Soft Set Decision and Cluster Percolation Method-Based Policy Clustering and Encryption Optimization for CP-ABE

Abstract

In ciphertext-policy attribute-based encryption, there might be different levels of overlapping in the access policies of different data objects outsourced by the same data owner. This paper proposes a soft set decision-making method and cluster percolation method-based policy clustering by using policy similarity for CP-ABE, aiming to merge the duplicated access policy pieces to reduce repeated computations during the encryption process of corresponding data objects. Firstly, the access policies are clustered using either the soft set decision-making or the cluster percolation method. Secondly, the access policies within the same cluster are integrated for further encryption of corresponding data objects as a whole, thereby preventing redundant computations during the encryption process and thus reducing computational overhead. Theoretical analysis and experimental results demonstrate the feasibility and effectiveness of the proposed approach in this paper.

1. Introduction

Attribute-based encryption (ABE) [1] has effectively addressed the issue of flexible access control for data in cloud storage. In the ciphertext-policy attribute-based encryption (CP-ABE) [2] scheme proposed by Bethencourt et al., data owners can define access policies flexibly. As a result, CP-ABE is particularly suitable for access control scenarios in cloud storage. Since most CP-ABE schemes are constructed based on elliptic curve bilinear groups, a significant number of bilinear pairings and exponentiation operations are involved in the encryption and decryption processes. These operations yield high computational costs for data owners.

In many cloud storage services that deploy CP-ABE-based access control, as data owners and consumers, many lightweight devices, such as sensors, smartphones, and remote terminals, are involved in computation-intensive data encryption/decryption operations. Therefore, improving CP-ABE encryption/decryption efficiency is a non-trivial issue. As a result, researchers have made substantial efforts to enhance encryption and decryption efficiency [3,4,5,6,7,8,9,10,11,12,13,14,15,16]. Among them, [3,4,5,6,7] are about improving encryption efficiency. Zhou et al. [3] introduced an encryption outsourcing approach. They split the access policy into two pieces, and the encryption-related computations associated with the two pieces are carried out separately by the data owner and the encryption service provider; the data owner only needs to conduct computations related to a sub-tree with just one attribute, while the encryption service provider conducts most of the remaining computations. Li et al. [4] proposed an encryption outsourcing scheme based on MapReduce technology. This scheme divides the access tree into two subtrees from the root node. The encryption-related computations for the left subtree are performed using MapReduce; the data owner performs encryption-related computations for the right subtree. Luo et al. [5] proposed a fast encryption CP-ABE scheme for the Spark big data. They utilized parallel computing methods to improve the efficiency of encryption. Hohenberger et al. [6] introduced an online/offline CP-ABE and KP-ABE scheme. Their scheme divides the encryption process into online and offline stages. The computations of bilinear pairings for encryption are performed in the offline stage; the data owner only needs to modify the relevant attribute parameters during the online stage to obtain the corresponding ciphertext. This approach reduces the computational overhead of the online encryption. Leng et al. [7] presented an ABE scheme that supports encryption outsourcing. This scheme needs to construct the shared access policy as a matrix; it outsources its construction and most of the encryption work of corresponding data objects to a cloud encryption server. As a result, the data owner only needs to perform three exponentiation operations to complete the remaining encryption process.

Researchers have made efforts to address the efficiency concerns in decryption [8,9,10,11,12,13,14,15,16]. Green et al. [8] introduced a CP-ABE scheme that outsources decryption operations to a third party. Subsequently, decryption optimization of CP-ABE has been considered in applications such as intelligent connected vehicles [9], smart healthcare [10], and the Internet of Things (IoT) [11]. The CP-ABE scheme for user privacy protection ABE [12] delegates certain operations to distributed proxy servers during the decryption stage, effectively reducing the computational cost for users. Zou et al. [13] introduced a fast decryption approach for CP-ABE. This approach incorporates Spark cluster and parallel computing techniques into the construction of the CP-ABE scheme, achieving rapid decryption. Li et al. [14] proposed a constant ciphertext length CP-ABE scheme that supports outsourcing encryption and decryption operation, significantly reducing communication costs. Zhang et al. [15] and Sheng [16], respectively, proposed fully outsourced CP-ABE schemes, enabling the outsourcing of key generation, encryption, and decryption. However, all of the mentioned approaches [3,4,5,6,7,8,9,10,11,12,13,14,15,16] address the issue of excessive computational overhead primarily by improving the algorithms’ efficiency.

To tackle the problem of increasing computational costs in encryption due to the complexity of access policies or the number of attributes, some researchers have aimed to enhance encryption efficiency by optimizing access policy and integrating similar access policies, further reducing redundant computations, leading to improve efficiency on the whole, instead of improving efficiency by optimizing encryption and decryption algorithms for single data objects. Wang et al. [17] proposed the layered access structure to solve the secure sharing of hierarchical files. The files are encrypted as a whole with one integrated access structure. This scheme integrates different access trees into a single access tree, thus saving storage costs and reducing encryption overhead. Wang [18] proposed a policy compression approach based on a greedy algorithm. This approach introduces public attribute ciphertext and “sub-policy” and achieves a compact access policy for a given access tree. It reduces the ciphertext length and improves the computational efficiency of both encryption and decryption. In [19], the authors proposed integrating access trees of different data objects of the data owner, thus avoiding repeated computations in the encryption process and reducing the computational overhead. However, this scheme deals with the case of only one shared sub-policy among different access policies. In our previous study [20], we proposed merging multiple shared sub-policies among different access policies and encrypting corresponding data objects as a whole to further reduce the overall computational cost of encryption of these data objects.

Decision-making is selecting the optimal solution from several alternatives to achieve a specific goal. Decision-making based on soft sets and their extensions with uncertainty has been adopted in various fields, including health care, management, finance, and artificial intelligence. The choice value algorithm [21] and the comparison score algorithm [22] are the two primary soft-set theory methods utilized for decision-making problems. Liu et al. [23] proposed a decision model based on a fuzzy soft set and ideal solution approach, which provides an algorithm of “divide-and-conquer” for attributes of the soft set. In contrast to existing works based on the choice value-based approach and the comparison score-based approach, it generates the optimal ideal solution according to the distinct properties of each attribute. After that, it uses the weighted Hamming distance to calculate the similarity between each possible alternative object and the ideal object. The closest one to the ideal object will be the optimal choice.

There might be varying degrees of overlap or similarity in the access policies of different data objects that the same data owner is about to outsource. The above works did not consider globally grouping data objects of a data owner according to the similarity of access policies of these data objects. If we group all data objects of a data owner according to their policy similarity and then merge the identical parts of the policies of data objects in the same group, we can avoid repeated independent computation to some extent during the encryption process, thus improving overall encryption efficiency. That is our intention.

In this paper, we address the tree access structure CP-ABE. We need to clarify some concepts beforehand to describe our study’s object better. We call a subtree with only one branch node a primary sub-policy. When a primary sub-policy appears in multiple access trees, we call it a primary shared sub-policy of these access trees.

We support “AND” gate and “OR” gate tree access structures. However, we have limitations: the parent node of each primary shared sub-policy is the root node of the whole access tree. In addition, if a data owner only releases a few data objects, or among these, access control policies have less overlapping, we might not need to cluster them. If a data owner releases many data objects and there are significant overlaps among their access policies, our scheme will be useful.

Based on previous work [20], this paper employs soft set decision-making and the cluster percolation method (CPM) [24] to cluster the access trees. Similar primary shared sub-policies among access trees from the same cluster are merged to the utmost extent; then corresponding data objects are encrypted together, thereby eliminating repeated independent computation of encryption and enhancing the overall efficiency of encryption.

The main contributions of this paper are as follows:

• For the case that the parent node of each primary shared sub-policy is the root node of the whole access tree, we use a soft set decision-making method to cluster and then integrate all the access trees from the same cluster optimally, thus minimizing the overall computational overhead of encryption for data owners.
• For the case that the parent node of each primary shared sub-policy is the root node of the whole access tree, we use the CPM assisted by the soft set decision-making method to cluster and then integrate all the access trees from the same cluster optimally, thus minimizing the overall computational overhead of encryption for data owners.

Our approach is suitable for data outsourcing scenarios that utilize CP-ABE-based access control where the data objects released by the same data owner have tree access policies with very good overlappings from the perspective of their sub-policies. Similar to most CP-ABE schemes, our scheme is IND-CPA secure.

2. Basic Knowledge

2.1. Bilinear Mapping

Let $G_1$ and $G_2$ be two cyclic groups of prime order p, where the generator of $G_1$ is g. A mapping $e:G_1\times G_1⟶G_2$ is considered bilinear if it fulfills the following three conditions.

• Non-degeneracy: $e(g,g)\ne 1$;
• Bilinear: $\forall u,v\in G_1$ and $a,b\in {\mathbb{Z}}_p$, the equation $e(u^a,v^b)=e{(u,v)}^{ab}$ holds;
• Computable: $\forall x,y\in G_1$, the value of $e(x,y)$ can be computed in polynomial time.

2.2. Monotonic Access Structure

Let $\{P_1,P_2,...,P_n\}$ be the set of participants. If for all subsets B and C, $B\in \mathcal{A}$ and $B\subseteq C$, then $C\in \mathcal{A}$, we say the set $\mathcal{A}\subseteq 2^{\{P_1,P_2,...,P_n\}}$ is monotone. A (monotonic) access structure $\mathcal{A}$ is a (monotonic) set formed by the non-empty subsets of $\{P_1,P_2,...,P_n\}$, i.e., $\mathcal{A}\subseteq 2^{\{1,2,...,n\}}\setminus \{⌀\}$. The subsets in $\mathcal{A}$ are called authorized sets, while the subsets not in $\mathcal{A}$ are referred to as unauthorized sets.

2.3. Access Tree

Let $\mathcal{T}$ denote an access tree composed of leaf nodes and non-leaf nodes. Each non-leaf node x in $\mathcal{T}$ is characterized by its child nodes and a threshold gate. Let $nu{m}_x$ represent the number of child nodes of node x, and $k_x$ be its threshold, where it is specified that $0<k_x\le nu{m}_x$. When $k_x=t$, it represents a logic of “t out of $nu{m}_x$”. When $k_x=1$, it represents a logical “OR”, and when $k_x=nu{m}_x$, it represents a logical “AND”.

For each node y in the access tree $\mathcal{T}$, let $parent\left(y\right)$ denote the parent node of y. Each parent node assigns an index value to each of its child nodes. Define the function $index\left(y\right)$ to represent the index value of node y, where $1\le index\left(y\right)\le nu{m}_x$. The function $att\left(y\right)$ is defined to represent the attributes associated with the leaf node y in $\mathcal{T}$.

2.4. Primary Shared Sub-Policy

Definition 1.

The same subtree that appears in multiple access trees is called a shared sub-policy of these access trees [19].

Definition 2.

If multiple access trees share the same subtree and this subtree contains only one branch node, it is called a primary shared sub-policy of these access trees.

2.5. Ideal Access Tree

Definition 3.

For a given multiple access trees, the ideal access tree is the access tree that includes all the primary shared sub-policies that appeared in these given access trees.

We only require that the ideal access tree includes all of the primary shared sub-policies that appeared in certain access trees. There are no additional requirements regarding its structure or the remaining part of it. We use it to select the most similar access tree to it, which contains the highest number of leaf nodes in its primary shared sub-policies overall. This access tree is used as a basis for later clustering and integration.

2.6. Basic Sub-Policy

Definition 4.

For given access trees, if all of them contain a primary shared sub-policy, we call this primary shared sub-policy the basic sub-policy of these access trees.

2.7. Soft Set

Definition 5.

Let $(U,E)$ be a soft space, where U is the initial universal set, E is the parameter set, $P\left(U\right)$ is the power set of U, and $A\subseteq E$. Let $F:A\to P\left(U\right)$ be a mapping. The pair $(F,A)$ is a soft set over the universe U.

Example 1.

U is the initial universal set, consisting of six houses: $U=\{h_1,h_2,h_3,h_4,h_5,h_6\}$. The parameter set E is given as $E=\{e_1,e_2,e_3,e_4,e_5,e_6,e_7\}$, where $e_1$, $e_2$, $e_3$, $e_4$, $e_5$, $e_6$, and $e_7$, respectively, represent attributes “expensive”, “good environment”, “wooden”, “beautiful”, “cheap”, “well-maintained”, and “in disrepair”. In this soft space $(U,E)$, defining a soft set indicates attributes such as “expensive” and “beautiful”. Suppose someone is interested in purchasing a house and is concerned with attributes $e_1$, $e_2$, $e_3$, $e_4$, $e_5$. Their evaluation of houses can be represented as a soft set $(F,A)$, where $A=\{e_1,e_2,e_3,e_4,e_5\}$. Let us assume that $F\left(e_1\right)=\{h_2,h_4\}$, $F\left(e_2\right)=\{h_1,h_3\}$, $F\left(e_3\right)=\{h_3,h_4,h_5\}$, $F\left(e_4\right)=\{h_1,h_3,h_5\}$, and $F\left(e_5\right)=\left\{h_1\right\}$. Then, $F\left(e_1\right)=\{h_2,h_4\}$ indicates that houses $h_2$ and $h_4$ are “expensive”, $F\left(e_2\right)=\{h_1,h_3\}$ indicates that houses $h_1$ and $h_3$ have a “good environment”, and similar interpretations can be made for the other attributes.

2.8. Decision Function Based on Hamming Distance

Hamming distance describes the degree of difference between two elements of equal length.

Definition 6.

The normalized Hamming distance of dimension n is a mapping $d_H:R^n\times R^n⟶R$ that satisfies:

$$d_H(A,B)=\frac{1}{n}\left(\sum _{i=1}^n|a_i-b_i|\right)$$

where $A=(a_1,a_2,\cdots ,a_n)$, $B=(b_1,b_2,\cdots ,b_n)$.

Here, we treat each primary shared sub-policy as an attribute for decision-making. Let U be composed of attributes (primary shared sub-policies), and $(F,A)$ be a soft set on the domain U. All attributes have equal importance. Let $u_{goal}$ represent the optimal solution. Thus, the decision problem becomes an optimization problem:

$$min\{d_H(u_{goal},u_i)u_i\in U,i=1,2,\cdots ,n\}$$

where n is the number of elements in the initial universal set.

