrm{AA}}.\mathrm{KeyGen}.\mathrm{on}(G{P}^{\prime },D_{k.off}^{\prime },D_{GID,k})\to D_{GID,k}^{\prime }$. ${\mathcal{W}}_{\mathrm{AA}}$ sets ${r_{k,i}}^{\prime }=r_{k,i}+{\widehat{r}}_{k,i}$, computes $\widehat{D}{}_{k,i}^{(1)\prime }=D{}_{k,i}^{(1)\prime }·{\widehat{D}}_{k,i}^{(1)}=g_{k2}{}^{\prime {\lambda }_{k,i}}F{(GID)}^{{\omega }_{k,i}}H{(x_i)}^{{r_{k,i}}^{\prime }}$, $\widehat{D}{}_{k,i}^{(2)\prime }=D{}_{k,i}^{(2)\prime }·{\widehat{D}}_{k,i}^{(2)}=g^{\prime {r_{k,i}}^{\prime }}$, $\widehat{D}{}_{k,i}^{(3)\prime }=D{}_{k,i}^{(3)\prime }·{\widehat{D}}_{k,i}^{(3)}=g_{k2}{}^{\prime {\lambda }_{k,i}}F{(GID)}^{{\omega }_{k,i}}{g}^{\prime b_k{{}^{\prime }}^2{r_{k,i}}^{\prime }}$, $\widehat{D}{}_{k,i}^{(4)\prime }=D{}_{k,i}^{(4)\prime }·{\widehat{D}}_{k,i}^{(4)}=g^{{r_{k,i}}^{\prime }{b_k}^{\prime }{x}_i}{h}^{{r_{k,i}}^{\prime }}$, $\widehat{D}{}_{k,i}^{(5)\prime }=g^{\prime -{r_{k,i}}^{\prime }}$. If $\rho (i)=x_i$ is non-negative, output $D_{GID.k}^{\prime }=(\widehat{D}{}_{k,i}^{(1)\prime },\widehat{D}{}_{k,i}^{(2)\prime })$. If $\rho (i)=x_i$ is negative, output $D_{GID.k}^{\prime }=(\widehat{D}{}_{k,i}^{(3)\prime },\widehat{D}{}_{k,i}^{(4)\prime },\widehat{D}{}_{k,i}^{(5)\prime })$.

${\mathcal{W}}_{\mathrm{AA}}$ sends $D_{GID,k}^{\prime }$ to the users (DO and DU). DO generates ciphertext, $CT$, by running $\mathrm{Encrypt}.\mathrm{off}(G{P}^{\prime },P{K_k}^{\prime })\to C{T}_{off}$ and $\mathrm{Encrypt}.\mathrm{on}(m,C{T}_{off},{\mathcal{A}}_u)\to CT$ and sends $CT$ to ${\mathcal{W}}_{\mathrm{DO}}$. The following operations are performed.

⑤

${\mathcal{W}}_{\mathrm{DO}}.\mathrm{Encrypt}.\mathrm{off}(G{P}^{\prime },P{K_k}^{\prime })\to IT.$ For $\forall x_i\in {\mathcal{A}}_u$, the ${\mathcal{W}}_{\mathrm{DO}}$ computes

${\widehat{C}}_k^{(1)}={\displaystyle \sum _{k=1}^K}e{(g,g)}^{{\alpha }_k^{\prime }},{\widehat{C}}_{k,i}^{(5)}={\left\{g^{{b_k^{\prime }}^2{x}_i}{h}^{b_k^{\prime }}\right\}}_{k\in \left[K\right]}$ and outputs $\widehat{C}{T}_{off}={\left\{({\widehat{C}}_k^{(1)},{\widehat{C}}_{k,i}^{(5)})\right\}}_{x_i\in {\mathcal{A}}_u}$.

