Efficient Ciphertext-Policy Attribute-Based Online/Offline...

Research ArticleEfficient Ciphertext-Policy Attribute-Based OnlineOfflineEncryption with User Revocation

Haiying Ma 1 Zhanjun Wang 2 and Zhijin Guan 1

1School of Computer Science and Technology Nantong University Nantong 226019 China2School of Science Nantong University Nantong 226019 China

Correspondence should be addressed to ZhanjunWang wzj8855ntueducn

Received 9 September 2018 Accepted 5 January 2019 Published 14 February 2019

Academic Editor Petros Nicopolitidis

Copyright copy 2019 Haiying Ma et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Attribute-Based Encryption (ABE) must provide an efficient revocation mechanism since a userrsquos private key can be compromisedor expired over time The existing revocable ABE schemes have the drawbacks of heavy computational costs on key updates andencryption operations whichmake the entities for performing these operations a possible bottleneck in practice applications In thispaper we propose an efficientCiphertext-PolicyAttribute-BasedOnlineOfflineEncryption with userRevocation (R-CP-ABOOE)We integrate the subset difference method with ciphertext-policy ABE to significantly improve key-update efficiency on the side ofthe trusted party from O(119903 log(119873119903)) to O(119903) where119873 is the number of users and 119903 is the number of revoked users To reduce theencryption burden for mobile devices we use the onlineoffline technology to shift the majority of encryption work to the offlinephase and thenmobile devices only need to execute a few simple computations to create a ciphertext In addition we exploit a noveltrick to prove its selective security under the 119902-type assumption Performance analysis shows that our scheme greatly improves thekey-update efficiency for the trusted party and the encryption efficiency for mobile devices

1 Introduction

Attribute-based encryption (ABE) is a promising alternativeof encryption for achieving fine-grained access control ofencrypted data The notion of ABE is first proposed by Sahaiand Waters [1] and then Goyal et al [2] formalize twosupplementary forms of ABE ciphertext-policy ABE (CP-ABE) and key-policy ABE (KP-ABE) In CP-ABE [3 4] eachuser possesses a private key that corresponds to his attributeset A ciphertext is embedded into an access policy overthe possible attributes The ciphertext can be successfullydecrypted by the users whose attributes satisfy the policyAlternatively inKP-ABE the roles are swapped a ciphertext isassociated with an access policy and the private key is relatedto a set of attributes

Any ABE system must provide an efficient method torevoke users since a userrsquos private key can be compromised orexpired over time As a practical solution to the problem forABE Boldyreva et al [5] used the complete subtree method[6] to revoke users In their scheme a user can encryptwith the set of attributes and the current time attribute

eg ldquoTIME 2018 WEEK 16rdquo and the key generation center(KGC) who owns the latest revocation list periodicallybroadcasts the key update component at each time slot suchthat all nonrevoked users can reconstruct their decryptionkey and utilize it decrypt ciphertexts Subsequently Attra-padung and Imai [7] proposed a revocable KP-ABE by usinga similar method However the key-update work can bea system bottleneck since KGC requires broadcasting key-update component to all nonrevoked users at all time slotsAlthough their solutions [6 7] reduce this work from O(119873)to O(119903 log(119873119903)) where 119873 is the number of users and 119903 isthe number of revoked users and the key-update work still isa bottleneck Lee et al [8] proposed an efficiently revocableidentity-based encryption using subset difference methodswhich has O(119903) number of group elements in an update keyWe note that their idea cannot be directly used to constructrevocable ABE because a userrsquos identity is not related todecryption in ABE systems

At the same time in all revocable ABE schemes theencryption process must perform a lot of exponentiationsand the encryption cost grows with the complexity of access

HindawiSecurity and Communication NetworksVolume 2019 Article ID 8093578 11 pageshttpsdoiorg10115520198093578

2 Security and Communication Networks

policy or number of attributes If a mobile device performsthe encryption task battery power and encryption time willbe a large problem To significantly reduce the encryptioncost for mobile device a few onlineoffline ABE schemes[9ndash12] are proposed and move the majority of encryptioncomputations into an offline phase Mobile device only needsto execute a few simple calculations to create a ciphertextHowever the existing onlineoffline ABE schemes cannotrevoke users Therefore our goal is to integrate the subsetdifference method [6 8] with ABE to significantly decreasethe key update work and use the onlineoffline technique togreatly improve the encryption efficiency for mobile devices

In this work we propose an efficient ciphertext-policyattribute-based onlineoffline encryption with user revoca-tion In particular our contributions have three aspects asfollows(1) We present a novel technique that may integrateCP-ABE with the Subset Difference (SD) methodology tosignificantly improve the key-update efficiency for KGC InSD scheme an assigned key for each subset is dependent onother keys so we may categorize all subsets into differentgroups For each group 119866119879 in SD we assign a randompolynomial 119891119866119879(119909) = 119886119866119879119909 + 120572 to it where 119886119866119879 is a randomvalue that is uniquely assigned to the group 119866119879 and 120572 isthe master secret key Using this linear polynomial we splitthe master secret key 120572 into two shares 119891119866119879(1) and 119891119866119879(119879)where 119879 is an update time and is a greater than 1 positiveintegerThe share119891119866119879(1) is used to build a private keywhich isrelated to userrsquos attribute set inCP-ABE as usual and the othershare 119891119866119879(119879) is used to build an update key which is relatedto the update time 119879 Then KGC periodically broadcaststhe update keys and any nonrevoked user can reconstructhis decryption key Since all revoked users possess the sameshare119891119866119879(1) they cannot collude to reconstruct a decryptionkey Therefore our scheme may provide the security againstcollusion attacks(2) To greatly reduce the encryption cost for mobiledevices we employ the onlineoffline technique of [8] tosplit encryption process into the offline phase and the onlinephase The offline encryption first performs a majority ofencryption task before the plaintext and its access policyare known Once the specifications are given the onlineencryption only executes a few simple calculations to producea ciphertext by using the offline-ciphertexts pool that issimilar to the reference [8] Especially the offline work canbe executed by a high-performance computer and thenlightweight devices can quickly run the online encryption onthe move without greatly draining the battery(3) We present a new method to prove the security ofour scheme Based on the CP-ABErsquos access policy 119860lowast anda challenge update time 119879lowast we construct a new challengeaccess policy 119860lowastlowast = 119860lowast and 119879lowast i e we may obtain 119860lowastlowastby appending a well-designed vector to 119860lowast Next we cancreate the public parameters needed in the proof Moreoverunlike the complete subtree method the intersection of thecovering collection of nonrevoked users and the private keyof the revoked users is not empty It leads to impossibilityto construct the update key on the time 119879lowast We solve thisproblem by reasonably assigning the usersrsquo location in the

binary tree Our scheme is proved to be selectively secureunder the q-type assumption The above method may be ofindependent interest in the security proof of the revocableCP-ABE scheme Compared with the related works ourscheme can significantly improve the key-update efficiencyfor the trusted party from O(119903 log(119873119903)) to O(119903) and theencryption efficiency for mobile devices where 119873 is thenumber of users and 119903 is the number of revoked users andgreatly decrease the number of group elements in the updatekey

ABE is a useful cryptographic technology to protectprivate data and achieve fine-grained access control simul-taneously [12 13] many variants of ABE were proposed torealize promising properties e g efficient large universeABE [4] ABE with verifiable outsourced decryption [14ndash16] traceable-then-revocable ABE [17 18] CP-ABE againstkey-delegation abuse [19] the fully-secure ABE [11] ABEresilience against continuous auxiliary-inputs leakage [2021]

To reduce the encryption cost of ABE a few works [9ndash12] presented the onlineoffline ABE by the onlineofflinecryptography [22ndash25] but their schemes cannot revoke usersTo satisfy the practical requirement that usersrsquo access rightscan be revoked dynamically many revocable ABE schemeshave been proposed [10ndash20] The core idea of the works[5 7 26ndash31] utilizes the complete subtree scheme of NNL [8]to revoke userrsquos private key Lee et al [8] proposed a revocableidentity-based encryption to reduce the size of the update keySahai et al [29] constructed a few ABE schemes of revocablestorage by providing a ciphertext delegation means withoutany interaction with data owners Datta et al [32] uses thesubset difference to directly revoke users in KP-ABE systemsNevertheless all the existing revocable ABE schemes have thedrawbacks of heavy computational costs on key updates andencryption operations

Therefore it will be indispensable to reduce the heavycomputational overhead on the key update work and theencryption task Different from prior works we integratethe SD method with the onlineoffline technique in the CP-ABE system which not only may efficiently revoke users butalso can significantly improve the key-update efficiency andencryption efficiency

We review some preliminaries in Section 2The definitionand security model of our scheme is defined in Section 3We propose an efficient ciphertext-policy attribute-basedonlineoffline encryption with user revocation and prove itsselective security in Section 4 Performance analysis is givenin Section 5 Finally we conclude this work in Section 6

2 Preliminaries

In this section we first elaborate the definitions of bilineargroup and the complexity assumption for our R-CP-ABOOEschemeThen we state a brief review of access structures andlinear secret-sharing schemes (LSSS) Finally we introducethe notions of full binary tree and the subset differencemethod

Security and Communication Networks 3

21 Bilinear Group and the Complexity Assumptions We givesome notations For 119899 isin N we define [119899] = 1 2 119899and for 1198991 1198992 119899119896 isin N [1198991 1198992 119899119896] = [1198991] times [1198992] timessdot sdot sdot times [119899119896] For 119897 119899 isin N by 119885119897times119899

119901 we denote a set of matricesof size 119897 times 119899 with elements in 119885119901 A row vector is denotedas ⟨1199101 1199102 119910119899⟩ while a column vector is denoted as⟨1199101 1199102 119910119899⟩T where T denotes the transpose of the vector

Definition 1 (bilinear group) Let 119866 119866T be multiplicativecyclic groups of prime order 119901 and we define a symmetricbilinear map 119890 119866 times 119866 997888rarr 119866T with the following properties(1) bilinearity for all 1198921 1198922 isin 119866 and 119888 119889 isin 119885119901 wehave 119890(119892119888

1 1198921198892 ) = 119890(1198921 1198922)119888119889 (2) nondegeneracy exist119906 isin 119866119890(119906 119906) = 1 (3) computability the bilinear map 119890 and the

group operations in 119866 and 119866T are efficiently computableThen the tuple (119901 119866 119866T 119890) is called a bilinear group

Definition 2 (119902-type assumption [4]) Given a securityparameter 120581 isin N an integer 119902 a group generator G(120581) thatoutputs the bilinear group description (119901 119866119866T 119890) choosesa random element 119892 isin 119866 and 119902 + 2 random values119886 119904 1198871 1198872 119887119902 isin 119885119901 and computes the following terms 119864

119892 119892119904119892119886119894 119892119887119895 119892119904119887119895 119892119886119894119887119895 1198921198861198941198872119895 forall (119894 119895) isin [119902 119902] 119892119886119894119887119895 forall (119894 119895) isin [2119902 119902] and 119894 = 119902 + 1

1198921198861198941198871198951198872

1198951015840 forall (119894 1198951015840 119895) isin [2119902 119902 119902] and 119895 = 11989510158401198921199041198861198941198871198951198871198951015840 119892119904119886119894119887119895119887

2

1198951015840 forall (119894 1198951015840 119895) isin [119902 119902 119902] and 119895 = 1198951015840

(1)

If any probabilistic polynomial-time (PPT) adversary obtainsthe bilinear group description (119901 119866119866T 119890) and the aboveterms 119864 it cannot distinguish the element 119865 = 119890(119892 119892)119904119886119902+1 isin119866T from a random element 119877 isin 119866T with a nonnegligibleadvantage We say that the q-type assumption holds in thebilinear group (119901 119866 119866T 119890)22 Access Structures and Linear Secret Sharing Scheme (LSSS)

Definition 3 (access structures [4]) Let I = I1I2 I119896 be a set of attributes A collection A sube 2I ismonotone if forall119862119863 and 119862 isin A 119862 sube 119863 then 119863 isin A Anaccess structure is a collection A of nonempty subsets of IieA sube 2I The authorized sets are defined as the setsin A and the unauthorized sets are the sets not in A

Definition 4 (LSSS [4]) Let I = I1I2 I119896 afunction 120588 1 2 119897 997888rarr I A secret-sharing scheme Πover a set of attributes I is called linear over 119885119901 if (1) theshares for each attribute form a vector over 119885119901 (2) there is amatrix119860 called the share-generationmatrix forΠThematrix119860 has 119897 rows and 119899 columns For each row 119894 = 1 2 119897 the119894th row of 119860 is labeled by an attribute 120588(119894) Let the columnvector 119907 = ⟨119904 1199032 119903119899⟩T where 119904 isin 119885119901 is the shared secretand 1199032 119903119899 isin 119885119901 are randomly picked then 119860 ∙ 119907 is the

vector of 119897 shares of the secret 119904 according to Π The share(119860119907)119894 belongs to the attribute 120588(119894) Reconstruction propertySuppose the scheme Π is an LSSS for the access structure ALet120596 isin A be any authorized set and 119868 sube 1 2 119897 is definedas 119868 = 119894 120588(119894) isin 120596 If 119904119894 are valid shares of any secret 119904 thereare constants 119888119894 isin 119885119901119894isin119868 that satisfy sum119894isin119868 119888119894119904119894 = 11990423 Full Binary Tree We follow the terminologies on the fullbinary tree in [8] Let T be a full binary tree with 119873 leavesEach user 119868119863 is assigned to a unique leaf node 119894119889 In the treeit has 2N-1 nodes for 120578 = 1 to 2N-1 let V120578 denote a nodeand each edge is labelled as a bit 1 or 0 at the right branchcorresponds to bit 1 and the left branch corresponds to bit 0The identifier119871120578 of a node V120578 is defined as the unique bitstringwhich is the bitstring of all edges in the path from the root tothe node V120578 For each node V120578 its depth 119889120578 is the size of thepath from the root to V120578

Let 119878120578 denote the set of leaves in the subtree that is rootedat the node V120578 For any two nodes V120578 V120579 so that V120578 is anancestor node of V120579 119878120578120579 is defined as the set of all leaves thatare descendants of V120578 but not V120579 ie 119878120578120579 = 119878120578ndash119878120579

LetGT identify a group and a grouprsquos tag GT is describedas the collection of subset 119878120578120579 such that V120578 is the same nodeand other different nodes V120579 have the same depth and let119866119879 = 119871120578 119889120579 In our scheme we randomly choose 119886119866119879 isin 119885119901

and specify a polynomial 119891119866119879(119909) = 119886119866119879119909 + 120572 once for onegroup GT to revoke users

LetR be the list of all revoked users 119878119879(R) be the SteinerTree induced by the root node and the set R that is theminimal subtree of the tree T connects the root node andall the leaves inR

