Home | About | Journals | Submit | Contact Us | Français |

**|**Sensors (Basel)**|**v.17(7); 2017 July**|**PMC5551097

Formats

Article sections

- Abstract
- 1. Introduction
- 2. Preliminaries
- 3. System Model and Framework
- 4. VO-MAACS: Verifiable Outsourced Multi-Authority Access Control Scheme
- 5. Analysis of Our Scheme
- 6. Conclusions
- References

Authors

Related links

Sensors (Basel). 2017 July; 17(7): 1695.

Published online 2017 July 24. doi: 10.3390/s17071695

PMCID: PMC5551097

Received 2017 May 31; Accepted 2017 July 21.

Copyright © 2017 by the authors.

Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

With the rapid development of big data and Internet of things (IOT), the number of networking devices and data volume are increasing dramatically. Fog computing, which extends cloud computing to the edge of the network can effectively solve the bottleneck problems of data transmission and data storage. However, security and privacy challenges are also arising in the fog-cloud computing environment. Ciphertext-policy attribute-based encryption (CP-ABE) can be adopted to realize data access control in fog-cloud computing systems. In this paper, we propose a verifiable outsourced multi-authority access control scheme, named VO-MAACS. In our construction, most encryption and decryption computations are outsourced to fog devices and the computation results can be verified by using our verification method. Meanwhile, to address the revocation issue, we design an efficient user and attribute revocation method for it. Finally, analysis and simulation results show that our scheme is both secure and highly efficient.

Recently, fog computing has drawn a great deal of attention. It is a quite novel computing paradigm that extends cloud computing facilities and services to the edge of the network to provide computing, networking, and storage services between end devices and data centers [1,2]. Fog computing devices are located between endpoints and the traditional cloud, thus resources and services are available and are closer to the end-users, and the delays induced by service deployments can be reduced [3,4]. Compared with the cloud computing concept, which is more centralized, fog computing provides resources and services in a distributed way. Combined with the traditional cloud, faster and more convenient computing services are provided to nearby devices based on their own computing, storage and network capacity [5]. Since fog devices are localized, it provides low-latency communication and more context awareness [6]. With all these advantages, the fog computing paradigm is well positioned for big data and real time analytics.

Fog computing is a quite novel computing paradigm that aims at moving the cloud computing (CC) facilities and services to the access network, in order to reduce the delays induced by service deployments. Although big data and the Internet of things (IOT) still rely on cloud computing, as the number of networking devices and data volume are increasing dramatically, fog-cloud computing can effectively solve the bottleneck problem of data transmission and data storage. However, since fog devices are located at the edge of the network and are of much lower cost than cloud servers, they are more easily compromised and have lower trustworthiness [7,8], especially in the process of data sharing. Therefore, secure and efficient access control schemes in fog-cloud computing environment need to be implemented [9,10]. Compared with traditional data access control schemes in cloud computing, the network structures and system models in the fog-cloud computing environment are different. Fog devices can provide computing, networking, and storage services for users, such that less communication and computational cost is left for users to do, therefore, cloud, fog and end-users should be considered in the new access control scheme.

Ciphertext-policy attribute-based encryption (CP-ABE) [11] is regarded as one of the most suitable technologies to realize fine-grained access control. This technique allows data owners to implement access control by setting up access structures. Compared with single-authority CP-ABE schemes, in multi-authority CP-ABE schemes, attributes are from different domains and managed by different authorities. Moreover, it does not have the single point of failure and system bottleneck problem, which makes multi-authority CP-ABE schemes more practical for data access control in the fog-cloud computing environment.

However, the processes of encryption and decryption in CP-ABE systems are time-consuming. The computation for data owners and users is a great overhead. To outsource part of the encryption and decryption computation to a cloud server is a solution. However, the server may be “lazy”. It may not follow the algorithm, and only execute part of the computations or deliberately return incorrect results. Therefore, a verification method of the outsourced encryption and decryption needs to be proposed. Besides, user and attribute revocation is another issue in CP-ABE systems. On the one hand, the users in the system may change frequently, and on the other hand, the attributes of users may also change, and revocation of any attribute may affect other users who share the same attribute. However, most existing schemes cannot support flexible and efficient user and attribute revocation in multi-authority cloud storage systems. The key update and ciphertext re-encryption operations are time-consuming. Therefore, verifiable outsourced multi-authority CP-ABE schemes with efficient and flexible user and attribute revocation need to be proposed.

In 2007, Bethencourt et al. [11] put forward the first CP-ABE scheme. Over the last decade, many CP-ABE schemes [12,13,14,15,16,17] were proposed. However, most of them are time-consuming and lack efficiency. To improve the efficiency and reduce the overhead of users, several schemes which support outsourced computation and revocation are proposed:

Green et al. [18] proposed an outsourcing decryption ABE scheme. In their scheme, the traditional private keys are divided into user keys and transformation keys. Thus, complex decryption computations are outsourced to the cloud server, and users only need one exponentiation operation to recover the plaintext. However, their scheme cannot be applied to multi-authority systems. Based on this method, Yang et al. [19,20] put forward two multi-authority CP-ABE schemes which support outsourced decryption. Li et al. [21] also proposed an outsourced ABE scheme which supports both outsourced key-issuing and decryption. However, they did not consider the correctness of results from the cloud server.

To solve this problem, Lai et al. [22] introduced the verifiability of ABE and proposed a verifiable outsourced decryption ABE scheme. But in their scheme, both the length of the ciphertext and the computational of encryption are doubled. Later, Li et al. [23] presented an outsourcing ABE scheme with checkability which supports both outsourced key-issuing and decryption. However, the length of ciphertext and the amount of expensive pairing computations grow with the number of attributes.

To address this problem, two ABE schemes [24,25] in which the length of ciphertext is constant are put forward. However their constructions cannot be applied to ABE schemes with Linear Secret Sharing Schemes (LSSS). Mao et al. [26] proposed a generic construct of attribute-based encryption with verifiable outsourced decryption. Their CPA-secure construct has more compact ciphertext and less computational costs. Users only need a constant number of simple computations to decrypt the ciphertext.

Ostrovsky et al. [27] first proposed a fine-grained user revocation scheme based on CP-ABE that supports negative clauses. With the help of a semi-trusted service provider, Ibraimi et al. [28] put forward a CP-ABE scheme which achieved immediate attribute revocation for the first time, but their construct cannot be applied to an outsourcing environment. Yu et al. [29] presented a CP-ABE scheme where proxy encryption technology was introduced. The scheme achieves immediate attribute revocation, at the same time, the proxy server also share the authority job, hoowever, the proxy server needs to be online all the time. Another CP-ABE scheme with fine-grained attribute revocation was put forward by Hur et al. [30]. They use attribute group keys to re-encrypt the ciphertext, but their scheme cannot prevent collusion attacks. Another revocable CP-ABE scheme was proposed by Xie et al. [31]. In their scheme, the key update computations are greatly reduced. Later, Yang et al. [32] put forward a proxy-assisted CP-ABE scheme which provides efficient cloud data sharing and user revocation.

