1 Introduction

With the increasing number of mobile applications and the popularity of cloud computing, the combination of these two techniques that named mobile cloud computing (MCC) attracts great attention listed by in recent years [1, 2]. MCC is a service that allows mobile users constrained with resources to adaptively adjust processing and storing capabilities by transparently partitioning and offloading the computationally intensive and storage demanding jobs on traditional cloud resources by providing ubiquitous wireless access [2]. In the former mobile computing paradigm, there are some problems such as resource scarcity, frequent disconnections, and mobility. With the support of MCC, the aforementioned problems can be addressed and the mobile users can achieve seamless access and handover for services, since mobile applications are executed on resource providers external to the mobile device.

However, the concerns with data privacy and security threats have become an obstacle to hinder MCC from being widely used [3]. According to the recent survey conducted by the International Data Corporation, most IT Executives and CEOs are not interested in adopting such services due to the risks associated with security and privacy [4, 5]. Therefore, it is necessary to eliminate the potential security threats in MCC.

Lots of researchers devote to security issues in MCC, such as secure MCC framework [4], access control [68], authentication [9], trust [10], and so on. The abovementioned works all focus on protecting MCC from external security threats. In [11], Liu et al. take insider threats into consideration and propose a solution named traceable ciphertext-policy attribute-based encryption (CP-ABE), which can trace the malicious users or traitors who intentionally leak the partial or modified decryption keys for profits. While, in traceable CP-ABE, key delegation is not supported, as they consider that key delegation will prevent most of the expressive ABE systems and their variants from being traceable [11]. Without key delegation, each new user has to apply to the authority for his own unique key. The overhead will be very heavy due to the large number of mobile users in MCC. In this paper, we propose an efficient traceable access control scheme with reliable key delegation named Key Delegation-Traceable Attributed Based Encryption (KD-TABE) to tackle with the aforementioned problems. And, the main contributions of this paper can be summarized as follows:

  • We construct a traceable CP-ABE system with the access tree and realize the key delegation at servers without loss of traceability. We encrypt some components of the key to prevent the key from being maliciously delegated by malicious users or traitors.

  • We propose a new type of re-encryption method, which is based on an intuitive method that supports any monotonic access tree, instead of the re-encryption key.

  • To reduce trust on authority, we separate the authority into three parts, and each authority is responsible for generating different components of the key. One is trusted and responsible for user identity management; the other two are semi-trusted and responsible for generating temporary parameters.

The rest of this paper is organized as follows. Section 2 introduces the related work. Then, in Section 3, some preliminaries have been given. Our scheme is stated in Section 4. In Section 5, security analysis has been provided. In Section 6, we evaluate the performance of the proposed schema. Finally, the paper is concluded in Section 7.

2 Related work

Attribute-based encryption (ABE) is firstly proposed by Sahai and Brent in [12]. A user’s identity is viewed as a set of descriptive attributes, the attributes are taken as public key, and the ciphertext will be decrypted as long as the number of user’s attributes reaches a certain value which is set in the encryption process. Since then, ABE has become a research focus of the public key encryption field. Very soon afterwards, two ABE variants are proposed: key-policy attribute-based encryption (KP-ABE) and CP-ABE. In KP-ABE scheme [13], the data access policy (denoted as Au_KP) is specified by data users; the ciphertext is labeled by a set of attributes (denoted as A_o). The data user can decrypt the ciphertext only if A_o satisfies A_KP. While, in CP-ABE scheme [14], the data access policy (denoted as Ao_CP) is specified by data owners; the key is relevant to the attribute set A_u (A_u is holded by the data user). Only if A_u satisfies A_CP can the ciphertext be decrypted. Both KP-ABE and CP-ABE can achieve data confidentiality and fine-grained access control.

