Practical Multiauthority Attribute-Based Access Control for Edge-Cloud-Aided Internet of Things

With the assistance of edge computing which reduces the heavy burden of the cloud center server by using the network edge servers, the Internet of +ings (IoTs) architectures enable low latency for real-time devices and applications. However, there still exist security challenges on data access control for the IoT. Multiauthority attribute-based encryption (MA-ABE) is a promising technique to achieve access control over encrypted data in cross-domain applications. Based on the characteristics and technical requirements of the IoT, we propose an efficient fine-grained revocable large universe multiauthority access control scheme. In the proposed scheme, the most expensive encryption operations have been executed in the user’s initialization phase by adding a reusable ciphertext pool besides splitting the encryption algorithm to online encryption and offline encryption. Massive decryption operations are outsourced to the near-edge servers for reducing the computation overhead of decryption. An efficient revocation mechanism is designed to change users’ access privileges dynamically. Moreover, the scheme supports ciphertext verification. Only valid ciphertext can be stored and transmitted, which saves system resources. With the help of the chameleon hash function, the proposed scheme is proven CCA2-secure under the q-DPBDHE2 assumption.+e performance analysis results indicate that the proposed scheme is efficient and suitable in edge computing for the IoT.


Introduction
With the development of the 5G network and the Internet of ings (IoTs) technology, more and more objects are connected to the network via information sensing devices which generate a huge amount of data [1,2]. Cisco predicted that the total amount of data created (and not necessarily stored) by any device will reach 847 ZB per year by 2021 [3].
In traditional cloud computing modes, these massive data are all sent to the cloud for storing and processing, which consumes a large amount of network bandwidth and computing resources. Moreover, massive access requests from users may lead to service interruption and generate traffic overload or even network delay, etc. As a result, the edge computing model is proposed to offload computing tasks to edge servers [4][5][6][7][8][9].
In an edge computing model, the network edge servers near the data source will preliminarily handle the data and tasks and serves the adjacent devices in time. en, it selectively sends the important data to the core network (cloud). Consequently, the edge servers reduce the load of cloud centers and ensure efficient network operation for improved services.
However, edge computing is facing some new challenging issues [4][5][6][7][8][9]. On the one hand, the users' data are mostly privacy-sensitive. A good way to ensure data security and privacy protection is that the data are encrypted before being outsourced and only allow authorized users to access it. On the other hand, users frequently enter and leave the network, and their access privileges change dynamically, which makes the access control of users' data complex and dynamic. Unfortunately, it is difficult for traditional access control technology to deal with the above problems in such a complex edge computing environment. erefore, an efficient lightweight data encryption mechanism with finegrained access control is indispensable for the IoT.
Attribute-based encryption (ABE) is a promising technique (cryptosystem) for protecting data confidentiality and dynamic fine-grained authorized access control through the attribute management, with which the data owners can encrypt data files according to the attribute of the target recipients without knowing their exact identities.
In 2005, Sahai and Waters introduced fuzzy identitybased encryption (FIBE) which can be applied to enable encryption using error-tolerance biometric inputs as identities. Moreover, FIBE is extended into attribute-based encryption (ABE) by defining the biometric identity as a set of attributes [10]. In 2006, Goyal et al. distinguished ABE into key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE) [11]. In KP-ABE, secret keys are associated with access policies, and ciphertexts are associated with attributes, while in CP-ABE, the ciphertexts are associated with access policies, and secret keys are associated with attributes. Decryption is enabled if and only if the user's attribute set satisfies the ciphertext access structure. Goyal et al. gave a secure construction of KP-ABE [11], and Bethencourt et al. presented a secure CP-ABE construction against collusion attacks in the generic group model [12]. In 2008, Goyal et al. presented the first construction of a ciphertext-policy attribute-based encryption scheme with a security proof based on a numbertheoretic assumption [13]. In 2011, Waters presented the first CP-ABE construction which is proven selectively secure under the decisional parallel bilinear Diffie-Hellman exponent (PBDHE) assumption in the standard model. In 2013, Rouselakis and Waters proposed two large universe attribute-based encryption constructions (CP-ABE and KP-ABE) on prime-order bilinear groups. Both schemes are selectively secure in the standard model under two "q-type" assumptions [14]. However, all these schemes are singleauthority ABE.

