An Efficient ECC-Based CP-ABE Scheme for Power IoT

Abstract

The rapid development of the power Internet of Things (IoT) has greatly enhanced the level of security, quality and efficiency in energy production, energy consumption, and related fields. However, it also puts forward higher requirements for the security and privacy of data. Ciphertext-policy attribute-based encryption (CP-ABE) is considered a suitable method to solve this issue and can implement fine-grained access control. However, its internal bilinear pairing operation is too expensive, which is not suitable for power IoT with limited computing resources. Hence, in this paper, a novel CP-ABE scheme based on elliptic curve cryptography (ECC) is proposed, which replaces the bilinear pairing operation with simple scalar multiplication and outsources most of the decryption work to edge devices. In addition, time and location attributes are combined in the proposed scheme, allowing the data users to access only within the range of time and locations set by the data owners to achieve a more fine-grained access control function. Simultaneously, the scheme uses multiple authorities to manage attributes, thereby solving the performance bottleneck of having a single authority. A performance analysis demonstrates that the proposed scheme is effective and suitable for power IoT.

1. Introduction

Power Internet of Things (IoT) connects power users, grid enterprises, generation enterprises, suppliers, and their equipment to generate shared data and serve users, power grids, power suppliers, and the government and society in return [1].

With the construction and promotion of the power IoT, hundreds of millions of IoT terminals are deployed in the areas of power generation-transmission-substation-distribution-consumption. These power IoT terminals can collect multidimensional data from the electricity infrastructure and equipment effectively, and then, the data are uploaded to a cloud platform of the state grid for use in other business systems, such as smart energy service platforms, asset management systems, and power markets. Meanwhile, kinds of electric smart devices generate massive data, thus bringing new challenges to the data storage and management for smart grid and promoting the integration of power IoT and smart grid. Hence the privacy security of data storage is becoming an attractive research area in power IoT. The effective access control is the key method to achieve the privacy security of the cloud storage. In addition, the traditional power grid access control technology has been unable to meet the practical needs due to the large number of users and devices, small grain size and large scale of data and distributed characteristics of access control in power IoT.

What is more, the data of power IoT may contain some sensitive information (such as customer electricity usage and voltage data for a certain place) and private information (such as user identity and location information). Therefore, it is necessary to protect the security of data generating in power generation–transmission–substation–distribution–consumption. Due to the opening of power IoT, the network of power IoT has lots of potential attack points, and a breach of one device could leave the entire grid vulnerable to cyber-attack. Therefore, the power IoT is vulnerable to malicious damage and illegal access. It is also necessary to limit the access of authorized users by time and location. For example, a legitimate employee of an electric power company can only access certain user data in the office during working hours. Therefore, the fine-grained access control for power IoT needs to meet stricter requirements. The traditional one-to-one access mode between data and users by public key encryption schemes cannot satisfy the requirements of complex power IoT systems. However, ciphertext-policy attribute-based encryption (CP-ABE) with fine-grained access control can support a one-to-many access mode between data and multiple users, which can solve the problems mentioned above.

However, the implementation of CP-ABE relies on the bilinear pairing operation, which has high computational cost and requires too many computing resources. In contrast, scalar multiplication based on elliptic curve cryptography (ECC) consumes much fewer resources, and the computational overhead of bilinear pairing is two or three times higher than that of scalar multiplication with the same elliptic curve. In addition, because the computing resources of the power IoT terminals are limited, they are not suitable for large data encryption and decryption operations. To reduce the computational overhead of power terminals, the calculation can be outsourced to the edge IoT agent based on edge computing and the framework of power IoT [2]. Therefore, the scheme proposed here, which combines the CP-ABE based on ECC and edge computing, can effectively provide information security protection for power IoT.

The major contributions of this paper include the following:

(1)

We propose an efficient CP-ABE scheme, which uses simple scalar multiplication based on ECC instead of complex bilinear pairing to reduce the computational overhead and make it more suitable for power IoT terminals with resource constraints.

(2)

The proposed scheme uses multiple authorities to manage the attributes, which avoids the problems of the single point and key escrow of the single authority scheme and improves the security of the system.

(3)

The access control of the proposed scheme is more fine-grained by combining the time and location domain information as dynamic attributes into the proposed CP-ABE scheme. The data users can only access the relevant cipher text within the valid range of time and location, thus improving the security of the power data.

(4)

We adopt the linear secret sharing scheme (LSSS) access structure to enhance the expressiveness of the access policy and provide an elaborate security and performance analysis between the proposed scheme and existing schemes. The experimental results demonstrate that the proposed scheme is effective.

In this paper, Section 1 and Section 2 present the introduction and related work on power IoT and CP-ABE. The preliminaries of the scheme are presented in Section 3. Section 4 introduces the details of design of the proposed scheme based on ECC. The security and performance analysis are given in Section 5 and Section 6. Section 7 presents the conclusions of this paper.

2. Related Work

After Bethencourt et al. gave the first concrete construction of CP-ABE [3], there have been many works enhancing the CP-ABE scheme; for example, Lewko et al. presented an ABE scheme in composite order bilinear groups with low practical efficiency [4]. Although these IPE constructions achieve attribute hiding properties, the security of their scheme is not high under well-known standard assumptions. Li et al. presented a new CP-ABE system based on the ordered binary decision diagram (OBDD) [5]. Deng et al. extended ABE to CP-HABE to support hierarchical attributes and focused on the problem of key management [6]. Goyal et al. adopted a bounded access tree structure and proposed a CP-ABE scheme with a more flexible access policy under the DBDH assumption [7]. In addition, Yan et al. proposed a multi-authority attribute encryption scheme with dynamic policy updates in personal health record systems [8]. These schemes enhance the CP-ABE scheme, but the performance of CP-ABE is not improved or mentioned.

The CP-ABE scheme usually requires the calculation of bilinear pairing, which demands a very large amount of computation resources. In the IoT system, edge computing technology can reduce the resources consumption of terminals by outsourcing encryption and decryption to edge devices. Belguith et al. proposed a multi-authority access control scheme with hidden access policies and outsourced decryption computing to the cloud [9]. The concept of user groups was adopted by Li et al. to solve the permission revocation problem and outsource the computation to improve the efficiency and performance of the scheme [10]. Yu et al. proposed a scheme that allows the data owner to delegate most of the computation to untrusted cloud servers without any information disclosing by combining techniques of ABE with proxy re-encryption and lazy re-encryption [11]. However, these schemes increase the overhead of the communication and encryption/decryption of the cloud service provider.