However, ABE allows users to share the same sets of attributes, and the decryption keys are generated with attributes sets without any identification information, which cause a problem: once the malicious key delegation happens, we cannot determine the owner’s identification of the given key. To address this problem, there are two main ideas: one is to prevent the key from being cloned and misused, just like [1519], the other one is to provide traceability, proposed and improved in [2025]. In [20], the scheme proposes methods to trace the source of leaks and traitors in broadcast encryption; an index identifying a user is the foundation of realizing traceability. In [25], Ma et al. propose a new notion called multi-authority attribute-based traitor tracing. A pair of elements is introduced to describe a user, one represents its attribute set while the other one indicates its identity information. Based on the white box traceable CP-ABE [11], Liu et al. propose the black box traceable CP-ABE in 2015 [26]. In [11], the traceability is added to the CP-ABE scheme without weakening its security. Although the length of the ciphertext and decryption key is changed, the overhead is not increased significantly. In [27], the white-box traceable CP-ABE in large universe is realized and the storage for traitor tracing is constant. Katz et al. introduce the traceability into predicate encryption schemes in [28], which has the general applicability. Ning et al. firstly propose an accountable authority CP-ABE scheme that supports white box traceability in [29], which solved two types of key abuse problems simultaneously.

There are several studies on ciphertext delegation, and one of the approaches is to utilize proxy re-encryption. The proxy re-encryption(PRE) technique encrypts the ciphertexts with re-encryption keys and makes it possible for users to decrypt the re-encrypted ciphertexts with their own original decryption keys without changing. In [30], Luo et al. realize proxy re-encryption in CP-ABE scheme, with AND-gates that support multi-value attributes, negative attributes, and wildcards, the encryptor could choose any ciphertext to re-encrypt as they like. Lai et al. formalize a new cryptographic primitive called adaptable ciphertext-policy attribute-based encryption, which allows a semi-trusted proxy to modify a ciphertext under one access policy into another one of the same plaintext under any other access policies [31]. In [32, 33], Kaitai Liang et al. further optimize the system security and integrate the dual system encryption technology to realize the adaptively CCA secure in the standard model.

Table 1 shows the comparison between our work and other related works.

Table 1 Comparison with other related works
Full size table

3 Preliminaries

3.1 Bilinear maps and complexity assumptions

Let G 0 and G 1 be two multiplicative cyclic groups of prime order p and g be the generator of G 0.

The bilinear map e is, e:G 0 × G 0 → G 1, for all a, b ∈  p :

  1. 1.

    Bilinearity: ∀u, v ∊ G 1, e(u a, v b) = e(u, v)ab

  2. 2.

    Non-degeneracy: e(g, g) ≠ 1

  3. 3.

    Symmetric: e(g a, g b) = e(g, g)ab = e(g b, g a)

Definition 1 Discrete logarithm (DL) problem:

Let G be a multiplicative cyclic group of prime order p and g be its generator, given y ∊  R G as input, try to get x ∈  p that y = g x.

The DL assumption holds in G if it is computationally infeasible to solve DL problem in G.

3.2 Access structure

Let P = {P 1, P 2,…, P n} be a set of participants, let U = 2{P1,P2,…, Pn} be the universal set. If ∃ AS ⊆ U\{∅}, then AS can be viewed as an access structure.

If A ∊ AS, ∀B ∊ U, A ⊆ B, and B ∊ AS, then AS is monotonic.

If AS is an access structure, then the sets in it are called the authorized sets, and the sets not in it are called the unauthorized sets.

The access structure in our system is an access tree, which is the same as in [14]. The tree includes a root node, some interior nodes and some leaf nodes. The leaf nodes are associated with descriptive attributes while the interior nodes represent the logic operation, such as AND (n of n), OR (1 of n), n of m (m > n). A user can decrypt the ciphertext correctly only if the access tree is satisfied by his attributes set.