Definition 7.

Let $W=(w_1,w_2,\cdots ,w_n)$ be the weights, ${\sum }_{i=1}^n{w}_i=1$. The weighted Hamming distance $d_{WH}$ is a mapping $d_{WH}:R^n\times R^n\to R$ given by:

$$d_{WH}(A,B)={\sum }_{i=1}^n{w}_i{a}_i-b_i,i=1,2,\cdots ,n$$

where $A=(a_1,a_2,\cdots ,a_n)$, $B=(b_1,b_2,\cdots ,b_n)$.

2.9. Primary Shared Sub-Policy Weight

Our proposal calculates the distance between each access tree and the ideal access tree using the weighted Hamming distance. The weights for each attribute (primary shared sub-policy) are calculated according to the following definitions:

Definition 8.

The impact factor of a primary shared sub-policy is defined as multiplying the number of access trees containing it by the number of leaf nodes within it.

Definition 9.

The maximum combinable number of a primary shared sub-policy is defined as subtracting its number of leaf nodes from its impact factor.

Definition 10.

The weight of a primary shared sub-policy is defined as dividing its maximum combinable number by the sum of the maximum combinable numbers of all the primary shared sub-policies.

2.10. Cluster Percolation Method

A faction refers to an undirected graph where any two nodes are connected by an edge, forming a complete subgraph or cluster. The maximal complete subgraph has the highest number of nodes among all complete subgraphs. A complete subgraph with k nodes in the graph is called a k clique. We say two k-cliques are connected if one overlaps with another by $k-1$ nodes, as shown in Figure 1.

The set of all connected cliques with a size of k or greater than k forms a k-community, as shown in Figure 2.

The main idea of the CPM is first to find complete subgraphs and then utilize these complete subgraphs to find k-communities; the k value of a community represents that the community is composed of cliques of size k or greater than k. After finding all k cliques, an overlap matrix of these cliques can be constructed. In this symmetric matrix, each row (column) represents a clique, and the non-diagonal elements of the matrix represent the number of common nodes in two connected cliques. The diagonal elements represent the size of the clique. By setting non-diagonal elements less than $k-1$ to 0 and diagonal elements less than k to 0, with other elements set to 1, we obtain a k-clique adjacency matrix, where each connected part forms a k-community, as shown in Figure 3.

In our second approach, we measure the similarity between two access trees based on the number of leaf nodes in their primary shared sub-policies. Using this similarity metric, we find k-cliques and combine multiple connected k-cliques to form the k-community. We select the k-community with the largest number of nodes and the maximum value of k as the pre-selected result for clustering. Finally, we refine the pre-selected result using the soft-set decision-making method.

3. Access Policy Clustering Method Based on Soft Set Decision-Making

3.1. Overview

In this paper, we first use a soft set decision-making method to select an optimal access tree closest to the ideal access tree, i.e., the one with the highest number of leaf nodes in all its primary shared sub-policies, from a given number of access trees. After that, we select the primary shared sub-policy with the maximum combinable number and use this primary shared sub-policy as the clustering criterion to put all access trees containing this primary shared sub-policy into one cluster; the rest of the access trees are repeatedly clustered using the same method.

The following example illustrates the clustering method of the access policy based on soft-set decision-making.

Example 2.

Consider an example of 20 access trees ${\mathcal{T}}_1,{\mathcal{T}}_2,\cdots ,{\mathcal{T}}_{20}$ containing 10 primary shared sub-policies $T_A,T_B,\cdots ,T_J$. Each tree’s primary shared sub-policies are randomly given, as shown in

Table 1. Example of 10 primary shared sub-policies contained in 20 access trees.

	${\mathit{T}}_{\mathit{A}}$	${\mathit{T}}_{\mathit{B}}$	${\mathit{T}}_{\mathit{C}}$	${\mathit{T}}_{\mathit{D}}$	${\mathit{T}}_{\mathit{E}}$	${\mathit{T}}_{\mathit{F}}$	${\mathit{T}}_{\mathit{G}}$	${\mathit{T}}_{\mathit{H}}$	${\mathit{T}}_{\mathit{I}}$	${\mathit{T}}_{\mathit{J}}$
${\mathcal{T}}_1$	3		1		2	1			1
${\mathcal{T}}_2$	3		1		2					2
${\mathcal{T}}_3$		2		3		1		2	1
${\mathcal{T}}_4$	3				2
${\mathcal{T}}_5$		2	1			1			1
${\mathcal{T}}_6$				3
${\mathcal{T}}_7$						1				2
${\mathcal{T}}_8$				3			2
${\mathcal{T}}_9$						1				2
${\mathcal{T}}_{10}$		2						2
${\mathcal{T}}_{11}$			1
${\mathcal{T}}_{12}$		2			2		2		1
${\mathcal{T}}_{13}$			1			1
${\mathcal{T}}_{14}$	3									2
${\mathcal{T}}_{15}$				3
${\mathcal{T}}_{16}$		2	1
${\mathcal{T}}_{17}$						1		2
${\mathcal{T}}_{18}$		2					2			2
${\mathcal{T}}_{19}$					2				1
${\mathcal{T}}_{20}$	3		1			1		2
impact factor	15	12	7	12	10	8	6	8	5	10
maximum combinable number	12	10	6	9	8	7	4	6	4	8

. The numbers in the table indicate the number of leaf nodes of a primary shared sub-policy included in the access tree.

First, we count all primary sub-policies of each access tree and further determine all primary shared sub-policies according to whether they appear repeatedly in different access trees. Next, use all primary shared sub-policies to construct a vector. Each component represents if the corresponding primary shared sub-policy is included; if included, the component is set to 1; otherwise, it is set to 0.

According to Table 1, the minimum shared sub-policies of the access tree ${\mathcal{T}}_1$ can be represented by the vector (1,0,1,0,1,1,0,0,1,0). The representation of other access trees is in the same way. For the ideal access tree containing all the minimum shared sub-policies, the corresponding vector is represented as (1,1,1,1,1,1,1,1,1,1).

$$(F,A)=\left[\begin{array}{ccccccccccc}& e_1& e_2& e_3& e_4& e_5& e_6& e_7& e_8& e_9& e_{10}\\ {\mathcal{T}}_{goal}& 1& 1& 1& 1& 1& 1& 1& 1& 1& 1\\ {\mathcal{T}}_1& 1& 0& 1& 0& 1& 1& 0& 0& 1& 0\\ {\mathcal{T}}_2& 1& 0& 1& 0& 1& 0& 0& 0& 0& 1\\ {\mathcal{T}}_3& 0& 1& 0& 1& 0& 1& 0& 1& 1& 0\\ {\mathcal{T}}_4& 1& 0& 0& 0& 1& 0& 0& 0& 0& 0\\ {\mathcal{T}}_5& 0& 1& 1& 0& 0& 1& 0& 0& 1& 0\\ {\mathcal{T}}_6& 0& 0& 0& 1& 0& 0& 0& 0& 0& 0\\ {\mathcal{T}}_7& 0& 0& 0& 0& 0& 1& 0& 0& 0& 1\\ {\mathcal{T}}_8& 0& 0& 0& 1& 0& 0& 1& 0& 0& 0\\ {\mathcal{T}}_9& 0& 0& 0& 0& 0& 1& 0& 0& 0& 1\\ {\mathcal{T}}_{10}& 0& 1& 0& 0& 0& 0& 0& 1& 0& 0\\ {\mathcal{T}}_{11}& 0& 0& 1& 0& 0& 0& 0& 0& 0& 0\\ {\mathcal{T}}_{12}& 0& 1& 0& 0& 1& 0& 1& 0& 1& 0\\ {\mathcal{T}}_{13}& 0& 0& 1& 0& 0& 1& 0& 0& 0& 0\\ {\mathcal{T}}_{14}& 1& 0& 0& 0& 0& 0& 0& 0& 0& 1\\ {\mathcal{T}}_{15}& 0& 0& 0& 1& 0& 0& 0& 0& 0& 0\\ {\mathcal{T}}_{16}& 0& 1& 1& 0& 0& 0& 0& 0& 0& 0\\ {\mathcal{T}}_{17}& 0& 0& 0& 0& 0& 1& 0& 1& 0& 0\\ {\mathcal{T}}_{18}& 0& 1& 0& 0& 0& 0& 1& 0& 0& 1\\ {\mathcal{T}}_{19}& 0& 0& 0& 0& 1& 0& 0& 0& 1& 0\\ {\mathcal{T}}_{20}& 1& 0& 1& 0& 0& 1& 0& 1& 0& 0\end{array}\right]$$

(1)

As shown in Table 1, the number of leaf nodes for the primary shared sub-policies $T_A,T_B,\dots ,T_J$ are 3; 2; 1; 3; 2; 1; 2; 2; 1; 2, respectively. Five access trees include the primary shared sub-policy $T_A$, so the impact factor of $T_A$ is $3\times 5=15$. Similarly, for the primary shared sub-policies $T_B,\dots ,T_J$, the impact factors are as follows: 12: 7; 12; 10; 8; 6; 8; 5; 10.

Next, calculate the maximum combinable number for each primary shared sub-policy. The maximum combinable number for the primary sharing sub-policy $T_A$ is 15-3=12. Similarly, for the primary shared sub-policies $T_B,\dots ,T_J$, the maximum combinable numbers are as follows: 10; 6; 9; 8; 7; 4; 6; 4; 8.

After that, calculate the weights for the primary shared sub-policies as follows: For $T_A$, the weight is 12/(12+10+6+9+8+7+4+6+4+8)=12/74. For $T_B,\dots ,T_J$, the weights are: 10/74; 6/74; 9/74; 8/74; 7/74; 4/74; 6/74; 4/74; 8/74.

Using the soft set decision-making matrix (1), calculate the weighted Hamming distance between each access tree and the ideal access tree as follows:

$$d_H({\mathcal{T}}_{goal},{\mathcal{T}}_1)=37/74,d_H({\mathcal{T}}_{goal},{\mathcal{T}}_2)=40/74,d_H({\mathcal{T}}_{goal},{\mathcal{T}}_3)=38/74$$

$$d_H({\mathcal{T}}_{goal},{\mathcal{T}}_4)=54/74,d_H({\mathcal{T}}_{goal},{\mathcal{T}}_5)=47/74,d_H({\mathcal{T}}_{goal},{\mathcal{T}}_6)=65/74$$

$$d_H({\mathcal{T}}_{goal},{\mathcal{T}}_7)=59/74,d_H({\mathcal{T}}_{goal},{\mathcal{T}}_8)=61/74,d_H({\mathcal{T}}_{goal},{\mathcal{T}}_9)=59/74$$

$$d_H({\mathcal{T}}_{goal},{\mathcal{T}}_{10})=58/74,d_H({\mathcal{T}}_{goal},{\mathcal{T}}_{11})=71/74,d_H({\mathcal{T}}_{goal},{\mathcal{T}}_{12})=56/74$$

$$d_H({\mathcal{T}}_{goal},{\mathcal{T}}_{13})=61/74,d_H({\mathcal{T}}_{goal},{\mathcal{T}}_{14})=54/74,d_H({\mathcal{T}}_{goal},{\mathcal{T}}_{15})=65/74$$

$$d_H({\mathcal{T}}_{goal},{\mathcal{T}}_{16})=58/74,d_H({\mathcal{T}}_{goal},{\mathcal{T}}_{17})=61/74,d_H({\mathcal{T}}_{goal},{\mathcal{T}}_{18})=52/74$$

$$d_H({\mathcal{T}}_{goal},{\mathcal{T}}_{19})=62/74,d_H({\mathcal{T}}_{goal},{\mathcal{T}}_{20})=43/74$$

Since $d_H({\mathcal{T}}_{goal},{\mathcal{T}}_1)=37/74$ is the smallest, tree ${\mathcal{T}}_1$ is selected as the optimal tree.

The optimal tree ${\mathcal{T}}_1$ contains the primary shared sub-policies: $T_A$, $T_C$, $T_E$, $T_F$, $T_I$. The largest maximum combinable number among them is 12, and the corresponding primary shared sub-policy is $T_A$. We chose it as the criterion for the first clustering. Access trees ${\mathcal{T}}_1$, ${\mathcal{T}}_2$, ${\mathcal{T}}_4$, ${\mathcal{T}}_{14}$, ${\mathcal{T}}_{20}$, containing the primary shared sub-policy $T_A$, are grouped into the first cluster.

We repeat the same method for the remaining access trees from scratch. ${\mathcal{T}}_3$ has the smallest weighted Hamming distance with the ideal access tree. Therefore, ${\mathcal{T}}_3$ is chosen as the optimal tree for the second clustering. In ${\mathcal{T}}_3$, the primary shared sub-policies are $T_B$, $T_D$, $T_F$, $T_H$, $T_I$.

Among them, the largest maximum combinable number is 10, and the corresponding primary shared sub-policy is $T_B$. We chose it as the criterion for the second clustering. Access trees ${\mathcal{T}}_3$, ${\mathcal{T}}_5$, ${\mathcal{T}}_{10}$, ${\mathcal{T}}_{12}$, ${\mathcal{T}}_{16}$ and ${\mathcal{T}}_{18}$, containing the primary shared sub-policy $T_B$, are grouped into the second cluster. The remaining trees are further clustered using the same method.

3.2. A General Approach to Access Tree Clustering Based on Soft Set Decision-Making

Based on Example 2, we provide a general soft set decision-making-based clustering method for access trees.

• Find primary shared sub-policies in a given multiple access trees. Determine the current ideal access tree. For each access tree, count the number of primary shared sub-policies and the number of leaf nodes each primary shared sub-policy contained.
• Calculate the impact factor, maximum combinable number, and weight for each primary shared sub-policy.
• Calculate the weighted Hamming distance between each access tree and the ideal access tree.
• Select the access tree with the smallest distance from the ideal access tree as the optimal tree. Select the primary shared sub-policy with the largest maximum combinable number in the optimal tree as the criterion for clustering. Put access trees containing this primary shared sub-policy into a cluster.
• Repeat steps 1–4 for the remaining access trees until all access trees are clustered.

