An Efficient Scheme of Cloud Data Assured Deletion

With the rapid development of cloud storage technology, cloud data assured deletion has received extensive attention. While ensuring the deletion of cloud data, users have also placed increasing demands on cloud data assured deletion, such as improving the execution efficiency of various stages of a cloud data assured deletion system and performing fine-grained access and deletion operations. In this paper, we propose an efficient scheme of cloud data assured deletion. The scheme replaces complicated bilinear pairing with simple scalar multiplication on elliptic curves to realize ciphertext policy attribute-based encryption of cloud data, while solving the security problem of shared data. In addition, the efficiency of encryption and decryption is improved, and fine-grained access of ciphertext is realized. The scheme designs an attribute key management system that employs a dual-server to solve system flaws caused by single point failure. The scheme is proven to be secure, based on the decisional Diffie-Hellman assumption in the standard model; therefore, it has stronger security. The theoretical analysis and experimental results show that the scheme guarantees security and significantly improves the efficiency of each stage of cloud data assured deletion.


Introduction
With the rapid development of cloud storage technology, an increasing number of individuals or enterprises choose to store data in the cloud to reduce data management costs. However, compared with traditional data storage methods, data storage in the cloud is beyond the direct control of the data owner, which renders the security of the data difficult to guarantee. The goal of the data owner when deleting data is to prevent access to the data after the data are deleted [1]. When user data reaches their storage period or the user wants to delete the data stored in the cloud, without an effective data deletion mechanism, unauthorized access, privacy leakage and other security issues may occur and hinder the promotion and development of cloud services [2,3]. Therefore, achieving the assured deletion of cloud data has become an urgent problem to be solved.
In cloud computing, the ownership of data is separated from the management rights of data. To protect the confidentiality and privacy of data, cloud data must be encrypted before they are outsourced to the cloud [4,5]. A central advantage of using cryptographic primitives such as symmetric-key encryption is that the safety of a large amount of sensitive data can be reduced to the safety of a very small key [6]. Therefore, the issue of cloud data assured deletion is translated into the secure deletion problem of the corresponding key of the client [7]. A cloud data assured deletion scheme can be divided into two types: assured deletion based on key management and assured deletion based on an access control policy.
Assured deletion schemes based on key management. Perlman [8,9], first proposed an assured deletion scheme based on files. Xiong et al. proposed a cloud data security self-destruction scheme (ISS) that is based on identity-based encryption (IBE) [10], which divides the data to be protected into different security levels according to different sensitivity levels. The first encryption is performed through the key and then by a coupling and extraction algorithm, the original ciphertext is transformed into a coupled ciphertext, a part of the ciphertext is extracted to convert to the ciphertext, and the remaining part is the encapsulated ciphertext. The encapsulated ciphertext is outsourced to the cloud service provider, and the extracted ciphertext and the IBE-encrypted symmetric key are distributed to the distributed DHT network nodes by the Shamir secret sharing scheme. When the key exceeds the lifetime of the DHT node, the DHT node will automatically delete the key component information to prevent restoration and decryption of the encapsulated ciphertext, and assured deletion of the cloud data is realized. Yao et al. [11] proposed a cloud data assured deletion scheme that is based on bitstream conversion. The scheme divides the file into fixed-size data blocks, each block is converted into a bit stream, the location information of the bit stream and the original data are encrypted and uploaded to the cloud, and the bit stream data and key are saved by the data owner. When data are deleted, the data owner deletes the local stored bitstream data and the key to implement the assured deletion of data.
The assured deletion scheme that is based on key management cannot achieve fine-grained access to ciphertext. When the key of the encrypted data is deleted, all users cannot decrypt the ciphertext again.