24 Subset Difference Method As a general revocationmethodology Subset-Cover framework [6] includes both thecomplete subtree method and the subset difference (SD)method and SD was presented as an improvement on thecomplete subtree scheme The definition of SD is given asfollows

Definition 5 (subset difference) The SD scheme for the setN = 1 2 119873 of all users consists of four algorithmsSetup Assign Cover Match which are described as follow-ing

SDSetup(N) 997888rarr (TS) The setup algorithm inputs allusers N and sets a full binary tree T with at least 119873 leaveswhere119873 is the total number of users It assigns a unique leafofT once to a user For any two nodes V120578 V120579 isin T such that V120578is an ancestor node of V120579 and it gets the collection S of subset119878120578120579 It outputs the treeT and the collection S

SDAssign(T 119868119863) 997888rarr 119875119881119868119863 Given the full binary treeT and a user 119868119863 isin N the assignment algorithm assigns aleaf 119894119889 of T to the user 119868119863 Let (V0 V1198961 V119896119899 = 119894119889) denotethe path from the root V0 to the leaf id and a private set 119875119881119868119863

be an empty one For all V120578 V120579 isin V0 V1198961 V119896119899 such that V120578is an ancestor of V120579 and it adds all subset 119878120578120579 to 119875119881119868119863 Then itoutputs the userrsquos private collection 119875119881119868119863 = 119878120578120579

SDCover(TR) 997888rarr 119862119881R Given the full binary treeT and the set R of revoked users the covering algorithm


gets the Steiner Tree 119878119879(R) and sets a subtree 119879119877 = 119878119879(R)and then constructs a covering collection 119862119881R by iterativelyremoving nodes from the tree TR until TR is made up of onlya single node as follows(1) It derives two leaves V119894 and V119895 from the tree 119879119877 andthen finds their least-common ancestor V which does notcontain any other leaf in this tree 119879119877 Let V119897 and V119896 be twochild of V where V119897 is a father node of V119894 and V119896 is a fathernode of V119895 If 119879119877 has only one leaf it sets V119894 = V119895 to be a leafnode and sets V = V119897 = V119896 to be the root of V(2) If V119896 = V119895 it adds the subset 119878119896119895 to 119862119881R similarly ifV119897 = V119894 it adds the subset 119878119897119894 to 119862119881R(3) It deletes all descendants of V from TR and lets V be aleaf

It outputs the covering collection 119862119881R = 119878119894119895SDMatch(119875119881119868119863 119862119881R) 997888rarr (119878120578120579 119878119894119895)perp Given a private

collection 119875119881119868119863 = 119878120578120579 and a covering collection 119862119881R =119878119894119895 this matching algorithm searches two subsets 119878120578120579 isin119875119881119868119863 and 119878119894119895 isin 119862119881R so that 120578 = 119894 120579 = 119895 and the nodesV120579 and V119895 have the same depth ie 119889120579 = 119889119895 If it finds twosubsets then it outputs (119878120578120579 119878119894119895) Otherwise it failsRemark In the SD scheme the revocation list R cannot beempty Let 119903 be the size ofR ie 119903 ge 1 To address the case 119903 =0 we may add a dummy user that is revoked so that |R1015840| =1199031015840 = 119903 + 13 Definition and Security Modelof R-CP-ABOOE

The R-CP-ABOOE scheme consists of eight algorithmsSetup KeyGen KeyUpdate DecKey Encoff Encon Dec andRev which are defined as follows

Setup(120581UN) 997888rarr (119901119896119898119904119896 ΛR) This setup algo-rithm inputs a security parameter 120581 the universe of attributesU and all usersN and outputs the system public key 119901119896 themaster secret key msk the state Λ and the revocation listR

KeyGen(119898119904119896 (119868119863 120596) Λ 119901119896) 997888rarr 119904119896(119868119863120596) This key-generation algorithm inputs the master secret keymsk a useridentity-attribute pair (ID 120596) the state Λ and public key pkand outputs the userrsquos private key 119904119896(119868119863120596)

KeyUpdate(119879R 119898119904119896 Λ 119901119896) 997888rarr (Λ 119906119896119879R) This key-update algorithm inputs a time 119879 the revocation list R themaster secret key119898119904119896 the current state Λ and the public key119901119896 and outputs the updated state Λ and an update key 119906119896119879R

DecKey(119904119896(119868119863120596) 119906119896119879R 119901119896) 997888rarr 119889119896(119868119863120596)119879 perp Thisdecryption-key algorithm inputs a userrsquos private key 119904119896(119868119863120596)an update key 119906119896119879R and the public key pk and outputs adecryption key 119889119896(119868119863120596)119879 or a failure perp

Encoff(119901119896) 997888rarr (119874119862119898119886119894119899 119874119862119886119905119905) This offline-encryptionalgorithm can independently create an arbitrary numberof main 119874119862119898119886119894119899 and many attribute modules 119874119862119886119905119905 byusing the public key pk and then stores them in a pool ofoffline-ciphertextsThis algorithm can be performed by high-performance computer

Encon((119874119862119898119886119894119899 119874119862119886119905119905) 119898A 119879) 997888rarr 119862119879A119879 This online-encryption algorithm first picks one main module 119874119862119898119886119894119899

and some attribute modules 119874119862119886119905119905120591 from the pool of offline-ciphertexts Then it inputs a message 119898 an access policy

A and a time 119879 and outputs a ciphertext 119862119879A119879 Thisalgorithm is a true encryption process and is performed bythe constrained-computation devices

Dec(119862119879A119879 119889119896(119868119863120596)119879 119901119896) 997888rarr 119898 perp This decryp-tion algorithm inputs a ciphertext 119862119879A119879 a decryption key119889119896(119868119863120596)119879 and the public key pk and outputs a message m ora failure notation perp

Rev(119868119863 119879R Λ) 997888rarr R1015840 This revocation algorithminputs an identity 119868119863 a revocation time 119879 the currentrevocation list R and the state Λ and outputs the updatedrevocation listR1015840

The correctness of R-CP-ABOOE For Setup(120581UN) 997888rarr (119901119896119898119904119896 ΛR) KeyGen(119898119904119896 (119868119863 120596) Λ 119901119896) 997888rarr119904119896(119868119863120596) KeyUpdate(119879R 119898119904119896 Λ 119901119896) 997888rarr (119906119896119879R Λ)Encon(Encoff (119901119896)119898A 119879) 997888rarr 119862119879A119879 it is satisfied by thetwo cases(1) If (119868119863 notin R) then DecKey(119904119896(119868119863120596) 119906119896119879R 119901119896) 997888rarr119889119896(119868119863120596)119879 Otherwise DecKey(119904119896(119868119863120596) 119906119896119879R 119901119896) 997888rarrperp

(2) If (120596 isin A) and (119879 = 1198791015840) then Dec(119862119879A1198791015840 119889119896(119868119863120596)119879 119901119896) 997888rarr 119898 Otherwise Dec(119862119879A1198791015840 119889119896(119868119863120596)119879119901119896) 997888rarrperpThe selective security of R-CP-ABOOE is formally

described as the following game between a challenger S andan adversary A

Init The adversary A submits the challenge policy Alowastthe challenge time119879lowast the revocation listRlowast on the challengetime 119879lowast to the challenger S

Setup S runs Setup(120581UN) 997888rarr (119901119896119898119904119896 ΛR) andsends pk toA

Phase 1 A adaptively requests a polynomial number ofthe following oracles simulated by S(1)Theprivate Key Generation oracleKG(sdot)A submitsan identity-attribute pair (119868119863 120596) to S then S runs Key-Gen(119898119904119896 (119868119863120596) Λ 119901119896) 997888rarr 119904119896(119868119863120596) and sends 119904119896(119868119863120596) toA

(2)TheKey Update oracleKU(sdot)A submits a time T toS then S runsKeyUpdate(119879R 119898119904119896 Λ 119901119896) 997888rarr (119906119896119879R Λ)and sends 119906119896119879R toA

(3) The Revocation oracle R(sdot) A submits an identity-time pair (119868119863119879) toS then S runs Rev(119868119863119879R Λ) 997888rarr R1015840

and sendsR1015840 toAThis phase must be satisfied by the restricted condition

as follows (1) for each query (119868119863120596) where 120596 satisfies thechallenge policy Alowast andR(sdot)must be queried on (119868119863119879) forany 119879 le 119879lowast (2) KU(sdot) and R(sdot) are queried on the timewhich cannot be less than the time of all previous queries

Challenge A submits two messages 1198980 and 1198981 withequal length to S S picks a random bit 119888 isin 0 1 and runsEncon(Encoff (119901119896) 119879Alowast 119898119888) 997888rarr 119862119879lowast and sends 119862119879lowast toA

Phase 2 The same as Phase 1GuessA outputs a guess bit 1198881015840Only if 1198881015840 = 119888 doesAwin this gameTherefore we define

the advantage of A as Adv(A) = |119875119903|1198881015840 = 119888 1003816100381610038161003816minus121003816100381610038161003816 in theabove game

Definition 6 Our scheme is selectively secure if any PPTadversary can break the above game with negligible advan-tage


4 Our Scheme and Security Proof

41 Our Intuition At a high level we explain how to constructour scheme We uses the full binary tree with 119873 leaves as inthe subset difference (SD) method [8] Each user 119868119863 can beassigned to a leaf node idwhich is not appointed yet In SD allthe subsets can be categorized into different groups and eachgroup119866119879 is assigned a random secret one-degree polynomial119891119866119879(119909) such that 119891119866119879(0) = 120572 where 120572 is the master secret keyLet 119883 = 119890(119892 119892)119904 Our scheme uses 119883120572 = 119890(119892 119892)120572119904 isin 119866T toencrypt a message where 119904 is a random number

Given the revoked usersrsquo set R on the time 119879 theKGC utilizes the master secret key to build an updatekey corresponding to each subset in Cover(R) Only thenonrevoked user ID can retrieve a subset 119878120578120579 isin Cover(R)such that 119868119863 isin 119878120578120579 and the user ID can compute 119883119891119866119879(119879)Simultaneously only the user ID whose attribute set 120596satisfies the access policy associated with ciphertext cancompute119883119891119866119879(1) Because the function 119891119866119879(119909) is a first-orderpolynomial using these two elements we can obtain 119883119891119866119879(0)

by interpolation in the exponent Obviously the revokedusers only can obtain the same element 119883119891119866119879(1) and thenthey cannot get two different elements of the one-degreepolynomial 119891119866119879(119909) Therefore our scheme provides securityagainst collusion attacks

42 Our Construction For 119909 119894 isin 119885119901 and a set of indexes 119868 sube119885119901 a Lagrange coefficient Δ 119894119868(119909)may be defined as

Δ 119894119868 (119909) = prod119895isin119868119895 =119894

119909 minus 119895119894 minus 119895 (2)

Our R-CP-ABOOE scheme is described as followsSetup(120581UN) 997888rarr (119901119896119898119904119896 ΛR) This setup algo-

rithm first runs the group generator G(120581) to get bilineargroups G 119866T of prime order p U = 119885119901 and randomlypicks 119892 ℎ 119906 V 119908 isin 119866 and 120572 isin 119885119901 Let a user list L119868119863

contain a tuple (119868119863 119894119889) as an empty one and let a functionlist L119891 contain a tuple (119866119879 119891119866119879(119909)) for a grouprsquos tag GT asan empty one Let M be the message space and the size ofa message |M| = 2119899M Let a hash function 119867 0 1lowast 997888rarr0 1119899M It runs SDSetup(N) to get the full binary tree TLet C denote the collection of all sets 119878120578120579 of T For each119878120578120579 isin C it makes 119866119879 = 119871120578 119889120579 and runs the followingif (119866119879 lowast) notin L119891 then it chooses randomly 119886119866119879 isin 119885119901 andspecifies a polynomial 119891119866119879(119909) = 119886119866119879119909 + 120572 once for onegroup 119866119879 and saves (119866119879 119891119866119879(119909)) into L119891 Finally it sets anempty revocation list R a state Λ = (TL119868119863) and outputsa master secret key 119898119904119896 = (L119891 120572) and system public key119901119896 = (119901 119892 ℎ 119906 V 119908Φ = 119890(119892 119892)120572 119867(sdot))

KeyGen(119898119904119896 (119868119863 120596) Λ 119901119896) 997888rarr (119904119896(119868119863120596) Λ) This key-generation algorithm inputs the master secret key mska user identity-attribute pair (119868119863120596) where the set 120596 =(1198601 1198602 119860 |120596|) the state Λ = (TL119868119863) and public key119901119896 For the user 119868119863 it chooses an unassigned leaf node 119894119889from Λ and stores the tuple (119868119863 119894119889) into L119868119863 and runsSD Assign(T 119868119863) to obtain 119875119881119868119863 = 119878120578120579 Next for each119878120578120579 isin 119875119881119868119863 it sets the group 119866119879 = 119871120578 119889120579 and retrieves

(119866119879 119891119866119879(119909)) from L119891 Second it chooses random values119903 1199031 1199032 119903|120596| isin 119885119901 and computes 1198700 = 119892119891119866119879(1)119908119903 1198701 = 119892119903For 120591 = 1 to |120596| it computes 1198702120591 = 119892119903120591 1198703120591 = (119906119860120591ℎ)119903120591Vminus119903and outputs

119901119904119896(119868119863120596)119878120578120579= (1198700 1198701 1198702120591 1198703120591120591isin[|120596|]) (3)

Finally it outputs the updated state Λ and a private key

119904119896(119868119863120596) = ((119868119863120596) 119875119881119868119863 119901119904119896(119868119863120591)119878120578120579119878120578120579isin119875119881119868119863

) (4)

KeyUpdate(119879R 119898119904119896 Λ 119901119896) 997888rarr (Λ 119906119896119879R) This algo-rithm inputs an update time 119879 the revocation list R themaster secret key119898119904119896 the stateΛ = (TL119868119863) and the publickey 119901119896 First it defines the identities of revoked users on thetime T according to R and uses L119868119863 to define the revokedindex set 119877119868 It runs SDCover(TR) to obtain119862119881119877119868 = 119878120578120579Second for each 119878120578120579 isin 119862119881119877119868 it sets 119866119879 = 119871120578 119889120579 andretrieves (119866119879 119891119866119879(119909)) from L119891 Then it chooses randomvalues 119905 1199051 isin 119885119901 and computes a time-constrained updatekey

119905119906119896119879119878120578120579= 1198800 = 119892119891119866119879(119879)119908119905 1198801 = 119892119905 1198802 = 1198921199051 1198803 = (119906119879ℎ)1199051 Vminus119905 (5)

Finally it outputs the updated state Λ and an update key

119906119896119879R = (119862119881119877119868 119905119906119896119879119878120578120579119878120578120579isin119862119881119877119868) (6)