In this paper, we propose a verifiable outsourced multi-authority access control scheme, named VO-MAACS. In our construct, most of the encryption and decryption computation is outsourced to fog devices and the computation results can be verified by using our verification method. Meanwhile, to address the revocation issue, we design an efficient user and attribute revocation method for it. Our contributions can be summarized as follows:

- (1)We propose the verifiable outsourced multi-authority access control scheme (VO-MAACS), which is secure against collusion attacks. Most of the encryption and decryption computation is outsourced to fog devices, which greatly reduces the computation on the user side.
- (2)We provide a verification method for the outsourced encryption and decryption. If a fog device returns incorrect results, users can notice it immediately by running the corresponding verification algorithm.
- (3)We design an efficient user and attribute revocation method for our scheme. During the process of attribute revocation, most of the update and re-encryption operations are outsourced to the cloud server, and only a few components which are associated with the revoked attribute need to be updated, while the other components are not changed.
- (4)We provide a security and performance analysis of our scheme, which shows that our scheme is both secure and highly efficient.

The remainder of this paper is organized as follows: we first give some preliminaries in Section 2. Then, we give the definition of the system model and framework in Section 3. In Section 4, we propose our VO-MAACS construct. Section 5 describes the security and performance analysis of our scheme. Finally, the conclusions are given in Section 6.

In this section, some fundamental background used in this paper is provided, including bilinear maps, access structure and linear secret sharing scheme (LSSS).

*Let*
${\mathbb{G}}_{1}$, ${\mathbb{G}}_{2}$
*and*
${\mathbb{G}}_{T}$
*be three cyclic groups of prime order*
$p$. *A bilinear map is a map*
$e:{\mathbb{G}}_{1}\times {\mathbb{G}}_{2}\to {\mathbb{G}}_{T}$
*with the following properties:*

*(1)*Bilinearity: for all ${g}_{1}\in {\mathbb{G}}_{1}$, ${g}_{2}\in {\mathbb{G}}_{2}$ and $a,b\in {\mathbb{Z}}_{p}$, $e({g}_{1}^{a},{g}_{2}^{b})=e{({g}_{1},{g}_{2})}^{ab}$.*(2)*Non-degeneracy: there exists ${g}_{1}\in {\mathbb{G}}_{1}$, ${g}_{2}\in {\mathbb{G}}_{2}$ such that $e({g}_{1},{g}_{2})=1$.*(3)*Computability: there is an efficient algorithm to compute $e({g}_{1},{g}_{2})$ for any ${g}_{1}\in {\mathbb{G}}_{1}$ and ${g}_{2}\in {\mathbb{G}}_{2}$.

*Let*
$\{{P}_{1},{P}_{2},\cdots ,{P}_{n}\}$
*be a set of parties. A collection*
$\mathbb{A}\subseteq {2}^{\{{P}_{1},{P}_{2},\cdots ,{P}_{n}\}}$
*is monotone if*
$\forall B,C$*: if*
$B\in \mathbb{A}$
*and*
$B\subseteq C$
*then*
$C\in \mathbb{A}$*. An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection)*
$\mathbb{A}$
*of non-empty subsets of*
$\{{P}_{1},{P}_{2},\cdots ,{P}_{n}\}$*, i.e.,*
$\mathbb{A}\subseteq {2}^{\{{P}_{1},{P}_{2},\cdots ,{P}_{n}\}}\backslash \{\varphi \}$*. The sets in*
$\mathbb{A}$
*are called the authorized sets, and the sets not in*
$\mathbb{A}$
*are called the unauthorized sets.*

*We recall the description of LSSS as follows [33]. Let*
$\Pi $
*be a secret sharing scheme over a set of parties*
$\mathcal{P}$
*with realizing an access structure*
$\mathbb{A}$. *We say that*
$\Pi $
*is a linear secret sharing scheme over*
${\mathbb{Z}}_{p}$
*if:*

*(1)*The piece for each party forms a vector over ${\mathbb{Z}}_{p}$.*(2)**During the generation of the pieces, the dealer chooses independent random variables, denoted*${r}_{2},\cdots ,{r}_{n}$, each one distributed uniformly over ${\mathbb{Z}}_{p}$.*Each coordinate of the piece of every party is a linear combination of*${r}_{2},\cdots ,{r}_{n}$*and the secret*$s$.*That is, let*$M$*denotes a matrix with*$l$*rows and*$n$*columns. For the vector*${\overrightarrow{v}}^{T}=(s,{r}_{2},\cdots ,{r}_{n})$*and any authorized set, there exist constants*${\{{w}_{i}\in {\mathbb{Z}}_{p}\}}_{i\in I}$*such that, if*$\left\{{\lambda}_{i}\right\}$*are valid shares of any secret*$s$*according to*$\Pi $,*then*$\sum _{i\in I}{w}_{i}{\lambda}_{i}}=s$,*where*${\lambda}_{i}={(M\overrightarrow{v})}_{i}$*and*$I\subset \{1,2,\cdots ,l\}$.

In this section, the system model and framework of our scheme are described.

A simple three level hierarchy is adopted in our fog-cloud system as illustrated in Figure 1. In this framework, each terminal device is connected to a nearby fog device. Fog devices are interconnected and each of them is linked to the cloud.

In general, a layer of fog is added between the cloud server and terminal devices so that some computations on the cloud server can be delegated to the fog devices which are closer to the terminal devices. Thus, different tasks from different regions can be executed by the corresponding fog devices simultaneously, which greatly improves the efficiency. Fog devices are responsible for data transmission and data storage. Moreover, they are also in charge of part of the encryption and decryption computations. The cloud server is responsible for storing the ciphertext and the user proxy keys, as well as the ciphertext re-encryption operations and user proxy keys update operations when revocation occurs.

Our multi-authority fog-cloud system consists of six entities: a cloud service provider (CSP), fog devices (FDs), a global certificate authority (CA), attribute authorities (AAs), data owners (DOs) and data users (DUs), as shown in Figure 2.

CA is a fully trusted global certificate authority in the system. It accepts the registration of all AAs and DUs in the system, and it is responsible for issuing a global unique identity $uid$ for each DU and a unique identity $aid$ for each AA. However, it does not participate in any attribute management and any generation of secret keys associated with attributes.

Each AA is an independent attribute authority that is responsible for issuing, revoking and updating users’ attributes within its administration domain. In our scheme, each AA is responsible for generating a public attribute key $P{K}_{x}$ for each attribute it manages and a user private key which consists of user proxy key $PxK$ and user secret key $SK$ for each DU. Especially, $PxK$ is stored at CSP and $SK$ is kept by DU.

DOs define access control policies over attributes from multiple attribute authorities and then encrypts the data following those policies. After that, they upload the encrypted data to the CSP.

The CSP is responsible for storing the ciphertext and the user proxy keys, and provides data access service to DUs. It is also in charge of the ciphertext re-encryption operations and user proxy key update operations when revocation occurs.

FDs are responsible for data transmission and data storage. Moreover, they are also in charge of part of the encryption and decryption computations. They can help generate part of the ciphertext for DOs, as well as decrypt part of the ciphertext for DUs. Only for those DUs whose attributes satisfy the access policy will FDs decrypt the ciphertext with their proxy keys. After that, they send the partially decrypted data to the corresponding DUs.