3.3 Notations

In Table 2, the notations used in this paper are listed. DO and DR are cloud users. DR1, DR2, and DR3 denote different data receivers. IA, RA, and AA are responsible for generating essential components of SK. KDS plays a role of generating new SK for new coming users based on the given SK if and only if new user’s attribute set is the subset of the attribute set of the data owner that owns the given SK. CDS supports the user to re-encrypt his ciphertext with his own new access structure (AS) without the need to decrypt it.

Table 2 Notations
Full size table

4 Our system

We construct a new traceable CP-ABE system with access tree and focus on how to realize the key delegation and the ciphertext delegation based on our system. In order to achieve all this, our system is composed of the following parties: a Data Owner, some Data Receivers, and three authorities, the Key Delegation Servers, the Ciphertext Delegation Servers, the Cloud Server and two Decryption Servers.

DO sends his ciphertext to CS. We list three users in Fig. 1, which are viewed as the different participants in three functions. DR1 applies to authorities for decryption key, and the three authorities (IA, RA, AA) collaborate to generate a complete decryption key. Different authority outputs different key components. DR2 is a new user whose attributes set is a subset of DR1. KDS can be viewed as a substitute for AA, which is used for generating attribute-related components according to the DR1’s key and finally outputs a DSK for DR2. There are some ciphertexts that can be decrypted by DR1, but DR1 wants some other users who belong to some attributes sets to decrypt them without changing the users’ decryption keys. At this point, the CDS will handle the request and finally outputs a DCT for DR3 (DR3 denotes the eligible).

Fig. 1
figure 1

System model

Full size image

We use an access tree \( \tilde{T} \) to express the access policy specified by data owners. We introduce a hash function H:{0, 1}* → G 0 and view it as a random oracle, which maps any attribute described as a binary string to a random group element.

4.1 Setup

When the system starts up, the setup algorithm will choose a multiplicative cyclic group G 0 of prime order p with generator g and three random numbers a, α, β ∈  P .

The public key is:

$$ PK=\left\{{G}_0,g,h={g}^{\beta },e{\left(g,g\right)}^{\alpha },k={g}^{\omega },l={k}^a\right\} $$

The master key is:

$$ MK=\left\{\beta, {g}^{\alpha },a,\omega \right\} $$

This paper uses the Shamir’ \( \left(\overline{t},\overline{n}\right) \) threshold gates scheme to store tracing information that proposed in [27].

IA receives all MK components and keeps f(x)7 and \( \overline{t}-1 \) points \( \left\{\left({x}_1\;{y}_1\right),\left({x}_2\;{y}_2\right),\dots, \left({x}_{\overline{t}-1}\;{y}_{\overline{t}-1}\right)\right\} \) as secret [27], while AA and RA get one of the MK component a, which is used to protect the parameters transmitted between them.

A symmetric encryption algorithm is introduced into the three authorities to encrypt the components of a secret key. The symmetric encryption keys are assigned to the three authorities, IA receives K 1 and K 2, RA receives K 3, and AA receives K 4. KDS receives K 4, TDS receives K 2, and SDS receives K 3 and K 4. CDS acquires the Hash function.

4.2 Encrypt (PK, M, T)

The encryption algorithm receives message M and access structure T (denoted by an access tree) from DO. First, the algorithm chooses a random number s ∈  P for root node R polynomial, which means q R (0) = s. Then, it chooses a polynomial q x for each node x (leaf or none-leaf node) in top down manner, with the same method to construct the polynomials proposed in [25].

Let Y be the set of leaf nodes in T. The structure of the ciphertext is as follows:

$$ CT=\left(\begin{array}{l}\overset{\sim }{T},\overset{\sim }{C}= Me{\left(g,g\right)}^{\alpha s},C={h}^s,\\ {}\kern1.25em \forall y\in Y:{C}_y={g}^{qy(0)},{C}_y\hbox{'}=H{\left(att(y)\right)}^{qy(0)}\end{array}\right) $$

4.3 Key generation (MK, PK, id, S)

As shown in Fig. 2, to reduce trust on authority, we split the authority into three: IA, RA, and AA. They generate different decryption key components respectively: encrypted random number r, encrypted id, and attribute-related components. Assume that collusion is prohibited, none of them will get complete key information.

