Towards Time-Sensitive and Verifiable Data Aggregation for Mobile Crowdsensing

Mobile crowdsensing systems use the extraction of valuable information from the data aggregation results of large-scale IoT devices to provide users with personalized services. Mobile crowdsensing combined with edge computing can improve service response speed, security, and reliability. However, previous research on data aggregation paid little attention to data verifiability and time sensitivity. In addition, existing edge-assisted data aggregation schemes do not support access control of large-scale devices. In this study, we propose a time-sensitive and verifiable data aggregation scheme (TSVA-CP-ABE) supporting access control for edge-assisted mobile crowdsensing. Specifically, in our scheme, we use attribute-based encryption for access control, where edge nodes can help IoT devices to calculate keys. Moreover, IoT devices can verify outsourced computing, and edge nodes can verify and filter aggregated data. Finally, the security of the proposed scheme is theoretically proved. The experimental results illustrate that our scheme outperforms traditional ones in both effectiveness and scalability under time-sensitive constraints.


Introduction
Recent years have witnessed the proliferation of smart devices in all areas of people's daily life. These devices are deployed in different Internet of Things (IoT) units, such as smartphones [1], smart cameras [2], wearable devices [3], and environmental sensors [4,5]. The number of IoT devices will continue to grow rapidly in the near future. According to the prediction of the Global Association for Mobile Communications Systems [6], the number of IoT devices will reach 25.1 billion in 2025. The rapid growth of IoT devices has promoted the development of mobile crowdsensing. The massive IoT devices will together provide mobile crowdsensing systems with more real-time and high-precision data, from which we can extract valuable information for personalized service provision to the majority of end consumers [7]. However, many personalized services require low latency, which usually cannot be provided by the cloud because of the long distances. To address this challenge, edge computing was proposed to achieve a cloud-side-end IoT architecture [8].
Edge computing can provide network, computing, and storage services between the cloud and terminal devices [9], which greatly reduces the response time [10]. Due to these advantages, edge computing combines technologies of IoT and cloud computing to provide more and better services [11]. For example, in the application of Internet of Vehicles [12,13], the sharing of real-time data between a large number of vehicles and edge units improves the vehicle's environmental perception, decision-making, and execution capabilities [14]. However, IoT devices are vulnerable to attack. Some attacks can be resisted by traditional security mechanisms [15,16]. But traditional security mechanisms incur too much overhead to be widely used, especially for the resource-constrained IoT devices [17].
The rapid response capability of edge-assisted mobile crowdsensing can meet the requirements of low latency, but the employment of traditional security mechanisms will increase the communication delay of large-scale devices. In addition, traditional data aggregation schemes cannot recover the original data. Failure to verify the data before aggregation leads to unreliable aggregation results. Consequently, some tough issues remain unsolved.
First of all, data aggregation requires a new mechanism to realize the key distribution of large-scale devices. Some existing aggregation schemes have strong security [18,19], but they use traditional one-to-one encryption. These aggregation structures are complicated because the number of secret keys increases with the number of devices. These complex aggregation schemes are difficult to apply to IoT devices [20]. For example, service providers select candidate nodes to perform tasks, but the key management, encryption, and decryption of large-scale nodes will cause serious delays in data aggregation. Therefore, it is very important to use secure and efficient access control to realize the key distribution of large-scale devices to reduce latency.
Second, data verifiability has not been specifically considered in most previous data aggregation schemes. Usually, data are aggregated from IoT devices according to specific task requirements, such as sum aggregation or mean calculation. In the previous schemes [21,22], the edge computing node was responsible for collecting and aggregating data, then sending the aggregation results to the cloud. The cloud can only obtain the aggregated result but cannot recover the original data. However, since the information provided by the device could be unreliable, the result of data aggregation may be inaccurate. If the original data cannot be recovered, the false data will be hidden in the aggregation results, leading to inaccurate services provided by the platform. Therefore, it is essential to recover and verify the original data from the aggregated results.
Finally, the time-sensitive data aggregation scheme can provide more accurate aggregation results. Personalized data aggregation tasks are usually time-sensitive. For example, we only need to count the data during the time period to monitor the traffic flow during the peak period; in weather forecasting, the rainstorm level is likewise determined according to the rainfall in a certain period of time. Time sensitivity means that the task needs to be completed at a specific time. We set the age of the key to the time required by the task. However, existing data aggregation schemes [23,24] that do not consider the time factor cannot meet the requirements of personalized services. Therefore, time parameters need to be taken into account for data aggregation.
Aiming at the above challenges, we propose a novel time-sensitive and verifiable data aggregation scheme for edge-assisted mobile crowdsensing. In our scheme, we use attribute-based encryption for access control, and only those authorized nodes can obtain the session key. The device uses the session key to encrypt data. When ciphertexts are collected by edge computing nodes, edge computing nodes preprocess and aggregate them, and then send the aggregation results to the platform. Finally, the platform recovers all the original data and digs out the required information from the legal data. Our contributions can be summarized as follows:
(1) Efficient access control. The platform uses attribute-based encryption to achieve efficient access control. Because attribute encryption is a one-to-many encryption method, the platform can generate an access structure based on task attributes, and all legal users who meet this access structure can decrypt the session key.
(2) Data verifiability. Edge computing nodes aggregate verified data, and the aggregated data can be restored in the cloud. Compared with the traditional nonverifiable solution, the data after verification can guarantee the reliability of data. The platform can provide more accurate services.
(3) Time sensitivity. For personalized tasks with time requirements, edge computing nodes gather and upload encrypted data before the task time expires. After introducing time parameters, the accuracy of time-sensitive tasks can be improved.

Related Work.
In the literature, many studies have been carried out on the security and efficiency of data aggregation. However, at present, most works do not consider both aspects together. To ensure security, researchers use homomorphic encryption, an encryption scheme that can operate on ciphertexts, to achieve data aggregation. Wang et al. [25] used the Castagnos-Laguillaumie cryptosystem to realize data aggregation in fog computing. However, their work only supports summation and aggregation and cannot recover all the data. Lu et al. [26] proposed a data aggregation scheme to extend the aggregation function, in which the cloud server can calculate the mean and variance. However, the original data still cannot be recovered, and dynamic groups are not considered. Another major problem with data aggregation is the existence of collusion attacks. To solve this problem, Shim and Park [27] proposed a homomorphic encryption-based data aggregation scheme based on heterogeneously encrypted WSN, which can resist certain attacks but cannot ensure data integrity. Shen et al. [28] adopted identity-based cryptography. They proposed a secure WSN data aggregation method, which mainly solves collusion attacks, but its cost is very high.
To make data aggregation meet the requirements of time-sensitive tasks, some schemes introduce privacy protection mechanisms to achieve safe transmission. Since privacy protection guarantees the privacy of sensitive data during data aggregation and the cost is much lower than encryption, it has become a research hotspot. Zhang et al. [21] proposed a verifiable privacy protection aggregation scheme (PPAS) for urban sensor systems. However, it requires trusted hardware and other communications to protect data integrity. Later, Li et al. [22] proposed an effective mobile sensing PPAS, which adopted the idea of multisecret sharing. However, the existence of a trusted key trader and the adjustment of shares when users leave make it inefficient and inflexible.
To achieve verifiable data aggregation, Shen et al. [18] proposed a data aggregation scheme that supports fault tolerance and data integrity, but its inability to support outsourced calculations results in high node calculation overhead, and the scheme also requires a specific structure. To address this problem, Bao and Lu [29] proposed an aggregation scheme that supports dynamic groups, but this scheme needs to set a separate secret key for each device, which increases the cost of key management, encryption, and decryption.
In other aggregation schemes, such as the key management technology of [23], the sum of random numbers of all participants (including all users and control centers) is equal to 0 to reduce the authority of the control center. A major disadvantage of this mechanism is that it cannot tolerate any failures. Even if a single user cannot report data at a certain time, the control center will not obtain any information because the sum of the random numbers in the final encrypted aggregation is no longer zero. This may be a big problem, and there is no guarantee that all devices will not fail during data aggregation.

Organization.
The remainder of this study is organized as follows. Preliminaries are described in Section 2. Next, the system model and security definitions are presented in Section 3. In Section 4, we construct the TSVA-CP-ABE scheme. Security analysis and performance evaluation of the TSVA-CP-ABE are presented in Sections 5 and 6, respectively. Finally, we conclude our work in Section 7.

Background
In this section, we give the background information of bilinear maps, access structure, and Lagrange coefficient which will be used in our proposed scheme.

Bilinear Maps
Definition 1 (Bilinear maps). Let $G$ and $G_T$ be two multiplicative cyclic groups with large prime order $p$. Let $g$ be a generator of $G$. Let $e$ be a bilinear map $e: G \times G \to G_T$ with the following properties:
Bilinearity: for $\forall u, v \in G$ and $a, b \in Z_p$, the equation $e(u^a, v^b) = e(u, v)^{ab}$ holds.
Nondegeneracy: $e(g, g) \neq 1$.
Computability: there exists an efficient algorithm to compute the bilinear map $e: G \times G \to G_T$.

2.2. Access Structure.
In our construction, we represent the access structure through an access tree $\Gamma$ with root $r$. A leaf node of the tree represents an attribute, and a nonleaf node represents a threshold gate. If the node $x$ is a leaf node, set $\Gamma_x(S) = 1$ if and only if the attribute of the node $x$ matches the attribute set $S$. If $x$ is a nonleaf node, $\Gamma_x(S) = 1$ if and only if the number of children nodes that meet the requirements is more than the threshold.
Definition 2 (Access structure [30]). Let $P_1, \ldots, P_n$ be a set of parties. A collection $A \in 2^{P_1, \ldots, P_n}$ is monotone if $\forall B, C$: if $B \in A$ and $B \subseteq C$, then $C \in A$. An (monotone) access structure is a (monotone) collection $A$ of nonempty subsets of $P_1, \ldots, P_n$, i.e., $A \subseteq 2^{P_1, \ldots, P_n} \setminus \{\emptyset\}$. The sets in $A$ are called the authorized sets; otherwise, they are called unauthorized sets.

Lagrange Coefficient.
In our scheme, we use the Lagrange coefficient to achieve a collision-resistant secret sharing.

Definition 3 (Lagrange coefficient).
The Lagrange coefficient $\Delta_{i,S}$ for $i \in Z_p$ and a set, $S$, of elements in ). We will associate each attribute with a unique element in $Z_p^*$.
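The access tree and the Lagrange coefficient fit together as follows. This is an added example, not code from the paper: it shares a secret down a threshold tree using the polynomial assignment the construction section describes (q_R(0) = s_1, q_x(0) = q_parent(x)(index(x)), degree k_x - 1) and recovers it with the standard Lagrange coefficient evaluated at 0. Assumptions: arithmetic is done directly in Z_p with a constructed toy prime instead of in the exponent of a pairing group, a gate is satisfied by a k_x-sized set of children, and the attribute names are constructed.

```python
import secrets

# Constructed toy modulus standing in for the group order p (a Mersenne prime).
P = 2**127 - 1

class Node:
    """Access-tree node: a leaf carries an attribute, a gate carries a threshold k."""
    def __init__(self, attr=None, k=None, children=()):
        self.attr, self.k, self.children = attr, k, list(children)

def leaf(attr):
    return Node(attr=attr)

def gate(k, *children):
    return Node(k=k, children=children)

def satisfies(node, attrs):
    """Gamma_x(S): a leaf needs its attribute in S, a gate needs k satisfied children."""
    if node.attr is not None:
        return node.attr in attrs
    return sum(satisfies(c, attrs) for c in node.children) >= node.k

def eval_poly(coeffs, x):
    """Horner evaluation of q(x) mod P; coeffs[0] is q(0)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y

def share(node, secret, out):
    """Set q_x(0) = secret with degree k_x - 1; child number i receives q_x(i)."""
    if node.attr is not None:
        out[id(node)] = secret            # leaf share q_y(0)
        return
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(node.k - 1)]
    for index, child in enumerate(node.children, start=1):
        share(child, eval_poly(coeffs, index), out)

def lagrange_at_zero(i, index_set):
    """Standard Lagrange coefficient at 0: prod over j != i of (0 - j) / (i - j) mod P."""
    num, den = 1, 1
    for j in index_set:
        if j != i:
            num = num * (-j) % P
            den = den * (i - j) % P
    return num * pow(den, -1, P) % P

def reconstruct(node, attrs, shares):
    """Recursive recovery of q_x(0); None plays the role of the failure symbol."""
    if node.attr is not None:
        return shares[id(node)] if node.attr in attrs else None
    found = {}
    for index, child in enumerate(node.children, start=1):
        value = reconstruct(child, attrs, shares)
        if value is not None:
            found[index] = value
    if len(found) < node.k:
        return None                       # gate not satisfied
    chosen = sorted(found)[:node.k]       # any k_x-sized satisfied subset works
    return sum(found[i] * lagrange_at_zero(i, chosen) for i in chosen) % P

def demo():
    # Constructed policy: any 2 of (vehicle role, north AND camera, trusted tier).
    tree = gate(2, leaf("role:vehicle"),
                gate(2, leaf("region:north"), leaf("sensor:camera")),
                leaf("tier:trusted"))
    s1 = secrets.randbelow(P)
    shares = {}
    share(tree, s1, shares)
    authorized = {"role:vehicle", "tier:trusted"}
    partial = {"role:vehicle", "region:north"}   # inner gate fails, only 1 of 3 at root
    return (satisfies(tree, authorized), reconstruct(tree, authorized, shares) == s1,
            satisfies(tree, partial), reconstruct(tree, partial, shares))

if __name__ == "__main__":
    print(demo())
```

An attribute set that fails the tree recovers nothing, because fewer than k_x points of a degree k_x - 1 polynomial leave q_x(0) undetermined.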

System Model and Definitions
In this section, we first describe the system model. Next, we present replayable chosen-ciphertext attack security of the TSVA-CP-ABE scheme. Finally, we formulate the efficient data aggregation problem.

System Model.
In this study, we consider the typical IoT data aggregation system, as shown in Figure 1. The system consists of four kinds of entities, namely, IoT devices, edge computing nodes, a mobile crowdsensing platform, and a trusted authority [31]. More specifically, sensory data are first uploaded from the IoT devices to the edge computing node, processed, and relayed to the mobile crowdsensing platform for further aggregation to obtain more valuable results. The data sensed by devices can be of any format, such as big string, video, or pictures. We assume that there are two-way communication channels between different entities in our system, where each entity can upload and download necessary data. More specifically, the role of each entity is described as follows:
(1) Trusted authority (TA). TA initializes the system by publishing the public parameter (MPK, MSK) and provides the attribute-related private keys $(DK, TK_{T_s})$ for ID. TA accepts the registration of all IDs in the system, and it is responsible for issuing a pseudonym ID pid for each ID. TA stops updating attacked IDs' private keys by pid.
(2) Mobile crowdsensing platform (MCP). When encrypting, MCP encrypts the time-sensitive task as published ciphertext $CT_{T_s}$ to the corresponding ID and ECN. When decrypting, MCP uses the secret key corresponding to the task to decrypt the aggregated data $c'$. MCP also judges the legality of data and stores the legal data.
(3) Edge computing node (ECN). ECN responds to outsourced decryption requests to generate $TCT_{T_s}$ for legal nodes and filters out expired ciphertexts. After that, ECN verifies the legality of the encrypted data, aggregates the legal data, and then forwards $c'$ to MCP. In the decryption and data aggregation, ECN cannot decrypt the ciphertext.
(4) IoT device (ID). ID uses its own private key associated with its attributes to decrypt the message to obtain the symmetric key and then uses the symmetric key to encrypt the uploaded data $c$.
Security and Communication Networks
In our scheme, TA and MCP are trustworthy. ECN is assumed to be honest-but-curious [32]. In the decryption, ECN only transforms ciphertext. In data aggregation, ECN can only verify the reliability of data. It honestly executes the specified procedures but tries to gain secret information from the encrypted data. The adversary could be a malicious ID or a group of multiple IDs, which may post false information and try to control other normal IDs. Moreover, the adversary also aims to obtain the symmetric key from attribute-based encryption. Therefore, TA should be able to revoke the keys from malicious IDs. In fact, the assumption of this model is widely used in previous work [18,19,21,22].
Transform $(TK_{T_c}, CT_{T_s}, VT2) \to (TCT_{T_s})$: the transform algorithm takes as input a transformation key $TK_{T_c}$, a ciphertext $CT_{T_s}$, and a verification tag VT2. It outputs a transformation decrypted ciphertext $TCT_{T_s}$ which is associated with a task of time $T_s$.
Decrypt $(DK, VT1, TCT_{T_s}) \to (M/\perp)$: the decrypt algorithm takes as input a decryption key $DK_{T_c}$, a verification tag VT1, and a transformation decrypted ciphertext $TCT_{T_s}$. It outputs a message $M/\perp$. Here, the special symbol $\perp$ indicates that the transformation decrypted ciphertext is invalid.

RCCA Security.
The security of our scheme is based on the replayable chosen-ciphertext attack security (RCCA) [33] for ABE with verifiable outsourced decryption and verification keys. Different from their schemes, we add the time parameter, which also introduces additional security risk. The security of the time parameter will be proved later.
All the ciphertexts must be decrypted through outsourced decryption; otherwise, the correct plaintexts cannot be decrypted. If a decryption response would be either $M_0$ or $M_1$, then the challenger responds with the special message $\perp$.
(v) Guess. The adversary outputs a guess $b'$ of $b$. The advantage of A in this game is defined as
The TSVA-CP-ABE is RCCA-secure if any PPT adversary A has at most a negligible advantage in the above game.

Verifiable Outsourced
Setup. The challenger runs the Setup(k, U) to generate the master key pair (MPK, MSK). It gives MPK to the adversary.
Phase 1. The adversary can adaptively query the create, corrupt, and transformation oracles as in phase 1 in Section 3.2.
Challenge. The adversary submits a message $M^*$ and an access tree $c^*$. The challenger computes a challenge ciphertext $CT^*$ and sends it to A.
Phase 2. The same as phase 1.
Output. Finally, the adversary outputs a set $S^*$ such that $f(c^*, S^*) = 1$ and a transformation ciphertext TCT.
The above presents a formal definition of the verifiability for an ABE system with outsourced decryption, through a game played between an adversary A and a challenger.
Suppose that the entry $(j, S^*, T_c^*, TK_{T_c}^*, DK^*)$ has already existed in table E. If not, the challenger can generate it using MSK. We say that A succeeds in the above defined game, if A's advantage is defined as $Adv = \Pr(\text{A succeeds in the above game})$.
Definition 6 (Verifiability). An ABE system with outsourced decryption is verifiable if every PPT adversary A has at most a negligible advantage in the above game [31].

Efficient Access Control.
In our scheme, we assume all parties hold the same secret key for each task. We use attribute-based encryption for access control, and authorized nodes can obtain session keys.
Phase 1. MCP uses a symmetric secret key to encrypt the data to be sent. MCP selects the corresponding attribute encryption symmetric key according to the task requirements.
Phase 2. ECN is responsible for outsourcing and decrypting attribute-based encryption to reduce the computing burden of IDs.
Phase 3. ID decrypts the symmetric key according to its own attributes and then uses the symmetric key to communicate with MCP.

Construction of the TSVA-CP-ABE Scheme
In this section, we will introduce our scheme in two levels: system level and algorithm level. The system level describes the implementations of the upper operations, while the algorithm level focuses on the specific details of the underlying algorithms called by system level operations [34]. We depict the framework of our scheme in Figure 2. The details of these two levels are described as follows.

System
Setup. In the system initialization phase, TA invokes the algorithm Setup( ) belonging to the algorithm level to generate master public key MPK and master secret key MSK. MCP obtains MSK and shares a random number and a key with ECN in a secure way (such as public key encryption) at the same time. When IDs register with TA, TA uses a one-way function to generate a key-value pair based on the device ID did, where the key is did, and the value is pid. ID uses a pseudonym ID when submitting data to MCP, thereby protecting the privacy of ID. If MCP wants to revoke a device, it provides the pseudonym ID to TA.
Then, TA will revoke the real id.

Time-Sensitive Encryption.
The tasks issued by MCP are time-sensitive. MCP chooses an access tree c for the message M and defines a time interval set $T_s$ for ciphertext. Then, MCP invokes the algorithm Encrypt (MPK, M, c, $T_s$) to generate ciphertext $CT_{T_s}$, which is associated with c and $T_s$. Finally, $CT_{T_s}$ is sent to IDs. ID will be able to decrypt a ciphertext if and only if ID's attributes satisfy the access tree and ID's key is valid for a limited period of time.

Access Control.
Attribute-based encryption is a one-to-many encryption scheme. When MCP issues a task, it constructs an access structure based on attributes of the task performer. Any ID that satisfies the access structure can decrypt ciphertext according to its own private key and obtain the session key of the corresponding task. Thus, MCP achieves key distribution in this way.

Selective Outsourced.
ID applies for a decryption key from TA. TA invokes the algorithm KeyGen (MSK, S, $T_c$) to generate a decryption key DK and a transformation key $TK_{T_c}$ which is associated with the current time interval $T_c$. Then, ID sends the ciphertext $CT_{T_s}$ and the transformation key $TK_{T_c}$ to ECN to apply for outsourced decryption. After receiving the outsourced decryption application, ECN does not directly decrypt it. It first checks whether the ID is in a white list, which stores IDs that have not been revoked. If ID exists in the white list, then it verifies the validity of the ciphertext by the random $s_2$ previously shared with the platform ($H(s_2, CT_{T_s}) = VT2$) and verifies that the secret key is valid for the limited period of time ($T_c + T_{all} < T_s$). Then, ECN conducts the outsourced decryption after both verifications pass.

Algorithm Constructions.
Here, we will give the concrete constructions of the TSVA-CP-ABE scheme. The notations used in the TSVA-CP-ABE scheme are given in Table 1.
(i) Setup. The setup algorithm will choose a bilinear group $G$ of prime order $p$ with generator $g$. Next, it will choose two random exponents $\alpha, \beta \in Z_p$. In addition, let $T$ be the maximum time in the system. $T$ is provided by TA which satisfies $|T| = n$. Then, we choose $u_1, \ldots, u_n \in Z_p$ randomly. The master public key is published as

$$MPK = G,\ g,\ h = g^{\beta},\ e(g, g)^{\alpha},\ u_1, \ldots, u_n \in Z_p, \quad (1)$$

and the master secret key MSK is $(\beta, g^{\alpha})$.

For each node $x$ in the tree, we set the degree $d_x$ of the polynomial $q_x$ to be one less than the threshold value $k_x$ of that node, that is,
Starting with the root node $R$, the algorithm chooses a random $s_1 \in Z_p$ and sets $q_R(0) = s_1$. Then, it chooses $d_R$ other points of the polynomial $q_R$ randomly to define it completely. For any other node $x$, it sets $q_x(0) = q_{parent(x)}(index(x))$ and chooses $d_x$ other points randomly to completely define $q_x$. MCP generates a random $s_2$ and sends it safely to ECN. MCP also generates verification tags VT1 and VT2. Let $Y$ be the set of leaf nodes in c. The ciphertext constrained by a time interval $T_s$ is then constructed by giving the tree access structure c and computing  (2)

(iii) KeyGen (MSK, S, $T_c$). The key generation algorithm will take as input a set of attributes $S$, MSK, and the current time interval $T_c$. It will output a decryption key DK and a transformation key $TK_{T_c}$ which is associated with the current time interval $T_c$. The algorithm first chooses a random $r \in Z_p$ and then random $r_j \in Z_p$ for each attribute $j \in S$. Then, it computes the key as

(iv) Transform ($TK_{T_c}$, $CT_{T_s}$, VT2). When ECN receives the request of outsourcing decryption, ECN first checks whether the ID is in a white list. If ID exists in the white list, then ECN verifies the legality of the message with the random $s_2$ agreed with the platform and makes a judgment on the time parameters to decide whether to perform outsourced decryption. If $VT2 = VT2'$ ($VT2' = H(s_2, CT_{T_s})$) and $T_c + T_{all} < T_s$, it starts to perform outsourced calculation.
We first define a recursive algorithm TransformDecrypt ($TK_{T_c}$, $CT_{T_s}$, $x$) that takes as input a ciphertext $CT_{T_s}$, a node $x$ belonging to c, and a transformation key $TK_{T_c}$. $TK_{T_c}$ is associated with a set $S$ of attributes and the current time interval $T_c$. Before calculating, we define $L$ as the sum of time parameters from $T_c$ to $T_s$. If the node $x$ is a leaf node, then we let $i = att(x)$ and define as follows: if $i \in S$, then
If $i \notin S$, then we define TransformDecrypt($TK_{T_c}$, $CT_{T_s}$, $x$) $= \perp$. We consider the recursive case when $x$ is a nonleaf node. The algorithm TransformDecrypt ($TK_{T_c}$, $CT_{T_s}$, $x$) then proceeds as follows: for all nodes $z$ that are children of $x$, it invokes TransformDecrypt ($TK_{T_c}$, $CT_{T_s}$, $z$) and stores the output as $F_z$. Let $S_x$ be an arbitrary $k_x$-sized set of child nodes $z$ such that $F_z \neq \perp$. If no such set exists, then the node was not satisfied and the function outputs $\perp$. Otherwise, we compute
The algorithm begins by simply calling the function on the root node $R$ of the tree c. If the tree is satisfied by $S$, we set $A = e(g, g)^{r L_{T_s} s_1}$.
The algorithm now outputs transformed ciphertext by computing

(v) Decrypt (DK, VT1, $TCT_{T_s}$). The decryption algorithm will take as input $TCT_{T_s}$, a decryption key DK, and a verification tag VT1. It will recover the message $M^*$. If $VT1 = VT1'$ ($VT1' = H_0(M^*)$), the decryption is successful. Otherwise, the decryption fails. The result can be verified as follows:

(vi) Data aggregation (c, ct). When ID completes the final decryption, it obtains the session key, including $k_1$ (encryption key) and $k_2$ (authentication key). First, ID uses $k_1$ to complete the data encryption $c = e(data, k_1)$ ($e$ is symmetric encryption) and then generates $ct = c \| H_0(k_2, T_1, c) \| T_1$, where $T_1$ is the current time interval when ID submitted data. Second, ECN receives the data and verifies the time and hash value. Once the verification is passed, the redundant data will be removed. Only the ciphertext is aggregated to generate $c'$, and then, $c'$ is used to generate $ct' = c' \| H_0(k_2, T_2, c') \| T_2$, where $T_2$ is the current time interval when ECN submitted data. Third, MCP receives the data and uses the same method to verify ciphertext and removes redundant data after verification. All ciphertexts are aggregated to generate $c''$. Finally, MCP uses the encryption key $k_1$ to decrypt all data for the task.
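The two ECN checks described above, the gate in front of Transform (white list, VT2, and the time inequality) and the verify-then-aggregate step of data aggregation, are shown here as an added example that is not code from the paper. Assumptions: H and H_0 are instantiated as HMAC-SHA256, time intervals are 8-byte integers, "redundant data" means the tag and time fields, $c'$ is a length-prefixed concatenation so that MCP can recover every ciphertext, ECN holds $k_2$, freshness is a one-interval window, and all keys, pids and ciphertext bytes are constructed.

```python
import hashlib
import hmac
import struct

T_LEN, TAG_LEN = 8, 32  # assumed wire sizes: 8-byte interval, SHA-256 tag

def h0(key, *parts):
    """Keyed hash standing in for the page's H / H0 (assumption: HMAC-SHA256)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(struct.pack(">I", len(part)) + part)  # length-prefix each field
    return mac.digest()

def admit_transform(whitelist, s2, pid, ct_ts, vt2, t_c, t_all, t_s):
    """ECN gate before outsourced decryption: white list, VT2, then the time check."""
    if pid not in whitelist:
        return "revoked"
    if not hmac.compare_digest(vt2, h0(s2, ct_ts)):
        return "bad-vt2"
    if not (t_c + t_all < t_s):          # inequality exactly as the page states it
        return "expired"
    return "ok"

def pack(k2, t, c):
    """ct = c || H0(k2, T, c) || T."""
    t_raw = struct.pack(">Q", t)
    return c + h0(k2, t_raw, c) + t_raw

def verify(k2, ct, now, t_s, max_age=1):
    """Return the bare ciphertext c if tag and time check out, else None."""
    if len(ct) < TAG_LEN + T_LEN:
        return None
    c, tag, t_raw = ct[:-(TAG_LEN + T_LEN)], ct[-(TAG_LEN + T_LEN):-T_LEN], ct[-T_LEN:]
    if not hmac.compare_digest(tag, h0(k2, t_raw, c)):
        return None                      # forged or modified, including an edited T
    (t,) = struct.unpack(">Q", t_raw)
    if t > t_s or not (now - max_age <= t <= now):
        return None                      # past the task deadline, or a stale replay
    return c

def aggregate(k2, submissions, now, t_s):
    """ECN step: verify each ct, keep only c, frame them into c', re-tag as ct'."""
    kept = [c for c in (verify(k2, ct, now, t_s) for ct in submissions) if c is not None]
    c_prime = b"".join(struct.pack(">I", len(c)) + c for c in kept)
    return pack(k2, now, c_prime), len(submissions) - len(kept)

def recover(k2, ct_prime, now, t_s):
    """MCP step: verify ct', then split c' back into the individual ciphertexts."""
    c_prime = verify(k2, ct_prime, now, t_s)
    if c_prime is None:
        return None
    out, i = [], 0
    while i < len(c_prime):
        (n,) = struct.unpack(">I", c_prime[i:i + 4])
        out.append(c_prime[i + 4:i + 4 + n])
        i += 4 + n
    return out

def demo():
    k2 = b"k2-constructed-auth-key"
    t_s, now = 20, 12                    # task deadline and ECN's current interval
    good1 = pack(k2, 12, b"\x01ciphertext-from-ID-A")
    good2 = pack(k2, 11, b"\x02ciphertext-from-ID-B")
    replay = pack(k2, 5, b"\x03captured-earlier")             # valid tag, stale T1
    forged = pack(b"attacker-guess", 12, b"\x04false-data")   # tag under a wrong key
    edited = bytearray(pack(k2, 5, b"\x05old"))
    edited[-1] = 12                      # T1 rewritten to look fresh; tag no longer matches
    ct_prime, dropped = aggregate(k2, [good1, replay, good2, forged, bytes(edited)], now, t_s)
    return recover(k2, ct_prime, now=13, t_s=t_s), dropped

if __name__ == "__main__":
    print(demo())
```

Because the time field is covered by the keyed hash, an expired submission can neither pass the time check as captured nor be given a fresh timestamp without invalidating its tag.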

Security of the Scheme
In this section, we detail the security proof of our scheme.

Security of Time Parameters.
The master public key is published as $MPK = G,\ g,\ h = g^{\beta},\ e(g, g)^{\alpha},\ u_1, \ldots, u_n \in Z_p$, which makes the parameters of the time interval in the group $u_1, \ldots, u_n$ unsafe. The adversary can counterfeit or copy the parameters of the time interval because it obtains additional information from MPK. First, in order to ensure the unforgeability of $u_n$, we add a random number $s_1$ whenever we encrypt. In ciphertexts, the time parameter we add is $s_1 L_{T_s} = s_1 \sum_{k=1}^{T_s} u_k^{t_k}$. Then, in order to ensure the freshness of the secret key, we add the current time parameter $t_i$ to $u_i$. For the parameters in key generation, we add $r L_{T_c} = r \sum_{k=1}^{T_c} u_k^{t_k}$ to the secret key and send $\forall k = T_c + 1 : n,\ g^{r u_k^{t_k}}$ to the decryptor. In combination with the difficult problem (discrete logarithm problem [35]: in group $G$, given generators $g$ and $a \in Z_1$, it is easy to find $g^a$. When given $g^a$ and generators $g$, it is difficult to calculate $a$), if c is smaller than or equal to s, the ciphertext can be decrypted. Otherwise, the ciphertext cannot be decrypted.

Theorem 1. Our ABE system with verifiable outsourced decryption is (selectively) CPA-secure if and only if the underlying outsourced ABE system is (selectively) CPA-secure.
$H_0$ is a collision-resistant hash function, and SE is a semantically secure one-time symmetric encryption scheme.
Proof. The proof applies the hybrid argument of games. We define two games: $Game_0$ and $Game_1$. $Game_0$ is the original (selective) CPA-security game as defined in Section 3.2 for an outsourced ABE system. We intend to prove that any two subsequent games only have a negligible difference from the adversary's perspective. Let $S_i$ denote A's success probability in $Game_i$. Above, we have proven the security of time parameters. When the time parameter is not satisfied, it cannot be decrypted. Therefore, we assume that the time parameters are valid in the following proof process. On this basis, we prove the security of the proposed scheme.
$Game_0$: this is the original (selective) CPA-security game. Let $(CT_{T_s}^*, VT2^*)$ denote the challenge ciphertext and verification tag for a challenge access tree c selected by the adversary. Denote by $M = k1 \| k2$ the key encrypted in the ciphertext, and by k1 the symmetric key used for the ciphertext of the uploaded data.
$Game_1$: this game is the same as $Game_0$, except that we compute $VK1^*$ and $VK2^*$ using other random keys k3 and k4 and number $s_2^*$. □
Claim 1. Suppose that the outsourced ABE system is (selectively) CPA-secure, then the adversary's views in $Game_0$ and $Game_1$ are computationally indistinguishable.
Proof of Claim 1. We define a PPT algorithm B which aims to break the (selective) CPA-security of the underlying ABE system with the help of the adversary A. B simulates A's views in $Game_0$ or in $Game_1$ depending on its challenge ciphertext. Denote by Chall the challenger of the underlying ABE system.
Setup. B first runs Chall to obtain a challenge public parameter $MPK^*$. Then, it chooses by itself a collision-resistant hash function $H_0^*$ and a semantically secure one-time encryption scheme $SE^*$. Finally, it sends ($MPK^*$, $H_0^*$, and $SE^*$) to A as a challenge master public key.
Phase 1. It is straightforward to answer A's queries, including create (S, $T_c$) (for any attributes S) and corrupt (i). This is because B can obtain the answers of these queries via running Chall with the same queries.
Challenge. Once A submits two equal-length messages $M_0$ and $M_1$ as well as an access tree $c^*$, the simulator B first chooses four independent random keys $k1 \| k2$, $k3 \| k4$. It then queries Chall with $((k1 \| k2, k3 \| k4), c^*)$. Chall will return a challenge ciphertext $CT_{T_s}$ to B. Next, B sets $VK1 = H_0^*(k1 \| k2)$. It also computes $C_{SE}^* = SE^*(k1, M_b)$ for a random $b \in \{0, 1\}$ and sets $VK2 = H_0^*(s_2, CT_{T_s})$. Finally, it sends $CT_{T_s}$ and VK2 to the adversary. Clearly, if the "message" encrypted in $CT_{T_s}$ is $k1 \| k2$, then $CT_{T_s}$ is a challenge ciphertext as in $Game_0$. Otherwise, it is a challenge ciphertext as in $Game_1$.
Phase 2. The same as phase 1 except that A cannot query corrupt (i), in which the attribute S satisfies $f(c^*, S) = 1$.
Finally, B outputs what A outputs. From the above analysis, B perfectly simulates A's views in $Game_0$ or $Game_1$. So, we have the following result: □
Claim 2. Suppose that the symmetric encryption scheme SE is semantically secure, then the adversary in $Game_1$ has a negligible advantage.
Proof of Claim 2. The security of Claim 2 depends on the symmetric cipher scheme we choose. Here, we choose the AES (advanced encryption standard) scheme that has proven to be secure. Therefore, the security of Claim 2 is guaranteed.
Taking all the claims together, the (selective) CPA-security of our scheme is given as follows.
In the above security proof, we only consider the (selective) CPA-security of our scheme. Similarly, we can prove its RCCA-security if the underlying outsourced ABE scheme is RCCA-secure and the symmetric encryption scheme is also RCCA-secure. □
Claim 3. Suppose that $H_0$ is a collision-resistant hash function. Then, the ABE scheme we proposed with outsourced decryption is verifiable.
Proof. Given an adversary A against the verifiability, we construct an efficient algorithm B to break the collision-resistance of the underlying hash function $H_0$. Given a challenge hash function $H_0^*$, B simulates the experiment described in Section 3.3 as follows.
B generates the public parameter MPK and master secret key MSK as setup, except for a hash function $H_0^*$. Note that B knows the master secret key MSK. Hence, it can simulate A's queries in phase 1 and phase 2. For a challenge message $M^*$ and an access tree $c^*$ submitted by A, the simulator first invokes encrypt (MPK, $M^*$, $c^*$, $T_s$) to obtain a ciphertext $CT_{T_s}^*$. It then sets $VT1^* = H_0(M^*)$ and $VT2^* = H_0(s_2, CT_{T_s}^*)$. After that, it sends $CT_{T_s}^*$ and $VT2^*$ to the adversary. Finally, the adversary outputs attributes $S^*$ (such that $f(c^*, S^*) = 1$) and a transformation ciphertext $TCT_{T_c}$. If A breaks the verifiability, B will recover a message $M \notin \{M^*, \perp\}$ via decrypt. Here, we discuss A's success probability. Observe that the decryption algorithm outputs $\perp$ if $H_0^*(M) \neq VT1^*$. Therefore, we only need to consider the following case:
Case: $(s_2, CT_{T_s}) = (s_2, CT_{T_s}^*)$, but $M \neq M^*$. Observe that $H_0^*(M) = H_0^*(M^*)$. Therefore, it breaks the collision-resistance of $H_0^*$.

Resist DDOS.
The attacker can forge a large amount of false data and request ECN to perform outsourced decryption. When ECN processes false data, it cannot provide services to normal IDs. In our scheme, ECN will verify the data before calculation, and only the data that passes the verification will be calculated. The key and random number shared between ECN and MCP are included in the verification. The attacker cannot obtain these two parameters and therefore cannot forge data that can be verified by the edge computing node. Therefore, our scheme can resist distributed denial of service attacks.

Resist Replay Attacks.
The attacker can capture a large amount of normal data and send a large amount of expired normal data at a later time period, thereby consuming the computing resources of MCP and ECN. In our proposed scheme, a timestamp is added to all data, and the timestamp is protected by a hash function with a secret key. If the timestamp is modified, the hash function will return a different result. Thus, our scheme can protect the freshness of the data.

Revocation Security.
Assuming that a certain ID has had its decryption capability revoked, it will not be able to continue decrypting new ciphertexts. In our scheme, ECN maintains a white list and only performs outsourced decryption for IDs in the white list. ECN and MCP share the same random number. When MCP encrypts tasks, random numbers are embedded in the ciphertext. An ID cannot obtain the plaintext without outsourced decryption. An ID that is not on the white list cannot use outsourced decryption, which is equivalent to that ID being revoked. This scheme makes the revoked ID unable to decrypt without affecting other legal IDs.

Analysis of the TSVA-CP-ABE Scheme
In this section, we first describe the theoretical analysis and the comprehensive comparison. Then, we present the experimental analysis of the TSVA-CP-ABE scheme.
6.1. Theoretical Analysis. We first compare several related works theoretically. Table 2 gives a comparison of the results of our work and several related works in terms of features. The compared schemes all support data integrity. However, Fan et al.'s scheme [23] is a summation aggregation, which cannot detect the legality of a single data item. Therefore, it does not support data fault tolerance. Moreover, the schemes in [36] and in [23] must determine the number of IDs, and the aggregation can be successful only after all IDs have uploaded data. Therefore, they cannot support the dynamic joining and exiting of some devices. Our proposed scheme adds verification to ECN, and we can thus choose outsourced verification, which is not supported by other schemes [18,23,36].
In this analysis, we focus on the most time-consuming operations, pairing, and exponentiation conducted in groups $G$. Let $\psi$, $\omega$, and $\nu$, respectively, denote computation times of the most time-consuming operations, pairing, and exponentiation. Let $O(\mathrm{tree})$ be the computation complexity of the decryption tree. In the encryption stage, when the ciphertext is generated, a pairing is performed, and then, two ciphertext parameters, time parameters, and access structure parameters are computed by exponentiation. The total time cost is $\psi + \omega + (|T| + 2 + |S|)\nu$. In the KeyGen stage, both the time parameter and the secret key parameter are exponential operations, and the properties in the secret key are pairing operations. The total time cost is $\psi + |Y|\omega + (n + 1)\nu$. In the transform stage, when ECN decrypts, it pairs the secret key and the access structure and then performs an exponential operation on the structure with its own parameters. The total time cost is $O(\mathrm{tree}) + |Y|\omega + \nu$. In the decryption stage, ID needs to do an exponential operation on the time parameter. Finally, it can do an exponential operation on the ciphertext again. The total time cost is $\psi + n\nu$.
Different from the above works, we propose a time-sensitive and verifiable data aggregation scheme supporting access control for edge-assisted mobile crowdsensing. Our scheme is compared with the schemes in [18,23] in Table 3. In our scheme, though pairing operations, exponentiations, and multiplications are explored, these operations are only used to generate or verify the signatures. Moreover, any secure aggregate signature scheme can be utilized in our scheme. In [18], the time parameter is introduced in the scheme to make the secret key have a deadline. But it does not support outsourcing, which leads to high computational cost. In [23], only the sum of the sensing data can be recovered by the cloud. Comparatively, in our scheme, MCP can collect all the raw data and compute any statistical function on them. Besides, our scheme can resist collision attacks and support dynamic groups.

Experimental Analysis.
We simulate our scheme on a laptop with an Intel Core i5-3210M CPU at 2.50 GHz and 8 GB RAM running on Eclipse 4.10 and Windows 7. The Charm-crypto framework integrated with the OpenSSL and JPBC library is applied to implement the cryptographic operations. Besides, the group operations are based on the elliptic curve of SS512, and the number of policy attributes associated with ciphertext is from 10 to 50. The simulation results are averaged on 10 independent runs. Since we use a computer to simulate the whole communication process, we give the test values of bandwidth and network delay in the communication process. MCP, TA, and ECN are connected via wired networks. ECN, TA, and ID are connected via wireless networks [37]. In wired networks, the communication bandwidth between the two machines is 20 MB/s, and the average network delay is 1 ms. In wireless networks, the communication bandwidth between the two machines is 4 MB/s, and the average network delay is 4 ms.
When considering data aggregation, our scheme verifies the data and aggregates only the data that passes the verification. A hash function is used during verification, and the input parameters are ciphertext, timestamp, and secret key. Among them, the ciphertext is 512 bits, the secret key is 128 bits, the timestamp is 64 bits, and the hash result is 32 bits. The length of the data uploaded by the device is (512 + 64 + 32) bits (the secret key has been transmitted before). ECN only needs to perform one hash operation and two comparisons (one time comparison and one hash result comparison) to verify the legality of the data. The length of data uploaded by ECN is (512n + 64 + 32) bits, where n is the number of IDs. MCP then verifies the uploaded data again. After passing the verification, an AES decryption can recover all the plaintext.
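The keyed-hash timestamp check behind the replay-resistance argument and the ECN filtering step described above can be exercised with the following added example, which is not the authors' implementation. The function names, the use of HMAC-SHA256 truncated to 32 bits as the keyed hash, the single shared key, and the 30-second freshness window are assumptions; the field sizes are the ones stated in the text.

```python
import hashlib
import hmac
import struct

CT_LEN, TS_LEN, TAG_LEN = 64, 8, 4  # 512-bit ciphertext, 64-bit timestamp, 32-bit hash
MAX_AGE = 30  # assumed freshness window in seconds; the paper does not fix one


def keyed_hash(key: bytes, ct: bytes, ts: int) -> bytes:
    """Assumed instantiation of the keyed hash: HMAC-SHA256 cut to 32 bits."""
    return hmac.new(key, ct + struct.pack(">Q", ts), hashlib.sha256).digest()[:TAG_LEN]


def device_report(key: bytes, ct: bytes, ts: int) -> bytes:
    """Upload from one ID: ciphertext || timestamp || hash = 608 bits."""
    return ct + struct.pack(">Q", ts) + keyed_hash(key, ct, ts)


def ecn_verify(key: bytes, report: bytes, now: int):
    """One hash and two comparisons; returns the ciphertext, or None if rejected."""
    if len(report) != CT_LEN + TS_LEN + TAG_LEN:
        return None
    ct, ts_raw, tag = report[:CT_LEN], report[CT_LEN:-TAG_LEN], report[-TAG_LEN:]
    (ts,) = struct.unpack(">Q", ts_raw)
    if not 0 <= now - ts <= MAX_AGE:  # comparison 1: timestamp is fresh
        return None
    if not hmac.compare_digest(keyed_hash(key, ct, ts), tag):  # comparison 2: hash
        return None
    return ct


def ecn_aggregate(key: bytes, reports: list, now: int):
    """Filter reports; emit ciphertexts || timestamp || hash (512n + 64 + 32 bits)."""
    kept = [(i, ct) for i, r in enumerate(reports)
            if (ct := ecn_verify(key, r, now)) is not None]
    body = b"".join(ct for _, ct in kept)
    return [i for i, _ in kept], body + struct.pack(">Q", now) + keyed_hash(key, body, now)


def demo():
    """Constructed inputs: fresh, replayed, re-stamped and forged reports."""
    key, now = bytes(range(16)), 1_700_000_000  # constructed 128-bit key and clock
    fresh = device_report(key, b"\x11" * CT_LEN, now - 5)
    replayed = device_report(key, b"\x22" * CT_LEN, now - 3600)
    restamped = replayed[:CT_LEN] + struct.pack(">Q", now) + replayed[-TAG_LEN:]
    forged = b"\x33" * CT_LEN + struct.pack(">Q", now) + b"\x00" * TAG_LEN
    kept, payload = ecn_aggregate(key, [fresh, replayed, restamped, forged], now)
    return kept, len(payload) * 8
```

Only the fresh report survives filtering. With a 32-bit hash result, a blind forgery passes the second comparison with probability 2^-32 per attempt, so an ECN built this way should also rate-limit senders whose reports fail verification.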
Our goal is to evaluate the efficiency of our scheme. Figure 3 shows the time of outsourcing, which also increases with the number of attributes. Figure 4 shows the time of final decryption. Because most of the computational cost is in the outsourced phase, and the final decryption phase only needs to perform the exponential operation once, the time of the final decryption is independent of the number of attributes. In particular, because IDs only need to perform final decryption, this makes our system suitable for applications with limited resources.
When considering data aggregation, we separately calculate the time consumption of IDs, ECNs, and MCP. Here, we stipulate that the size of each uploaded data item is 512 bits. For ID, only one AES encryption and one hash operation need to be performed each time. Therefore, the calculation cost will not increase with the number of devices. The computational cost is shown in Figure 5. The communication cost is the sum of the ciphertext's size, the length of the timestamp, and the length of the hash result, which is 608 bits.
For ECNs, only 2n comparisons and one hash operation are required each time; therefore, the computational cost will increase as the number of IDs increases. The computational cost is shown in Figure 6. The communication cost is the sum of the size of the aggregated ciphertext, the length of the timestamp, and the length of the hash result, which is (512n + 64 + 32) bits. When the number of IDs increases to a certain extent, the number of ECNs can be appropriately increased to reduce the computational overhead of each ECN.
For MCP, only 2n comparisons, one AES decryption, and one hash operation are required each time. Therefore, the computational cost will increase as the number of IDs increases. The computational cost is shown in Figure 7. Most of the encryption and decryption calculations are assigned to ECN, which allows MCP to perform other tasks.

Conclusion
In this study, we proposed the TSVA-CP-ABE scheme for mobile crowdsensing. The proposed scheme supports key distribution and efficient data aggregation. ECN can assist ID to quickly obtain the session key and reduce the computing overhead of ID. At the same time, ECN can filter out the expired key and illegal aggregated data to save bandwidth. Combined with the revocation of attribute-based encryption, we have realized the dynamic joining and exiting of IDs. Performance analysis shows that, compared with traditional methods, our scheme can reduce computing overhead and communication costs and is very suitable for edge-assisted mobile crowdsensing. In our scheme, the outsourced results are verified by the ID itself, and no additional fully trusted third party is required for verification. Our proposed system is the first TSVA-CP-ABE system that supports time sensitivity, revocation, and verifiable data. However, our system only supports detecting false data in plaintext. Therefore, our system is not suitable for an environment with a large number of malicious devices: malicious devices upload a large amount of false data, and the platform can only find it after decryption, resulting in a waste of computing resources. Our future work is to obtain a TSVA-CP-ABE system that can detect false data in the ciphertext.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that they have no conflicts of interest.