Traceable Multiauthority Attribute-Based Encryption with Outsourced Decryption and Hidden Policy for CIoT

School of Computer Science, Qufu Normal University, Rizhao, 276826 Shandong, China School of Computer Science and Technology, Qilu University of Technology (Shandong Academy of Sciences), Jinan, Shandong 250353, China Shandong Computer Science Center (National Supercomputer Center in Jinan), Jinan, Shandong 250014, China Shandong Laboratory of Computer Networks, Jinan 250014, China School of Big Data and Software Engineering, Chongqing University, Chongqing 400044, China Key Laboratory of Dependable Service Computing in Cyber Physical Society, Ministry of Education (Chongqing University), China


Introduction
In traditional public key encryption, the encryptor encrypts a message with the public key of the decryptor, so only the holder of the corresponding private key can decrypt. Such schemes rely on a public key certificate infrastructure, which is notoriously difficult to manage. In 1984, Shamir proposed identity-based encryption (IBE), in which the encryptor uses the identity of the decryptor as the public key [1]. Boneh et al. [2] constructed an IBE scheme from pairings on elliptic curves, which greatly promoted the development of this field. Although IBE solves the public key management problem, it still cannot achieve one-to-many sharing of private data, and this kind of application is extremely common in ubiquitous Internet of Things (IoT) scenarios.
To tackle this issue, Sahai et al. first proposed fuzzy identity-based encryption [3], which later developed into attribute-based encryption (ABE). There are two types of ABE: ciphertext-policy attribute-based encryption (CP-ABE) and key-policy attribute-based encryption (KP-ABE). CP-ABE was proposed by Waters [4]; in it, the encryptor needs to know nothing about who exactly will decrypt the ciphertext and simply encrypts the message under a self-defined access policy. Any decryptor can decrypt correctly as long as its attribute set satisfies the access policy embedded in the ciphertext. In other words, in CP-ABE the data owner fully controls who can decrypt.
IoT, which acts as the bridge between the physical world and the cyber world, enables a wide range of smart applications [5], such as smart cities, smart industry and smart health care. Since most IoT devices are resource constrained and cannot process the huge amount of data locally and efficiently, a cloud storage server is added to the IoT, forming a new paradigm, the cloud-IoT, in which the cloud or another resource-rich server provides storage and computing services. ABE schemes with a single attribute authority do not adequately address the needs of ubiquitous IoT devices. In [6], Chase first proposed a multiauthority ABE scheme. However, Chase's scheme still requires a trusted central authority (CA), which can decrypt any ciphertext it wants. Later, Chase et al. improved their scheme by removing the CA and achieved a truly decentralized ABE scheme [7].
In [8], Lewko et al. proposed a distributed ABE scheme which not only realizes multiauthority attribute-based encryption (MA-ABE) but also proves security with the dual system encryption methodology. Unfortunately, the application of ABE in the IoT still faces an important challenge: IoT devices with limited resources cannot afford the large number of bilinear pairing operations required by ABE decryption. Green et al. therefore proposed an ABE scheme with outsourced decryption, which preserves data security while minimizing the computational burden on the devices [9].
In this paper, a multiauthority attribute-based encryption scheme with white-box traceability and verifiable outsourced decryption is proposed for the cloud-IoT. Compared with existing ABE schemes, our scheme makes the following contributions:
(i) Since a great number of attributes are used in decryption key generation, each attribute authority independently controls a disjoint set of attributes in our scheme. The central authority is only responsible for generating the public parameters, and the right to decide who can decrypt is held directly by the data owners.
(ii) Our scheme uses linear secret sharing schemes (LSSS) and therefore supports any monotone access structure. More importantly, to protect the privacy of IoT users, our scheme realizes a fully hidden access policy.
(iii) Considering the needs of resource-constrained IoT devices, our scheme outsources most of the decryption work to the cloud using verifiable outsourcing.
(iv) Our scheme adopts the Boneh-Boyen short signature to implement user traceability, i.e., a white-box tracing algorithm that addresses the problem of leaked private keys.

1.1. Paper Organization. Section 2 summarizes related work, and Section 3 introduces the preliminaries of our scheme, including the complexity assumptions. The system model and security models are presented in Section 4. In Section 5, we give the concrete construction and a simple application of our scheme. Section 6 proves the indistinguishability, verifiability, full policy hiding and traceability of our scheme. Section 7 compares the storage and computation costs of our scheme with those of other schemes, and Section 8 concludes the paper.

Related Work
Many works have followed since Sahai et al. first proposed attribute-based encryption [3]. ABE schemes are generally classified into two categories: key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE) [4, 16]. Because CP-ABE lets the data owner decide the access policy, it has been regarded as the most promising solution to access control in cloud storage. In ABE schemes, the keys of data users are generated by attribute authorities (AAs), so the security of an ABE scheme rests on trust in the attribute authorities. To handle the huge number of data users in the IoT, multiauthority attribute-based encryption (MA-ABE) was proposed [6, 17-19]; it manages a large number of attributes more efficiently, with each attribute authority independently controlling a unique set of attributes. To achieve both data confidentiality and data authentication in body area networks, Hu et al. proposed a fuzzy attribute-based signcryption scheme [20]. Another characteristic of the IoT is that most devices are resource-limited [21-23]. The decryption overhead of ABE schemes grows with the number of attributes involved in the access policy, and the expensive pairing computations are clearly unacceptable for most IoT devices. Therefore, some ABE schemes using the proxy reencryption concept have been proposed [24-26]. In [9], Green et al. proposed an ABE scheme with outsourced decryption, which delegates most of the decryption overhead to a third-party server. However, all outsourced ABE schemes rely on a semitrusted server to perform the partial decryption, which raises a serious problem: how to ensure that the partially decrypted data is correct and has not been altered. In [27], Lai et al. proposed a verifiable outsourced ABE scheme, but it still requires heavy decryption costs. Recently, Li et al. improved an ABE scheme to achieve not only verifiable outsourced decryption but also lightweight user decryption [10]; however, all of the outsourced schemes mentioned above rely on a central authority to manage and generate the user decryption keys. In [11], Belguith et al. proposed an outsourced multiauthority attribute-based encryption scheme. In [28], Deng et al. proposed an efficient outsourced attribute-based signcryption scheme which also solves the user revocation problem.
In the cloud-assisted IoT environment, data owners store private data in a shared cloud. In most ABE schemes, the access policy is uploaded to the cloud server in plaintext along with the encrypted data, which may reveal private information about the encryptor and the decryptor. In [29], Nishide et al. proposed an ABE scheme with a partially hidden access policy, but it has poor expressiveness.
When it comes to real-world applications, another common issue of ABE schemes must be considered: the leakage of decryption keys. In [14], Li et al. proposed an ABE scheme with outsourced decryption designed for electronic health systems; however, it does not consider the privacy of the access policy, which might contain sensitive personal information of users. We compare our scheme with some existing ABE schemes in Table 1. In short, our ABE scheme achieves selective replayable CCA (RCCA) security and provides multiple practical functions, such as a fully hidden policy, outsourced decryption and traceability.

Preliminaries
In this section, we provide all mathematical preliminaries needed for our scheme.
3.1. Bilinear Maps. Let $G$ and $G_T$ be two multiplicative cyclic groups of prime order $p$. Let $g$ be a generator of $G$ and $e: G \times G \to G_T$ a bilinear map with the following three properties [15]:
(1) Bilinearity: for all $u, v \in G$ and $a, b \in \mathbb{Z}_p$, $e(u^a, v^b) = e(u, v)^{ab}$, where $\mathbb{Z}_p$ denotes the integers modulo $p$.
(2) Nondegeneracy: $e(g, g) \neq 1$, where $1$ is the identity of $G_T$.
(3) Computability: there is a polynomial-time algorithm that computes $e(u, v)$ for any $u, v \in G$.
We say that $G$ is a bilinear group if both the group operation in $G$ and the bilinear map $e: G \times G \to G_T$ are efficiently computable. Note that the map $e$ is symmetric, since $e(g^a, g^b) = e(g, g)^{ab} = e(g^b, g^a)$.
3.2. Access Structure.
Definition 1 (access structure). Let $P = \{P_1, \dots, P_n\}$ be a set of parties. A collection $\mathbb{A} \subseteq 2^{\{P_1, \dots, P_n\}}$ is monotone if for all $B, C$: if $B \in \mathbb{A}$ and $B \subseteq C$, then $C \in \mathbb{A}$. An access structure is a collection $\mathbb{A}$ of nonempty subsets of $\{P_1, \dots, P_n\}$, i.e., $\mathbb{A} \subseteq 2^{\{P_1, \dots, P_n\}} \setminus \{\emptyset\}$. The sets in $\mathbb{A}$ are called authorized sets, and the sets not in $\mathbb{A}$ are called unauthorized sets [9].

3.3. Linear Secret Sharing Schemes (LSSS)
Definition 2 (linear secret sharing schemes (LSSS)). A secret-sharing scheme $\Pi$ over a set of parties $\mathbb{P}$ is called linear over $\mathbb{Z}_p$ if
(1) the shares of a secret $s \in \mathbb{Z}_p$ for each party form a vector over $\mathbb{Z}_p$;
(2) there exists a matrix $M$ with $l$ rows and $n$ columns, called the share-generating matrix for $\Pi$, and a function $\rho$ which maps each row of the matrix to an associated party, i.e., for $i = 1, \dots, l$, $\rho(i)$ is the party associated with row $i$. For the column vector $v = (s, r_2, \dots, r_n)$, where $r_2, \dots, r_n \in \mathbb{Z}_p$ are chosen at random, $Mv$ is the vector of $l$ shares of the secret $s$ according to $\Pi$, and the share $(Mv)_i$ belongs to party $\rho(i)$.
According to [9], every linear secret-sharing scheme in the above sense also enjoys the linear reconstruction property: let $\Pi$ be an LSSS for the access structure $\mathbb{A}$, let $S \in \mathbb{A}$ be any authorized set, and let $I \subseteq \{1, 2, \dots, l\}$ be defined as $I = \{i : \rho(i) \in S\}$. Then there exist constants $\{\omega_i \in \mathbb{Z}_p\}_{i \in I}$ such that, if $\{\lambda_i\}$ are valid shares of any secret $s$ according to $\Pi$, then $\sum_{i \in I} \omega_i \lambda_i = s$. It is shown in [9] that these constants $\{\omega_i\}$ can be found in time polynomial in the size of the share-generating matrix $M$.
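The following is an added example, not part of the paper, that makes Definition 2 and the linear reconstruction property concrete: it builds the share-generating matrix $(M, \rho)$ for a monotone AND/OR policy (using the Lewko-Waters conversion, which the paper does not spell out), distributes shares $\lambda = Mv$, and finds the constants $\omega_i$ with $\sum_{i \in I} \omega_i M_i = (1, 0, \dots, 0)$ by Gaussian elimination modulo $p$. The modulus, the attribute names and the sample policy are assumptions constructed for the example; the same coefficient search is what the cloud server performs in the decryption phase when it picks the constants $c_i$.

```python
"""Added example (not from the paper): LSSS over Z_p as in Definition 2.
Builds the share-generating matrix (M, rho) from a monotone AND/OR formula
(Lewko-Waters conversion), distributes shares, and finds the reconstruction
constants omega_i with sum_i omega_i * M_i = (1, 0, ..., 0) by Gaussian
elimination mod p.  Attribute names and the policy below are constructed."""
import secrets

P = 2**127 - 1  # prime modulus standing in for the group order p (assumption)


def lsss_matrix(policy):
    """Convert a policy tree into (M, rho).

    policy is an attribute name (str) or a tuple ("AND", left, right) /
    ("OR", left, right).  Each leaf becomes one row of M labelled by rho.
    """
    rows, counter = [], [1]  # counter[0] is the current vector length c

    def visit(node, vec):
        if isinstance(node, str):
            rows.append((vec, node))
            return
        op, left, right = node
        if op == "OR":               # both children inherit the parent's vector
            visit(left, list(vec))
            visit(right, list(vec))
        elif op == "AND":            # split: left gets vec|1, right gets 0...0|-1
            c = counter[0]
            counter[0] = c + 1
            visit(left, vec + [0] * (c - len(vec)) + [1])
            visit(right, [0] * c + [P - 1])
        else:
            raise ValueError(f"unknown gate {op!r}")

    visit(policy, [1])
    n = counter[0]
    M = [vec + [0] * (n - len(vec)) for vec, _ in rows]
    rho = [attr for _, attr in rows]
    return M, rho


def shares(M, secret):
    """Shares lambda = M v for v = (s, r_2, ..., r_n) with random r_i."""
    n = len(M[0])
    v = [secret % P] + [secrets.randbelow(P) for _ in range(n - 1)]
    return [sum(m * x for m, x in zip(row, v)) % P for row in M]


def solve_mod_p(A, b):
    """Return one solution x of A x = b over Z_p, or None if inconsistent."""
    m, k = len(A), len(A[0])
    aug = [row[:] + [bi] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for col in range(k):
        piv = next((i for i in range(r, m) if aug[i][col]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, P)
        aug[r] = [x * inv % P for x in aug[r]]
        for i in range(m):
            if i != r and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(x - f * y) % P for x, y in zip(aug[i], aug[r])]
        pivots.append(col)
        r += 1
    if any(aug[i][k] for i in range(r, m)):  # a row 0 = nonzero: no solution
        return None
    x = [0] * k
    for i, col in enumerate(pivots):
        x[col] = aug[i][k]
    return x


def reconstruction_coeffs(M, rho, attrs):
    """Constants {omega_i} for the rows owned by attrs, or None if attrs is
    unauthorized (the target vector (1,0,...,0) is not in their span)."""
    I = [i for i, a in enumerate(rho) if a in attrs]
    if not I:
        return None
    n = len(M[0])
    A = [[M[i][col] for i in I] for col in range(n)]  # columns are the rows M_i, i in I
    omega = solve_mod_p(A, [1] + [0] * (n - 1))
    return None if omega is None else dict(zip(I, omega))


def reconstruct(lam, coeffs):
    """sum_i omega_i * lambda_i, which equals s for an authorized set."""
    return sum(w * lam[i] for i, w in coeffs.items()) % P


# Constructed policy: a doctor in cardiology or oncology.
POLICY = ("AND", "doctor", ("OR", "cardiology", "oncology"))
M, RHO = lsss_matrix(POLICY)


def demo(secret=123456789):
    lam = shares(M, secret)
    good = reconstruction_coeffs(M, RHO, {"doctor", "cardiology"})
    bad = reconstruction_coeffs(M, RHO, {"cardiology", "oncology"})
    return reconstruct(lam, good) == secret, bad is None
```

For the sample policy the matrix is $M = \begin{pmatrix}1 & 1\\ 0 & -1\\ 0 & -1\end{pmatrix}$ with $\rho$ = (doctor, cardiology, oncology); the set {doctor, cardiology} recovers $s$ with $\omega = (1, 1)$, while {cardiology, oncology} spans only multiples of $(0, 1)$, so the solver reports that no reconstruction constants exist.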
3.4. One-Way Anonymous Key Agreement. The one-way anonymous key agreement scheme of [15] can be used to guarantee anonymity of the access structure. It ensures the anonymity of only one participant. Assume two participants, Alice ($ID_A$) and Bob ($ID_B$), and let $s$ be the master secret of the key generation center (KGC). Each participant $i \in \{A, B\}$ has $Q_i = H(ID_i)$ and holds the private key $d_i = Q_i^s$ issued by the KGC, where $H: \{0,1\}^* \to G$ is a collision-resistant hash function. When Alice wants to remain anonymous, the protocol proceeds as follows:
(1) Alice computes $Q_B = H(ID_B)$, chooses a random $r_a \in \mathbb{Z}_p^*$, generates the pseudonym $P_A = Q_A^{r_a}$ and computes the session key $K_{A,B} = e(d_A, Q_B)^{r_a} = e(Q_A, Q_B)^{s \cdot r_a}$. Finally, she sends her pseudonym $P_A$ to Bob.
(2) Bob uses his private key $d_B$ to compute the session key $K_{B,A} = e(P_A, d_B) = e(Q_A, Q_B)^{s \cdot r_a}$.
Both parties obtain the same key, while $P_A$ reveals nothing about Alice's identity to Bob.

3.5. Complexity Assumptions
Definition 3 (q-Strong Diffie-Hellman problem, q-SDH). Let $G$ be a multiplicative cyclic group of order $p$ with generator $g$. Given a random $x \in \mathbb{Z}_p^*$ and the $(q+1)$-tuple $(g, g^x, g^{x^2}, \dots, g^{x^q})$, the problem of computing a pair $(c, g^{1/(x+c)})$ with $c \in \mathbb{Z}_p^*$ is called the q-strong Diffie-Hellman problem [13].
Definition 4 (Computational Diffie-Hellman problem, CDH). Let $G$ be a multiplicative cyclic group of order $p$ with generator $g$. Given two group elements $g^a, g^b \in G$, where $a, b \in \mathbb{Z}_p$ are random, the problem of computing $g^{ab}$ from $g^a$ and $g^b$ is called the Computational Diffie-Hellman problem [11].
Definition 5 (Decisional Bilinear Diffie-Hellman problem, DBDH). Let $G$ be a multiplicative cyclic group of order $p$ with generator $g$. Given three group elements $g^a, g^b, g^c \in G$, where $a, b, c \in \mathbb{Z}_p^*$ are random, the problem of distinguishing tuples of the form $(g^a, g^b, g^c, e(g,g)^{abc})$ from tuples of the form $(g^a, g^b, g^c, e(g,g)^z)$ for a random $z$ is called the Decisional Bilinear Diffie-Hellman problem [11].

System Definition
4.1. System Model. The system model of our scheme is illustrated in Figure 1 and involves five entities:
(1) Central Trusted Authority (CTA): the CTA only generates the public parameters; it cannot decrypt any data.
(2) Attribute authorities (AAs): each AA controls a set of attributes, and multiple AAs work together to generate a user's decryption key. In addition, the AAs can run a trace algorithm to recover the global identity of a guilty user who has leaked his/her private decryption key.
(3) Cloud server (CS): stores the ciphertexts uploaded by data owners and performs the outsourced partial decryption for data users.
(4) Data owner (DO): encrypts its data under a self-defined access policy and uploads the ciphertext to the CS.
(5) Data user (DU): requests its decryption key from the AAs and, with the help of the CS, decrypts the ciphertexts whose access policies its attributes satisfy.
Table 2 summarizes the notation used in our scheme. We assume that there are $n$ authorities and that each attribute is associated with a unique AA, so that the attribute sets controlled by different AAs are disjoint.

4.2. System Procedure. Our MA-ABE scheme with outsourced decryption and hidden policy consists of the following five phases:
(1) System initialization: this phase includes two algorithms. First, the CTA runs $Setup(\lambda) \to PP$ to generate the global parameters $PP$, where $\lambda$ is the security parameter. Then each AA runs $Setup_{auth}(PP) \to (sk_{AA_j}, pk_{AA_j})$ to generate its own key pair, consisting of a private key and a public key.
(2) Encryption: the DO runs $Encrypt(PP, \{pk_{AA_j}\}, MSG, (M, \rho)) \to CT$ to encrypt the message $MSG$ and uploads the ciphertext to the cloud server.
(3) Key generation: this phase contains two algorithms. First, each related AA independently runs $Keygen(PP, \{sk_{AA_j}, pk_{AA_j}\}, GID, S_{GID,j}) \to sk_{GID,j}$ to generate its part of the decryption key for the DU with identity $GID$, and all results are sent to the user. To outsource the decryption work to the cloud, the user then runs $Keygen_{out}(PP, sk_{GID}, (M, \rho), CT) \to ok_{GID}$ to generate its outsourced decryption key.
(4) Decryption: this phase has two steps. First, the CS runs $Decrypt_{out}(PP, opk_{GID}, (M, \rho), CT) \to CT'$ to partially decrypt the ciphertext. The second step is performed by the user, who runs $Decrypt(CT', osk_{GID}) \to MSG$ to obtain the plaintext.
(5) Trace: each $AA_j$ first verifies the format of the decryption key to be traced, and then runs $Trace(PP, sk_{GID}, \{pk_{AA_j}\}) \to GID$ to output the global identity (GID) of the guilty user.

4.3. Security Models. We define four security models for our MA-ABE scheme.
(1) Confidentiality: data confidentiality is the basic security requirement of the scheme; it prevents malicious adversaries from gaining extra information from the ciphertexts. Our scheme is selectively secure against chosen ciphertext attack if no probabilistic polynomial time (PPT) adversary can win the experiment $Exp_{Conf}$ described in Figure 2, between an adversary $\mathcal{A}$ and a challenger $\mathbb{C}$, with nonnegligible advantage.
(2) Verifiability: our scheme is verifiable if no PPT adversary can win the experiment $Exp_{Verif}$ described in Figure 3, between an adversary $\mathcal{A}$ and a challenger $\mathbb{C}$, with nonnegligible advantage.
(3) Fully hidden: in our scheme the CS knows nothing about the access policy, and a user learns only whether his/her attributes satisfy it. Our scheme is an outsourced ABE with fully hidden policy if no PPT adversary can win the experiment $Exp_{Hide}$ described in Figure 4, between an adversary $\mathcal{A}$ and a challenger $\mathbb{C}$, with nonnegligible advantage. The goal of the adversary is to recover the access policy without the required decryption key.
(4) Traceability: our scheme is a traceable ABE if no PPT adversary can win the experiment $Exp_{Trace}$ described in Figure 5, between an adversary $\mathcal{A}$ and a challenger $\mathbb{C}$, with nonnegligible advantage.

Construction and Application
The concrete construction of our MA-ABE scheme is presented in this section. First, the CTA and all AAs perform the initialization and generate $PP$ and the public keys of the AAs. Then the DO can encrypt its data under an access structure. Before accessing the data, a DU requests its decryption key from the AAs. Next, the DU can access the data and decrypt it with the help of the cloud, which predecrypts for the DU first. Finally, the trace algorithm is used by the AAs to recover the global identity of a guilty data user. This section also contains a simple application at the end.

[Figures 2-5: the security experiments $Exp_{Conf}$, $Exp_{Verif}$, $Exp_{Hide}$ and $Exp_{Trace}$, each with the phases Initialization, Set-up, Query phase I, Challenge, Query phase II and Guess. The challenger records issued keys in a table $\mathcal{T}$ and aborts a decryption query whose key is not in $\mathcal{T}$; in query phase II the queried attribute sets must not satisfy the challenge access structure, in $Exp_{Conf}$ the decryption query may return neither $R_0$ nor $R_1$, and in $Exp_{Hide}$ the queried attribute sets must satisfy either none or both of the challenge policies $\Psi_0, \Psi_1$. The adversary's advantage is its probability of guessing $b$ from $CT_b$ beyond 1/2.]

5.1. Construction.

5.1.1. Phase I: Initialization.
(1) System set-up: this step is performed by the CTA.
It defines two multiplicative groups $G, G_T$ of prime order $p$, with $g$ a generator of $G$.
It defines a CPA-secure symmetric encryption scheme $(Enc_{sym}, Dec_{sym})$.
It outputs the global public parameters
$$PP = \{G, G_T, p, e, g, H, H_1, H_2, Enc_{sym}, Dec_{sym}\}. \quad (1)$$
(2) Authority set-up: each attribute authority performs this step to obtain its key pair; we take $AA_j$ as an example.
It chooses two random numbers $\alpha_i, \beta_i \in \mathbb{Z}_p^*$ for each attribute $i \in S_{A,AA_j}$.
It chooses three random numbers $h_j, a_j, b_j \in \mathbb{Z}_p^*$.
It generates its private key $sk_{AA_j}$ and public key $pk_{AA_j}$ as
$$sk_{AA_j} = (\{\alpha_i, \beta_i\}_{i \in S_{A,AA_j}}, h_j, a_j, b_j), \qquad pk_{AA_j} = (\{g^{\alpha_i}, g^{\beta_i}\}_{i \in S_{A,AA_j}}, g^{h_j}, g^{a_j}, g^{b_j}).$$

5.1.2. Phase II: Encryption. We assume that the DO encrypts a message $MSG$ under a self-defined access structure $\Psi$, and let $S_\Psi$ be the set of all attributes appearing in $\Psi$. This phase contains three steps:
(1) Fully hide the access policy.
It chooses a random number $a \in \mathbb{Z}_p^*$ and computes $q_i = e((g^{h_j})^a, H(i))$ for each $i \in S_\Psi$, where $AA_j$ is the authority controlling attribute $i$.
It replaces each attribute in $S_\Psi$ by the corresponding $q_i$ and converts the access policy into an LSSS access matrix $(M_{l \times n}, \rho)$.

(2) Encrypt under the hidden policy.
It selects a $p_i \in \mathbb{Z}_p$ for each row $M_i$ of $M$ together with two further random values, and outputs the tuple $CT_{ABE} = (h, (M_{l \times n}, \rho), C_0, \{C_{1,i}, C_{2,i}, C_{3,i}, C_{4,i}, C_{5,i}\}_{i \in [1,l]})$, where $h = g^a$ and $i$ indexes the matrix row corresponding to an attribute.
(3) Encrypt the message.
It uses $K_{sym}$ to encrypt the message $MSG$ with the symmetric encryption algorithm $Enc_{sym}$ and denotes the result $CT_{sym} = Enc_{sym}(K_{sym}, MSG)$.
It uploads $CT = \{CT_{ABE}, CT_{sym}\}$ to the CS.

5.1.3. Phase III: Key Generation
(1) Decryption key. Each user owns a unique global identity $GID \in \mathbb{Z}_p^*$ and an attribute set $S_{GID}$, in which each attribute is associated with a designated attribute authority. Let $S_{AA,GID}$ be the set of related attribute authorities; according to it we divide $S_{GID}$ into $\{S_{GID,j}\}_{j \in S_{AA,GID}}$. When the user requests its decryption key, each related AA runs the key generation algorithm. Taking $AA_j$ as an instance:
It chooses a random number $r \in \mathbb{Z}_p^* \setminus \{-(a_j + GID)/b_j\}$ for each $i \in S_{GID,j}$, so that the denominator $a_j + GID + b_j r$ below is nonzero.
It computes and returns the decryption key $sk_{GID,j} = \{K_{1,i}, K_{2,i}, K_{3,i}\}_{i \in S_{GID,j}}$:
$$K_{1,i} = g^{\alpha_i/(a_j + GID + b_j r)}\, H(GID)^{\beta_i/(a_j + GID + b_j r)}, \qquad K_{2,i} = H(i)^{h_j}, \qquad K_{3,i} = r.$$
The decryption key of user $GID$ is denoted $sk_{GID} = (\{sk_{GID,j}\}_{j \in S_{AA,GID}}, GID)$.
(2) Outsourced decryption key: the data user runs this algorithm.
(a) Reconstruct the access policy. It computes $q_i' = e(h, H(i)^{h_j}) = e(g^a, H(i)^{h_j})$ for all $i \in S_{GID}$, i.e., $q_i' = e(h, K_{2,i})$, which by bilinearity equals the $q_i = e((g^{h_j})^a, H(i))$ used by the encryptor. It replaces each attribute $i$ by $q_i'$ to obtain $S_{GID}'$. It reads the access structure $(M_{l \times n}, \rho)$ from $CT$ and identifies the set of rows $L' = \{i \in [1, l] : \rho(i) \in S_{GID}'\}$ required for decryption.
(b) Generate the outsourced decryption key. It chooses a random number $z \in \mathbb{Z}_p^*$ and computes the outsourced decryption key $ok_{GID} = (opk_{GID}, osk_{GID})$, where $osk_{GID} = z$ is kept by the user and $opk_{GID}$ is sent to the CS.

5.1.4. Phase IV: Decryption
(1) Outsourced decryption: the CS performs the outsourced decryption for the user.
For each matrix row $i \in L'$ corresponding to an attribute, it computes a value $Q_i$ from $opk_{GID}$ and the ciphertext components of row $i$.
It chooses a set of constants $\{c_i\}_{i \in [1,l]} \subset \mathbb{Z}_p$ such that $\sum_i c_i M_i = (1, 0, \dots, 0)$, where $l$ is the number of rows of the access matrix; such constants exist by the linear reconstruction property of Section 3.3 whenever the user's attributes satisfy the policy.
It returns $CT' = \prod_{i=1}^{l} Q_i^{c_i} = e(g, g)^{s/z}$ to the user.

(2) User decryption: this step is performed by the user.
(a) Recover the message $R$ from the partially decrypted ciphertext $CT'$: the user computes $(CT')^{osk_{GID}} = (e(g,g)^{s/z})^{z} = e(g, g)^{s}$ and uses it to recover $R$ from the ciphertext (Equation (7)).
Correctness of Equation (7). Proof. For each attribute $i \in L'$, the CS uses $opk_{GID}$ to compute $Q_i$. It then chooses constants $\{c_i\}_{i \in [1,l]} \subset \mathbb{Z}_p$ with $\sum_i c_i M_i = (1, 0, \dots, 0)$, so that $\prod_{i} Q_i^{c_i} = e(g, g)^{s/z} = CT'$. From $CT'$ the user recovers $e(g, g)^{s} = (CT')^{z}$ and hence $R$.

5.1.5. Phase V: Trace. The algorithm $Trace(PP, sk_{GID}, \{pk_{AA_j}\})$ is performed by all attribute authorities. Its input is the private key $sk_{GID} = (\{sk_{GID,j}\}_{j \in S_{AA,GID}}, GID) = (\{K_{1,i}, K_{2,i}, K_{3,i}\}_{i \in S_{GID}}, GID)$ of a user. First, the AA checks the form of the key, i.e., that $GID, K_{3,i} \in \mathbb{Z}_p^*$ and $K_{1,i}, K_{2,i} \in G$; if the key does not have this form, the algorithm aborts.
Then the AA searches its database for an $i \in S_{GID}$ such that
$$e\!\left(K_{1,i},\; g^{a_j} g^{b_j K_{3,i}} g^{GID}\right) = e(g, g)^{\alpha_i}\, e\!\left(H(GID), g^{\beta_i}\right).$$
If such an $i$ exists, the global identity $GID$ of the guilty user is output.
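The following is an added example, not code from the paper, that runs the data flow of Phases III(2) and IV end to end together with the hash check on which the verifiability claim of Section 6 (Theorem 2) rests. Because no pairing library is assumed, the ABE part (the $Q_i$, the constants $c_i$ and $e(g,g)^{s}$) is replaced by a single-key ElGamal-style KEM in $\mathbb{Z}_P^*$; the blinding with $z$, the cloud's computation of $E^{1/z}$, the user's single exponentiation to unblind, and the commit-then-check with $H_1$ (key derivation) and $H_2$ (tag) are the parts being illustrated. The modulus, the use of SHA-256 for $H_1$/$H_2$, the toy $Enc_{sym}$ and the sample record are all assumptions constructed for the example.

```python
"""Added example (not from the paper): the outsourced-decryption data flow of
Phases III(2)-IV with the verification check behind Theorem 2.  The ABE part
is replaced by a single-key ElGamal-style KEM in Z_P^* (assumption) so that
blinding, cloud-side partial decryption, user-side unblinding and the hash
check can run without a pairing library.  H1/H2 as SHA-256 with domain tags,
the toy Enc_sym and the sample record are constructed for this example."""
import hashlib
import math
import secrets

P = 2**127 - 1   # prime modulus; Z_P^* stands in for the target group G_T
Q = P - 1        # order of Z_P^*, exponents live in Z_Q
G = 3            # fixed element of Z_P^*, plays the role of e(g, g)


def _h(label, data):
    return hashlib.sha256(label + data).digest()


def H1(R):  # K_sym derivation from the recovered group element R
    return _h(b"H1|", R.to_bytes(16, "big"))


def H2(R):  # verification tag committed to in the ciphertext
    return _h(b"H2|", R.to_bytes(16, "big"))


def _keystream(key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(_h(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))


def enc_sym(key, msg):
    """Toy CPA-secure stand-in for Enc_sym: fresh nonce, hash-counter XOR."""
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))


def dec_sym(key, ct):
    nonce, body = ct[:16], ct[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def keygen():
    """User key x and the public value used by encryptors (stands for the AAs' pk)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(pk, msg):
    """Phase II: hide a random R in G_T, commit to it with H2, encrypt MSG under H1(R)."""
    s = secrets.randbelow(Q - 1) + 1
    R = secrets.randbelow(P - 1) + 1
    E = pow(pk, s, P)                               # stands for e(g, g)^s
    ct_abe = (pow(G, s, P), R * E % P, H2(R))       # (C1, C0, tag)
    return ct_abe, enc_sym(H1(R), msg)


def keygen_out(x):
    """Phase III(2): choose z invertible mod Q; opk = x/z goes to the cloud, osk = z stays."""
    while True:
        z = secrets.randbelow(Q - 1) + 1
        if math.gcd(z, Q) == 1:
            return x * pow(z, -1, Q) % Q, z


def decrypt_out(ct_abe, opk):
    """Cloud side: CT' = C1^opk = E^(1/z).  The cloud never learns E or R."""
    C1, _, _ = ct_abe
    return pow(C1, opk, P)


def decrypt_user(ct_abe, ct_sym, ct_prime, osk):
    """User side: one exponentiation to unblind, verify the tag, then Dec_sym."""
    _, C0, tag = ct_abe
    E = pow(ct_prime, osk, P)                       # (E^(1/z))^z = E
    R = C0 * pow(E, -1, P) % P
    if H2(R) != tag:                                # malicious or faulty cloud
        raise ValueError("partial decryption failed verification")
    return dec_sym(H1(R), ct_sym)


def demo():
    """Honest cloud decrypts; a cloud that alters CT' is caught by the H2 check."""
    x, pk = keygen()
    ct_abe, ct_sym = encrypt(pk, b"patient record 42")        # constructed message
    opk, osk = keygen_out(x)
    ct_prime = decrypt_out(ct_abe, opk)
    honest = decrypt_user(ct_abe, ct_sym, ct_prime, osk)
    try:
        decrypt_user(ct_abe, ct_sym, ct_prime * 2 % P, osk)   # tampered CT'
        caught = False
    except ValueError:
        caught = True
    return honest, caught
```

Two points carry over to the real scheme. The user never decrypts with an unverified $R$: $K_{sym} = H_1(R)$ is derived only after $H_2(R)$ matches the tag, so a server that returns an altered $CT'$ can only make decryption fail, not make the user accept a wrong plaintext (absent a collision in $H_2$). And because $\gcd(z, Q) = 1$, the map $u \mapsto u^z$ is a bijection, so any change to $CT'$ changes the recovered $R$ deterministically rather than with some probability.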

5.2. Application in the EHR System.
In this section we describe a simple application of our scheme to an electronic health record (EHR) system. The basic procedure is presented in Figure 6, and the details are as follows:
(1) The central trusted authority (the government) performs the system set-up algorithm to generate and publish the global parameters $PP$.
(2) A set of management companies act as attribute authorities; each performs the authority set-up, publishes its public key and keeps its private key secret.
(3) A hospital encrypts a patient's medical record $Rd$ under a user-defined access structure $M$ and sends the ciphertext $CT$, together with the fully hidden access structure, to the cloud storage server.
(4) Before a data user (a doctor) requests the wanted records from the cloud server, he/she obtains the decryption key $sk_{GID}$ from the attribute authorities.
(5) To outsource the decryption work to the cloud server, the doctor generates the outsourced decryption key $opk_{GID}$ from $sk_{GID}$ and sends $opk_{GID}$ to the cloud server.
(6) The cloud server partially decrypts for the doctor as long as his/her attribute set satisfies the access policy of the ciphertext.

Confidentiality
Proof. The reduction runs between the adversary $\mathcal{A}$, a simulator $\mathcal{B}$ and the challenger $\mathbb{C}$ of Lewko's scheme [8].
(1) Initialization: the adversary $\mathcal{A}$ submits a challenge access policy $\Psi^* = (M^*, \rho^*)$ to the challenger $\mathbb{C}$ through $\mathcal{B}$.
(2) Set-up: $\mathbb{C}$ runs $Setup(\lambda)$ to generate the global parameters $PP$. It chooses two multiplicative cyclic groups $G, G_T$ of prime order $p$ with a generator $g$ of $G$ and sends $PP = \{G, G_T, p, e, g, H^*, H_1^*, H_2^*, (Enc_{sym}, Dec_{sym})\}$ to $\mathcal{A}$ through $\mathcal{B}$. It runs $Setup_{auth}$ to generate the key pairs of the noncorrupted authorities: it chooses two random numbers $\alpha_i, \beta_i \in \mathbb{Z}_p^*$ for each attribute $i \in S_{A,AA_j}$ and three random numbers $h_j, a_j, b_j \in \mathbb{Z}_p^*$, and computes the public key $pk_{AA_j} = (\{g^{\alpha_i}, g^{\beta_i}\}_{i \in S_{A,AA_j}}, g^{h_j}, g^{a_j}, g^{b_j})$. It sends all authorities' public keys to $\mathcal{A}$ through $\mathcal{B}$. $\mathcal{A}$ runs $Setup_{auth}$ in the same way to generate the key pairs of the corrupted authorities.
(3) Query phase I.
(b) Key query: in the $q$-th query, $\mathcal{A}$ asks for the decryption key for an attribute set $S_{GID_q}$ by sending $S_{GID_q}$ and $GID_q$ to $\mathcal{B}$. $\mathcal{B}$ calls $\mathbb{C}$ to generate the key and forwards it to $\mathcal{A}$. $\mathbb{C}$ chooses a random $r \in \mathbb{Z}_p^* \setminus \{-(a_j + GID_q)/b_j\}$ and computes $sk_{GID_q} = (\{sk_{GID_q,j}\}_{j \in S_{AA,GID}}, GID_q) = (\{K_{1,i}, K_{2,i}, K_{3,i}\}_{i \in S_{GID_q}}, GID_q)$, with $K_{1,i} = g^{\alpha_i/(a_j + GID_q + b_j r)}\, H^*(GID_q)^{t_i/(a_j + GID_q + b_j r)}$, and sets $D = D \cup S_{GID_q}$. $\mathcal{B}$ chooses a random $a \in \mathbb{Z}_p^*$ and computes $h = g^a$ to simulate the output of the encryption algorithm, then calls $\mathbb{C}$ to run the outsourced decryption key generation: $\mathbb{C}$ chooses a random $z \in \mathbb{Z}_p^*$, sets $osk_{GID_q} = z$ and sends $ok_{GID_q} = (opk_{GID_q}, osk_{GID_q})$ to $\mathcal{B}$. $\mathcal{B}$ stores the entry $(q, S_{GID_q}, sk_{GID_q}, ok_{GID_q})$ in the table $\mathcal{T}$ and returns the key to $\mathcal{A}$.
(c) Decryption query: without loss of generality, we assume that every ciphertext submitted to this query has already been partially decrypted; for instance, $CT'$ was correctly partially decrypted with the $opk$ of the entry $(q, S_{GID_q}, sk_{GID_q}, ok_{GID_q})$. Let $CT'$ be associated with an access structure $(M, \rho) \neq (M^*, \rho^*)$, and let $opk$ be associated with an attribute set that satisfies $(M, \rho)$ but not $(M^*, \rho^*)$. $\mathcal{B}$ searches $\mathcal{T}$ for the matching decryption key and aborts if none exists.
(4) Challenge: $\mathcal{A}$ chooses two messages $MSG_0, MSG_1 \in \{0,1\}^*$ of equal length and sends them to $\mathcal{B}$. $\mathcal{B}$ chooses two messages $R_0, R_1 \in G_T$ and sends them to $\mathbb{C}$. $\mathbb{C}$ chooses a random bit $b \in \{0,1\}$ and encrypts $R_b$ under the access structure $(M^*, \rho^*)$ by running Lewko's scheme; the resulting challenge ciphertext $CT_b^*$ is returned to $\mathcal{A}$.
(5) Query phase II: after receiving $CT_b^*$, $\mathcal{A}$ may issue a polynomially bounded number of queries as in query phase I, with the restrictions that the queried attribute sets must not satisfy the challenge access structure and that the decryption query may return neither $MSG_0$ nor $MSG_1$.
(6) Guess: $\mathcal{A}$ outputs a guess $b'$ of $b$ from $CT_b^*$ and sends it to $\mathbb{C}$ through $\mathcal{B}$. If $b' = b$, $\mathcal{A}$ wins the experiment.
Since $\mathcal{A}$ can only guess $b$ from the ciphertext $CT_b^*$ provided by $\mathcal{B}$, the advantage of $\mathcal{A}$ in $Exp_{Conf}$ is no greater than the advantage of $\mathcal{B}$ in $Exp_{Lew
ko}$, i.e., $\Pr[Exp^{\mathcal{A}}_{Conf}(1^\xi)] \le \Pr[Exp^{\mathcal{B}}_{Lewko}(1^\xi)]$. Hence our scheme is selectively RCCA secure.

Verifiability
Theorem 2. If $H_1$ and $H_2$ are collision-resistant hash functions, our scheme is verifiable against malicious servers.
Proof. We consider a PPT adversary $\mathcal{A}$ running the experiment of Section 4.3(2) with an entity $\mathcal{B}$, where $\mathcal{B}$ tries to break the collision resistance of the two hash functions $H_1^*$ and $H_2^*$.
(1) Initialization: the adversary $\mathcal{A}$ submits a challenge access policy $\Psi^* = (M^*, \rho^*)$ to the entity $\mathcal{B}$.
(3) Query: $\mathcal{A}$ issues the queries of query phase I and query phase II through $\mathcal{B}$ to obtain the related decryption keys and outsourced decryption keys.
(4) Challenge: $\mathcal{A}$ sends the challenge message $MSG^*$ to $\mathcal{B}$, which answers as follows. It chooses a random message $R^* \in G_T$ and encrypts $R^*$ under the access policy $(M^*, \rho^*)$ by running Lewko's encryption scheme.

Fully Hiding
Theorem 3. Our scheme is an outsourced ABE with fully hidden policy if the one-way anonymous key agreement protocol [15] is IND-CPA secure.
Proof. The aim of this proof is to show that no PPT adversary can recover the access policy without the right decryption key. The set-up phase and query phase I are the same as in the confidentiality experiment.
In the challenge phase, the adversary $\mathcal{A}$ chooses two challenge messages $R_0^*, R_1^*$ and two valid access policies $\Psi_0, \Psi_1$ and sends them to the challenger $\mathbb{C}$. $\Psi_0$ and $\Psi_1$ must satisfy the following restriction: either all attribute sets queried in query phase I satisfy neither policy, or all of them satisfy both policies. $\mathbb{C}$ then computes $q'(i) = e((g^{h_j})^a, H(i))$ for a random $a \in \mathbb{Z}_p^*$, following the one-way anonymous key agreement protocol; this hides the real policy by replacing each attribute $i$ in the policy with the corresponding $q'(i)$. $\mathbb{C}$ chooses a random bit $b \in \{0,1\}$, encrypts $R_b^*$ under the access policy $\Psi_b$ and sends $CT^*$ to $\mathcal{A}$. Afterwards $\mathcal{A}$ may issue a polynomially bounded number of further queries as in query phase I, subject to the same none-or-both restriction.
In the guess phase, $\mathcal{A}$ outputs $b'$. To decrypt $CT^*$, $\mathcal{A}$ must first recover the access policy. In our scheme the key component $K_{2,i} = H(i)^{h_j}$ is necessary to compute $q'(i)$, because $q'(i)$ was derived with the one-way anonymous key agreement protocol before the message was encrypted; hence only an authorized user can recover the access policy. Moreover, because of the random value $a$, an unauthorized user cannot recover attribute $i$ from $q'(i)$, which also prevents collusion among users. Therefore the advantage $Adv_{\mathcal{A}}[Exp_{Priv}(1^\xi)]$ of the adversary is negligible, and our scheme preserves the privacy of the access policy against adaptive chosen plaintext attack.

Traceability
In this section, we prove that our scheme is fully traceable under the q-SDH assumption.

Lemma 1.
Our scheme achieves fully user traceability based on that the Boneh-Boyen fully signature scheme [31] is strong existential forgery secure against adaptive chosen message attack.
Proof. We define a PPT adversary $\mathcal{A}$ that runs the experiment defined in Section 4.3(4) to attack our scheme, and an entity $\mathcal{B}$ that uses $\mathcal{A}$ to break the Boneh-Boyen full signature scheme under adaptive chosen message attacks with the same advantage. Assume that the advantage of the adversary $\mathcal{A}$ in breaking our scheme is $\varepsilon$, and that $\mathcal{B}$ can access a random oracle $H$.
Let $\mathcal{C}$ be the challenger in the B-B scheme, $\mathrm{Sig}_j \in \mathbb{G}$ be the signature of $AA_j$, and $pk^{sig}_{AA_j} = \{\mathbb{G}, p, g, g^{a_j}, g^{b_j}\}$ be the associated public key of $\mathrm{Sig}_j$.
(1) Set-up: the challenger $\mathcal{C}$ runs the Setup algorithm to generate the global parameter $PP$ and sends $PP$ to $\mathcal{B}$. For each noncorrupted authority in the set $S'$, $\mathcal{C}$ sends $pk^{sig}_{AA_j}$ to $\mathcal{B}$. Then, $\mathcal{B}$ chooses two random numbers $\alpha_i, \beta_i$ for each attribute in the attribute set of the authority, and a random number $h_j$, to generate the public key of the authority $pk_{AA_j} = (\{g^{\alpha_i}, g^{\beta_i}\}_{i \in S_{A,AA_j}}, g^{h_j}, g^{a_j}, g^{b_j})$. Finally, $\mathcal{B}$ returns $PP$ and $\{pk_{AA_j}\}_{j \in S'}$ to $\mathcal{A}$. For corrupted authorities, $\mathcal{A}$ runs the $\mathrm{Setup}_{auth}$ algorithm to generate their key pairs.
(2) Key query: $\mathcal{A}$ runs $m$ queries. In the $q$-th query, $\mathcal{A}$ sends $(S_{GID_q}, GID_q)$ to $\mathcal{B}$. $\mathcal{B}$ initializes an empty table $T$ and does the following steps:
(a) Accesses the random oracle $H(GID_q)$: $\mathcal{B}$ searches for the entry $(GID_q, t_{GID_q}, g^{t_{GID_q}})$ in the table $T$, and if it exists, $\mathcal{B}$ outputs $g^{t_{GID_q}}$. Else, $\mathcal{B}$ chooses a random
(b) Generates the decryption key $sk_{GID_q,j}$: $\mathcal{C}$ chooses a random number $r \in \mathbb{Z}_p^* \setminus \{-(a_j + GID_q)/b_j\}$ for each attribute $i \in S_{GID_q,j}$ and returns the signature $(r, \sigma = g^{1/(a_j + GID_q + b_j r)})$. Then, $\mathcal{B}$ computes the components of $sk_{GID_q,j}$. Then, $\mathcal{B}$ sets $D = D \cup S_{GID_q}$. Finally, $\mathcal{B}$ returns the following result to $\mathcal{A}$:
(3) Key forgery: $\mathcal{A}$ sends a $sk^*$ to $\mathcal{B}$. The advantage of the adversary to win is defined as
where $(GID_1, \cdots, GID_m)$ are the $m$ GIDs queried in the last phase. If $\mathrm{Trace}(PP, \{pk_{AA_j}\}, sk^*) \notin \{\bot, GID_1, \cdots, GID_m\}$, it means that $sk^* = (\{K_{1,i}, K_{2,i}, K_{3,i}\}_{i \in S_{GID}}, GID)$ passed the form check and $GID \notin \{\bot, GID_1, \cdots, GID_m\}$. Hence, $\exists i \in S$, s.t.
Without loss of generality, we assume that the adversary $\mathcal{A}$ accessed the random oracle $H(GID)$ before outputting $sk^*$. $\mathcal{B}$ obtains the entry $(GID, t_{GID}, g^{t_{GID}})$ from the table $T$. From $e(K_{1,i}, g^{a_j} g^{b_j K_{3,i}} g^{GID}) = e(g,g)^{\alpha_i} e(H(GID), g^{\beta_i})$, we get $K_{1,i} = g^{(\alpha_i + t_{GID}\beta_i)/(a_j + b_j K_{3,i} + GID)}$. Then, $\mathcal{B}$ computes the signature $\sigma_j = (K_{1,i})^{1/(\alpha_i + t_{GID}\beta_i)}$. Because $GID, K_{3,i} \in \mathbb{Z}_p^*$, $(K_{3,i}, \sigma_j)$ is a valid signature on the message $GID$ in the B-B signature scheme. Because $GID \notin \{GID_1, \cdots, GID_m\}$, $\mathcal{B}$ never queried a signature on $GID$ before, and the advantage of $\mathcal{B}$ in breaking the B-B scheme equals the advantage of the adversary $\mathcal{A}$ in breaking our scheme, which is $\varepsilon$.
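The extraction step of this reduction, as an added illustration that is not code from the paper: every group element $g^x$ is modelled by its exponent $x \bmod p$ and a pairing $e(g^x, g^y)$ by the product $xy \bmod p$, so the form check on $K_{1,i}$ and the derivation of $\sigma_j$ can be executed and checked without a real bilinear group. The modulus and all numeric inputs are constructed values, and the model is not a secure implementation.

```python
# Toy exponent-space model of the tracing reduction (added example, not the
# paper's code).  A group element g^x is stored as x mod P and a pairing
# e(g^x, g^y) as x*y mod P.  P and all inputs are constructed values and no
# real bilinear group is used, so this is NOT a secure implementation.
import secrets

P = 2**61 - 1  # prime modulus standing in for the group order p

def inv(x):
    """Inverse in Z_p^* via Fermat (P is prime)."""
    return pow(x % P, P - 2, P)

def keygen_component(alpha, beta, t_gid, a, b, gid, r):
    """Exponent of K_{1,i} = g^{(alpha_i + t_GID*beta_i)/(a_j + b_j*K_{3,i} + GID)}
    with K_{3,i} = r, the challenger's signing randomness."""
    denom = (a + b * r + gid) % P
    assert denom != 0, "r = -(a_j + GID)/b_j is excluded by the challenger"
    return (alpha + t_gid * beta) * inv(denom) % P

def key_check(k1, k3, gid, alpha, beta, t_gid, a, b):
    """Form check used by Trace:
    e(K1, g^{a_j} g^{b_j K3} g^{GID}) == e(g,g)^{alpha_i} e(H(GID), g^{beta_i})
    with H(GID) = g^{t_GID}; each pairing becomes a product of exponents."""
    lhs = k1 * ((a + b * k3 + gid) % P) % P
    return lhs == (alpha + t_gid * beta) % P

def extract_bb_signature(k1, alpha, beta, t_gid):
    """sigma_j = (K_{1,i})^{1/(alpha_i + t_GID*beta_i)}, as an exponent."""
    return k1 * inv(alpha + t_gid * beta) % P

def bb_verify(sigma, r, msg, a, b):
    """Boneh-Boyen full signature check: e(sigma, g^a g^m g^{b r}) == e(g, g)."""
    return sigma * ((a + msg + b * r) % P) % P == 1

def demo():
    """Returns (key passes form check, extracted (K3, sigma) verifies as a
    B-B signature on GID, a tampered K1 fails the form check)."""
    rnd = lambda: secrets.randbelow(P - 1) + 1
    a, b = rnd(), rnd()                  # AA_j's B-B signing secret (a_j, b_j)
    alpha, beta = rnd(), rnd()           # secrets of attribute i
    gid, t_gid, r = rnd(), rnd(), rnd()  # GID, programmed H(GID) = g^t, randomness
    k1 = keygen_component(alpha, beta, t_gid, a, b, gid, r)
    sigma = extract_bb_signature(k1, alpha, beta, t_gid)
    return (key_check(k1, r, gid, alpha, beta, t_gid, a, b),
            bb_verify(sigma, r, gid, a, b),
            key_check((k1 + 1) % P, r, gid, alpha, beta, t_gid, a, b))
```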

Wireless Communications and Mobile Computing
According to the Boneh-Boyen signature scheme, we can also get the following lemma.

Lemma 2.
If the $q$-SDH assumption holds in the group $\mathbb{G}$, the full signature scheme of Boneh and Boyen is strongly existentially unforgeable against adaptive chosen message attacks.

Theorem 4.
If the $q$-SDH assumption holds in the group $\mathbb{G}$, our scheme achieves full user traceability.
Proof. It follows directly from the above Lemma 1 and Lemma 2.

Performance Analysis
The notations used in our performance analysis are summarized in Table 3.
The comparison of storage cost and computational cost between our scheme and some other ABE schemes is given in Tables 4 and 5, respectively. Note that none of the results include the cost of symmetric cryptography, including hash operations.
From Table 4, we can see that the decryption key lengths of scheme [11] and ours depend on the number of attributes used in decryption, as both schemes outsource most of the decryption work to the cloud server, while the decryption key length of scheme [14] depends on the number of attributes in the user's attribute set. The ciphertext lengths of all four schemes depend on the number of rows of the LSSS access matrix used for encryption.
As we can see from Table 4, scheme [13] needs $5N_u$ exponentiations in group $\mathbb{G}$ to generate the user decryption key. It needs $2N_e + 1$ exponentiations in group $\mathbb{G}_T$ and $6N_e$ exponentiations in group $\mathbb{G}$ in the encryption phase. In particular, $4N_d$ exponentiations in group $\mathbb{G}_T$ and $3N_d$ pairings are required of a user who decrypts in scheme [13], which is too heavy for resource-limited IoT devices. Scheme [11] is an ABE scheme with outsourced decryption which needs $3N_u$ exponentiations in group $\mathbb{G}$ in the key generation phase. It requires $N_u + 5N_e + 1$ exponentiations in group $\mathbb{G}$, one exponentiation in group $\mathbb{G}_T$, and $N_u$ pairings to encrypt. Since most pairing operations are performed by the cloud server, users need only one exponentiation in group $\mathbb{G}_T$ to decrypt in [11].
Li et al. proposed a traceable ABE scheme which needs $4N_u + 4$ exponentiations in group $\mathbb{G}$ to generate the private key [14]. In the encryption phase, users spend $5N_e + 2$ exponentiations in group $\mathbb{G}_T$ and one exponentiation in group $\mathbb{G}$, while the cloud server performs $N_d$ exponentiations in group $\mathbb{G}_T$ as well as $3N_d + 1$ pairings to predecrypt in [14]. As a result, users need only three exponentiations in group $\mathbb{G}_T$ to fully decrypt.
Our scheme needs $3N_u$ exponentiations in group $\mathbb{G}$ in the key generation phase. To achieve a fully hidden policy, which is highly valuable in some health data applications, our scheme requires $N_u + 7N_e + 1$ exponentiations in group $\mathbb{G}$, one exponentiation in group $\mathbb{G}_T$, and $N_u$ pairings to encrypt. Meanwhile, our scheme realizes verifiable outsourced decryption. Our scheme outsources $3N_d$ exponentiations in group $\mathbb{G}_T$ and $3N_d$ pairings to the cloud server. Thus, IoT devices in our scheme require only one exponentiation in group $\mathbb{G}_T$ to decrypt, which dramatically reduces the computational overhead of resource-limited devices. Figure 7 illustrates the time overhead of decryption. The simulation was performed on an Ubuntu 16.4 desktop system with a 3.0-GHz Intel Core (TM) i5-7400 CPU and 2-GB RAM, and all experiments were done using Charm (version 0.50) [37], a rapid prototyping framework for cryptographic schemes based on Python.
Compared with the outsourced multiauthority ABE scheme [11], which has no traceability, our traceable MAABE scheme incurs little extra computational cost, and the user decryption cost of [11] and of our scheme is the same owing to outsourced decryption. Compared with the traceable single-authority ABE scheme [14], our multiauthority scheme can handle more attributes and is more suitable for the large number of devices in IoT systems. In addition, the other traceable MAABE scheme [13] is not applicable to resource-limited IoT devices due to its heavy decryption cost.
More importantly, our scheme requires only one hash operation to verify the decryption result. As for the other practical function our scheme achieves, traceability, its cost is $N_a(2E + H + 3P)$. Although this result appears to be linear in the size of the attribute universe, the real computational cost of this algorithm for each AA is linear in the size of its own attribute set, since we assume that the attribute sets controlled by different attribute authorities are disjoint in our scheme.

Conclusion
In this paper, we propose a multiauthority ABE scheme supporting verifiable outsourced decryption and white-box traceability. Our scheme outsources most of the decryption work to the honest-but-curious, resource-rich cloud server; thus, our scheme meets the special needs of resource-limited IoT devices. Moreover, our scheme protects the privacy of both the encryptor and the decryptor by means of the fully hidden policy technique. At the same time, another issue influences the application of ABE, the key leakage problem, which is
In the future, we plan to improve the scheme with fixed key size and ciphertext size to further reduce equipment overheads. Moreover, we can also consider how to solve another difficulty in the practical application of ABE: attribute revocation and user revocation. How to dynamically revoke attributes or users without affecting other authorized users is the focus of our future work.

Data Availability
All data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.