DecKey(119904119896(119868119863120596) 119906119896119879R 119901119896) 997888rarr 119889119896(119868119863120596)119879 perp Thisdecryption-key generation algorithm inputs a user privatekey 119904119896(119868119863120596) an update key 119906119896119879R and pk First if 119868119863 notin Rthen it calls SDMatch(119862119881119877119868 119875119881119868119863) to get (119878120578120579 1198781205781015840 1205791015840) suchthat 119878120578120579 isin 119862119881119877119868 11987812057810158401205791015840 isin 119875119881119868119863 120578 = 1205781015840 and 119889120579 = 1198891205791015840 and 120579 = 1205791015840Otherwise it exports perp

Second it retrieves 119905119906119896119879119878120578120579 from 119906119896119879R and 119901119904119896(119868119863120596)11987812057810158401205791015840

from 119904119896(119868119863120596) Since 120578 = 1205781015840 and 119889120579 = 1198891205791015840 119905119906119896119879119878120578120579 and119901119904119896(119868119863120596)11987812057810158401205791015840

share the same 119891119866119879(119909) for 119866119879 = 119871120578 119889120579 It sets 119868 = 1 119879 and computes two Lagrangecoefficients Δ 1119868(0) and Δ119879119868(0) It chooses random values1199051015840 11990511015840 1199031015840 11990311015840 11990321015840 119903|120596|1015840 isin 119885119901 and computes a decryptionkey as

1198640 = 119880Δ119879119868(0)

0 1199081199051015840 1198641 = 119880Δ119879119868(0)

1 1198921199051015840 1198642 = 119880Δ119879119868(0)

2 11989211990511015840

1198643 = 119880Δ119879119868(0)3 (119906119879ℎ)11990511015840 Vminus1199051015840

1198630 = 1198701119868(0)0 1199081199031015840

1198631 = 119870Δ 1119868(0)1 1198921199031015840

(7)


For 120591 = 1 to |120596| it computes

1198632120591 = 119870Δ 1119868(0)

2120591 1198921199031205911015840

1198633120591 = 119870Δ 1119868(0)3120591 (119906119860120591ℎ)1199031205911015840 Vminus1199031015840

(8)

Finally it outputs a decryption-key 119889119896(119868119863120596)119879 =((119868119863120596)1198630 1198631 (1198632120591 1198633120591)120591isin[|120596|] 1198640 1198641 1198642 1198643)Encoff (119901119896) 997888rarr (119874119862119898119886119894119899 119874119862119886119905119905) This offline-encryption

algorithm can construct an arbitrary number of main mod-ules 119874119862119898119886119894119899 and attribute modules 119874119862119886119905119905 by using 119901119896 It firstchoose randomly 119904 isin 119885119901 and computes 119896119890119910 = 119890(119892 119892)120572119904 and1198620 = 119892119904 It sets the main module 119874119862119898119886119894119899 = (119904 119896119890119910 1198620) Thenit picks randomly 1199091 1199092 1199093 isin 119885119901 and computes 1198621 = 1199081199091V1199093 1198622 = (1199061199092ℎ)minus1199093 and 1198623 = 1198921199093 to obtain an attribute module119874119862119886119905119905 = (1199091 1199092 1199093 1198621 1198622 1198623) Using the above processit can obtain a lot of main modules 119874119862119898119886119894119899 and attributemodules 119874119862119886119905119905

Encon(119874119862119898119886119894119899 119874119862119886119905119905120591120591isin[119897+1] 119898A(119860 120588) 119879) 997888rarr 119862119879A119879Suppose that119860 is an 119897times119899 accessmatrix this online-encryption

algorithm first picks one main module 119874119862119898119886119894119899 = (119904 119896119890119910 1198620)and 119897 + 1 attribute modules 119874119862119886119905119905 = (1199091 1199092 1199093 1198621 1198622 1198623)available from the pool For 120591 = 1 2 119897 + 1 it sets theattribute module 119874119862119886119905119905120591 = (1199091120591 1199092120591 1199093120591 1198621120591 1198622120591 1198623120591) Itrandomly chooses 1199102 119910119899 isin 119885119901 and sets the vector 119904 =⟨119904 1199102 119910119899⟩T whereTdenotes the transpose of the vector Itcomputes a vector ⟨1205821 1205822 120582119897⟩T = 119860119904 Finally for 120591 = 1 to119897 it calculates1198624120591 = 120582120591minus11990911205911198625120591 = minus1199093120591(120588(120591)minus1199092120591) It com-putes 1198701015840 = 119867(119896119890119910 11986231 11986232 1198623119897+1) 1198624119897+1 = 119904 minus 1199091119897+1and1198625119897+1 = minus1199093119897+1(119879ndash1199092119897+1) It outputs a ciphertext119862119879A119879 =(A(119860 120588) 119879119898 oplus 1198701015840 1198620 1198621120591 1198622120591 1198623120591 1198624120591 1198625120591120591isin[119897+1])

Dec(119862119879A119879 119889119896(119868119863120596)119879 119901119896) 997888rarr 119898 perp This algo-rithm takes in a ciphertext 119862119879A119879 = (A(119860 120588) 119879119898 oplus1198701015840 1198620 1198621120591 1198622120591 1198623120591 1198624120591 1198625120591120591isin[119897+1]) a decryption key119889119896(119868119863120596)119879 = ((119868119863120596) 1198630 1198631 (1198632120591 1198633120591)120591isin[|120596|] 1198640 1198641 1198642 1198643)and the public key 119901119896 If 120596 satisfies the policy A(119860 120588) thenit sets Γ = 120591 | 120588(120591) isin 120596 and computes constants 119908120591 isin 119885119901

such that sum120591isinΓ 119908120591119860120591 = ⟨1 0 0⟩ where 119860120591 is the 120591-th rowof matrix 119860 and it denotes 120588(120591) = 119860119894 where 119894 is the index ofattribute 120588(120591) in 120596 It recovers 119890(119892 119892)120572119904 by computing

119890 (1198620 1198630)119890 (119908sum120591isinΓ 1198624120591119908120591 1198631)prod120591isinΓ (119890 (1198621120591 1198631) 119890 (11986221205911199061198625120591 1198632119894) 119890 (1198623120591 1198633119894))119908120591 = 119890 (119892 119892)119891119866119879(1)Δ 1119868(0)119904 (9)

119890 (1198620 1198640)119890 (1198621119897+11199081198624119897+1 1198641) 119890 (1198622119897+11199061198625119897+1 1198642) 119890 (1198623119897+1 1198643) = 119890 (119892 119892)119891119866119879(119879)Δ119879119868(0)119904 (10)

119890 (119892 119892)119891119866119879(1)Δ 1119868(0)119904119890 (119892 119892)119891119866119879(119879)Δ119879119868(0)119904 = 119890 (119892 119892)120572119904 = 119896119890119910 (11)

1198701015840 = 119867(119896119890119910 11986231 11986232 1198623119897+1) 119898 oplus 1198701015840 oplus 1198701015840 = 119898

(12)

Rev(119868119863119879R Λ) 997888rarr R1015840 This revocation algorithmtakes as inputs an identity 119868119863 a revocation time 119879 therevocation list R and the state Λ = (TL119868119863) If (119868119863 lowast) notinL119906 then it outputsperp if the private key of the pair (119868119863120596)wasnot generated Otherwise it adds (119868119863119879) toR It outputs theupdated revocation listR1015840

43 Security Proof

Theorem 7 Our scheme is selectively secure under chosenplaintext attacks if the q-type assumption holdsThat is all PPTadversaries have at most a negligible advantage in breaking theR-CP-ABOOE scheme

Proof Suppose there exists a PPT adversaryA that breaks theR-CP-ABOOE scheme with a nonnegligible advantage andthen a simulator S can solve the q-type assumption with anonnegligible advantage by using the given terms of the q-type assumption

Init S receives the given terms from the q-type assump-tion a challenge policy (119860lowast 120588lowast) a challenge time 119879lowast and the

revocation list Rlowast on the time 119879lowast from A The challengematrix 119860lowast is an 119897 times 119899matrix and satisfies the restriction 119897 + 1119899 le 119902 and the map 120588lowast [119897] 997888rarr 119885119901 Let M be the messagespace and the size of amessage |M| = 2119899M Let a hash function119867 0 1lowast 997888rarr 0 1119899M It sets an 119899-dimensional vector 119907 =⟨1 0 0⟩ that is related to the challenge time 119879lowast S buildsa new policy (119860lowastlowast 120588lowastlowast) where 120588lowastlowast [119897 + 1] 997888rarr U cup 119879lowast

119860lowastlowast = (119860

lowast

119907)

120588lowastlowast (119894) = 120588lowast (119894) 119894 isin [119897] 119879lowast119894 = 119897 + 1(13)

SinceUcap119879lowast = we know that for any attribute set120596 sub U120596 satisfies 119860lowastlowast if and only if120596 satisfies 119860lowast and for time119879 thatsatisfies 119860lowastlowast if and only if 119879 = 119879lowast

Setup S implicitly sets 120572 = 119886119902+1 + 1205721 where 119886 119902 areassigned in the assumption and a random exponent 1205721 isin 119885119901

is known only to S Especially this way 120572 is well distributedand 119886 is hidden to A from information theory Then S

proceeds as follows


(1) It calls SDSetup(N) to get the full binary treeT with2119873 leaves and setsC to be the collection of all sets 119878120578120579 ofTLetL119868119863 and L119891 be an empty set respectively For each user119868119863 isin Rlowast it allocates 119868119863 isin N to an unsigned leaf 119894119889 thatbelongs to the left subtree of T and stores (119868119863 119894119889) in L119868119863According to Rlowast sube N it uses L119868119863 to define the revokedindex set 119877119868lowast For each 119868119863 notin Rlowast it allocates 119868119863 isin N to anunsigned leaf 119894119889 that belongs to the right subtree of T andstores (119868119863 119894119889) inL119868119863(2) It calls SDAssign(T 119877119868lowast) to obtain ⋃119894119889isin119877119868lowast(119875119881119868119863)Then it sets Fixedsubset(Rlowast) = ⋃119894119889isin119877119868lowast(119875119881119868119863) It setsfunction list L119891 as follows if 119878120578120579 isin Fixedsubset(Rlowast) itchooses a random value 119910 isin 119885119901 and stores (119866119879 = 119871120578 119889120579 (119909 = 1 119910)) in L119868119863 Otherwise for each 119878120578120579 isin C Fixedsubset(Rlowast) it picks random value 119910 isin 119885119901 and stores(119866119879 = 119871120578 119889120579 (119879lowast 119910)) in L119891 such that (119866119879 = 119871120578 119889120579 lowast) notin L119891 Note that it employs the Lagrange interpolationmethod to implicitly define 119891119866119879(119909) by two points (0 120572) and(119909 119910) Next it sets an empty revocation list L119877 and setsΛ = (TL119868119863) It selects random values V1 1199061 ℎ1 isin 119885119901 andgives toA the following public parameters

119892 = 119892119908 = 119892119886V = 119892V1 sdot 119892119886119887119897+1 sdot prod

(119895119896)isin[119897119899]

(119892119886119896119887119895)119860lowast119895119896

119906 = 1198921199061 sdot 1198921198861198872119897+1 sdot prod(119895119896)isin[119897119899]

(1198921198861198961198872119895 )119860lowast119895119896

ℎ = 119892ℎ1 prod(119895119896)isin[119897119899]

(1198921198861198961198871198952)minus120588lowast(119895)119860lowast119895119896 sdot 119892minus119886119879lowast1198872119897+1

119890 (119892 119892)120572 = 119890 (119892119886 119892119886119902) 119890 (119892 119892)1205721

(14)

Finally it publishes public keys 119901119896 = (119892 119908 V 119906ℎ 119890(119892 119892)120572 119867(sdot))Phases 1 A inquiries adaptively a polynomial number

of private key generation update key and user revocationoracles If this is a private key query for (119868119863 120596) where theattribute set 120596 = (1198601 1198602 119860 |120596|) then S proceeds asfollows

If120596 does not satisfy (119860lowast 120588lowast) from the pair (119868119863 120596) denote120596 ⊭ (119860lowast 120588lowast) then 120596 ⊭ (119860lowastlowast 120588lowastlowast) It executes the followingsteps(1) It first constructs temporal private key components forthe point (0 120572) as follows Since 120596 ⊭ (119860lowastlowast 120588lowastlowast) there existsa vector 119908 = ⟨1199081 1199082 119908119899⟩ isin 119885119901

119899 such that 1199081 = -1 and119860119894

lowastlowast sdot 119908 = 0 for all 119894 isin 119868 = 119894 | 119894 isin [119897 + 1] and 120588lowastlowast(119894) isin 120596and then it picks 1199031015840 isin 119885119901 and implicitly sets 119903 = 1199031015840 + 1199081119886119902 +1199082119886119902minus1 + sdot sdot sdot + 119908119899119886119902minus119899+1 = 1199031015840 + sum119894isin[119899] 119908119894119886119902+1minus119894 and computes

1198750 = 119892120572119908119903 = 1198921205721 (119892119886)1199031015840 119899prod119894=2

(119892119886119902+2minus119894)119908119894 1198751 = 119892119903 = 1198921199031015840prod

119894isin[119899]

(119892119886119902+1minus119894)119908119894 (15)

In addition for each attribute 119860120591 isin 120596 it randomly selects1199031205911015840 isin 119885119901 and implicitly sets

119903120591 = 1199031205911015840 + 1199031015840 sum1198941015840isin[119897+1]120588lowastlowast(1198941015840)notin120596

1198871198941015840119860120591 minus 120588lowastlowast (1198941015840)

+ sum(1198941198941015840)isin[119899119897+1]120588lowastlowast(1198941015840)notin120596

1199081198941198871198941015840119886119902+1minus119894119860120591 minus 120588lowastlowast (1198941015840) (16)

Then it may compute the terms

1198752120591 = 119892119903120591 = 1198921199031205911015840 sdot prod

1198941015840isin[119897+1]120588lowastlowast(1198941015840)notin120596

(1198921198871198941015840 )1199031015840(119860120591minus120588lowastlowast(1198941015840))

sdot prod(1198941198941015840)isin[119899119897+1]120588lowastlowast(1198941015840)notin120596

(1198921198871198941015840119886119902+1minus119894

1015840)119908119894(119860120591minus120588lowastlowast(1198941015840))

(17)

1198753120591 = (119906119860120591ℎ)119903120591 Vminus119903 = (119906119860120591ℎ)1199031205911015840 (1198752120591119892minus1199031205911015840)1199061119860120591+ℎ1

sdot prod(1198941015840 119895119896)isin[119897+1119897+1119899]

120588lowastlowast(1198941015840)notin120596

(1198921198871198941015840119886119896119887minus2119895 )1199031015840119860lowastlowast119895119896 (119860120591minus120588lowastlowast(119895))(119860120591minus120588lowastlowast(1198941015840))

sdot prod(1198941198941015840 119895119896)isin[119899119897+1119897+1119899]

120588lowastlowast(1198941015840)notin120596(119895=1198941015840or119894 =119896)