Fig. 2
figure 2

Key generation

Full size image

When a user DR1 submits his id and attributes set to IA and AA, both of them run the algorithm to compute the id and attributes. RA chooses a random number r ∈  P and transmits to DR1 after encrypting it:

$$ {u}_2=En{c}_{K_3}(r) $$

Recording and encrypting the random number r aim to prevent the decryption key from being re-randomized at the user side. u2 will be decrypted when the decryption starts, and the random number r got from u 2 is used for decrypting. If the re-randomization occurs, the random number in keys will be changed, it will differ from r. Thus, decryption will be failed.

The parameter g will be received at IA, and IA computes as follows:

$$ \begin{array}{l}x=En{c}_{K_1}(id)\\ {}y=f(x)\\ {}c=x\left|\right|y\\ {}{u}_1=En{c}_{K_2}(c)\\ {}D={g}^{\frac{\alpha }{\beta }}{\left({g}^{r\omega}\right)}^{\frac{\left(a+c\right)}{\beta }}{\left({g}^{r\omega}\right)}^{\frac{1}{\omega }}={g}^{\frac{\alpha +\left(a+c\right)\omega r}{\beta }}{g}^r\\ {}{\left({g}^{r\omega}\right)}^c={k}^{rc}\end{array} $$

u 1 and D will be sent to DR1, and k rc will be sent to AA.

AA gets the parameters from IA, chooses random numbers r j  ∈  P , ∀ j ∈ S, and computes as follows:

$$ \begin{array}{l}{D}_j={k}^{rc}H{(j)}^{r_j}\\ {}{D}_j\hbox{'}=En{c}_{K_4}\left({g}^{r_j}\right)\end{array} $$

DR1 merges the key components from IA, RA, and AA:

$$ SK=\left(\begin{array}{l}D={g}^{\frac{\alpha +\left(a+c\right)\omega r}{\beta }}{g}^r,{D}_0=u={u}_1\left|\right|{u}_2,\ \\ {}\kern1.25em \forall j\in S,{D}_j={k}^{rc}H{(j)}^{rj},{D}_j\hbox{'}=En{c}_{K_4}\left({g}^{rj}\right)\end{array}\right) $$

4.4 Key trace (SK)

The trace algorithm reference the method proposed in [27]. First, the algorithm decrypts u 1 to get (x,y) from D 0 in user’s key, and then, it checks whether SK is issued by system.

If \( \left(x\;y\right)\in \left\{\left({x}_1\;{y}_1\right),\left({x}_2\;{y}_2\right),\dots, \left({x}_{\overline{t}-1}\;{y}_{\overline{t}-1}\right)\right\}, \) the algorithm decrypts x to get id of the user. Otherwise, the algorithm computes the secret of INS \( \left(\overline{t},\overline{n}\right) \) by interpolating with \( \overline{t} \) points \( \left\{\left(x\;y\right),\left({x}_1\;{y}_1\right),\left({x}_2\;{y}_2\right),\dots, \left({x}_{\overline{t}-1}\;{y}_{\overline{t}-1}\right)\right\}. \) If the recovered secret is equal to f(0), the algorithm decrypts x to get id of the user. If not, SK is not issued by the system and cannot be traced.

IA stores the f(x) when system sets up, and it holds the symmetric keys K 1 and K 2 that can decrypt x. So, IA runs the algorithm when a key needs to be traced.

4.5 Key delegation (SK, id’)

As shown in Fig. 3, KDS runs this algorithm when a new user’s attribute set is a subset of the given key’s owner. Let us assume that DR1 is the given key’s owner and DR2 is the new user whose set is a subset of DR1.

Fig. 3
figure 3

Key delegation

Full size image

IA and RA can decrypt u 1 and u 2, respectively; the former will compute new (x,y) according new user’s id, and the latter will re-randomize the random number.