Issues and Related Work.
Attribute-based access control in the IoT should efficiently address some practical issues in the following details.
Firstly, the massive data produced in the IoT are used in large-scale cross-domain applications. Multipart collaborative (MPC) is one of the motivating scenarios, where data owners want to share their data across different domains and organizations. To illustrate, in a multiexpert cooperative diagnosis system, a patient Alice may need to share her medical data generated by medical wearing equipment with different experts in different affiliations. She defines the access policy as "surgeon@hospital A" or "surgeon@hospital B and medical researcher@research center C," where the attributes "surgeon@hospital A," "surgeon@hospital B," and "medical researcher@research center C" are issued by "hospital A," "hospital B," and "research center C," respectively. In this scenario, three authorities, "hospital A," "hospital B," and "research center C," are needed.
Meanwhile, in ABE schemes, if the system attribute universe is "small," the attributes are fixed and enumerated at system setup, which is not practical in the IoT. Conversely, in "large universe" construction, any string can be used as an attribute, and the attributes are not necessarily enumerated at system setup, which is more flexible and practical for the IoT.
To deal with the scenario that the users' attributes are issued by different authorities in the same system, Chase proposed multiauthority attribute-based encryption, which is the first construction to support multiple attribute authorities in 2007 [15]. In 2009, Chase and Chow proposed a solution that removes the trusted central authority and protects the users' privacy by preventing the authorities from pooling their information on particular users [16]. In 2011, Lewko and Waters proposed the first fully secure multiauthority ciphertext-policy attribute-based encryption system which does not require any central authority and collision resistance. ey proved their system secure using the dual system encryption methodology in the random oracle model [17]. In 2011, Liu et al. proposed a new multiauthority CP-ABE system which is adaptively secure in the standard model with adaptive authority corruption and can support the large attribute universe [18]. In 2015, Rouselakis and Waters proposed an efficient large-universe multiauthority ciphertext-policy attribute-based encryption system, which uses the significantly faster prime-order bilinear groups rather than composite order groups [19].
Secondly, in the IoT, data users may change their subscription or leave the system, which results in losing part of the access privileges or all the access privileges. To protect the interests of the data owners, an efficient and secure revocation mechanism must be designed. In the above example, an expert Bower with the attribute set "surgeon@ hospital B, medical researcher@research center C" departures from research center C, then he loses the privilege to access Alice's encrypted data. To avoid Alice's privacy disclosure, the authority "research center C" should revoke Bower's attribute "medical researcher@research center C." Similarly, when Bower departures from the multiexpert cooperative diagnosis system, Bower should be revoked from the system. When the attribute "medical researcher@ research center C" is dropped by the authority "research center C," it also should be revoked.
To solve the security problems brought by the dynamic change in users' access privilege, researchers have come up with revocable ABE. In 2008, Boldyreva et al. firstly proposed an ABE scheme with indirect user revocation. e sender encrypts with the present time slot regarded as an attribute. e authority who possesses the current revocation list, periodically announces the key update material so that only unrevoked users can update their key and decrypt ciphertexts [20]. In 2009, Attrapadung and Imai proposed an ABE system with direct user revocation. It allows senders to specify the revocation list directly when encrypting [21]. e authority does not need to update the secret key concerning the revoked attribute for each nonrevoked user. But it should publish a revocation list and the data users are required to synchronize this revocation list all the time, which makes it not suitable for large-scale systems. It still faces a backward security problem that the revoked users can access the old data they were authorized to access before being revoked. In 2009, Attrapadung and Imai presented the first hybrid revocable ABE scheme that allows senders to select on-thefly whether to use either direct or indirect revocation mode when encrypting [22]. In 2011, based on the subset-cover revocation framework [23], Hur et al. proposed an access control mechanism using CP-ABE to enforce access control policies with efficient attribute and user revocation capability [24]. In 2012, Sahai et al. introduced the concept of revocable storage and proposed the revocable ABE by updating keys and CSP by updating ciphertext without accessing any secret information, and the updated ciphertexts are no longer decryptable by revoked users, but the schemes are inefficient [25]. In 2013, Yang et al. constructed a new multiauthority CP-ABE scheme and designed an attribute revocation method that can achieve both forward security and backward security, which is secure under weaker security assumptions [26]. However, the scheme only supports the small attribute universe. In 2017, Li et al. provided a CP-ABE scheme with efficient user revocation by introducing the concept of user group [27].
irdly, in ABE, bilinear pairing operation is an expensive computation cost, and its number increases along with the number of attributes involved in the access structure. e drawback of high computation overhead in the ABE schemes with multifunction becomes more serious for resource-constrained users such as mobile devices, sensors, and medical wearing equipment [28]. To save energy for the resource-constrained users and ensure the rapid generation and acquisition of the data, some technologies should be used to reduce the computational overhead both in the encryption phase and the decryption phase.
For eliminating the overhead of decryption for users, Matthew Green et al. [29] gave the methods for efficiently and securely outsourcing decryption which offloads most decryption operations to a third-part server provider and returns a partial decryption ciphertext. e user performs only a little time of exponential operation to recover the plaintext. In 2013, Lai et al. firstly constructed a concrete ABE scheme with verifiable outsourced decryption which allows for verifiability of the partial decryption ciphertext [30]. Li et al. proposed a new secure outsourced ABE system, which supports both secure outsourced key-issuing and decryption with checkability of the outsourced computation results in an efficient way [31]. ere are also some works to make verifiable outsourced decryption more efficiently and securely in ABE [32][33][34].
Meanwhile, for saving online computation, Hohenberger and Waters proposed the first online/offline ABE [35] which splits the encryption into two phases: the data owner does as much precomputation as possible to encrypt a message or create a secret key in the offline phase and rapidly assembles a ciphertext or key in the online phase. It is a promising technique for resource-limited devices. In 2018, Li et al. proposed a new scheme that eliminates a majority of the encryption computation task by adding system public parameters [36].
Last but not the least, it may be that the data owner device makes an error to generate the wrong ciphertext, or the malicious user generates many wrong ciphertexts to attack the system. ese wrong ciphertext not only waste system resources but also waste user resources. For example, it wastes data user resources to decrypt the error ciphertext which returns an error result even though his attributes satisfy the access structure. A ciphertext verification algorithm should be used to eliminate invalid ciphertexts as much as possible. In 2014, Liu et al. proposed a KP-ABE scheme with the public ciphertext test, but the verify equations grow linearly with the number of the attributes involved in the access structure, which requires high computation overhead [37].

Motivation and Contributions.
Recently, there have been many researchers who proposed the multifunctional MA-ABE system trying to meet the above needs, but no one solving all the issues simultaneously. In 2017, De and Ruj proposed a decentralized attribute-based encryption scheme with online/offline encryption, outsourced decryption, and user revocation, but their scheme only supports the small universe [38]. In 2018, Liu et al. designed an MA-ABE scheme that simultaneously supports the large attribute universe, outsourcing decryption, and attribute revocation, but their scheme is statically secure, without online/offline encryption and ciphertext publicly verifiable [39]. In 2019, Li et al. constructed a CCA2-secure publicly verifiable revocable large-universe multiauthority attribute-based encryption, but their scheme does not support online/offline encryption and outsourcing decryption [40]. In their scheme, the verify equations grow linearly with the number of the attributes involved in the access structure, which require high computation overhead. Moreover, if the user's some attributes involved in the ciphertext are revoked, she/ he will fail to verify the validity of the ciphertext even though her/his rest attributes still have the access privilege to the ciphertext.
As we revisited the existing ABE schemes, no one simultaneously solves all the practical issues. Most of them only concentrate on solving one specific issue. A few schemes try to solve some issues but cause new problems. erefore, we designed an efficient, CCA2-secure, flexible, fine-grained access control scheme for the IoT using edge computing, which can solve the above issues efficiently. e proposed scheme meets the need of the large-scale multidomain collaboration in the IoT by using multiauthority attribute-based encryption with the large attribute universe. More contributions are as follows: (1) By adding a reusable ciphertext pool, the most expensive encryption operations have been executed in the user's initialization phase, which minimizes the offline/online encryption computation. At the same time, the near-edge servers can perform the major decryption with the help of transformed keys given by the data user. As a result, the computation overhead of encryption and decryption is substantially reduced both on the data owner and user sides, Security and Communication Networks 3 so the scheme is suitable for the resource-constrained users in the IoT. (2) e proposed scheme designs a fine-grained revocation mechanism to revoke an attribute from the user, by which the user or the attribute can be revoked from the system. So, it can change the user's access privilege timely and is fit for the dynamic IoT. (3) e scheme supports efficient ciphertext verification, and only valid ciphertext can be stored and transmitted, which saves the system resources. For reducing the computation overhead, we combine all the verify equations into one equation like a "hash function" which reduces expensive pairing operation. Moreover, the user can verify the validity of the ciphertext even though some attributes involved in the ciphertext are revoked, only if the rest of her/his attributes still have the access privilege to the ciphertext. (4) With the help of the chameleon hash function, the simulator successfully prepares the challenge ciphertext with the dummy attribute in the security proof. Consequently, the proposed scheme is proven CCA2-secure under the q-DPBDHE2 assumption, which is more secure than the previous scheme. e performance analysis results indicate that the proposed scheme is efficient and suitable in edge computing for the IoT.