DUs can request their secret keys from the relevant authorities. After downloading any encrypted data from the CSP, a DU first asks a FD to decrypt it with his proxy key. If the attribute set of the DU meets the access policy, then the FD decrypts the ciphertext and sends the partially decrypted data to the DU. Upon receiving the partially decrypted data from the FD, the DU can recover the data with his secret key.

In our multi-authority fog-cloud system, we assume that the CA is fully trusted in the system. Each AA is also trusted, but it can be corrupted by an adversary. The CSP and FDs are semi-trusted. They may leak the encrypted data to some malicious users, but will execute the tasks assigned by each authority. DUs are assumed dishonest and may collude to obtain unauthorized access to data.

** Global Setup**
$(\lambda ,U)\to \{GP,uid,aid\}$.

** Authority Setup**
$(aid)\to \{P{K}_{aid},S{K}_{aid},{\left\{P{K}_{{x}_{k}}\right\}}_{aid\in {I}_{A}}\}$

** Encrypt_out**
$(GP,{\left\{P{K}_{{x}_{k}}\right\}}_{aid\in {I}_{A}})\to C{T}_{out}$

** Verify_enc**
$(GP,C{T}_{out})\to b$

** Encrypt_user**
$(GP,P{K}_{aid},{\left\{P{K}_{{x}_{k}}\right\}}_{aid\in {I}_{A}},C{T}_{out},M,(\mathbb{A},\rho ))\to CT$

** KeyGen**
$(GP,uid,{S}_{uid,aid},S{K}_{aid},{\left\{P{K}_{{x}_{k}}\right\}}_{aid\in {I}_{A}})\to \left\{Px{K}_{uid,aid},S{K}_{uid}\right\}$

** Decrypt_out**
$(GP,CT,Px{K}_{uid,aid},{\left\{P{K}_{{x}_{k}}\right\}}_{aid\in {I}_{A}})\to C{T}^{\prime}$

** Verify_dec**
$(GP,CT,C{T}^{\prime})\to b$

** Decrypt_user**
$(CT,C{T}^{\prime},S{K}_{uid})\to M$.

** URev**
$(uid,{L}_{PxK})\to {{L}^{\prime}}_{PxK}$

** ReKeyUpdate**
$(uid,Px{K}_{uid,aid},{v}_{{\tilde{x}}_{k}})\to \{VU{K}_{{\tilde{x}}_{k}},PxU{K}_{{\tilde{x}}_{k}}\}$

** CTUpdate**
$(VU{K}_{{\tilde{x}}_{k}},C{T}_{out})\to \left\{CU{K}_{{\tilde{x}}_{k}}\right\}$

** PxKUpdate**
$(uid,Px{K}_{uid,aid},PxU{K}_{{\tilde{x}}_{k}})\to Px{K}_{uid,aid}^{*}$

** ReEnc**
$(CT,CU{K}_{{\tilde{x}}_{k}})\to C{T}^{*}$

In this section, we give the concrete construction of VO-MAACS which is based on [14], together with the verification method and revocation scheme.

*Global Setup*
$(\lambda ,U)\to \{GP,uid,aid\}$. The global setup algorithm takes a security parameter $\lambda $ and a small attribute universe description $U$ as input. Let ${\mathbb{G}}_{1}$, ${\mathbb{G}}_{2}$ and ${\mathbb{G}}_{T}$ be the multiplicative groups with the same prime order $p$, and $e:{\mathbb{G}}_{1}\times {\mathbb{G}}_{2}\to {\mathbb{G}}_{T}$ be the bilinear map. Let ${g}_{1}$ be the generator of ${\mathbb{G}}_{1}$ and ${g}_{2}$ be the generator of ${\mathbb{G}}_{2}$. Let $G:{\mathbb{G}}_{T}\to {\mathbb{Z}}_{p}$ be a hash function and $H:{\left\{0,1\right\}}^{*}\to {\mathbb{Z}}_{p}$ be a hash function which maps attributes to an element in ${\mathbb{G}}_{2}$, such that the security will be modeled in the random oracle. CA then chooses a random number $a\in {\mathbb{Z}}_{p}$ and sets the global parameter as $GP=\{p,{\mathbb{G}}_{1},{\mathbb{G}}_{2},{\mathbb{G}}_{T},e,{g}_{1},{g}_{2},{g}_{2}^{a},H,G\}$. Each authority, fog device and user should register itself with the global authority during the global setup process. CA then assigns a unique global authority identity $aid$ to each legitimate authority and a unique global user identity $uid$ to each legitimate user.

*Authority Setup*
$(aid)\to \{P{K}_{aid},S{K}_{aid},{\left\{P{K}_{{x}_{k}}\right\}}_{aid\in {I}_{A}}\}$. Let ${S}_{{A}_{aid}}$ denote the set of all attributes managed by $A{A}_{aid}$ and ${I}_{A}$ denote the involved authority set. $A{A}_{aid}$ first chooses two random exponents ${\alpha}_{aid},{\beta}_{aid}\in {\mathbb{Z}}_{p}$. For each attribute ${x}_{k}\in {S}_{{A}_{aid}}$, $A{A}_{aid}$ chooses an attribute version key as $V{K}_{{x}_{k}}={v}_{{x}_{k}}$ and generates the public attribute keys as ${\left\{P{K}_{{x}_{k}}\right\}}_{aid\in {I}_{A}}={g}_{2}^{{v}_{{x}_{k}}}\xb7{g}_{2}^{H({x}_{k})}$. Then it publishes $P{K}_{aid}=e{({g}_{1},{g}_{2})}^{{\alpha}_{aid}}$ as its public key and keeps $S{K}_{aid}=\left\{{\alpha}_{aid},{\beta}_{aid}\right\}$ as its secret key.

*Encrypt_out*
$(GP,{\left\{P{K}_{{x}_{k}}\right\}}_{aid\in {I}_{A}})\to C{T}_{out}$. FD first chooses a random number ${s}^{\prime}\in {\mathbb{Z}}_{p}$ and computes ${C}_{0}={g}_{1}^{{s}^{\prime}}$. For $i\in \{1,\cdots ,l\}$, it randomly picks ${{\lambda}^{\prime}}_{i},{\gamma}^{\prime}\in {\mathbb{Z}}_{p}$ and computes:

$${C}_{i,1}={g}_{2}{}^{a{{\lambda}^{\prime}}_{i}}\xb7{({g}_{2}^{{v}_{{x}_{i}}}{g}_{2}^{H({x}_{i})})}^{-{{\gamma}^{\prime}}_{i}},{C}_{i,2}={g}_{1}^{{{\gamma}^{\prime}}_{i}},{s}^{\prime},{{\lambda}^{\prime}}_{i},{{\gamma}^{\prime}}_{i}$$

(1)

Then, it outputs the partially encrypted ciphertext $C{T}_{out}=\left\{{s}^{\prime},{C}_{0},{({C}_{i,1},{C}_{i,2},{{\lambda}^{\prime}}_{i},{{\gamma}^{\prime}}_{i})}_{i\in \{1,\cdots ,l\}}\right\}$.

