Enabling Efficient Decentralized and Privacy Preserving Data Sharing in Mobile Cloud Computing

Mobile cloud computing (MCC) is embracing rapid development these days and able to provide data outsourcing and sharing services for cloud users with pervasively smart mobile devices. Although these services bring various conveniences, many security concerns such as illegally access and user privacy leakage are inflicted. Aiming to protect the security of cloud data sharing against unauthorized accesses, many studies have been conducted for fine-grained access control using ciphertextpolicy attribute-based encryption (CP-ABE). However, a practical and secure data sharing scheme that simultaneously supports fine-grained access control, large university, key escrow free, and privacy protection in MCC with expressive access policy, high efficiency, verifiability, and exculpability on resource-limited mobile devices has not been fully explored yet. Therefore, we investigate the challenge and propose an Efficient and Multiauthority Large Universe Policy-Hiding Data Sharing (EMALUPHDS) scheme. In this scheme, we employ fully hidden policy to preserve the user privacy in access policy. To adapt to large scale and distributed MCC environment, we optimize multiauthority CP-ABE to be compatible with large attribute universe. Meanwhile, for the efficiency purpose, online/offline and verifiable outsourced decryption techniques with exculpability are leveraged in our scheme. In the end, we demonstrate the flexibility and high efficiency of our proposal for data sharing in MCC by extensive performance evaluation.


Introduction
As an emerging paradigm, mobile cloud computing (MCC) is growing exponentially and facilitates the deployment of enormous mobile devices covering public and private sectors [1]. The MCC systems provide not only strong mobility but also abundant computing and storage capacity for these resourcelimited devices which prefer to outsource their data to MCC for cost saving [2]. Moreover, assisted by the data sharing service of MCC, users are able to conveniently enjoy various applications, such as smart home, smart office, and intelligent transportation, with pervasive and smart mobile devices [3]. In particular, this trend is being accelerated with the implementation of 5G communication network offering massive high-speed access capacity [4]. As shown in Figure 1, users can share their data in MCC conveniently with different kinds of mobile devices, e.g., laptops, cellphones, through gNBs (i.e., next generation NodeB) of 5G network, or even satellites receiving station on various sites (e.g., home, hotel, plain, or car). Although MCC, such as iCloud and OneDrive, can provide a variety of benefits to mobile users, the data security issues, i.e., data confidentiality and fine-grained access control, have become important stumbling blocks for the usage of MCC [5]. The data outsourced to MCC may contain numerous sensitive information or significant assets relevant to mobile users and terminates [6]. Thus, the most critical data security concern is the data access control issues that allows only authorized users while prevents unauthorized ones from accessing the shared data in MCC as it will cause severe consequences if the private information is leaked. Therefore, how to protect these sensitive data outsourced in MCC remains an urgent challenge. As a promising technique, ciphertext-policy attribute-based encryption (CP-ABE) [7][8][9] can be adopted to provide fine-grained data access control when user data is shared with multiple users. Nevertheless, the conventional CP-ABE schemes are unsuitable to be directly utilized in secure data sharing of the MCC system as there still exist several issues. First of all, in general CP-ABE schemes, ciphertexts are stored in Cloud Service Provider (CSP) and shared with multiple users together with the access policies which are in plaintext and may cause user privacy leakage [7]. Moreover, a MCC system involves large amount of mobile devices and users, and standard CP-ABE schemes with bounded attribute universe and single attribute authority are no longer satisfactory due to their inflexibility, key escrow, and single-point failure problems [10]. Furthermore, as the CSPs are untrusted in terms of users, they may misbehave in outsourced decryption by returning previous results or even random and false results to users [2]. In addition, the low efficiency in encryption and decryption is an inferior drawback for traditional CP-ABE schemes when used in MCC with enormous resource-limited mobile devices. Thus, it is urgent to design a practical data access control scheme for data sharing in MCC that can address these issues.
To find out a solution, many works have made great progresses. The scheme in [11] solves the problem of bounded attribute universe, key escrow, and single-point failure problem while it cannot support policy privacy preserving and decryption verifiability. Meanwhile, the schemes in [12,13] support efficient encryption and exculpable decryption as well as multiauthority and policy hidden, respectively. Recently, the authors in [6,7] proposed two CP-ABE schemes with privacy preserving and expressive policy, but both of them do not support large attribute universe and exculpability of decryption. Then, the scheme in [1] provides features of multiauthority, large attribute universe, and high efficiency to resist key escrow problem, but it cannot satisfy policy preserving and verifiability with exculpability. Besides, such schemes do not consider the issue of exculpability as in some cases, and CSP acts honestly may be framed by users. Although the scheme in [14] fixed this problem, it fails to protect the user privacy in policies. Hence, it is urgent to devise a significant data sharing scheme that is addressing all these drawbacks in traditional CP-ABE schemes at the same time when used in MCC, including key escrow resistance, large attribute universe, privacy preserving, expressive policy, and efficiency.
1.1. Our Contributions. Confronting the above problems, we propose an Efficient and Multiauthority Large Universe Policy-Hiding Data Sharing (EMA-LUPHDS) scheme to achieve key escrow resistance, expressive access policies, and high efficiency for data sharing of MCC with resourcelimited mobile devices by extending the decentralized CP-ABE scheme [15]. In particular, our main contributions are listed as follows: (i) Single-Point Failure and Key Escrow Free. To adapt to decentralized environment of the MCC system, EMA-LUPHDS introduces the architecture of multiple authority for user key distribution so as to prevent single-point failure and key escrow problem in a centralized single authority.
(ii) Hidden Access Policy over Large Attribute Universe. EMA-LUPHDS leverages fully hidden access policy to solve the user privacy leakage problem in most of current CP-ABE schemes with cleartext access policy shared with the ciphertexts in CSP which may lead to private information leakage. To be flexible in the setup of large-scale MCC systems, EMA-LUPHDS supports large attribute universe with constant size of system parameter.
(iii) Cost Saving in Encryption and Decryption. To save the computation cost in both encryption and decryption, online/offline technique is introduced into EMA-LUPHDS for efficient data encryption. Moreover, EMA-LUPHDS achieves outsourced decryption in order to improve efficiency by moving a majority of computation cost of mobile devices with poor resources to CSP.
(iv) Verifiability and Exculpability. To guarantee the correctness of outsourced decryption executed by CSP, EMA-LUPHDS can check the result of partially decrypted ciphertext transformed by untrusted CSP with a data verification approach. For the exculpability of CSP, it achieves a commitment mechanism using Pedersen commitment approach.
(v) Security and Efficiency. We present security analysis and performance evaluation of the proposed scheme. The result demonstrates that our proposal is secure and efficient, which is extremely practicable and suitable for MCC systems.
1.2. Organization. The remainder of the article is outlined below. Some relevant studies are reviewed in Section 2, and the preliminaries including related definitions and notations  Wireless Communications and Mobile Computing are introduced in Section 3. In Section 4, we give the system model, threat model, and design goals of our scheme together with the system definition. Based on this, we describe in detail the constructions of the proposal in Section 5. Section 6 follows this to discuss the security of the scheme, and its performance evaluation is conducted in Section 7. Finally, Section 8 makes a conclusion for the work in this article.