Notations.
In order to facilitate the understanding, we explain some notations used throughout this article in Table 1.

Bilinear Pairings and Complexity Assumption
Definition 1 (bilinear pairings). Let G and G T be the cyclic multiplicative groups with prime order p. e identities of G and G T are denoted as 1 G and 1 G T , respectively. We say a map e: G × G ⟶ G T is a bilinear pairing if it satisfies the following properties: (1) Bilinear.
Definition 2 (q-DPBDHE2 problem [41]). Let G and G T be the bilinear groups with prime order p and g be a generator of G. e: G × G ⟶ G T is a bilinear map defined on G. Pick s, a, b 1 , b 2 , . . . , b q ← R Z p and R← R G T . Given D � G, p, e, g, g s , g a i , g a i b j , g s/b j , and the algorithm is asked to distinguish (D, e(g, g) sa q+1 ) from (D, R).
Definition 3 (q-DPBDHE2 assumption [41]). e q-DPBDHE2 assumption holds in G if no probabilistic polynomial time algorithm has probability at least (1/2) + ε in solving the q-DPBDHE2 problem in G for nonnegligible ε.

Access Structures and Linear Secret-Sharing Schemes
Definition 4 (access structure [42]). Let P � P 1 , P 2 , . . . , P n be a set of parties. A collection A⊆2 P is monotone if ∀B, C: if B ∈ A and B⊆C then C ∈ A. An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) A of nonempty subsets of P, i.e., A ∈ 2 P \ ∅ { }. e sets in A are called the authorized sets, and the sets not in A are called the unauthorized sets.
In the attribute-based encryption scheme, the parties are replaced by the attributes. An access structure A will contain some authorized sets of attributes. Similarly, we restrict our attention to monotone access structures. From now on, by an access structure, we mean a monotone access structure.
Definition 5 (linear secret-sharing schemes (LSSS)) [42]). Let p be a prime and U the attribute universe. A secretsharing scheme π with domain of secrets Z p realizing access structures on U is linear over Z p if the following holds: (1) e shares of a secret s ∈ Z p for each attribute form a vector over Z p . (2) For each access structure A on U, there exists a matrix M ∈ Z l×n p , called the share-generating matrix, and a function ρ that labels the rows of M with attributes from U, i.e., ρ: [l] ⟶ U, which satisfies the following: during the generation of the shares, we consider the column vector v → � (s, where r 2 , . . . , r n ← $ . en, the vector of l shares of the "belongs" to attribute ρ(j). We will be referring to the pair (M, ρ) as the policy of the access structure A.

Chameleon Hash Functions.
A chameleon hash function consists of three polynomial time algorithms as follows [43]: KeyGen(1 λ ) ⟶ (SK ch , PK ch ): it takes the security parameter λ as input and outputs a secret key SK ch and the corresponding public key PK ch .
H ch (PK ch , m, r ch ) ⟶ v: it takes in the public key PK ch , a message m, and an auxiliary parameter r ch and then outputs the hashed value v. TCollision ch (SK ch , m, r ch , m ′ ) ⟶ r ch ′ : it takes as inputs the secret key SK ch , a message m with its auxiliary parameter r ch , and another m ′ � m and outputs another auxiliary parameter A secure chameleon hash function satisfies the requirements of collision resistance and uniformity. All messages m induce the same probability distribution on H ch (PK ch , m, r ch ) for r ch chosen uniformly at random. ere is no efficient algorithm that takes as input the Chameleon hash public key PK ch to find two pairs (m, Only the one who knows the chameleon hash secret key can find collision for every given input efficiently.

Subset-Cover Revocation
Framework. Naor et al. proposed the subset-cover revocation framework [23] and described two algorithms: the complete subtree method and the subset difference method. We can realize the revocation in ABE based on the complete subtree method.
As shown in Figure 1, firstly, it establishes a binary state tree BT. Each user is assigned as a leaf node u. Let v i denote a node and v il (v ir ) denote the left (right) child of v i . P(v i ) records all the nodes which are on the path from v i to the root. If a user v i is revoked, v i will be added into the revocation list RL. MinSubCover(BT, RL) is an algorithm to generate the minimum subset cover whose descendant nodes cover all the unrevoked users (Algorithm 1).
As shown in Figure 1, there are eight users u 1 , u 2 , u 3 , u 4 , u 5 , u 6 , u 7 , u 8 . If the user u 2 is revoked, N 9 would be added into RL � N 9 , and the MinSubCover (BT, RL) outputs N 3 , N 5 , N 8 . Figure 2, our efficient CCA2-secure flexible fine-grained access control for the IoT by using edge computing consists of the following entities:

System Model. As shown in
Central authority (CA): CA is a trusted entity that initializes the system by setting up the global public parameters. Moreover, it is responsible for the registration of users and authorized attribute authorities. CA assigns each user a unique identity UID, and each attribute authority is a unique identity AID.
Attribute authority (AA): AA is a trusted entity that manages the users' attributes. Each AA is an independent attribute authority and manages a disjoint attribute set, respectively, which means that each Set of matrices of size m × n with elements in Z p AID/UID Attribute authority global identity/User global identity U/U AA System attribute/authority universe MK System master key GP Global public parameter H/F Function maps each UID/attribute to an element of G T Function maps each attribute to the unique attribute authority who controls it SK AID /PK AID Secret key/public key for authority AID SK UID,a /P UID,a Private key/path key of attribute a for user UID CPool UID Immediate ciphertext pool of user UID CT off /CT on Offline/online ciphertext CT Original ciphertext generated by the data owner CT CSP Ciphertext generated after ESP re-encrypts CT by using the latest attribute key S UID Attribute set of user UID AT a Binary state tree of attribute a AK a Attribute key of attribute a RL a Revocation list of attribute a UpAK a Update key of attribute a TK UID Transformation key for user UID RK UID,a Retrieving key of attribute a for user UID CT out Partial decrypted ciphertext generated by ESP Figure 1: Binary state tree BT. attribute is associated with a single AA. Each AA issues its public key, authenticates users' attribute sets, and generates the corresponding private keys for them. It also can revoke and update users' attributes by using attribute keys. Cloud service provider (CSP): CSP is semitrusted (honest-but-curious). It will honestly and correctly execute the tasks but be curious about the data messages which it receives. CSP will not conclude with the malicious users. It stores the valid ciphertexts which are sent from ESP. Edge service provider (ESP): ESP is semitrusted (honestbut-curious) and will not conclude with the malicious users. It has both computing capability and large storage. It is geographically close to the users (data owners and data users). ESP receives the ciphertext from users and re-encrypts the valid ciphertext by using attribute keys after verifying the validity of ciphertext and then sends the legal data to CSP for permanent storage. It is also in charge of re-encrypting and updating the ciphertext when a revocation happens. Furthermore, it provides partial decryption of ciphertext for some resourcelimited users if they require it. Data owner (DO): to ensure data confidentiality and achieve flexible access to data, DO has two methods to encrypt data before uploading data to ESP. One is DO directly encrypting the data file under an access policy about who can get access to the data. e other is DO firstly encrypting the data file using a symmetric encryption algorithm which is a lightweight encryption method and then encrypting the symmetric key under the access policy. Data user (DU): each DU is assigned a global user identity UID by CA. DU obtains a set of attributes privileges and corresponding decryption private keys from authorities. DU can freely get any encrypted data from ESP and decrypt the ciphertext if and only if his/her attribute set satisfies the access policy. Moreover, some resource-limited users can outsource decryption to ESP.

Framework.
is system mainly contains the following polynomial time algorithms: GlobalSetup(1 λ ) ⟶ (MK, GP): the global set up algorithm is run by CA to set up the system. It takes the system security parameter λ as input and outputs the system master key MK and the global public parameters GP. AASetup(GP, AID) ⟶ (PK AID , SK AID ): the attribute authority set up algorithm is run by attribute authorities. It takes the authority's identity AID as input and sets up the authority's public key and secret key. e authority keeps the secret key SK AID and publishes the public key PK AID . UKeyGen(UID, AID, a ∈ U) ⟶ SK UID,a : the user key generation algorithm is run by the authority AID. It takes the data user's identity UID, his attribute a, and the authority's secret key as input and outputs the private key SK UID,a � < K T(a),a,1 , K T(a),a,2 , P UID,a > for the user UID, where the path key P UID,a is generated by the attribute key generation algorithm. AttrKeyGen(UID, AID, a ∈ U) ⟶ P UID,a : the attribute key generation algorithm is run by the authority AID. Firstly, if the binary state tree AT a has not been set up, it establishes an AT a and initializes a revocation list RL a � ∅, then chooses a random number AK a ∈ Z * p as the attribute key. Each user with the attribute a is assigned as a leaf node, and it increases the height with users increasing. For each node N i in the tree, it randomly picks NK a,i ∈ Z * p . Path(UID, a) denotes the path of the user UID from its leaf node to the root node, then P UID,a � NK a,i i∈Path(UID,a) is the path key for the user UID which is the key used to recover AK a . Finally, it sends P UID,a to the user and then publishes AK a · NK a,i i∈MinSubCover(AT a ,RL a ) and shares (AT a , AK a ) with ESP and CSP. CPoolGen(UID, GP, PK AID AID∈U AA ) ⟶ CPool UID : the ciphertext pool generation algorithm is run by data owners. It takes the data owner's identity UID, the global public parameters GP, the authorities' public keys PK AID AID∈U AA as input and chooses an integer N to determine the size of the attributes will be associated with any ciphertext and then outputs the immediate ciphertext pool CPool UID . CPool UID is saved in the encryption algorithm and can be reused. Moreover, it can be updated by the user UID whenever a new attribute authority joins the system or the data owner increases the size of attributes for improving the expressiveness. Enoff(GP) ⟶ CToff: the offline encryption algorithm is run by data owners. It takes the global public parameters GP as input and outputs the offline ciphertext CToff. Enon(m, (M, ρ), GP, CPool UID , CToff) ⟶ CT: the online encryption algorithm is run by data owners. It takes a plaintext message m, an access structure (M, ρ), the global public parameters GP, the immediate ciphertext pool CPool UID , and an offline ciphertext CToff as input and outputs the ciphertext CT. PublicTest( GP, PK AID AID∈δ( I ) , CT, I ) ⟶ True/ False: the public test algorithm can be run by any role in the system if she/he feels she/he needs it. It takes the global public parameters GP, part of ciphertext which is to be tested, the authorities' public keys PK AID AID∈δ(I) as input, and outputs True if the ciphertext is valid. CReEnc( CT, AK ρ( i ) ) ⟶ CT CSP : the algorithm is run by ESP. It firstly verifies the validity of the ciphertext by the algorithm PublicTest (GP, PK AID , CT, I), where I � [l]. If the public test algorithm outputs True, it re-encrypts the ciphertext CT by using the latest attribute keys AK ρ(i) and outputs the new ciphertext CT CSP . At last, ESP sends the ciphertext CT CSP to CSP and drops the original ciphertext CT. Decrypt ( CT CSP , UID, GP, AK ρ( i ) , SK UID,a a∈S UID ) ⟶ m: the decryption algorithm is run by the data user UID with a set of attributes S UID which wants to decrypt the ciphertext CT CSP . If S UID ⊭(M, ρ), the algorithm outputs ⊥. Otherwise, it outputs the message m.
e data user can choose to outsource decryption if he owns limited resource or for saving resource. is feature is implemented in the following three algorithms: TKGen(CT CSP , UID, GP, AK ρ( i ) , SK UID,a ) ⟶ ( TK UID,a , CT): this algorithm is run by data users. It chooses a random numbers as the retrieving key RK UID , takes the unrevoked attributes private key AK ρ(i) , SK UID,a , and CT CSP as input, then outputs the transformation key TK UID,a and the primitive ciphertext CT. PartialDec( TK UID,a ∀a∈J , CT, GP, AK ρ( i ) } ) ⟶ CT out : this algorithm is run by ESP. It takes TK UID,a and CT as input and then outputs the partial decrypted ciphertext CT out to the user. FullDec(CT out , RK UID ) ⟶ m: this algorithm is run by data users. It works out the massage m by using CT out and RK UID .
Revoke (UID, a, RL a ) ⟶ UpAK a : this algorithm is run by attribute authorities. It takes the attribute a and the user UID as input then publishes AK a ′ · NK a,i i∈MinSubCover(AT a ,RL a ) and outputs the update key UpAK a for ESP and CSP to update the ciphertext and the attribute key, where AK a ′ is the new attribute key.
If T(a) wants to revoke the attribute a from the system, it only sets all the users who own a into RL a and run the above operation.
If the system wants to revoke the user UID from the system, it asks all the involved attribute authorities to revoke all the involved attributes from the user UID, by running the above operation.