⑥

${\mathcal{W}}_{\mathrm{DO}}.\mathrm{Encrypt}.\mathrm{on}(CT,IT)\to C{T}^{\prime }.$ For $\forall x_i\in {\mathcal{A}}_u$, the ${\mathcal{W}}_{\mathrm{DO}}$ selects random ${\widehat{s}}_i\leftarrow {\mathbb{Z}}_p$. ${\mathcal{W}}_{\mathrm{DO}}$ sets $\widehat{s}={\displaystyle \sum _{x_i\in {\mathcal{A}}_u}}{\widehat{s}}_i$ and $s^{\prime }=s+\widehat{s}$, computes ${\widehat{C}}^{(1)\prime }={({C^{(1)}}^{\prime }{\widehat{C}}_{k,i}^{(1)})}^{s^{\prime }}=m·e{(g^{\prime },g^{\prime })}^{s^{\prime }·({\displaystyle \sum _{k=1}^K}{{\alpha }_k}^{\prime })}$, ${\widehat{C}}^{(2)\prime }={g^{\prime }}^{s^{\prime }}$, $\widehat{C}{}_i^{(3)}\prime =H{(x_i)}^{s^{\prime }}$, $\widehat{C}{{}_k^{(4)}}^{\prime }={g^{\prime }}^{{b_k}^{\prime }{s}^{\prime }}$, $\widehat{C}{}_{k,i}^{(5)\prime }=C{{}_{k,i}^{(5)}}^{\prime }·{({\widehat{C}}_{k,i}^{(5)})}^{\widehat{s}}={g^{\prime }}^{b_k{{}^{\prime }}^2{s}^{\prime }{x}_i}{h^{\prime }}^{{b_k}^{\prime }{s}^{\prime }}$, and outputs $C{T}^{\prime }=({\widehat{C}}^{(1)\prime },{\widehat{C}}^{(2)\prime },\widehat{C}{}_i^{(3)\prime },\widehat{C}{}_k^{(4)\prime },\widehat{C}{}_{k,i}^{(5)\prime }).$

DU runs $\mathrm{KeyGen}.\mathrm{ran}(D_{GID}^{\prime })\to (TK,RK)$, and sends $TK$ to ${\mathcal{W}}_{\mathrm{DU}}$. ${\mathcal{W}}_{\mathrm{DU}}$ performs the following operations:

⑦

${\mathcal{W}}_{\mathrm{DU}}.\mathrm{TKUpdate}(TK)\to T{K}^{\prime }.$${\mathcal{W}}_{\mathrm{DU}}$ randomly selects $\delta \leftarrow {\mathbb{Z}}_p$, computes ${\tilde{D}}_{k,i}^{(1)}=\widehat{D}{}_{k,i}^{(1)\frac{1}{\delta }}=g_{k2}{}^{\prime \frac{{\lambda }_{k,i}}{\tau \delta }}·F{(GID)}^{\frac{{\omega }_{k,i}}{\tau \delta }}·H{(x_i)}^{\frac{{r_{k,i}}^{\prime }}{\tau \delta }}$, ${\tilde{D}}_{k,i}^{(2)}=\widehat{D}{}_{k,i}^{(2)\frac{1}{\delta }}=g^{\prime \frac{{r_{k,i}}^{\prime }}{\tau \delta }}$, ${\tilde{D}}_{k,i}^{(3)}=\widehat{D}{}_{k,i}^{(3)\frac{1}{\delta }}=g_{k2}{}^{\prime \frac{{\lambda }_{k,i}}{\tau \delta }}·F{(GID)}^{\frac{{\omega }_{k,i}}{\tau \delta }}·g^{\prime \frac{b_k{{}^{\prime }}^2{r_{k,i}}^{\prime }}{\tau \delta }}$, ${\tilde{D}}_{k,i}^{(4)}=\widehat{D}{}_{k,i}^{(4)\frac{1}{\delta }}=g^{\prime \frac{{r_{k,i}}^{\prime }{b_k}^{\prime }{x}_i}{\tau \delta }}{h}^{\prime \frac{{r_{k,i}}^{\prime }}{\tau \delta }}$, ${\tilde{D}}_{k,i}^{(5)}=\widehat{D}{}_{k,i}^{(5)\frac{1}{\delta }}=g^{\prime -\frac{{r_{k,i}}^{\prime }}{\tau \delta }}$, and outputs the updated conversion key $T{K}^{\prime }=\{{\tilde{D}}_{k,i}^{(1)},{\tilde{D}}_{k,i}^{(2)},{\tilde{D}}_{k,i}^{(3)},{\tilde{D}}_{k,i}^{(4)},{\tilde{D}}_{k,i}^{(5)}\}$. $T{K}^{\prime }$ is then sent to the CSP, while $\delta$ is retained.

The CSP executes algorithm $\mathrm{Decrypt}.\mathrm{out}(T{K}^{\prime },C{T}^{\prime })\to TCT$ and sends $TCT$ to ${\mathcal{W}}_{\mathrm{DU}}$. ${\mathcal{W}}_{\mathrm{DU}}$ performs the following operations.