Assured deletion schemes based on access control policy. Zhang et al. [12] proposed an assured deletion scheme that is based on ciphertext sampling and partitioning. The original data were encrypted by an encryption algorithm that is based on attributes, and the encrypted ciphertext was sampled. The ciphertext was divided into sampling ciphertext and residual ciphertext. The key and the information of the sampled ciphertext are sent to the trusted third party for management, and assured deletion of the cloud data is realized by deleting the key managed by the trusted third party and sampling the ciphertext information. Although this scheme uses an attributebased encryption algorithm, it does not implement finegrained access control. For fine-grained access control problems, Liang et al. [13] proposed an assured deletion scheme that is based on an undo tree, which uses a linear secret sharing scheme and a binary tree as the underlying tool and assigns a set of attributes to each user and assigns a unique identifier. The data owner encrypts the data by an encryption algorithm that is based on attributes. The system administrator disables a user from accessing the data by deleting the corresponding user identifier on the undo tree to achieve assured deletion of the data. Wang et al. [14] proposed an assured deletion scheme that is based on attribute revocation, which is a CP-ABE scheme that supports attribute-level user revocation. In this scheme, once the attribute of a user is revoked, the cloud service provider will randomly select the index that corresponds to the undo attribute to update the ciphertext. After the ciphertext is updated, the user who has revoked the attribute will not be able to decrypt the ciphertext. Xue et al. [15] proposed a cloud data assured deletion scheme that is based on hash tree verification for attribute revocation. The scheme employs a set of attributes to describe the encrypted data and constructs the access policy into the private key of a user. If the user private key with attributes satisfies the access structure of the encrypted data, the user can access the data. When the data in the cloud are deleted, the user can change the attributes in the ciphertext by re-encrypting the ciphertext, which prevents the authorized user from decrypting the ciphertext and implement assured deletion of the cloud data. Zhao et al. [16] proposed a keyless hosted revocable attribute-based encryption scheme in a cloud environment. In this scheme, attribute authority and central control construct a keyless escrow key distribution protocol to solve the key escrow problem using secure two-party computing technology. By updating the attribute version key, an attribute level user can be revoked. The system level user can be revoked via central control. After the attribute is revoked, the user cannot decrypt the ciphertext and realize the assured deletion of the cloud data.
Although the assured deletion scheme that is based on an access control policy solves the problem of fine-grained access control, these schemes use a bilinear pair to implement the attribute-based encryption scheme, which creates the problem of low system efficiency.
In this paper, an efficient scheme of cloud data assured deletion (ESAD) is proposed for schemes that cannot balance efficiency and fine-grained access. This scheme employs simple scalar multiplication in an elliptic curve instead of a complex bilinear pair to implement an attribute-based encryption algorithm [17], which simplifies the calculations during encryption and decryption. The key is generated by the key generator and the attribute authorizer in the attribute key management system. The key generator is responsible for generating the system master key and the public key, and the attribute authorizer is responsible for maintaining a list of user attributes. When the user needs to decrypt, the authorized user sends part of the ciphertext to the attribute authorizer. The attribute authorizer generates the user private key via the attribute list, and partially decrypts the ciphertext, which reduce the decryption overhead of the authorized user. When deleting data, the data owner only needs to generate a random number to replace the attribute value of the attribute that needs to be deleted in the attribute list of the original attribute authorize. The public key of the corresponding attribute value is not updated, which ensure that fine-grained access control can be realized without complicated calculation. Based on the decision Diffie-Hellman assumption, the provable security in the standard model of the scheme is implemented, which shows that the scheme has higher security.