*Encrypt_user*
$(GP,P{K}_{aid},{\left\{P{K}_{{x}_{k}}\right\}}_{aid\in {I}_{A}},C{T}_{out},M,(\mathbb{A},\rho ))\to CT$. Let $\mathbb{A}$ be a $l\times n$ matrix, where $l$ denotes the total number of all the attributes. The function $\rho $ maps rows of the matrix $\mathbb{A}$ to attributes. DO first chooses a random secret exponent $s\in {\mathbb{Z}}_{p}$ and a random vector $\overrightarrow{v}=\left(s,{y}_{2},\cdots ,{y}_{n}\right)\in {\mathbb{Z}}_{p}^{n}$ with $s$ as its first entry, where ${y}_{2},\cdots ,{y}_{n}$ are used to share the secret exponent $s$. For $i=1,\cdots ,l$, it computes ${\lambda}_{i}={A}_{i}\xb7\overrightarrow{v}$, where ${A}_{i}$ is the vector corresponding to the i-th row of $\mathbb{A}$. After that, it randomly chooses ${\gamma}_{1},{\gamma}_{2},\cdots ,{\gamma}_{l}\in {\mathbb{Z}}_{p}$ and computes:

$$C{T}_{user}=\left\{\begin{array}{l}C=M\xb7e{({g}_{1},{g}_{2})}^{{\displaystyle \sum _{aid\in {I}_{A}}{\alpha}_{aid}s}},\text{}{C}^{\prime}=s-{s}^{\prime},\text{}{\left({C}_{i,3}={\lambda}_{i}-{{\lambda}^{\prime}}_{i},{C}_{i,4}={\gamma}_{i}-{{\gamma}^{\prime}}_{i}\right)}_{i\in \{1,\cdots ,l\}},\\ {C}_{v}=G(e{({g}_{1},{g}_{2})}^{{\displaystyle \sum _{aid\in {I}_{A}}{\alpha}_{aid}s}}),\text{}(\mathbb{A},\rho )\end{array}\right\}$$

(2)

${C}^{\prime},{C}_{i,3},{C}_{i,4}$ are used to correct the shares of $s$ and randomize ${\gamma}_{i}$. ${C}_{v}$ is used to verify the result of outsourced decryption. Then, it outputs the intact ciphertext $CT=\{C,{C}^{\prime},{C}_{0},{({C}_{i,1},{C}_{i,2},{C}_{i,3},{C}_{i,4})}_{i\in \{1,\cdots ,l\}},{C}_{v},(\mathbb{A},\rho )\}$.

*KeyGen*
$(GP,uid,{S}_{uid,aid},S{K}_{aid},{\left\{P{K}_{{x}_{k}}\right\}}_{aid\in {I}_{A}})\to \left\{Px{K}_{uid,aid},S{K}_{uid}\right\}$. $A{A}_{aid}$ first assigns a set of attributes ${S}_{uid,aid}$ to each legal user, then chooses a random number ${z}_{uid}\in {\mathbb{Z}}_{p}$ for each user and let $S{K}_{uid}=\left\{{z}_{uid}\right\}$ as the user secret key. Then, $A{A}_{aid}$ runs the key generation algorithm to generate the user proxy key as:

$$Px{K}_{uid,aid}=\left\{{K}_{uid,aid}={g}_{2}^{\frac{{\alpha}_{aid}}{{z}_{uid}}}{g}_{2}^{\frac{a{\beta}_{aid}}{{z}_{uid}}},{L}_{uid,aid}={g}_{1}^{\frac{{\beta}_{aid}}{{z}_{uid}}},{\left\{{K}_{uid,{x}_{i}}\right\}}_{{x}_{i}\in {S}_{uid,aid}}={({g}_{2}^{{v}_{{x}_{i}}}{g}_{2}^{H({x}_{i})})}^{\frac{{\beta}_{aid}}{{z}_{uid}}},{S}_{uid,aid}\right\}$$

(3)

The proxy keys $\left\{Px{K}_{uid,aid}\right\}$ are sent to CSP who will add them in its proxy key list ${L}_{PxK}$ as ${L}_{PxK}={L}_{PxK}\cup \{uid,Px{K}_{uid,aid}\}$, and the user secret keys are sent to the corresponding DUs.

*Decrypt_out*
$(GP,CT,Px{K}_{uid,aid},{\left\{P{K}_{{x}_{k}}\right\}}_{aid\in {I}_{A}})\to C{T}^{\prime}$. When a user queries the encrypted data in the system, CSP will first check his attribute set. If his attributes does not satisfy the access policy, CSP outputs $\perp $. Otherwise, it sends the ciphertext and the corresponding proxy keys to FD. FD first chooses a set of constants ${w}_{i}\in {\mathbb{Z}}_{p}$ such that, if ${\lambda}_{i}$ are valid shares of the secret $s$ according to $\mathbb{A}$, then $\sum _{i\in I}{w}_{i}{\lambda}_{i}}=s$, where $I=\{1,\cdots ,l\}$. Then it computes:

$$C{T}^{\prime}={\displaystyle \prod _{aid\in {I}_{A}}\frac{e({C}_{0}\xb7{g}_{1}^{{C}^{\prime}},{K}_{uid,aid})}{{\displaystyle \prod _{i\in I}\left(e({({C}_{i,1}\xb7{g}_{2}^{a{C}_{i,3}}\xb7{({g}_{2}^{{v}_{{x}_{i}}}{g}_{2}^{H({x}_{i})})}^{-{C}_{i,4}})}^{{\omega}_{i}},{L}_{uid,aid})\xb7e({({C}_{i,2}\xb7{g}_{1}^{{C}_{i,4}})}^{{\omega}_{i}},{K}_{uid,{x}_{i}})\right)}}}=e{({g}_{1},{g}_{2})}^{{\displaystyle \sum _{aid\in {I}_{A}}\frac{{\alpha}_{aid}s}{{z}_{uid}}}}$$

(4)

After that, FD sends the partially decrypted ciphertext $C{T}^{\prime}=e{({g}_{1},{g}_{2})}^{{\displaystyle \sum _{k\in {I}_{A}}\frac{{\alpha}_{k}s}{{z}_{j}}}}$ to the user.

*Decrypt_user*
$(CT,C{T}^{\prime},S{K}_{uid})\to M$. Upon receiving the partially decrypted ciphertext from FD, the user runs the user decryption algorithm to decrypt the ciphertext by using its secret key $S{K}_{uid}$. It computes $M$ as:

$$M=\frac{C}{C{{T}^{\prime}}^{{z}_{uid}}}$$

(5)

There exists such a situation that the FD may be “lazy”. It may not follow the algorithm, only execute part of the computations or deliberately returns incorrect results. If this happens, a DO cannot notice the error, and large part of the computations will be affected. Therefore, we propose a verification method which can verify the result of outsourced encryption and outsourced decryption.