⑧

${\mathcal{W}}_{\mathrm{DU}}.\mathrm{Decrypt}(TCT,\delta )\to TC{T}^{\prime }.$${\mathcal{W}}_{\mathrm{DU}}$ computes $Z^{\prime }=Z^{\delta }=e{(g^{\prime },g^{\prime })}^{\frac{s^{\prime }}{\tau }{\displaystyle \sum _{k=1}^K}{{\alpha }_k}^{\prime }}$ and outputs $TC{T}^{\prime }=(Z^{\prime },{\widehat{C}}^{(1)\prime })$.

Upon receiving $TC{T}^{\prime }$, DU executes algorithm $\mathrm{Decrypt}.\mathrm{user}$ to obtain m.

5.3. Security Analysis

Theorem 2.

The proposed OO-MA-KP-ABE-CRF is selective-set CPA-secure and contains reverse firewalls for GA, AAs, DO and DU, which maintains functionality, weakly preserves security, and weakly resists exfiltration if the basic structure of OO-MA-KP-ABE in Section 5.1 is selective-set CPA-secure.

Proof. 

We prove the security through the following parts.

Functionality maintenance. Let the attribute set ${\mathcal{A}}_u={\mathcal{A}}_u^1,···,{\mathcal{A}}_u^K$. If ${\mathcal{A}}_u^k\notin {\tilde{\mathbb{A}}}_k$, terminate the process and output ⊥. If ${\mathcal{A}}_u^k\in {\tilde{\mathbb{A}}}_k$, then ${{\mathcal{A}}_u^k}^{\prime }=N({\mathcal{A}}_u^k)\in {\mathbb{A}}_k$, where ${\tilde{\mathbb{A}}}_k$ is the corresponding non-monotonic access structure of ${\mathbb{A}}_k$. Let $I=\{i:\rho (i)\in {{\mathcal{A}}_u^k}^{\prime }\}$. Algorithm ${\mathcal{W}}_{\mathrm{DU}}.\mathrm{TKUpdate}(TK)\to T{K}^{\prime }$ is executed to decrypt $C{T}^{\prime }$.

If $\rho (i)=x$, calculate ${Z_{k,i}}^{\prime }=\frac{e({\tilde{D}}_{k,i}^{(1)},{\widehat{C}}^{(2)\prime })}{e({\tilde{D}}_{k,i}^{(2)},\widehat{C}{}_i^{(3)\prime })}=\frac{e(g_{k2}{{}^{\prime }}^{\frac{{\lambda }_{k,i}}{\tau \sigma }}F{(GID)}^{\frac{{\omega }_{k,i}}{\tau \sigma }}H{(x_i)}^{\frac{{r_{k,i}}^{\prime }}{\tau \sigma }},{g^{\prime }}^{s^{\prime }})}{e({g^{\prime }}^{\frac{{r_{{}_{k,i}}}^{\prime }}{\tau \sigma }},H{(x_i)}^{s^{\prime }})}$

$=\frac{e{({g_{k2}}^{\prime },g^{\prime })}^{\frac{s^{\prime }·{\lambda }_{k,i}}{\tau \sigma }}·e{(F(GID),g^{\prime })}^{\frac{s^{\prime }·{\omega }_{k,i}}{\tau \sigma }}·e{(H(x_i),g^{\prime })}^{\frac{s^{\prime }·{r_{k,i}}^{\prime }}{\tau \sigma }}}{e{(g^{\prime },H(x_i))}^{\frac{s^{\prime }·{r_{k,i}}^{\prime }}{\tau \sigma }}}=e{({g_{k2}}^{\prime },g^{\prime })}^{\frac{s^{\prime }·{\lambda }_{k,i}}{\tau \sigma }}·e{(F(GID),g^{\prime })}^{\frac{s^{\prime }·{\omega }_{k,i}}{\tau \sigma }}$.

If $\rho (i)=x^{\prime }$, then we can get

${Z_{k,i}}^{\prime }=\frac{e({\tilde{D}}_{k,i}^{(3)},{\widehat{C}}^{(2)\prime })}{e({\tilde{D}}_{k,i}^{(4)},{\displaystyle \prod _{x_j\in {\mathcal{A}}_u^k}}\widehat{C}{{{}_k^{(4)}}^{\prime }}^{\frac{1}{x_i-x_j}})·e({\tilde{D}}_{k,i}^{(5)},{\displaystyle \prod _{x_j\in {\mathcal{A}}_u^k}}\widehat{C}{{{}_{k,j}^{(5)}}^{\prime }}^{\frac{1}{x_i-x_j}})}$