Related Work
Mobile cloud computing (MCC) is widely utilized in various applications in which huge number of data plays an important role. Thus, how to protect the security of such large volume data is a big challenge for MCC [3]. CP-ABE is a promising technique for data confidentiality and finegrained access control which is first introduced in [16] based on the scheme in [17] aside from the user authentication protocols [18][19][20][21] as user-centric access control. Due to the data-centric and flexible access control, CP-ABE has been broadly studied and applied [8,9,[22][23][24][25][26]. However, MCC is a large scale and distributed system involving mobile and resource-limited user devices with much privacy in their data, and the standard CP-ABE schemes cannot be directly employed in MCC applications due to their high cost in computation and dependence on centralized authority. To confront the bottleneck of single authority, the study in [15] designed a scheme based on [27,28] with fully multiauthority, but it is inefficient and cannot resist collusion attack. As a solution, borrowing the idea of outsourced decryption proposed in [29][30][31][32][33] based on [34], the scheme in [29] improved the decryption efficiency and the DACC in [35] utilized Key Distribution Centres (KDC) for user key generation across multiple groups to resist collusion attack. Later, the proposals in [30,36] enhance the DACC scheme in addressing both user collusion and revocation problems. Recently, to solve the problem of deploying CP-ABE in MCC applications for data access control, the schemes in [2] proposed a solution based on [37] and outsourced decryption with anonymous techniques to achieve high decryption efficiency in distributed MCC systems, but it only improves efficiency in decryption and cannot support large attribute universe. Thus, motivated by online/offline CP-ABE proposed in [14,38,39] based on [40][41][42], De and Ruj [1] designed a multiauthority CP-ABE with outsourced decryption to achieve high efficiency in both encryption and decryption, whereas it fails to protect user privacy in access policy which is important for MCC applications containing massive private data.
To protect user privacy in plaintext access policy of standard CP-ABE schemes, the research in [43] first presents the idea of partial hidden-policy CP-ABE, but it only supports AND gate policy with weak security. Later, the study in [44] devised a fully secure and partial hidden-policy CP-ABE, but it still suffers from restricted expressiveness in access policy. Then, the scheme in [45] improves its expressiveness, and the work in [46] introduces decryption testing and large universe to improve efficiency and flexibility, but it is computation consuming with composite order groups. To solve this problem, the studies in [47,48] design two efficient and partial hidden-policy CP-ABE schemes based on prime order groups that support expressive access policy and verifiable outsourced decryption. However, they are weak in the protection of access policy due to their partially hidden policies. As a solution, the research in [49] proposed fully hidden policy for CP-ABE, but it incurs high computation cost. Then, the work in [50] proposed an efficient fully hidden-policy CP-ABE scheme, while it only supports restricted access policy. Recently, the studies in [6,7] devise two efficient CP-ABE schemes that support fully hidden and expressive access policy, but both schemes do not overcome the efficiency issue in encryption and small attribute universe. Moreover, these schemes fail to support exculpability which guarantees an authorized user has no way to accuse the cloud of outputting incorrect results in outsourced decryption while it was not the case. As a whole, these schemes cannot be used in MCC applications.
To seek a better solution, we propose EMA-LUPHDS for data access control in MCC applications. We make a function comparison in Table 1 between our scheme and several related state-of-the-art schemes in [1,2,6,7,10,[12][13][14] in the functionalities of access policy, large attribute universe, multiauthority, hidden access policy, efficient encryption, efficient decryption, verifiability, and exculpability. This demonstrates that our EMA-LUPHDS is more versatile and flexible than other schemes with richer advantages and satisfies the requirements of data access control in MCC applications.
In Table 1, the schemes are compared from the features of access policy, attribute universe, authority, policy hidden, encryption, and decryption efficiency as well as verifiability and exculpability. First of all, from Table 1, we note that the majority of schemes support expressive LSSS access policy which are flexible and expressive in access policy design. Only two schemes in comparison support "AND" threshold access policy which are lack in expressiveness and flexibility. Moreover, from the aspect of attribute universe, the schemes in [1,7,10,14] and ours all support large universe, while only our scheme and the schemes in [6,7,13] provide the features of multiple authorities and hidden policy, which can prevent sensitive information leakage from access policy and resist single authority failure. Furthermore, from the aspect of efficiency, it is well accepted to adopt outsourced encryption and decryption in CP-ABE schemes. And we conclude that most of the schemes in Table 1 support outsourced decryption and verifiability simultaneously, while only our scheme and the schemes in [1,2,14] also improve the efficiency in encryption by introducing online/offline technique. In addition, to support a strong verifiability and exculpability for outsourced decryption, we also note that the feature of exculpability is only supported by our scheme and those in [12,14], while the scheme in [12] does not support expressive policy and the scheme in [14] failed to protect sensitive data in policy and is lack of large attribute universe. In general, our proposal can simultaneously support all the features mentioned above.