Elliptic curve cryptography (ECC)
Definition 1(ECC) The elliptic curve in ECC is defined by the following equation: The safety of ECC is based on the Elliptic Curve Discrete Logarithm Problem (ECDLP). For this problem, the algorithms that have not been effective can obtain the corresponding solutions in a short time as follows.
Let Ep(a, b) be an elliptic curve (a, b ∈ GF(p)) defined on the finite field GF(p). Given the two points P and Q on Ep(a, b), find an integer s ∈ GF(p) * to satisfy Q = sP .
Compared with RSA, ECC can ensure the same security with a smaller key size as solving ECDLP is more difficult than breaking down integers. The security of the elliptic curve cryptosystem in the meta domain, when the length of p is 160 bits, is equivalent to RSA using a 1024-bit modulus [18]. A short key indicates a small bandwidth and storage requirements, which may be a decisive factor in some applications [19].

Merkle hash tree (MHT)
The Merkle Hash Tree is an extensively employed authentication structure that can be used to efficiently check if a set of elements are stored unaltered. An MHT is a binary tree where the leaf nodes contain the hashes of authentic data and each internal node stores the hash values of its children nodes. Figure 1 depicts an example of an authentication structure, where the MHT is constructed for an ordered set of data blocks a 1 , a 2 , …, a 8 ; each internal node and the root node is generated from its two children nodes. For example, h 2 = h(h 5 ∥ h 6 ), h 3 = h(h(a 1 ) ∥ h(a 2 )), and h R = h(h 1 ∥ h 2 ). The auxiliary authentication information (AAI) for element a i represents the sibling nodes of a i , which are located on the path from the ith leaf node to the root; thus, the root can be computed. To validate the integrity of block a 2 , the verifier with the authentic h R requests theh 0 R corresponding auxiliary authentication information Ω = (h(a 1 ), h 4 , h 2 ) from the prover, computes h(a 2 ), h 3 = h(h(a 1 ) ∥ h(a 2 )), h 1 = h(h 3 ∥ h 4 ), and h R ' = h(h 1 ∥ h 2 ), and checks if the calculated is h 0 R equal to h R .

Decisional Diffie-Hellman (DDH)
Definition 2 (DHH) The DDH assumptions in the elliptic curve are defined as follows: the challenger selects the cyclic group P of order r, where G is the generator on group P, and randomly selects the parameters a, b ∈ Z r . If the Challenger gives the adversary parameters (G, aG, bG), the adversary cannot easily distinguish abG ∈ P from the random element R in group P. Simulator B guesses through the output, defines its advantage ε to solve the DDH hypothesis with group P, if If any polynomial time adversary has at most a negligible advantage to solve the DDH problem, then we assume that DDH is true in group P.

System model and security model
In this section, we introduce the system model of the ESAD scheme and the security assumptions.   AKMS is responsible for the generation and update of the key and helps an authorized user to decrypt part of the ciphertext. The main internal structure is shown in Fig. 3. AKMS is primarily composed of a key generator and an attribute authorizer. The two parts independently communicate with other components and the TPM security chip protects its internal data. The key generator is responsible for managing the system master key and the system public key. The attribute authorizer is responsible for assigning each authorized user a unique identifier ID and maintaining a list of attributes for the authorized user. When the authorized user decrypts the ciphertext, the attribute authorizer generates the user private key and assists the authorized user to partially decrypt the ciphertext. A question-and-answer method is employed between the key generator and the attribute authorizer to confirm that each is normally functioning. The attribute authorizer periodically issues a question to the key generator, and the key generator must return the correct answer within the specified time. If a question or answer is not returned within the specified time, the party is considered to have an abnormality, and the other party will replace the abnormal party to handle the transaction, which ensures normal operation of the system and prevents system paralysis caused by failure of a single point.
The CSP is responsible for storing the encrypted data of the data owner. CSP honestly stores the encrypted data of the data owner and reliably responds to data requests.
The DO is responsible for assigning the unique identifier k i to each attribute and encrypting the data that needs to be uploaded to the cloud. When the cloud data are deleted, the DO sends an update request to the attribute authorizer in the attribute key management system and verifies the returned update result.
The AU accesses the encrypted data stored by the data owner in the cloud and obtains the encrypted data by sending a data request to the cloud service provider. After obtaining the encrypted data, the AU requests that the attribute authorizer in the attribute key management system partially decrypt the ciphertext. After receiving the result returned by the Generate attribute value ki Send partial decrypted ciphertext C y SK y ID Send key update request (kx,hx) Return validation information R Send partial ciphertext C y y Fig. 2 The system model Fig. 3 Internal structure of attribute key management system attribute authorizer, the UA decrypts all ciphertexts to obtain the original data.

Security assumptions
Based on the system model, the following five assumptions are made: 1). CSP is untrustworthy. While providing data storage services to data owners, it may store data that is stored in the cloud by a data owner for backup or steal data content without authorization from a user and disclose the data to unauthorized individuals or organizations. 2). AKMS is semi-trusted. The attribute authorizer in AKMS will honestly assist an authorized user in decrypting the encrypted data but will not faithfully execute the key update request of the data owner. The attribute authorizer retains only the latest attributes list of the authorized user for the convenience of management. 3). AKMS is unbreakable. The system environment in AKMS is sufficiently secure to withstand external attacks and protect the contents of AKMS from being stolen and tampered by malicious users. 4). The AU is trusted and does not actively disclose the plaintext data of a data owner to an unauthorized entity or actively disclose the obtained decrypted information. 5). A secure channel exists between the entities. The secure channel is established by the shared key obtained by the parties via a key agreement between two parties, and can also be established based on the public-private key encryption and decryption between two parties.