(1198921198871198941015840119886119902+1+119896minus119894119887minus2119895 )(119860120591minus120588lowastlowast(119895))119908119894119860lowastlowast119895119896 (119860120591minus120588lowastlowast(1198941015840))minus1 sdot Vminus1199031015840prod

119894isin[119899]

(119892119886119902+1minus119894)minusV1119908119894

sdot prod(119894119895119896)isin[119899119897+1119899]119894=119896

(119892119886119902+1+119896minus119894119887minus1119895 )minus119908119894119860lowastlowast119895119896

(18)

(2) If (119868119863 lowast) isin L119868119863 then it loads (119868119863 119894119889) from L119868119863Otherwise it allocates 119868119863 isin N to a unique index id that isnot assigned previously and stores (119868119863 119894119889) in L119868119863 Then itcalls SDAssign(T 119868119863) to obtain 119875119881119894119889 = 119878120578120579(3) For each 119878120578120579 isin 119875119881119894119889 it retrieves (119866119879 = 119871120578 119889120579 (119909 119910))from L119891 If 119878120578120579 isin Fixedsubset(Rlowast) it must have 119909 = 1fromL119891 It chooses random value 119903 1199031 1199032 119903|120596| isin 119885119901 andcomputes a private key by implicitly setting 119891119866119879(1) = 119910 as1198700 = 119892119910119908119903 and 1198701 = 119892119903 and for 120591 = 1 to |120596| it computes1198702120591 = 119892119903120591 1198703120591 = (119906119860120591ℎ)119903120591Vminus119903 Then it outputs the updatedstate Λ and a private key

119904119896(119868119863120596) = ((119868119863120596) 1198700 1198701 1198702120591 1198703120591120591isin[|120596|]119878120578120579isin(119875119881119868119863and119865119894119909119890119889119904119906119887119904119890119905(Rlowast)))

(19)

Otherwise for each 119878120578120579 notin 119865119894119909119890119889119904119906119887119904119890119905(Rlowast) since 119909 isa random value then it has 119909 = 119879lowast Let 119868 = 0 119879lowastit computes two Lagrange coefficients Δ 0119868(1) and 119879lowast 119868(1)Then it chooses random exponents 11990310158401015840 119903110158401015840 119903210158401015840 sdot sdot sdot 11990311989610158401015840 isin 119885119901

and computes a private key as 1198700 = 119875Δ 0119868(1)0 (119892119910)119879lowast119868(1)11990811990310158401015840

and 1198701 = 119875Δ 0119868(1)1 11989211990310158401015840 and for 120591 = 1 to |120596| it computes

1198702120591 = 119875Δ 0119868(1)

2120591 11989211990312059110158401015840

and 1198703120591 = 119875Δ 0119868(1)

3120591 Vminus11990310158401015840(119906119860120591ℎ)11990312059110158401015840 Then

it outputs the updated state Λ and a private key

119904119896(119868119863120596) = ((119868119863120596) 11987001198701 1198702120591 1198703120591120591isin[|120596|]119878120578120579isin119875119881119868119863and119878120578120579notin119865119894119909119890119889119904119906119887119904119890119905(Rlowast)))

(20)


If 120596 satisfies (119860lowast 120588lowast) it must set 119868119863 isin Rlowast and executesthe following steps(1) It loads (119868119863 119894119889) from L119868119863 Then it callsSDAssign(BT 119868119863) to obtain 119875119881119868119863 = 119878120578120579(2) For each 119878120578120579 isin 119875119881119868119863 it retrieves (119866119879 = 119871120578 119889120579 (1 119910)) from L119891 Since 119878120578120579 isin Fixedsubset(Rlowast) itmust have 119909 = 1 from L119891 It chooses random value119903 1199031 1199032 119903119896 isin 119885119901 and computes a private key by implicitlysetting 119891119866119879(1) = 119910 as 1198700 = 119892119910119908119903 1198701 = 119892119903 and for 120591 = 1 to|120596| 1198702120591 = 119892119903120591 and 1198703120591 = (119906119860120591ℎ)119903120591Vminus119903 Then it outputs theupdated state Λ and a private key

119904119896(119868119863120596) = ((119868119863120596) 1198700 1198701 1198702120591 1198703120591120591isin[|120596|]119878120578120579isin119875119881119894119889) (21)

IfA requests the update key query for time119879 and119879 = 119879lowastthen 119879 ⊭ (119860lowastlowast 120588lowastlowast) S performs the four steps(1) Since 119879 ⊭ (119860lowastlowast 120588lowastlowast) there exists a vector 119908 =⟨minus1 0 0⟩T isin 119885119901

119899 for all 119894 isin 119868 = 119894 | 119894 isin [119897 + 1] and 120588lowastlowast(119894) =119879 = and then it picks 1199051015840 isin 119885119901 and implicitly sets 119905 = 1199051015840minus119886119902and computes

1198610 = 119892120572119908119905 = 11989212057211198921198861199051015840

1198611 = 119892119905 = 1198921199051015840119892minus119886119902 (22)

In addition it randomly selects 11990511015840 isin 119885119901 and implicitly sets

1199051 = 11990511015840 + 1199051015840 sum1198941015840isin[119897+1]

1198871198941015840119879 minus 120588lowastlowast (1198941015840) minus sum1198941015840isin[119897+1]

1198871198941015840119886119902119879 minus 120588lowastlowast (1198941015840) (23)


1198612 = 1198921199051

= 11989211990511015840 sdot prod

1198941015840isin[119897+1]


sdot prod1198941015840isin[119897+1]

(1198921198871198941015840119886119902)minus1(119879minus120588lowastlowast(1198941015840))

(24)

1198613 = (119906119879ℎ)1199051 Vminus119905

= (119906119879ℎ)11990511015840 (1198612119892minus11990511015840)1199061119879+ℎ1

sdot prod(1198941015840 119895119896)isin[119897+1119897+1119899]


sdot prod(1198941015840 119895119896)isin[119897+1119897+1119899]

(119895 =1198941015840or119896 =1)

(1198921198871198941015840119886119902+119896119887minus2119895 )minus(119879minus120588lowastlowast(119895))119860lowastlowast119895119896 (119879minus120588lowastlowast(1198941015840))minus1

sdot Vminus1199051015840119892119886119902V1 sdot prod(119895119896)isin[119897+1119899]119896=1

(119892119886119902+119896119887minus1119895 )119860lowastlowast119895119896

(25)

(2) It defines the revocation set on the time 119879 from Rand uses L119868119863 to define the revoked index set 119877119868 It runsSDCover(TR) to obtain 119862119881119877119868 = 119878120578120579

(3) For each 119878120578120579 isin 119862119881119877119868 it retrieves (119866119879 = 119871120578 119889120579 (119909 119910)) from L119891 and sets 119868 = 0 1 For each 119878120578120579 isinFixedsubset(Rlowast) it chooses random values 119905 1199051 isin 119885119901 andcomputes a time-constrained update key by implicitly setting119891119866119879(1) = 119910 as

119905119906119896119879119878120578120579 = 1198800 = 119861Δ 0119868(119879)

0 (119892119910)Δ 1119868(119879) 119908119905 1198801

= (1198611)Δ 0119868(119879) 119892119905 1198802 = (1198612)Δ 0119868(119879) 1198921199051 1198803

= 119861Δ 0119868(119879)

3 Vminus119905 (119906119879ℎ)1199051 (26)

For each 119878120578120579 notin Fixedsubset(Rlowast) it sets 119868 = 0 119879lowast andcomputes two Lagrange coefficients Δ 0119868(119879) and Δ119879lowast 119868(119879) Itchooses random values 11990510158401015840 119905110158401015840 isin 119885119901 and computes a time-constrained update key as

119905119906119896119879119878120578120579 = 1198800 = 119861Δ 0119868(119879)

0 (119892119910)Δ119879lowast119868(119879) 11990811990510158401015840 1198801

= (1198611)Δ 0119868(119879) 11989211990510158401015840 1198802 = (1198612)Δ 0119868(119879) 119892119905101584010158401 1198803

= 119861Δ 0119868(119879)3 Vminus119905

10158401015840 (119906119879ℎ)119905101584010158401 (27)

(4) Finally it outputs the updated state Λ and an updatekey

119906119896119879R = (119862119881119877119868 119905119906119896119879119878120578120579119878120578120579isin119862119881119877119868) (28)

If 119879 = 119879lowast it executes the following three steps(1) It sets R = Rlowast and obtains the revoked indexset 119877119868lowast of the revocation list Rlowast by L119868119863 It does notrun SDCover(TRlowast) to obtain 119862119881119877119868lowast but assigns all thenonrevoked users to the right subtree of T ie 119862119881119877119868lowast canbe described as the set 119878120578120579 | 120578 is the root node of the rightsubtree of T 120579 is the descendant node of 120578 Thus 119862119881119877119868lowastcapFixedsubset(Rlowast) = (2) For each 119878120578120579 isin 119862119881119877119868lowast it sets 119866119879 = 119871120578 119889120579 andretrieves (119866119879 (119879lowast 119910)) from L119891 Then it chooses randomvalues 119905 1199051 isin 119885119901 and computes a time-constrained updatekey by implicitly setting 119891119866119879(119879lowast) = 119910 as

119905119906119896119879119878120578120579= 1198800 = 119892119910119908119905 1198801 = 119892119905 1198802 = 1198921199051 1198803 = (119906119879lowastℎ)1199051 Vminus119905 (29)


119906119896119879R = (119862119881119877119868 119905119906119896119879119878120578120579119878120578120579isin119862119881119877119868) (30)

Challenge The adversary A submits a pair of messages(1198980 1198981) with the same length to the simulator S Then Sflips a random bit 119888 isin 0 1 and constructs 119896119890119910 = 119865 sdot119890(119892 119892119904)1205721 1198620 = 119892119904 where 119865 is the challenge term and 119892119904 isthe appropriate term of the assumption


S implicitly sets a vector 119910 = (119904 119904119886 + 1199102 119904119886119902+1119910119899)where 1199102 119910119899 are chosen uniformly at random from 119885119901Therefore the secret 119904 and the vector 119910 are uniformlydistributed Especially 119904 is hidden for A from informationtheory Let 120582 = 119860lowast119910T For each row 120591 isin [119897] it implicitly sets

120582120591 = sum119894isin[119899]

119860lowast120591119894119904119886119894minus1 + sum

119894isin[119899]

119860lowast120591119894119910119894 = sum

119894isin[119899]

119860lowast120591119894119904119886119894minus1 + 1205821015840

120591 (31)

Let the terms 1205821015840120591 be known to S For each row of 119860lowast120591 S

implicitly sets 119905120591 = minus119904119887120591 Since 119887120591rsquos are hidden for A frominformation theory the terms 119905120591 are uniformly distributedas well S also picks random values 1199091015840

1120591 11990910158402120591 1199091015840

3120591 isin 119885119901 andimplicitly sets 1199091120591 = 120582120591 minus 1199091015840

1120591 1199092120591 = 120588(120591)lowast minus 11990910158402120591 sdot 119887minus1120591 and1199093120591 = minus119904119887120591 As a resultA computes

1198621120591 = 1199081199091120591V1199093120591 = 119908120582120591 (119892119904119887120591)minusV1

sdot 119908minus11990910158401120591 prod(119895119896)isin[119897+1119899]and119895=120591

(119892119904119886119896119887120591119887minus1119895 )minus119860lowastlowast119895119896 (32)

1198622120591 = (1199061199092120591ℎ)minus1199093120591 = 119906minus11990910158402120591 (119892119904119887120591)minus(1199061120588lowastlowast(120591)+ℎ1)

sdot prod(119895119896)isin[119897119899]and119895=120591

(119892119904119886119896119887120591119887minus2119895 )minus119860lowastlowast119895119896 (120588lowastlowast(120591)minus120588lowastlowast(119895)) (33)

1198623120591 = 1198921199093120591 = 119892minus119904119887120591 1198624120591 = 120582120591 minus 1199091120591 = 1199091015840

11205911198625120591 = minus1199093120591 (120588lowastlowast (120591) minus 1199092120591) = 1199091015840

2120591(34)

For 120591 = 119897 + 1 S implicitly sets 119905119897+1 = minus119904119887119897+1 and also picksrandom values 1199091015840

1119897+1 11990910158402119897+1 isin 119885119901 and implicitly sets 1199091119897+1 =

119904 minus 11990910158401119897+1 1199092119897+1 = 119879lowast minus 1199091015840

2119897+1 and 1199093119897+1 = minus119904119887119897+1 As a resultA computes

1198621119897+1 = 1199081199091119897+1V1199093119897+1

= (119892119904119887119897+1)minusV1 prod(119895119896)isin[119897+1119899]and119895=120591

(119892119904119886119896119887119897+1119887minus1119895 )minus119860lowastlowast119895119896 (35)

1198622119897+1 = (1199061199092119897+1ℎ)minus1199093119897+1= (119892119904119887119897+1)minus(1199061119879lowast+ℎ1) prod

(119895119896)isin[119897+1119899]

(119892119904119886119896119887119897+1119887minus2119895 )minus119860lowastlowast119895119896 (119879lowastminus120588lowastlowast(119895)) (36)

1198623119897+1 = 1198921199093119897+1 = 119892minus119904119887119897+1 1198624119897+1 = 119904 minus 1199091119897+1 = 1199091015840

1119897+1(37)

1198625119897+1 = minus1199093119897+1 (119879lowast minus 1199092119897+1) = 11990910158402119897+1

1198701015840 = 119867 (119896119890119910 11986231 11986232 1198623119897+1) (38)

Finally S submits the ciphertext 119862119879lowast = (119860lowast 120588lowast) 119879lowast 1198620 =119898119888 oplus 1198701015840 1198621120591 1198622120591 1198623120591 1198624120591 1198625120591120591isin[119897+1] toAPhase 2 it is the same as Phase 1

Guess A outputs a guess 1198881015840 for the challenge ciphertext119862119879lowast If 1198881015840 = 119888 S outputs 0 it means that the challenge termis 119865 = 119890(119892 119892)minus119904119886119902+1 Otherwise it outputs 1

If 119865 = 119890(119892 119892)minus119904119886119902+1 A played the real security game since119896119890119910 = 119865 sdot 119890(119892 119892)120572119904 1198701015840 = 119867(119896119890119910 11986231 11986232 1198623119897+1) and1198620 = 119898119888oplus1198701015840 Otherwise if119865 is a randomvalue of119866119879 then theadvantage of A is 0 Therefore if A wins the above securitygame with a nonnegligible advantage thenS can solve the q-type assumption with a nonnegligible advantage by using thegiven terms of the q- type assumption