=$\frac{e(g_{k2}{{}^{\prime }}^{\frac{{\lambda }_{k,i}}{\tau \delta }}F{(GID)}^{\frac{{\omega }_{k,i}}{\tau \delta }}{g^{\prime }}^{\frac{b_k{{}^{\prime }}^2{r_{k,i}}^{\prime }}{\tau \delta }},{g^{\prime }}^{s^{\prime }})}{e({g^{\prime }}^{\frac{{r_{k,i}}^{\prime }{b_k}^{\prime }{x}_i}{\tau \sigma }}{h^{\prime }}^{\frac{{r_{k,i}}^{\prime }}{\tau \sigma }},{\displaystyle \prod _{x_j\in {\mathcal{A}}_u^k}}{({g^{\prime }}^{{b_k}^{\prime }{s}^{\prime }})}^{\frac{1}{x_i-x_j}})·e({g^{\prime }}^{-\frac{{r_{k,i}}^{\prime }}{\tau \sigma }},{\displaystyle \prod _{x_j\in {\mathcal{A}}_u^k}}{({g^{\prime }}^{b_k{{}^{\prime }}^2{s}^{\prime }{x}_j}{h^{\prime }}^{{b_k}^{\prime }{s}^{\prime }})}^{\frac{1}{x_i-x_j}})}$

=$\frac{e{({g_{k2}}^{\prime },g^{\prime })}^{\frac{s^{\prime }·{\lambda }_{k,i}}{\tau \sigma }}·e{(F(GID),g^{\prime })}^{\frac{s^{\prime }·{\omega }_{k,i}}{\tau \sigma }}·e{(g^{\prime },g^{\prime })}^{\frac{s^{\prime }·b_k{{}^{\prime }}^2{r_{k,i}}^{\prime }}{\tau \sigma }}}{e({g^{\prime }}^{\frac{{r_{k,i}}^{\prime }{b_k}^{\prime }{x}_i}{\tau \sigma }}{h^{\prime }}^{\frac{{r_{k,i}}^{\prime }}{\tau \sigma }},{({g^{\prime }}^{{b_k}^{\prime }{s}^{\prime }})}^{{\displaystyle \sum _{x_j\in {\mathcal{A}}_u^k}}\frac{1}{x_i-x_j}})·e({g^{\prime }}^{-\frac{{r_{k,i}}^{\prime }}{\tau \sigma }},{\displaystyle \prod _{x_j\in {\mathcal{A}}_u^k}}{({g^{\prime }}^{b_k{{}^{\prime }}^2{s}^{\prime }{x}_j})}^{\frac{1}{x_i-x_j}}·{\displaystyle \prod _{x_j\in {\mathcal{A}}_u^k}}{({h^{\prime }}^{{b_k}^{\prime }{s}^{\prime }})}^{\frac{1}{x_i-x_j}})}$

=$\frac{e{({g_{k2}}^{\prime },g^{\prime })}^{\frac{s^{\prime }·{\lambda }_{k,i}}{\tau \sigma }}·e{(F(GID),g^{\prime })}^{\frac{s^{\prime }·{\omega }_{k,i}}{\tau \sigma }}·e{(g^{\prime },g^{\prime })}^{\frac{s^{\prime }·b_k{{}^{\prime }}^2{r_{k,i}}^{\prime }}{\tau \sigma }}}{e({g^{\prime }}^{\frac{{r_{k,i}}^{\prime }{b_k}^{\prime }{x}_i}{\tau \sigma }}{h^{\prime }}^{\frac{{r_{k,i}}^{\prime }}{\tau \sigma }},{g^{\prime }}^{{b_k}^{\prime }{s}^{\prime }·{\displaystyle \sum _{x_j\in {\mathcal{A}}_u^k}}\frac{1}{x_i-x_j}})·e({g^{\prime }}^{-\frac{{r_{k,i}}^{\prime }}{\tau \sigma }},{g^{\prime }}^{b_k{{}^{\prime }}^2{s}^{\prime }·{\displaystyle \sum _{x_j\in {\mathcal{A}}_u^k}}\frac{x_j}{x_i-x_j}}·{h^{\prime }}^{{b_k}^{\prime }{s}^{\prime }·{\displaystyle \sum _{x_j\in {\mathcal{A}}_u^k}}\frac{1}{x_i-x_j}})}$