Security model
This section defines a selective security model of standard semantic security, namely, ciphertext indistinguishability under chosen plaintext attacks (IND-CPA).
1). Initialization. Adversary A chooses a challenge access structure (A, ρ) and then sends it to challenger B. 2). Setup. Challenger B runs the Setup algorithm to generate the necessary public parameters for the system and the public and secret key pair for each attribute. The challenger sends the public key PK to adversary A. 3). Phase 1. Adversary A can adaptively send the attribute secret key pairs to the challenger, such as (S 1 , ID 1 ), (S 2 , ID 2 ), ⋯, (S n , ID n ), with the restriction that any set of keys can-not satisfy the access control structure (A, ρ). 4). Challenge. Adversary A submits two messages M 0 and M 1 of equal length to Challenger B. Challenger B randomly selects β ∈ {0, 1} and sends the encryption of M β under the access control structure (A, ρ) to adversary A.

5)
. Phase 2. The adversary may adaptively submit additional key queries (S n + 1 , ID n + 1 ), (S n + 2 , ID n + 2 ), ⋯, (S n + m , ID n + m )) to the challenger with the same restriction indicated in Phase 1. 6). Guess. Adversary A may output the value β ' ∈ {0, 1} as a guess for β. If β ' = β, we consider that adversary A wins the game. The adversary advantage in this game is defined as follows: If any polynomial time adversary has at most a negligible advantage to win this security game, then we consider that the encryption scheme is safe.

Design idea of ESAD
The design idea of the ESAD scheme. Establish a secure and efficient cloud data assured deletion system. To improve the performance of the encryption algorithm, simple scalar multiplication in an elliptic curve is employed instead of the complex bilinear pair, which simplifies the calculation in the process of encryption and decryption, improves the encryption and decryption efficiency of the data, and ensures the security of the encrypted data. The LSSS [20,21] is used to split the encryption key, combine with encrypted data to form ciphertext and upload it to the cloud. To prevent collusion attacks, each user is assigned a global unique identification ID, each attribute of the user will be bound with the ID of the user as the private key of the user, and the user attribute set is maintained by the attribute authorizer in the form of a list. The attribute list of the attribute authorizer is changed by updating the attribute, and the update verification is performed; thus, the cloudencrypted data cannot be smoothly decrypted, and the assured deletion of the cloud data is realized.

Algorithm description of ESAD scheme
The workflow of the ESAD scheme is shown in Fig. 2. The main algorithms are described as follows: Step 1. System Initialization Let GF(p) be a finite field of order p, E be an elliptic curve defined in the finite field GF(p), r be the order of the subgroup in the elliptic curve E, and G be a base point in the subgroup. G generates a cyclic subgroup of elliptic curves E; Z r is an integer domain of order r; and the one-way function H: 0; 1 f g * →Z * r is randomly selected: the user ID is mapped to the integer domain Z r . Setup n; S; k i ð Þ→ MSK; PK ð Þ For each attribute i in the system attribute set S, the data owner randomly selects the parameters k 1 , k 2 , ⋯, k S ∈ Z r to upload to the attribute key management system.
The key generator randomly selects n (n ∈ Z r ) to generate the system master key.
The attribute authorizer maintains a list of attributes that correspond to its ID for each user in the system, as shown in Table 1.
Step 2. Generate a private key AKMSKeyGen(ki, ID, n) → {SK i, ID } For each attribute i in the user ID attribute set S ID , the attribute authorizer calculates the user private key Step 3.