4. Access Policy Clustering Method Based on Cluster Percolation Method

4.1. Overview

Below, we introduce our second approach of access control policy clustering. We use the total number of leaf nodes in the primary shared sub-policies contained in two access trees to measure the similarity between them; based on this metric, regarding access trees as nodes, we find all maximal complete subgraphs among the access trees and regard each maximal complete subgraph as a clique to construct the overlapping matrix. The overlapping matrix is then transformed into a community adjacency matrix, as described in Section 2.10, We select the k-community with the largest number of nodes (access trees) and the maximum value of k as the pre-selected result for clustering. If all these access trees contain at least one primary shared sub-policy, this pre-selected result becomes the final result. If there is no primary shared sub-policy contained in all access trees in the pre-selected result, then we chose the primary shared sub-policy with the largest maximum combinable number among primary shared sub-policies that these access trees in the pre-selected result contain. Other access trees that do not contain the selected primary shared sub-policy are eliminated from the pre-selected result, and the remaining access trees become the final result.

CFinder-2.0.6–1448 (https://www.cfinder.org/, accessed on 1 March 2023) is a software developed by Adamcsek et al. [25] for searching, visualizing, and analyzing the implicit group module of graphs based on the CPM. It can find cliques of a specified size in the graph and construct larger communities from the nodes and edges shared in the cliques.

The following is an example to introduce our access policy clustering approach based on the CPM.

Example 3.

Suppose 20 primary shared sub-policies $T_A,T_B,\cdots ,T_T$ randomly distributed in 50 access trees ${\mathcal{T}}_1\left(AND\right),{\mathcal{T}}_2\left(AND\right),\cdots ,{\mathcal{T}}_{50}\left(OR\right)$, where $\left(AND\right)$ or $\left(OR\right)$ denotes the threshold value of the root node of this access tree, as shown in

Table 2. Example of access trees with primary shared sub-policies.

	${\mathit{T}}_{\mathit{A}}$	${\mathit{T}}_{\mathit{B}}$	${\mathit{T}}_{\mathit{C}}$	${\mathit{T}}_{\mathit{D}}$	${\mathit{T}}_{\mathit{E}}$	${\mathit{T}}_{\mathit{F}}$	${\mathit{T}}_{\mathit{G}}$	${\mathit{T}}_{\mathit{H}}$	${\mathit{T}}_{\mathit{I}}$	${\mathit{T}}_{\mathit{J}}$	${\mathit{T}}_{\mathit{K}}$	${\mathit{T}}_{\mathit{L}}$	${\mathit{T}}_{\mathit{M}}$	${\mathit{T}}_{\mathit{N}}$	${\mathit{T}}_{\mathit{O}}$	${\mathit{T}}_{\mathit{P}}$	${\mathit{T}}_{\mathit{Q}}$	${\mathit{T}}_{\mathit{R}}$	${\mathit{T}}_{\mathit{X}}$	${\mathit{T}}_{\mathit{T}}$
${\mathcal{T}}_1\left(AND\right)$	0	0	0	3	0	0	3	0	0	0	0	3	0	0	0	0	1	4	0	2
${\mathcal{T}}_2\left(AND\right)$	0	2	0	3	0	2	0	0	0	0	0	0	0	4	0	4	0	0	0	0
${\mathcal{T}}_3\left(OR\right)$	0	0	0	0	0	0	0	0	0	0	0	3	0	0	0	0	0	0	0	0
${\mathcal{T}}_4\left(OR\right)$	0	0	2	0	0	0	3	0	4	0	0	3	0	4	0	0	0	0	0	0
${\mathcal{T}}_5\left(AND\right)$	0	2	0	0	0	0	0	0	0	0	0	3	3	0	0	0	0	0	4	2
${\mathcal{T}}_6\left(OR\right)$	0	0	0	0	0	0	0	0	4	3	0	0	0	0	0	4	0	0	0	2
${\mathcal{T}}_7\left(AND\right)$	3	0	0	0	2	2	0	3	0	3	4	0	0	4	4	4	0	4	0	2
${\mathcal{T}}_8\left(AND\right)$	0	0	0	0	2	0	3	0	0	3	0	0	3	0	0	0	1	0	0	0
${\mathcal{T}}_9\left(OR\right)$	3	0	0	0	2	0	0	3	0	3	0	0	3	0	0	0	1	0	4	0
${\mathcal{T}}_{10}\left(OR\right)$	0	2	0	0	0	0	0	0	4	3	0	0	3	0	0	0	0	4	0	0
${\mathcal{T}}_{11}\left(AND\right)$	0	0	0	0	2	0	0	3	0	0	0	3	3	0	0	4	1	0	0	0
${\mathcal{T}}_{12}\left(AND\right)$	0	0	0	0	2	2	0	3	0	0	0	0	0	0	4	4	0	0	4	0
${\mathcal{T}}_{13}\left(AND\right)$	0	2	0	3	0	2	3	0	0	0	0	0	0	0	4	0	0	4	0	0
${\mathcal{T}}_{14}\left(AND\right)$	0	2	0	3	0	0	0	3	0	0	0	0	0	0	0	0	0	0	0	0
${\mathcal{T}}_{15}\left(AND\right)$	0	0	0	0	0	0	0	0	4	3	0	0	0	0	4	0	0	4	0	2
${\mathcal{T}}_{16}\left(OR\right)$	0	0	2	0	0	0	3	0	0	0	0	3	3	0	4	4	0	0	0	2
${\mathcal{T}}_{17}\left(OR\right)$	0	0	0	3	0	0	3	0	0	3	4	0	0	0	4	0	0	0	4	2
${\mathcal{T}}_{18}\left(AND\right)$	0	0	2	0	0	0	0	0	0	3	0	0	0	4	0	0	0	0	0	2
${\mathcal{T}}_{19}\left(OR\right)$	0	0	0	3	0	0	0	0	0	0	4	0	0	0	0	0	1	0	4	0
${\mathcal{T}}_{20}\left(OR\right)$	3	0	0	0	2	0	0	3	0	0	0	0	3	4	4	4	0	0	0	0
${\mathcal{T}}_{21}\left(OR\right)$	0	0	2	0	2	0	0	0	0	3	0	0	0	0	0	0	0	0	0	0
${\mathcal{T}}_{22}\left(OR\right)$	0	0	0	3	0	0	3	3	0	3	0	0	0	0	0	0	0	4	0	2
${\mathcal{T}}_{23}\left(OR\right)$	3	0	0	0	0	0	0	0	4	0	0	0	0	0	4	0	0	4	0	0
${\mathcal{T}}_{24}\left(OR\right)$	3	0	0	0	0	0	0	0	4	0	0	0	0	0	0	4	0	0	0	0
${\mathcal{T}}_{25}\left(AND\right)$	0	0	0	3	0	2	0	3	0	0	0	3	0	4	0	4	0	4	0	0
${\mathcal{T}}_{26}\left(AND\right)$	0	0	2	0	0	0	0	0	0	3	0	0	0	0	0	0	0	0	0	0
${\mathcal{T}}_{27}\left(AND\right)$	0	0	0	0	0	0	0	0	4	0	0	3	0	0	0	0	0	0	0	2
${\mathcal{T}}_{28}\left(OR\right)$	0	0	0	0	0	0	0	0	4	3	0	0	0	4	4	4	0	0	0	0
${\mathcal{T}}_{29}\left(AND\right)$	3	2	2	0	0	2	3	0	0	0	4	3	0	4	0	0	0	0	0	0
${\mathcal{T}}_{30}\left(AND\right)$	0	0	0	0	2	0	0	3	4	0	0	0	3	4	0	0	0	0	0	2
${\mathcal{T}}_{31}\left(OR\right)$	0	2	2	3	0	0	0	3	0	3	0	3	0	0	0	4	1	0	0	2
${\mathcal{T}}_{32}\left(AND\right)$	0	0	0	3	0	2	0	0	0	0	0	3	3	4	4	4	0	0	4	0
${\mathcal{T}}_{33}\left(AND\right)$	0	2	2	0	0	0	0	0	0	0	0	0	0	4	0	0	0	0	0	0
${\mathcal{T}}_{34}\left(OR\right)$	0	0	2	0	0	0	0	3	4	0	0	3	3	4	0	0	1	4	0	0
${\mathcal{T}}_{35}\left(AND\right)$	0	0	0	0	0	0	3	3	0	0	0	0	3	4	0	0	0	0	0	2
${\mathcal{T}}_{36}\left(OR\right)$	0	0	0	3	0	0	0	0	0	3	0	0	0	4	4	0	0	0	0	0
${\mathcal{T}}_{37}\left(AND\right)$	3	0	0	0	0	0	0	0	0	0	0	0	0	0	0	4	0	0	0	0
${\mathcal{T}}_{38}\left(AND\right)$	3	0	0	0	0	0	0	0	0	0	4	0	3	0	0	0	0	0	4	0
${\mathcal{T}}_{39}\left(AND\right)$	3	0	0	0	0	0	0	3	0	0	0	0	0	0	4	0	0	4	0	0
${\mathcal{T}}_{40}\left(OR\right)$	3	0	0	0	0	0	3	0	4	3	0	3	3	0	4	0	1	0	0	0
${\mathcal{T}}_{41}\left(AND\right)$	0	2	0	0	0	0	0	0	0	3	0	0	0	0	0	0	1	0	4	0
${\mathcal{T}}_{42}\left(AND\right)$	0	0	0	3	0	2	3	0	4	0	4	0	0	0	4	0	0	0	0	0
${\mathcal{T}}_{43}\left(AND\right)$	0	0	2	0	0	2	0	0	0	0	0	0	0	0	0	0	0	4	0	0
${\mathcal{T}}_{44}\left(AND\right)$	0	2	0	0	0	2	0	0	0	0	0	3	0	4	0	0	0	0	4	0
${\mathcal{T}}_{45}\left(OR\right)$	0	0	0	0	2	0	0	0	0	0	0	0	3	4	0	0	0	0	0	2
${\mathcal{T}}_{46}\left(OR\right)$	3	2	0	0	2	0	0	0	4	3	0	0	0	0	0	0	0	0	0	0
${\mathcal{T}}_{47}\left(AND\right)$	0	2	0	0	0	2	3	3	0	0	0	0	0	0	4	0	0	0	4	2
${\mathcal{T}}_{48}\left(OR\right)$	0	2	0	0	2	2	0	3	0	0	0	0	0	0	0	0	0	0	0	0
${\mathcal{T}}_{49}\left(OR\right)$	0	2	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0	4	0	0
${\mathcal{T}}_{50}\left(AND\right)$	0	0	0	0	0	0	0	0	0	3	0	0	0	4	0	0	0	0	0	0

.

We take the sum of the number of leaf nodes contained in all the identical primary shared sub-policies in two trees as the similarity of the two trees. The access tree ${\mathcal{T}}_1\left(AND\right)$ and ${\mathcal{T}}_2\left(AND\right)$ share a primary shared sub-policy $T_D$ that has three leaf nodes; therefore, the similarity between ${\mathcal{T}}_1\left(AND\right)$ and ${\mathcal{T}}_2\left(AND\right)$ is 3. There is no identical primary shared sub-policy in access tree ${\mathcal{T}}_1\left(AND\right)$ and access tree ${\mathcal{T}}_{12}\left(AND\right)$; thus, the similarity between access tree ${\mathcal{T}}_1\left(AND\right)$ and access tree ${\mathcal{T}}_{12}\left(AND\right)$ is 0. Therefore, we obtain the similarity between every two access trees. The similarity between partial access trees is shown in

Table 3. Similarity between partially access trees.

	${\mathcal{T}}_1$	${\mathcal{T}}_2$	${\mathcal{T}}_3$	${\mathcal{T}}_4$	${\mathcal{T}}_5$	${\mathcal{T}}_6$	${\mathcal{T}}_7$	${\mathcal{T}}_8$	${\mathcal{T}}_9$	${\mathcal{T}}_{10}$	${\mathcal{T}}_{11}$	${\mathcal{T}}_{12}$	${\mathcal{T}}_{13}$	${\mathcal{T}}_{14}$	${\mathcal{T}}_{15}$	${\mathcal{T}}_{16}$	${\mathcal{T}}_{17}$	${\mathcal{T}}_{18}$	${\mathcal{T}}_{19}$	${\mathcal{T}}_{20}$	${\mathcal{T}}_{21}$	${\mathcal{T}}_{22}$	${\mathcal{T}}_{23}$	${\mathcal{T}}_{24}$
${\mathcal{T}}_1$
${\mathcal{T}}_2$	3
${\mathcal{T}}_3$	3	0
${\mathcal{T}}_4$	6	4	3
${\mathcal{T}}_5$	5	2	3	3
${\mathcal{T}}_6$	2	4	0	4	2
${\mathcal{T}}_7$	6	10	0	4	2	9
${\mathcal{T}}_8$	4	0	0	3	3	3	5
${\mathcal{T}}_9$	1	0	0	0	7	3	11	9
${\mathcal{T}}_{10}$	4	2	0	4	5	7	7	6	6
${\mathcal{T}}_{11}$	4	4	3	3	6	4	9	6	9	3
${\mathcal{T}}_{12}$	0	6	0	0	4	4	15	2	9	0	9
${\mathcal{T}}_{13}$	10	7	0	3	2	0	10	3	0	6	0	6
${\mathcal{T}}_{14}$	3	5	0	0	2	0	3	0	3	2	3	3	5
${\mathcal{T}}_{15}$	6	0	0	4	2	9	13	3	3	11	0	4	8	0
${\mathcal{T}}_{16}$	8	4	3	8	8	6	10	6	3	3	10	8	7	0	6
${\mathcal{T}}_{17}$	8	3	0	3	6	5	13	6	7	3	0	8	10	3	9	9
${\mathcal{T}}_{18}$	2	4	0	6	2	5	9	3	3	3	0	0	0	0	5	4	5
${\mathcal{T}}_{19}$	4	3	0	0	4	0	4	1	5	0	1	4	3	3	0	0	11	0
${\mathcal{T}}_{20}$	0	8	0	4	3	4	20	5	11	3	12	13	4	3	4	11	4	4	0
${\mathcal{T}}_{21}$	0	0	0	2	0	3	5	5	5	3	2	2	0	0	3	2	3	5	0	2
${\mathcal{T}}_{22}$	12	3	0	3	2	5	12	6	6	7	3	3	10	6	9	5	11	5	3	3	3
${\mathcal{T}}_{23}$	4	0	0	4	0	4	11	0	3	8	0	4	8	0	12	4	4	0	0	7	0	4
${\mathcal{T}}_{24}$	0	4	0	4	0	8	7	0	3	4	4	4	0	0	4	4	0	0	0	7	0	0	7
${\mathcal{T}}_{25}$	10	13	3	7	3	4	17	0	3	4	10	9	9	6	4	7	3	4	3	11	0	10	4	4

.