Preliminaries
This section provides several notions and definitions in our proposal including access structure and bilinear maps.

Access Structure
Definition 1 (Access structures [8]). Let E = E 1 , ⋯, E n be a entity collection. Given a set Then, the set C is also a monotonic access structure, and the subsets in C are called the authorized sets, otherwise the unauthorized sets.

Linear Secret Sharing Schemes (LSSSs)
Definition 2 (LSSS [25]). Given the attribute universe U a , an LSSS on it involves ðB, δÞ, where B is an l × n sharegenerating matrix on Z p and the function δ maps a row of B into an attribute in U a . There are two algorithms: Share and Reconstruction in an LSSS. The former is to create the shares for a secret value s based on as a share of the secret s, while the latter reconstructs s with the secret shares of an authorized set E by finding I = fi | δðiÞ ∈ Eg ⊆ f1, 2,⋯lg and constances ω i ∈ Z p to make ∑ i∈I w i B i = ð1, 0,⋯,0Þ hold and compute ∑ i∈I w i λ i = s.

System Model and Design Goals
This section presents the system model, threat model, and design goals of our proposed system before giving the formal definition and security model for EMA-LUPHDS. Figure 2, our system involves Cloud Service Provider (CSP), trusted authority (TA), attribute authorities (AAs), data owner (DO), and data user (DU).