Green et al. proposed a CP-ABE scheme with outsourcing decryption computing [12]. In this scheme, the cipher text is sent to the decryption outsourcing server. Then, the decryption outsourcing server pre-decrypts the cipher text to obtain the intermediate cipher text, which is sent to the data user, thus reducing the user’s computation. However, the revoked user is still able to decrypt the new cipher text. Furthermore, this scheme cannot defend against the attack of forward security. Li et al. proposed an improved CP-ABE scheme for hybrid cloud computing, which supports outsourcing encryption and decryption and provides a data validation mechanism to ensure the correctness of outsourced data [13]. However, the performance of encryption and decryption is still limited by the number of attributes. Zhang et al. proposed an access control scheme that outsourced the encryption and decryption to fog nodes, which reduced the encryption and decryption operations of terminals [14]. The scheme can update system attributes effectively. However, the fog nodes are close to the terminal side, so they are easily attacked. Zuo et al. proposed a more secure outsourcing decryption scheme, which can resist the attack of selective cipher text [15]. Fan et al. proposed an efficient and privacy-preserving outsourced access control scheme with multiple authorities, named PPO-MACS [16]. All attributes of users are transformed to be anonymous and authenticable to realize privacy preservation. Zhong et al. also proposed an efficient ABE scheme that can outsource part of the encryption and decryption to the edge nodes and support the update of attributes, making access control flexible [17]. Although these schemes achieve computing outsourcing, terminals still need to compute bilinear pairing, and the performance bottleneck of CP-ABE remains.

With the research of elliptic curves, many researchers have combined elliptic curves with ABE and adopted elliptic curve algorithms to replace complex bilinear pair operations so that they can be applied in resource-constrained IoT systems.

Table 1. Feature-based comparison.

Pairing Free ABE Schemes	Advantages	Disadvantages
Odelu et al. [18]	Bilinear pairing free and ECC based CP-ABE scheme with constant size ciphertext and keys. The time complexity for encryption and decryption is O(1).	The AND GATE access structure is not well expressed. Since the fully-trusted Attribute Authority generates the secret master keys, this scheme suffers from the key-escrow problem.
Yao et al. [20]	An ECC based lightweight ABE scheme without bilinear pairing operations. Selectively secured against CPA under Elliptic Curve Decisional Diffie—Hellman assumption.	Access tree access structure is less insufficient. Poor flexibility in revoking attribute.Poor scalability and generality.
Sowjanya et al. [21]	A lightweight ECC-based key-policy ABE without bilinear pairing and with a key refresh/update mechanism.	KP-ABE is not suitable for IoT systems with many terminals. The AND GATE access structure is not well expressed.
Qin et al. [22]	Lightweight KP-ABE based on ECC and ELGamal. Can provide mutual authentication and conditional anonymity.	The performance is worse than traditional ECQV certificate scheme.
Ding et al. [23]	Lightweight without pairing ECC based CP-ABE scheme with LSSS access matrix. Resistant to collusion attack.	Suffers from the key-escrow problem.
Samarati et al. [24]	A CP-ABE scheme based on ECCwith a constant-size secret key. Can be capable of addressing the collusion attack.	The extra validate phase may be the bottleneck while the device’s amount increase.
Junejo et al. [25]	A leightweight ABE scheme Based on ECC and fog computing. Provide secure key pair update approach.	The constraints of access time and location are not being taken into consideration. AND GATE access control structure is not well expressed.

illustrates the feature-based comparison of some pairing free ABE schemes, highlighting the advantages and disadvantages of the respective works. Odelu et al. proposed a CP-ABE scheme based on ECC with constant key size and applied it to the designed lightweight CP-ABE scheme for battery-limited mobile devices in the IoT based on cloud computing [18]. However, the AND GATE access structure adopted by Odelu et al. is not well expressed and is not suitable for complex access structures [19]. Yao et al. proposed an ECC-based lightweight KPABE technique for IoT without bilinear pairing, but there are some limitations in their scheme; it is unable to support outsourcing decryption and has poor scalability [20]. Sowjanya et al. proposed a lightweight ECC-based key-policy ABE without bilinear pairing and with a key refresh/update mechanism. However, KP-ABE is not suitable for IoT systems with many terminals [21]. Qin et al. proposed a scheme that integrates an elliptic curve Qu-Vanstone implicit certificate with the ELGamal encryption algorithm to achieve both mutual authentication and conditional privacy protection [22]. Ding et al. proposed a scheme that replaces complicated bilinear pairing with simple scalar multiplication on elliptic curves, thereby reducing the overall computational overhead [23]. Samarati et al. [24] proposed a CP-ABE scheme based on the ECC with a constant-size secret key, which is capable of addressing the collusion attack security issue. A lightweight attribute-based security scheme based on ECC was proposed by Junejo et al. for fog-enabled cyber physical systems (Fog-CPS) [25]. Tian et al. proposed a scheme that replaces complicated bilinear pairing with simple scalar multiplication on elliptic curves to realize cipher text policy attribute-based encryption of cloud data while solving the security problem of shared data [26].

However, the access policies of these schemes are only based on regular attributes (such as the department and occupation, etc.) of users to generate access policies while ignoring the access constraints of time and location, so they are not applicable to meet the real-time and mobility requirements of edge computing. To share time-sensitive data, Hong et al. proposed an access control scheme combining time and attributes [27]. If an attribute has a time limit, the CA generates a time token that is used to transform the state of the time trap gate generated by the data owner at the cloud server. However, if the CA is maliciously corrupted, the time token and the private key of the property is leaked, causing the whole system to crash.

3. Preliminaries

3.1. Elliptic Curve Cryptography

ECC was first proposed by Neal Koblitz and Victor Miller in 1985. ECC is an important branch of public key cryptography, and its security is based on the difficulty of the elliptic curve discrete logarithm problem (ECDLP). An elliptic curve $E$ defined on the finite field $FG\left(p\right)$ can be expressed as $y^2=x^3+ax+b\left(mod p\right)$ and $4a^3+27b^2\ne 0$. If $G$ is a generator of the group with prime order $r$, it is extremely difficult to compute $k$ in polynomial time for the given point $Q=kG$. Compared with RSA, ECC is able to ensure the same security with smaller key sizes because it is more difficult to solve ECDLP than to decompose integers in RSA. ECC encryption protocols are generally divided into three steps. First, the plain text data are mapped to the point $Q$ on the elliptic curve. Then, the encryption protocol between the two entities, such as Alice and Bob, performs as follows:

(1)

Key Generation

(a)

Alice and Bob agree to use the same elliptic curve $y^2=x^3+ax+b\left(mod p\right)$ and a generator $G$.