Security Model.
In this section, our security model is similar to that in [40] which is named indistinguishability against selective authority and access policy and statically chosen-ciphertext attacks (IND-sAA-sCCA2). At the beginning of the security game, the adversary should claim the access policy which it will challenge, and it should also claim the corrupt authorities. e challenge message can be encrypted by some attributes from some of these corrupt authorities but should at least one attribute from an honest authority, which means that the ciphertext still cannot be attacked successfully if only part of the encrypted attributes is from corrupted authorities. e security game played between adversary A and challenger C is as follows: Init: adversary A selects a challenge access policy (A * , δ * ) and a set of corrupt authorities C AA and sends it to the challenger C. Global setup: the challenger C runs the GlobalSetup (1 λ ) algorithm to get a system master key MK and the global public parameters GP. It keeps MK and sends GP to A. Phase 1: the adversary A issues a polynomially bounded number of queries statically: Authority's public key queries: A submits a set of the noncorrupt authorities, and C replies to A with the corresponding public keys. A can create the public keys of the corrupt authorities by itself. User's secret key queries: A submits some users identity and a set of his all attributes S * , C gives A the secret keys. If S * satisfies (A * , δ * ), C revokes one of these attributes from all users. TransformKey queries: A submits some users with a set of his all attributes S * , where there is no sense querying the transformation key for the same user who has been queried the secret key. en, C gives A the transformation keys. CReEncryption queries: A submits some ciphertext, then C re-encrypts the ciphertext with the latest attribute keys and return them to A. Decryption queries: A submits a ciphertext and C returns the message if the ciphertext is legitimate. Revocation queries: A queries to revoke some users with a set of attributes. C runs the algorithm Revoke (UID i , u, RL u ) ⟶ UpAK u to get the update keys and then re-encryptes the ciphertext with the latest update keys.
Challenge: A submits to C two equal-length messages m 0 and m 1 . C firstly randomly flips coin b ∈ 0, 1 { } and encrypts m b with (A * , δ * ).
en, it re-encryptes the ciphertext by the latest attribute keys and sends to A. Phase 2: the same as Phase 1, except that A cannot make the secret key query for the selected access policy or make decryption query for the challenge ciphertext. Guess: A outputs a guess bit b ′ ∈ 0, 1 { } and wins the game if b ′ � b.

Definition 6.
e proposed scheme is indistinguishable against selective authority and access policy and statically chosen-ciphertext attacks if no probabilistic polynomial time adversary can break the above security game with a nonnegligible advantage.

Concrete Scheme
In this section, we present the concrete construction of our efficient CCA2-secure flexible fine-grained access control scheme for the IoT using edge computing based on primeorder bilinear groups which perform more efficiently than composite-order bilinear groups as follows: 8 Security and Communication Networks GlobalSetup(1 λ ) ⟶ (MK, GP): this algorithm is run by CA. It takes the system security parameter λ as input. It chooses two suitable multiplicative cyclic groups G and G T with large prime-order p ∈ Θ 2 λ . Let g be a generator of G and defines a bilinear map e: G × G ⟶ G T on G. e attribute universe is U � Z p . U AA denotes the set of all attribute authorities. Additionally, it chooses three functions H, F, and T. H maps user identities to elements of G. F maps attributes to elements of G. T maps each attribute to the unique attribute authority who controls it. It picks a secure chameleon hash function H ch : 0, 1 { } * ⟶ U and runs the KeyGen ch (1 λ ) algorithm to obtain a chameleon hash key pair (SK ch , PK ch ). Finally, it picks two random numbers α 0 , β 0 ∈ Z * p and computes e(g, g) α 0 and g β 0 . is algorithm outputs the system master key MK � < α 0 , β 0 , SK ch > and the global public parameters GP � < p, g, G, G T , e, e(g, g) α 0 , g β 0 , U, U AA , PK ch , H, F, T, H ch > . AASetup(GP, AID) ⟶ (PK AID , SK AID ): this algorithm is run by attribute authorities. For each authority AID ∈ U AA , it chooses two α AID , β AID ∈ Z * p as its secret key SK AID and publishes the public key: UKeyGen(UID, AID, a ∈ U) ⟶ SK UID,a : since the attribute a is managed by the authority T(a), then this algorithm is run by the authority T(a). Firstly, it chooses a random number t a ∈ Z * p . en, it computes