The parameter generation and transmission process of this section is similar to the key generation. RA gets the random number r from the given key SK and chooses a new random number r ' ∈  P for DR2, passing g (r+r’)ω, g to IA.

$$ {u}_2=En{c}_{K_3}\left(r+r\hbox{'}\right) $$

IA gets the parameter from RA, gets c from the given key SK, and computes as follows: (id’ denotes the DR2’s id)

$$ \begin{array}{l}{\left({g}^{r\omega}\right)}^c={k}^{rc}\\ {}x=En{c}_{K_1}\left( id\hbox{'}\right)\\ {}y=f(x)\\ {}c\hbox{'}=x\left|\right|y\\ {}{u}_1=En{c}_{K_2}\left(c\hbox{'}\right)\\ {}{\left({g}^{\left(r+r\hbox{'}\right)\omega}\right)}^{c\hbox{'}}={k}^{\left(r+r\hbox{'}\right)c\hbox{'}}\\ {}D={g}^{\frac{\alpha }{\beta }}\left({g}^{\frac{\left(r+r\hbox{'}\right)\left(a+c\right)}{\beta }}\right){g}^{r+r\hbox{'}}={g}^{\frac{\alpha +\left(a+c\right)\omega \left(r+r\hbox{'}\right)}{\beta }}{g}^{r+r\hbox{'}}\end{array} $$

KDS receives D, u 2, u 1, k rc, k(r+r’)c and chooses r j  ' ∈  P , then computes as follows:

$$ \begin{array}{l}{r}_j{r}_j\hbox{'}={r}_m\\ {}{D}_m={k}^{\left(r+r\hbox{'}\right)c\hbox{'}}{\left(\frac{D_j}{k^{rc}}\right)}^{r_j\hbox{'}}={k}^{\left(r+r\hbox{'}\right)c\hbox{'}}H{(m)}^{r_m}\\ {}De{c}_{K_4}\left({D}_m\hbox{'}\right)={g}^{r_j{r}_j\hbox{'}}={g}^{r_m}\end{array} $$

We assume that KDS does not keep any information about the Hash function, so Dk cannot be calculated like this:

$$ \begin{array}{l}{D}_m={k}^{\left(r+r\hbox{'}\right)c\hbox{'}}\left(\frac{D_j}{k^{rc}}\right)H{(m)}^{r_j}H{(m)}^{r_j\hbox{'}}\\ {}\kern1em ={h}^{\left(r+r\hbox{'}\right)c\hbox{'}}H{(m)}^{r_j+{r}_j\hbox{'}}\end{array} $$

The new delegation key is:

$$ SK\hbox{'}=\left(\begin{array}{l}D={g}^{\frac{\alpha +\left(a+c\right)\omega \left(r+r\hbox{'}\right)}{\beta }}{g}^{r+r\hbox{'}},{D}_0=u={u}_1\left|\right|{u}_2,\\ {}\forall m\in S,{D}_m={k}^{\left(r+r\hbox{'}\right)c\hbox{'}}H{(m)}^{r_m},{D}_k\hbox{'}=En{c}_{K_4}\left({g}^{r_m}\right)\end{array}\right) $$

4.6 Ciphertext delegation (CT, PK, AS, D 0, D j, D j’)

CDS is a trusted server, it stores the Hash function H : {0, 1}* → G 0 to generate new access tree according the given access structure. It receives some decryption key components and a new access structure AS from DR1, while D 0 includes the owner’s identity information and random number, which can be used for decrypting.

We first decrypt the access tree embedded in the ciphertext and get two expressions. Next, the ciphertext will be re-encrypted with AS. Then, D 0, the expressions, and re-encrypted ciphertext make up the new delegated ciphertext.