Our verification method includes two algorithms:

*Verify_enc*
$(GP,C{T}_{out})\to b$. Upon receiving the partially encrypted ciphertext $C{T}_{out}$ from FD, DO first verify whether ${C}_{0}={g}^{{s}^{\prime}}$ holds. If it does not holds, DO outputs $b=0$, which indicates FD returns incorrect result. Otherwise, DO computes ${t}_{i}=(a{{\lambda}^{\prime}}_{i}-{v}_{\rho (i)}\xb7{\gamma}_{i}-H(\rho (i))\xb7{\gamma}_{i})\mathrm{mod}p$ and ${C}_{i}={C}_{i,1}\xb7{C}_{i,2}={g}_{1}^{{{\gamma}^{\prime}}_{i}}\xb7{g}_{2}^{{t}_{i}}$, where $i\in \{1,\cdots ,l\}$. Then, it picks a security parameter $r$, and randomly chooses ${s}_{1},\cdots ,{s}_{l}\in {\{0,1\}}^{r}$. After that, it computes $x={\displaystyle \sum _{i=1}^{n}{{\gamma}^{\prime}}_{i}{s}_{i}}\mathrm{mod}p,y={\displaystyle \sum _{i=1}^{n}{t}_{i}{s}_{i}}\mathrm{mod}p$ and $\widehat{C}={\displaystyle \prod _{i=1}^{n}{C}_{i}^{{s}_{i}}}\mathrm{mod}p$. If $\widehat{C}={g}_{1}^{x}\xb7{g}_{2}^{y}$, DO outputs $b=1$, which indicates the FD returned the correct result. Otherwise, it outputs $b=0$.

Here, we adopt the idea of [34]. We do not check the results in the ciphertext one by one. Instead, we use the batch verification algorithm to check ${C}_{i,1},{C}_{i,2}$ together. Obviously, our solution is much more efficient than the normal verification method.

*Verify_dec*
$(GP,CT,C{T}^{\prime})\to b$. Upon receiving the partially decrypted ciphertext $C{T}^{\prime}$ from FD, the user computes $G(C{{T}^{\prime}}^{{z}_{uid}})$, if $G(C{{T}^{\prime}}^{{z}_{uid}})={C}_{v}$ holds, it outputs $b=1$, which indicates FD returns the correct result. Otherwise, it outputs $b=0$, which indicates that the FD has returned an incorrect result.

In our scheme, when user revocation happens, we do not need to re-encrypt the ciphertext and update other non-revoked users’ secret keys. The only operation we need is to send a user revocation message which contains the $uid$ of the revoked user to the CSP, and then let the CSP delete the revoked user’s proxy key $Px{K}_{uid,aid}$. Without the correct $Px{K}_{uid,aid}$, the FD cannot perform the outsourced decryption algorithm for the revoked user. Thus, the revoked user cannot recover the original data. The user revocation algorithm is described as follows:

*URev*
$(uid,{L}_{PxK})\to {{L}^{\prime}}_{PxK}$. When the CSP receives the user revocation message from a DO, it then deletes the proxy key $Px{K}_{uid,aid}$ corresponding to the $uid$ from the list and outputs the updated proxy key list ${{L}^{\prime}}_{PxK}$.

There are two phases in attribute revocation: Key update and Ciphertext re-encryption.

Phase 1: Key update

The key update in turn includes three steps: RekeyUpdate, CTUpdate and PxKUpdate.

(1)*ReKeyUpdate*
$(uid,Px{K}_{uid,aid},{v}_{{\tilde{x}}_{k}})\to \{VU{K}_{{\tilde{x}}_{k}},PxU{K}_{{\tilde{x}}_{k}}\}$.

Let $uid$ denotes all other non-revoked users except the revoked user with $ui{d}^{\prime}$. The involved authority $A{A}_{aid}$ first generates a new attribute version key ${{v}^{\prime}}_{{\tilde{x}}_{k}}$. It then computes the version update key as $VU{K}_{{\tilde{x}}_{k}}={{v}^{\prime}}_{{\tilde{x}}_{k}}-{v}_{{\tilde{x}}_{k}}$. After that, it applies $VU{K}_{{\tilde{x}}_{k}}$ to compute the proxy update key as $PxU{K}_{{\tilde{x}}_{k}}={g}_{2}^{\frac{{\beta}_{aid}}{{z}_{uid}}\xb7VU{K}_{{\tilde{x}}_{k}}}$ for each non-revoked user who has the attribute ${\tilde{x}}_{k}$. Then $A{A}_{aid}$ updates the public attribute key of the revoked attribute as $P{K}_{{\tilde{x}}_{k}}^{*}=P{K}_{{\tilde{x}}_{k}}\xb7{g}_{2}^{VU{K}_{{\tilde{x}}_{k}}}$, and broadcast a message for each DO such that they can get the updated public attribute key of the revoked attribute. After that, $PxU{K}_{{\tilde{x}}_{k}}$ is sent to the CSP to update $Px{K}_{uid,aid}$ and $VU{K}_{{\tilde{x}}_{k}}$ is sent to the DO.

(2)*CTUpdate*
$(VU{K}_{{\tilde{x}}_{k}},C{T}_{out})\to \left\{CU{K}_{{\tilde{x}}_{k}}\right\}$.

Upon receiving the version update key $VU{K}_{{\tilde{x}}_{k}}$ and the partially encrypted ciphertext $C{T}_{out}$, DO computes the ciphertext update key as $CU{K}_{{\tilde{x}}_{k}}={g}_{2}^{{}^{-{{\gamma}^{\prime}}_{i}\xb7AU{K}_{{\tilde{x}}_{k}}}}$. Then, $CU{K}_{{\tilde{x}}_{k}}$ is sent to the CSP to update the ciphertext.

(3)*PxKUpdate*
$(uid,Px{K}_{uid,aid},PxU{K}_{{\tilde{x}}_{k}})\to Px{K}_{uid,aid}^{*}$.

Upon receiving the proxy update key $PxU{K}_{{\tilde{x}}_{k}}$, CSP updates the corresponding proxy keys as ${K}_{x={\tilde{x}}_{k},uid}^{*}={K}_{x={\tilde{x}}_{k},uid}\xb7PxU{K}_{{\tilde{x}}_{k}}$ for each non-revoked user who has the attribute ${\tilde{x}}_{k}$. Then the proxy keys $Px{K}_{uid,aid}$ are updated as:

$$Px{K}_{uid,aid}^{*}=\left\{\begin{array}{l}{K}_{uid,aid}={g}_{2}^{\frac{{\alpha}_{aid}}{{z}_{uid}}}{g}_{2}^{\frac{a{\beta}_{aid}}{{z}_{uid}}},{L}_{uid,aid}={g}_{1}^{\frac{{\beta}_{aid}}{{z}_{uid}}}\\ {K}_{uid,x\ne {\tilde{x}}_{k}}={({g}_{2}^{{v}_{x}}{g}_{2}^{H(x)})}^{\frac{{\beta}_{aid}}{{z}_{uid}}}\\ {K}_{uid,x={\tilde{x}}_{k}}^{*}={({g}_{2}^{{{v}^{\prime}}_{{\tilde{x}}_{k}}}{g}_{2}^{H({\tilde{x}}_{k})})}^{\frac{{\beta}_{aid}}{{z}_{uid}}}\end{array}\right\}$$

(6)

Phase 2: Ciphertext re-encryption

*ReEnc*
$(CT,CU{K}_{{\tilde{x}}_{k}})\to C{T}^{*}$.