(b)

Alice selects an integer $S_a\in Z_p$ randomly as the private key, calculates $P_a=S_{a}G$ as the corresponding public key and makes it public.

(c)

Bob also selects an integer $S_b\in Z_p$ randomly as the private key, calculates $P_b=S_{b}G$ as the corresponding public key and exposes it.

(2)

Encryption

To encrypt $Q$, Alice first selects an integer $k\in Z_p$ at random, then calculates the cipher text with two parts: $C_1=kG$, $C_2=Q+k{P}_b$ and sends $C_1$ and $C_2$ to Bob.

(3)

Decryption

After receiving the cipher text, Bob obtains $Q$ by calculating $C_2-S_b{C}_1=Q+k{P}_b-S_{b}kG=Q$. Finally, Bob can obtain the plain text data by mapping the point $Q$ on the elliptic curve.

3.2. Decisional Diffie–Hellman Assumption

The definition of the decisional Diffie–Hellman (DDH) problem is described below: The challenger chooses a cyclic group $P$ with prime order $r$. $G$ is one generator of cyclic group $P$, and $a$ and $b$ are randomly selected from $Z_r$. If the challenger gives the adversary a tuple $\left(G,aG,bG\right)$, it is difficult for the adversary to distinguish the valid element $abG\in P$ from a random element $R\in P$ in polynomial time. The advantage of algorithm $\mathcal{B}$ to solve the DDH problem under $P$ is $\epsilon$ if $\left|Pr\left[\mathcal{B}\left(G,aG,bG,Z=abG\right)=0\right]-Pr\left[\mathcal{B}\left(G,aG,bG,Z=R\right)=0\right]\right|\ge \epsilon$, which indicates that algorithm $\mathcal{B}$ can overcome the DDH problem with the advantage of $\epsilon$.

Definition 1.

The DDH assumption holds if the advantage of the algorithms in solving the DDH problem in polynomial time is negligible.

3.3. Linear Secret Sharing Scheme

If a secret sharing scheme $\Pi$ based on a member set $P$ satisfies the following conditions, then scheme $\Pi$ is called a LSSS on $Z_p$.

(1)

The secret shares of all participating members constitute a vector on $Z_p{}^{*}$

(2)

In the secret sharing scheme $\Pi$, there is a sharing $l\times n$ matrix $M$. The row $i$ in $M$ represents the member $i$ of the set $P$ where $i=1,2,\dots l$, and this member can be found through the $\rho \left(i\right)$, $\rho \left(i\right)$ is a function that maps from $\left\{1,2,\dots l\right\}$ to $P$. Let $\overrightarrow{v}=\left(s,y_2,y_3,\dots ,y_n\right)$ be a random vector, where $s\in Z_p{}^{*}$ is the shared secret message and $y_2,y_3,\dots ,y_n\in Z_p{}^{*}$ is an arbitrary random number. Then, ${(M\cdot \overrightarrow{v})}_i$ divides the secret $s$ into $l$ parts according to the sharing scheme $\Pi$, where ${(M\cdot \overrightarrow{v})}_i$ belongs to $i$.

(3)

The linear secret sharing scheme defined above should also satisfy the linear reconstruction property. For any authorized set $S\in \Lambda$, $I\subset \left\{1,2,\dots l\right\}$ and $I=\left\{i:\rho \left(i\right)\in S\right\}$ where $\Lambda$ is the access structure, a constant set ${\{w_i\in Z_p{}^{*}\}}_{i\in I}$ can be found in polynomial time, and the secret $s$ can be recovered by computing ${\sum }_{i\in I}{w}_i\left(M\cdot \overrightarrow{v}\right)=\epsilon \cdot \overrightarrow{v}=s$ and $\epsilon =\left(1,0,\dots ,0\right)$. For the unauthorized set, there exists vector ${\{{\omega }_i\in Z_p{}^{*}\}}_{i\in I}$ leading to ${\omega }_i\cdot M^T=0$.

3.4. System Model

The architecture of the proposed scheme in this paper includes power terminals/users, edge IoT agents, and clouds of state grids. There are six roles in the scheme, including cloud server provider (CSP), central authority (CA), attribute authority (AA), edge node (EN), data owner (DO), and data user (DU). The framework of the scheme is shown in Figure 1. The functions of each role are as follows:

(1)

CSP: The CSP is an “honest but curious” data storage organization that honestly performs the tasks assigned by the system and provides services reliably. However, it may be interested in the information stored by users and may try to steal some privacy data.

(2)

CA: The CA is fully trusted and generates public parameters for the entire system.

(3)

AA: The AAs are fully reliable as well. Each AA is responsible for managing attributes that belong to its own domain. The AA generates a pair of public and private key pairs for its attributes in the domain. The public key is sent to the DO for encryption, while the private key generates the attribute private key for the DU. The AA decides to generate and distribute the private key of the relevant attributes to the DU depending on the validity of the request time and location of the DU.

(4)

EN: The ENs are capable of storage and computation, filling the gap between users and cloud servers. They can process the requests of a DU in real time and retrieve cipher text from adjacent nodes or cloud servers when necessary. In addition, they are also responsible for pre-decrypting the cipher text and then returning the results to DU.

(5)

DO: The DO is in charge of formulating the access structure, calculating the cipher text and uploading the cipher text to the CSP.

(6)

DU: The DU can obtain the pre-decrypted results from the EN and then decrypt the data to obtain the plain text data.

The algorithms of the scheme are defined below:

(1)

Global Initialization $\left(k\right)\to PP$: The CA chooses a security parameter $k$ and executes the global initialization algorithm and then outputs the system public parameter $PP$ for the system.

(2)

Authority Initialization $\left(PP\right)\to \left(PK,MSK\right)$: The Attribute Authority inputs the public parameter $PP$ and outputs the public key (PK) and master secret key (MSK) for the authority and its attributes.

(3)

Data Encrypt $\left(PP,PK,M,\left(\Lambda ,\rho \right)\right)\to CT$: The data owner inputs the public parameter $PP$, the corresponding $PK$, the given plain message $M$ and the access policy $\left(\Lambda ,\rho \right)$, and then the cipher text $CT$ is output.

(4)

General Key Generation $\left(PP,S_{i,GID},GID,MSK\right)\to US{K}_{i,GID}$: The algorithm is executed by $A{A}_i$. Then, $A{A}_i$ can obtain the general attribute key $US{K}_{i,GID}$ by inputting $PP$, general attribute set $S_{i,GID}$ of $A{A}_i$, and $GID$ of the data user and master key $MSK$.