5 Performance Analysis

This section elaborates the comparisons between our R-CP-ABOOE and some related ABE schemes on the functionali-ties and efficiency respects We summarized the comparisonresults in Table 1 where 119898119888 M and E respectively denote amodular operation in 119885119901 a multiplication and an exponen-tiation in the groups 119866 or 119866T Let 119897 be the number of rowsin the matrix 119860 and 119903 be the number of revoked users inRLet |120596| 119873 |119880| |119866| |119866T| and |M| represent the number ofattributes in the collection 120596 the total number of users thenumber of all attributes the size of an element in 119866 the sizeof an element in119866T and the size of a message in the spaceMrespectively

In Table 1 the revocable ABE schemes [5 17 32] and ourR-CP-ABOOE scheme support user revocation However thereal (online) encryption algorithms in the schemes [5 17 32]must perform many exponentiation operations which isunsuitable for mobile devices with limited-computationpower Fortunately in our scheme first the offline-encryptionphase can be executed by high performance computer in atrusted environment Then our real (or online) encryptiononly requires 3119897 + 2modular operations and does not requireany exponentiation Modular operation is much faster thanthe exponentiation operation Thus our real encryptionalgorithm is the fastest among these schemes [5 17 32]

In addition compared with the indirectly revocable ABE[5] our scheme may significantly reduce the key-update costand the size of update key from O(119903 log(119873119903) to O(119903) whichis important since the update keys should be periodicallybroadcasted to all nonrevoked users Compared with thedirectly revocable ABE [17 32] that cannot be integrated withthe onlineoffline technology our encryption algorithm andciphertext size are not related to the number of revokedusers Therefore our scheme has less encryption overheadand shorter ciphertext length than the directly revocable ABE[17 32] which is suitable for data owners with resource-limited devices Although our scheme need store additionalupdate key and small amount of offline ciphertexts currentmobile devices are perfectly capable The onlineoffline ABEscheme [9] cannot provide the user revocation whereas ourscheme achieves the user revocation mechanism withoutexcessive computational and storage costs In general ourR-CP-ABOOE scheme is the first CP-ABE scheme whichcan simultaneously support the user revocation and theonlineoffline encryption mode and it has desirable featuresof very little encryption overhead for mobile device and less


Table 1 Comparisons of the related attribute-based encryption schemes

Schemes Online-Enc cost Key-update cost Ciphertext size Update-key size Rev[5] (|120596| + 2)E 119903 log(119873119903)E (|120596| + 1) |119866| + 1003816100381610038161003816119866T

1003816100381610038161003816 119903 log(119873119903) |119866| radic[17] (2119897 + 119903 log(119873119903) + 3)E - (2 + 119903 log (119873119903) + 119897) |119866| + 1003816100381610038161003816119866T

1003816100381610038161003816 - radic[32] (80 |120596| + 160119903 minus 48)E - (16 |120596| + 64119903 minus 27) |119866| + 1003816100381610038161003816119866T

1003816100381610038161003816 - radic[9] 3119897119898119888 - (3119897 + 1)|119866| + 2119897 10038161003816100381610038161003816119885119901

10038161003816100381610038161003816 + |M| - timesOurs (3119897 + 2)119898119888 (14r-7)E (3119897 + 4) |119866| + 2 (1 + 119897) 10038161003816100381610038161003816119885119901

10038161003816100381610038161003816 + |M| (8119903 minus 4) |119866| radic

the number of group elements in a ciphertext and updatekey Performance analysis shows that our scheme greatlyimproves the key-update efficiency for the trusted party andthe encryption efficiency for mobile devices

6 Conclusions

In this work we deal with the key-update efficiency andthe encryption efficiency issues in revocable CP-ABE sys-tems and propose an efficient ciphertext-policy attribute-based onlineoffline encryption with user revocation (R-CP-ABOOE) which is proven to be selectively secure under theq-type assumption Our R-CP-ABOOE scheme simultane-ously supports user revocation and onlineoffline encryptionmode and significantly improves the key-update efficiencyfrom O(119903 log(119873119903) to O(119903) Moreover our scheme has desir-able features of very little encryption overhead for mobiledevice and less group elements in the update key Perfor-mance analysis shows that our scheme greatly improves thekey-update efficiency for the trusted party and the encryptionefficiency for mobile devices Furthermore we can employthe outsourcing decryption technology [10 16 33] to reducethe decryption cost

Data Availability

ldquoNo data were used to support this studyrdquo

Conflicts of Interest

The three authors confirm that they have no conflicts ofinterest

Acknowledgments

This work is supported by Jiangsu Overseas Visiting ScholarProgram for University Prominent Young and Middle-aged Teachers and Presidents the National Natural Sci-ence Foundation of China (Nos 61402244 11371207 and61762044) Nantong City Application Basic Research Project(No GY12017024) and the Zhejiang Natural Science Foun-dation (LY15F020010)

References

[1] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquo inAdvances in Cryptology ndash EUROCRYPT pp 457ndash473 Aarhus2005

[2] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypteddatardquo in Proceedings of the 13th ACM Conference on Computerand Communications Security (CCS rsquo06) pp 89ndash98 November2006

[3] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 BerkeleyMay 2007

[4] Y Rouselakis and B Waters ldquoPractical constructions and newproof methods for large universe attribute-based encryptionrdquoin Proceedings of the ACM SIGSAC conference on Computer andcommunications security ACM rsquo13 pp 463ndash474 2013

[5] A Boldyreva V Goyal and V Kumar ldquoIdentity-based encryp-tion with efficient revocationrdquo in Proceedings of the 14th ACMConference on Computer and Communications Security Cryp-tology ePrint Archive 2008 httpseprintiacrorg2012052pdf

[6] D Naor M Naor and J Lotspiech ldquoRevocation andtracing schemes for stateless receiversrdquo in Advances inCryptologymdashCRYPTO vol 2139 of Lecture Notes in ComputerScience pp 41ndash62 Springer Berlin Germany 2001

[7] N Attrapadung and H Imai ldquoAttribute-based encryption sup-porting directindirect revocation modesrdquo in Proceedings of the12th IMA International Conference Cryptography and Codingpp 278ndash300 2009

[8] K Lee D H Lee and J H Park ldquoEfficient revocable identity-based encryption via subset differencemethodsrdquoDesigns Codesand Cryptography vol 85 no 1 pp 39ndash76 2017

[9] S Hohenberger and B Waters ldquoOnlineoffline attribute-basedencryptionrdquo in Public-key cryptography (PKC) vol 8383 ofLectureNotes in Comput Sci pp 293ndash310 SpringerHeidelberg2014

[10] Z-J Wang H-Y Ma and J-H Wang ldquoAttribute-basedonlineoffline encryption with outsourcing decryptionrdquo Journalof Information Science and Engineering vol 32 no 6 pp 1595ndash1611 2016

[11] P Datta R Dutta and S Mukhopadhyay ldquoFully SecureOnlineOffline Predicate and Attribute-Based Encryptionrdquo inInformation Security Practice and Experience vol 9065 ofLecture Notes in Computer Science pp 331ndash345 Springer Inter-national Publishing Berlin Germany 2015

[12] J Li Y Zhang X Chen and Y Xiang ldquoSecure attribute-baseddata sharing for resource-limited users in cloud computingrdquoComputers amp Security vol 72 pp 1ndash12 2018

[13] J G Li W Yao Y C Zhang H L Qian and J G HanldquoFlexible and fine-grained attribute-based data storage in cloudcomputingrdquo IEEE Transactions on Services Computing vol 10no 5 pp 785ndash796 2017

[14] J Li Y Wang Y Zhang and J Han ldquoFull Verifiability forOutsourced Decryption in Attribute Based Encryptionrdquo IEEETransactions on Services Computing 2017


[15] J Li X Y Huang J W Li X F Chen and Y Xiang ldquoSecurelyoutsourcing attribute-based encryptionwith checkabilityrdquo IEEETransactions on Parallel and Distributed Systems vol 25 no 8pp 2201ndash2210 2014

[16] S Lin R Zhang H Ma and M Wang ldquoRevisiting attribute-based encryption with verifiable outsourced decryptionrdquo IEEETransactions on Information Forensics and Security vol 10 no10 pp 2119ndash2130 2015

[17] Z Liu S Duan P Zhou et al ldquoTraceable-then-revocableciphertext-policy attribute-based encryption schemerdquo FutureGeneration Computer Systems 2017 httpsdoiorg101016jfuture201709045

[18] H YMa andG S Zeng ldquoAn attribute-based encryption schemefor traitor tracing and revokingrdquo Chinese Journal of ComputersJisuanji Xuebao vol 35 no 9 pp 1845ndash1855 2012

[19] Y Jiang W Susilo Y Mu and F Guo ldquoCiphertext-policyattribute-based encryption against key-delegation abuse in fogcomputingrdquo Future Generation Computer Systems vol 78 pp720ndash729 2018

[20] H Ma G Zeng Z Bao J Chen J Wang and Z WangldquoAttribute-based encryption scheme resilient againstcontinuous auxiliary-inputs leakagerdquo Jisuanji Yanjiu yuFazhanComputer Research and Development vol 53 no 8 pp1867ndash1878 2016

[21] J Li Q Yu Y Zhang and J Shen ldquoKey-Policy Attribute-Based Encryption against Continual Auxiliary Input LeakagrdquoInformation Sciences vol 470 pp 175ndash188 2019

[22] S Even O Goldreich S Micali et al ldquoOn-lineoff-line digitalsignaturesrdquo Journal of Cryptology vol 9 no 1 pp 35ndash67 1996

[23] F Guo C Y Mu and Z Chen ldquoIdentity-based onlineofflineencryptionrdquo in Financial Cryptography pp 247ndash261 SpringerBerlin 2008

[24] S S Chow J K Liu and J Zhou ldquoIdentity-based onlineofflinekey encapsulation and encryptionrdquo in Proceedings of the ASI-ACCS pp 52ndash60 Springer Berlin 2011

[25] J K Liu and J Zhou ldquoAn efficient identity-based onlineofflineencryption schemerdquo in Proceedings of ACNS pp 156ndash167Springer Berlin 2009

[26] N Attrapadung and H Imai ldquoConjunctive broadcast andattribute-based encryptionrdquo in Pairing-Based Cryptography(Pairing rsquo09) pp 248ndash265 Springer Berlin Germany 2009

[27] Q Li H Xiong and F Zhang ldquoBroadcast revocation scheme incomposite-order bilinear group and its application to attribute-based encryptionrdquo International Journal of Security and Net-works vol 8 no 1 pp 1ndash12 2013

[28] Y Shi Q Zheng J Liu and Z Han ldquoDirectly revocablekey-policy attribute-based encryption with verifiable ciphertextdelegationrdquo Information Sciences vol 295 pp 221ndash231 2015

[29] A Sahai H Seyalioglu and B Waters ldquoDynamic credentialsand ciphertext delegation for attribute-based encryptionrdquo inAdvances in cryptology-CRYPTO vol 7417 of Lecture Notes inComput Sci pp 199ndash217 Springer Berlin Germany 2012

[30] T Ishiguro S Kiyomoto and Y Miyake ldquoA key-revocableattribute-based encryption for mobile cloud environmentsrdquo inProceedings of IEEE Symposium on Security Cryptography pp1ndash11 Iceland 2015

[31] H Cui R Deng H X Ding et al ldquoAttribute-based encryptionwith granular revocationrdquo in Proceedings of the Conference onSecurity and Privacy in Communication Systems pp 165ndash181Springer Berlin Germany 2016

[32] P Datta R Dutta and S Mukhopadhyay ldquoAdaptively secureunrestricted attribute-based encryption with subset differencerevocation in bilinear groups of prime orderrdquo in Progressin cryptology-AFRICACRYPT vol 9646 of Lecture Notes inComput Sci pp 325ndash345 Springer Berlin Germany 2016

[33] B Qin R H Deng S Liu and S Ma ldquoAttribute-basedencryption with efficient verifiable outsourced decryptionrdquoIEEETransactions on Information Forensics and Security vol 10no 7 pp 1384ndash1393 2015

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018


Active and Passive Electronic Components

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of



Journal ofEngineeringVolume 2018

SensorsJournal of



RotatingMachinery


Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation


Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom


policy or number of attributes If a mobile device performsthe encryption task battery power and encryption time willbe a large problem To significantly reduce the encryptioncost for mobile device a few onlineoffline ABE schemes[9ndash12] are proposed and move the majority of encryptioncomputations into an offline phase Mobile device only needsto execute a few simple calculations to create a ciphertextHowever the existing onlineoffline ABE schemes cannotrevoke users Therefore our goal is to integrate the subsetdifference method [6 8] with ABE to significantly decreasethe key update work and use the onlineoffline technique togreatly improve the encryption efficiency for mobile devices

In this work we propose an efficient ciphertext-policyattribute-based onlineoffline encryption with user revoca-tion In particular our contributions have three aspects asfollows(1) We present a novel technique that may integrateCP-ABE with the Subset Difference (SD) methodology tosignificantly improve the key-update efficiency for KGC InSD scheme an assigned key for each subset is dependent onother keys so we may categorize all subsets into differentgroups For each group 119866119879 in SD we assign a randompolynomial 119891119866119879(119909) = 119886119866119879119909 + 120572 to it where 119886119866119879 is a randomvalue that is uniquely assigned to the group 119866119879 and 120572 isthe master secret key Using this linear polynomial we splitthe master secret key 120572 into two shares 119891119866119879(1) and 119891119866119879(119879)where 119879 is an update time and is a greater than 1 positiveintegerThe share119891119866119879(1) is used to build a private keywhich isrelated to userrsquos attribute set inCP-ABE as usual and the othershare 119891119866119879(119879) is used to build an update key which is relatedto the update time 119879 Then KGC periodically broadcaststhe update keys and any nonrevoked user can reconstructhis decryption key Since all revoked users possess the sameshare119891119866119879(1) they cannot collude to reconstruct a decryptionkey Therefore our scheme may provide the security againstcollusion attacks(2) To greatly reduce the encryption cost for mobiledevices we employ the onlineoffline technique of [8] tosplit encryption process into the offline phase and the onlinephase The offline encryption first performs a majority ofencryption task before the plaintext and its access policyare known Once the specifications are given the onlineencryption only executes a few simple calculations to producea ciphertext by using the offline-ciphertexts pool that issimilar to the reference [8] Especially the offline work canbe executed by a high-performance computer and thenlightweight devices can quickly run the online encryption onthe move without greatly draining the battery(3) We present a new method to prove the security ofour scheme Based on the CP-ABErsquos access policy 119860lowast anda challenge update time 119879lowast we construct a new challengeaccess policy 119860lowastlowast = 119860lowast and 119879lowast i e we may obtain 119860lowastlowastby appending a well-designed vector to 119860lowast Next we cancreate the public parameters needed in the proof Moreoverunlike the complete subtree method the intersection of thecovering collection of nonrevoked users and the private keyof the revoked users is not empty It leads to impossibilityto construct the update key on the time 119879lowast We solve thisproblem by reasonably assigning the usersrsquo location in the

binary tree Our scheme is proved to be selectively secureunder the q-type assumption The above method may be ofindependent interest in the security proof of the revocableCP-ABE scheme Compared with the related works ourscheme can significantly improve the key-update efficiencyfor the trusted party from O(119903 log(119873119903)) to O(119903) and theencryption efficiency for mobile devices where 119873 is thenumber of users and 119903 is the number of revoked users andgreatly decrease the number of group elements in the updatekey