K T(a),a,1 � g α T(a) H(UID) β T(a) F(a) t a , K T(a),a,2 � g t a .
(3) e path key P UID,a is generated by the attribute key generation algorithm. AttrKeyGen(UID, AID, a ∈ U) ⟶ P UID,a : since the attribute a is managed by the authority T(a), this algorithm is run by the authority T(a). Firstly, if the binary state tree AT a has not been set up, it establishes an AT a , initializes a revocation list RL a � ∅, and then chooses a random number AK a ∈ Z * p as the attribute key. Each user with the attribute a is assigned as a leaf node, and it increases the height with users increasing. For each node N i in the tree, it randomly picks NK a,i ∈ Z * p . Path(UID, a) denotes the path of the user UID from its leaf node to the root node, and then, P UID,a � NK a,i i∈Path(UID,a) is the path key for the user UID which is used to recover AK a . Finally, it sends P UID,a to the user, publishes AK a · NK a,i i∈MinSubCover(AT a ,RL a ) , and then shares (AT a , AK a ) with CSP and ESP.
Finally, the private key of the attribute a for the data user UID is SK UID,a � < K T(a),a,1 , K T(a),a,2 , P UID,a > . (4) CPoolGen(UID, GP, PK AID AID∈U AA ) ⟶ CPool UID : this algorithm is run by data owners. e data owner UID chooses an integer N to determine the size of the attributes will be associated with any ciphertext. ∀j ∈ U AA , ∀i ∈ [N], the algorithm picks randomly numbers r i , x i , y i , ∈ Z * p , and computes then the immediate ciphertext pool for the data owner UID is Remark 1. CPool UID is generated when the data owner initializes her/his client. It is saved on the data owner's side and can be reused. Moreover, it can be updated by the data owner UID whenever a new attribute authority joins the system or the data owner increases the size of attributes for improving the expressiveness.
Remark 2. e offline ciphertext is used only one time. After it is used, the algorithm Enoff(GP) ⟶ CToff in the client Security and Communication Networks generates a new offline ciphertext for the next plaintext message.
Enon(m, (M, ρ), GP, CPool UID , CToff, PK AID ) ⟶ CT: this algorithm is run by data owners. It takes a plaintext message m, an access structure (M, ρ), and a set of authority public keys PK AID as input, where M ∈ Z l×n p and ρ is a map from each row M �→ i of M to an attribute ρ(i) ∈ U. Let δ be a function maps each row M �→ i to the authority who manages attribute ρ(i), i.e., δ(i) � T(ρ(i)). For encryption, the algorithm randomly picks numbers v 2 , . . . , v n , w 2 , . . . , , and w 0 � − n i�0 w i . en, the ciphertext is computed as follows: For i � 1, . . . , l, it randomly chooses immediate ciphertexts without repetition in IT δ(i) and an auxiliary parameter r ch ⟵ R Z p , then computes C 1,i � C 1,i ′ � e(g, g) x i e(g, g) α δ(i) r i , V � H ch PK ch , PK ch C 0 C 1,0 C 1,1 C 5,1 | · · · | C 1,l C 5,l , r ch , At last, the ciphertext is PublicTest(GP, PK AID , CT, I) ⟶ True/False: the public test algorithm can be run by any role in the system, if she/he feels she/he needs it. Suppose the components which to be tested is It firstly computes V′ � H ch PK ch , PK ch C 0 C 1,0 C 1,1 C 5,1 | · · · | C 1,l C 5,l , r ch , (14) and then If the above equation holds, it means that the ciphertext is legitimate. To be specific, it is encrypted exactly by the attribute set ρ(i) i∈I , and the legitimate private key set with respect to the attribute set ρ(i) i∈I can decrypt out the correct plaintext message when ρ(i) i∈I is an authorized set of (M, ρ). CReEnc( CT, AK ρ( i ) ) ⟶ CT CSP : this algorithm is run by ESP. After receiving the data owner's encrypted data, it first verifies the validity of the ciphertext by using the algorithm PublicTest (GP, PK AID , CT, I), where I � [l]. If the public-test algorithm outputs True, it re-encrypts the ciphertext by using the latest attribute keys as follows: CT CSP � (M, ρ), C 0 , C 1,0 , C 2,0 , C 3,0 , C 4,0 , Finally, ESP sends the ciphertext CT CSP to CSP. Decrypt( CT CSP , UID, GP, AK ρ( i ) , SK UID,a ) ⟶ m: this algorithm is run by data users. Suppose a user UID with a set of attributes S UID wants to decrypt the ciphertext CT CSP . If S UID ⊭(M, ρ), this algorithm outputs ⊥. Otherwise, it exist a subset ρ(i): i ∈ I ⊂ [l] of S UID satisfy the access policy (M, ρ). en, it calculates constants c i : i ∈ I such that i∈I c i M �→ i � (1, 0, . . . , 0). For each attribute ρ(i) ∈ ρ(i): i ∈ I , it recovers AK δ(i) by using the path keys and computes the original ciphertext CT � CT CSP except that (C 4,i ) � (C 4,i ) AK ρ(i) AK −1 ρ(i) for all i ∈ I. en, it can verify the validity of the ciphertext by the algorithm Pub-licTest(GP, PK AID , CT, I). If the public-test algorithm outputs True, it computes ∀i ∈ I, C 1,i e(g,g) C 5,i e( K δ( i ),ρ( i ),1 , C 2,i ) · e( H( UID ), C 3,i g C 6,i Finally, it sets CT out � (CT 1 , CT 2 ) and sends it to the data user. FullDec(CT out , RK UID ) ⟶ m: this algorithm is run by data users. It computes Revoke(UID, a, RL a ) ⟶ UpAK a : if the authority T(a) wants to revoke the attribute a from the data user UID, it adds UID into the revocation list RL a of the attribute a and chooses a new attribute key AK a ′ ← R Z * p . en, it sends the update keys to ESP and CSP and publishes AK a ′ · NK a,i i∈MinSubCover AT a ,RL a ( ) .
ESP or CSP updates the ciphertext related to a using UpAK a by calculating Security and Communication Networks and updates the attribute key by calculating If the authority T(a) wants to revoke the attribute a from the system, it only sets all the data users UID { } who own a into RL a and runs the above operation.
If the system wants to revoke the data user UID from the system, it asks all the involved attribute authorities to revoke all the involved attributes from the user UID, by running the above operation.