System Model. As detailed in
(i) CSP provides users with data outsourcing, sharing, and outsourced decryption services as well as unlimited storage and computational resources (ii) TA is responsible for initiating whole system by generating global public parameters for the whole system and its master keys (iii) AA takes charges of managing a disparate set of attributes and generating and distributing secret key and transformation key of the authenticated cloud users. The attribute sets managed by any two or more AAs are different from each other (iv) DO collects important information from mobile devices in MCC and uploads the massive data to CSP. Before outsourcing, DO converts the data with symmetric algorithm and a symmetric key encrypted by a fully hidden access policy for fine- Wireless Communications and Mobile Computing grained access control and user privacy preserving. Besides, DO prepares ciphertext components while accessing the power source offline to save computational resource of mobile devices (v) DU accesses the shared data in CSP on demand with his transformation key for outsourced decryption and recovers the symmetric key if authorized to further decrypt the partially decrypted ciphertext from CSP after verifying its correctness Based on the above system model, we design our data sharing scheme suitable for the MCC system involving four phases as below.
(i) Initialization. TA creates the system global public parameters and master key at the first. All entities can obtain the global public parameters with which each AA can generate their public and secret key pair.
(ii) User Enrollment. Each AA issues a secret key and a pair of transformation key for DUs after receiving the joining requests from these DUs. Each AA manages the enrolled DUs as well as their attribute sets.
(iii) Encryption. DO encrypts the data (usually in form of files) collected from the smart mobile devices in MCC systems based on a designated access policy and outsources the final ciphertext with fully hidden policies to CSP for data sharing.
(iv) Decryption. DU downloads ciphertexts from CSP with his transformation public key for outsourced decryption by CSP. After receiving the partially decrypted data, the DU decrypts it based on transformation private key and checks its correctness.

Threat Model and Design Goals.
In our EMA-LUPHDS, TA, AA, and DO are trusted entities while CSP is deemed to be a semihonest entity which is willing to act with honesty but may leak the private information in an "honest-butcurious" manner. In supplying the outsourced decryption service, CSP may misbehave in returning the result of the partially decrypted ciphertext to DU, such as returning false results or be lazy to return previous results. DUs are regarded as untrusted as they may illegally access the shared data in CSP without authorization or try to break the data security and privacy. Due to these threats on data sharing in MCC, we have the following design goals for our system: (i) Data Confidentiality. The proposed scheme should protect sensitive information in the outsourced data from being leaked or eavesdropped during data sharing and outsourced decryption in CSP and the communication between DU and CSP.
(ii) Fine-Grained Access Control and Collusion Resistance. Malicious users who are unauthorized or intend to collude with each other in data access should have no way to recover the ciphertext by aggregating their keys while anyone of them is unauthorized to decrypt the ciphertext alone.
(iii) Access Policy Hiding. On account of the access policy shared with ciphertext, those sensitive or privacy-aware information contained and exposed in access policies should be concealed for the purpose of user privacy preserving (iv) Verifiability and Exculpability. Due to the misbehaving CSP, the correctness of outsourced decryption by CSP should be verified. Also, any DU with authorized secret key cannot accuse the CSP of performing incorrectly in outsourced decryption while it acts honestly.
(v) Efficient Encryption and Decryption. With respect of resource-limited mobile devices in the MCC system, the computation should be as little as possible for (viii) Decrypt U ðpp, tsk i,GID , CT * Þ. The user decryption algorithm is run by DU. It takes the system global public parameters pp, transformation private key tsk i,GID , and partially decrypted ciphertext CT * as input and outputs the recovered ciphertext components R * and key * .
(ix) DecVerif yðpp, C, V m , key * , R * Þ. The user decryption verification algorithm is executed by DU. Given the recovered random element R * and encapsulated key key * , the DU checks if the session key and encrypted data are valid and output the plaintext M.

The Proposed EMA-LUPHDS Scheme
In this section, we describe the overview of our EMA-LUPHDS scheme and its concrete construction.

Overview.
To adapt to the large-scale MCC system, we first design a large universe multiauthority hidden-policy CP-ABE scheme with verifiable and exculpable outsourced decryption to realize efficient data sharing in MCC. Each user in such a distributed architecture is bound up with a global identity (GID) [51] to avoid collision. Moreover, we introduce online/offline technique to further reduce the overhead in data encryption. Before displaying the detailed construction of EMA-LUPHDS scheme, we define that in our EMA-LUPHDS, U a is the attribute universe which contains arbitrary string, U A is the authority universe with N different AAs and a public function F : U a ⟶ U A , which maps each attribute j ∈ U a to a specific authority AA i ∈ U A , denoting that the attribute j is managed by authority AA i , and I AA is the index of relevant authorities of a user. For simplicity, here we introduce another symbol δðjÞ = FðjÞ, j ∈ U a .

Construction of EMA-LUPHDS.
Here, the detail of each phase and corresponding algorithms in the formal definition of our proposal are given.