ABE is a useful cryptographic technology to protectprivate data and achieve fine-grained access control simul-taneously [12 13] many variants of ABE were proposed torealize promising properties e g efficient large universeABE [4] ABE with verifiable outsourced decryption [14ndash16] traceable-then-revocable ABE [17 18] CP-ABE againstkey-delegation abuse [19] the fully-secure ABE [11] ABEresilience against continuous auxiliary-inputs leakage [2021]

To reduce the encryption cost of ABE a few works [9ndash12] presented the onlineoffline ABE by the onlineofflinecryptography [22ndash25] but their schemes cannot revoke usersTo satisfy the practical requirement that usersrsquo access rightscan be revoked dynamically many revocable ABE schemeshave been proposed [10ndash20] The core idea of the works[5 7 26ndash31] utilizes the complete subtree scheme of NNL [8]to revoke userrsquos private key Lee et al [8] proposed a revocableidentity-based encryption to reduce the size of the update keySahai et al [29] constructed a few ABE schemes of revocablestorage by providing a ciphertext delegation means withoutany interaction with data owners Datta et al [32] uses thesubset difference to directly revoke users in KP-ABE systemsNevertheless all the existing revocable ABE schemes have thedrawbacks of heavy computational costs on key updates andencryption operations

Therefore it will be indispensable to reduce the heavycomputational overhead on the key update work and theencryption task Different from prior works we integratethe SD method with the onlineoffline technique in the CP-ABE system which not only may efficiently revoke users butalso can significantly improve the key-update efficiency andencryption efficiency

We review some preliminaries in Section 2The definitionand security model of our scheme is defined in Section 3We propose an efficient ciphertext-policy attribute-basedonlineoffline encryption with user revocation and prove itsselective security in Section 4 Performance analysis is givenin Section 5 Finally we conclude this work in Section 6

2 Preliminaries

In this section we first elaborate the definitions of bilineargroup and the complexity assumption for our R-CP-ABOOEschemeThen we state a brief review of access structures andlinear secret-sharing schemes (LSSS) Finally we introducethe notions of full binary tree and the subset differencemethod









1198921198861198941198871198951198872

1198951015840 forall (119894 1198951015840 119895) isin [2119902 119902 119902] and 119895 = 11989510158401198921199041198861198941198871198951198871198951015840 119892119904119886119894119887119895119887

2

1198951015840 forall (119894 1198951015840 119895) isin [119902 119902 119902] and 119895 = 1198951015840

(1)


















































Δ 119894119868 (119909) = prod119895isin119868119895 =119894

119909 minus 119895119894 minus 119895 (2)






119901119904119896(119868119863120596)119878120578120579= (1198700 1198701 1198702120591 1198703120591120591isin[|120596|]) (3)


119904119896(119868119863120596) = ((119868119863120596) 119875119881119868119863 119901119904119896(119868119863120591)119878120578120579119878120578120579isin119875119881119868119863

) (4)


119905119906119896119879119878120578120579= 1198800 = 119892119891119866119879(119879)119908119905 1198801 = 119892119905 1198802 = 1198921199051 1198803 = (119906119879ℎ)1199051 Vminus119905 (5)


119906119896119879R = (119862119881119877119868 119905119906119896119879119878120578120579119878120578120579isin119862119881119877119868) (6)





1198640 = 119880Δ119879119868(0)

0 1199081199051015840 1198641 = 119880Δ119879119868(0)

1 1198921199051015840 1198642 = 119880Δ119879119868(0)

2 11989211990511015840

1198643 = 119880Δ119879119868(0)3 (119906119879ℎ)11990511015840 Vminus1199051015840

1198630 = 1198701119868(0)0 1199081199031015840

1198631 = 119870Δ 1119868(0)1 1198921199031015840

(7)



1198632120591 = 119870Δ 1119868(0)

2120591 1198921199031205911015840

1198633120591 = 119870Δ 1119868(0)3120591 (119906119860120591ℎ)1199031205911015840 Vminus1199031015840

(8)








119890 (1198620 1198640)119890 (1198621119897+11199081198624119897+1 1198641) 119890 (1198622119897+11199061198625119897+1 1198642) 119890 (1198623119897+1 1198643) = 119890 (119892 119892)119891119866119879(119879)Δ119879119868(0)119904 (10)

119890 (119892 119892)119891119866119879(1)Δ 1119868(0)119904119890 (119892 119892)119891119866119879(119879)Δ119879119868(0)119904 = 119890 (119892 119892)120572119904 = 119896119890119910 (11)

1198701015840 = 119867(119896119890119910 11986231 11986232 1198623119897+1) 119898 oplus 1198701015840 oplus 1198701015840 = 119898

(12)


43 Security Proof






lowast

119907)





proceeds as follows



119892 = 119892119908 = 119892119886V = 119892V1 sdot 119892119886119887119897+1 sdot prod

(119895119896)isin[119897119899]

(119892119886119896119887119895)119860lowast119895119896


(1198921198861198961198872119895 )119860lowast119895119896

ℎ = 119892ℎ1 prod(119895119896)isin[119897119899]


119890 (119892 119892)120572 = 119890 (119892119886 119892119886119902) 119890 (119892 119892)1205721

(14)




119899 such that 1199081 = -1 and119860119894


1198750 = 119892120572119908119903 = 1198921205721 (119892119886)1199031015840 119899prod119894=2

(119892119886119902+2minus119894)119908119894 1198751 = 119892119903 = 1198921199031015840prod

119894isin[119899]

(119892119886119902+1minus119894)119908119894 (15)







1198752120591 = 119892119903120591 = 1198921199031205911015840 sdot prod




(1198921198871198941015840119886119902+1minus119894


(17)

1198753120591 = (119906119860120591ℎ)119903120591 Vminus119903 = (119906119860120591ℎ)1199031205911015840 (1198752120591119892minus1199031205911015840)1199061119860120591+ℎ1

sdot prod(1198941015840 119895119896)isin[119897+1119897+1119899]



sdot prod(1198941198941015840 119895119896)isin[119899119897+1119897+1119899]



119894isin[119899]

(119892119886119902+1minus119894)minusV1119908119894

sdot prod(119894119895119896)isin[119899119897+1119899]119894=119896


(18)



(19)




1198702120591 = 119875Δ 0119868(1)

2120591 11989211990312059110158401015840

and 1198703120591 = 119875Δ 0119868(1)

3120591 Vminus11990310158401015840(119906119860120591ℎ)11990312059110158401015840 Then



(20)



119904119896(119868119863120596) = ((119868119863120596) 1198700 1198701 1198702120591 1198703120591120591isin[|120596|]119878120578120579isin119875119881119894119889) (21)



1198610 = 119892120572119908119905 = 11989212057211198921198861199051015840

1198611 = 119892119905 = 1198921199051015840119892minus119886119902 (22)


1199051 = 11990511015840 + 1199051015840 sum1198941015840isin[119897+1]




1198612 = 1198921199051

= 11989211990511015840 sdot prod

1198941015840isin[119897+1]


sdot prod1198941015840isin[119897+1]


(24)

1198613 = (119906119879ℎ)1199051 Vminus119905

= (119906119879ℎ)11990511015840 (1198612119892minus11990511015840)1199061119879+ℎ1

sdot prod(1198941015840 119895119896)isin[119897+1119897+1119899]


sdot prod(1198941015840 119895119896)isin[119897+1119897+1119899]

(119895 =1198941015840or119896 =1)




(25)



119905119906119896119879119878120578120579 = 1198800 = 119861Δ 0119868(119879)

0 (119892119910)Δ 1119868(119879) 119908119905 1198801

= (1198611)Δ 0119868(119879) 119892119905 1198802 = (1198612)Δ 0119868(119879) 1198921199051 1198803

= 119861Δ 0119868(119879)

3 Vminus119905 (119906119879ℎ)1199051 (26)


119905119906119896119879119878120578120579 = 1198800 = 119861Δ 0119868(119879)

0 (119892119910)Δ119879lowast119868(119879) 11990811990510158401015840 1198801

= (1198611)Δ 0119868(119879) 11989211990510158401015840 1198802 = (1198612)Δ 0119868(119879) 119892119905101584010158401 1198803

= 119861Δ 0119868(119879)3 Vminus119905

10158401015840 (119906119879ℎ)119905101584010158401 (27)


119906119896119879R = (119862119881119877119868 119905119906119896119879119878120578120579119878120578120579isin119862119881119877119868) (28)


119905119906119896119879119878120578120579= 1198800 = 119892119910119908119905 1198801 = 119892119905 1198802 = 1198921199051 1198803 = (119906119879lowastℎ)1199051 Vminus119905 (29)


119906119896119879R = (119862119881119877119868 119905119906119896119879119878120578120579119878120578120579isin119862119881119877119868) (30)




120582120591 = sum119894isin[119899]

119860lowast120591119894119904119886119894minus1 + sum

119894isin[119899]

119860lowast120591119894119910119894 = sum

119894isin[119899]

119860lowast120591119894119904119886119894minus1 + 1205821015840

120591 (31)



1120591 11990910158402120591 1199091015840



1198621120591 = 1199081199091120591V1199093120591 = 119908120582120591 (119892119904119887120591)minusV1






1198623120591 = 1198921199093120591 = 119892minus119904119887120591 1198624120591 = 120582120591 minus 1199091120591 = 1199091015840


2120591(34)





1198621119897+1 = 1199081199091119897+1V1199093119897+1




(119895119896)isin[119897+1119899]


1198623119897+1 = 1198921199093119897+1 = 119892minus119904119887119897+1 1198624119897+1 = 119904 minus 1199091119897+1 = 1199091015840

1119897+1(37)


1198701015840 = 119867 (119896119890119910 11986231 11986232 1198623119897+1) (38)













1003816100381610038161003816 - radic[9] 3119897119898119888 - (3119897 + 1)|119866| + 2119897 10038161003816100381610038161003816119885119901

10038161003816100381610038161003816 + |M| - timesOurs (3119897 + 2)119898119888 (14r-7)E (3119897 + 4) |119866| + 2 (1 + 119897) 10038161003816100381610038161003816119885119901

10038161003816100381610038161003816 + |M| (8119903 minus 4) |119866| radic


6 Conclusions


Data Availability




Acknowledgments


References





































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia










1198921198861198941198871198951198872

1198951015840 forall (119894 1198951015840 119895) isin [2119902 119902 119902] and 119895 = 11989510158401198921199041198861198941198871198951198871198951015840 119892119904119886119894119887119895119887

2

1198951015840 forall (119894 1198951015840 119895) isin [119902 119902 119902] and 119895 = 1198951015840

(1)


















































Δ 119894119868 (119909) = prod119895isin119868119895 =119894

119909 minus 119895119894 minus 119895 (2)






119901119904119896(119868119863120596)119878120578120579= (1198700 1198701 1198702120591 1198703120591120591isin[|120596|]) (3)


119904119896(119868119863120596) = ((119868119863120596) 119875119881119868119863 119901119904119896(119868119863120591)119878120578120579119878120578120579isin119875119881119868119863

) (4)


119905119906119896119879119878120578120579= 1198800 = 119892119891119866119879(119879)119908119905 1198801 = 119892119905 1198802 = 1198921199051 1198803 = (119906119879ℎ)1199051 Vminus119905 (5)


119906119896119879R = (119862119881119877119868 119905119906119896119879119878120578120579119878120578120579isin119862119881119877119868) (6)





1198640 = 119880Δ119879119868(0)

0 1199081199051015840 1198641 = 119880Δ119879119868(0)

1 1198921199051015840 1198642 = 119880Δ119879119868(0)

2 11989211990511015840

1198643 = 119880Δ119879119868(0)3 (119906119879ℎ)11990511015840 Vminus1199051015840

1198630 = 1198701119868(0)0 1199081199031015840

1198631 = 119870Δ 1119868(0)1 1198921199031015840

(7)



1198632120591 = 119870Δ 1119868(0)

2120591 1198921199031205911015840

1198633120591 = 119870Δ 1119868(0)3120591 (119906119860120591ℎ)1199031205911015840 Vminus1199031015840

(8)








119890 (1198620 1198640)119890 (1198621119897+11199081198624119897+1 1198641) 119890 (1198622119897+11199061198625119897+1 1198642) 119890 (1198623119897+1 1198643) = 119890 (119892 119892)119891119866119879(119879)Δ119879119868(0)119904 (10)

119890 (119892 119892)119891119866119879(1)Δ 1119868(0)119904119890 (119892 119892)119891119866119879(119879)Δ119879119868(0)119904 = 119890 (119892 119892)120572119904 = 119896119890119910 (11)

1198701015840 = 119867(119896119890119910 11986231 11986232 1198623119897+1) 119898 oplus 1198701015840 oplus 1198701015840 = 119898

(12)


43 Security Proof






lowast

119907)





proceeds as follows



119892 = 119892119908 = 119892119886V = 119892V1 sdot 119892119886119887119897+1 sdot prod

(119895119896)isin[119897119899]

(119892119886119896119887119895)119860lowast119895119896


(1198921198861198961198872119895 )119860lowast119895119896

ℎ = 119892ℎ1 prod(119895119896)isin[119897119899]


119890 (119892 119892)120572 = 119890 (119892119886 119892119886119902) 119890 (119892 119892)1205721

(14)




119899 such that 1199081 = -1 and119860119894


1198750 = 119892120572119908119903 = 1198921205721 (119892119886)1199031015840 119899prod119894=2

(119892119886119902+2minus119894)119908119894 1198751 = 119892119903 = 1198921199031015840prod

119894isin[119899]

(119892119886119902+1minus119894)119908119894 (15)







1198752120591 = 119892119903120591 = 1198921199031205911015840 sdot prod




(1198921198871198941015840119886119902+1minus119894


(17)

1198753120591 = (119906119860120591ℎ)119903120591 Vminus119903 = (119906119860120591ℎ)1199031205911015840 (1198752120591119892minus1199031205911015840)1199061119860120591+ℎ1

sdot prod(1198941015840 119895119896)isin[119897+1119897+1119899]



sdot prod(1198941198941015840 119895119896)isin[119899119897+1119897+1119899]



119894isin[119899]

(119892119886119902+1minus119894)minusV1119908119894

sdot prod(119894119895119896)isin[119899119897+1119899]119894=119896


(18)



(19)




1198702120591 = 119875Δ 0119868(1)

2120591 11989211990312059110158401015840

and 1198703120591 = 119875Δ 0119868(1)