Upon receiving the ciphertext update key $CU{K}_{{\tilde{x}}_{k}}$, CSP updates the corresponding ciphertext as ${C}_{i,1}^{*}={C}_{i,1}\xb7CU{K}_{{\tilde{x}}_{k}}$. Then the new ciphertext $C{T}^{*}$ is published as:

$$C{T}^{*}=\left\{\begin{array}{l}C,{C}^{\prime},{C}_{0},{({C}_{i,2},{C}_{i,3},{C}_{i,4})}_{i\in \{1,\cdots ,l\}},{C}_{v},(\mathbb{A},\rho )\\ {\left({C}_{i,1}={g}_{2}{}^{a{{\lambda}^{\prime}}_{i}}\xb7{({g}_{2}^{{v}_{{x}_{i}}}{g}_{2}^{H({x}_{i})})}^{-{{\gamma}^{\prime}}_{i}}\right)}_{{x}_{i}\ne {\tilde{x}}_{k},i\in \{1,\cdots ,l\}}\\ {\left({C}_{i,1}^{*}={g}_{2}{}^{a{{\lambda}^{\prime}}_{i}}\xb7{({g}_{2}^{{{v}^{\prime}}_{{x}_{k}}}{g}_{2}^{H({x}_{k})})}^{-{{\gamma}^{\prime}}_{i}}\right)}_{{x}_{i}={\tilde{x}}_{k},i\in \{1,\cdots ,l\}}\end{array}\right\}$$

(7)

Apparently, we can conclude that most of the update and re-encryption work is outsourced to the CSP, which greatly reduces the overhead of DOs. Meanwhile, we do not need to update the entire ciphertext and user proxy keys. Only those components which are involved with the revoked attribute need to be updated. In this way, our scheme can greatly improve the efficiency of attribute revocation.

In this section, a comprehensive analysis of VO-MAACS is provided, including security analysis and performance analysis.

The correctness of our scheme can be easily proved by the following equations:

When there is no attribute revocation:

$$\begin{array}{ll}C{T}^{\prime}& ={\displaystyle \prod _{aid\in {I}_{A}}\frac{e({C}_{0}\xb7{g}_{1}^{{C}^{\prime}},{K}_{uid,aid})}{{\displaystyle \prod _{i\in I}\left(e({({C}_{i,1}\xb7{g}_{2}^{a{C}_{i,3}}\xb7{({g}_{2}^{{v}_{{x}_{i}}}{g}_{2}^{H({x}_{i})})}^{-{C}_{i,4}})}^{{\omega}_{i}},{L}_{uid,aid})\xb7e({({C}_{i,2}\xb7{g}_{1}^{{C}_{i,4}})}^{{\omega}_{i}},{K}_{uid,{x}_{i}})\right)}}}\\ & ={\displaystyle \prod _{aid\in {I}_{A}}\frac{e({g}_{1}^{s},{g}_{2}^{\frac{{\alpha}_{aid}}{{z}_{uid}}}{g}_{2}^{\frac{a{\beta}_{aid}}{{z}_{uid}}})}{{\displaystyle \prod _{i\in I}\left(e(({g}_{2}{}^{a{\lambda}_{i}{\omega}_{i}}\xb7{({g}_{2}^{{v}_{{x}_{i}}}{g}_{2}^{H({x}_{i})})}^{-{\gamma}_{i}{\omega}_{i}},{g}_{1}^{\frac{{\beta}_{aid}}{{z}_{uid}}})\xb7e({g}_{1}^{{\gamma}_{i}{\omega}_{i}},{({g}_{2}^{{v}_{{x}_{i}}}{g}_{2}^{H({x}_{i})})}^{\frac{{\beta}_{aid}}{{z}_{uid}}})\right)}}}\\ & =e{({g}_{1},{g}_{2})}^{{\displaystyle \sum _{aid\in {I}_{A}}\frac{{\alpha}_{aid}s}{{z}_{uid}}}}\end{array}$$

When the attribute ${\tilde{x}}_{k}$ is revoked from a user whose identity is $uid$:

For ${x}_{i}\ne {\tilde{x}}_{k}$:

$$\begin{array}{ll}C{T}_{i}& =\frac{e({C}_{0}\xb7{g}_{1}^{{C}^{\prime}},{K}_{uid,aid})}{\left(e({({C}_{i,1}\xb7{g}_{2}^{a{C}_{i,3}}\xb7{({g}_{2}^{{v}_{{x}_{i}}}{g}_{2}^{H({x}_{i})})}^{-{C}_{i,4}})}^{{\omega}_{i}},{L}_{uid,aid})\xb7e({({C}_{i,2}\xb7{g}_{1}^{{C}_{i,4}})}^{{\omega}_{i}},{K}_{uid,{x}_{i}})\right)}\\ & =\frac{e({g}_{1}^{s},{g}_{2}^{\frac{{\alpha}_{aid}}{{z}_{uid}}}{g}_{2}^{\frac{a{\beta}_{aid}}{{z}_{uid}}})}{e(({g}_{2}{}^{a{\lambda}_{i}{\omega}_{i}}\xb7{({g}_{2}^{{v}_{{x}_{i}}}{g}_{2}^{H({x}_{i})})}^{-{\gamma}_{i}{\omega}_{i}},{g}_{1}^{\frac{{\beta}_{aid}}{{z}_{uid}}})\xb7e({g}_{1}^{-{\gamma}_{i}{\omega}_{i}},{({g}_{2}^{{v}_{{x}_{i}}}{g}_{2}^{H({x}_{i})})}^{\frac{{\beta}_{aid}}{{z}_{uid}}})}\\ & =e{({g}_{1},{g}_{2})}^{\frac{{\alpha}_{aid}s}{{z}_{uid}}}\end{array}$$

For ${x}_{i}={\tilde{x}}_{k}$:

$$\begin{array}{ll}C{T}_{i}& =\frac{e({C}_{0}\xb7{g}_{1}^{{C}^{\prime}},{K}_{uid,aid})}{\left(e({({C}_{i,1}\xb7{g}_{2}^{a{C}_{i,3}}\xb7{({g}_{2}^{{{v}^{\prime}}_{{x}_{i}}}{g}_{2}^{H({x}_{i})})}^{-{C}_{i,4}})}^{{\omega}_{i}},{L}_{uid,aid})\xb7e({({C}_{i,2}\xb7{g}_{1}^{{C}_{i,4}})}^{{\omega}_{i}},{K}_{uid,{x}_{i}})\right)}\\ & =\frac{e({g}_{1}^{s},{g}_{2}^{\frac{{\alpha}_{aid}}{{z}_{uid}}}{g}_{2}^{\frac{a{\beta}_{aid}}{{z}_{uid}}})}{e(({g}_{2}{}^{a{\lambda}_{i}{\omega}_{i}}\xb7{({g}_{2}^{{{v}^{\prime}}_{{x}_{i}}}{g}_{2}^{H({x}_{i})})}^{-{\gamma}_{i}{\omega}_{i}},{g}_{1}^{\frac{{\beta}_{aid}}{{z}_{uid}}})\xb7e({g}_{1}^{{\gamma}_{i}{\omega}_{i}},{({g}_{2}^{{{v}^{\prime}}_{{x}_{i}}}{g}_{2}^{H({x}_{i})})}^{\frac{{\beta}_{aid}}{{z}_{uid}}})}\\ & =e{({g}_{1},{g}_{2})}^{\frac{{\alpha}_{aid}s}{{z}_{uid}}}\end{array}$$

Therefore:

$$C{T}^{\prime}={\displaystyle \prod _{aid\in {I}_{A}}C{T}_{i}}={\displaystyle \prod _{aid\in {I}_{A}}e{({g}_{1},{g}_{2})}^{\frac{{\alpha}_{aid}s}{{z}_{uid}}}}=e{({g}_{1},{g}_{2})}^{{\displaystyle \sum _{aid\in {I}_{A}}\frac{{\alpha}_{aid}s}{{z}_{uid}}}}$$

Then:

$$\frac{C}{C{{T}^{\prime}}^{{z}_{uid}}}=\frac{M\xb7e{({g}_{1},{g}_{2})}^{{\displaystyle \sum _{aid\in {I}_{A}}{\alpha}_{aid}s}}}{e{({g}_{1},{g}_{2})}^{{\displaystyle \sum _{aid\in {I}_{A}}{\alpha}_{aid}s}}}=M$$

Therefore, VO-MAACS satisfies correctness.