Subsequently, all the similarity data are imported into CFinder; we first set the similarity threshold to 3. The community with the largest k value and maximum nodes (access trees) is selected as a pre-selected result of the first clustering among the communities generated from the similarity data. Now, 17 access trees ${\mathcal{T}}_2\left(AND\right)$, ${\mathcal{T}}_4\left(OR\right)$, ${\mathcal{T}}_7\left(AND\right)$, ${\mathcal{T}}_{18}\left(AND\right)$, ${\mathcal{T}}_{20}\left(OR\right)$, ${\mathcal{T}}_{25}\left(AND\right)$, ${\mathcal{T}}_{28}\left(OR\right)$, ${\mathcal{T}}_{29}\left(AND\right)$, ${\mathcal{T}}_{30}\left(AND\right)$, ${\mathcal{T}}_{32}\left(AND\right)$, ${\mathcal{T}}_{33}\left(AND\right)$, ${\mathcal{T}}_{34}\left(OR\right)$,${\mathcal{T}}_{35}\left(AND\right)$, ${\mathcal{T}}_{36}\left(OR\right)$, ${\mathcal{T}}_{44}\left(AND\right)$, ${\mathcal{T}}_{45}\left(OR\right)$, ${\mathcal{T}}_{50}\left(OR\right)$ are pre-selected results. All of them contain the primary shared sub-policy $T_N$, there is no need to exclude any access tree from the first cluster. Therefore, these access trees are the result of the first clustering, as shown in

Table 4. Results of the first clustering of 50 access trees.

	${\mathit{T}}_{\mathit{A}}$	${\mathit{T}}_{\mathit{B}}$	${\mathit{T}}_{\mathit{C}}$	${\mathit{T}}_{\mathit{D}}$	${\mathit{T}}_{\mathit{E}}$	${\mathit{T}}_{\mathit{F}}$	${\mathit{T}}_{\mathit{G}}$	${\mathit{T}}_{\mathit{H}}$	${\mathit{T}}_{\mathit{I}}$	${\mathit{T}}_{\mathit{J}}$	${\mathit{T}}_{\mathit{K}}$	${\mathit{T}}_{\mathit{L}}$	${\mathit{T}}_{\mathit{M}}$	${\mathit{T}}_{\mathit{N}}$	${\mathit{T}}_{\mathit{O}}$	${\mathit{T}}_{\mathit{P}}$	${\mathit{T}}_{\mathit{Q}}$	${\mathit{T}}_{\mathit{R}}$	${\mathit{T}}_{\mathit{X}}$	${\mathit{T}}_{\mathit{T}}$
${\mathcal{T}}_2\left(AND\right)$	0	2	0	3	0	2	0	0	0	0	0	0	0	4	0	4	0	0	0	0
${\mathcal{T}}_4\left(OR\right)$	0	0	2	0	0	0	3	0	4	0	0	3	0	4	0	0	0	0	0	0
${\mathcal{T}}_7\left(AND\right)$	3	0	0	0	2	2	0	3	0	3	4	0	0	4	4	4	0	4	0	2
${\mathcal{T}}_{18}\left(AND\right)$	0	0	2	0	0	0	0	0	0	3	0	0	0	4	0	0	0	0	0	2
${\mathcal{T}}_{20}\left(OR\right)$	3	0	0	0	2	0	0	3	0	0	0	0	3	4	4	4	0	0	0	0
${\mathcal{T}}_{25}\left(AND\right)$	0	0	0	3	0	2	0	3	0	0	0	3	0	4	0	4	0	4	0	0
${\mathcal{T}}_{28}\left(OR\right)$	0	0	0	0	0	0	0	0	4	3	0	0	0	4	4	4	0	0	0	0
${\mathcal{T}}_{29}\left(AND\right)$	3	2	2	0	0	2	3	0	0	0	4	3	0	4	0	0	0	0	0	0
${\mathcal{T}}_{30}\left(AND\right)$	0	0	0	0	2	0	0	3	4	0	0	0	3	4	0	0	0	0	0	2
${\mathcal{T}}_{32}\left(AND\right)$	0	0	0	3	0	2	0	0	0	0	0	3	3	4	4	4	0	0	4	0
${\mathcal{T}}_{33}\left(AND\right)$	0	2	2	0	0	0	0	0	0	0	0	0	0	4	0	0	0	0	0	0
${\mathcal{T}}_{34}\left(OR\right)$	0	0	2	0	0	0	0	3	4	0	0	3	3	4	0	0	1	4	0	0
${\mathcal{T}}_{35}\left(AND\right)$	0	0	0	0	0	0	3	3	0	0	0	0	3	4	0	0	0	0	0	2
${\mathcal{T}}_{36}\left(OR\right)$	0	0	0	3	0	0	0	0	0	3	0	0	0	4	4	0	0	0	0	0
${\mathcal{T}}_{44}\left(AND\right)$	0	2	0	0	0	2	0	0	0	0	0	3	0	4	0	0	0	0	4	0
${\mathcal{T}}_{45}\left(OR\right)$	0	0	0	0	2	0	0	0	0	0	0	0	3	4	0	0	0	0	0	2
${\mathcal{T}}_{50}\left(OR\right)$	0	0	0	0	0	0	0	0	0	3	0	0	0	4	0	0	0	0	0	0

.

Similarly, the similarity data for the remaining 33 access trees were imported into CFinder. We set the similarity threshold to 3, The communities with the largest k value and maximum nodes (access trees) are ${\mathcal{T}}_1\left(AND\right)$, ${\mathcal{T}}_{13}\left(AND\right)$, ${\mathcal{T}}_{15}\left(AND\right)$, ${\mathcal{T}}_{16}\left(OR\right)$, ${\mathcal{T}}_{17}\left(OR\right)$, ${\mathcal{T}}_{22}\left(OR\right)$, ${\mathcal{T}}_{23}\left(OR\right)$, ${\mathcal{T}}_{39}$, ${\mathcal{T}}_{40}\left(OR\right)$, ${\mathcal{T}}_{42}\left(AND\right)$, ${\mathcal{T}}_{47}\left(AND\right)$. Since these access trees do not have a primary shared sub-policy in common, we need to handle them further. We compute the maximum combinable number of primary shared sub-policies contained in these trees.

The primary shared sub-policy $T_O$ has the largest maximum combinable number and is chosen as the criterion for further clustering. The access trees ${\mathcal{T}}_1\left(AND\right)$, ${\mathcal{T}}_{22}\left(OR\right)$ that do not contain $T_O$ are excluded from the current pre-selected cluster; the remaining trees ${\mathcal{T}}_{13}\left(AND\right)$, ${\mathcal{T}}_{15}\left(AND\right)$, ${\mathcal{T}}_{16}\left(OR\right)$, ${\mathcal{T}}_{17}\left(OR\right)$, ${\mathcal{T}}_{23}\left(OR\right)$, ${\mathcal{T}}_{39}\left(AND\right)$, ${\mathcal{T}}_{40}\left(OR\right)$, ${\mathcal{T}}_{42}\left(AND\right)$, ${\mathcal{T}}_{47}\left(AND\right)$ are the final result of the second clustering. These access trees contain primary shared sub-policies, as shown in

Table 5. Results of the second clustering of 50 access trees.

	${\mathit{T}}_{\mathit{A}}$	${\mathit{T}}_{\mathit{B}}$	${\mathit{T}}_{\mathit{C}}$	${\mathit{T}}_{\mathit{D}}$	${\mathit{T}}_{\mathit{E}}$	${\mathit{T}}_{\mathit{F}}$	${\mathit{T}}_{\mathit{G}}$	${\mathit{T}}_{\mathit{H}}$	${\mathit{T}}_{\mathit{I}}$	${\mathit{T}}_{\mathit{J}}$	${\mathit{T}}_{\mathit{K}}$	${\mathit{T}}_{\mathit{L}}$	${\mathit{T}}_{\mathit{M}}$	${\mathit{T}}_{\mathit{N}}$	${\mathit{T}}_{\mathit{O}}$	${\mathit{T}}_{\mathit{P}}$	${\mathit{T}}_{\mathit{Q}}$	${\mathit{T}}_{\mathit{R}}$	${\mathit{T}}_{\mathit{X}}$	${\mathit{T}}_{\mathit{T}}$
${\mathcal{T}}_{13}\left(AND\right)$	0	2	0	3	0	2	3	0	0	0	0	0	0	0	4	0	0	4	0	0
${\mathcal{T}}_{15}\left(AND\right)$	0	0	0	0	0	0	0	0	4	3	0	0	0	0	4	0	0	4	0	2
${\mathcal{T}}_{16}\left(OR\right)$	0	0	2	0	0	0	3	0	0	0	0	3	3	0	4	4	0	0	0	2
${\mathcal{T}}_{17}\left(OR\right)$	0	0	0	3	0	0	3	0	0	3	4	0	0	0	4	0	0	0	4	2
${\mathcal{T}}_{23}\left(OR\right)$	3	0	0	0	0	0	0	0	4	0	0	0	0	0	4	0	0	4	0	0
${\mathcal{T}}_{39}\left(AND\right)$	3	0	0	0	0	0	0	3	0	0	0	0	0	0	4	0	0	4	0	0
${\mathcal{T}}_{40}\left(OR\right)$	3	0	0	0	0	0	3	0	4	3	0	3	3	0	4	0	1	0	0	0
${\mathcal{T}}_{42}\left(AND\right)$	0	0	0	3	0	2	3	0	4	0	4	0	0	0	4	0	0	0	0	0
${\mathcal{T}}_{47}\left(AND\right)$	0	2	0	0	0	2	3	3	0	0	0	0	0	0	4	0	0	0	4	2

.

Similarly, the similarity data for the remaining 24 access trees were imported into CFinder. We set the similarity threshold to 2, The communities with the largest k value and maximum nodes (access trees) are ${\mathcal{T}}_6\left(OR\right)$, ${\mathcal{T}}_8\left(AND\right)$, ${\mathcal{T}}_9\left(OR\right)$, ${\mathcal{T}}_{10}\left(OR\right)$, ${\mathcal{T}}_{21}\left(OR\right)$, ${\mathcal{T}}_{22}\left(OR\right)$, ${\mathcal{T}}_{26}\left(AND\right)$, ${\mathcal{T}}_{31}\left(OR\right)$, ${\mathcal{T}}_{41}\left(AND\right)$, ${\mathcal{T}}_{46}\left(OR\right)$. All of these access trees contain the primary shared sub-policy $T_J$, so it does not require excluding any access tree from the cluster. Therefore, the pre-selected access trees above are the result of the third clustering. These access trees contain primary shared sub-policies, as shown in

Table 6. Results of the third clustering of 50 access trees.

	${\mathit{T}}_{\mathit{A}}$	${\mathit{T}}_{\mathit{B}}$	${\mathit{T}}_{\mathit{C}}$	${\mathit{T}}_{\mathit{D}}$	${\mathit{T}}_{\mathit{E}}$	${\mathit{T}}_{\mathit{F}}$	${\mathit{T}}_{\mathit{G}}$	${\mathit{T}}_{\mathit{H}}$	${\mathit{T}}_{\mathit{I}}$	${\mathit{T}}_{\mathit{J}}$	${\mathit{T}}_{\mathit{K}}$	${\mathit{T}}_{\mathit{L}}$	${\mathit{T}}_{\mathit{M}}$	${\mathit{T}}_{\mathit{N}}$	${\mathit{T}}_{\mathit{O}}$	${\mathit{T}}_{\mathit{P}}$	${\mathit{T}}_{\mathit{Q}}$	${\mathit{T}}_{\mathit{R}}$	${\mathit{T}}_{\mathit{X}}$	${\mathit{T}}_{\mathit{T}}$
${\mathcal{T}}_6\left(OR\right)$	0	0	0	0	0	0	0	0	4	3	0	0	0	0	0	4	0	0	0	2
${\mathcal{T}}_8\left(AND\right)$	0	0	0	0	2	0	3	0	0	3	0	0	3	0	0	0	1	0	0	0
${\mathcal{T}}_9\left(OR\right)$	3	0	0	0	2	0	0	3	0	3	0	0	3	0	0	0	1	0	4	0
${\mathcal{T}}_{10}\left(OR\right)$	0	2	0	0	0	0	0	0	4	3	0	0	3	0	0	0	0	4	0	0
${\mathcal{T}}_{21}\left(OR\right)$	0	0	2	0	2	0	0	0	0	3	0	0	0	0	0	0	0	0	0	0
${\mathcal{T}}_{22}\left(OR\right)$	0	0	0	3	0	0	3	3	0	3	0	0	0	0	0	0	0	4	0	2
${\mathcal{T}}_{26}\left(AND\right)$	0	0	2	0	0	0	0	0	0	3	0	0	0	0	0	0	0	0	0	0
${\mathcal{T}}_{31}\left(OR\right)$	0	2	2	3	0	0	0	3	0	3	0	3	0	0	0	4	1	0	0	2
${\mathcal{T}}_{41}\left(AND\right)$	0	2	0	0	0	0	0	0	0	3	0	0	0	0	0	0	1	0	4	0
${\mathcal{T}}_{46}\left(OR\right)$	3	2	0	0	2	0	0	0	4	3	0	0	0	0	0	0	0	0	0	0

.

The remaining 22 access trees can then be clustered in the same way, but we omit it here for brevity.

4.2. A General Approach to Access Tree Clustering with Cluster Percolation Method

Based on example 3, a general method for clustering access trees based on CPM is given.