When x is a leaf node, let i = att(x). Function att(x) denotes the attribute associated with the leaf node x in the tree. The ciphertext is not required to be decrypted completely, the components D 0, D j, D j’ are enough. Both of DecryptNodeL_A’ DecryptNodeL_A0 and DecryptNodeNL are run in SDS. It can decrypt u 2 to get r.

$$ \begin{array}{rr}\hfill \mathrm{If}\kern0.5em i\in S& \hfill \begin{array}{l} DecryptNode L\_A\hbox{'}\left(CT,PK,SK,x\right)\\ {}\kern5.25em =\frac{e\left({D}_i{(l)}^r,{C}_x\right)}{e\left({D}_i\hbox{'},{C}_x\hbox{'}\right)}\\ {}\kern5.25em =\frac{e\left({k}^{rc}H{(i)}^{r_i}{\left({g}^{\omega a}\right)}^r,{g}^{q_x(0)}\right)}{e\left({g}^{r_i},H{(i)}^{r_i}\right)}\\ {}\kern5.25em =\frac{e\left({k}^{r\left(a+c\right)},{g}^{q_x(0)}\right)e\left(H{(i)}^{r_i},{g}^{q_x(0)}\right)}{e\left({g}^{r_i},H{(i)}^{r_i}\right)}\\ {}\kern5.25em =\frac{e\left({k}^{r\left(a+c\right)},{g}^{q_x(0)}\right)e{\left(H(i),{g}^{q_x(0)}\right)}^{r_i{q}_x(0)}}{e\left(g,H{(i)}^{r_i{q}_x(0)}\right.}\\ {}\kern5.25em =e\left({g}^{\omega r\left(a+c\right)},{g}^{q_x(0)}\right)\\ {}\kern5.25em =e{\left(g,g\right)}^{\omega r\left(a+c\right){q}_x(0)}\\ {} DecryptNode\left(CT,{D}_0,{D}_i,{D}_i\hbox{'},R\right)=e{\left(g,g\right)}^{\omega r\left(a+c\right)s}\end{array}\end{array} $$

Otherwise,

i ∉ S, DecryptNodeL_A’(CT, PK, SK, x) = ⊥ When x is an interior node, call the algorithm DecryptNodeNL(CT,D0,Di,Di’,x).

For all nodes z that are children of x, it calls DecryptNodeL_A’(CT,PK,D0,Di,Di’,z) and stores the output as Fz. Let S x be a k x (the threshold value of interior node) random set and let F z  ≠ ⊥. If no such set exists, the function outputs ⊥.

Otherwise, compute as follows and return the result:

$$ \begin{array}{l}{F}_x={\displaystyle \prod_{z\in {S}_x}{F_z}^{\varDelta_i,{S}_x{{}^{\hbox{'}}}^{(0)}}},\kern0.5em \mathrm{where}\kern0.5em \left\{\begin{array}{l}i=\mathrm{index}(z)\\ {}{S}_x^{\hbox{'}}=\left\{\mathrm{index}(z):z\in {S}_x\right\}\end{array}\right.\\ {}\kern1.25em ={\displaystyle \prod_{z\in {S}_x}{\left(e{\left(g,g\right)}^{r.{q}_z(0)\omega \left(c+a\right)}\right)}^{\varDelta_{i,{S_x^{\hbox{'}}}^{(0)}}}}\\ {}\kern1.25em ={\displaystyle \prod_{z\in {S}_x}{\left(e{\left(g,g\right)}^{\omega \left(c+a\right)r.{q}_{\mathrm{parent}(z)}\left( index(z)\right)}\right)}^{\varDelta_{i,{S_x^{\hbox{'}}}^{(0)}}}}\\ {}\kern1.25em ={\displaystyle \prod_{z\in {S}_x}{\left(e{\left(g,g\right)}^{\omega \left(c+a\right)r.{q}_x(i)}\right)}^{\varDelta_{i,{S_x^{\hbox{'}}}^{(0)}}}}\\ {}\kern1.25em =e{\left(g,g\right)}^{\omega \left(c+a\right)r\cdot {q}_x(0)}\end{array} $$