3120591 Vminus11990310158401015840(119906119860120591ℎ)11990312059110158401015840 Then



(20)



119904119896(119868119863120596) = ((119868119863120596) 1198700 1198701 1198702120591 1198703120591120591isin[|120596|]119878120578120579isin119875119881119894119889) (21)



1198610 = 119892120572119908119905 = 11989212057211198921198861199051015840

1198611 = 119892119905 = 1198921199051015840119892minus119886119902 (22)


1199051 = 11990511015840 + 1199051015840 sum1198941015840isin[119897+1]




1198612 = 1198921199051

= 11989211990511015840 sdot prod

1198941015840isin[119897+1]


sdot prod1198941015840isin[119897+1]


(24)

1198613 = (119906119879ℎ)1199051 Vminus119905

= (119906119879ℎ)11990511015840 (1198612119892minus11990511015840)1199061119879+ℎ1

sdot prod(1198941015840 119895119896)isin[119897+1119897+1119899]


sdot prod(1198941015840 119895119896)isin[119897+1119897+1119899]

(119895 =1198941015840or119896 =1)




(25)



119905119906119896119879119878120578120579 = 1198800 = 119861Δ 0119868(119879)

0 (119892119910)Δ 1119868(119879) 119908119905 1198801

= (1198611)Δ 0119868(119879) 119892119905 1198802 = (1198612)Δ 0119868(119879) 1198921199051 1198803

= 119861Δ 0119868(119879)

3 Vminus119905 (119906119879ℎ)1199051 (26)


119905119906119896119879119878120578120579 = 1198800 = 119861Δ 0119868(119879)

0 (119892119910)Δ119879lowast119868(119879) 11990811990510158401015840 1198801

= (1198611)Δ 0119868(119879) 11989211990510158401015840 1198802 = (1198612)Δ 0119868(119879) 119892119905101584010158401 1198803

= 119861Δ 0119868(119879)3 Vminus119905

10158401015840 (119906119879ℎ)119905101584010158401 (27)


119906119896119879R = (119862119881119877119868 119905119906119896119879119878120578120579119878120578120579isin119862119881119877119868) (28)


119905119906119896119879119878120578120579= 1198800 = 119892119910119908119905 1198801 = 119892119905 1198802 = 1198921199051 1198803 = (119906119879lowastℎ)1199051 Vminus119905 (29)


119906119896119879R = (119862119881119877119868 119905119906119896119879119878120578120579119878120578120579isin119862119881119877119868) (30)




120582120591 = sum119894isin[119899]

119860lowast120591119894119904119886119894minus1 + sum

119894isin[119899]

119860lowast120591119894119910119894 = sum

119894isin[119899]

119860lowast120591119894119904119886119894minus1 + 1205821015840

120591 (31)



1120591 11990910158402120591 1199091015840



1198621120591 = 1199081199091120591V1199093120591 = 119908120582120591 (119892119904119887120591)minusV1






1198623120591 = 1198921199093120591 = 119892minus119904119887120591 1198624120591 = 120582120591 minus 1199091120591 = 1199091015840


2120591(34)





1198621119897+1 = 1199081199091119897+1V1199093119897+1




(119895119896)isin[119897+1119899]


1198623119897+1 = 1198921199093119897+1 = 119892minus119904119887119897+1 1198624119897+1 = 119904 minus 1199091119897+1 = 1199091015840

1119897+1(37)


1198701015840 = 119867 (119896119890119910 11986231 11986232 1198623119897+1) (38)













1003816100381610038161003816 - radic[9] 3119897119898119888 - (3119897 + 1)|119866| + 2119897 10038161003816100381610038161003816119885119901

10038161003816100381610038161003816 + |M| - timesOurs (3119897 + 2)119898119888 (14r-7)E (3119897 + 4) |119866| + 2 (1 + 119897) 10038161003816100381610038161003816119885119901

10038161003816100381610038161003816 + |M| (8119903 minus 4) |119866| radic


6 Conclusions


Data Availability




Acknowledgments


References





































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





































Δ 119894119868 (119909) = prod119895isin119868119895 =119894

119909 minus 119895119894 minus 119895 (2)






119901119904119896(119868119863120596)119878120578120579= (1198700 1198701 1198702120591 1198703120591120591isin[|120596|]) (3)


119904119896(119868119863120596) = ((119868119863120596) 119875119881119868119863 119901119904119896(119868119863120591)119878120578120579119878120578120579isin119875119881119868119863

) (4)


119905119906119896119879119878120578120579= 1198800 = 119892119891119866119879(119879)119908119905 1198801 = 119892119905 1198802 = 1198921199051 1198803 = (119906119879ℎ)1199051 Vminus119905 (5)


119906119896119879R = (119862119881119877119868 119905119906119896119879119878120578120579119878120578120579isin119862119881119877119868) (6)





1198640 = 119880Δ119879119868(0)

0 1199081199051015840 1198641 = 119880Δ119879119868(0)

1 1198921199051015840 1198642 = 119880Δ119879119868(0)

2 11989211990511015840

1198643 = 119880Δ119879119868(0)3 (119906119879ℎ)11990511015840 Vminus1199051015840

1198630 = 1198701119868(0)0 1199081199031015840

1198631 = 119870Δ 1119868(0)1 1198921199031015840

(7)



1198632120591 = 119870Δ 1119868(0)

2120591 1198921199031205911015840

1198633120591 = 119870Δ 1119868(0)3120591 (119906119860120591ℎ)1199031205911015840 Vminus1199031015840

(8)








119890 (1198620 1198640)119890 (1198621119897+11199081198624119897+1 1198641) 119890 (1198622119897+11199061198625119897+1 1198642) 119890 (1198623119897+1 1198643) = 119890 (119892 119892)119891119866119879(119879)Δ119879119868(0)119904 (10)

119890 (119892 119892)119891119866119879(1)Δ 1119868(0)119904119890 (119892 119892)119891119866119879(119879)Δ119879119868(0)119904 = 119890 (119892 119892)120572119904 = 119896119890119910 (11)

1198701015840 = 119867(119896119890119910 11986231 11986232 1198623119897+1) 119898 oplus 1198701015840 oplus 1198701015840 = 119898

(12)


43 Security Proof






lowast

119907)





proceeds as follows



119892 = 119892119908 = 119892119886V = 119892V1 sdot 119892119886119887119897+1 sdot prod

(119895119896)isin[119897119899]

(119892119886119896119887119895)119860lowast119895119896


(1198921198861198961198872119895 )119860lowast119895119896

ℎ = 119892ℎ1 prod(119895119896)isin[119897119899]


119890 (119892 119892)120572 = 119890 (119892119886 119892119886119902) 119890 (119892 119892)1205721

(14)




119899 such that 1199081 = -1 and119860119894


1198750 = 119892120572119908119903 = 1198921205721 (119892119886)1199031015840 119899prod119894=2

(119892119886119902+2minus119894)119908119894 1198751 = 119892119903 = 1198921199031015840prod

119894isin[119899]

(119892119886119902+1minus119894)119908119894 (15)







1198752120591 = 119892119903120591 = 1198921199031205911015840 sdot prod




(1198921198871198941015840119886119902+1minus119894


(17)

1198753120591 = (119906119860120591ℎ)119903120591 Vminus119903 = (119906119860120591ℎ)1199031205911015840 (1198752120591119892minus1199031205911015840)1199061119860120591+ℎ1

sdot prod(1198941015840 119895119896)isin[119897+1119897+1119899]



sdot prod(1198941198941015840 119895119896)isin[119899119897+1119897+1119899]



119894isin[119899]

(119892119886119902+1minus119894)minusV1119908119894

sdot prod(119894119895119896)isin[119899119897+1119899]119894=119896


(18)



(19)




1198702120591 = 119875Δ 0119868(1)

2120591 11989211990312059110158401015840

and 1198703120591 = 119875Δ 0119868(1)

3120591 Vminus11990310158401015840(119906119860120591ℎ)11990312059110158401015840 Then



(20)



119904119896(119868119863120596) = ((119868119863120596) 1198700 1198701 1198702120591 1198703120591120591isin[|120596|]119878120578120579isin119875119881119894119889) (21)



1198610 = 119892120572119908119905 = 11989212057211198921198861199051015840

1198611 = 119892119905 = 1198921199051015840119892minus119886119902 (22)


1199051 = 11990511015840 + 1199051015840 sum1198941015840isin[119897+1]




1198612 = 1198921199051

= 11989211990511015840 sdot prod

1198941015840isin[119897+1]


sdot prod1198941015840isin[119897+1]


(24)

1198613 = (119906119879ℎ)1199051 Vminus119905

= (119906119879ℎ)11990511015840 (1198612119892minus11990511015840)1199061119879+ℎ1

sdot prod(1198941015840 119895119896)isin[119897+1119897+1119899]


sdot prod(1198941015840 119895119896)isin[119897+1119897+1119899]

(119895 =1198941015840or119896 =1)




(25)



119905119906119896119879119878120578120579 = 1198800 = 119861Δ 0119868(119879)

0 (119892119910)Δ 1119868(119879) 119908119905 1198801

= (1198611)Δ 0119868(119879) 119892119905 1198802 = (1198612)Δ 0119868(119879) 1198921199051 1198803

= 119861Δ 0119868(119879)

3 Vminus119905 (119906119879ℎ)1199051 (26)


119905119906119896119879119878120578120579 = 1198800 = 119861Δ 0119868(119879)

0 (119892119910)Δ119879lowast119868(119879) 11990811990510158401015840 1198801

= (1198611)Δ 0119868(119879) 11989211990510158401015840 1198802 = (1198612)Δ 0119868(119879) 119892119905101584010158401 1198803

= 119861Δ 0119868(119879)3 Vminus119905

10158401015840 (119906119879ℎ)119905101584010158401 (27)


119906119896119879R = (119862119881119877119868 119905119906119896119879119878120578120579119878120578120579isin119862119881119877119868) (28)


119905119906119896119879119878120578120579= 1198800 = 119892119910119908119905 1198801 = 119892119905 1198802 = 1198921199051 1198803 = (119906119879lowastℎ)1199051 Vminus119905 (29)


119906119896119879R = (119862119881119877119868 119905119906119896119879119878120578120579119878120578120579isin119862119881119877119868) (30)




120582120591 = sum119894isin[119899]

119860lowast120591119894119904119886119894minus1 + sum

119894isin[119899]

119860lowast120591119894119910119894 = sum

119894isin[119899]

119860lowast120591119894119904119886119894minus1 + 1205821015840

120591 (31)



1120591 11990910158402120591 1199091015840



1198621120591 = 1199081199091120591V1199093120591 = 119908120582120591 (119892119904119887120591)minusV1






1198623120591 = 1198921199093120591 = 119892minus119904119887120591 1198624120591 = 120582120591 minus 1199091120591 = 1199091015840


2120591(34)





1198621119897+1 = 1199081199091119897+1V1199093119897+1




(119895119896)isin[119897+1119899]


1198623119897+1 = 1198921199093119897+1 = 119892minus119904119887119897+1 1198624119897+1 = 119904 minus 1199091119897+1 = 1199091015840

1119897+1(37)


1198701015840 = 119867 (119896119890119910 11986231 11986232 1198623119897+1) (38)













1003816100381610038161003816 - radic[9] 3119897119898119888 - (3119897 + 1)|119866| + 2119897 10038161003816100381610038161003816119885119901

10038161003816100381610038161003816 + |M| - timesOurs (3119897 + 2)119898119888 (14r-7)E (3119897 + 4) |119866| + 2 (1 + 119897) 10038161003816100381610038161003816119885119901

10038161003816100381610038161003816 + |M| (8119903 minus 4) |119866| radic


6 Conclusions


Data Availability




Acknowledgments


References





































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




1198632120591 = 119870Δ 1119868(0)

2120591 1198921199031205911015840

1198633120591 = 119870Δ 1119868(0)3120591 (119906119860120591ℎ)1199031205911015840 Vminus1199031015840

(8)








119890 (1198620 1198640)119890 (1198621119897+11199081198624119897+1 1198641) 119890 (1198622119897+11199061198625119897+1 1198642) 119890 (1198623119897+1 1198643) = 119890 (119892 119892)119891119866119879(119879)Δ119879119868(0)119904 (10)

119890 (119892 119892)119891119866119879(1)Δ 1119868(0)119904119890 (119892 119892)119891119866119879(119879)Δ119879119868(0)119904 = 119890 (119892 119892)120572119904 = 119896119890119910 (11)

1198701015840 = 119867(119896119890119910 11986231 11986232 1198623119897+1) 119898 oplus 1198701015840 oplus 1198701015840 = 119898

(12)


43 Security Proof






lowast

119907)





proceeds as follows



119892 = 119892119908 = 119892119886V = 119892V1 sdot 119892119886119887119897+1 sdot prod

(119895119896)isin[119897119899]

(119892119886119896119887119895)119860lowast119895119896


(1198921198861198961198872119895 )119860lowast119895119896

ℎ = 119892ℎ1 prod(119895119896)isin[119897119899]


119890 (119892 119892)120572 = 119890 (119892119886 119892119886119902) 119890 (119892 119892)1205721

(14)




119899 such that 1199081 = -1 and119860119894


1198750 = 119892120572119908119903 = 1198921205721 (119892119886)1199031015840 119899prod119894=2

(119892119886119902+2minus119894)119908119894 1198751 = 119892119903 = 1198921199031015840prod

119894isin[119899]

(119892119886119902+1minus119894)119908119894 (15)







1198752120591 = 119892119903120591 = 1198921199031205911015840 sdot prod




(1198921198871198941015840119886119902+1minus119894


(17)

1198753120591 = (119906119860120591ℎ)119903120591 Vminus119903 = (119906119860120591ℎ)1199031205911015840 (1198752120591119892minus1199031205911015840)1199061119860120591+ℎ1

sdot prod(1198941015840 119895119896)isin[119897+1119897+1119899]



sdot prod(1198941198941015840 119895119896)isin[119899119897+1119897+1119899]



119894isin[119899]

(119892119886119902+1minus119894)minusV1119908119894

sdot prod(119894119895119896)isin[119899119897+1119899]119894=119896


(18)



(19)




1198702120591 = 119875Δ 0119868(1)

2120591 11989211990312059110158401015840

and 1198703120591 = 119875Δ 0119868(1)

3120591 Vminus11990310158401015840(119906119860120591ℎ)11990312059110158401015840 Then



(20)



119904119896(119868119863120596) = ((119868119863120596) 1198700 1198701 1198702120591 1198703120591120591isin[|120596|]119878120578120579isin119875119881119894119889) (21)



1198610 = 119892120572119908119905 = 11989212057211198921198861199051015840

1198611 = 119892119905 = 1198921199051015840119892minus119886119902 (22)


1199051 = 11990511015840 + 1199051015840 sum1198941015840isin[119897+1]