=$\frac{e{({g_{k2}}^{\prime },g^{\prime })}^{\frac{s^{\prime }·{\lambda }_{k,i}}{\tau \sigma }}·e{(F(GID),g^{\prime })}^{\frac{s^{\prime }·{\omega }_{k,i}}{\tau \sigma }}·e{(g^{\prime },g^{\prime })}^{\frac{s^{\prime }·b_k{{}^{\prime }}^2{r_{k,i}}^{\prime }}{\tau \sigma }}}{e{(g^{\prime },g^{\prime })}^{\frac{{r_{k,i}}^{\prime }{b}_k{{}^{\prime }}^2{s}^{\prime }}{\tau \sigma }·{\displaystyle \sum _{x_j\in {\mathcal{A}}_u^k}}\frac{x_i-x_j}{x_i-x_j}}}$

= $e{({g_{k2}}^{\prime },g^{\prime })}^{\frac{s^{\prime }·{\lambda }_{k,i}}{\tau \sigma }}·e{(F(GID),g^{\prime })}^{\frac{s^{\prime }·{\omega }_{k,i}}{\tau \sigma }}$

Since ${{\mathcal{A}}_u^k}^{\prime }=N({\mathcal{A}}_u^k)\in {\mathbb{A}}_k$, the decryptor can choose constants $c_i$ such that ${\sum }_i{c}_i{M}_i=(1,0,···,0)$. then ${Z_k}^{\prime }={\displaystyle \prod _{x_i\in {\mathcal{A}}_u^k}}{Z_{k,i}^{\prime }}^{c_i}=e{(g^{\prime },g^{\prime })}^{\frac{s^{\prime }·{{\alpha }_{k1}}^{\prime }·{{\alpha }_{k2}}^{\prime }}{\tau \sigma }}=e{(g^{\prime },g^{\prime })}^{\frac{s^{\prime }·{{\alpha }_k}^{\prime }}{\tau \sigma }}$ and $Z^{\prime }={\displaystyle \prod _{k=1}^K}{Z_k}^{\prime }=e{(g^{\prime },g^{\prime })}^{\frac{s^{\prime }}{\tau \sigma }·{\displaystyle \sum _{k=1}^K}{{\alpha }_k}^{\prime }}$. Finally, we can execute $\frac{{\widehat{C}}^{(1)}\prime }{{({(Z^{\prime })}^{\sigma })}^{\tau }}=\frac{m·e{(g^{\prime },g^{\prime })}^{s^{\prime }·{\displaystyle \sum _{k=1}^K}{{\alpha }_k}^{\prime }}}{{({(e{(g^{\prime },g^{\prime })}^{\frac{s^{\prime }}{\tau \sigma }·{\displaystyle \sum _{k=1}^K}{{\alpha }_k}^{\prime }})}^{\sigma })}^{\tau }}=m$ to successfully recover the plaintext.

Selectibe-set CPA-secure. We show through game hopping that the security game of OO-MA-KP-ABE-CRF is indistinguishable from that of OO-MA-KP-ABE. Based on the security of OO-MA-KP-ABE in Section 5.1, we find the selective-set CPA security of the proposed OO-MA-KP-ABE-CRF scheme.

Game 0. The security game is the same as the security game of OO-MA-KP-ABE-CRF presented in Section 4.3.

Game 1. The only difference from Game 0 is that $GP$, $SK$, and $PK$ are generated by the setup, independent of $Global.{\mathrm{Setup}}^{*}$, ${\mathcal{W}}_{\mathrm{GA}}.Global.\mathrm{Setup}$, $\mathrm{AA}.{\mathrm{Setup}}^{*}$, and ${\mathcal{W}}_{\mathrm{AA}}.\mathrm{Setup}$.

Game 2. The only difference from Game 1 is that in Phase 1 and Phase 2, the decryption key $D_{GID}$ is generated by $\mathrm{KeyGen}.\mathrm{off}$ and $\mathrm{KeyGen}.\mathrm{on}$, independent of algorithms $\mathrm{KeyGen}.{\mathrm{off}}^{*}$, $\mathrm{KeyGen}.\mathrm{o}{\mathrm{n}}^{*}$, ${\mathcal{W}}_{\mathrm{AA}}.\mathrm{KeyGen}.\mathrm{off}$, and ${\mathcal{W}}_{\mathrm{AA}}.\mathrm{KeyGen}.\mathrm{on}$. Additionally, the conversion key $TK$ is generated by $\mathrm{KeyGen}.\mathrm{ran}$, independent of $\mathrm{KeyGen}.{\mathrm{ran}}^{*}$ and ${\mathcal{W}}_{\mathrm{DU}}.\mathrm{TKUpdate}$.