(5)

Time Key Generation $\left(PP,S{T}_{i,GID},GID,MSK\right)\to TS{K}_{i,GID}$: $A{A}_i$ is able to obtain the time attribute key $TS{K}_{i,GID}$ by the $PP$, time attribute set of $S{T}_{i,GID}$, $GID$ of data user and master secret key $MSK$.

(6)

Location key generation $\left(PP,S{L}_{i,GID},GID,MSK\right)\to LS{K}_{i,GID}$: $A{A}_i$ takes the public parameter $PP$, location attribute set $S{L}_{i,GID}$, and $GID$ of the data user and master key $MSK$ as input and then outputs the attribute key $LS{K}_{i,GID}$ of the location.

(7)

Edge IoT agent pre-decryption $\left(PP,PK,SK,CT\right)\to C{T}^{\prime }$: The edge IoT agent terminals perform the pre-decryption operation and input the pre-decryption key and cipher text to obtain the cipher text $C{T}^{\prime }$.

(8)

Local Decryption $\left(DSK,C{T}^{\prime }\right)\to M$: The data user performs the decryption operation, inputs $DSK$ and $C{T}^{\prime }$, and calculates the final plain text $M$.

3.5. Security Model

To prove the security under a chosen-cipher text attack, we now give the security model of our CP-ABE scheme. The model between adversary $\vartheta$ and challenger $\mathcal{B}$ is described as follows:

Initialization. The adversary $\vartheta$ outputs the challenge as an access structure $\left({\Lambda }^{*},\rho \right)$ and sends it to the challenger $\mathcal{B}$.

Setup. Challenger $\mathcal{B}$ runs the initialization algorithm to generate the necessary public parameter for the system as well as the public and secret key pair for each attribute. The challenger gives the public keys to the adversary $\vartheta$.

Phase 1. The adversary $\vartheta$ can adaptively make queries for the secret keys of the attributes with the restriction that no set of the keys can decrypt the challenge’s cipher text. The challenger records the attributes in the attribute list corresponding to the adversary’s $GID$.

Challenge Phase. In this phase, adversary $\vartheta$ outputs $\left(M_0,M_1\right)$ for challenge, and $M_0,M_1\in Z_p$ are two equal-length messages. Then, the challenger picks a coin $\beta \in \left\{0,1\right\}$ and sends the encryption of $M_{\beta }$ under access matrix $\left({\Lambda }^{*},\rho \right)$ to adversary $\vartheta$.

Phase 2. The adversary $\vartheta$ can continue with the secret key queries and decryption queries with the same restriction in Phase 1.

Guess. The adversary may output a guess ${\beta }_0$ of $\beta$.

The advantage of the adversary in this game is defined as $\left|Pr[{\beta }_0=\beta ]-\frac{1}{2}\right|$.

Our CP-ABE would be selective CPA secure if the adversary can win this security game with a negligible advantage in polynomial time.

4. Proposed Scheme

In this paper, we propose a novel outsourced CP-ABE scheme that supports multi-authority and dynamic time and location attributes. The scheme not only considers the general attributes of data users but also incorporates time and location domain information into the attributes of access time and location so that the data users can only access legitimate data according to their own existing attributes, making access control more flexible and fine-grained. We simplify the calculation process by using simple scalar multiplication based on ECC instead of complex bilinear pairings. Our scheme is composed of the following five parts: global initialization, authority initialization, data encryption, key generation, and data decryption. Data decryption consists of two processes: pre-decryption on the edge IoT agent and user decryption. The algorithms can be reformulated in more detail as follows.

• Global Initialization

The algorithm is executed by CA, CA inputs the security parameter $k$ and selects a finite field $GF\left(q\right)$ of order $r$, $E$ is an elliptic curve defined over the finite field $GF\left(q\right)$, and $G$ is a generator of cyclic subgroups with prime order $r$ on the elliptic curve $E$, where the ECDLP is difficult to solve.

In addition, the hash function $H:{\left\{0,1\right\}}^{*}\to Z_r^{*}$ is chosen to map the $GID$ of the user to the elements in $Z_r$. Define the set of global attributes $\Lambda =\left\{a_1,\cdot \cdot \cdot ,a_n\right\}$, and these attributes are managed by multiple authorities and generate keys for users associated with their attributes.

The public parameter is $PP=\left\{GF\left(q\right),G,E,\Lambda ,H\right\}$, and the CA sends $PP$ to $A{A}_i$ in the system.

2.

Authority Initialization

The algorithm is run by each authority in the system, and the input is the public parameter $PP$ that is initialized by CA. The system has multiple authorities, and each authority takes attributes that do not overlap with others and needs to maintain a list of attributes corresponding to the $GID$ of the user. The authority selects two random values $y_i,k_i\in Z_r$ to generate the master secret key $MSK=\left\{y_i,k_i,\forall i\right\}$ and public key $PK=\left\{y_{i}G,k_{i}G,\forall i\right\}$ for attribute $i$.

3.

Data Encryption

(1)

The DO uses a symmetric encryption algorithm $E$ (such as SM1/SM4) and randomly symmetric key $ck$ to encrypt the message $M$, calculating $C{T}_{DATA}=E_{ck}\left(M\right)$ to obtain the cipher text $C{T}_{DATA}$ and calculating $H_{CT}=H\left(C{T}_{DATA}\right)G$ to ensure the integrity of the data.

(2)

The DO selects a unique number $DAT{A}_{ID}$ for the cipher text $C{T}_{DATA}$; if the data cipher text $DAT{A}_{ID}$ has limited the access time, then the DO should add the valid time range $\lceil T_{begin}, T_{end}\rceil$ to the time attributes $S{T}_{i,DAT{A}_{ID}}$ belonging to cipher text $DAT{A}_{ID}$. The DO selects a random value $t_i\in Z_p$ to encrypt the symmetric key and calculates $t_{i}G$ to generate the private key for the time attributes. Similarly, if $DAT{A}_{ID}$ has a limited access location, then the DO should add the valid time range $\lceil L_{begin}, L_{end}\rceil$ to the location attributes $S{L}_{i,DAT{A}_{ID}}$ belonging to $DAT{A}_{ID}$. The DO selects $l_i\in Z_p$ to encrypt the symmetric key and calculates $l_{i}G$ to generate the private key for the location attributes.

(3)

The DO defines an LSSS access structure $\left(\Lambda ,\rho \right)$ to restrict the user who can decrypt data with corresponding attributes. $\Lambda$ is the $l\ast m$ access matrix, and $\rho \left(x\right)$ represents the attribute corresponding to row $x$ of access matrix $\Lambda$. Then, the data owner sends the access structure $\left(\Lambda ,\rho \right)$ to the edge IoT agent.