Security Analysis
In this section, we prove the proposed scheme is IND-sAA-sCCA2 secure.
Lemma 1 ("zero-out" Lemma [19]). Let (M * ∈ Z l×n * p , ρ) be a linear secret sharing schemes of an access policy and C ∈ [l] be a nonauthorized set of rows. Let c ∈ N be the dimension of the subspace spanned by the rows of C. en, the distribution of the shares λ * x x∈ [l] sharing the secret s ∈ Z p generated with the matrix M * is the same as the distribution of the share λ x x∈ [l] sharing the same secret s generated with some matrix e main security theorem is shown as follows.

Theorem 1.
e proposed concrete scheme is IND-sAA-sCCA2 secure in the random oracle model if the (q + 1) − DPBDHE2 assumption holds, the chameleon hash function is secure, and the size of challenge matrix is at most q × q.
Proof. Suppose that there exists a PPT adversary A who can break the proposed scheme with nonnegligible advantage ε, then we can build a simulator B which can break the (q + 1) − DPBDHE2 assumption with the tuple (D, Y) as input and interact with A as follows: Init: initially, A gives B a set of corrupt authorities C θ and a challenge access policy (M * , ρ), where M * is a matrix whose size l × n is at most q × q and ρ: [l] ⟶ Z p which implies that its attribute set is . Let δ be a function map in each row M �→ i to the authority who manages attribute ρ(i), i.e., δ(i) � T(ρ(i)), and denote δ(i) { } i∈ [l] by δ[l]. Global setup: B gets (D, Y) from (q + 1) − DPBDHE2 challenger and substitutes M * with the matrix M according to "zero-out" lemma where denotes n − c by n ′ and restricts that, for each row M x∈C , there is only one "1" in one of the last c positions and "0" in others. It picks randomly a challenge message m * ← R G T and sets It selects a secure chameleon hash function H ch : 0, 1 { } * ⟶ U and then runs the algorithm KeyGen ch (1 λ ) to get the key pair (SK ch , PK ch ). It randomly chooses an auxiliary parameter r * ch ← R Z p and regarded as a challenge on-the-fly dummy attribute authorized by θ 0 controlled by B. It calculates a matrix M l+1 ⟵ R Z 1×n p representing the access policy of V * ; M l+1 is regarded as the l + 1 row of M, and then, M becomes a (l + 1) × n matrix. B randomly selects α 0 ′ , β 0 ′ ← R Z p and sets en, it calculates At last, B sends GP � < p, g, G, e, e(g, g) α 0 , g β 0 , U, U θ , PK ch , T > , (26) to A, where the random oracles H and F are programmed by the simulator. Phase 1: the adversary A issues a polynomially bounded number of queries statically: (i) Authority's public key queries: A submits a set of the noncorrupt authorities N θ ⊆ U θ and N θ ∩ C θ � ∅ since A can create the public keys of the corrupt authorities by himself. For each θ ∈ N θ , A considers two cases: (a) θ ∉ δ[l]: B randomly selects α θ , β θ ⟵ R Z p and outputs the public key 〈e(g, g) α θ , g β θ 〉.
en, it calculates e(g, g) α θ � e(g, g) (ii) H-oracle queries: A queries to oracle H for identity UID i with attribute set S i . ere are two cases: and computes (iii) F-oracle queries: A queries to oracle F for the attribute u whose authority is T(u). ere are two cases: (a) T(u) ∉ δ [l] or T(u) ∈ C θ : B randomly selects F(u)← R G if it has not been stored.
: let X ″ � x|δt(x)n � qTh(u) − x|ρt(x)n � qu and B randomly selects f u ← R Z p and outputs (iv) User's secret keys queries: A submits the user identity UID i and a set of his all attributes S i , and B gives A the secret keys for every u ∈ S i . Firstly, for each u ∈ S i , B runs the algorithm AttrKeyGen(UID, T(u), u) ⟶ P UID,u to generate a binary tree AT u with an attribute key AK u and the path key P UID,u . en, it considers the following three cases: it has not been stored. en, it outputs and S i ∩ ρ[l] � ∅: according to the authority public key queries and H-oracle and F-oracle phases, Security and Communication Networks and S i ∩ ρ[l] ≠ ∅: according to the authority public key queries and H-oracle and F-oracle phases, where At last, the secret key for u is If S i satisfies (M * , ρ), B revokes one of these attributes from all users. with a set of attribute S i . For every u ∈ S i , B runs the algorithm Revoke(UID i , u, RL u ) ⟶ UpAK u to get the update keys UpAK u , re-encrypts the ciphertext with the latest update keys, and then publishes AK u ′ · NK u,i i∈MinSubCover(AT u ,RL u ) to A. Challenge: A submits to B two equal-length messages m 0 and m 1 . C firstly randomly flips coin p and w → � (0, sa q+1 , . . . , sa q+n′− 1 , 0, . . . , 0) ∈ Z 1×n p . en, it produces the cipertexts by considering the following two cases: randomly selects z x * , y x * , t x * ← R Z p and calculates Since t x * l x * �0 are not properly distributed, B randomly selects s ′ , t x * ′ , t 0 ′ ← R Z p and random vectors v → ′ � (s ′ , v 2 , . . . , v n ), w → ′ � (0, w 2 , . . . , w n ) ∈ Z 1×n p . en, it computes the re-randomized ciphertext CT * , ∀x * ∈ [l]: . At last, it reencryptes the ciphertext CT * by the latest attribute keys and sends to A. Phase 2: the same as Phase 1, except that A cannot make the secret key query for the selected access policy or make decryption query for the challenge ciphertext. Guess: A outputs a guess bit b ′ ∈ 0, 1 { }. If b ′ � b, then B outputs that Y � e(g, g) sa q+2 . Otherwise, B outputs that Y � R.
If Y � e(g, g) sa q+2 , then B plays the proper security game with A, since CT * is a valid ciphertext for the message m b . Denote the advantage of A wins in this case by ε. Otherwise, Y � R, CT * is a ciphertext of a random message, so the advantage of A is 0. erefore, A has advantage Adv A (λ) � ε in breaking the concrete scheme, and then, B can break the (q + 1)-DPBDHE2 assumption with advantage Adv A (λ) � ε.