Game 3. Apart from the challenge phase, the rest is the same as Game 2. The challenge ciphertext $C{T}_b$ is generated by $\mathrm{Encrypt}.\mathrm{off}$ and $\mathrm{Encrypt}.\mathrm{on}$, independent of $\mathrm{Encrypt}.{\mathrm{off}}^{*}$, $\mathrm{Encrypt}.\mathrm{o}{\mathrm{n}}^{*}$, ${\mathcal{W}}_{\mathrm{DO}}.\mathrm{Encrypt}.\mathrm{off}$, and ${\mathcal{W}}_{\mathrm{DO}}.\mathrm{Encrypt}.\mathrm{on}$. Note that Game 3 is the same as the security game of OO-MA-KP-ABE.

For any tampered $Global.{\mathrm{Setup}}^{*}$, because of $a,c\leftarrow {\mathbb{Z}}_p$, it can be known from key malleability that the $G{P}^{\prime }$ generated by ${\mathcal{W}}_{\mathrm{GA}}.Global.\mathrm{Setup}$ has the same uniform random distribution as the $GP$ generated by $Global.\mathrm{Setup}$ in the basic construction. Similarly, due to ${\widehat{\alpha }}_{k1},{\widehat{\alpha }}_{k2},{\widehat{b}}_k\leftarrow {\mathbb{Z}}_p$, for any tampered $\mathrm{AA}.{\mathrm{Setup}}^{*}$, the $(P{K_k}^{\prime },S{K_k}^{\prime })$ generated by ${\mathcal{W}}_{\mathrm{AA}}.\mathrm{Setup}$ has the same uniform random distribution as $(P{K}_k,SK{}_k)$ generated by $\mathrm{AA}.\mathrm{Setup}$. So, we claim that Game 0 and Game 1 cannot be distinguished. Because ${\widehat{r}}_{ki}\leftarrow {\mathbb{Z}}_p$, the LSSS is re-randomizable and $D_{GID}$ and $TK$ have key malleability, and Game 1 and Game 2 cannot be distinguished. For any tampered $\mathrm{Encrypt}.{\mathrm{off}}^{*}$ and $\mathrm{Encrypt}.\mathrm{o}{\mathrm{n}}^{*}$, because of ${\widehat{s}}_{k,i}\leftarrow {\mathbb{Z}}_p$, it can be known that the ciphertext generated by ${\mathcal{W}}_{\mathrm{DO}}.\mathrm{Encrypt}.\mathrm{off}$ and ${\mathcal{W}}_{\mathrm{DO}}.\mathrm{Encrypt}.\mathrm{on}$ is uniformly random, which is consistent with the distribution of ciphertext generated by the basic scheme. Therefore, based on the fact that Game 2 and Game 3 cannot be distinguished, we can find that Game 0 and Game 3 cannot be distinguished. Furthermore, since the basic scheme is selective-set CPA-secure, it follows that the proposed OO-MA-KP-ABE-CRF is selective-set CPA-secure.

Weak security preservation and weak exfiltration resistance. The selective-set CPA security of the OO-MA-KP-ABE-CRF scheme indicates that CRFs for GA, AA, DO, and DU maintain weak security preservation. Additionally, the indistinguishability between Game 0 and Game 3 suggests that ${\mathcal{W}}_{\mathrm{GA}}$, ${\mathcal{W}}_{\mathrm{AA}}$, ${\mathcal{W}}_{\mathrm{DO}}$ and ${\mathcal{W}}_{\mathrm{DU}}$ can weakly resist data exfiltration attacks.

With this discussion, we have successfully completed the proof of the scheme. □

6. Performance Evaluations

This section compares the proposed OO-MA-KP-ABE-CRF scheme with other ABE schemes from the perspectives of property comparison and performance analysis.

6.1. Property Comparison

We chose KP-ABE schemes [16,21,26] to compare their properties with the proposed schemes, as shown in

Table 1. Comparison of properties.

Schemes	Multi-Authority	Online/Offline Key Generation	Online/Offline Encryption	CRF	Computation Outsourcing
[16]	✓	×	×	✓	×
[21]	×	×	×	×	✓
[26]	×	×	×	×	×
Proposed	✓	✓	✓	✓	✓

. Although both the scheme presented in [16] and our proposed scheme are multi-authority, there is no central attribute authority to coordinate key distribution between attribute authorities in our scheme, which greatly reduces the time and cost associated with the setup phase. On the other hand, considering Edward Snowden’s disclosure of backdoor attacks in known security schemes, the scheme presented in [16] and our proposed scheme adopt CRF to resist such attacks. To reduce the high computational overhead caused by the combination of MA-ABE and CRF, Refs. [16,21] and our scheme adopt online/offline technology to improve the efficiency of the scheme. However, only our scheme considers both MA-ABE, online/offline technology and CRF.