The encryption algorithm consists of the following stages:

• Calculate $C_0=ck+sG$ where $s\in Z_p$ is a random number.
• Select two random vectors $\overrightarrow{v}=\left(s,v_2,\dots ,v_m\right)\in Z_p$ and $\overrightarrow{u}=\left(0,u_2,\dots ,u_m\right)\in Z_p$, then calculate ${\lambda }_x={\Lambda }_x\cdot \overrightarrow{v}$, ${\omega }_x={\Lambda }_x\cdot \overrightarrow{u}$ and $\left(C_{1,x}={\lambda }_{x}G+{\gamma }_x{y}_{\rho \left(x\right)}G,C_{2,x}={\gamma }_{x}G,C_{3,x}=\left\{\begin{array}{c}{\omega }_{x}G+{\gamma }_x{k}_{\rho \left(x\right)}G, if\rho \left(x\right)\in normal attrs\hfill \\ {\omega }_{x}G+{\gamma }_x\left(k_{\rho \left(x\right)}+t_{\rho \left(x\right)}\right)G, if\rho \left(x\right)\in time attrs\hfill \\ {\omega }_{x}G+{\gamma }_x\left(k_{\rho \left(x\right)}+l_{\rho \left(x\right)}\right)G, if\rho \left(x\right)\in location attrs\hfill \end{array}\right.\right)$, ${\gamma }_x\in Z_p$ is a random number, where $x\in \left[1,l\right]$ and ${\Lambda }_x$ is the row $x$ of $\Lambda$.

Finally, the cipher text is $CT=\left\{\left(\Lambda ,\rho \right),C_0,\left\{C_{1,x},C_{2,x},C_{3,x}\right\},C{T}_{DATA},H_{CT}\right\}$. DO uploads the cipher text $CT$ to the cloud server.

4.

Key Generation

The key generation algorithm is executed by $A{A}_i$ and DU. The key includes the general key, time key and location key.

(1)

Key Generation for General Attributes

$A{A}_i$ generates the general key $US{K}_{i,GID}{}^{\prime }=y_i+H\left(GID\right)k_i$ of attribute $i$ for the DU with $GID$ and records it in the list of $GID$. Then, the temporary conversion key $US{K}_{EN,GID}{}^{\prime }=\left\{US{K}_{i,GID}{}^{\prime },i\in S_{j,GID}\right\}$ is generated for the edge IoT agent. $A{A}_i$ sends the generated $US{K}_{EN,GID}{}^{\prime }$ to the corresponding DU, and the DU calculates $US{K}_{i,GID}=y_i+H\left(GID\right)k_i+z$ by choosing a random $z\in Z_r$ to obtain the private key $US{K}_{EN,GID}=\left\{US{K}_{i,GID},i\in S_{j,GID}\right\}$ for the general attribute $i$.

(2)

Key Generation for Time and Location Attributes

If a cipher text has a limited access time and location, the DU needs to request the private key of the time and location from the corresponding $A{A}_i$ within the valid time and location range. $A{A}_i$ calculates $TS{K}_{i,GID}{}^{\prime }=y_i+H\left(GID\right)\left(k_i+t_i\right)$ for time attributes and $LS{K}_{i,GID}{}^{\prime }=y_i+H\left(GID\right)\left(k_i+l_i\right)$ for location attributes. Similarly, DU uses the temporary keys $TS{K}_{EN,GID}{}^{\prime }=\left\{TS{K}_{i,GID}{}^{\prime },i\in S{T}_{j,GID}\right\}$ and $LS{K}_{EN,GID}{}^{\prime }=\left\{LS{K}_{i,GID}{}^{\prime },i\in S{L}_{j,GID}\right\}$ to calculate the private key $TS{K}_{i,GID}=y_i+H\left(GID\right)\left(k_i+t_i\right)+z$ and $LS{K}_{i,GID}=y_i+H\left(GID\right)\left(k_i+l_i\right)+z$ for the time and location attribute $i$.

5.

Data Decryption

Due to the limited resources of power IoT terminals, we divide the decryption process into two stages: pre-decryption on the IoT agent and local decryption at the DU.

First, the DU and edge node obtain the cipher text $CT$ from the cloud server. The edge node runs the pre-decryption algorithm to decrypt the cipher text and sends the partial decryption result to the DU. Then, the DU obtains the correct message by one simple scalar multiplication.

(1)

Pre-decryption

The edge IoT agent inputs the attribute set $S$ of the DU and generates the set $X=\left\{x\right|\rho \left(x\right)\in S\}$. If the DU’s attributes satisfy the access structure, then there must exist a constant set ${\{c_x\in Z_r\}}_{x\in X}$ that can be found in polynomial time, making ${\sum }_{x\in X}{c}_x{\Lambda }_x=\epsilon =\left(1,0,\dots ,0\right)$, which means ${\sum }_{x\in X}{c}_x{\lambda }_x=s$ and ${\sum }_{x\in X}{c}_x{\omega }_x=0$. The edge IoT agent obtains the result $D_x=C_{1,x}-S{K}_{\rho \left(x\right),GID}{C}_{2,x}+H\left(GID\right)C_{3,x}$ since there are three types of attributes; the calculation is as follows:

(a)

If $\rho \left(x\right)$ is a general attribute

$$\begin{array}{c}{P}_x=D_x=C_{1,x}-S{K}_{\rho \left(x\right),GID}{C}_{2,x}+H\left(GID\right)C_{3,x}\hfill \\ ={\lambda }_{x}G+{\gamma }_x{y}_{\rho \left(x\right)}G-\left(y_i+H\left(GID\right)k_i+z\right){\gamma }_{x}G+H\left(GID\right)\left({\omega }_{x}G+{\gamma }_x{k}_{\rho \left(x\right)}G\right)\hfill \\ ={\lambda }_{x}G+H\left(GID\right){\omega }_{x}G-z{\gamma }_{x}G\hfill \end{array}$$

(b)

If $\rho \left(x\right)$ is a time attribute

$$\begin{array}{c}{P}_x=D_x=C_{1,x}-S{K}_{\rho \left(x\right),GID}{C}_{2,x}+H\left(GID\right)C_{3,x}\hfill \\ ={\lambda }_{x}G+{\gamma }_x{y}_{\rho \left(x\right)}G-\left(y_i+H\left(GID\right)\left(k_i+t_i\right)+z\right){\gamma }_{x}G+H\left(GID\right)\left({\omega }_{x}G+{\gamma }_x\left(k_{\rho \left(x\right)}+t_{\rho \left(x\right)}\right)G\right)\hfill \\ ={\lambda }_{x}G+H\left(GID\right){\omega }_{x}G-z{\gamma }_{x}G\hfill \end{array}$$

