1936 IEEE INTERNET OF THINGS JOURNAL, VOL. 4, NO. 6, DECEMBER 2017
outsourced decryption from CPA-secure ABE with outsourced
decryption, respectively.
Green and Ateniese [29] proposed a PRE in identity-based
encryption (IBE) scheme, in which the CTs can be transformed
from one identity to another. Canetti and Hohenberger [30]
proposed a definition of security against chosen CT attacks
for PRE schemes. An IBE PRE scheme was proposed in [31]
without random oracles. In [32], the first unidirectional PRE
scheme was proposed with chosen-CT security in the standard
model. Chow et al. [33] scheme gained high efficiency and
CCA security using the “token-controlled encryption” tech-
nique. Wang et al. [34] realized an identity-based PRE scheme
that can achieve IND-CCA2 secure. In contrast with requiring
users to be online all the time, a time-based PRE (Time-PRE)
scheme was presented in [35] to revoke a user’s access right
automatically after a predetermined period of time. In [36], the
PRE was proved to be useful as a method of adding access
control to the SFS read-only file system. This scheme also
achieves a stronger notion of security.
III. P
RELIMINARIES
A. Bilinear Maps
Let G
0
and G
1
be two multiplicative cyclic groups of prime
order p and g be the generator of G
0
. The bilinear map e is,
e : G
0
× G
0
→ G
1
, for all a, b ∈ Z
p
.
1) Bilinearity: ∀u, v ∈ G
1
, e(u
a
, v
b
) = e(u, v)
ab
.
2) Nondegeneracy: e(g, g) = 1.
3) Symmetric: e(g
a
, g
b
) = e(g, g)
ab
= e(g
b
, g
a
).
B. Discrete Logarithm Problem
Let G be a multiplicative cyclic group of prime order p and
g be its generator. Given a tuple <g, g
x
>, where g ∈
R
G and
x ∈ Z
P
are chosen as input uniformly at random, the discrete
logarithm (DL) problem is to recover x.
Definition 1: The DL assumption holds in G is that no
probabilistic polynomial-time algorithm A can solve the DL
problem with negligible advantage. We define the advantage
of A as follows:
Pr
A < g, g
x
>= x
.
The probability is over the generator g, randomly chosen x,
and the random bits consumed by A.
C. Structure in Ciphertext-Policy Attribute-Based Encryption
Definition 2: Let P ={P
1
, P
2
,...,P
n
} be a set of partic-
ipants, let U = 2
{P
1
,P
2
,...,P
n
}
be the universal set. If ∃AS ⊆
U\{∅}, then AS can be viewed as an access structure. If
A ∈ AS, ∀B ∈ U, A ⊆ B, and B ∈ AS, AS is considered as
a monotonic AS. Then the sets in AS are defined as authorized
sets, while the other sets are regarded as unauthorized sets.
To achieve fine-grained access control, we utilize the CT
policy ABE scheme. For ease of partition, we adopt the
Bethencourt’s scheme in [12], in which the AS is illustrated
by an access tree.
Let T be an access tree, and the root node is denoted by
R. All the leaves represent the attributes, while the interior
nodes represent the threshold gates, described by its children
and a threshold value, such as AND (n of n), OR (1 of n),
and n of m (m > n).
At the beginning of the encryption, we randomly choose
a secret s and conduct a polynomial for each node from top
to bottom, while the decryption order is reverse.
Additionally, some functions are necessary to be introduced.
We use parent(x) to get the parent of the node x. The func-
tion att(x) is used only if x is a leaf node and returns the
attribute associated with the leaf node x in the tree. The func-
tion index(x) returns the number associated with the node x,
where the index values are uniquely assigned to nodes in
the tree.
To retrieve the secret, we define the Lagrange coefficient
i,S
as follows.
For i ∈ Z
p
, and for ∀x ∈ S
i,S(x)
=
j∈S,j=i
x − j
i − j
.
D. (t, n) Threshold Secret Sharing
Secret sharing scheme is used for sharing a secret among
a group of parties, each of whom only obtain a piece of the
secret (namely a share of the secret). No single party can infer
any information about the secret with its own share. The only
way to reconstruct the secret is to combine a certain number
of shares.
The most basic secret sharing scheme is (t, n) threshold
scheme, which was first proposed by Shamir [37]. In his
scheme, a secret divided into n parts can be recovered only if
at least t parts are collected. This idea has already been used
to implement the tree-AS.
IV. D
EFINITIONS
A. Definition of System Model
Our system consists of four entities, namely DO, CS,
attribute authority (AA), and data requester/receiver (DR).
Both DOs and DRs are users.
1) Data Owners (DO): DO decide the access policy and
encrypt the data with CP-ABE. The encrypted data will be
uploaded to the CSs. DO are assumed to be honest in the
system.
2) Data Requester/Receivers (DRs): DR sends the decryp-
tion request to cloud and obtain the CTs over the Internet.
Only when their attributes satisfy the access policies of the
CT, can they get access to the plaintexts. DRs may collude to
access the data that is otherwise not accessible individually.
3) Cloud Servers (CSs): CSs are responsible for storing
a massive volume of data. They cannot be trusted by DO.
Hence, it is necessary for DO to define the access policy to
ensure the data confidentiality. CSs are assumed not to collude
with DR.
4) Attribute Authority (AA): AA is responsible for regis-
tering users, evaluating their attributes and generating their
SK accordingly. It runs the Setup algorithm, and issues public
key (PK) and master key (MK) to each DO. It is considered
as fully trusted.