Data Encryption
The data owner encrypts the original data M to generate the encrypted data CT, and the encryption algorithm proceeds as follows: The data owner randomly selects s ∈ Z r as the encryption key; it calculates The key s is split using the LSSS as follows: Define the access control strategy (A, ρ), where A is a linear secret sharing matrix, ρ is the mapping function of the matrix row vector and the attribute, and ρ maps each row A x of the matrix A to the attribute ρ(x). As in [22], ρ does not map two different rows to the same attribute. Randomly select the parameters v 2 , v 3 , ⋯, v l ∈ Z p , define the vector e v ¼ e s; e v 2 ; e v 3 ; :::e v l ð Þ T , and calculate the inner product λ x = A x ⋅ v for each row A x of the matrix A. Randomly select the parameters u 2 , u 3 , ⋯, u l ∈ Z p , define the vector u = (0, u 2 , u 3 , ⋯, u l ) T , and calculate the inner product ω x = A x ⋅ u for each row A x of the matrix A.
The data owner outputs the ciphertext Step 4. Data decryption To decrypt the cloud data, the authorized user sends a ciphertext request to the cloud. After obtaining the ciphertext, the authorized user sends the ID and the (C 2, y , ρ(y)) associated with each attribute y ∈ S ID to the attribute authorizer. The attribute authorizer verifies the sender identity and the attribute set based on the maintained attribute list. If the request is valid, the attribute authorizer calculates each of the requests (C 2, y , ρ(y)) The attribute authorizer sends the calculated result to the authorized user, and the authorized user receives the returned result and then calculates The authorized user selects the vector c ∈ Z r , lets c ⋅ A y = (1, 0, ⋯, 0), and calculates ∑ y∈S ID c λ y G−ω y H ID ð ÞnG À Á ¼ sG: Table 1 User attribute list The authorized user calculates C−sG ¼ M : The original data M are obtained.
Step 5. Update Key For attribute x, the data owner randomly selects h x ∈ Z r and h x ≠ k x , and sends k x and h x to the key generator and attribute authorizer in the attribute key management system. The key generator updates the public key: The attribute authorizer searches for the user set RL x that has the attribute x according to k x and updates the corresponding attribute value to h x . The new user private key of the attribute x is The data owner randomly selects e s∈Z p , uses the same access control strategy (A, ρ) as previously defined, randomly selects the parameters e v 2 ; e v 3 ; ⋯; e v l ∈Z p , defines the vector e v ¼ e s; e v 2 ; e v 3 ; :::;e v l ð Þ T , and computes the inner product e λ x ¼ A x ⋅e v for each row A x of matrix A. The data owner then randomly selects the parameters e u 2 ; e u 3 ; ⋯; e u l ∈Z p , defines the vector e u ¼ 0; e u 2 ; e u 3 ; ⋯; e u l ð Þ T , and calculates the inner product e ω x ¼ A x ⋅e u for each row A x of the matrix A. The data owner outputs the updated ciphertext Step 6. Delete Data The data owner sends a key update request to the attribute authorizer. First, randomly select h x ∈ Z r and h x ≠ k x , and then send the original attribute value k x of the attribute x and the updated attribute value h x to the attribute authorizer. The attribute authorizer finds the user set RL x , owns the attribute according to k x , and then replaces k x with h x . The user private key after the attribute value is replaced is The public key remains When the authorized user in the user set RL x decrypts the ciphertext, the attribute authorizer calculates (C 2, x , ρ(x)) for each attribute x∈S ID RLx .
Return the result to the authorized user. After the authorized user receives the result, it calculates Therefore, the ciphertext cannot be decrypted, and the deletion operation of the encrypted data is realized.
Step 7. Verification The attribute authorizer hashes the attribute list of each user in units of users, and then uses the hash value X ID of each column of the attribute list as the leaf node of the hash tree to establish a hash tree and obtain the hash tree root value R. The data owner also maintains a list of attributes of an authorized user, uses the same hash function as the attribute authorizer to calculate the hash values e X ID of each attribute list of the user, and generates a hash tree. When the data owner verifies whether the attribute authorizer performs an update or delete operation, the root value R of the updated attribute list hash tree is sent to the data owner by requesting the attribute authorizer, and the data owner updates the hash value e X RL x of the user set RL x . Calculate the local hash tree root value e R using the hash value e X RL x and the auxiliary authentication information Ω RL x . If e R ¼ R, the attribute update operation requested by the data owner is successful; otherwise, the request execution fails.