(c)

If $\rho \left(x\right)$ is a location attribute

$$\begin{array}{c}{P}_x=D_x=C_{1,x}-S{K}_{\rho \left(x\right),GID}{C}_{2,x}+H\left(GID\right)C_{3,x}\hfill \\ ={\lambda }_{x}G+{\gamma }_x{y}_{\rho \left(x\right)}G-\left(y_i+H\left(GID\right)\left(k_i+l_i\right)+z\right){\gamma }_{x}G+H\left(GID\right)\left({\omega }_{x}G+{\gamma }_x\left(k_{\rho \left(x\right)}+l_{\rho \left(x\right)}\right)G\right)\hfill \\ ={\lambda }_{x}G+H\left(GID\right){\omega }_{x}G-z{\gamma }_{x}G\hfill \end{array}$$

The edge IoT agent calculates $T_1={\sum }_{x\in X}{c}_x{D}_x=sG-z{\sum }_{x\in X}{c}_x{\gamma }_{x}G$ and $T_2={\sum }_{x\in X}{c}_x{C}_{2,x}={\sum }_{x\in X}{c}_x{\gamma }_{x}G$ and sends the result $C{T}^{\prime }=\left\{C_0,C{T}_{DATA},H_{CT},T_1,T_2\right\}$ to the DU.

(2)

DU Decryption

DU only needs one simple scalar multiplication to obtain the plain text. DU calculates $c{k}^{\prime }=C_0-T_1+z{T}_2$ and calculates $H_{CT}{}^{\prime }=H\left(E_{c{k}^{\prime }}\left(M\right)\right)G$ by using $c{k}^{\prime }$. If $H_{CT}{}^{\prime }=H_{CT}$, it means the plain text is correct.

5. Security Analysis

This section proves the proposed CP-ABE access control scheme for power IoT systems to be secure under the DDH assumption.

Theorem 1.

If there is no adversary$\vartheta$that can win the security game with a non-negligible advantage in polynomial time, then there is no simulator$\mathcal{B}$that can selectively break the DDH assumption in polynomial time.

We can use apagoge to prove it, assume the adversary $\vartheta$ defined in the security game proposed in 3.2.3 has a non-negligible advantage $\epsilon >0$ to win the game, and $\vartheta$ can perform any private key query, but a limitation exists that obtained private keys still do not satisfy the requirements in the access structure. Therefore, the secure game of the multi-authority scheme is equivalent to the secure game of the single authority scheme under this constraint. We could challenge the DDH assumption by building a simulator $\mathcal{B}$.

(1)

Initialization

Adversary $\vartheta$ sends the DDH challenge to simulator $\mathcal{B}$ and selects the access structure $\left({\Lambda }^{*},\rho \right)$ for attacking.

(2)

Setup

Simulator $\mathcal{B}$ runs the authority initialization and selects two random numbers $k_i,y_i\in Z_r$ and exposes the public key $P{K}_i=\left\{k_{i}G, y_{i}G\right\}$ for each attribute $i$ in the system.

(3)

Phase 1

Adversary $\vartheta$ adaptively submits pairs $\left(i,GID\right)$ to $\mathcal{B}$ to request the corresponding secret key. However, there is a limitation that all obtained secret keys cannot satisfy the requirements in the access structure. Then, $\mathcal{B}$ chooses a random $z\in Z_r$ and computes $S{K}_{i,GID}$ SK as the secret key of $i$ with $\mathrm{GID}$.

$$S{K}_{i,GID}=\left\{\begin{array}{c}US{K}_{i,GID}=y_{i}a+H\left(GID\right)k_i+z, if i\in normal attrs\hfill \\ TS{K}_{i,GID}=y_{i}a+H\left(GID\right)\left(k_i+t_i\right)+z, if i\in time attrs\hfill \\ LS{K}_{i,GID}=y_{i}a+H\left(GID\right)\left(k_i+l_i\right)+z, if i\in location attrs\hfill \end{array}\right.$$

(4)

Challenge

Adversary $\vartheta$ selects two messages $M_0$, $M_1$ with equal length and sends them to simulator $\mathcal{B}$. Simulator $\mathcal{B}$ randomly selects a vector $\overrightarrow{v}=\left(s,v_2,\dots ,v_m\right)\in Z_p$ and calculates ${\lambda }_x={\Lambda }^{*}{}_x\cdot \overrightarrow{v}$, where ${\Lambda }_x{}^{*}$ is the row $x$ of matrix ${\Lambda }^{*}$. Then, $\mathcal{B}$ selects a random vector $\overrightarrow{u}=\left(0,u_2,\dots ,u_m\right)\in Z_p$ and calculates ${\omega }_x={\Lambda }^{*}{}_x\cdot \overrightarrow{u}$. Simulator $\mathcal{B}$ then obtains $\beta \in \left\{0,1\right\}$ by flipping a coin and calculates $C_0=M_{\beta }+sG$. Finally, simulator $\mathcal{B}$ generates a challenge cipher text according to the scheme and sends it to adversary $\vartheta$.

$$\left(C_{1,x}={\lambda }_{x}G+{\gamma }_x{y}_{\rho \left(x\right)}Z,C_{2,x}={\gamma }_{x}bG,C_{3,x}=\left\{\begin{array}{c}{\omega }_{x}G+{\gamma }_x{k}_{\rho \left(x\right)}bG\hfill \\ {\omega }_{x}G+{\gamma }_x\left(k_{\rho \left(x\right)}+t_{\rho \left(x\right)}\right)bG\hfill \\ {\omega }_{x}G+{\gamma }_x\left(k_{\rho \left(x\right)}+l_{\rho \left(x\right)}\right)bG\hfill \end{array}\right.\right)$$

(5)

Phase 2

Adversary $\vartheta$ can continue submitting $\left(i,GID\right)$ to simulator $\mathcal{B}$ for the secret key corresponding to $i$ without violating the constraints defined in Phase 1.