In our system, only for users whose attributes satisfy the access policy, will the FD decrypt the ciphertext for them by using their proxy keys. Users whose attributes do not satisfy the access policy, cannot receive the partially decrypted ciphertext from the FD. Thus, they are not able to recover the original data. When a user is revoked, his proxy key will be deleted by the CSP. Without the proxy key, he cannot obtain the partially decrypted ciphertext either. Therefore, for users whose attributes do not satisfy the access policy, our solution satisfies the data confidentiality.

In addition, although the CSP and FD can get user proxy keys, however, if they do not obtain the user secret keys, they still cannot decrypt the ciphertext. Similarly, they cannot collude with other users to recover the data either. Therefore, for the CSP and FD, our solution also satisfies the data confidentiality.

In our system, each user is assigned with a unique identity *uid*, and each key issued by different AA is associated with a *uid*. Therefore, only the keys associated with the same *uid* can be used to decrypt the ciphertext. Other users cannot collude to decrypt the ciphertext. In addition, there exists a situation that some AAs may issue the same attributes. Since each AA has a unique identity *aid*, all attributes are distinguishable. Therefore, users cannot replace some of the components in the keys from the AA by using the component in the key from another AA.

We implement our scheme in Charm [35], a framework developed to facilitate the rapid prototyping of cryptographic schemes and protocols. It is based on the Python language which allows the programmer to write code similar to the theoretical implementations. Charm also provides routines for applying and using LSSS schemes needed for Attribute-Based systems. All our implementations are executed on an Intel^{®} Pentium^{®} CPU G630@270 GHz with 4.00 GB RAM running Ubuntu14.04 64-bit system and Python 2.7.

In our experiment, access policies are generated in the form of *a*_{1}, *a*_{2}, …, *a _{n}*, where

Comparison of encryption time with different number of authorities. (**a**) Encrypt_out time; (**b**) Encrypt_user time.

In Figure 3a, the Encrypt_out time is approximately 0.1~1.4 s, and it increases almost linearly with the number of attributes. In Figure 3b, since major computations are outsourced to the FDs, only a few operations are left for DOs. Therefore, the Encrypt_user time in our scheme is much less than that in [14]. Similarly, Figure 4 describes the time for outsourced decryption and user decryption. In Figure 4a, the Decrypt_out time is approximately 0.3~3 s, and like the Encrpyt_time, it also increases linearly with the number of attributes. In Figure 4b, as major computations are outsourced to FDs, only a few operations are left for DUs, therefore, the Decrypt_user time in our scheme is much less than that in [14].

Comparison of decryption time with different number of authorities. (**a**) Decrypt_out time; (**b**) Decrypt_user time.

The computing cost for verification of outsourced encryption is shown in Figure 5. The time for Verify_enc is approximately 0.1~0.8 s and it increases almost linearly with the number of attributes. Figure 6 describes the comparison of computing cost of CSP, AA and DO in the attribute revocation process.

In fact, most computing overhead, such as proxy keys update and ciphertext re-encryption are outsourced to the CSP, and only a few computations are left for AAs and DOs. Therefore, the computing cost for DOs can be greatly reduced. Apparently, our scheme requires less time for both encryption and decryption than Lewko’s scheme, and the computing cost for DOs in the attribute revocation process is greatly reduced. Therefore, we can conclude that our scheme’s computation efficiency is much better than that of Lewko’s scheme.

To realize data access control in fog-cloud computing system, we have proposed a verifiable outsourced multi-authority access control scheme, named VO-MAACS. In our construct, most encryption and decryption computations are outsourced to fog devices and the computation results can be verified by using our verification method. Meanwhile, to address the revocation issue, we designed an efficient user and attribute revocation method for this. Finally, the analysis and simulation results show that our scheme is both secure and highly efficient.

This work has been financially supported by the National Key Research and Development Program under Grant 2017YFB0802304, the National Natural Science Foundation of China (No. 61303216 and No. 61272457), Natural Science Basic Research Plan in Shaanxi Province of China (No. 2017JM6004), the Open Research Project of the State Key Laboratory of Industrial Control Technology, Zhejiang University, China (No. ICT170312), the Research Project of National Time Service Center, Chinese Academy of Sciences, China (No. 2017FWCGCZ0124) and National 111 Program of China B16037 and B08038.

Author Contributions

K.F. and J.W. conceived and designed the experiments; K.F. and J.W. performed the experiments; X.W. contributed analysis tools; H.L. and Y.Y. analyzed the data; K.F. and J.W. wrote the manuscript. All authors read and approved the manuscript.

Conflicts of Interest

The authors declare no conflict of interest.

1. Bonomi F., Milito R., Zhu J., Addepalli S. Fog computing and its role in the internet of things; Proceedings of the First Edition of the MCC Workshop on Mobile Cloud Computing; Helsinki, Finland. 17 August 2012; pp. 13–16.

2. Shojafar M., Cordeschi N., Baccarelli E. Energy-efficient adaptive resource management for real-time vehicular cloud services. IEEE Trans. Cloud Comput. 2016;99:1. doi: 10.1109/TCC.2016.2551747. [Cross Ref]

3. Zaghdoudi B., Ayed H.K.B., Harizi W. Generic Access Control System for Ad Hoc MCC and Fog Computing; Proceedings of the International Conference on Cryptology and Network Security; Milan, Italy. 14–16 November 2016; pp. 400–415.

4. Baccarelli E., Naranjo P.G.V., Scarpiniti M., Shojafar M., Abawajy J.H. Fog of Everything: Energy-efficient Networked Computing Architectures, Research Challenges, and a Case Study. IEEE Access. 2017;5:9882–9910. doi: 10.1109/ACCESS.2017.2702013. [Cross Ref]

5. Hajibaba M., Gorgin S. A review on modern distributed computing paradigms: Cloud computing, jungle computing and fog computing. J. Comput. Inf. Technol. 2014;22:69–84. doi: 10.2498/cit.1002381. [Cross Ref]

6. Aazam M., Huh E.N. Fog Computing and Smart Gateway Based Communication for Cloud of Things; Proceedings of the International Conference on Future Internet of Things and Cloud IEEE; Barcelona, Spain. 27–29 August 2014; pp. 464–470.