Choose plaintext attack
Theorem 1 If the PPT adversary A that can break the proposed scheme in this paper with the non-negligible advantage ε = Ad exists, then the PPT algorithm B that can overcome the ESAD scheme with the advantage ε 2 exists.
Let G be the generator of group P of order r. Randomly select a, b ∈ Z r , β ∈ {0, 1} and R ∈ P. If β = 0, then Z = abG; otherwise, when β = 1, Z = R. We will construct simulator B to break the deterministic DDH assumption.

1) Initialization. Adversary A chooses a challenge access
structure (A, ρ) and sends it to B. 2) Setup. Simulator B randomly selects k i ∈ Z r for each attribute i and calculates PK i = k i aG as a public key. 3) Phase 1. Adversary A adaptively performs a key generation query for the user identity ID j and the user attribute set S j to B. According to the rule, for each identity ID j , if S j satisfies the access control structure (A, ρ), then ⊥ is output. Otherwise, B responds by recording this attribute i on the attribute list that corresponds to ID j . For each j ∈ S i , B computes SK j;ID j ¼ k j a þ H ID j À Á n as its secret key, and then sends it to A. 4) Challenge. Adversary A submits ciphertexts M 0 and M 1 of the same length to B. B randomly chooses the parameters and s ∈ Z r , then generates the challenge ciphertext C = M β + sG. B randomly selects the parameters v 2 , v 3 , ⋯, v l ∈ Z p , defines the vector v = (s, v 2 , v 3 , ⋯, v l ) T , and calculates the inner product λ x = A x ⋅ v for each row A x of the matrix A. B randomly selects the parameters u 2 , u 3 , ⋯, u l ∈ Z p , defines the vector u = (0, u 2 , u 3 , ⋯, u l ) T , and calculates the inner product ω x = A x ⋅ u for each row A x of the matrix A. B generates the challenge ciphertext Þ and sends to it adversary A. 5) Phase 2. As described in Phase 1, adversary A may submit additional key queries (i, ID) without violating the constraints. 6) Guess. Adversary A outputs the guess β ' of β. If β = β ' , B outputs 0 to indicate that Z = abG in the previous game; otherwise, B outputs 1 to guess Z = R. If Z = abG, then CT is a real ciphertext; thus, this process concludes that When Z = R, M β is completely random to the attacker, which yields The advantage to break this security games is Therefore, B can simulate a deterministic DDH hypothesis with a non-negligible advantage.

Collusion attack
To ensure the security of ciphertext in the cloud, the ESAD scheme defends against collusion attacks by introducing user ID into the private key of the users. To prove that the ESAD scheme can resist collusion attacks, assume that Alice intends to collaborate with Bob to decrypt the ciphertext in the access structure A ∧ B ∧ (C ∨ D). Alice only has attributes A and B, and Bob only has attribute C. Alice and Bob cannot separately decrypt the ciphertext, but if they collude with each other, the ciphertext is decrypted using their private key. The calculation process is described as follows: Alice sends partial ciphertext to the attribute authorizer, which returns the partial decryption result λ x G − H(ID Alice )ω x nG for each attribute x ∈ {A, B}. Bob sends partial ciphertext to the attribute authorizer for the partial decryption result λ C G − H(ID Bob )ω C nG. In general, an authorized user can select the vectorc ∈ Z r to obtain the sG by calculation. When Alice and Bob have different IDs, Then there is Therefore, the original ciphertext cannot be decrypted, and the collusion attack is invalid.