(6)

Guess

Adversary $\vartheta$ submits a guess value ${\beta }^{\prime }\in \left\{0,1\right\}$. If ${\beta }^{\prime }=\beta$, simulator $\mathcal{B}$ outputs 0 to indicate that the guess result is $Z=abG$, which means adversary $\vartheta$ has won the game; otherwise, simulator $\mathcal{B}$ outputs 1 to indicate that the guess is $Z=R$. The advantage of attacker $A$ is $\epsilon$, as defined in Theorem 1. Therefore, the probability that adversary $\vartheta$ guesses $\beta$ correctly in this case is $Pr\left[\mathcal{B}\left(G,aG,bG,Z=abG\right)=0\right]=\frac{1}{2}+\epsilon$. If $Z=R$, adversary $\vartheta$ is not able to obtain any valuable information about $\beta$ since $R$ is selected at random. Therefore, the probability that adversary $\vartheta$ is correct about guessing $\beta$ is $Pr\left[\mathcal{B}\left(G,aG,bG,Z=R\right)=0\right]=\frac{1}{2}$ in this case. The advantage of simulator $\mathcal{B}$ to solve this security problem is

$$\begin{array}{c}\mathcal{B}=\frac{1}{2}(Pr\left[\mathcal{B}\left(G,aG,bG,Z=abG\right)=0\right]\hfill \\ +Pr\left[\mathcal{B}\left(G,aG,bG,Z=R\right)=0\right])-\frac{1}{2}\hfill \\ =\frac{1}{2} \left(\frac{1}{2}+\epsilon +\frac{1}{2}\right)-\frac{1}{2}=\frac{\epsilon }{2}\hfill \end{array}$$

In the hypothesis, the advantage $\epsilon$ of adversary $\vartheta$ is not negligible, so the advantage $\frac{\epsilon }{2}$ of simulator $\mathcal{B}$ is also not negligible. However, there is no algorithm that can solve DDH difficult problems with a non-negligible advantage in polynomial time, so there is no adversary that can break the proposed scheme with a non-negligible advantage in polynomial time. Therefore, the proposed scheme satisfies the selective plain text security under the DDH assumption.

5.1. Data Security

In this paper, the ECC algorithm based on ECDLP can ensure that users without corresponding attributes cannot obtain any information about their secret key $\left\{y_i,k_i,t_i,l_i\right\}$ from the corresponding public key $\left\{y_{i}G,k_{i}G,t_{i}G,l_{i}G\right\}$ in polynomial time. The data $M$ are encrypted through the symmetric key $ck$, which is implied in the cipher text $C_0$. Assuming the symmetric key $ck$ can be mapped to $cG$, where $c\in Z_r$, as $s$ is randomly selected by the data owner, $C_0=\left(c+s\right)G$ is a random point on the elliptic curve. The adversary is unable to obtain any valuable information about $ck$ and $M$ according to the ECDLP. In addition, $s$ is a shared secret divided by ${\lambda }_x$ and can only be recovered with enough parts, so the cipher text can only be decrypted if the access structure $\left(\Lambda ,\rho \right)$ is satisfied with the data user’s attributes. Any invalid user who does not have an attribute declared by the access policy does not have the attribute corresponding to row of ${\Lambda }_x$ making ${\sum }_{x\in X}{c}_x{\Lambda }_x=\epsilon =\left(1,0,\dots ,0\right)$, so the first element $s$ of vector $\overrightarrow{v}$ cannot be calculated. Therefore, the proposed scheme can ensure the security of the data.

5.2. Forward Safety

Forward security ensures that the revoked user cannot access the data again. The proposed scheme uses $GID$ to identify the data user and saves his attributes by the attribute list. When a user is revoked, the authority only needs to delete the attributes from the list corresponding to $GID$. When the revoked user tries to decrypt the data, the authority rejects his request because his $GID$ is not in the system, and the authority cannot determine whether the user has the attributes according to the attribute list. To revoke a user’s attributes, the authority can simply modify his attributes list. The decryption request is also rejected because the declared attributes are not in the list. Therefore, forward security is guaranteed in this scheme.

5.3. Collusion Attack

To ensure the security of data, the proposed scheme must be able to resist collusion attacks. In other words, if multiple users collude with each other, they cannot decrypt the cipher text unless at least one of them can decrypt the cipher text independently. In the stage of key generation, the scheme uses $GID$ to associate the attributes with the corresponding user so that the attributes cannot be combined successfully with other attributes during the decryption stage. For example, Alice intends to collude with Bob to decrypt the cipher text under the access policy $A\wedge B\wedge \left(C\vee D\right)$. Alice only owns properties A and B, and Bob only owns C. It is obvious that neither of them can decrypt the cipher text independently. If they collude with each other, Alice can only obtain part of the pre-decryption cipher text of $x$ from the edge IoT agent: ${\lambda }_{x}G+H\left(GI{D}_{Alice}\right){\omega }_{x}G+z{\gamma }_{x}G$. Bob can only get part of the cipher text ${\lambda }_{x}G+H\left(GI{D}_{Bob}\right){\omega }_{x}G+z{\gamma }_{x}G$ as well. As the users are unique in the system, which means $GI{D}_{Alice}\ne GI{D}_{Bob}$, Alice and Bob cannot collude to obtain ${\{c_x\in Z_r\}}_{x\in X}$ and make ${\sum }_{x\in X}{c}_x{\Lambda }_x=\epsilon =\left(1,0,\dots ,0\right)$ workable. In this way, collusion attack resistance is realized in the proposed scheme.

6. Performance Analysis

In this section, a detailed comparative analysis of the overhead of computation and cryptographic operations between the previous and proposed schemes is presented, which can evaluate the efficiency and security of the proposed CP-ABE scheme. First, we compare and depict the security and system features of the schemes in

Table 2. Comparison of the schemes.

Scheme	Access Structure	Pairing Free	Multi-Authority	Time and Location	Decryption Outsourcing	Environment
Odelu [18]	AND GATE	Yes	No	No	No
Yao [20]	access tree	Yes	No	No	No	Cloud
Ding [23]	linear secret sharing scheme (LSSS)	Yes	No	No	No	Cloud
Junejo [25]	AND GATE	Yes	No	No	Yes	Fog + Cloud
Our scheme	LSSS	Yes	Yes	Yes	Yes	Edge + Cloud

.

It can be observed from Table 2 that the schemes are all pairing free and ECC based, [18,20,25] adopt access tree and gate access which is less insufficient than LSSS to handle the fine-grained access control. The scheme proposed by Ding [23] and our scheme both adopt the LSSS access strategy, which has rich and flexible expression ability and meets the needs of fine-grained access control in the practical application of the IoT system. However, Ding’s scheme does not support multi-authority and is not capable of decryption outsourcing. The scheme proposed by [25] realizes an ECC-based attribute encryption scheme based on the fog environment. However, in the IoT environment, the constraints of access time and location also need to be taken into consideration. Our scheme is more suitable for resource-constrained power IoT by using edge computing technology to implement outsourcing encryption and decryption. Obviously, the system performance of our scheme in this chapter is better than that of the other four schemes.