• For all primary shared sub-policies between every two access trees, calculate the sum of the number of leaf nodes contained in these primary shared sub-policies and take it as the similarity of the two trees.
• Set the similarity threshold and use the CPM to find all cliques and communities composed of access trees.
• Access trees from the community with the largest value of k and maximum nodes (access trees) are set to be the pre-selected result for clustering. If all these access trees contain at least one primary shared sub-policy, this pre-selected result becomes the final result. If there is no primary shared sub-policy contained in all access trees in the pre-selected result of the cluster, then we choose the primary shared sub-policy with the largest maximum combinable number among primary shared sub-policies that these access trees in the pre-selected result contain; other access trees that do not contain the primary shared sub-policy are eliminated from the pre-selected result, and the remaining access trees become the final result.
• Repeat step 2 and step 3 for the remaining access trees until all access trees are clustered.

5. Amendment and Integration of Access Trees in the Same Cluster

5.1. Overview

After first-level clustering according to clustering methods provided in Section 3.2 or Section 4.2, access trees within the same cluster are further categorized into $AND$-type and $OR$-type classes based on the threshold value of their root node. Then, based on the similarity of the access trees, we perform divisive clustering for all access trees in the two classes until all access trees in the same cluster have at least two primary shared sub-policies in common. Then, starting from the final round of clustering results, we do the following: integrate the access trees of the same class and within the same cluster to achieve a bigger access tree corresponding to that cluster, and then integrate the bigger access trees within these same classes to achieve much bigger access trees. Repeat this integration operation until two large access trees with $AND$ root and $OR$ root are generated, respectively. Then, the two access trees are connected with basic sub-policies as crossing nodes.

5.2. Amendment of Access Trees within the Same Class

Before integrating access trees in the same class, we need to make some amendments to them. Here, for clarity, we first illustrate how to amend access trees using an example of four trees ${\mathcal{T}}_1$, ${\mathcal{T}}_2$, ${\mathcal{T}}_3$ and ${\mathcal{T}}_4$. Suppose they are from the same class ($AND$-type) and the same cluster of the first-level clustering. The symbols $T_1\left(other\right),T_2\left(other\right),T_3\left(other\right),T_4\left(other\right)$ are used to denote the non-shared sub-policy part of access trees; the symbols $T_A,T_B,T_C$ denote the primary shared sub-policy part.

The four access trees have basic sub-policy $T_A$ and the primary shared sub-policy $T_B$ in common. We add a child node—“$AND$”, the same child node as the root node, under the root node, making it the parent node of the two primary shared sub-policies. The two primary shared sub-policies with their newly added parent node construct a new shared sub-policy for all access trees; we denote it $T_{AB}\left(AND\right)$. We can observe that ${\mathcal{T}}_3$ and ${\mathcal{T}}_4$ have $T_{AB}\left(AND\right)$ and $T_C$ in common. Therefore, we repeat the above operation; that is, we add the “$AND$” node under the root node of ${\mathcal{T}}_3$ and ${\mathcal{T}}_4$, making it the parent node of the two shared sub-polices $T_{AB}\left(AND\right)$ and $T_C$. Before and after the amendment are shown in Figure 4. Access trees in the $OR$-type class can be amended in the same way. Here, we omit it.

5.3. Case Study of Policy Integration

The following illustrates the amendment and integration of access trees within the first cluster in Example 3.

Example 4.

As part of the first-level clustering result, there are 17 trees in the first clusters in Example 3, and the primary shared sub-policies they contain are shown in Table 4.

These trees all contain the primary shared sub-policy $T_N$, where $T_N$ is the basic sub-policy in this cluster. The access trees with the “$AND$” root node are categorized into the $AND$-type class; they are ${\mathcal{T}}_2\left(AND\right)$, ${\mathcal{T}}_7\left(AND\right)$, ${\mathcal{T}}_{18}\left(AND\right)$, ${\mathcal{T}}_{25}\left(AND\right)$, ${\mathcal{T}}_{29}\left(AND\right)$, ${\mathcal{T}}_{30}\left(AND\right)$, ${\mathcal{T}}_{32}\left(AND\right)$, ${\mathcal{T}}_{33}\left(AND\right)$, ${\mathcal{T}}_{35}\left(AND\right)$, ${\mathcal{T}}_{44}\left(AND\right)$. The access trees with the “$OR$” root node are categorized into the $OR$-type class; they are ${\mathcal{T}}_4\left(OR\right)$, ${\mathcal{T}}_{20}\left(OR\right)$, ${\mathcal{T}}_{28}\left(OR\right)$, ${\mathcal{T}}_{34}\left(OR\right)$, ${\mathcal{T}}_{36}\left(OR\right)$, ${\mathcal{T}}_{45}\left(OR\right)$, ${\mathcal{T}}_{50}\left(OR\right)$. After first-level clustering and classifying, we now start second-level clustering. In the domain of $AND$-type class, the maximum combinable numbers of these 20 primary shared sub-policies are recalculated. They are $3,6,4,6,2,10,3,9,0,3,4,9,6,36,4,12,-1,4,4,6.$ Besides the basic sub-policy $T_N$, $T_P$ has the largest maximum combinable number. The access trees ${\mathcal{T}}_2\left(AND\right)$, ${\mathcal{T}}_7\left(AND\right)$, ${\mathcal{T}}_{25}\left(AND\right)$, ${\mathcal{T}}_{32}\left(AND\right)$ containing both $T_P$ and $T_N$ are put into a new cluster as a part of second-level clustering result, and their structure is illustrated in Figure 5.

Since these access trees also contain the primary shared sub-policy $T_F$, $T_F$ and $T_P$ can be integrated with the basic sub-policy $T_N$ first. For the cluster of access trees ${\mathcal{T}}_2\left(AND\right)$, ${\mathcal{T}}_7\left(AND\right)$, ${\mathcal{T}}_{25}\left(AND\right)$, ${\mathcal{T}}_{32}\left(AND\right)$ that generated in the second-level clustering, we add a child node—“$AND$”, the same child node as the root node, under the root node, making it the parent node of the three primary shared sub-policies. The three primary shared sub-policies with their newly added parent node construct a new shared sub-policy for these access trees; we denote it $T_{NPF}\left(AND\right)$. We recompute the maximum combinable number of each primary shared sub-policy within the domain composed of these four access trees ${\mathcal{T}}_2\left(AND\right)$, ${\mathcal{T}}_7\left(AND\right)$, ${\mathcal{T}}_{25}\left(AND\right)$, ${\mathcal{T}}_{32}\left(AND\right)$, and they are $0;0;-2;6;0;6;-3;3;-4;0;0;3;0;12;4;12;-1;4;0;0.$ Besides the primary shared sub-policies $T_P$, $T_F$, and basic sub-policy $T_N$, we find the primary shared sub-policy $T_D$ that has the largest maximum combinable number out of the remaining 17 minimal sub-polices. We can observe that ${\mathcal{T}}_2\left(AND\right)$, ${\mathcal{T}}_{25}\left(AND\right)$ and ${\mathcal{T}}_{32}\left(AND\right)$ have $T_{NPF}\left(AND\right)$ and $T_D$ in common. Therefore, we repeat the above operation, that is, we add the “$AND$” node under the root node of ${\mathcal{T}}_2\left(AND\right)$, ${\mathcal{T}}_{25}\left(AND\right)$ and ${\mathcal{T}}_{32}\left(AND\right)$, making it the parent node of the two shared sub-polices $T_{NPF}\left(AND\right)$ and $T_C$. According to the access tree amendment method provided in Section 5.2, we have the amendment results of access trees ${\mathcal{T}}_2\left(AND\right)$, ${\mathcal{T}}_7\left(AND\right)$, ${\mathcal{T}}_{25}\left(AND\right)$, ${\mathcal{T}}_{32}\left(AND\right)$, as illustrated in Figure 6; we also have the amendment results of access trees ${\mathcal{T}}_2\left(AND\right)$, ${\mathcal{T}}_{25}\left(AND\right)$, ${\mathcal{T}}_{32}\left(AND\right)$, as illustrated in Figure 7.

Then the identical parts $T_{(NPF-D)}\left(AND\right)$ of the three access trees ${\mathcal{T}}_2\left(AND\right)$, ${\mathcal{T}}_{25}\left(AND\right)$, ${\mathcal{T}}_{32}\left(AND\right)$ are merged first to obtain a bigger access tree; then, the identical parts $T_{NPF}\left(AND\right)$ of the newly generated bigger access tree and ${\mathcal{T}}_{32}\left(AND\right)$ are merged. Finally, we obtained the final integrated access structure shown in Figure 8.

In the domain of the $AND$-type class, for the remaining 6 access trees ${\mathcal{T}}_{18}\left(AND\right)$, ${\mathcal{T}}_{29}\left(AND\right)$, ${\mathcal{T}}_{30}\left(AND\right)$, ${\mathcal{T}}_{33}\left(AND\right)$,${\mathcal{T}}_{35}\left(AND\right)$, ${\mathcal{T}}_{44}\left(AND\right)$, we repeat the same second-level clustering method. The maximum combinable numbers of these 20 primary shared sub-policies are recalculated. They are $0;4;4;-3;0;2;3;3;0;0;0;3;3;20;-4;-4;-1;-4;0;4.$ Besides the basic sub-policy $T_N$, $T_C$ has the largest maximum combinable number. The access trees ${\mathcal{T}}_{18}\left(AND\right)$, ${\mathcal{T}}_{29}\left(AND\right)$, ${\mathcal{T}}_{33}\left(AND\right)$ containing both $T_N$ and $T_C$ are categorized into second-level clustering results. Since these access trees contain the primary shared sub-policy $T_C$, $T_C$ can be integrated with the basic sub-policy $T_N$ first. For the cluster of access trees ${\mathcal{T}}_{18}\left(AND\right)$, ${\mathcal{T}}_{29}\left(AND\right)$, ${\mathcal{T}}_{33}\left(AND\right)$ that were generated in the second-level clustering, we add a child node—“$AND$”, the same child node as the root node, under the root node, making it the parent node of the two primary shared sub-policies. The two primary shared sub-policies with their newly added parent node construct a new shared sub-policy for these access trees; we denote it $T_{NC}\left(AND\right)$. We recompute the maximum combinable number of each primary shared sub-policy within the domain composed of these three access trees ${\mathcal{T}}_{18}\left(AND\right)$, ${\mathcal{T}}_{29}\left(AND\right)$, ${\mathcal{T}}_{33}\left(AND\right)$, and they are $0;2;4;-3;-2;0;0;-3;-4;0;0;0;-3;8;-4;-4;1;-4;-4;0.$ Besides the primary shared sub-policies $T_C$ and basic sub-policy $T_N$, we find the primary shared sub-policy $T_B$ that has the largest maximum combinable number out of the remaining 18 minimal sub-polices. We can observe that ${\mathcal{T}}_{18}\left(AND\right)$ and ${\mathcal{T}}_{29}\left(AND\right)$ have $T_{NC}\left(AND\right)$ and $T_B$ in common. Therefore, we repeat the above operation, that is, we add the “$AND$” node under the root node of ${\mathcal{T}}_{18}\left(AND\right)$ and ${\mathcal{T}}_{29}\left(AND\right)$, making it the parent node of the two shared sub-polices $T_{NC}\left(AND\right)$ and $T_B$. We repeat previous amendment and integration methods. The access trees ${\mathcal{T}}_{18}\left(AND\right)$, ${\mathcal{T}}_{29}\left(AND\right)$ and ${\mathcal{T}}_{33}\left(AND\right)$ are connected into one access tree using the basic sub-policy as a cross-node. For the remaining 3 access trees, ${\mathcal{T}}_{30}\left(AND\right)$, ${\mathcal{T}}_{35}\left(AND\right)$, ${\mathcal{T}}_{44}\left(AND\right)$, we repeat the same method. After that, the basic sub-policy is used as a cross-node to integrate these ten access trees into one access tree. The access trees in the $OR$-type class are amended and integrated similarly. Finally, the $OR$-type access tree and $AND$-type access tree are integrated into one access tree using the basic sub-policy as a cross-node.

5.4. A General Approach for Integration of Access Trees in the Same Cluster

Based on Example 4, a general approach for integrating access trees in the same cluster is given.

• For first-level clustering results, access trees within the same cluster are classified into $AND$-type access trees and $OR$-type access trees according to the threshold of the parent node of the primary shared sub-policy (the root node of the access tree).
• Select the primary shared sub-policy, excluding the basic sub-policy, with the largest maximum combinable number in the same class as the criterion for the second-level clustering. Conduct the second-level clustering for the remaining access trees until all access trees in the same cluster have at least two primary shared sub-policies in common.
• Make amendments and integration of the access trees in clusters that generated the second-level clustering; connect access trees in the same type access tree into one large access tree using the basic sub-policy as a cross node.
• Connect the $AND$-type access tree and $OR$-type access tree with the basic sub-policy to obtain an access tree.

5.5. Secret Sharing for Integrated Access Trees

As a preparation for our CP-ABE scheme with policy integration, we use six access trees with different sub-policies, as shown in Figure 9, to illustrate how to set the security parameter s (the constant term of the polynomial) for each node within the integrated access tree. According to the integration method described in Section 5.4, access trees within the same class are integrated first; then, we obtain two big access trees with the $AND$ root node and $OR$ root node. The result of the integration is shown in Figure 10. These two access trees are finally integrated into one access tree using the basic sub-policy as a cross-node, as shown in Figure 11.

