A Traceable and Revocable Multiauthority Attribute-Based Encryption Scheme with Fast Access

School of Mathematics and Information Science, Shaanxi Normal University, Xi’an 710119, China School of Computer Science, Shaanxi Normal University, Xi’an 710119, China School of Computer Science and Technology, Xidian University, Xi’an, Shaanxi 710071, China Network Communication Research Centre, Peng Cheng Laboratory, Shenzhen 518055, Guangdong, China Guangxi Key Laboratory of Trusted Software, Guilin University of Electronic Technology, Guilin 541004, China


Introduction
In recent years, the rise of the Internet of things [1] has promoted the application and development of sensor technology [2][3][4]. As an important sensing paradigm, mobile crowdsensing [5] has been widely used in various industries due to its large coverage area and low deployment cost. One of the most significant services for mobile crowdsensing is cloud storage [6], which supports large-scale data sharing. In cloud storage, individuals or organizations often need to share sensitive data with the users whose attributes satisfy a specific policy. For example, a patient wants to share his medical data with the nurses and doctors in neurosurgery, but he does not know the identities of those nurses and doctors. Security is a very important issue [7,8] on the Internet, and a potential solution for achieving data security is to encrypt the sensitive data before sharing it via the cloud. Unfortunately, traditional public key encryption [9] requires the data owner to know the receiver's exact identity, so it is not suitable for the above scenario.
To address this issue, ciphertext-policy attribute-based encryption (CP-ABE) [10,11] was introduced as an expansion of the traditional public key encryption. In CP-ABE, the user's secret key is associated with his attributes, and the ciphertext is associated with an access policy, which is defined in the form of Boolean formula over a set of attributes; the user can decrypt the ciphertext only when his attributes satisfy the access policy. By using CP-ABE in the above example, the patient can encrypt the medical data with the access policy ("Doctor" AND "Neurosurgery") OR ("Nurse" AND "Neurosurgery") and upload the ciphertext to the cloud; then, only nurses and doctors in neurosurgery can access the medical data.
In the typical CP-ABE system, a single central authority manages all attributes and generates all users' decryption keys. However, many scenarios require multiple authorities to manage different attribute domains. For instance, a patient wants to share his medical document with users who hold the attribute "Doctor" issued by a hospital and the attribute "Researcher" issued by a medical research institute. To solve this problem, Chase [12] introduced multiauthority attribute-based encryption (MA-ABE), in which different authorities manage different attribute sets and each authority issues secret keys only for the attributes it manages. However, before MA-ABE can be applied in practice, the following issues need to be solved. The standard MA-ABE suffers from the decryption key abuse problem. In multiauthority ciphertext-policy attribute-based encryption (MA-CP-ABE), the decryption privilege is based only on the user's attributes, and the ciphertext does not contain the user's identity information. Hence, a ciphertext can be decrypted by multiple users with the same attributes. For example, if Alice and Bob both have the attributes {"Researcher," "Neurosurgery"}, then both of them can decrypt a ciphertext associated with the access policy ("Doctor" AND "Neurosurgery") OR ("Researcher" AND "Neurosurgery"). In the MA-CP-ABE system, if a malicious user who has the same attributes as others sells his decryption key on the Internet, how can the malicious user be identified?
Another major issue in MA-ABE is malicious user revocation. In the MA-CP-ABE system, decryption keys may be compromised, and the corresponding malicious users should be removed from the system. Hence, a user revocation mechanism should be designed for the MA-CP-ABE system. User revocation mechanisms are divided into direct revocation and indirect revocation. In direct revocation, the data owner encrypts the data under a specified revocation list, and the revoked users who are in this list cannot decrypt the corresponding ciphertext. Unfortunately, the direct revocation mechanism requires each data owner to keep a list of revoked user identities and breaks user anonymity in the ABE system. In indirect revocation, the authorities help the nonrevoked users to update their decryption keys periodically, so the revoked users cannot decrypt the new ciphertexts. In this paper, we focus on the indirect user revocation issue in the MA-CP-ABE system.
One efficiency drawback of MA-ABE is the significant cost of data access. In the MA-CP-ABE system, the number of resource-consuming pairing operations required to decrypt a ciphertext grows linearly with the number of attributes used for decryption, which makes data access too expensive. This drawback hinders the large-scale application of the MA-CP-ABE system on lightweight devices. For example, consider a medical cloud system based on MA-CP-ABE: the patients encrypt their data and upload the ciphertexts to the cloud, and a doctor may need to access the medical data in real time from a smartphone. Due to the expensive access cost, the traditional MA-CP-ABE system is obviously unsuitable in this scenario. Seeking to address the above issues, we first give the formal definition and security model for a traceable MA-CP-ABE (T-MA-CP-ABE) scheme and propose a concrete construction of T-MA-CP-ABE on prime order bilinear groups. Then, we prove that the construction is adaptively secure under the symmetric external Diffie-Hellman assumption and fully traceable under the q-Strong Diffie-Hellman assumption in the random oracle model. Based on the T-MA-CP-ABE construction, we further present a traceable and revocable MA-CP-ABE (TR-MA-CP-ABE) system for secure cloud storage. To the best of our knowledge, this is the first practical MA-ABE system that simultaneously supports traceability, revocation, and fast access. The major features of our TR-MA-CP-ABE system are outlined as follows:

Our Contributions.
(1) Multiauthority. There exist a central authority (CA) and multiple attribute authorities in our TR-MA-CP-ABE system. Each attribute authority (AA) is responsible for generating the user secret keys for the attributes under its control, and CA is responsible for tracing and revoking the malicious users. Unlike prior MA-ABE schemes, neither CA nor an AA can independently generate user decryption keys in our system, even for just one attribute. In addition, the access policies can be expressed as any monotone access structure, which makes our system more practical.
(2) Traceability. Our TR-MA-CP-ABE system supports white-box traceability (traceability can be divided into white-box traceability and black-box traceability: white-box traceability can catch the malicious user who leaks his decryption key to others, while black-box traceability can catch the malicious user who leaks a decryption black box). In our system, CA generates tracing information and user secret keys for the identity. If a malicious user leaks his decryption key to others, then CA can trace the malicious user's identity from the corresponding decryption key. By adopting a full signature technique, our system does not require any identity table for tracing, which significantly reduces the storage overhead for CA.
(3) Revocation. Our TR-MA-CP-ABE system supports indirect user revocation. If a malicious user is caught by CA, then CA adds his identity to a revocation list, and the AAs periodically update the attribute-based secret keys only for the users whose identities do not belong to the revocation list. Hence, the malicious users cannot obtain new decryption keys and cannot access new ciphertext data created in the current time period.
(4) Fast access. In our TR-MA-CP-ABE system, the number of pairings needed to decrypt a ciphertext is only 6, rather than increasing linearly with the number of attributes used during decryption. Furthermore, our decryption operation runs on prime order bilinear groups, which makes access significantly faster. The efficiency comparison shows that data access in our system is more efficient than in other related works. Table 1 compares the specific features of our TR-MA-CP-ABE system with the existing ABE schemes [13][14][15][16] that achieve multiauthority and traceability simultaneously.

Related Works.
Chase [12] introduced the notion of MA-ABE and gave the first concrete construction of MA-ABE. As CA is assumed to be able to decrypt every ciphertext in [12], Chase and Chow [17] proposed an MA-ABE scheme without any CA, which was limited to expressing a strict "AND" policy over a predetermined set of authorities. Later, Lewko and Waters [18] presented an adaptively secure MA-ABE scheme where a policy can be expressed as any monotone Boolean formula. Based on [18], Cui and Deng [19] presented a revocable MA-ABE that achieves attribute revocation. Zhang et al. [20] presented a shorter MA-ABE where a ciphertext can be decrypted with a constant number of pairing operations. Wang et al. [21] constructed an MA-ABE scheme from the LWE assumption. More recently, Xiong et al. [22] presented a revocable MA-ABE with outsourced decryption. However, none of these schemes considers the tracing problem.
Hinek et al. [23] proposed the first traceable CP-ABE, but their scheme only supports "AND gates with wildcard." To improve expressiveness, Liu et al. [24] presented the first traceable CP-ABE that supports monotone access structures. Later, Wang et al. [25] presented a traceable CP-ABE that can catch the malicious user who leaks a black-box decryption device. Ning et al. [26] presented a traceable and revocable CP-ABE that supports both accountable authority and public auditing. Liu and Wong [27] proposed a traceable and revocable CP-ABE for a large universe. Xu [28] constructed a traceable CP-ABE with short decryption keys. Recently, Han et al. [29] presented a traceable and revocable CP-ABE with hidden policy. Unfortunately, the above schemes only apply to the single-authority setting.
To address the key abuse problem in MA-ABE, Li et al. [13] presented a traceable MA-CP-ABE with limited access policy expressiveness and security. Later, Zhou et al. [14] proposed a revocable and traceable MA-CP-ABE that achieves high expressiveness and full security. However, there exist multiple CAs in their scheme, and each CA needs to maintain a tracing identity table. Yu et al. [15] constructed a traceable MA-CP-ABE without any identity table and proved it adaptively secure in composite order groups. Recently, Zhang et al. [16] presented a more efficient traceable MA-CP-ABE in prime order groups. Unfortunately, their scheme only achieves static security and does not support user revocation. In addition, the common efficiency drawback of these schemes is that the number of pairing operations required to decrypt a ciphertext increases linearly with the number of attributes satisfying the access policy, which presents significant challenges for users who access data from mobile devices.
1.3. Organization. Section 2 introduces the relevant preliminaries, which includes the access structure, bilinear group, and complexity assumptions. Section 3 gives the system architecture, algorithm definition, and security model of TR-MA-CP-ABE. Section 4 presents the detailed constructions and formal security analysis of T-MA-CP-ABE scheme. Section 5 designs a TR-MA-CP-ABE system and compares its efficiency with other related works. Section 6 concludes the whole paper.

Notations.
For convenience, we define some notations that will be used in this paper. For a finite set $S$, we denote by $s \leftarrow_R S$ the fact that $s$ is chosen uniformly at random from $S$. Let $\mathbb{Z}_p$ be the set $\{0, 1, 2, \dots, p-1\}$, where $p$ is a prime. Let $\mathbb{Z}_p^{n}$ and $\mathbb{Z}_p^{l \times n}$ denote the set of all $n$-dimensional vectors and the set of all $l \times n$ matrices ($l$ rows and $n$ columns) over $\mathbb{Z}_p$, respectively. We denote a matrix by a bold letter. For a matrix $\mathbf{A} \in \mathbb{Z}_p^{l \times n}$, let $\mathbf{A}^{\top}$ be the transpose of $\mathbf{A}$, and let $a_{ij} \in \mathbb{Z}_p$ be the $(i,j)$-th element (the $i$-th row and $j$-th column) of $\mathbf{A}$. For a group $G$, $g \in G$, and a matrix $\mathbf{A} \in \mathbb{Z}_p^{l \times n}$, we use $g^{\mathbf{A}}$ to denote the $l \times n$ matrix whose $(i,j)$-th element is $g^{a_{ij}}$. For a matrix $\mathbf{B} \in \mathbb{Z}_p^{n \times m}$, we
We can also denote the above inner product notation for row and column vectors as follows.

Access Structures
Definition 1 (Access structure [30]). Let $U$ be the attribute universe. An access structure $\mathbb{A}$ is a collection of nonempty subsets of $U$, i.e., $\mathbb{A} \subseteq 2^{U} \setminus \{\emptyset\}$. If for all $B, C$ we have $B \in \mathbb{A}, B \subseteq C \Rightarrow C \in \mathbb{A}$, then we say $\mathbb{A}$ is monotone. The sets in $\mathbb{A}$ are called authorized sets, while the sets not in $\mathbb{A}$ are called unauthorized sets.

Table 1: Features comparison with other related works. (Only the caption and footnotes of the table are preserved.)
1 AS represents adaptively secure, MAS represents supporting any monotone access structures, ZST represents zero storage cost for tracing, POG represents constructed in prime order groups, FA represents constant pairing operations for data access, and R represents revocation.
2 The scheme [13] achieves selective security and the scheme [16] only achieves static security.
3 In [13], their scheme only supports "AND gates with wildcard."
4 In [14], the number of identity tables for tracing is equal to the number of central authorities in the scheme.
5 In [13][14][15][16], the number of pairing operations for decryption grows linearly with the number of attributes used for decryption.
Definition 2 (Linear secret-sharing schemes (LSSS) [30]). A secret-sharing scheme $\Pi$ over the attribute universe $U$ is called linear over $\mathbb{Z}_p$ if
(1) the shares for each attribute form a vector over $\mathbb{Z}_p$;
(2) there exist a matrix $\mathbf{A} \in \mathbb{Z}_p^{l \times n}$ and a function $\rho: \{1, 2, \dots, l\} \to U$ satisfying the following: let the column vector $\vec{v} = (s, r_2, \dots, r_n) \in \mathbb{Z}_p^{1 \times n}$, where $s \in \mathbb{Z}_p$ is the secret to be shared, and $r_2, \dots,$
Let $\Pi$ be an LSSS for the access structure $\mathbb{A}$ and $(\mathbf{A}, \rho)$ be the access policy for $\mathbb{A}$. According to [30], LSSS enjoys linear reconstruction as follows. Let $S \in \mathbb{A}$ be an authorized set, and let $I = \{i :$
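As an added illustration (not code from the paper), the following Python script works Definition 2 through on this paper's running policy ("Doctor" AND "Neurosurgery") OR ("Nurse" AND "Neurosurgery"): it builds the policy matrix $(\mathbf{A}, \rho)$ with the Lewko-Waters formula-to-LSSS conversion (an assumption, since the paper only cites [30] and fixes no conversion), shares a secret as $\lambda_i = \mathbf{A}_i \cdot \vec{v}$, and recovers $s$ by linear reconstruction for authorized sets while rejecting unauthorized ones. The modulus `P` and the secret value are constructed stand-ins for the group order $p$ and a real session key.

```python
import secrets

# Constructed stand-in for the group order p (a 127-bit Mersenne prime).
P = 2**127 - 1

# The paper's running example policy, written as nested tuples:
# ("Doctor" AND "Neurosurgery") OR ("Nurse" AND "Neurosurgery").
POLICY = ("OR", ("AND", "Doctor", "Neurosurgery"),
                ("AND", "Nurse", "Neurosurgery"))


def policy_to_lsss(policy):
    """Convert a monotone Boolean formula into an LSSS access policy (A, rho).

    Lewko-Waters conversion (assumed here, not fixed by the paper): the root is
    labelled (1); an OR node passes its label to both children; an AND node
    with label v gives the left child (v, 1) and the right child (0, ..., 0, -1),
    growing the vector width by one. rho(i) names the attribute of row i of A.
    """
    rows, rho = [], []
    width = [1]  # current vector length, shared with the nested visitor

    def visit(node, label):
        if isinstance(node, str):            # leaf: one row per attribute use
            rows.append(list(label))
            rho.append(node)
            return
        op, left, right = node
        if op == "OR":
            visit(left, label)
            visit(right, label)
        elif op == "AND":
            c = width[0]
            padded = list(label) + [0] * (c - len(label))
            width[0] = c + 1
            visit(left, padded + [1])
            visit(right, [0] * c + [-1])
        else:
            raise ValueError("unsupported gate: %r" % (op,))

    visit(policy, [1])
    n = width[0]
    A = [r + [0] * (n - len(r)) for r in rows]  # pad every row to width n
    return A, rho


def share(A, s):
    """Share secret s: pick v = (s, r_2, ..., r_n) and output lambda_i = A_i . v."""
    n = len(A[0])
    v = [s % P] + [secrets.randbelow(P) for _ in range(n - 1)]
    return [sum(a * b for a, b in zip(row, v)) % P for row in A]


def reconstruction_coeffs(A, rho, attrs):
    """Find {w_i} with sum_i w_i A_i = (1, 0, ..., 0) over rows with rho(i) in attrs.

    Returns None when attrs is unauthorized (the linear system has no solution).
    """
    I = [i for i, a in enumerate(rho) if a in attrs]
    if not I:
        return None
    n, m = len(A[0]), len(I)
    # One equation per column j of A: sum_k w_k * A[I[k]][j] = e1[j].
    M = [[A[i][j] % P for i in I] + [1 if j == 0 else 0] for j in range(n)]
    pivots, r = [], 0
    for col in range(m):                     # Gauss-Jordan elimination mod P
        piv = next((k for k in range(r, n) if M[k][col]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][col], -1, P)
        M[r] = [x * inv % P for x in M[r]]
        for k in range(n):
            if k != r and M[k][col]:
                f = M[k][col]
                M[k] = [(x - f * y) % P for x, y in zip(M[k], M[r])]
        pivots.append(col)
        r += 1
    if any(M[k][m] for k in range(r, n)):    # 0 = nonzero: unauthorized set
        return None
    w = [0] * m                              # free unknowns are set to 0
    for row_idx, col in enumerate(pivots):
        w[col] = M[row_idx][m]
    return {I[k]: w[k] for k in range(m)}


def reconstruct(shares, coeffs):
    """Linear reconstruction: s = sum_i w_i * lambda_i (mod P)."""
    return sum(w * shares[i] for i, w in coeffs.items()) % P


def access_check(policy, attrs, secret=12345):
    """Return the recovered secret for attrs, or None if attrs is unauthorized."""
    A, rho = policy_to_lsss(policy)
    coeffs = reconstruction_coeffs(A, rho, attrs)
    if coeffs is None:
        return None
    return reconstruct(share(A, secret), coeffs)


if __name__ == "__main__":
    A, rho = policy_to_lsss(POLICY)
    for row, attr in zip(A, rho):
        print(row, "->", attr)
    for attrs in ({"Doctor", "Neurosurgery"}, {"Nurse", "Neurosurgery"},
                  {"Doctor", "Nurse"}, {"Neurosurgery"}):
        print(sorted(attrs), "recovers", access_check(POLICY, attrs))
```

Note that the shared attribute "Neurosurgery" occupies two rows of $\mathbf{A}$, so a user holding it contributes both rows to $I$ and the solver picks whichever row the authorized branch needs.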

Bilinear Groups and Assumptions.
Let $\mathcal{G}$ be an asymmetric bilinear group generator that takes as input a security parameter $\lambda$ and outputs a tuple $\mathbb{G} = (p, G_1, G_2, G_T, g_1, g_2, e)$, where $G_1$, $G_2$, and $G_T$ are cyclic groups of prime order $p$, $g_1$ (respectively, $g_2$) is a generator of $G_1$ (respectively, $G_2$), and $e: G_1 \times G_2 \to G_T$ is an efficiently computable bilinear map such that

Definition 3 (SXDH, Symmetric External Diffie-Hellman assumption [31]). The adversary $\mathcal{A}$'s advantage in the SXDH assumption is defined as

We say the SXDH assumption holds if for all polynomial-time adversaries $\mathcal{A}$ and both $i \in \{1, 2\}$,

Definition 4 (q-SDH, q-Strong Diffie-Hellman assumption [32]). The adversary $\mathcal{A}$'s advantage in the q-SDH assumption is defined as

We say the q-SDH assumption holds if for all polynomial-time adversaries $\mathcal{A}$, $\mathrm{Adv}$

Note that compared with the q-SDH assumption in [32], $g_1$ and $g_2$ have exchanged places here. However, this does not affect the security of the full signature scheme [32], that is, strong existential unforgeability under an adaptive chosen message attack based on the q-SDH assumption, because we also exchange the places of $g_1$ and $g_2$ in the full signature scheme. The modified full signature scheme (BB scheme) is briefly described as follows:
(i) KeyGen. The public key is $PK$, and the secret key is $SK = (g_2, a, b)$.
(ii) Sign (SK, M). Given a message $M$ and $SK$, pick , and set the signature as $(\sigma, r)$.
(iii) Verify (PK, M, σ, r). If $e(u g_1^{M} v^{r}, \sigma) = z$, it outputs 1, meaning that the signature $(\sigma, r)$ is valid. Otherwise, it outputs 0, meaning that the signature $(\sigma, r)$ is invalid.

Problem Formulation
In this section, we first describe the system architecture of our TR-MA-CP-ABE. Then, we give the formal algorithm definition and security model for the T-MA-CP-ABE and TR-MA-CP-ABE schemes.

System Architecture.
As shown in Figure 1, our TR-MA-CP-ABE system comprises the following entities: a cloud server (CS), a central authority (CA), multiple attribute authorities (AAs), data owners (DOs), and data users (DUs). The role of each party is described as follows:
(i) CS: CS is responsible for storing the ciphertexts and processing the ciphertext upload and download requests.
(ii) CA: CA is responsible not only for generating the identity keys for data users but also for tracing and revoking the malicious users.
(iii) AA: each AA generates the attribute keys for data users and updates the attribute keys for nonrevoked users.
(iv) DO: each DO encrypts his own data and outsources the corresponding ciphertext to CS.
(v) DU: each DU downloads the ciphertext from CS and accesses the corresponding data with his decryption key.
More specifically, CA generates its own public/secret key pair, publishes the CA public key, and uses the CA secret key to generate the identity keys for all DUs. Each AA generates its own public/secret key pair, publishes the AA public key, and generates the user keys corresponding to the attributes that it manages. Then, a DU uses the identity key and attribute keys to generate his own decryption key. Next, a DO encrypts the data under the public keys and an access policy and uploads the ciphertext to CS. Finally, the nonrevoked users can decrypt the ciphertext when their attributes satisfy the access policy, and other users cannot access the data. In our system, when a malicious user sells his decryption key, CA first identifies him by a tracing algorithm and then revokes him by adding his identity to a revocation list. Since the AAs will not update the attribute keys for users whose identities are in the revocation list, the malicious users cannot update their decryption keys and cannot access new ciphertext data.
In our system, DOs are fully trusted entities who honestly execute the encryption algorithm. CS, CA, and the AAs are all honest but curious: they correctly execute the algorithms of the system but try to learn any sensitive information about the data. Our system does not allow CS to modify or delete the stored ciphertexts, but it allows several corrupt AAs to attack an unauthorized ciphertext whose policy cannot be satisfied by the corrupt attributes. Note that the decryption key is generated by combining the identity key and the attribute keys, so neither CA nor an AA can independently construct the complete decryption key in our system. DUs are untrusted entities who may not only try to access unauthorized data but also sell their decryption keys on the Internet. To formally describe the above system and attacks, Section 3.2 defines the TR-MA-CP-ABE algorithms, and Section 3.3 presents an adaptive security model against an adversary who tries to learn any information about the unauthorized data and a traceability model against a malicious data user who leaks his decryption key.

Algorithm Definition.
A T-MA-CP-ABE scheme consists of eight algorithms:
(i) Global Setup (λ). On input a security parameter $\lambda$, it outputs the global parameters GP for the system.
(ii) CA Setup (GP). CA runs this algorithm with the global parameters GP as input and outputs its public/secret key pair (CPK, CSK).
(iii) AA Setup (GP, $S_j$). Each attribute authority $AA_j$ runs this algorithm with the global parameters GP and its attribute set $S_j$ as input and outputs its public/secret key pair $(APK_j, ASK_j)$.

Security Model.
We now describe the adaptive security model for the T-MA-CP-ABE scheme. In our security model, an AA can manage multiple attributes, while each attribute can be controlled by only one AA. Let $V$ be the attribute authority universe and $U$ be the attribute universe. The adaptive security game between a challenger and an adversary is defined as follows.
(ii) Phase 1. The adversary can repeatedly make two types of key queries as follows.
(1) CA key query. The adversary sends a user's identity GID to the challenger. The challenger returns the corresponding private key $CSK_{GID}$ to the adversary.
(2) AA key query. The adversary sends a pair $(S, GID)$ to the challenger, where GID is an identity and $S$ is a set of attributes belonging to noncorrupt AAs. The challenger returns the corresponding decryption key $SK_{S,GID}$ to the adversary. Note that the user's AA private key is part of his decryption key in our scheme, so the challenger gives the user's AA private key to the adversary in this query.
(iii) Challenge. The adversary submits two messages $M_0, M_1$ and an access policy $(\mathbf{A}, \rho)$, where $(\mathbf{A}, \rho)$ satisfies the following constraint. Let $S_{V'}$ denote the attributes controlled by corrupt AAs, and let $S_{GID}$ denote the attributes the adversary has queried for identity GID. For each GID, we require that $S_{V'} \cup S_{GID}$ does not satisfy $(\mathbf{A}, \rho)$. The challenger chooses a random coin $\beta \in \{0, 1\}$ and returns the ciphertext $CT^* = \mathrm{Encrypt}(GP, CPK, \{APK_j\}, M_\beta, (\mathbf{A}, \rho))$ to the adversary.
(iv) Phase 2. The adversary can make the key queries as in Phase 1, with the restriction on $(\mathbf{A}, \rho)$ described above.
(v) Guess. The adversary submits a guess $\beta' \in \{0, 1\}$ and wins if $\beta = \beta'$. The advantage of an adversary in this game is defined as $\Pr[\beta = \beta'] - 1/2$.

Definition 5.
A T-MA-CP-ABE scheme is adaptively (or fully) secure if for any probabilistic polynomial time adversary, its advantage is negligible in λ.
A T-MA-CP-ABE scheme is called selectively secure if the adversary must submit the access policy $(\mathbf{A}, \rho)$ before the Setup phase. A T-MA-CP-ABE scheme is called statically secure if the adversary must submit all queries immediately after seeing the global parameters. Our construction will be proved adaptively secure, without either of the above restrictions.
Traceability of the T-MA-CP-ABE scheme is described by the following game:
(i) Setup. The challenger runs the global setup, CA setup, and AA setup algorithms and then gives GP, CPK, and $APK_j$ to the adversary.
(ii) Key query. The adversary makes the following queries (4)

Definition 6.
A T-MA-CP-ABE scheme is fully traceable if for any probabilistic polynomial time adversary, its advantage is negligible in λ.
In our TR-MA-CP-ABE scheme, the AA key generation algorithm is the same as the AA key update algorithm. Hence, the security model of our TR-MA-CP-ABE scheme is the same as that of our T-MA-CP-ABE scheme.

Our T-MA-CP-ABE Scheme
In this section, we present a T-MA-CP-ABE scheme in an asymmetric bilinear group and prove that it is adaptively secure and fully traceable in the random oracle model.

Construction.
Inspired by [18,20], we adopt a hash function $H$ to map user identities to elements of the group $G_2$. Unlike [18,20], we use a CA to personalize the identity key for each user and the AAs to generate the corresponding attribute keys, so our construction supports multiple authorities and the AAs cannot obtain the user decryption key. Furthermore, we employ a full signature scheme [32] to realize traceability. More specifically, the CA injects the signature of the user identity into the user identity key and traces the user by his decryption key. We now present our T-MA-CP-ABE construction based on [18,20], in which each attribute authority $AA_j$ manages an attribute set $S_j$.
(i) Global Setup (λ). The algorithm first runs $\mathcal{G}(\lambda)$ to obtain $(p, G_1, G_2, G_T, g_1, g_2, e)$, where $G_1$, $G_2$, and $G_T$ are cyclic groups of prime order $p$, $g_1$ is a generator of $G_1$, $g_2$ is a generator of $G_2$, and $e: G_1 \times G_2 \to G_T$ is a bilinear map. It then samples $\mathbf{B} = (b_{ij})_{3 \times 3} \leftarrow GL_3(\mathbb{Z}_p)$ and sets $\mathbf{B}^* = (\mathbf{B}^{-1})^{\top}$ and 1. Then, CA publishes the public key $CPK = (cpk_1, cpk_2)$ and sets $CSK = (a, b)$ as its secret key.
(iii) AA Setup (GP, $S_j$). For each attribute $i \in S_j$, $AA_j$ Then, $AA_j$ publishes the public key $APK_j = \{apk_{i,1}, apk_{i,2}\}_{i \in S_j}$ and as its secret key.

(7)
If SK S,GID passes the above check, it outputs the identity K 1,GID . Otherwise, it outputs ⊤.

Security Analysis.
In this section, we first prove that our T-MA-CP-ABE scheme is adaptively secure under the SXDH assumption by a reduction to the underlying scheme of [20]. More specifically, we assume an adversary $\mathcal{A}$ breaks our T-MA-CP-ABE scheme in the random oracle model with advantage $\varepsilon$; then, we build a simulator $\mathcal{B}$ that breaks the scheme of [20] in the random oracle model with advantage $\varepsilon$. Then, we prove that our T-MA-CP-ABE scheme is fully traceable under the q-SDH assumption by a reduction to the signature scheme of [32]. More specifically, we assume an adversary $\mathcal{A}$ breaks our T-MA-CP-ABE scheme in the traceability game; then, we build a simulator $\mathcal{B}$ that breaks the signature scheme of [32] under an adaptive chosen message attack.

Adaptive Security.
Note that there are two typos in the scheme of [20] (which prevent the encryption and decryption algorithms from being executed completely) that should be corrected: $C_{1,x}$ should be corrected as and $SK_{GID,i}$ should be corrected as $SK_{GID,i} = g^{\vec{k}_i}$

Lemma 1 (see [20]). If the SXDH assumption holds, then the ZCGM1 scheme is adaptively secure in the random oracle model.

Lemma 2.
Assuming that the ZCGM1 scheme [20] is adaptively secure, our T-MA-CP-ABE scheme is adaptively secure.
Proof. Let C denote the challenger corresponding to B in the adaptive security game of ZCGM1 scheme.
(i) Setup. When $\mathcal{B}$ receives the global parameters GP from $\mathcal{C}$, it picks $a, b \leftarrow_R \mathbb{Z}_p$ and computes Then, $\mathcal{B}$ stores $(a, b)$ and sends GP and $CPK = (cpk_1, cpk_2)$ to $\mathcal{A}$. Next, $\mathcal{A}$ submits a corrupt AA set $V' \subseteq V$ to $\mathcal{B}$, and $\mathcal{B}$ submits $V - V'$ to $\mathcal{C}$ to request the AA public keys for the noncorrupt AAs. When $\mathcal{B}$ obtains the AA public keys $\{APK_j\}_{j \in V - V'}$ from $\mathcal{C}$, it sends $\{APK_j\}_{j \in V - V'}$ to $\mathcal{A}$.
). Then, $\mathcal{B}$ com-
(iv) Phase 2. The adversary makes the key queries as in Phase 1, but with the restriction on $(\mathbf{A}, \rho)$ described above. $\mathcal{B}$ responds to the queries in the same way as in Phase 1.
Since $\mathcal{B}$ perfectly simulates the ZCGM1 security game for $\mathcal{A}$, the advantage of $\mathcal{B}$ in breaking the ZCGM1 scheme equals the advantage of $\mathcal{A}$ in breaking our scheme.

Theorem 1. If the SXDH assumption holds, then our T-MA-CP-ABE scheme is adaptively secure.
Proof. This proof follows directly from Lemmas 1 and 2.

Traceability.
Now, we prove that our T-MA-CP-ABE scheme is fully traceable by a reduction to the BB scheme [32], which is strongly existentially unforgeable.

Lemma 3 (see [32]). If the q-SDH assumption holds, then the BB scheme is strongly existentially unforgeable under an adaptive chosen message attack.

Lemma 4.
Assuming that the BB scheme [32] is strongly existentially unforgeable under an adaptive chosen message attack, then our T-MA-CP-ABE scheme is fully traceable in the random oracle model.
Proof. Let $(p, G_1, G_2, G_T, g_1, g_2, e)$ be a prime order bilinear group, and let $(p, g_1, g_2, g_1^{a}, g_1^{b})$ be the public key of the BB scheme. Let $S_j$ be the attribute set managed by attribute authority $AA_j$, and let $\mathcal{C}$ be the challenger corresponding to $\mathcal{B}$ in the BB security game.
(i) Setup. When $\mathcal{B}$ receives the public key $(p, g_1, g_2, g_1^{a}, g_1^{b})$, and sets $CPK = (cpk_1, cpk_2)$. For each attribute $i \in S_j$, $_2)$, and sets $APK_j = \{apk_{i,1}, apk_{i,2}\}_{i \in S_j}$. Finally, $\mathcal{B}$ sends the global parameters GP, the CA public key CPK, and the AA public keys $APK_j$ to $\mathcal{A}$. $\mathcal{B}$ stores $(\vec{b}_1, \vec{tk}_i, tY_i)$ and controls the random oracle $H$.
(ii) Key query. In this phase, $\mathcal{A}$ queries the CA keys corresponding to $\{GID_i\}_{i=1}^{m}$ and the AA keys corresponding to $\{(S_i, GID_i)\}_{i=1}^{m}$. $\mathcal{B}$ initializes two empty tables $Q_1$ and $Q_2$ and answers $\mathcal{A}$'s queries as follows:
(1) Random oracle hash query. When $\mathcal{A}$ submits an identity GID to $\mathcal{B}$ to request the corresponding random oracle hash value $H(GID)$, $\mathcal{B}$ first searches for the entry $(GID, \vec{t}_{GID}, g_2^{\vec{t}_{GID}})$ in $Q_1$. If such an entry exists, $\mathcal{B}$ returns $g_2^{\vec{t}_{GID}}$. Otherwise,
(2) CA key query. When $\mathcal{A}$ submits an identity $GID_i$ to $\mathcal{B}$ to request the corresponding CA key $SK_{GID_i}$, $\mathcal{B}$ first searches for the entry Otherwise, $\mathcal{B}$ submits $GID_i$ to $\mathcal{C}$ to request the corresponding signature. When $\mathcal{B}$ receives as the corresponding CA private key. Finally, $\mathcal{B}$ sends $SK_{GID_i}$ to $\mathcal{A}$ and stores it in $Q_2$.
(3) AA key query. When $\mathcal{A}$ submits a pair $(S_i, GID_i)$ to $\mathcal{B}$ to request the corresponding decryption key $SK_{S_i, GID_i}$, $\mathcal{B}$ first searches for the CA key If no such entry exists, $\mathcal{B}$ generates the CA key $SK_{GID_i}$ as in (2) and stores it in
(iii) Key forgery. $\mathcal{A}$ returns a decryption key $SK^*$ to $\mathcal{B}$. If $\mathcal{A}$ wins this game, then $\mathrm{Trace}(GP, CPK, \{APK_j\}, SK, SK^*) \notin \{\top, GID_1, \dots, GID_m\}$. Therefore, the decryption key $SK^* = (K_{1,GID}, K_{2,GID}, \{SK_{i,GID}\}_{i \in S})$ passes the key sanity check, and $K_{1,GID} \notin \{GID_1, \dots, GID_m\}$. Hence, $K_{1,GID} \in \mathbb{Z}_p$, $K_{2,GID} \in \mathbb{Z}_p$, $\exists i \in S$ s.t. $SK_{i,GID} \in G_2^{3}$, and $e(g_1^{\vec{b}_1 K_{1,GID}} cpk_1\, cpk$ $\mathcal{B}$ queries the random oracle hash $H(K_{1,GID})$ as in (1) and gets the record $(K_{1,$ from $SK_{i,GID}$ and sets Since $e(g_1^{a} g$ can output a valid signature $(\sigma, K_{2,GID})$ on the message $K_{1,GID}$ in the BB security game. Note that $K_{1,GID} \notin \{GID_1, \dots, GID_m\}$, so $\mathcal{B}$ has never queried a signature on $K_{1,GID}$, and thus $\mathcal{B}$ wins the BB security game. Hence, if $\mathcal{A}$ breaks our T-MA-CP-ABE scheme in the traceability game with advantage $\varepsilon$, then $\mathcal{B}$ breaks the BB scheme with advantage $\varepsilon$. □

Theorem 2. If the q-SDH assumption holds, then our T-MA-CP-ABE scheme is fully traceable in the random oracle model.

Proof.
This proof follows directly from Lemmas 3 and 4.

Our TR-MA-CP-ABE System
Based on our T-MA-CP-ABE scheme, we design a TR-MA-CP-ABE system for secure and flexible data access control in cloud storage. In our system, each data owner can share his data with multiple data users whose attributes satisfy a specific access policy. Malicious users who leak their decryption keys on the Internet will be caught and revoked by CA. Furthermore, we give an efficiency comparison showing that our system accesses the data significantly faster than other related works.

Concrete System.
Inspired by [9,19], we extend our construction to realize malicious user revocation by adopting a hash function $F: \{0, 1\}^{*} \to \mathbb{Z}_p$ and a revocation identity list RL. In our TR-MA-CP-ABE system, CA adds the malicious user's GID to the revocation identity list RL in the user tracing and revocation phase, and the AAs help the nonrevoked users to update their decryption keys in the key update phase. More specifically, we first use the hash function $F$ to map the time period $T$ and user attribute $i$ into $\mathbb{Z}_p$, and then add $T$ to the system by embedding the element $F(T \| i)$ into the decryption key and the ciphertext. The malicious users' time elements will not be updated by the AAs, so they cannot update their decryption keys and cannot decrypt the new ciphertexts encrypted in the new time period.

System Initialization.
In this phase, CA generates the system parameters, the revocation list, and its public and secret keys. Each $AA_j$ creates a secret key for itself and a corresponding public key for public use.
$AA_j$ first runs the algorithm TMABE:AASetup(GP, $S_j$) to generate its own public key $APK_j$ and secret key $ASK_j$. Then, $AA_j$ keeps $ASK_j$ secret and publishes $APK_j$ to others.

User Registration.
When a data user wants to join the system, he should register himself with the CA and the relevant AAs. In this phase, CA issues the identity keys, and the AAs issue the attribute keys to the registered users. From the identity and attribute keys, the registered users can create their decryption keys, which can be used to decrypt policy-matching ciphertexts. First, the data user with identity GID makes a registration request to CA. CA runs the algorithm TMABE:CAKeyGen(GID, CSK, GP) to obtain $CSK_{GID} = (K_{1,GID}, K_{2,GID}, K_{3,GID}, K_{4,GID})$, sets $CSK_{GID}$ as the user identity key, and sends it to the data user.
Next, the data user submits his identity GID, his attribute set $S$, and $(K_{3,GID}, K_{4,GID})$ to the relevant authorities $AA_j$. For each attribute $i \in S \cap S_j$, $AA_j$ sets the corresponding user attribute key $SK_{i,GID}$ and sends it to the data user, where $T$ is a time period.
Finally, the user sets $SK_{S,GID} = (K_{1,GID}, K_{2,GID}, \{SK_{i,GID}\}_{i \in S})$ as his decryption key.

Data Outsource.
In this phase, each data owner encrypts his data with a specific access policy and then outsources the ciphertext data in the cloud. When a data owner wants to share data F with the specific data users, he should generate a ciphertext data that is composed of the body and header as follows.
First, the data owner picks a symmetric session key K ∈ G_T, uses it to encrypt the data F under a symmetric encryption algorithm (such as AES), and sets the resulting ciphertext CT_F as the ciphertext body. Then, the data owner encrypts the session key K ∈ G_T under an access policy (A, ρ) and a time period T′ as follows.

Data Access.
In our system, each data user can download any ciphertext data from the cloud server, but he can only recover the plain data of those ciphertexts he is able to decrypt. In this phase, the data user holds a decryption key SK_{S,GID} for an attribute set S and a time period T and tries to access the data in the cloud. The data user first requests the ciphertext he is interested in and gets the ciphertext (CT_K, CT_F) from the cloud server. Then, the data user checks whether he has the access permission or not. If S does not satisfy (A, ρ) or T ≠ T′, then he outputs ⊥, meaning that he cannot access this data. Otherwise, the data user runs the algorithm TMABE : Decrypt (GP, SK_{S,GID}, CT_K) and gets the session key K. Finally, the data user decrypts the ciphertext body CT_F with the key K and recovers the plain data F.

Key Update.
In this phase, AAs help the nonrevoked data users update their decryption keys for a new time period T″. When the data user wants to update his decryption key, he submits his identity GID, his attribute set S, and (K_{3,GID}, K_{4,GID}) to the relevant authorities AA_j. AA_j first checks whether the data user has been revoked or not. If GID ∈ RL, AA_j outputs ⊥, meaning that the revoked data user cannot update his decryption key. Otherwise, for each attribute i ∈ S ∩ S_j, AA_j computes the updated user attribute key SK_{i,GID} for the new time period T″. After that, AA_j sends the updated attribute keys {SK_{i,GID}}_{i∈S∩S_j} to the data user. Finally, the data user sets the decryption key as SK_{S,GID} = (K_{1,GID}, K_{2,GID}, {SK_{i,GID}}_{i∈S}), which can be used to decrypt the ciphertext data in the new time period T″.

User Tracing and Revocation.
In this phase, CA traces the malicious users who leak their decryption keys to others and revokes their access permissions in the system. When CA finds a decryption key SK_{S,GID} being sold on the Internet, it first runs the algorithm TMABE : Trace (GP, CPK, APK_j, SK_{S,GID}). If the algorithm outputs ⊤, CA outputs ⊤, meaning that SK_{S,GID} does not need to be traced. If the algorithm outputs an identity GID, then CA sets GID as the identity of the malicious user who leaked his decryption key SK_{S,GID}. Finally, CA adds GID to the revocation list RL and publishes the updated RL for public usage. As in [9,19], we view the hash function F as a random oracle, and our TR-MA-CP-ABE scheme has the same security conclusion as our T-MA-CP-ABE scheme. The correctness and security proofs are almost the same as those in Section 4.
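To make the interplay of the phases above concrete (registration, data outsourcing, data access, key update, and tracing with revocation), the following is an added Python model that is not part of the paper and not the paper's construction. It replaces the pairing-based MA-CP-ABE by a hash-based stand-in that only reproduces the access-control and revocation logic: the time element F(T‖i) is modelled as SHA-256(T‖i), an access policy is given as a DNF list of AND-clauses, the session key K is wrapped once per clause, and the symmetric cipher (AES in the paper) is a SHA-256 counter-mode keystream. Because anyone can compute the stand-in F(T‖i), this toy offers none of the scheme's confidentiality; the identities, attributes and time-period labels are constructed sample values.

```python
"""Toy model of the TR-MA-CP-ABE workflow (added example, not the paper's scheme).

Models only the access-control / revocation logic of the system phases:
CA issues identity keys and keeps the revocation list RL, AAs issue time-bound
attribute keys and refuse revoked GIDs, the data owner wraps a session key under a
policy and a time period, and a user decrypts only if his attributes satisfy the
policy and his key's time period matches the ciphertext's.
"""
import hashlib
import os
from typing import Dict, FrozenSet, List, Optional, Tuple

Policy = List[FrozenSet[str]]   # DNF: list of AND-clauses joined by OR (assumed toy form)
AttrKeys = Dict[str, bytes]     # attribute i -> time-bound element standing in for SK_{i,GID}


def F(time_period: str, attr: str) -> bytes:
    """Stand-in for F: {0,1}* -> Z_p; binds an attribute key to a time period."""
    return hashlib.sha256(f"{time_period}||{attr}".encode()).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the symmetric cipher: SHA-256 counter-mode keystream (toy, unauthenticated)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(xor(data[off:off + 32], ks))
    return bytes(out)


def kek_for_clause(clause: FrozenSet[str], elems: AttrKeys) -> bytes:
    """Key that wraps K for one clause; derivable only with F(T||i) for every i in the clause."""
    h = hashlib.sha256()
    for attr in sorted(clause):
        h.update(elems[attr])
    return h.digest()


class CentralAuthority:
    def __init__(self) -> None:
        self.RL = set()                          # revocation identity list

    def ca_keygen(self, gid: str) -> dict:
        return {"gid": gid}                      # identity key; GID is what Trace recovers

    def trace_and_revoke(self, leaked_key: dict) -> str:
        gid = leaked_key["gid"]                  # white-box tracing: key carries its GID
        self.RL.add(gid)
        return gid


class AttributeAuthority:
    def __init__(self, managed_attrs, ca: CentralAuthority) -> None:
        self.S_j = set(managed_attrs)
        self.ca = ca

    def attr_keys(self, gid: str, S, T: str) -> Optional[AttrKeys]:
        if gid in self.ca.RL:                    # key issue/update refused: GID in RL -> bottom
            return None
        return {i: F(T, i) for i in set(S) & self.S_j}


def make_decryption_key(identity_key: dict, S, T: str, authorities) -> Optional[dict]:
    """Registration (first T) or key update (later T): collect SK_{i,GID} from every AA."""
    elems: AttrKeys = {}
    for aa in authorities:
        part = aa.attr_keys(identity_key["gid"], S, T)
        if part is None:
            return None
        elems.update(part)
    return {"gid": identity_key["gid"], "T": T, "elems": elems}


def encrypt(data: bytes, policy: Policy, T_prime: str) -> Tuple[dict, Tuple[bytes, bytes]]:
    """Data outsource: header wraps session key K per clause; body is the encrypted data."""
    K, nonce = os.urandom(32), os.urandom(16)
    header = {"T": T_prime, "wrapped": {}}
    for clause in policy:
        header["wrapped"][clause] = xor(K, kek_for_clause(clause, {i: F(T_prime, i) for i in clause}))
    return header, (nonce, keystream_xor(K, nonce, data))


def decrypt(key: Optional[dict], header: dict, body: Tuple[bytes, bytes]) -> Optional[bytes]:
    """Data access: None (bottom) unless attributes satisfy a clause and T == T'."""
    if key is None or key["T"] != header["T"]:
        return None
    held = frozenset(key["elems"])
    for clause, wrapped in header["wrapped"].items():
        if clause <= held:
            K = xor(wrapped, kek_for_clause(clause, key["elems"]))
            nonce, ct = body
            return keystream_xor(K, nonce, ct)
    return None


def run_scenario() -> dict:
    """Constructed walk-through: access, leak, trace, revocation, key update."""
    ca = CentralAuthority()
    aas = [AttributeAuthority({"Doctor", "Nurse"}, ca),
           AttributeAuthority({"Neurosurgery", "Cardiology"}, ca)]
    policy = [frozenset({"Doctor", "Neurosurgery"}), frozenset({"Nurse", "Neurosurgery"})]
    alice_id, carol_id = ca.ca_keygen("alice"), ca.ca_keygen("carol")
    alice = make_decryption_key(alice_id, {"Doctor", "Neurosurgery"}, "T1", aas)
    bob = make_decryption_key(ca.ca_keygen("bob"), {"Nurse", "Cardiology"}, "T1", aas)
    hdr1, body1 = encrypt(b"medical record", policy, "T1")
    out = {"alice_T1": decrypt(alice, hdr1, body1), "bob_T1": decrypt(bob, hdr1, body1)}
    out["traced"] = ca.trace_and_revoke(alice)               # alice's key found leaked
    hdr2, body2 = encrypt(b"new record", policy, "T2")        # new time period
    out["alice_update"] = make_decryption_key(alice_id, {"Doctor", "Neurosurgery"}, "T2", aas)
    out["alice_old_key_T2"] = decrypt(alice, hdr2, body2)
    carol = make_decryption_key(carol_id, {"Nurse", "Neurosurgery"}, "T2", aas)
    out["carol_T2"] = decrypt(carol, hdr2, body2)
    return out
```

Running `run_scenario()` shows the intended behaviour of the phases: a user whose attributes satisfy a clause decrypts in the matching period, a non-satisfying user gets ⊥, the traced GID lands in RL so the AAs refuse its key update, and the stale key fails on the new period's ciphertext while a nonrevoked user with an updated key succeeds.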

Efficiency Comparison.
In this section, we give an efficiency comparison between our TR-MA-CP-ABE system and other T-MA-CP-ABE schemes, all of which support multiauthority and traceability. In Table 2, PK represents the public key (including the CA and AA public keys) size, DK represents the decryption key size, CT represents the ciphertext size, PID represents the number of pairing operations in decryption, and GO represents the group order. Let |U| be the number of attributes in the system, |V| the number of AAs in the system, D the number of CAs in the system, ρ the bit length of the user identity, |S| the number of attributes in the decryption key, l the number of rows of the matrix in the access policy, and |I| (|I| ≤ |S|, l) the number of attributes used for decryption.
As shown in Table 2, the number of resource-consuming pairing operations required to decrypt a ciphertext in [13][14][15][16] increases with the number of attributes used for decryption, while our TR-MA-CP-ABE system only needs to compute 6 pairings for decryption. Since an element in prime order groups is 12 times shorter than that in composite order groups [33], the storage overhead of our system is significantly smaller than that of the schemes [14,15], which are constructed in composite order groups. Compared with our TR-MA-CP-ABE system, the schemes [13,16] in prime order groups achieve a smaller public key size, but they neither achieve adaptive security nor support user revocation.
We evaluate our pairing operations in Python using the PBC library [34] with a type A curve. The experiment is performed on a MacBook laptop with a 2.8 GHz Intel Core i7 processor and 16 GB memory. Figure 2 illustrates the pairing costs for decryption in our TR-MA-CP-ABE system and in the other two T-MA-CP-ABE schemes [13,16] in prime order groups. We set |S| = |I| and ρ = 10 and increase the value of |I| from 1 to 50. It is easy to see that the pairing cost for decryption in our system is constant and significantly smaller than that of [13,16], which grows linearly with the number of attributes. Note that a pairing operation in prime order groups is about 100 times faster than that in composite (3 primes) order groups [35], which makes the data access speed in our system significantly faster than that in the schemes [14,15] constructed in composite order groups.

Conclusion and Future Work
In this work, we presented a traceable and revocable MA-CP-ABE system in prime order groups. Specifically, the proposed system has the following advantages: (1) the ciphertext cannot be decrypted by any individual authority, and the ciphertext policy can be any monotone access structure; (2) CA can not only catch the malicious user by his decryption key but also revoke the corresponding decryption privilege; and (3) the system achieves adaptive security and fast access. As far as we know, our TR-MA-CP-ABE system is the first MA-CP-ABE system that supports traceability, revocation, and fast access simultaneously. However, our system only supports white-box traceability: the decryption key leaked by the malicious user is assumed to pass the key sanity check. Hence, our system is not suitable for the black-box traceability scenario, in which the malicious user builds a decryption black-box from his decryption key and an unknown decryption algorithm and leaks the black-box instead of his decryption key. We leave it as our future work to obtain a black-box traceable and revocable MA-CP-ABE system with fast access.

Data Availability
No data were used to support the findings of this study.

Conflicts of Interest
The authors declare that they have no conflicts of interest.