The communication overhead depends on the length of the message that is being transmitted between the entities. And generally, this message consists of the ciphertext, public keys and private keys. Therefore, we compared with other CP-ABE schemes by using the size of the ciphertext, public and private keys. For the sake of comparison, it is assumed that all the schemes to be compared are at the same security level and the unit of comparison is considered as ECC based 160-bit, given by $\left|G\right|$. Consequently, the size of the point on 160-bit ECC is 2$\left|G\right|$. It is assumed for the sake of simplicity, that the length of the attribute set and the tree is $\left|G\right|$. Thus, the size of the ECC based public key is 2$\left|G\right|$ and the size of the private key is given by $\left|G\right|$ the communication overhead comparison is presented in

Table 3. Communication of computation overhead of the schemes.

Scheme	Ciphertext(Bits)	Public Key(Bits)	Private Key(Bits)
Odelu [18]	$\left(Na-\left|\Lambda \right|+3\right)\left|G\right|$	$\left(3Na+1\right)\left|G\right|$	$2\ast \left|G\right|$
Yao [20]	$\left(2Nr+2\right)\left|G\right|$	$\left(2Na+2\right)\left|G\right|$	$\left(Nr+1\right)\left|G\right|$
Ding [23]	$\left(2Nr+1\right)\left|G\right|$	$\left(2Na+2\right)\left|G\right|$	$\left(\left|\Lambda \right|\right)\left|G\right|$
Junejo [25]	$\left(Na-\left|\Lambda \right|+2\right)\left|G\right|$	$\left(Na+1\right)\left|G\right|$	$1\ast \left|G\right|$
Our scheme	$\left(3Nr+1\right)\left|G\right|$	$\left(2Na+2\right)\left|G\right|$	$\left(\left|\Lambda \right|\right)\left|G\right|$

Note: $Nr$: Number of rows in access matrix $\Lambda$, $Na$: Total number of attributes in the system, $Da$: Minimum number of attributes satisfying the access policy, $\left|\Lambda \right|$: number of attributes in the access policy, $\left|G\right|$: represents 160 bits considered as unit of measurement.

.

Compared with other schemes, the data user and edge agent in our scheme needs the attribute authority’s help to complete the decryption as the secret key is implicitly maintained in the attribute authority. It seems that our scheme increases the communication cost. However, most of the communication work is done by the edge agent and $A{A}_i$, and IoT terminals only need to save a private key of $\left|G\right|$. In addition, authority can just modify the attribute list of the one to be revoked to complete the attribute revocation without affecting others in the system. Therefore, our scheme reduces the communication pressure of the IoT terminals in fact.

The computational overhead of the schemes is mainly concentrated in the following three stages: encryption, pre-decryption, and local decryption. To compare our scheme with other schemes in terms of computational overhead, we consider scalar multiplication based on ECC as a unit of measurement. The comparison of computation overhead of the schemes is described in

Table 4. Comparison of computation overhead of the schemes.

Scheme	Encryption	Pre-Decryption	Local Decryption
Odelu [18]	$\left(Na-\left|\Lambda \right|+2\right)G$	\	$\left(Na-\left|\Lambda \right|+3\right)G$
Yao [20]	$\left(Nr+1\right)G$	\	$\left(Da+1\right)G$
Ding [23]	$\left(3Nr+1\right)G$	\	$\left(Da+1\right)G$
Junejo [25]	$\left(Na-\left|\Lambda \right|+1\right)G$	\	$\left(Na-\left|\Lambda \right|+2\right)G$
Our scheme	$\left(4Nr+1\right)G$	$(Da+1)G$	$\left(1\right)G$

Note: $Nr$: Number of rows in access matrix $\Lambda$, $Na$: Total number of attributes in the system, $Da$: Minimum number of attributes satisfying the access policy, $\left|\Lambda \right|$: number of attributes in the access policy, $G$: scalar multiplication based on ECC.

.

Table 4 shows the computational overhead of several schemes in the process of encryption and decryption. It can be concluded that [18] and [25] cost the least in encryption and decryption, as their computational overhead is independent of the number of attributes. However, the overhead is proportional to the difference between the number of attributes used in the access policy and the total number of attributes defined in the system. To decrease the computational overhead of encryption and decryption, the access policy needs to be quite complicated. Scheme [20] seems to have a higher encryption efficiency than our scheme because it uses the KP-ABE scheme, the devices encrypt the data by the required set of attributes, and the fine-grained access policy cannot be set. Scheme [23] also uses the LSSS structure and ECC algorithm. We take the time and location attributes into consideration in the encryption process, so we need to perform an extra scalar multiplication for the time and location attributes. To show the efficiency of the two schemes more intuitively, we conducted a simulation experiment on Ubuntu 18.04 x64, where the server is an Intel Xeon E3 at 3.4 GHz and 8 GB RAM. We used Python and Charm libraries, which provide simple scalar multiplication on groups of elliptic curves, to program the test routine. The size of the elliptic curve used was 512 bits, and the order of the elliptic curve group was 160 bits. We implemented [23] and our scheme and recorded the time spent on encryption and decryption in the case of different numbers of attributes. The results illustrated in the following diagrams are the average values of 50 program iterations.

Figure 2 shows that scheme [23] is superior to our scheme in terms of execution time of encryption because we take the time and location attributes into consideration, making access control more fine-grained. The encryption of the time and location attributes costs a few scalar multiplication operations. However, the decryption time of our scheme has no obvious linear relationship with the number of attributes, as we outsource most of the decryption operations to the edge IoT agent, which has powerful computing capacity, so the local decryption only needs to calculate the scalar multiplication operation one time, which greatly reduces the computing overhead of the power terminals. Moreover, in the scenario of power IoT, the terminals are generally set up to upload the data regularly, while users acquire data on demand. Therefore, users or terminals have much higher requirements for decryption performance than encryption performance. In conclusion, the scheme proposed in this paper can effectively improve the performance of the CP-ABE algorithm and is more suitable for power IoT.

7. Conclusions

In this paper, we propose a novel CP-ABE algorithm based on ECC combined with edge computing. The scheme considers the dynamic time and location attributes for fine-grained access control and outsources most computing to the edge IoT agent. The security of the proposed scheme is also proven under the DHH assumption. To avoid the problems of a single authority and key escrow, multiple authorities are used to manage the attributes. In addition, we restrict the access of the cipher text by the time and location of data users to achieve more fine-grained access control. Finally, the experimental analysis proves that our scheme is effective and suitable for the power IoT.

However, there are also some limits in our scheme. The calculation of ciphertext and key has linear relationship with the number of attributes, that is, the length of the ciphertext and key will increase with the number of attributes of the user and access structure, which causes the system less efficient. In the future, we are planning to enhance the performance of the proposed CP-ABE scheme with the constant-size key and ciphertext.