Solution analysis and performance analysis
This paper uses the cloud storage platform of the Alibaba Cloud (equipped with a CentOS 7.3 64-bit system, 4-core CPU with a main frequency of 2.5GHz, 16GB memory, intranet broadband of 0.8 Gbps, a public network broadband of 100 Mbps, a system disk with a high efficiency cloud disk of 40 GB) to store ciphertext. The remaining components are deployed on the physical host of the lab. The specific hardware configuration is Inter(R) Core (TM) i5-2400 3.10 GHz; the memory is 2 GB; the operating system is the Ubantu 14.04.5 LTS server; the kernel version number is 4.4.0-31generic; and the maximum bandwidth is 100Mbit/s. The 160 b elliptic curve group based on the super-singular curve y 2 = x 3 + x on the 512b finite field is employed; the encryption algorithm uses the algorithm library PBC; the test program is written in C language; and the length of the key is 160 bits.
The ESAD scheme proposed in this paper is compared with several assured deletion schemes. The comparison considers the scheme functionality, communication costs, and computing performance. To illustrate the functional advantages of the ESAD scheme, it is compared with the ISS scheme [10] and the ADBST scheme [11], which is based on the key management and the CP-ABE-R scheme [13] and the AD-KP-ABE scheme [15], which is based on the access control strategy. The remainder of the comparison is only compared with the CP-ABE-R scheme and the AD-KP-ABE scheme of the same type as the ESAD scheme. The descriptors are described as follows: |C 1 | indicates the length of the data elements in G; |C p | indicates the length of the data elements in Z p ; |C M | indicates the length of the plaintext; |C T | indicates the length of the elements in the G T ; t indicates the number of attributes in the system; k indicates the number of attributes of the user key; n attr represents the total number of all user attributes; n user represents the total number of users in the entire system; n ra represents the number of attributes revoked in the system; n col represents the number of columns in the ciphertext access structure; and n str represents the total number of attributes in the access structure.

Function description
Functional comparisons are primarily compared in terms of security and fine-grained access control. As shown in Table 2, the ESAD scheme implements user revocation at the attribute level. When an attribute of users is revoked, it does not affect the normal access of other legitimate attributes of the users. The ESAD scheme can effectively resist various attacks and prevent system failure caused by failures of a single point. Although the AD-KP-ABE scheme also implements attribute-level user revocation, it cannot resist collusion attacks and sniffing attacks compared with the ESAD scheme, and cannot prevent failures of a single point. Thus, the security is poor. The CP-ABE-R scheme implements system-level user revocation. Once an attribute of the user is revoked, the user loses access to all other legal attributes in the system and is inferior to the ESAD scheme and the AD-KP-ABE scheme in terms of fine-grained access control. Since the CP-ABE-R scheme applies the LSSS to process the keys, the CP-ABE-R scheme can prevent failures of a single point. The ISS scheme is highly secure and can prevent failures of a single point but does not implement fine-grained access control. The ADBST scheme does not prevent failures of a single point and does not implement fine-grained access control for ciphertext. The ESAD scheme has higher security than other schemes and has achieved fine-grained access control for ciphertext. Table 3 compares the communication costs of the ESAD scheme with costs of the AD-KP-ABE scheme and the CP-ABE-R scheme. Communication costs are primarily generated by keys and ciphertext. The communication between AKMS and DO is attributed to the key and the revocation request. For the ESAD scheme, since the least public key is employed, and the deletion operation only sends the attribute to be deleted, the communication overhead is lower than that of the other two schemes. The communication between AKMS and AU is primarily generated by a private key. However, in the ESAD scheme, the private key is stored in the attribute authorizer. When the authorized user decrypts the ciphertext, only the ciphertext content related to the user attribute needs to be sent to the authorized user for partial decryption, and then the user is authorized to return the result. Thus, the communication overhead is very low. The remaining two schemes need to send all private keys; thus, the communication overhead is large. The communication overhead between CSP and DO and AU is primarily related to ciphertext. In the AD-KP-ABE scheme, the CSP is responsible for the ciphertext update and then returns the verification result; thus, the communication overhead of CSP and DO in the AD-KP-ABE scheme is larger than the other two schemes. In terms of communication overhead between CSP and AU, the communication overhead of the three schemes are similar. In general, the ESAD solution is better than the other two solutions in terms of communication overhead.