Starting from the root node, a polynomial $f_t\left(x\right)$ needs to be generated for each node $N_t$ in the integrated access tree; the degree of the polynomial equals the threshold value of the node minus one, i.e., $d_t=k_t-1$. As shown in Figure 11, starting from the root node $N_0$, for each node, the data owner generates a polynomial in the following way: first, choose a random number $s\in {\mathbb{Z}}_p$ such that $f_0\left(0\right)=s$. Then $s_{d_o},s_{d_o-1},\cdots ,s_1\in {\mathbb{Z}}_p$ is randomly chosen to determine $f_0\left(x\right)$, that is $f_0\left(x\right)=s_{d_o}{x}^{d_o}+s_{d_o-1}{x}^{d_o-1}+\cdots +s_{1}x+s$. Since $N^{\left(1\right)}$ is an $AND$ node, the corresponding polynomial is made using the secret sharing scheme; details are as follows: $f_1\left(x\right)=a_{d_1}{x}^{d_1}+a_{d_1-1}{x}^{d_1-1}+\cdots +a_{1}x+a_0$; set the index value of $N_0$ to be 1, i.e., $index\left(N_0\right)=1$, then $s=f_1\left(1\right)=a_{d_1}+a_{d_1-1}+\cdots +a_1+a_0$; choosing the remaining $d_1$ points again, we can determine $a_0=s-(a_{d_1}+a_{d_1-1}+\cdots +a_1)$. Since $N^{\left(n\right)}$ is an $AND$ node, assignments are made according to the secret sharing scheme such that $f_n\left(x\right)=n_{d_n}{x}^{d_n}+n_{d_n-1}{x}^{n_n-1}+\cdots +n_{1}x+n_0$. set the index value of $N_0$ to be 1, i.e., $index\left(N_0\right)=1$, then $s=f_1\left(1\right)=a_{d_1}+a_{d_1-1}+\cdots +a_1+a_0$; choosing the remaining $d_n$ points again, we can determine $n_0=s-(n_{d_n}+a_{n_1-n}+\cdots +n_1)$. Since $N^{\left(2\right)}$ is an $OR$ node, assignments are made according to the secret sharing scheme such that $f_2\left(0\right)=f_0\left(0\right)=s$. For $N^{\left(1\right)}$ with parents $N_p$ and $N_m$, and $N^{\left(2\right)}$ with parents $N_q$ and $N_s$, there are

$$f_m\left(index\left(N^{\left(1\right)}\right)\right)=f_p\left(index\left(N^{\left(1\right)}\right)\right)=f_1\left(0\right)=a_0$$

(2)

$$f_q\left(index\left(N^{\left(2\right)}\right)\right)=f_s\left(index\left(N^{\left(2\right)}\right)\right)=f_2\left(0\right)=f_0\left(0\right)=s$$

(3)

Let $f_m\left(x\right)=m_{d_m}{x}^{d_m}+m_{d_m-1}{x}^{d_m-1}+\cdots +m_{1}x+m_0$. $f_p\left(x\right)=p_{d_p}{x}^{d_p}+p_{d_p-1}{x}^{d_p-1}+\cdots +p_{1}x+p_0$, $f_q\left(x\right)=q_{d_q}{x}^{d_q}+q_{d_q-1}{x}^{d_q-1}+\cdots +q_{1}x+q_0$, $f_s\left(x\right)=s_{d_s}{x}^{d_s}+s_{d_s-1}{x}^{d_s-1}+\cdots +s_{1}x+s_0$. $s=q_{d_q}+q_{d_q-1}+\cdots +q_1+q_0=s_{d_s}+s_{d_s-1}+\cdots +s_1+s_0$. set $N^{\left(1\right)}$ in $f_m\left(x\right)$ and $f_p\left(x\right)$, and $N^{\left(2\right)}$ in $f_q\left(x\right)$ and $f_s\left(x\right)$ both have index values 1, i.e., $index\left(N^{\left(1\right)}\right)=index\left(N^{\left(2\right)}\right)=1$, then $a_o=f_m\left(1\right)=f_p\left(1\right)$, $s=f_q\left(1\right)=f_s\left(1\right)$, i.e., $a_0=p_{d_p}+p_{d_p-1}+\cdots +p_1+p_0=m_{d_m}+m_{d_m-1}+\cdots +m_1+m_0$. $s=q_{d_q}+q_{d_q-1}+\cdots +q_1+q_0=s_{d_s}+s_{d_s-1}+\cdots +s_1+s_0$. Selecting the remaining $d_m+d_p+d_q+d_s$ points can then be computed:

$$p_0=a_0-(p_{d_p}+p_{d_p-1}+\cdots +p_1)$$

(4)

$$m_0=a_0-(m_{d_m}+m_{d_m-1}+\cdots +m_1)$$

(5)

$$q_0=s-(q_{d_q}+q_{d_q-1}+\cdots +q_1)$$

(6)

$$s_0=s-(s_{d_s}+s_{d_s-1}+\cdots +s_1)$$

(7)

Thus, $f_p\left(x\right)$, $f_m\left(x\right)$, $f_q\left(x\right)$ and $f_s\left(x\right)$ are determined. For the parent nodes $N_r$ and $N_t$ of $N^{\left(m\right)}$, there are

$$f_r\left(index\left(N^{\left(m\right)}\right)\right)=f_t\left(index\left(N^{\left(m\right)}\right)\right)=f_m\left(0\right)=m_0$$

(8)

Let $f_r\left(x\right)=r_{d_r}{x}^{d_r}+r_{d_r-1}{x}^{d_r-1}+\cdots +r_{1}x+r_0$, $f_t\left(x\right)=t_{d_t}{x}^{d_t}+t_{d_t-1}{x}^{d_t-1}+\cdots +t_{1}x+t_0$. set the index value of $N^{\left(m\right)}$ in $f_r\left(x\right)$ and $f_t\left(x\right)$ to be 1, i.e., $index\left(N^{\left(m\right)}\right)=1$, then $m_o=f_r\left(1\right)=f_t\left(1\right)$, i.e., $m_0=r_{d_r}+r_{d_r-1}+\cdots +r_1+r_0=t_{d_t}+t_{d_t-1}+\cdots +t_1+t_0$. Selecting the remaining $d_r+d_t$ points can then be computed:

$$r_0=m_0-(r_{d_r}+r_{d_r-1}+\cdots +r_1)$$

(9)

$$t_0=m_0-(t_{d_t}+t_{d_t-1}+\cdots +t_1)$$

(10)

Thus, $f_r\left(x\right)$, $f_t\left(x\right)$ are determined. For the other nodes $N_t$, let $f_t\left(0\right)=f_{parent\left(N_t\right)}\left(index\left(N_t\right)\right)$, and choose the remaining $d_t$ values to determine $f_t\left(x\right)$. Thus, the polynomial for each node in the integrated access tree can be determined.

6. Construction of CP-ABE Scheme with Integrated Access Trees

6.1. System Architecture

The system framework for this proposal is illustrated in Figure 12. The proposal involves four entities, as follows:

-

Cloud storage platform (CSP): responsible for storing the ciphertext uploaded by data owners; it is semi-trusted.

-

Attribute authority (AA): responsible for generating the system’s public key and master private key and generating private keys for data users based on their attributes; it is fully trusted.

-

Data owner (DA): responsible for specifying access policies and uploading ciphertexts embedded with access policies to the CSP.

-

Users: can download ciphertext from the CSP and successfully decrypt it when their attributes satisfy the access policies.

6.2. Algorithm Description

This CP-ABE scheme primarily consists of four algorithms: system establishment ($Setup$), key generation ($KeyGen$), data encryption ($Encrypt$), and data decryption ($Decrypt$). The algorithm definitions are as follows:

(1) $Setup\left(1^{\lambda }\right)⟶(PK,MSK)$: The AA executes this algorithm. It takes the system’s security parameter $\lambda$ as input and produces its public key $PK$ and master key $MSK$ as output.

(2) $KeyGen(PK,MSK,S)⟶SK$: The AA executes this algorithm, generating the corresponding private key for data users based on their attribute set. It takes the system’s public key $PK$, master key $MSK$, and the attribute set S of the user as input and produces the user’s private key $SK$ as output.

(3) $Encrypt(PK,{\left\{M_i\right\}}_{1\le i\le n},{\left\{{\mathcal{T}}_i\right\}}_{1\le i\le n})⟶{\left\{C{T}_i\right\}}_{1\le i\le n}$: The DA executes this algorithm, encrypting data $M_i$ using the access tree ${\mathcal{T}}_i$, where there are shared sub-policies among n access trees. The algorithm takes the system’s public key $PK$, data ${\left\{M_i\right\}}_{1\le i\le n}$, and access trees ${\left\{{\mathcal{T}}_i\right\}}_{1\le i\le n}$ as input, and produces ciphertext ${\left\{C{T}_i\right\}}_{1\le i\le n}$ as output.

(4) $Decrypt(PK,SK,C{T}_i)⟶\left(M_i\right),1\le i\le n$: The data users execute this algorithm, using their private key $SK$ to decrypt ciphertext $C{T}_i$. The algorithm takes the system’s public key $PK$, user’s private key $SK$, and ciphertext $C{T}_i$ as input and produces the corresponding plaintext data $M_i$ as output.

6.3. Details of Algorithms

The CP-ABE scheme for multiple shared sub-policies proposed in this paper includes four algorithms: system setup ($Setup$), key generation ($KeyGen$), data encryption ($Encrypt$), and data decryption ($Decrypt$). The detailed descriptions of each algorithm are as follows:

(1) $Setup$

Two multiplicative cyclic groups are selected, denoted as $G_1$ and $G_2$, both of prime order p. Let g be the generator of $G_1$. A bilinear map $e:G_1\times G_1\to G_2$ is defined, and a hash function $\mathcal{H}:{\{0,1\}}^{*}⟶G_1$ is chosen. The AA randomly selects $\alpha$ and $\beta$ from ${\mathbb{Z}}_p^{*}$ and generates the system’s public key $PK$ and master key $MSK$ as follows:

$$PK=(G_1,g,g^{\beta },e{(g,g)}^{\alpha })$$

(11)

$$MSK=(\beta ,g^{\alpha })$$

(12)

Finally, the AA publishes $PK$ to all data owners and users.

(2) $KeyGen$

Based on the user’s attribute set S, the AA generates the corresponding private key $SK$. The AA first randomly selects $r\in {\mathbb{Z}}_p$, and then for each attribute i in the attribute set S, it randomly selects $r_i\in {\mathbb{Z}}_p$. Finally, it computes the user’s private key $SK$ as follows:

$$SK=(D=g^{\frac{\alpha +r}{\beta }},\forall i\in A:D_i=g^r·\mathcal{H}{\left(i\right)}^{r_i},D_i^{\prime }=g^{r_i})$$

(13)

(3) $Encrypt$

Here, we describe the algorithm using the example of 6 distinct shared sub-policy access trees, as depicted in Figure 9. First, the encryption algorithm constructs polynomials for all nodes of the access tree, following the secret sharing scheme described in Section 5.5. Second, it computes the ciphertext using the traditional CP-ABE encryption scheme [2]. Let $Y\left(T_A\right),Y\left(T_B\right),Y\left(T_C\right),Y\left(T_D\right)$ and $Y\left(T_E\right)$ be the sets of leaf nodes of primary shared sub-policies $A,B,C,D$, and E. $Y\left({\mathcal{T}}_{othe{r}_i}\right),i=1,2,...,6$ be the sets of leaf nodes of the non-shared parts of access trees ${\mathcal{T}}_{othe{r}_i},i=1,2,...,6$, respectively. The encryption of data $M_1$, $M_2$, $M_3$, $M_4$, $M_5$ and $M_6$ is as follows:

$$\begin{array}{cc}\hfill C{T}_1=& ({\mathcal{T}}_1,\tilde{C}=M_1·e{(g,g)}^{\alpha f_n(0)},C=g^{\beta f_n(0)},\hfill \\ & \forall N_a\in Y(T_A):C_{N_a}=g^{f_a(0)},{C^{\prime }}_{N_a}=\mathcal{H}{(att(N_a))}^{f_a(0)},\hfill \\ & \forall N_{othe{r}_1}\in Y(T_{othe{r}_1}):C_{N_{othe{r}_1}}=g^{f_{othe{r}_1}(0)},{C^{\prime }}_{N_{othe{r}_1}}=\mathcal{H}{(att(N_{othe{r}_1}))}^{f_{othe{r}_1}(0)})\hfill \end{array}$$

(14)

$$\begin{array}{cc}\hfill C{T}_2=& ({\mathcal{T}}_2,\tilde{C}=M_2·e{(g,g)}^{\alpha f_p(0)},C=g^{\beta f_p(0)},\hfill \\ & \forall N_a\in Y(T_A):C_{N_a}=g^{f_a(0)},{C^{\prime }}_{N_a}=\mathcal{H}{(att(N_a))}^{f_a(0)},\hfill \\ & \forall N_b\in Y(T_B):C_{N_b}=g^{f_b(0)},{C^{\prime }}_{N_b}=\mathcal{H}{(att(N_b))}^{f_b(0)},\hfill \\ & \forall N_{othe{r}_2}\in Y(T_{othe{r}_2}):C_{N_{othe{r}_2}}=g^{f_{othe{r}_2}(0)},{C^{\prime }}_{N_{othe{r}_2}}=\mathcal{H}{(att(N_{othe{r}_2}))}^{f_{othe{r}_2}(0)})\hfill \end{array}$$

(15)

$$\begin{array}{cc}\hfill C{T}_3=& ({\mathcal{T}}_3,\tilde{C}=M_3·e{(g,g)}^{\alpha f_t(0)},C=g^{\beta f_t(0)},\hfill \\ & \forall N_a\in Y(T_A):C_{N_a}=g^{f_a(0)},{C^{\prime }}_{N_a}=\mathcal{H}{(att(N_a))}^{f_a(0)},\hfill \\ & \forall N_b\in Y(T_B):C_{N_b}=g^{f_b(0)},{C^{\prime }}_{N_b}=\mathcal{H}{(att(N_b))}^{f_b(0)},\hfill \\ & \forall N_c\in Y(T_C):C_{N_c}=g^{f_c(0)},{C^{\prime }}_{N_c}=\mathcal{H}{(att(N_c))}^{f_c(0)},\hfill \\ & \forall N_{othe{r}_3}\in Y(T_{othe{r}_3}):C_{N_{othe{r}_3}}=g^{f_{othe{r}_3}(0)},{C^{\prime }}_{N_{othe{r}_3}}=\mathcal{H}{(att(N_{othe{r}_3}))}^{f_{othe{r}_3}(0)})\hfill \end{array}$$