Initialization Phase.
In this phase, TA generates system global public parameters and master key and each AA generates their public and secret key pair by the following steps.
(i) Setup Global ðλÞ. Given the security parameter λ, TA generates groups G and G T of prime order p with a bilinear mapê : G × G ⟶ G T . Then, it chooses random generators g, g 1 , g 2 ∈ G and four collision- where M is the message universe and n 1 and n 2 are output sizes of H 2 and H 3 hash functions, respectively. Next, TA creates a L -length key derivation function (KDF) K, where L = |key | + | p | and set the global public parameters as follows: H, H 0 , H 1 , H 2 , H 3 , F, K, L,ê, g, g 1 , Finally, TA publishes the global public parameters pp.
(ii) Setup AA ðppÞ. Each AA AA i manages a set of attributes S AA i . As to each attribute authority AA i , it 6 Wireless Communications and Mobile Computing chooses two random number y i , α i , β i , t i ∈ Z p * for itself. Thus, each attribute authority AA i generates its key pair as follows: Finally, the attribute authority AA i outputs their public and secret key pair ðpk AA i , sk AA i Þ.

User Enrollment
Phase. Upon receiving the enrollment request from DU with their global identities and attribute sets, attribute authorities generate a secret key and a transformation key pair for DU based on the following algorithms.
(i) KeyGenðpp, sk AA i , GID, S i,GID Þ. If a DU has a global identity GID and a set of attributes S i,GID which is related to an attribute authority AA i , the AA i chooses a random number t ∈ Z * p and computes the secret key sk i,GID for the DU as follows: Finally, the attribute authority AA i outputs sk i,GID and sends it to the DU identified by GID through secure channel.
(ii) TKeyGenðpp, sk i,GID Þ. The authority AA i generates transformation key for DU identified by GID on giving the DU's secret key sk i,GID . We assume that as for each attribute j ∈ S i,GID , if FðjÞ = i, the attribute set S i,GID of DU with GID is managed by AA i . The authority AA i chooses a random number μ ∈ Z * p and computes the transformation key tk = ðtpk, tskÞ as follows: Finally, AA i outputs transformation key tk = ðtpk, tskÞ for DU with identity GID.

Encryption Phase.
On input globally public parameters pp and public key of AA i , the encryption process contains the following three steps: (i) Encrypt of f ðppÞ. DO selects a random secret s∈ R Z p to compute the encapsulated key key. Then, the DO generates the corresponding session key ssk for data encryption/decryption and the commitment C (e.g., Pedersen commitment algorithm) for key verification. The algorithm is executed as follows: As a result, the DO sets Key off = ðs, key, ssk, CÞ and creates a pool of offline keys. Next, the DO picks a random element R ∈ G T and computes R′ = H 2 ðRÞ. Finally, the DO sets VC off = ðR, R′Þ and constructs a pool of offline verification code. (iii) Encrypt on ðpp, M, ðA, ρÞÞ. DO chooses any one pair of offline components Key off = ðs, key, ssk, CÞ and VC off = ðR, R ′ Þ to encrypt the data M gathered from smart devices to generate encryped data C T s = E symm ðM, sskÞ with the symmetric encyption algorithm and the symmetric key ssk and compute the verification code V m = H 3 ðR ′ kCT s Þ for CT s . With the specific access policy ðA, ρÞ, where A is a l × n matrix and ρ is a mapping from each row A x to a certain attribute att x , DO picks p x ∈ R Z p * for each row A x of A and computes λ x = A x tpk i,GID = TK 1,j , TK 2,j , TK 3 , TK 4 , TK 5 È É Wireless Communications and Mobile Computing · γ, where γ = fs, γ 2 ,⋯,γ l g∈ R Z p l and θ x = A x · ν, where ν = f0, ν 2 ,⋯,ν l g∈ R Z p l . Next, DO outputs ciphertext CT = fðA, ρÞ, C, CT s , V m , C ′ , C 0 , fC 1,x , C 2,x , C 3,x , C 4,x g x∈½l g, where Finally, the DO uploads the ciphertext CT to CSP. (ii) Decrypt OUT ðpp, tpk i,GID , CTÞ. Let each matrix row A x of access policy ðA, ρÞ correspond to an attribute ρðxÞ, and CSP executes as follows: Then, as mentioned before, λ x = A x · γ, where γ = fr, γ 2 , ⋯,γ l g ∈ Z p l and θ x = A x · ν, where ν = f0, ν 2 ,⋯,ν l g ∈ Z p l , we note that there exists coefficients ω x ∈ Z p where x ∈ I s ′ such that ∑ x∈I s ′ ω x A x = ð1, 0,⋯,0Þ. Thus, we have ∑ x∈I s ′ ω x λ x = s and ∑ x∈I s ′ ω x θ x = 0.
Subsequently, the DU can computes Q x∈I s ′ ðC * Þ ω x , so that, Let i = δðxÞ, and we have the following equation: Finally, the CSP returns partially decrypted ciphertext CT * = fC 0 , C, CT ′ , CT s , V m g to the DU.
(i) Decrypt U ðpp, tsk i,GID , CT * Þ. After receiving the partially decrypted ciphertext CT * , the DU recovers the random element R and the encapsulated key key used for generating symmetric session key as follows: Finally, DU outputs the recovered random element R * and encapsulated key key * .
(ii) DecVerif yðpp, C, V m , key * , R * Þ. On input recovered encapsulated key key * and random element R * , the DU computes as follows: Then, the DU checks if the following equations hold, and it outputs M = D symm ðCT s , ssk * Þ, otherwise ⊥.