For root node R,

$$ A\hbox{'}=e{\left(g,g\right)}^{\omega sr\left(c+a\right)} $$

Repeat the steps described above, however, DecryptNodeL_A’ algorithm is changed to DecryptNodeL_A0:

$$ \begin{array}{l} DecryptNodeL\_{A}_0\left(CT,{D}_0,{D}_i,{D}_i\hbox{'},x\right)\\ {}\kern6.25em =\frac{e\left({D}_i,{C}_x\right)}{e\left(De{c}_{K_4}\left({D}_i\hbox{'}\right),{C}_x\hbox{'}\right)}\\ {}\kern6.5em = e{\left(g,g\right)}^{\omega {q}_x(0)rc}\end{array} $$

For root node R,

$$ {A}_0=e{\left(g,g\right)}^{\omega src} $$

Then, \( {A}_1=\frac{A\hbox{'}}{A_0}=e{\left(g,g\right)}^{\omega sra} \)

$$ \widehat{C}={A}_0\left|\right|{A}_1\left|\right|{D}_0 $$

A 0 and A 1 are the expressions mentioned above; they will become the components of the delegated ciphertext with D 0.

Next, CDS re-encrypts the other CT components as the Encrypt algorithm does. It constructs an access tree \( \tilde{T} \) for AS specified by DR1 and chooses a new random number s ' ∈  p :

$$ \begin{array}{l}\overset{\sim }{C}=\left( Me{\left(g,g\right)}^{\alpha s}\right)e{\left(g,g\right)}^{\alpha s\hbox{'}}\\ {}C={h}^s{h}^{s\hbox{'}}\\ {}\widehat{C}={A}_0\left|\right|{A}_1\left|\right|{D}_0,\\ {}{C}_z={g}^{q_z(0)},z\in {S}_{AS}\\ {}{C}_z\hbox{'}=H{\left(att(z)\right)}^{q_z(0)},z\in {S}_{AS}\end{array} $$

We get the delegated ciphertext as follows:

$$ CT\hbox{'}=\left(\overset{\sim }{T},\overset{\sim }{C},\widehat{C},C,{C}_z,{C}_z\hbox{'}\right) $$

4.7 Decrypt (PK, CT, SK)

In fact, decryption can be viewed as two parts: satisfying the access tree and decrypting the ciphertext.

We introduce two servers to carry on the process respectively. SDS possesses symmetric key K 4 and K 3 so that it can get random number and verify whether his set satisfies the access tree or not and run the algorithms: DecryptNodeL_A’, DecryptNodeL_A0, DecryptNodeNL. TDS possesses symmetric key K 2 so that it can decrypt u 1.

The general decryption process is described as follows:

When x is a leaf node, let i = att(x). Function att(x) denotes the attribute associated with the leaf node x in the tree. SDS decrypts u 2 to get random number r.

$$ \begin{array}{rr}\hfill \mathrm{If}\kern0.5em I\mathrm{f}\kern0.5em i\in S& \hfill \begin{array}{l} DecryptNode L\_A\hbox{'}\left(CT,PK,SK,x\right)\\ {}\kern5.25em =\frac{e\left({D}_i{(l)}^r,{C}_x\right)}{e\left({D}_i\hbox{'},{C}_x\hbox{'}\right)}\\ {}\kern5.25em =\frac{e\left({k}^{rc}H{(i)}^{r_i}{\left({g}^{\omega a}\right)}^r,{g}^{q_x(0)}\right)}{e\left({g}^{r_i},H{(i)}^{r_i}\right)}\\ {}\kern5.25em =\frac{e\left({k}^{r\left(a+c\right)},{g}^{q_x(0)}\right)e\left(H{(i)}^{r_i},{g}^{q_x(0)}\right)}{e\left({g}^{r_i},H{(i)}^{r_i}\right)}\\ {}\kern5.25em =\frac{e\left({k}^{r\left(a+c\right)},{g}^{q_x(0)}\right)e{\left(H(i),{g}^{q_x(0)}\right)}^{r_i{q}_x(0)}}{e\left(g,H{(i)}^{r_i{q}_x(0)}\right.}\\ {}\kern5.25em =e\left({g}^{\omega r\left(a+c\right)},{g}^{q_x(0)}\right)\\ {}\kern5.25em =e{\left(g,g\right)}^{\omega r\left(a+c\right){q}_x(0)}\\ {} DecryptNode\left(CT,{D}_0,{D}_i,{D}_i\hbox{'},R\right)=e{\left(g,g\right)}^{\omega r\left(a+c\right)s}\end{array}\end{array} $$