(16)

$$\begin{array}{cc}\hfill C{T}_4=& ({\mathcal{T}}_4,\tilde{C}=M_4·e{(g,g)}^{\alpha f_r(0)},C=g^{\beta f_r(0)},\hfill \\ & \forall N_a\in Y(T_A):C_{N_a}=g^{f_a(0)},{C^{\prime }}_{N_a}=\mathcal{H}{(att(N_a))}^{f_a(0)},\hfill \\ & \forall N_b\in Y(T_B):C_{N_b}=g^{f_b(0)},{C^{\prime }}_{N_b}=\mathcal{H}{(att(N_b))}^{f_b(0)},\hfill \\ & \forall N_c\in Y(T_C):C_{N_c}=g^{f_c(0)},{C^{\prime }}_{N_c}=\mathcal{H}{(att(N_c))}^{f_c(0)},\hfill \\ & \forall N_{othe{r}_4}\in Y(T_{othe{r}_4}):C_{N_{othe{r}_4}}=g^{f_{othe{r}_4}(0)},{C^{\prime }}_{N_{othe{r}_4}}=\mathcal{H}{(att(N_{othe{r}_4}))}^{f_{othe{r}_4}(0)})\hfill \end{array}$$

(17)

$$\begin{array}{cc}\hfill C{T}_5=& ({\mathcal{T}}_5,\tilde{C}=M_5·e{(g,g)}^{\alpha f_q(0)},C=g^{\beta f_q(0)},\hfill \\ & \forall N_a\in Y(T_A):C_{N_a}=g^{f_a(0)},{C^{\prime }}_{N_a}=\mathcal{H}{(att(N_a))}^{f_a(0)},\hfill \\ & \forall N_d\in Y(T_D):C_{N_d}=g^{f_d(0)},{C^{\prime }}_{N_d}=\mathcal{H}{(att(N_d))}^{f_d(0)},\hfill \\ & \forall N_e\in Y(T_E):C_{N_e}=g^{f_e(0)},{C^{\prime }}_{N_e}=\mathcal{H}{(att(N_e))}^{f_e(0)},\hfill \\ & \forall N_{othe{r}_5}\in Y(T_{othe{r}_5}):C_{N_{othe{r}_5}}=g^{f_{othe{r}_5}(0)},{C^{\prime }}_{N_{othe{r}_5}}=\mathcal{H}{(att(N_{othe{r}_5}))}^{f_{othe{r}_5}(0)})\hfill \end{array}$$

(18)

$$\begin{array}{cc}\hfill C{T}_6=& ({\mathcal{T}}_6,\tilde{C}=M_6·e{(g,g)}^{\alpha f_s(0)},C=g^{\beta f_s(0)},\hfill \\ & \forall N_a\in Y(T_A):C_{N_a}=g^{f_a(0)},{C^{\prime }}_{N_a}=\mathcal{H}{(att(N_a))}^{f_a(0)},\hfill \\ & \forall N_d\in Y(T_D):C_{N_d}=g^{f_d(0)},{C^{\prime }}_{N_d}=\mathcal{H}{(att(N_d))}^{f_d(0)},\hfill \\ & \forall N_e\in Y(T_E):C_{N_e}=g^{f_e(0)},{C^{\prime }}_{N_e}=\mathcal{H}{(att(N_e))}^{f_e(0)},\hfill \\ & \forall N_{othe{r}_6}\in Y(T_{othe{r}_6}):C_{N_{othe{r}_6}}=g^{f_{othe{r}_6}(0)},{C^{\prime }}_{N_{othe{r}_6}}=\mathcal{H}{(att(N_{othe{r}_6}))}^{f_{othe{r}_6}(0)})\hfill \end{array}$$

(19)

Finally, the DA uploads $C{T}_1$, $C{T}_2$, $C{T}_3$, $C{T}_4$, $C{T}_5$ and $C{T}_6$ to the CSP.

(4) $Decrypt$

Assuming a user with an attribute set S and private key $SK$ intends to access data $M_1$, the user first downloads ciphertext $C{T}_1$ from the CSP. Then, they initiate the decryption process using $SK$. The decryption process is described as a recursive algorithm as follows: Let $N_j$ represent a node in ${\mathcal{T}}_1$. If $N_j$ is a leaf node and $att(N_j)=i$ where $i\in S$, then the computation is as follows:

$$F_j=DecryptNode(CT,SK,N_j)=\frac{e(D_i,C_{N_j})}{e(D_i^{\prime },C_{N_j}^{\prime })}=e{(g,g)}^{r{f}_j\left(0\right)}$$

(20)

If $N_j$ is a leaf node and $att\left(N_j\right)=i$ where $i\notin S$, then let $F_j=\perp$.

If $N_j$ is a non-leaf node, for all child nodes $N_z$ of $N_j$, let $Q_j$ represent a set of any $k_j$ nodes $N_z$, and for each $N_z$ in the set, ensure that $F_z\ne \perp$. If such a $Q_j$ does not exist, then let $F_z=\perp$. If $Q_j$ exists, then the computation is as follows:

$$\begin{array}{cc}\hfill F_j& =\prod _{z\in Q_j}{F}_z^{{\Delta }_{z,Q_j}\left(0\right)}=\prod _{z\in Q_j}e{(g,g)}^{r{f}_z\left(0\right){\Delta }_{z,Q_j}\left(0\right)}=\prod _{z\in Q_j}e{(g,g)}^{r{f}_{parent\left(N_z\right)}\left(index\left(N_z\right)\right){\Delta }_{z,Q_j}\left(0\right)}\hfill \\ & =\prod _{z\in Q_j}e{(g,g)}^{r{f}_j\left(z\right){\Delta }_{z,Q_j}\left(0\right)}=e{(g,g)}^{r{\sum }_{z\in Q_j}{f}_j\left(z\right){\Delta }_{z,Q_j}\left(0\right)}=e{(g,g)}^{r{f}_j\left(0\right)}\hfill \end{array}$$

(21)

Here, ${\Delta }_{z,Q_j}\left(x\right)={\prod }_{u\in Q_j,u\ne z}\frac{x-u}{z-u}$ is the Lagrange coefficient polynomial.

When the user’s attribute set S satisfies the access control policy ${\mathcal{T}}_1$, the $DecryptNode$ function is called at the root node $N_n$ of ${\mathcal{T}}_1$ as follows:

$$F_p=DecryptNode(CT,SK,N^{\left(1\right)})=e{(g,g)}^{r{f}_n\left(0\right)}$$

(22)

The final step of decryption to obtain the data $M_1$ is accomplished through the following calculations:

$$\frac{\tilde{C}·F_n}{e(C,D)}=\frac{M_1·e{(g,g)}^{\alpha f_n\left(0\right)}·e{(g,g)}^{r{f}_n\left(0\right)}}{e(g^{\beta f_n\left(0\right)},g^{\frac{\alpha +r}{\beta }})}=M_1$$

(23)

7. Security Analysis

7.1. Security Model

This paper uses a security game between the attacker $\mathcal{A}$ and the challenger $\mathcal{C}$ to describe the security model of the scheme. The specific process is as follows:

(1) Initialization Phase

Attacker $\mathcal{A}$ selects a challenge access structure $(\mathcal{T},{\mathcal{T}}^{*})$ and sends it to challenger $\mathcal{C}$, where $\mathcal{T}$ and ${\mathcal{T}}^{*}$ share sub-policies.

(2) Setup Phase

Challenger $\mathcal{C}$ obtains the public key $PK$ and sends it to attacker $\mathcal{A}$.

(3) Key Query Phase 1

Attacker $\mathcal{A}$ initiates a private key query request to challenger $\mathcal{C}$, and challenger $\mathcal{C}$ generates the corresponding attribute private key $S{K}_i$ based on the attribute set $S_i$. However, the key queries do not satisfy the access policies $\mathcal{T}$ and ${\mathcal{T}}^{*}$.

(4) Challenge Phase

Attacker $\mathcal{A}$ sends two pairs of plaintexts of the same length, $(M_0,M_0^{*})$ and $(M_1,M_1^{*})$, to challenger $\mathcal{C}$. Challenger $\mathcal{C}$ randomly selects b from the set $\{0,1\}$ and encrypts $(M_b,M_b^{*})$ using $\mathcal{T}$ and ${\mathcal{T}}^{*}$ to obtain ciphertexts $(CT,C{T}^{*})$, which are then sent to attacker $\mathcal{A}$.

(5) Query Phase 2

Repeat the operations of the key query phase 1.

(6) Guess Phase

Attacker $\mathcal{A}$ outputs a guess $b^{{}^{\prime }}$ for b. If $b=b^{{}^{\prime }}$, then it is considered that attacker $\mathcal{A}$ has won this security game. The advantage of $\mathcal{A}$ winning this game can be denoted as:

$$Ad{v}_A=Pr[b^{{}^{\prime }}=b]-1/2$$

7.2. Proof of Security

Definition 11.

If the CP-ABE scheme is secure, then it can be proven that there does not exist an attacker $\mathcal{A}$ who can break the scheme proposed in this chapter with a certain advantage in polynomial time. This implies the security of the scheme presented in this chapter.

Proof. 

The scheme is based on the CP-ABE scheme [2], which has been proven to be secure in the generic group and random oracle model. If attacker $\mathcal{A}$ can break the scheme proposed in this chapter with a certain advantage in polynomial time, then there exists a challenger $\mathcal{C}$ who can break the CP-ABE scheme with the same advantage.

Initialization phase: attacker $\mathcal{A}$ selects a challenge access structure $(\mathcal{T},{\mathcal{T}}^{*})$ and sends it to challenger $\mathcal{C}$, where $\mathcal{T}$ and ${\mathcal{T}}^{*}$ share sub-policies.

Setup phase: challenger $\mathcal{C}$ obtains the public key $PK=(G_0,g,g^{\beta },e(g,g^{\alpha }))$ from the CP-ABE scheme and sends $PK$ to attacker $\mathcal{A}$.

Key query phase 1: attacker $\mathcal{A}$ queries challenger $\mathcal{C}$ for the private key corresponding to the attribute set $S_i$. Challenger $\mathcal{C}$ selects two random variables $r,r_i\in Z_p$ and generates the corresponding private key $S{K}_i=(D=g^{\frac{\alpha +r}{\beta }},{\{D_i=g^r·\mathcal{H}{\left(i\right)}^{r_i},D_i^{\prime }=g^{r_i}\}}_{\forall i\in A_{q_1}})$ using the key generation algorithm and sends it to $\mathcal{A}$. Attacker $\mathcal{A}$ can query $\mathcal{C}$ multiple times. Challenger $\mathcal{C}$ will continue to respond to attacker $\mathcal{A}$’s queries. However, all key queries fail to satisfy the access policies $\mathcal{T}$ and ${\mathcal{T}}^{*}$.

Challenge phase: attacker $\mathcal{A}$ sends two plaintext message pairs $\{M_0,{M_0}^{*}\}$ and $\{M_1,{M_1}^{*}\}$ to challenger $\mathcal{C}$. Challenger $\mathcal{C}$ obtains $\{M_0,{M_0}^{*}\}$ and $\{M_1,{M_1}^{*}\}$. It sends $(\mathcal{T},{\mathcal{T}}^{*})$ to the CP-ABE scheme, randomly chooses $b\in 0,1$, and encrypts using access policies $\mathcal{T}$ and ${\mathcal{T}}^{*}$ to generate the corresponding ciphertexts $CT$ and $C{T}^{*}$. Then, challenger $\mathcal{C}$ sends the generated challenge ciphertexts $CT,C{T}^{*}$ to attacker $\mathcal{A}$. $CT,C{T}^{*}$ are as follows:

$$\begin{array}{cc}\hfill C{T}_1=& (\mathcal{T},\tilde{C}=M_b·e{(g,g)}^{\alpha f_p\left(0\right)},C=g^{\beta f_p\left(0\right)},\hfill \\ & \forall N_{\xi }\in Y\left({\mathcal{T}}_A\right):C_{N_{\xi }}=g^{f_{\xi }\left(0\right)},{C^{\prime }}_{N_{\xi }}=\mathcal{H}{\left(att\left(N_{\xi }\right)\right)}^{f_{\xi }\left(0\right)},\hfill \\ & \forall N_{\rho }\in Y\left({\mathcal{T}}_{othe{r}_1}\right):C_{N_{\rho }}=g^{f_{\rho }\left(0\right)},{C^{\prime }}_{N_{\rho }}=\mathcal{H}{\left(att\left(N_{\rho }\right)\right)}^{f_{\rho }\left(0\right)})\hfill \end{array}$$

(24)

$$\begin{array}{cc}\hfill C{T}_1=& ({\mathcal{T}}^{*},\tilde{C}={M_b}^{*}·e{(g,g)}^{\alpha f_q\left(0\right)},C=g^{\beta f_q\left(0\right)},\hfill \\ & \forall N_{\xi }\in Y\left({\mathcal{T}}_A\right):C_{N_{\xi }}=g^{f_{\xi }\left(0\right)},{C^{\prime }}_{N_{\xi }}=\mathcal{H}{\left(att\left(N_{\xi }\right)\right)}^{f_{\xi }\left(0\right)},\hfill \\ & \forall N_{\rho }\in Y\left({\mathcal{T}}_{othe{r}_1}\right):C_{N_{\rho }}=g^{f_{\rho }\left(0\right)},{C^{\prime }}_{N_{\rho }}=\mathcal{H}{\left(att\left(N_{\rho }\right)\right)}^{f_{\rho }\left(0\right)})\hfill \end{array}$$

(25)

Key query phase 2: attacker $\mathcal{A}$ continues to initiate private key queries for different attribute sets. If the queried attribute set does not satisfy $\mathcal{T}$ and ${\mathcal{T}}^{*}$, challenger $\mathcal{C}$ responds to the query in the same manner as in Phase 1. Otherwise, the attacker’s $\mathcal{A}$’s query requests are terminated.