Security Analysis
In this section, we present a brief security analysis of our proposed EMA-LUPHDS scheme concerning the design goals mentioned in Section 4.2.
Theorem 1. The proposed scheme satisfies the properties of correctness.
Proof. We can prove the correctness of outsourced decryption in our scheme by the following equation: ☐ Theorem 2. The proposed scheme satisfies the properties of data confidentiality.
Proof. In our scheme, the data is first encrypted using a symmetric encryption algorithm, and the key is encapsulated by access policy. As for the data confidentiality, the symmetric encryption algorithm, such as AES, can guarantee the feature. With respect to the fine-grained data access control, for the transformation public key tpk of a unauthorized DU whose attribute set does not satisfy the access policy, CSP cannot get an authorized index set I s ′ so as to calculate the correct constants fω x g to make the equation ∑ x∈I s ′ ω x A x = s holds. Thus, the CSP will fail to return a correct par-tially decrypted ciphertext, and the DU also cannot obtain the encapsulated symmetric key to further get the plaintext of data. Moreover, in outsourced decryption, the CSP also cannot get the symmetric key from partially decrypted ciphertext to recover plaintext of data because it cannot get the transformation secret key tsk of the DU to further decrypt the partially decrypted ciphertext. Furthermore, the secret key of each DU is embedded with his unique global identity, and the transformation public key of each DU is also confused with his unique transformation secret key tsk which is secret by the DU himself, and any two or more DUs have no way to collude for data access. ☐ Theorem 3. The proposed scheme satisfies the properties of access policy hiding.
Proof. In our scheme, when the DO encrypts the symmetric key used in symmetric encryption based on a designated access policy, he first transforms each attribute in access policy according to the one-way anonymous key agreement protocol in [52] by computing m x =êððg t i Þ a , H 0 ðρðxÞÞÞ for each row x of access policy, where a is a random number. Then, DO replaces each attribute in access policy by m x , which can obfuscate each attribute ρðxÞ in access policy. In decryption phase, the DU cannot compute m x only if he has the key component H 0 ðρðxÞÞ t i . Otherwise, DU cannot distinguish m x from x. Therefore, malicious DU cannot infer the access policy, and thus, the attribute information in access policy is protected. ☐ Theorem 4. The proposed scheme satisfies the properties of collusion resistance.
Proof. The malicious users may collude to combine their secret keys and transformation keys to access the shared data which they cannot access individually. In our scheme, different attribute authority generates secret keys for different users, and the secret keys are associated with users' GID, specific attribute set and random, which are uniquely related to each user and make the combination of attributes in different secret keys useless. As a result, collusive users cannot compute key * =êðg, gÞ ∑ i∈I AA α i s cooperatively in the outsourced decryption even if the combined attributes of these users satisfy the access policy. Thus, our scheme is collision-resistant. ☐ Theorem 5. The proposed scheme satisfies the properties of verifiability.
Proof. Suppose that KDF is secure and H, H 2 , and H 3 are three collision-resistant hash functions. Thus, the output of KDF is indistinguishable from a random string. In the encryption phase of our scheme, KDFðkey, LÞ = sskkd and C = g HðsskÞ 1 g HðdÞ 2 .
As it is difficult to distinguish the output of KDF from a random string and H is a deterministic collision-resisstant hash function, the untrusted CSP has no way to guess the random HðdÞ, HðsskÞ and thus fails to tamper the Pedersen commitment C which is 9 Wireless Communications and Mobile Computing computationally hiding. Moreover, since H 2 and H 3 are two collision-resistant functions, it is hard to guess a random R * to construct H 3 ðR * kCT s Þ = H 3 ðRkCT s Þ, which is in negligible probability. Therefore, the validity of key and ciphertexts CT s can be guaranteed. ☐ Theorem 6. The proposed scheme satisfies the properties of exculpability.
Proof. Suppose that KDF is secure and H is a deterministic collision-resistant hash functions. Thus, the output of KDF is indistinguishable from a random string. If a malicious DU with transformation secret key tsk wants to accuse CSP of returning incorrect results, he has to have the ability of forging a fake transformation secret key tsk * that can generate the same commitment. Suppose that g 1 = g φ , g 2 = g ψ and the malicious DU constructs KDFðkey, LÞ = sskkd and KDFðkey * , LÞ = ssk * kd * , where key and key * are partially decrypted results with tsk and tsk * , respectively. The commitment must be equal, that is, g . Then, the malicious DU can get φ = ψðHðd * Þ − Hðd ÞÞ/HðsskÞ − Hðssk * Þ, which means that the malicious DU can solve DL problem. However, it is of negligible probability according to DL assumption. Therefore, our scheme is exculpable for decryption. ☐