6.2. Performance Analysis

We compare [16,21,26], and our proposed scheme in terms of computational and storage costs. The comparison of the computational cost of system setup, user key generation, user encryption, and user decryption is shown in

Table 2. Comparison of computational costs.

Schemes	System Setup	Online User Key Generation	Online User Encryption	Online User Decryption
[16]	$1\mathrm{P}+(2U+14)\mathrm{E}+U\mathrm{M}$	$5l\mathrm{E}+2l\mathrm{M}$	$(5S+2)\mathrm{E}+S\mathrm{M}$	$4\mathrm{P}+3I\mathrm{E}+(2K+3I-2)\mathrm{M}$
[21]	$5\mathrm{E}$	$7l\mathrm{E}+2l\mathrm{M}$	$1\mathrm{P}+(S+4)\mathrm{E}+2\mathrm{M}$	$1\mathrm{E}+1\mathrm{M}$
[26]	$1\mathrm{P}+(U+1)\mathrm{E}$	$(l+1)\mathrm{E}$	$1\mathrm{P}+(S+3)\mathrm{E}+S\mathrm{M}$	$3\mathrm{P}+I\mathrm{E}+2I\mathrm{M}$
Proposed	$K\mathrm{P}+(12K+2)\mathrm{E}$	$2l\mathrm{E}+2l\mathrm{M}$	$(KS+K+S+2)\mathrm{E}$	$1\mathrm{E}+1\mathrm{M}$

, and the comparison of the storage cost of public parameters, ciphertext, and user decryption key is shown in

Table 3. Comparison of storage costs.

Schemes	Public Parameters	Ciphertext	User Decryption Key
[16]	$(U+6)\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$(4S+1)\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$3l\left|\mathbb{G}\right|$
[21]	$7\left|\mathbb{G}\right|$	$(S+1)\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$5l\left|\mathbb{G}\right|$
[26]	$(U+2)\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$4\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$(2l+1)\left|\mathbb{G}\right|$
Proposed	$(5K+2)\left|\mathbb{G}\right|+K|{\mathbb{G}}_T|$	$(K+1)(S+1)\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$3l\left|\mathbb{G}\right|$

, where P represents the bilinear pairing operation, E represents the exponentiation operation on group $\mathbb{G}$, and M represents the multiplication operation on group $\mathbb{G}$. U represents the attribute universe, K denotes the number of attribute authorities, S indicates the number of attributes associated with the ciphertext, l represents the number of attributes involved in the access structure, and I represents the actual number of attributes used for decryption. |$\mathbb{G}$| represents the elements in group $\mathbb{G}$, and |${\mathbb{G}}_T$| represents the elements in group ${\mathbb{G}}_T$.

In real-world applications, the computational cost of the offline phase can be pre-worked when the user is idle. Therefore, during testing, we only focus on the computational cost incurred during the online phase. Due to the integration of online/offline technology, it can be seen from Table 2 that our proposed scheme has lower computational costs in key generation and encryption compared to [16,26]. In addition, due to the adoption of outsourced decryption, our proposed scheme and [21] shift a large number of decryption calculations to cloud servers, thus having greater advantages in decryption compared to the schemes in [16,26]. Therefore, the proposed scheme may be applicable to lightweight devices such as mobile phones with limited computing resources. Based on the analysis from Table 3, our scheme has successfully reduced the storage overhead to a certain extent compared to [16]. However, there is still a noticeable gap compared to [21,26] due to the multi-authority aspect.

We implemented the OO-MA-KP-ABE-CRF scheme using the Python programming language in the Charm-Crypto cryptographic library. The algorithm was thoroughly evaluated on a computer running the Linux Ubuntu 18.04.6 operating system, equipped with a 2.30 GHz 12th Gen Intel(R) Core(TM) i7-12700H CPU and 32 GB RAM. During the experimental phase, we deployed an Ubuntu virtual machine on the Windows 11 operating system and introduced the PYPBC module to provide the underlying mathematical foundation for the algorithm. Additionally, we initialized the parameter values “SS512” and “type A” curve to generate a prime-order bilinear group $\mathbb{G}$. It is worth noting that we categorized the computational operations involved in the algorithm’s computational cost, including bilinear pairing operations, multiplication operations, and exponentiation operations performed on group elements. Furthermore, to ensure the feasibility and practicality of the algorithm, we repeated the experiments multiple times and recorded the time cost of bilinear pairing operations as 2.05 ms, the time cost of exponentiation operations on group $\mathbb{G}$ as 2.80 ms, and the time cost of multiplication operations on group $\mathbb{G}$ as 2.82 ms. We assume that the number of attribute universes U is 5 and the number of attribute institutions K is 1, because scheme [21,26] is a single-authority scheme, while [16] and our scheme are multi-authority.