Guessing phase: attacker $\mathcal{A}$ outputs a guess about $b^{{}^{\prime }}\in 0,1$. If $b=b^{{}^{\prime }}$, then the advantage of attacker $\mathcal{A}$ winning the game can be denoted as:

$$Ad{v}_A=Pr[b=b^{{}^{\prime }}]-1/2$$

In summary, if attacker $\mathcal{A}$ can win the query and request game in this scheme with a certain advantage, it can be concluded that there exists a challenger $\mathcal{C}$ who can break the CP-ABE scheme with the same advantage. However, research has shown that CP-ABE schemes are provably secure, so the proposed scheme is secure. □

8. Performance Analysis

8.1. Encryption Computation Overhead Analysis

All experiments in this paper use the CP-ABE toolkit based on the JPBC (Java pairing-based cryptography) library. The running environment of the simulation experiments: the operating system is Windows 10 Home edition, CPU is Intel(R) Core(TM) i7-7700HQ CPU @ 2.80 GHz 2.80 GHz, and memory is 16 GB of RAM. All the experimental results are the average of 10 runs. Let $T\left(m_i\right)$ represent the computational cost of exponentiation in group $G_i(i=1,2)$, and $T\left(p{m}_2\right)$ represent the computational cost of multiplication in group $G_2$.

In the CP-ABE scheme [2], the DA encrypts each data object separately, and the computational cost of $\tilde{C}$ in the ciphertext involves exponentiation and multiplication operations in group $G_2$, which is $T\left(m_2\right)+T\left(p{m}_2\right)$. The computational cost of C is in terms of exponentiation in group $G_1$, which is $T\left(m_1\right)$. For each leaf node of $C_{N_y}$ and ${C^{\prime }}_{N_y}$, the computational cost is also exponentiation in group $G_1$, which is $T\left(m_1\right)$. Let $Y\left(T_1\right)$ represent the number of attributes. Therefore, the total computational cost for a leaf node is $2Y\left(T_1\right)T\left(m_1\right)$. Thus, the total computational cost for encrypting a single data object is $(2Y\left(T_1\right)+1)T\left(m_1\right)+T\left(m_2\right)+T\left(p{m}_2\right)$. The computational costs for the three types of operations involved in the encryption algorithm are shown in

Table 7. Operations and runtime involved in encryption algorithms.

Notation	Description	Running Time (ms)
$T\left(m_1\right)$	Exponential operations on group $G_1$	15.30
$T\left(m_2\right)$	Exponential operations on group $G_2$	1.08
$T\left(p{m}_2\right)$	Multiplication on group $G_2$	0.02

.

It can be seen that the encryption computational overhead mainly comes from the exponential operation on the group $G_1$ on the leaf nodes. If we reduce the number of leaf nodes involved in encryption operations, we will reduce the overall encryption overhead.

8.2. Comparison of Different Schemes

As shown in

Table 8. Comparison of different schemes in supporting shared sub-policies.

Scheme	Single Shared Sub-Policy	Multiple Shared Sub-Policies with Same Numbers	Multiple Shared Sub-Polices with Different Numbers	Policy Clustering
[2]	no	no	no	no
[19]	yes	no	no	no
[20]	yes	yes	no	no
Ours	yes	yes	yes	yes

, the traditional CP-ABE scheme [2] does not take into account the occurrence of shared sub-policies. Li’s scheme [19] can only handle a single shared sub-policy. Our previous work [20] handles the case where there exists the same number of shared sub-policies among multiple access trees. Our scheme provides a global clustering method of access trees according to their policy similarity and then integrates access trees in the same cluster. In contrast to our previous work, in our approach, within the same cluster of access trees, we allow the number of primary shared sub-policies among access trees to differ.

For brevity, we use the six access trees illustrated in Figure 9 to compare the computational overheads of different schemes. The example is representative; it includes six access trees with three layers; six access trees include both “AND” root gate and “OR” root gate; they have both different and the same number of primary shares sub-policies. In reality, if a data owner only releases a few data objects, or access control policies have less overlapping, we might not need to cluster them. If a data owner releases many data objects, and there are significant overlaps among their access policies, our scheme will be useful. The computational overheads of the traditional CP-ABE scheme for encrypting the six access trees in Figure 9 are:

$${\mathcal{T}}_1:[2Y\left(T_{other1}\right)+2Y\left(T_A\right)+1]T\left(m_1\right)+T\left(m_2\right)+T\left(p{m}_2\right)$$

$${\mathcal{T}}_2:[2Y\left(T_{other2}\right)+2Y\left(T_A\right)+2Y\left(T_B\right)+1]T\left(m_1\right)+T\left(m_2\right)+T\left(p{m}_2\right)$$

$${\mathcal{T}}_3:[2Y\left(T_{other3}\right)+2Y\left(T_A\right)+2Y\left(T_B\right)+2Y\left(T_C\right)+1]T\left(m_1\right)+T\left(m_2\right)+T\left(p{m}_2\right)$$

$${\mathcal{T}}_4:[2Y\left(T_{other4}\right)+2Y\left(T_A\right)+2Y\left(T_B\right)+2Y\left(T_C\right)+1]T\left(m_1\right)+T\left(m_2\right)+T\left(p{m}_2\right)$$

$${\mathcal{T}}_5:[2Y\left(T_{other5}\right)+2Y\left(T_A\right)+2Y\left(T_D\right)+2Y\left(T_E\right)+1]T\left(m_1\right)+T\left(m_2\right)+T\left(p{m}_2\right)$$

$${\mathcal{T}}_6:[2Y\left(T_{other6}\right)+2Y\left(T_A\right)+2Y\left(T_D\right)+2Y\left(T_E\right)+1]T\left(m_1\right)+T\left(m_2\right)+T\left(p{m}_2\right)$$

The total computational overhead is

$$\begin{array}{c}[12Y\left(T_A\right)+6Y\left(T_B\right)+4Y\left(T_C\right)+4Y\left(T_D\right)+4Y\left(T_E\right)\hfill \\ +2Y\left(T_{other1}\right)+2Y\left(T_{other2}\right)+2Y\left(T_{other3}\right)\hfill \\ +2Y\left(T_{other4}\right)+2Y\left(T_{other5}\right)+2Y\left(T_{other6}\right)\hfill \\ +6]T\left(m_1\right)+6T\left(m_2\right)+6T\left(p{m}_2\right)\hfill \end{array}$$

(26)

All of the single shared sub-policies, $T_A$, of six access trees are merged into one, and the data objects corresponding to the six access trees are encrypted together in reference [19], which reduces the computational overhead by $10Y\left(T_A\right)T\left(m_1\right)$ compared to the traditional CP-ABE scheme. The scheme supporting the integration of multiple shared sub-policies with the same numbers in reference [20] reduces the computational overhead of $[10Y\left(T_A\right)+4Y\left(T_B\right)+2Y\left(T_D\right)+2Y\left(T_E\right)]T\left(m_1\right)$ compared to the traditional CP-ABE scheme. We support the integration of multiple shared sub-policies with different numbers, which reduces the computational overhead of $[10Y\left(T_A\right)+4Y\left(T_B\right)+2Y\left(T_C\right)+2Y\left(T_D\right)+2Y\left(T_E\right)]T\left(m_1\right)$ compared to the traditional CP-ABE scheme.

8.3. Simulation Experiment

8.3.1. Simulation Experiments with Different Scenarios

For clarity, we set that the primary shared sub-policies have the same structure, i.e., they have the same number of leaf nodes $i=Y\left(T_A\right)=Y\left(T_B\right)=Y\left(T_C\right)=Y\left(T_D\right)=Y\left(T_E\right)=Y\left(T_F\right)$; we also set the access structure of the non-shared part to be the same; therefore, $j=Y\left(T_{other1}\right)=Y\left(T_{other2}\right)=Y\left(T_{other3}\right)=Y\left(T_{other4}\right)=Y\left(T_{other5}\right)=Y\left(T_{other6}\right)$.

When the number of attributes j of the non-shared sub-policy corresponding to each of the six access trees shown in Figure 9 is constant, the encryption computational overheads of the four schemes increase as the number of attributes i in the primary shared sub-policies increases, as shown in

Table 9. The encryption computational overhead of the four schemes (unit: s).

i	2	3	4	5	6
[2]	2.966	3.665	4.308	5.085	5.801
[19]	2.501	2.938	3.366	3.908	4.404
[20]	2.141	2.366	2.619	2.952	3.324
Ours	2.061	2.238	2.429	2.701	2.912

. In this experiment, we take $j=5$; $i=\{2,3,4,5,6\}$.

From Figure 13, it can be seen that the encryption computation overhead of all four schemes gradually increases with the increase in the number of attributes of the primary shared sub-policy i. The encryption overhead of this scheme is smaller than the above three schemes.

8.3.2. Simulation Experiment with Clustering

Using the clustering method in Section 5.4, we achieve the clustering results shown in Figure 14.

In first-level clustering, we obtain the first cluster composed of 17 access trees; these access trees are ${\mathcal{T}}_2\left(AND\right)$, ${\mathcal{T}}_4\left(OR\right)$, ${\mathcal{T}}_7\left(AND\right)$, ${\mathcal{T}}_{18}\left(AND\right)$, ${\mathcal{T}}_{20}\left(OR\right)$, ${\mathcal{T}}_{25}\left(AND\right)$, ${\mathcal{T}}_{28}\left(OR\right)$, ${\mathcal{T}}_{29}\left(AND\right)$, ${\mathcal{T}}_{30}\left(AND\right)$, ${\mathcal{T}}_{32}\left(AND\right)$, ${\mathcal{T}}_{33}\left(AND\right)$, ${\mathcal{T}}_{34}\left(OR\right)$,${\mathcal{T}}_{35}\left(AND\right)$, ${\mathcal{T}}_{36}\left(OR\right)$, ${\mathcal{T}}_{44}\left(AND\right)$, ${\mathcal{T}}_{45}\left(OR\right)$, ${\mathcal{T}}_{50}\left(OR\right)$. After classifying, second-level clustering, access tree amendment, and integration, these 17 access trees are integrated into one big access tree. We can avoid repeated computation for primary shared sub-policies during the encryption process. Hence, in contrast to traditional CP-ABE that encrypts these 17 objects separately, we respectively reduced the computational costs of encryption related to minimal sub-policies $T_N$, $T_P$, $T_F$, $T_D$, $T_L$, $T_C$, $T_B$, $T_H$, $T_M$, $T_T$, $T_O$, and $T_I$ by 16 times, four times, three times, two times, two times, three times, one time, one time, one time, one time, two times, and one time.

In first-level clustering, we obtain the second cluster composed of nine access trees; these access trees are:= ${\mathcal{T}}_{13}\left(AND\right)$, ${\mathcal{T}}_{15}\left(AND\right)$, ${\mathcal{T}}_{16}\left(OR\right)$, ${\mathcal{T}}_{17}\left(OR\right)$, ${\mathcal{T}}_{23}\left(OR\right)$, ${\mathcal{T}}_{39}\left(AND\right)$, ${\mathcal{T}}_{40}\left(OR\right)$, ${\mathcal{T}}_{42}\left(AND\right)$, ${\mathcal{T}}_{47}\left(AND\right)$. After classifying, second-level clustering, access tree amendment, and integration, these 9 access trees are integrated into one big access tree. We can avoid repeated computation for primary shared sub-policies during the encryption process. Hence, in contrast to traditional CP-ABE that encrypts these 9 objects separately, we respectively reduced the computational costs of encryption related to minimal sub-policies $T_O$, $T_R$, $T_F$, $T_G$, $T_L$, and $T_M$ by eight times, two times, one time, three times, one time, and one time.

In first-level clustering, we obtain the third cluster composed of 10 access trees; these access trees are ${\mathcal{T}}_6\left(OR\right)$, ${\mathcal{T}}_8\left(AND\right)$, ${\mathcal{T}}_9\left(OR\right)$, ${\mathcal{T}}_{10}\left(OR\right)$, ${\mathcal{T}}_{21}\left(OR\right)$, ${\mathcal{T}}_{22}\left(OR\right)$, ${\mathcal{T}}_{26}\left(AND\right)$, ${\mathcal{T}}_{31}\left(OR\right)$, ${\mathcal{T}}_{41}\left(AND\right)$, ${\mathcal{T}}_{46}\left(OR\right)$. After classifying, second-level clustering, access tree amendment, and integration, these 10 access trees are integrated into one big access tree. We can avoid repeated computation for primary shared sub-policies during the encryption process. Hence, in contrast to traditional CP-ABE that encrypts these 10 objects separately, we respectively reduced the computational costs of encryption related to minimal sub-policies $T_J$, $T_Q$, $T_H$, $T_D$, $T_T$, $T_I$, and $T_B$ by nine times, one time, two times, one time, one time, two times, and one time.

A comparison of the computational cost of encryption before and after clustering is shown in

Table 10. Comparison of the computational cost of encryption before and after clustering.

	First Cluster of Access Trees	Second Cluster of Access Trees	Third Cluster of Access Trees
Number of access trees	17	9	10
Total number of original leaf nodes	304	172	137
Total number of leaf nodes after integration	174	115	88
Sum of encryption time costs without clustering and integration (separate encryption)	14.248 s	8.053 s	6.435 s
Sum of encryption time costs with clustering and integration	8.311 s	5.443 s	4.186 s

.

From Figure 15, we can see that after integrating access trees in the same cluster, we can encrypt the corresponding data objects as a whole, which reduces the computational overhead significantly compared to encrypting them separately.

9. Conclusions

Most research works about CP-ABE efficiency try to improve their scheme’s efficiency by improving encryption, key generation, or decryption algorithms. They ignore the fact that there might exist similarities among different data objects’ access policies released by the same data owner. Considering the practical existence of varying degrees of overlap or similarity among the access policies of various data objects outsourced by the same data owner, we propose a policy clustering approach based on soft-set decision-making and cluster percolation methods. In addition, we provide how to merge these similar policy pieces and integrate access policies in the same cluster, enabling the encryption of corresponding data objects as a whole. Thus, our approach helps to prevent redundant computations associated with these similar policy pieces during the encryption process, ultimately enhancing the overall encryption efficiency from the data owners’ standpoint. Our method is suitable for the CP-ABE application scenarios where the data objects released by a data owner have access policies composed of a small set of the attribute universe; the policies have very good overlappings. Like most CP-ABE schemes, our scheme is IND-CPA secure.

Our proposal includes certain restrictions on the structure of access policies, and we have not yet provided an integration method for arbitrary access trees that have shared sub-policies. We will focus on developing a less restrictive integration method for similar access trees in the future. Additionally, we will explore more precise measuring methods of policy similarity.