Calculation performance
In this paper, the three schemes are compared in terms of key generation time, encryption time, decryption time and data deletion time. The data file with size 1 M is employed, and n col = 4, n ra = 1 and n user = 10 are employed [10]. As shown in Fig. 4, the key generation time and the number of user attributes linearly increase. The key generation time of the ESAD scheme is the shortest time, whereas the key generation time of the CP-ABE-R scheme is the longest time. As the key generation of the ESAD scheme is only related to the number of user attributes, the AD-KP-ABE scheme is related to the number of attributes in the entire access structure, and the key generation time of the CP-ABE-R scheme is related to not only the number of the user attributes but also the ciphertext access structure column vector n col and the number n user of users, the key generation time of the CP-ABE-R scheme is considerably higher than the other two schemes.
As shown in Fig. 5, the encryption time increases linearly with the number of attributes in the access structure. The encryption time of the ESAD scheme is the shortest, the encryption time of the AD-KP-ABE scheme is slightly higher than that of the ESAD scheme, and the encryption time of the CP-ABE-R scheme is much larger than other schemes. The file encryption time of the CP-ABE-R scheme is related to not only the number of attributes in the access structure but also the column vector n col of the access structure matrix. Although the ESAD scheme is also related to the two aspects, the encryption operation of ESAD is only a simple scalar multiplication operation on the access control matrix. However, the CP-ABE-R scheme is to operate on the bilinear pair, which causes a large time overhead. Thus, the encryption time of the CP-ABE-R scheme is considerably larger than the encryption time of other schemes.
As shown in Fig. 6. The decryption times of the ESAD scheme and the AD-KP-ABE scheme and the CP-ABE-R scheme increase with an increase in the number of decryption attributes. However, the ESAD scheme significantly reduces the decryption time of the users. As the number of attributes increases, the decryption time overhead difference of the three schemes gradually increases. That is, when the number of attributes is sufficiently large, the decryption time of the ESAD scheme is significantly better than the decryption time of the other two schemes. Figure 7 shows the relationship between the data deletion time and the number of attributes. When deleting data, the key or ciphertext needs to be updated. The ESAD scheme has the shortest time expenditure among the three schemes. The data deletion time of the three schemes does not change with the number of attributes, and is stable within a certain range of values. The ESAD scheme and the CP-ABE-R scheme primarily update the key; however, the AD-KP-ABE scheme primarily updates the ciphertext. The data deletion efficiency of the ESAD scheme and the AD-KP-ABE scheme is significantly better than the CP-ABE-R scheme. However, the ESAD scheme and the AD-KP-ABE scheme need to verify the deletion results of the data after deleting the data, which increases the time overhead of the two schemes. When Table 3 Comparison of communication costs   Scheme  ESAD  AD-KP-ABE  CP-ABE-R AKMS&DO t|C 1 | + (n ra + 1)|C p | ( n attr + 2)|C 1 | + |C T | + (n attr + n ra + 1)|C p | ( n col ⋅ t + 6)|C 1 | + |C T | + |C p | AKMS&AU 2k|C 1 | | C 1 | + (n str + 2)|C p | + |C T | k þ 3 þ n col ð Þlbn user þ 1 ð ÞC 1 j j þ n col ⋅n str þ 1 ð ÞC T j j CSP&DO (n col ⋅ n str )|C p | + |C M | + 2n str |C 1 | | C M | + (n attr + 1)|C 1 | + (n attr + n ra + 1)|C p | 3 | C 1 | + (n col ⋅ n str + 1)|C T | + |C M | CSP&AU (n col ⋅ n str )|C p | + |C M | + 2n str |C 1 | | C M | + (n attr + 1)|C 1 | + n str |C p | 3 | C 1 | + (n col ⋅ n str + 1)|C T | + |C M | 6 8 10 12 14 16 Number of attributes

Conclusion
This paper proposes an efficient cloud data assured deletion scheme that enables users to encrypt and decrypt and delete original data in a short period. In this scheme, if the attribute authorizer changes the attribute value of the maintained user attribute list, and the data owner does not update the public key, the user whose attribute is revoked cannot decrypt the ciphertext of the cloud, only the attribute satisfies the access policy and users who have not been revoked can successfully decrypt the ciphertext. Thus, fine-grained access and deletion of cloud data are achieved. Based on the DDH hypothesis, this paper makes a security proof of the selected access structure plaintext attack using the scheme in the standard model. The performance analysis and experimental verification of the scheme are performed. The experimental results show that compared with the existing schemes, the scheme has distinct advantages in terms of system function and time overhead.
With an increase in the encrypted files, the time advantage will be more distinct. The scheme also realizes the reasonable allocation of the work in the system, which reduces the computational overhead of a single party and increases the communication overhead. However, this allocation can be disregarded as only a small amount of information is required to be transmitted. However, when the number of users of the ESAD scheme increases, the attributes list maintained by the attribute authorizer will also increase, which will increase the time overhead of data deletion and verification. Solving the problem that deletion and verification efficiency decrease with an increase in the number of users needs to be addressed in future studies.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.