Performance Evaluation
This section evaluates the performance by comparing our EMA-LUPHDS scheme with several existing schemes in efficiency aspects. We give the comparison in computation and space complexity in theoretical aspects between our scheme and the schemes in [6,7]. Furthermore, we focus on experiment implementation to precisely evaluate the efficiency of EMA-LUPHDS. By comparing with several excellent similar schemes, we demonstrate that our scheme is more efficient and practicable for data sharing in MCC.

Theoretical Analysis.
We thoroughly analyzes the computation and space complexity by comparing our EMA-LUPHDS and other schemes [2,6,7] in detail from the aspects of public parameter size (pp size), user key size (UKey size), transformation key size (TKey size), ciphertext size (ciphertext size), encryption cost, user decryption cost, and outsourced decryption cost (out decryption cost), as the former four metrics measure the space complexity of each scheme and the remains are used to evaluate the computation cost in execution of each scheme. The comparison result is summarized in Table 2.
Here, we first stipulate some denotions in the theoretical analysis. E G , E G T denotes the exponentiation operations in G, G T , M G , M G T denotes the multiplication operations in G , G T , P denotes the pairing operationê, H denotes the computation cost of a hash function and Enc sym , Dec sym denotes the computation costs of symmetric encryption and decryption. In addition, l denotes the number of attributes in access structure, |S | denotes the number of attributes owned by DU, jGj, jG T j denotes the length of elements in group G, G T , |A | denotes the number of attributes managed by each authority, |V | denotes the length of verification code, and |CT sym | denotes the length of symmetric encrypted ciphertext.
In Table 2, we first analyze the space complexity comparison. First of all, the pp size of schemes in [2,6,7] are | G | +1 + ð2 + jG T j + jGjÞjAj, |A | ðjGj + 1Þ + jG T j + 1, and jGj + jG T j + 2 + ð3 + jG T j + jGjÞjAj, respectively. We note that these sizes are all growing with the increase of access policy number. However, the pp size in our scheme is 3 | G | +4, which shows that our scheme can support large attribute universe because the public parameter size is constant and very small. Moreover, the transformation key sizes of the four schemes are jGjð2 + jSjÞ, 2jGjðjSj + 1Þ, 2jGjðjSj + 3/2Þ + 1, and 2jGjðjSj + 1Þ + 1, respectively. This means that the transformation key sizes in four related schemes are of the same case. Furthermore, we analyze the ciphertext size. In schemes [2,7], the ciphertext sizes are ð3jGj + 4Þl + jGj + j G T j and jG T j + jVj + jGj + ð3jGj + jG T jÞl, while the sizes in our scheme and the scheme [6] are 2jGjð1 + 2lÞ + jCT sym j + jVj + jG T j and jGjð3l + 1Þ + jG T j + jVj + jCT sym j. We note that the former two schemes support smaller ciphertext. However, as the latter two schemes are suitable for scalable plaintext encryption, the ciphertext size may be larger. Later, we will analyze the experiment result and use the base ciphertext size to compare the practical result.
Then, we analyze the computation complexity comparison. First, as for encryption time, the complexity in scheme is [2] while in our scheme and the schemes [6,7] are ð5E G + 2M G Þl + E G + P + M G T + H + Enc sym , 2M G T + H + E G + ð5 E G + 2M G + E G T Þl, and E G + M G T + ð6E G + 2M G Þl + Enc sym + H. We can infer that the computation complexity in [2] is a little less while the other three schemes cost more. Moreover, the user decryption in schemes [2,7] is E G T + M G T and E G T + M G T + H, while the schemes in [6] and our scheme cost E G T + M G T + Dec sym + 2H and E G T + M G T + Dec sym + 2 H + 2E G + M G . We note that the latter two schemes cost more than the former two schems because the latter two schemes support large plaintext encryption and decryption, which means that the user needs to decrypt the symmetric ciphertext after obtaining encapsulated symmetric key. In our scheme, we need more computation for commitment recover and add more computation overhead. Furthermore, as for out decryption, we infer from Table 2 that the four schemes outsource similar workload to third party.
In conclusion, we know that although in our scheme, the transformation key is a little larger than other schemes in Table 2, and it has far smaller public parameters in constant size. Also, our scheme supports scalable ciphertext though it may take up a lot of space. As our scheme supports flexible functions, to increase the efficiency, we also introduce online/offline and outsourced computing techniques. We note that from Table 2, the computation cost in encryption and user decryption of our scheme is greatly reduced and approaches other schemes in Table 2. In general, our scheme can achieve more reasonable computation complexity compared with other relevant schemes in theoretical analysis.

