Fully Constant-Size CP-ABE with Privacy-Preserving Outsourced Decryption for Lightweight Devices in Cloud-Assisted IoT

In recent years, ciphertext-policy attribute-based encryption (CP-ABE) has been recognized as a solution to the challenge of information privacy and data confidentiality in cloud-assisted Internet of Things (IoT). Since the devices in cloud-assisted IoT are generally resource-constrained, lightweight CP-ABE is better suited to the cloud-assisted IoT. How to construct a lightweight CP-ABE for the cloud-assisted IoT that achieves fine-grained access control and ensures privacy and confidentiality simultaneously is therefore a prominent challenge. Thus, in this paper, we propose a constant-size CP-ABE scheme with outsourced decryption for the cloud-assisted IoT. In our scheme, the ciphertexts and the attribute-based private keys of users are both of constant size, which alleviates the transmission overhead and reduces the occupied storage space. Our outsourced decryption algorithm is privacy-preserving, which means the proxy server learns nothing about the access policy of the ciphertext or the attribute set of the user while performing the online partial decryption algorithm. This prevents that private information from leaking to the proxy server. We rigorously prove that our scheme is selectively indistinguishable under chosen ciphertext attacks (IND-CCA) in the random oracle model (ROM). Finally, by evaluating and implementing our scheme as well as other CP-ABE schemes, we observe that our scheme is more suitable and applicable for the cloud-assisted IoT.


Introduction
IoT has been recognized as a new paradigm in the network and information area in recent years [1,2]. By means of the widespread deployment of spatially distributed devices, such as sensors, radio-frequency identification (RFID), wireless devices, and smartphones, IoT has strong sensing and actuation capabilities and makes existing information systems intelligent. Though IoT gives a new dimension to the Internet and envisions a future in which digital and physical entities can be linked anywhere [3][4][5], security is still a critical obstacle to the widespread adoption of the cloud-assisted IoT. To solve the security and privacy problems in the IoT environment, many works design authentication protocols [6] and signature schemes [7] for the Industrial Internet of Things (IIoT) [8,9], the Internet of Vehicles (IoV) [10,11], and RFID networks [12]. But how to design a one-to-many and fine-grained access control encryption mechanism for the cloud-assisted IoT is still an open issue.
In cloud-assisted IoT, the data owners and the users all use smart IoT devices. In the traditional cloud-assisted IoT system, data owners transmit the data to the cloud server over the transmission media and the users download the data from the cloud storage. A hacker can easily access and steal data stored in cleartext on the cloud storage. So, an encryption mechanism should be deployed in the cloud-assisted IoT architecture to ensure data confidentiality and prevent unauthorized access to the data [13,14]. Figure 1 shows the comparison of the traditional cloud-assisted IoT system and the encryption mechanism-based cloud-assisted IoT system. ABE [15] is a cryptographic primitive widely researched in recent years which supports one-to-many encryption and refines access control to the attribute level. So, ABE has been regarded as a powerful encryption mechanism for the cloud-assisted IoT. Particularly, CP-ABE [16][17][18], which is a type of ABE, enables the data owner to customize an access formula over a set of attributes for each ciphertext, and only if the user's attribute set meets the access policy can the user decrypt the ciphertext. So, in CP-ABE, the data owner can precisely control the access to his/her data, and this makes CP-ABE a more applicable encryption tool for the cloud-based system. Nevertheless, in cloud-assisted IoT, the devices are generally resource-constrained (e.g., limited battery life, storage, and computing capability); the traditional CP-ABE is too complex to be fit for purpose. In typical CP-ABE, as in [16][17][18], the ciphertext length grows linearly with the number of attributes in the access policy, and the size of the user's attribute-based private key also grows linearly with the size of the user's attribute set.
Furthermore, as the access structure becomes more complex, the decryption time for the user becomes longer, which not only increases the power consumption of the user's portable device but also makes the system less useful. To make CP-ABE applicable for lightweight devices in the cloud-assisted IoT, in this paper we propose a lightweight CP-ABE scheme with both constant-size ciphertexts and constant-size private keys. We also design a privacy-preserving outsourced decryption algorithm that relieves the users' computing burden. The privacy-preserving outsourced decryption algorithm protects the privacy of the users and the data owners from being divulged to the proxy server: during the online partial decryption phase, the proxy server learns nothing about the access policy associated with the ciphertext or the attribute set of the user. This prevents that private information from leaking to the proxy server. To rigorously prove that our scheme is selectively IND-CCA secure in the ROM, we reduce the security of our scheme to the n-aMSE-DDH problem [19][20][21].

Related Works.
Lately, researchers have improved CP-ABE in two ways to make pure CP-ABE schemes applicable for the resource-constrained devices in the IoT environment. One way is to construct lightweight CP-ABE to mitigate the transmission overhead of the system. The other way is to outsource the decryption phase to a proxy server to relieve the computing burden of users with IoT devices.

Constant-Size CP-ABE.
These works [20,22] construct constant-size ciphertext CP-ABE schemes which use the "Threshold Policy" as their access structure. The scheme in [21] improves the work [20] to obtain a constant-size ciphertext CP-ABE scheme based on the "Threshold Policy" without dummy attributes. Emura et al. [23] build a fully constant-size CP-ABE scheme with both constant-size ciphertexts and private keys, but the access structure in their scheme [23] is the less expressive "Strict AND-gate Policy." The works [24,25] use [23] as their base construction and therefore also use the less expressive "Strict AND-gate Policy." To make a trade-off between the expressiveness of the access structure and the scale of the scheme, Yang et al. [26], Doshi and Jinwala [27], and Han et al. [28] use the "AND-gate Policy with Wildcards" as their access structure to build CP-ABE schemes with constant-size ciphertexts. To further lighten CP-ABE schemes and reduce the transmission pressure, the schemes [19,29] use the "Tolerant AND-gate Policy based on Bits String" as their access structure, which encodes an access structure as a bit string.

[30]. But in their schemes, a malicious proxy server could return a wrong transformed ciphertext to the user by disloyally running the outsourced transforming algorithm. Thus, their scheme [30] does not strictly guarantee the correctness of the transformed ciphertext sent to users. To solve this flaw, Lai et al. [31] add a verification function to [30], but their scheme [31] adds some redundant components to the original ciphertext, which makes their ciphertext twice the length of the original ciphertext. To increase the efficiency of [31], Lin et al. [32], Qin et al. [33], and Mao et al. [34], respectively, designed CP-ABE schemes with outsourced decryption and efficient decryption verification simultaneously. All the schemes above [30-34] are based on [17]. Recently, Ning et al. [35] proposed an auditable σ-time outsourced CP-ABE scheme based on [18], which achieves higher security and resists various types of attacks such as key-leakage attacks. And some schemes [36-38] with different properties combine them with outsourced decryption to make the schemes more suitable for IoT devices. But the users in all the above outsourced CP-ABE schemes expose their attribute sets to the proxy server in order to run the semi-decryption, which leads to the disclosure of their privacy.

Figure 1: The comparison of the traditional cloud-assisted IoT system and the encryption mechanism-based cloud-assisted IoT system. (Figure labels: encrypt the data to a ciphertext in advance by using the encryption mechanism; the attacker cannot decrypt the ciphertext to detect the sensitive information.)

Preliminaries
Iff for all $i \in [1, n]$, $l_i = w_i$ holds, we say $L$ satisfies the policy $W$. The scheme in [23] uses the "Strict AND-gate Policy" as its access structure.

AND-Gate Policy with Wildcards.
Let $N = \{name_1, name_2, \dots, name_n\}$ be the set of attribute names, and let $S_i = \{v_{i,1}, v_{i,2}, \dots, v_{i,n_i}\}$ be the set of possible values of the name $name_i$. $L = [l_1, l_2, \dots, l_n]$ is the attribute set of a user, where $l_i$ is an element of $S_i$ ($l_i \in S_i$, $1 \le i \le n$). $W = [w_1, w_2, \dots, w_n]$ is an AND-gate policy with wildcards, where $w_i$ is an element of $S_i$ or the wildcard $*$ ($w_i \in S_i \cup \{*\}$, $1 \le i \le n$). $I_W$ is the set of indices $i$ ($1 \le i \le n$) for which $w_i \ne *$. Iff for all $i \in I_W$, $l_i = w_i$ holds, we say $L$ satisfies the policy $W$. The schemes in [26,27] use the "AND-gate Policy with Wildcards" as their access structure.

Tolerant AND-Gate Policy Based on Bits String.
Let $U = \{Attr_1, Attr_2, \dots, Attr_n\}$ be the attribute universe. $L = l_1 l_2 \cdots l_n$ is an $n$-bit string used to denote a user's attribute set, where $l_i \in \{0, 1\}$ ($1 \le i \le n$). If $l_i = 1$, the user has the attribute $Attr_i$; if $l_i = 0$, the user does not have the attribute $Attr_i$. $W = w_1 w_2 \cdots w_n$ ($w_i \in \{0, 1\}$, $1 \le i \le n$) is the policy $n$-bit string. If $w_i = 1$, the access policy $W$ requires the attribute $Attr_i$; if $w_i = 0$, the access policy $W$ does not care about the attribute $Attr_i$. $I_W$ is the set of indices $i$ ($1 \le i \le n$) for which $w_i = 1$; that is, $I_W = \{\, i \mid 1 \le i \le n,\ w_i = 1 \,\}$. $|I_W|$ denotes the size of $I_W$. Iff for all $i \in I_W$, $l_i = w_i = 1$ holds, we say the attribute set $L$ satisfies the access policy $W$. For instance, suppose $U = \{Attr_1, Attr_2, Attr_3, Attr_4, Attr_5\}$ and two attribute sets $L_1 = 10011$ and $L_2 = 00111$, and the access policy is $W = 10001$. Then $L_1$ satisfies $W$ and $L_2$ does not meet $W$. The schemes in [19,39] use the "Tolerant AND-gate Policy based on Bits String" as their access structure.
Through the description of the three types of AND-gate access structures, we can observe that the "AND-gate Policy with Wildcards" and the "Tolerant AND-gate Policy based on Bits String" are more flexible and expressive than the "Strict AND-gate Policy." Furthermore, encoding an access structure as a bit string compresses the size of the access structure, which also mitigates the communication burden. Our scheme uses the "Tolerant AND-gate Policy Based on Bits String" as its access structure.
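As an added illustration (this code is not part of the paper and implements none of its pairing-based scheme), the three AND-gate access structures defined above, evaluated in Python on the paper's own bit-string instance ($L_1 = 10011$, $L_2 = 00111$, $W = 10001$) together with constructed attribute names and values. The wildcard attribute names (Dept, Role, Level), the `encode_bit_string` helper and the `tolerant_and_gate_bitmask` variant are assumptions of this example, not notation from the paper:

```python
# Added example (not from the paper): the three AND-gate access structures
# from the Preliminaries, with constructed attribute names, values and policies.
from typing import Dict, Iterable, List, Sequence

WILDCARD = "*"


def strict_and_gate(L: Sequence[str], W: Sequence[str]) -> bool:
    """Strict AND-gate policy ([23]): L satisfies W iff l_i = w_i for all i in [1, n]."""
    if len(L) != len(W):
        raise ValueError("attribute list and policy must both have n entries")
    return all(l == w for l, w in zip(L, W))


def wildcard_index_set(W: Sequence[str]) -> List[int]:
    """I_W for a policy with wildcards: the 1-based indices i with w_i != '*'."""
    return [i + 1 for i, w in enumerate(W) if w != WILDCARD]


def and_gate_with_wildcards(L: Sequence[str], W: Sequence[str]) -> bool:
    """AND-gate policy with wildcards ([26,27]): l_i = w_i is required only for i in I_W."""
    if len(L) != len(W):
        raise ValueError("attribute list and policy must both have n entries")
    return all(L[i - 1] == W[i - 1] for i in wildcard_index_set(W))


def encode_bit_string(U: Sequence[str], attrs: Iterable[str]) -> str:
    """Encode a subset of the universe U = {Attr_1, ..., Attr_n} as the n-bit string L.

    Bit i is 1 iff Attr_i is in the set. A policy W is encoded the same way from the
    attributes it requires; attributes it does not care about become 0.
    (Helper constructed for this example.)
    """
    attrs = set(attrs)
    unknown = attrs - set(U)
    if unknown:
        raise ValueError(f"attributes not in the universe: {sorted(unknown)}")
    return "".join("1" if a in attrs else "0" for a in U)


def bit_index_set(W: str) -> List[int]:
    """I_W for a bit-string policy: the 1-based indices i with w_i = 1."""
    return [i + 1 for i, w in enumerate(W) if w == "1"]


def tolerant_and_gate(L: str, W: str) -> bool:
    """Tolerant AND-gate policy based on bit strings ([19,29]).

    L satisfies W iff l_i = w_i = 1 for every i in I_W; positions with w_i = 0 are
    ignored, so a user may hold attributes the policy does not mention.
    """
    if len(L) != len(W) or set(L + W) - {"0", "1"}:
        raise ValueError("L and W must be n-bit strings over {0,1}")
    return all(L[i - 1] == "1" for i in bit_index_set(W))


def tolerant_and_gate_bitmask(L: str, W: str) -> bool:
    """Same check on the packed integers the bit strings encode (variant assumed here):
    L satisfies W iff (L AND W) == W, i.e. the 1-bits of W are a subset of those of L."""
    if len(L) != len(W) or set(L + W) - {"0", "1"}:
        raise ValueError("L and W must be n-bit strings over {0,1}")
    l_bits, w_bits = int(L, 2), int(W, 2)
    return (l_bits & w_bits) == w_bits


def paper_example() -> Dict[str, bool]:
    """The instance from the text: U = {Attr_1..Attr_5}, L_1 = 10011, L_2 = 00111, W = 10001."""
    U = ["Attr1", "Attr2", "Attr3", "Attr4", "Attr5"]
    L1 = encode_bit_string(U, {"Attr1", "Attr4", "Attr5"})  # "10011"
    L2 = encode_bit_string(U, {"Attr3", "Attr4", "Attr5"})  # "00111"
    W = encode_bit_string(U, {"Attr1", "Attr5"})            # "10001"
    return {"L1": tolerant_and_gate(L1, W), "L2": tolerant_and_gate(L2, W)}


if __name__ == "__main__":
    print(paper_example())  # {'L1': True, 'L2': False}
    # Constructed wildcard instance: names (Dept, Role, Level), policy "CS, any role, level 2".
    print(and_gate_with_wildcards(["CS", "Student", "2"], ["CS", "*", "2"]))  # True
    print(strict_and_gate(["CS", "Student", "2"], ["CS", "*", "2"]))          # False
```

The bitmask variant makes the compression argument of the paragraph above concrete: a policy over an $n$-attribute universe occupies exactly $n$ bits, and the satisfaction test reduces to one AND and one comparison, whereas the wildcard and strict forms carry a value per attribute name. The example generalizes the page's single instance to the full satisfaction algorithm for each of the three structures.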

Bilinear Pairings.
$G_1$, $G_2$ are two elliptic-curve groups and $G_T$ is a multiplicative group. $g_0$ is a generator of $G_1$ and $h_0$ is a generator of $G_2$. $G_1$, $G_2$, $G_T$ all have prime order $p$. $e: G_1 \times G_2 \to G_T$ is the bilinear map. The terms $BP = \{G_1, G_2, G_T, p, g_0, h_0, e\}$ are called the bilinear pairing terms.

n-aMSE-DDH Problem [19-21].
Let $BP = \{G_1, G_2, G_T, p, g_0, h_0, e\}$ be the bilinear pairing terms. Let $f(x)$ and $\theta(x)$ be two coprime polynomials in
where "$\leftarrow_R$" means "randomly choose from." Give $(T, \vec{p})$ to any probabilistic polynomial-time (PPT) adversary. Then, no adversary has a nonnegligible advantage in distinguishing

System Architecture.
The framework of our cloud-assisted IoT system using our scheme is shown in Figure 2.
There are six entities involved in our system, which are stated as follows.

Attribute Authority (AA).
AA is in charge of initializing the system and generating the private keys for users.

Cloud Storage.
The cloud storage stores the ciphertexts for the data owners (DOs).

Data Owners (DOs).
DOs encrypt the data to ciphertexts and upload the ciphertexts to the cloud.

Users.
The users download the ciphertexts from the cloud storage and then retrieve the plaintext by the decryption algorithm. There are two types of users: users with PCs and users with smart IoT devices.
(i) Users with PCs: users with PCs retrieve the plaintext by running the local-decryption phase.
(ii) Users with IoT devices: users with smartphones or smart tablets retrieve the data by performing the privacy-preserving outsourced decryption phase.

3.1.5. Proxy Server.
Proxy servers take charge of running the online partial decryption algorithm for the users with smart IoT devices. Note that the proxy servers learn nothing about the user's attributes or the access policy associated with the ciphertext while running the partial decryption.

Algorithm Definitions.
The workflow of our cloud-assisted IoT system using our scheme is shown in Figure 3.
There are four algorithms in our scheme, described as follows.

3.2.1. Setup.
AA initializes the system by executing the Setup algorithm to export the public parameters PK and the master private key MK of the system. AA keeps the master private key private and publishes the public parameters to all the entities in the system.

AttrKeyGen.
A user forms his/her attribute set as a bit string and then sends the bit-string-based attribute set to the AA; AA runs the AttrKeyGen algorithm to generate the constant-size attribute-based private key for the user. Then, the user keeps the attribute-based key private. If the user's attribute set meets the access policy associated with a ciphertext, he/she can use this private key to decrypt the ciphertext.

Encrypt.
A DO customizes a bit-string-formed attribute-based access policy for the data; then, by the Encrypt algorithm, the DO encrypts the data under the customized access policy into a ciphertext of constant size. Then, the DO uploads the ciphertext together with the bit-string-formed access policy onto the cloud storage.

Decrypt.
A user downloads the ciphertext with its access policy from the cloud storage. If the user's attribute set meets the access policy, then he/she can retrieve the data by running the Decrypt algorithm. The Decrypt algorithm has two modes. One mode is local decryption, in which all computations run on the user's local device; this mode is suitable for users with PCs. If the user is using a smart IoT device, the user can choose the other mode, called privacy-preserving outsourced decryption, to securely and privately outsource some complex computations to the proxy server.
This reduces the decryption time for the user and saves the battery power of the user's smart IoT device. Note that the proxy servers learn nothing about the user's attributes or the access policy associated with the ciphertext while partially decrypting the ciphertext.

Security Model.
We define a selectively IND-CCA security game for our scheme which involves an adversary algorithm A and a challenger algorithm C.
(i) Initialization. A sends a bit-string-based AND-gate challenge access structure $W^*$ to C.
(ii) Setup. C runs the Setup algorithm to generate the master private key MK and the public parameters PK. Then, C sends PK to A.
(iii) Key Query 1. A queries a list of bit strings to C for the key queries. Note that none of the queried bit strings may satisfy the challenge access structure $W^*$.
(iv) Decryption Query 1. A queries the decryption of the ciphertext Encrypt($W_i$, $M_i$) from C.

(ii) AA defines the attribute universe $U = \{Attr_1, Attr_2, \dots, Attr_n\}$ of the system, $n = |U|$. Then, AA
Finally, AA keeps the master private key (MK) private and publishes the public parameters (PK) as

AttrKeyGen.
A user forms his/her attribute set as a bit string $L = l_1 l_2 \cdots l_n$, where $l_i \in \{0, 1\}$ ($1 \le i \le n$), and then sends $L$ to the AA via a secure channel. Then, AA generates the attribute-based private key for the user by the following steps.
(i) AA generates a polynomial of degree at most $n$
and computes $s_u$ under the condition $1/f(a, L) = k_1 s_u + k_2 r_u$, that is, $s_u = \big(1/f(a, L) - k_2 r_u\big)/k_1$.
(iii) Finally, AA computes the attribute-based private key $K_u = (K_{u,1} = g^{r_u},\ K_{u,2} = g^{s_u})$ for the user and sends $K_u$ to the user via a secure channel.

3.4.3. Encrypt.
DO performs the following steps to encrypt the data $M \in \{0, 1\}^{l_m}$.
(i) DO customizes an AND-gate access structure based on a bit string as $W = w_1 w_2 \cdots w_n$ where

Decryption.
The user downloads the ciphertext $\{CT, W\}$ from the cloud storage. If the user's attribute set $L$ meets the access policy $W$ associated with the ciphertext, the user can decrypt the ciphertext in one of two ways: local decryption or privacy-preserving outsourced decryption. If the user uses a PC, he/she can use the local decryption algorithm to obtain the data. If the user uses an IoT device, such as a smartphone, he/she can use the privacy-preserving outsourced decryption to obtain the data without the computing pressure. Notice that if and only if $L$ meets $W$ can the user generate a polynomial of degree at most $(n - |I_W|)$
Then, the user sends $C_1, C_2, C_3, \overrightarrow{BV}, BK$ to the proxy server. It is clear that the proxy server cannot learn anything about $L$ and $W$ from the blind coefficient vector $\overrightarrow{BV}$ and the blind private key $BK$. The proxy server uses $C_1, C_2, C_3, \overrightarrow{BV}, BK$ to compute
Then, the proxy server sends $P_1, P_2$ back to the user. The user uses $C_4, C_5, P_1, P_2, u_1, u_2$ to compute
Then, the user computes $r_m' = H_1(W, M', \beta_m')$ and verifies $V_1 \stackrel{?}{=} e(g, h)^{r_m'}$. If the equation holds, the user has decrypted the ciphertext successfully ($M' = M$).

Security Analysis
Theorem. If the n-aMSE-DDH problem holds, then our scheme is selectively IND-CCA-secure.
Proof. Suppose there is a PPT adversary A who can break the security of our scheme with a nonnegligible advantage $Adv_A$. Then, we can construct a PPT simulator algorithm C which is able to solve the n-aMSE-DDH problem with the nonnegligible advantage $(Adv_A - q_{H_2}/p)$ by interacting with A in the following manner, where $p$ is the order of the group $G_T$ and $q_{H_2}$ is the number of queries to the oracle $H_2$.
3.5.1. Initialization. Note that there are $n$ attributes $U = \{Attr_1, Attr_2, \dots, Attr_n\}$ in the scheme. A submits the challenge access bit string
C sends $\theta(x)$ and $f(x)$ to the n-aMSE-DDH problem and receives the problem instance $(\vec{p}, T)$ from the n-aMSE-DDH problem. $T$ is the challenge term and
where $g_0$ is a generator of $G_1$, $h_0$ is a generator of $G_2$, and $e: G_1 \times G_2 \to G_T$ mod $p$.
3.5.2. Setup. C picks $w_1, w_2 \leftarrow_R \mathbb{Z}_p^*$ and implicitly sets the master private key MK as
The public parameters PK are computed as
Finally, C sends PK to A.

Hash Queries. A can access the hash oracles $(H', H_1, H_2, H_3)$, and C maintains the hash lists $L_{H'}, L_{H_1}, L_{H_2}, L_{H_3}$ to record the queries and responses, respectively. If a query already has a response recorded in the hash lists, C responds with the recorded result. Otherwise, C proceeds as follows.
And the term $\beta_i : Q_i$ will be recorded in $L_{H_3}$.

Key Query 1.
A sends an attribute bit string $L = l_1 l_2 \cdots l_n$, where $l_i \in \{0, 1\}$ ($1 \le i \le n$), to C for one key query. Note that $L$ cannot meet the challenge policy $W^*$. C sets
and $\theta(x)$. Since $L$ does not fulfill the challenge access structure $W^*$, the degree of the polynomial $f(x, L)$ is nonzero. C picks $r \leftarrow_R \mathbb{Z}_p^*$ and implicitly sets $r_u = k_1 r a / k_2$ by computing
Implicitly set
C computes $g^{s_u}$ as
We denote
Let $f_{i,L}$ be the coefficient of
So, $g^{s_u}$ can be computed as
Finally, C sends $K_u = (K_{u,1} = g^{r_u},\ K_{u,2} = g^{s_u})$ to A.

Decryption Query 1. For any decryption query on
$L_{H_3}$ such that the ciphertext is generated using $r_i$, C sets $M_i$ as the output of the decryption query to A. Otherwise, C outputs null. No query is aborted, since every valid encryption needs responses from the hash oracles $H', H_1, H_2, H_3$, and the response contains the random number $r_i$ used in the encryption.
3.5.6. Challenge. A sends two messages $M_0 \in \{0, 1\}^{l_m}$ and $M_1 \in \{0, 1\}^{l_m}$ to C for the challenge. C implicitly defines $r_m = c$ by setting
Finally, C sends $(W^*, C_1, C_2, C_3, C_4, C_5)$ to A.

Key Query 2.
It is the same as Key Query 1. Notice that all key queries in this phase also cannot satisfy the access structure W * .

Decryption Query 2.
It is the same as Decryption Query 1. And notice that the decryption queries cannot be the challenge messages M 0 and M 1 .
3.5.9. Guess. Eventually, A gives its guess $b'$ of $b$ to the simulator C.
If $b' = b$, the simulator C outputs 0 and guesses $T = e(g_0, h_0)^{c f(a)}$; otherwise, C outputs 1 and guesses $T = R$.
If the n-aMSE-DDH problem sends $T = e(g_0, h_0)^{c f(a)}$ to the simulator C, the attacker A plays the real security game exactly as in our actual scheme. By our supposition, the attacker has advantage $Adv_A$ in selectively breaking our actual scheme. So,
If the n-aMSE-DDH problem sends $T = R$ to C, all the bits of $M_b$ are hidden by $R$. So,
The only error event is that $T = R$ but $R$ is queried to the $H_2$ oracle. This occurs with probability at most $q_{H_2}/p$, where $p$ is the order of the group $G_T$ and $q_{H_2}$ is the number of queries to the oracle $H_2$. So,

Security and Communication Networks
So, the simulator C can solve the n-aMSE-DDH problem in PPT.

Properties Evaluation.
In this section, we compare our scheme with some related CP-ABE schemes in terms of the properties listed in Table 1. From Table 1, we can see that only our scheme provides "constant-size ciphertext," "constant-size private key," and "privacy-preserving outsourced decryption" simultaneously. The schemes in [23,24] also have constant-size ciphertexts and constant-size private keys, but their access structure, the "Strict AND-gate Policy," is less expressive and too strict. Thus, these schemes [23,24] cannot achieve fine-grained access control. The work [25] based on [23] also uses the less expressive "Strict AND-gate Policy" as its access structure, so the data owner in [25] likewise cannot customize a flexible access policy for his/her ciphertext. And the works [20-22] apply the Threshold Policy in their schemes, so these schemes [20-22] cannot realize precise and flexible attribute-based access control.

Theoretical Analysis and Simulation Experiments.
In this section, we choose some representative schemes [19-21, 23, 26, 29, 34] from Table 1 as well as our scheme for theoretical analysis in terms of transmission load and computational complexity. To make the theoretical comparison clearer, we adopt the symmetric bilinear pairing $e: G \times G \to G_T$ for all the schemes to be compared and evaluated. The definitions of the notations for the theoretical analysis are presented in Table 2.
The evaluation of the transmission load is shown in Table 3. From Table 3, we can observe that in our scheme, no matter how many attributes a user has and how complex an access policy is, the length of the user's private key is only $2|G|$ and the size of the ciphertext is only $3|G|$. The comparison of the computational complexity in terms of the five algorithms AttrKeyGen, Encrypt, Blind KeyGen (by user), Online Decryption (by proxy server), and Offline Decryption (by user) is presented in Table 4.
To evaluate the actual performance of our scheme in terms of transmission overhead and computational complexity, we use the PBC [42] cryptographic library to run simulation experiments of our scheme as well as of the schemes in [19,29], which also use the "Tolerant AND-gate Policy based on Bits String" as their access policy, so as to respect the single-variable principle. The hardware for the experiments is an i5-1135G7 at 2.4 GHz with 16 GB 3200 MHz RAM, and the OS is Windows 10 1909. To realize the symmetric bilinear pairing $e: G \times G \to G_T$ at the 80-bit security level, we adopt the supersingular (symmetric) curve $E(\mathbb{F}_q): y^2 = x^3 + x \bmod q$ with embedding degree $k = 2$ over the field $\mathbb{F}_q$, where the prime $q$ has 512 bits. $G$ is an additive subgroup of $E(\mathbb{F}_q)$ with a prime order $r$ of 160 bits. In this case, $|G| = |G_T| = 512\ \text{bits} \times 2 = 1024\ \text{bits} = 128\ \text{bytes}$ and $|\mathbb{Z}_p^*| = 160\ \text{bits} = 20\ \text{bytes}$. The execution times of the cryptographic operations are listed in Table 2. The results of the experiments are shown in Figures 4 and 5. We also compare the time consumption of the local decryption algorithm and the privacy-preserving outsourced decryption algorithm through a comparison simulation experiment between the two algorithms; the result is shown in Figure 6. From it we can easily see that our privacy-preserving outsourced decryption algorithm greatly eases the computing burden of IoT devices. If the
Table 3: Transmission load comparison.

Conclusion
In this paper, we propose a lightweight CP-ABE scheme with both constant-size ciphertexts and constant-size private keys for the IoT devices in a cloud-assisted IoT environment. Users can outsource the decryption task to the proxy server in a secure and private manner by using our privacy-preserving outsourced decryption algorithm. Our scheme not only protects the privacy of users and the confidentiality of the data but also reduces the communication overhead of the cloud-assisted IoT system and the computing pressure on users. We rigorously prove that our scheme is selectively IND-CCA secure by reducing the indistinguishability of our scheme to the n-aMSE-DDH problem. Finally, we compare our scheme with other CP-ABE schemes in terms of properties, transmission overhead, and computational complexity to show that our scheme is more applicable for the cloud-assisted IoT system. The main limitation of our scheme is that it cannot support a large attribute universe: users can only use the attributes defined by the AA in advance. In future research, to improve the flexibility and practicality of our scheme, we will extend it to support a large attribute universe.

Data Availability
No data are used in this study.

Figure (private key length versus the size of the user's attribute set $|S|$, for [19], [29], and our scheme; x-axis ticks 10, 15, 20, 25, 30): only the axis labels and legend survive extraction.
Figure 6: Comparison of decryption time between our two decryption modes (local decryption algorithm versus privacy-preserving outsourced decryption algorithm).