1198612 = 1198921199051

= 11989211990511015840 sdot prod

1198941015840isin[119897+1]


sdot prod1198941015840isin[119897+1]


(24)

1198613 = (119906119879ℎ)1199051 Vminus119905

= (119906119879ℎ)11990511015840 (1198612119892minus11990511015840)1199061119879+ℎ1

sdot prod(1198941015840 119895119896)isin[119897+1119897+1119899]


sdot prod(1198941015840 119895119896)isin[119897+1119897+1119899]

(119895 =1198941015840or119896 =1)




(25)



119905119906119896119879119878120578120579 = 1198800 = 119861Δ 0119868(119879)

0 (119892119910)Δ 1119868(119879) 119908119905 1198801

= (1198611)Δ 0119868(119879) 119892119905 1198802 = (1198612)Δ 0119868(119879) 1198921199051 1198803

= 119861Δ 0119868(119879)

3 Vminus119905 (119906119879ℎ)1199051 (26)


119905119906119896119879119878120578120579 = 1198800 = 119861Δ 0119868(119879)

0 (119892119910)Δ119879lowast119868(119879) 11990811990510158401015840 1198801

= (1198611)Δ 0119868(119879) 11989211990510158401015840 1198802 = (1198612)Δ 0119868(119879) 119892119905101584010158401 1198803

= 119861Δ 0119868(119879)3 Vminus119905

10158401015840 (119906119879ℎ)119905101584010158401 (27)


119906119896119879R = (119862119881119877119868 119905119906119896119879119878120578120579119878120578120579isin119862119881119877119868) (28)


119905119906119896119879119878120578120579= 1198800 = 119892119910119908119905 1198801 = 119892119905 1198802 = 1198921199051 1198803 = (119906119879lowastℎ)1199051 Vminus119905 (29)


119906119896119879R = (119862119881119877119868 119905119906119896119879119878120578120579119878120578120579isin119862119881119877119868) (30)




120582120591 = sum119894isin[119899]

119860lowast120591119894119904119886119894minus1 + sum

119894isin[119899]

119860lowast120591119894119910119894 = sum

119894isin[119899]

119860lowast120591119894119904119886119894minus1 + 1205821015840

120591 (31)



1120591 11990910158402120591 1199091015840



1198621120591 = 1199081199091120591V1199093120591 = 119908120582120591 (119892119904119887120591)minusV1






1198623120591 = 1198921199093120591 = 119892minus119904119887120591 1198624120591 = 120582120591 minus 1199091120591 = 1199091015840


2120591(34)





1198621119897+1 = 1199081199091119897+1V1199093119897+1




(119895119896)isin[119897+1119899]


1198623119897+1 = 1198921199093119897+1 = 119892minus119904119887119897+1 1198624119897+1 = 119904 minus 1199091119897+1 = 1199091015840

1119897+1(37)


1198701015840 = 119867 (119896119890119910 11986231 11986232 1198623119897+1) (38)













1003816100381610038161003816 - radic[9] 3119897119898119888 - (3119897 + 1)|119866| + 2119897 10038161003816100381610038161003816119885119901

10038161003816100381610038161003816 + |M| - timesOurs (3119897 + 2)119898119888 (14r-7)E (3119897 + 4) |119866| + 2 (1 + 119897) 10038161003816100381610038161003816119885119901

10038161003816100381610038161003816 + |M| (8119903 minus 4) |119866| radic


6 Conclusions


Data Availability




Acknowledgments


References





































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




119892 = 119892119908 = 119892119886V = 119892V1 sdot 119892119886119887119897+1 sdot prod

(119895119896)isin[119897119899]

(119892119886119896119887119895)119860lowast119895119896


(1198921198861198961198872119895 )119860lowast119895119896

ℎ = 119892ℎ1 prod(119895119896)isin[119897119899]


119890 (119892 119892)120572 = 119890 (119892119886 119892119886119902) 119890 (119892 119892)1205721

(14)




119899 such that 1199081 = -1 and119860119894


1198750 = 119892120572119908119903 = 1198921205721 (119892119886)1199031015840 119899prod119894=2

(119892119886119902+2minus119894)119908119894 1198751 = 119892119903 = 1198921199031015840prod

119894isin[119899]

(119892119886119902+1minus119894)119908119894 (15)







1198752120591 = 119892119903120591 = 1198921199031205911015840 sdot prod




(1198921198871198941015840119886119902+1minus119894


(17)

1198753120591 = (119906119860120591ℎ)119903120591 Vminus119903 = (119906119860120591ℎ)1199031205911015840 (1198752120591119892minus1199031205911015840)1199061119860120591+ℎ1

sdot prod(1198941015840 119895119896)isin[119897+1119897+1119899]



sdot prod(1198941198941015840 119895119896)isin[119899119897+1119897+1119899]



119894isin[119899]

(119892119886119902+1minus119894)minusV1119908119894

sdot prod(119894119895119896)isin[119899119897+1119899]119894=119896


(18)



(19)




1198702120591 = 119875Δ 0119868(1)

2120591 11989211990312059110158401015840

and 1198703120591 = 119875Δ 0119868(1)

3120591 Vminus11990310158401015840(119906119860120591ℎ)11990312059110158401015840 Then



(20)



119904119896(119868119863120596) = ((119868119863120596) 1198700 1198701 1198702120591 1198703120591120591isin[|120596|]119878120578120579isin119875119881119894119889) (21)



1198610 = 119892120572119908119905 = 11989212057211198921198861199051015840

1198611 = 119892119905 = 1198921199051015840119892minus119886119902 (22)


1199051 = 11990511015840 + 1199051015840 sum1198941015840isin[119897+1]




1198612 = 1198921199051

= 11989211990511015840 sdot prod

1198941015840isin[119897+1]


sdot prod1198941015840isin[119897+1]


(24)

1198613 = (119906119879ℎ)1199051 Vminus119905

= (119906119879ℎ)11990511015840 (1198612119892minus11990511015840)1199061119879+ℎ1

sdot prod(1198941015840 119895119896)isin[119897+1119897+1119899]


sdot prod(1198941015840 119895119896)isin[119897+1119897+1119899]

(119895 =1198941015840or119896 =1)




(25)



119905119906119896119879119878120578120579 = 1198800 = 119861Δ 0119868(119879)

0 (119892119910)Δ 1119868(119879) 119908119905 1198801

= (1198611)Δ 0119868(119879) 119892119905 1198802 = (1198612)Δ 0119868(119879) 1198921199051 1198803

= 119861Δ 0119868(119879)

3 Vminus119905 (119906119879ℎ)1199051 (26)


119905119906119896119879119878120578120579 = 1198800 = 119861Δ 0119868(119879)

0 (119892119910)Δ119879lowast119868(119879) 11990811990510158401015840 1198801

= (1198611)Δ 0119868(119879) 11989211990510158401015840 1198802 = (1198612)Δ 0119868(119879) 119892119905101584010158401 1198803

= 119861Δ 0119868(119879)3 Vminus119905

10158401015840 (119906119879ℎ)119905101584010158401 (27)


119906119896119879R = (119862119881119877119868 119905119906119896119879119878120578120579119878120578120579isin119862119881119877119868) (28)


119905119906119896119879119878120578120579= 1198800 = 119892119910119908119905 1198801 = 119892119905 1198802 = 1198921199051 1198803 = (119906119879lowastℎ)1199051 Vminus119905 (29)


119906119896119879R = (119862119881119877119868 119905119906119896119879119878120578120579119878120578120579isin119862119881119877119868) (30)




120582120591 = sum119894isin[119899]

119860lowast120591119894119904119886119894minus1 + sum

119894isin[119899]

119860lowast120591119894119910119894 = sum

119894isin[119899]

119860lowast120591119894119904119886119894minus1 + 1205821015840

120591 (31)



1120591 11990910158402120591 1199091015840



1198621120591 = 1199081199091120591V1199093120591 = 119908120582120591 (119892119904119887120591)minusV1






1198623120591 = 1198921199093120591 = 119892minus119904119887120591 1198624120591 = 120582120591 minus 1199091120591 = 1199091015840


2120591(34)





1198621119897+1 = 1199081199091119897+1V1199093119897+1




(119895119896)isin[119897+1119899]


1198623119897+1 = 1198921199093119897+1 = 119892minus119904119887119897+1 1198624119897+1 = 119904 minus 1199091119897+1 = 1199091015840

1119897+1(37)


1198701015840 = 119867 (119896119890119910 11986231 11986232 1198623119897+1) (38)













1003816100381610038161003816 - radic[9] 3119897119898119888 - (3119897 + 1)|119866| + 2119897 10038161003816100381610038161003816119885119901

10038161003816100381610038161003816 + |M| - timesOurs (3119897 + 2)119898119888 (14r-7)E (3119897 + 4) |119866| + 2 (1 + 119897) 10038161003816100381610038161003816119885119901

10038161003816100381610038161003816 + |M| (8119903 minus 4) |119866| radic


6 Conclusions


Data Availability




Acknowledgments


References





































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




119904119896(119868119863120596) = ((119868119863120596) 1198700 1198701 1198702120591 1198703120591120591isin[|120596|]119878120578120579isin119875119881119894119889) (21)



1198610 = 119892120572119908119905 = 11989212057211198921198861199051015840

1198611 = 119892119905 = 1198921199051015840119892minus119886119902 (22)


1199051 = 11990511015840 + 1199051015840 sum1198941015840isin[119897+1]




1198612 = 1198921199051

= 11989211990511015840 sdot prod

1198941015840isin[119897+1]


sdot prod1198941015840isin[119897+1]


(24)

1198613 = (119906119879ℎ)1199051 Vminus119905

= (119906119879ℎ)11990511015840 (1198612119892minus11990511015840)1199061119879+ℎ1

sdot prod(1198941015840 119895119896)isin[119897+1119897+1119899]


sdot prod(1198941015840 119895119896)isin[119897+1119897+1119899]

(119895 =1198941015840or119896 =1)




(25)



119905119906119896119879119878120578120579 = 1198800 = 119861Δ 0119868(119879)

0 (119892119910)Δ 1119868(119879) 119908119905 1198801

= (1198611)Δ 0119868(119879) 119892119905 1198802 = (1198612)Δ 0119868(119879) 1198921199051 1198803

= 119861Δ 0119868(119879)

3 Vminus119905 (119906119879ℎ)1199051 (26)


119905119906119896119879119878120578120579 = 1198800 = 119861Δ 0119868(119879)

0 (119892119910)Δ119879lowast119868(119879) 11990811990510158401015840 1198801

= (1198611)Δ 0119868(119879) 11989211990510158401015840 1198802 = (1198612)Δ 0119868(119879) 119892119905101584010158401 1198803

= 119861Δ 0119868(119879)3 Vminus119905

10158401015840 (119906119879ℎ)119905101584010158401 (27)


119906119896119879R = (119862119881119877119868 119905119906119896119879119878120578120579119878120578120579isin119862119881119877119868) (28)


119905119906119896119879119878120578120579= 1198800 = 119892119910119908119905 1198801 = 119892119905 1198802 = 1198921199051 1198803 = (119906119879lowastℎ)1199051 Vminus119905 (29)


119906119896119879R = (119862119881119877119868 119905119906119896119879119878120578120579119878120578120579isin119862119881119877119868) (30)




120582120591 = sum119894isin[119899]

119860lowast120591119894119904119886119894minus1 + sum

119894isin[119899]

119860lowast120591119894119910119894 = sum

119894isin[119899]

119860lowast120591119894119904119886119894minus1 + 1205821015840

120591 (31)



1120591 11990910158402120591 1199091015840



1198621120591 = 1199081199091120591V1199093120591 = 119908120582120591 (119892119904119887120591)minusV1






1198623120591 = 1198921199093120591 = 119892minus119904119887120591 1198624120591 = 120582120591 minus 1199091120591 = 1199091015840


2120591(34)





1198621119897+1 = 1199081199091119897+1V1199093119897+1




(119895119896)isin[119897+1119899]


1198623119897+1 = 1198921199093119897+1 = 119892minus119904119887119897+1 1198624119897+1 = 119904 minus 1199091119897+1 = 1199091015840

1119897+1(37)


1198701015840 = 119867 (119896119890119910 11986231 11986232 1198623119897+1) (38)













1003816100381610038161003816 - radic[9] 3119897119898119888 - (3119897 + 1)|119866| + 2119897 10038161003816100381610038161003816119885119901

10038161003816100381610038161003816 + |M| - timesOurs (3119897 + 2)119898119888 (14r-7)E (3119897 + 4) |119866| + 2 (1 + 119897) 10038161003816100381610038161003816119885119901

10038161003816100381610038161003816 + |M| (8119903 minus 4) |119866| radic


6 Conclusions


Data Availability




Acknowledgments


References





































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




120582120591 = sum119894isin[119899]

119860lowast120591119894119904119886119894minus1 + sum

119894isin[119899]

119860lowast120591119894119910119894 = sum

119894isin[119899]

119860lowast120591119894119904119886119894minus1 + 1205821015840

120591 (31)



1120591 11990910158402120591 1199091015840



1198621120591 = 1199081199091120591V1199093120591 = 119908120582120591 (119892119904119887120591)minusV1






1198623120591 = 1198921199093120591 = 119892minus119904119887120591 1198624120591 = 120582120591 minus 1199091120591 = 1199091015840


2120591(34)





1198621119897+1 = 1199081199091119897+1V1199093119897+1




(119895119896)isin[119897+1119899]


1198623119897+1 = 1198921199093119897+1 = 119892minus119904119887119897+1 1198624119897+1 = 119904 minus 1199091119897+1 = 1199091015840

1119897+1(37)


1198701015840 = 119867 (119896119890119910 11986231 11986232 1198623119897+1) (38)













1003816100381610038161003816 - radic[9] 3119897119898119888 - (3119897 + 1)|119866| + 2119897 10038161003816100381610038161003816119885119901

10038161003816100381610038161003816 + |M| - timesOurs (3119897 + 2)119898119888 (14r-7)E (3119897 + 4) |119866| + 2 (1 + 119897) 10038161003816100381610038161003816119885119901

10038161003816100381610038161003816 + |M| (8119903 minus 4) |119866| radic


6 Conclusions


Data Availability




Acknowledgments


References





































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia







1003816100381610038161003816 - radic[9] 3119897119898119888 - (3119897 + 1)|119866| + 2119897 10038161003816100381610038161003816119885119901

10038161003816100381610038161003816 + |M| - timesOurs (3119897 + 2)119898119888 (14r-7)E (3119897 + 4) |119866| + 2 (1 + 119897) 10038161003816100381610038161003816119885119901

10038161003816100381610038161003816 + |M| (8119903 minus 4) |119866| radic


6 Conclusions


Data Availability




Acknowledgments


References





































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia
























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


Efficient Ciphertext-Policy Attribute-Based Online/Offline...

Documents

Transcript of Efficient Ciphertext-Policy Attribute-Based Online/Offline...