Performance Analysis
In this section, we analyze and compare the proposed scheme with others in terms of characteristics and efficiency both in the theoretical method and in the experimental method.
6.1. eoretical Analysis. We compare the proposed scheme with several related MA-CP-ABE schemes in the terms of the feature, the computation, and the storage, respectively, in Tables 2-4. Table 5 summarizes notations.
In Table 2, we compare the properties of our scheme with other previous schemes. All these MA-CP-ABE access control schemes are constructed on the prime-order bilinear group and support the large universe. We can observe that our scheme is superior to other existing previous relevant schemes.
e schemes in [19,39] cannot filter illegal or invalid ciphertext because they do not support the ciphertext public test. e schemes in [19,40] deal with the scenario that dynamically change the users' access privilege since they support users' attribute revocation. ey also cannot support outsourcing decryption to reduce the computation overhead on the users' side. In the other schemes, the data owners will face a heavy computation load when encrypting the data. Only our scheme provides the online/offline encryption algorithm. Moreover, ours is CCA2-secure which is more secure than the other statically secure schemes.
In Table 3, we compare the computational complexity of our scheme with the previous schemes. As for the computation efficiency of the encryption, the proposed scheme is much more efficient than the other schemes since the expensive encryption operations have been executed in the user's initialization phase by adding the reusable ciphertext pool and split to online encryption and offline encryption. In comparison with the scheme in [39], the computation complexity of final decryption (the last step to recover plaintext for the user) is substantially reduced in our scheme. Moreover, our scheme is more efficient than the scheme in [40] when publicly verifying the ciphertext.
In Table 4, we compare the storage overhead of these above schemes on every entity. e main storage overhead of each AA comes from the master secret key is the same constant in every scheme. e data owner's storage overhead comes from the global public parameters and authority public keys. In our scheme, the data owner needs to shore the reusable ciphertext pool additionally. e data user's storage overhead mainly comes from the attribute-related secret keys. In these schemes [39,40], and our scheme, the data user needs to store the path key since they using the same revocation method.

Experimental Analysis.
To evaluate the performance of our proposed scheme, we implemented and compared the computation cost of the RW15 scheme [19], the LLWG19 scheme [40], and ours in Charm [44] from the Stanford Pairing-Based Crypto library [45]. e program was running on a supersingular symmetric elliptic curve group ("SS512"), over 512-bit base field size. e curve group has a 160-bit order. All the experiments were conducted on a virtual machine platform: Vmware@Workstation 15 Pro 15.5.2 build-15785246, equipped with a 2.30 GHz Intel Cored CPU with 2 GB RAM running 64-bit Linux Ubuntu 18.04.4. We run the schemes for 100 rounds and calculate the average execution time they took, where the number of attributes is ranging from 1 to 50. Finally, the graphs are shown in Figure 3. Figure 3, the encryption cost, the decryption cost, and the public ciphertext test cost grow linearly with the number of attributes in the access structure. From Figure 3(a), in the proposed scheme, the encryption is split into online encryption and offline encryption. e online encryption time grows with the number of attributes since the online encryption has to compute the hash operation and exponentiation operation related to attributes. However, the online encryption time can be nearly haft reduced. In Figure 3(b), the predecryption denotes the data user recovers the original ciphertext by the attribute keys when she/he chooses outsourcing decryption, so its time grows with the number of attributes. Moreover, the final decryption only requires a constant amount of computation, so its time is nearly constant. Taken together, the total decryption time in our proposed scheme is nearly a quarter of it in the RW15 scheme. Focusing on the public ciphertext test cost, Figure 3(c) shows that the public ciphertext test time in the proposed scheme is less than that in the LLWG19 scheme. erefore, the proposed scheme is very efficient in terms of the encryption cost, the decryption cost, and the public ciphertext test cost.

As shown in
In conclusion, our proposal is more flexible and supports more functions than other previous schemes, which is more suitable for the IoT.  [19] 2l Z p l G T + l G 2|S|l G × × (l + 1)l G T + 3ll G LJWY18 [39] 2l Z p l G T + l G 2|S|l G + |S|P a l Z p × × (l + 1)l G T + 3ll G LLWG19 [40] 2l Z p l G T + l G 2|S|l G + |S|P a l Z p × × (l + 2)l G T + (3l + 3)l G + l Z p Ours 2l Z p l G T + l G 2|S|l G + |S|P a l Z p Nl G T + 2Nl G + 3Nl Z p 2l G T + 2l G + 2l Z p (l + 2)l G T + (3l + 3)l G + 3l Z p Size of the path key for attribute a l Z p Size of an element in Z p l G Size of an element in G l G T Size of an element in G T

Conclusion
In this paper, we design an efficient, CCA2-secure, flexible fine-grained access control scheme to solve the practical issues efficiently for the IoT using edge computing. e proposed scheme meets the need of the large-scale multidomain collaboration in the IoT by using multiauthority attribute-based encryption with the large attribute universe.  By adding a reusable ciphertext pool, the most expensive encryption operations have been executed in the user's initialization phase which minimizes the online encryption computation. At the same time, the near-edge servers can perform the major decryption for the data user. As a result, the computation overhead of encryption and decryption is substantially reduced both on the data owner and user sides. A fine-grained revocation mechanism is designed to revoke an attribute from the user, by which the user or the attribute can be revoked from the system. So it can change user's access privileges timely and be suitable for the dynamic IoT. e scheme supports efficient ciphertext verification. Only valid ciphertext can be stored and transmitted, which saves the system resources. Moreover, the user can verify the validity of the ciphertext even though some attributes involved in the ciphertext are revoked, only if the rest of his attributes still has the access privilege to decrypt the ciphertext. e proposed scheme is proven CCA2-secure under the q-DPBDHE2 assumption, which is more secure than the previous scheme. e performance analysis results show that the proposed scheme is highly efficient and suitable in edge computing for the IoT.

Data Availability
No data were used to support the findings of this study.

Conflicts of Interest
e authors declare that there are no conflicts of interest regarding the publication of this paper.