We performed experimental simulations of the online user key generation, online user encryption and online user decryption of these schemes, as shown in Figure 2, to provide a comparison of computational costs. From Figure 2a,b, it can be seen that our OO-MA-KP-ABE-CRF scheme has certain advantages in user key generation and user encryption compared to [16,21], but it is higher than [26]. This is mainly because [26] is a single-authority KP-ABE scheme, and only one attribute organization is considered when generating keys and encrypting, while our scheme is multi-authority, so we need to consider the cost of key generation and encryption. Furthermore, compared to other schemes, Ref. [21] and our proposed scheme have been effectively optimized in decryption by employing outsourced decryption, as shown in Figure 2c.

We analyzed the storage costs of these schemes using ciphertexts and keys, as shown in Figure 3. Based on the analysis in Table 3, it can be seen that each scheme’s ciphertext storage contains $|{\mathbb{G}}_T|$, so the impact of $|{\mathbb{G}}_T|$ can be ignored when comparing the cost of ciphertext storage. From Figure 3a, it can be seen that our scheme and [16] have a higher cost of ciphertext storage compared to [21,26]. This is because the schemes in [21,26] are both single-authority, and our scheme and [16] are both multi-authority. Therefore, in ciphertext construction, multiple authorities need to be considered, resulting in higher ciphertext storage costs. However, compared to the scheme [16] with multiple authorities, our scheme outperforms [16] in terms of ciphertext storage costs. As shown in Figure 3b, it can be seen that our scheme has the same storage cost in terms of keys as [16], lower than [21], but higher than [26]. This is mainly due to the access structures. The access structure in this scheme and [16] is non-monotonic and has more flexible expressions than the monotonic access structures in [21,26].

In order to provide a more detailed description of the differences between our scheme and other schemes, we conducted a detailed comparison and analysis from the perspectives of energy consumption and communication cost. Based on [31], and Table 2 and Table 3, we can calculate the energy consumption and communication cost. From Figure 4a, it can be seen that in the encryption, our scheme has a higher energy consumption compared to [21], mainly due to the presence of multiple authorities, and there is no need for any central authority to coordinate key distribution between various attribute authorities. Therefore, compared to other schemes, it will generate a certain amount of energy consumption. From Figure 4b, it can be seen that our scheme has the same energy consumption as [21] during the decryption phase and is at a lower level, because both [21] and our scheme adopt outsourced decryption.

In terms of communication cost, according to Figure 5, our scheme has a higher communication cost when sending ciphertext than [21,26], but better than [16]. This is because both our scheme and [16] are multi-authority, but those in [21,26] are single-authority. Therefore, when sending ciphertext, our scheme consumes more than those in [21,26], but it consumes less compared to [16], both being multi-authority. In terms of receiving keys, our scheme is the same as [16], but it consumes more than [26]. This is because our scheme and [16] both support non-monotonic access structures, resulting in a larger scale of keys. Therefore, while achieving complex and diverse access structures, this also increases the cost of key communication.

7. Conclusions

To effectively ensure the security of students’ physical ability data in a cloud-sharing environment, this paper proposes an OO-MA-KP-ABE-CRF scheme. Compared with other schemes, the proposed scheme has a non-monotonic access structure, multiple authorities, CRF, and online/offline capabilities. This not only enables the scheme to support more flexible access structures, but also effectively reduces the risk of single-authority failure, which may be caused by a large number of attributes, and resists backdoor attacks. In addition, we have integrated online/offline encryption, online/offline key generation, and outsourced decryption to reduce user storage and computing costs. Finally, we proved the security of the proposed scheme, and experimental analysis showed its effectiveness and feasibility.

In future work, we will further optimize the proposed scheme. In terms of security, we will consider the authentication requirement, as well as different attacks, such as MITM and replay attacks. In terms of efficiency, we will further optimize the efficiency of the scheme, through approaches such as optimizing the size of ciphertext, and consider the measurements for practical implementation.