7. Stojmenovic I., Wen S., Huang X., Luan H. An overview of Fog computing and its security issues. Concurr. Comput. Pract. Exp. 2015;28:2991–3005. doi: 10.1002/cpe.3485. [Cross Ref]

8. Yi S., Qin Z., Li Q. Security and privacy issues of fog computing: A survey; Proceedings of the International Conference on Wireless Algorithms, Systems, and Applications; Qufu, China. 10–12 August 2015; pp. 685–695.

9. Lu R., Rahulamathavan Y., Zhu H., Xu C., Wang M. Security and Privacy Challenges in Vehicular Cloud Computing. Mob. Inf. Syst. 2016;2016:1–2. doi: 10.1155/2016/6812816. [Cross Ref]

10. Lu R., Heung K., Lashkari A.H., Ghorbani A.A. A Lightweight Privacy-Preserving Data Aggregation Scheme for Fog Computing-Enhanced IoT. IEEE Access. 2017;5:3302–3312. doi: 10.1109/ACCESS.2017.2677520. [Cross Ref]

11. Bethencourt J., Sahai A., Waters B. Ciphertext-policy attribute-based encryption; Proceedings of the Security and Privacy; Berkeley, CA, USA. 20–23 May 2007; pp. 321–334.

12. Chase M. Multi-authority attribute based encryption. Theory Cryptogr. Conf. 2007;4392:515–534. doi: 10.1007/978-3-540-70936-7_28. [Cross Ref]

13. Waters B. Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization. Public Key Cryptogr. PKC. 2011;6571:53–70. doi: 10.1007/978-3-642-19379-8_4. [Cross Ref]

14. Lewko A., Waters B. Decentralizing attribute-based encryption; Proceedings of the Advances in Cryptology–EUROCRYPT; Tallinn, Estonia. 15–19 May 2011; pp. 568–588.

15. Ruj S., Nayak A., Stojmenovic I. DACC: Distributed access control in Clouds; Proceedings of the TrustCom; Changsha, China. 16–18 November 2011; pp. 91–98.

16. Zhou Z., Huang D., Wang Z. Efficient privacy-preserving ciphertext-policy attribute based-encryption and broadcast encryption. IEEE Trans. Comput. 2015;64:126–138. doi: 10.1109/TC.2013.200. [Cross Ref]

17. Wang S., Zhou J., Liu J.K., Yu J., Chen J., Xie W. An efficient file hierarchy attribute-based encryption scheme in cloud computing. IEEE Trans. Inf. Forensics Secur. 2016;11:1265–1277. doi: 10.1109/TIFS.2016.2523941. [Cross Ref]

18. Green M., Hohenberger S., Waters B. Outsourcing the decryption of abe ciphertexts; Proceedings of the USENIX Security Symposium; San Francisco, CA, USA. 8–12 August 2011; p. 34.

19. Yang K., Jia X. Attributed-based access control for multi-authority systems in cloud storage; Proceedings of the 32nd International Conference on Distributed Computing Systems (ICDCS); Macau, China. 18–21 June 2012; pp. 536–545.

20. Yang K., Jia X. Expressive, efficient, and revocable data access control for multi-authority cloud storage. IEEE Trans. Parallel Distrib. Syst. 2014;25:1735–1744. doi: 10.1109/TPDS.2013.253. [Cross Ref]

21. Li J., Chen X., Li J., Jia C., Ma J., Lou W. Fine-grained access control system based on outsourced attribute-based encryption; Proceedings of the European Symposium on Research in Computer Security; Egham, UK. 9–13 September 2013; pp. 592–609.

22. Lai J., Deng R.H., Guan C., Weng J. Attribute-based encryption with verifiable outsourced decryption. IEEE Trans. Inf. Forensics Secur. 2013;8:1343–1354. doi: 10.1109/TIFS.2013.2271848. [Cross Ref]

23. Li J., Huang X., Li J., Chen X., Xiang Y. Securely outsourcing attribute-based encryption with checkability. IEEE Trans. Parallel Distrib. Syst. 2014;25:2201–2210. doi: 10.1109/TPDS.2013.271. [Cross Ref]

24. Chen Y., Song L., Yang G. Attribute-Based Access Control for Multi-Authority Systems with Constant Size Ciphertext in Cloud Computing. China Commun. 2016;13:146–162. doi: 10.1109/CC.2016.7405733. [Cross Ref]

25. Li X., Tang S., Xu L., Wang H., Chen J. Two-Factor Data Access Control With Efficient Revocation for Multi-Authority Cloud Storage Systems. IEEE Access. 2017;5:393–405. doi: 10.1109/ACCESS.2016.2609884. [Cross Ref]

26. Mao X., Lai J., Mei Q., Chen K., Weng J. Generic and efficient constructions of attribute-based encryption with verifiable outsourced decryption. IEEE Trans. Dependable Secur. Comput. 2016;13:533–546. doi: 10.1109/TDSC.2015.2423669. [Cross Ref]

27. Ostrovsky R., Sahai A., Waters B. Attribute-based encryption with non-monotonic access structures; Proceedings of the 14th ACM Conference on Computer and Communications Security; Alexandria, VA, USA. 29 October–2 November 2007; pp. 195–203.

28. Ibraimi L., Petkovic M., Nikova S., Hartel P., Jonker W. Information Security Applications. Springer; Berlin/Heidelberg, Germany: 2009. Mediated Ciphertext-Policy Attribute-Based Encryption and Its Application; pp. 309–323.

29. Yu S., Wang C., Ren K., Lou W. Attribute based data sharing with attribute revocation; Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security; Beijing, China. 13–16 April 2010; pp. 261–270.

30. Hur J., Noh D.K. Attribute-based access control with efficient revocation in data outsourcing systems. IEEE Trans. Parallel Distrib. Syst. 2011;22:1214–1221. doi: 10.1109/TPDS.2010.203. [Cross Ref]

31. Xie X., Ma H., Li J., Chen X. New ciphertext-policy attribute-based access control with efficient revocation; Proceedings of the Information and Communication Technology-EurAsia Conference; Yogyakarta, Indonesia. 25–29 March 2013; pp. 373–382.

32. Yang Y., Liu J.K., Liang K., Choo K.R., Zhou J. Extended proxy-assisted approach: Achieving revocable fine-grained encryption of cloud data; Proceedings of the European Symposium on Research in Computer Security; Vienna, Austria. 21–25 September 2015; pp. 146–166.

33. Beimel A. Secure Schemes for Secret Sharing and Key Distribution. Technion-Israel Institute of Technology, Faculty of Computer Science; Haifa, Israel: 1996. pp. 22–28.

34. Bellare M., Garay J.A., Rabin T. Fast batch verification for modular exponentiation and digital signatures; Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques; Espoo, Finland. 31 May–4 June 1998; pp. 236–250.

35. Akinyele J.A., Garman C., Miers I., Pagano M.W., Rushanan M., Green M., Rubin A.D. Charm: A framework for rapidly prototyping cryptosystems. J. Cryptogr. Eng. 2013;3:111–128. doi: 10.1007/s13389-013-0057-3. [Cross Ref]

Articles from Sensors (Basel, Switzerland) are provided here courtesy of **Multidisciplinary Digital Publishing Institute (MDPI)**