Experimental Analysis.
To precisely evaluate the performance of EMA-LUPHDS, we implement our scheme and the schemes in [6,7] and compare their actual computation and space cost with EMA-LUPHDS, and the result of which is summarized in Figures 3 and 4.
We implement and develop these schemes using Java Programming Language with the Java Pairing-Based Cryptography library (JPBC) [53] for various operations in finite field and groups. Type A pairing is adopted in our implementations which is defined over a 160-bit elliptic curve group over 512-bit finite field, that is, the supersingular elliptic curve EðF p Þ: y 2 = x 3 + x with embedding degree 2, where p is a 512-bit Solinas prime. Moreover, our simulation experiments are run on Windows10 system with Intel Core i5 CPU 2.13 GHz and 8.00 GB RAM. In addition, we use SHA256 algorithm to generate the V m for correctness verification of ciphertext in our experiments. Figure 3 shows the computation comparison from the point of the time cost in encryption, outsourced decryp-tion, and user decryption. We note that in Figure 3(a), our scheme performs approximate to that of schemes in [6] and is superior to the scheme in [7] in encryption. From Figure 3(b), we know that the computation cost of outsourced decryption for our scheme is a little larger than that of [6] and nearly the same as that of [7]. Figures 3(c) and 3(d) present the computation cost of Pedersen commitment for supporting exculpability. We note that in Figure 3(d), the three schemes perform similarly, and in Figure 3(c), the computation cost of our scheme is larger than the other two schemes, which shows the trade-off between the function of exculpability and efficiency cost.
From Figure 4, we note that the storage complexity of our scheme is approximate to that in [6,7] while takes only constant-sized public parameters that are far smaller than that in [6,7]. We can infer from Figure 4(a) that the size of public parameters in our scheme is very small and constant. Thus, in Figure 4(b), the public parameter size of our scheme is nearly invisible. In Figure 4(c), we  know that the three schemes take up similar size in transformation key. Figure 4(d) shows that our scheme takes up a little larger space for ciphertext as we support exculpability and flexible policy hiding. We also note that the ciphertext size is approximate to that of the scheme in [7] which is not flexible as our scheme. And both the scheme in and our scheme can support scalable ciphertext, which means that the user does not need to map plaintext to the bilinear group.
It is obvious that the results of our experiment simulation indicate that our scheme is flexible and versatile. It is also efficient in encryption cost, user decryption cost, and out decryption cost and has far smaller and constant public parameter size. Therefore, we argue that EMA-LUPHDS proposed in our work is more suitable for resourceconstraint mobile devices in MCC system.

Conclusion
In this paper, we propose an Efficient and Multiauthority Large Universe Policy-Hiding Data Sharing (EMA-LUPHDS) scheme to achieve key escrow resistance, expressive access policies without user privacy leakage, and high efficiency for data sharing of MCC with resource-limited mobile devices. In our proposal, we adopt fully hidden strategy to protect sensitive information about attributes of users and access policy. To achieve high efficiency, we introduce outsourced decryption to reduce the computational cost and the online/offline technique to trade off the overhead in encryption operation. In addition, we add into the ciphertext with verification code and Pedersen commitment to ensure the correctness of the partially decrypted result got from misbehaving CSP and the exculpability for CSP

13
Wireless Communications and Mobile Computing accused by DU maliciously. Moreover, the security analysis and thorough performance evaluation show that our proposal is practicable for resource-restraint mobile devices in the MCC system.
In our future work, we would dedicate into the efficient attribute and user revocation in data sharing scheme for mobile cloud environment.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that they have no conflicts of interest.