Otherwise, i ∉ S DecryptNodeL_A’(CT, PK, SK, x) = ⊥

When x is an interior node, call the algorithm DecryptNodeNL(CT,SK,x).

For all nodes z that are children of x, it calls DecryptNodeL_A’(CT,PK,SK,z) and stores the output as Fz. Let S x be a k x (the threshold value of interior node) random set and let F z  ≠ ⊥. If no such set exists, the function outputs ⊥.

Otherwise, compute as follows and return the result:

$$ \begin{array}{l}{F}_x={\displaystyle \prod_{z\in {S}_x}{F_z}^{\varDelta_i,{S}_x{{}^{\hbox{'}}}^{(0)}}},\kern0.5em \mathrm{where}\kern0.5em \left\{\begin{array}{l}i=\mathrm{index}(z)\\ {}{S}_x^{\hbox{'}}=\left\{\mathrm{index}(z):z\in {S}_x\right\}\end{array}\right.\\ {}\kern1.25em ={\displaystyle \prod_{z\in {S}_x}{\left(e{\left(g,g\right)}^{r.{q}_z(0)\omega \left(c+a\right)}\right)}^{\varDelta_{i,{S_x^{\hbox{'}}}^{(0)}}}}\\ {}\kern1.25em ={\displaystyle \prod_{z\in {S}_x}{\left(e{\left(g,g\right)}^{\omega \left(c+a\right)r.{q}_{\mathrm{parent}(z)}\left( index(z)\right)}\right)}^{\varDelta_{i,{S_x^{\hbox{'}}}^{(0)}}}}\\ {}\kern1.25em ={\displaystyle \prod_{z\in {S}_x}{\left(e{\left(g,g\right)}^{\omega \left(c+a\right)r.{q}_x(i)}\right)}^{\varDelta_{i,{S_x^{\hbox{'}}}^{(0)}}}}\\ {}\kern1.25em =e{\left(g,g\right)}^{\omega \left(c+a\right)r\cdot {q}_x(0)}\end{array} $$

For root node R,

$$ A\hbox{'}=e{\left(g,g\right)}^{\omega sr\left(c+a\right)} $$

Then, TDS decrypts u 1 and computes as follows:

$$ \begin{array}{l}r=Dec\left({u}_1\right)\\ {}B=\frac{\overset{\sim }{C}}{e\left(C,\frac{D}{g^r}\right)}=\frac{Me{\left(g,g\right)}^{\alpha s}}{e\left({h}^s,{g}^{\frac{\alpha +\left(a+c\right)\omega r}{\beta }}\right)}\\ {}=\frac{Me{\left(g,g\right)}^{\alpha s}}{e\left({g^{\beta}}^s,{g}^{\frac{\alpha +\left(a+c\right)\omega r}{\beta }}\right)}=\frac{Me{\left(g,g\right)}^{\alpha s}}{e{\left(g,g\right)}^{\left(\alpha +\omega r\left(a+c\right)\right)s}}\end{array} $$

The user gets A’ from SDS and gets B from TDS:

$$ A\hbox{'}=e{\left(g,g\right)}^{\omega r\left(a+c\right)s} $$

When a user DR3 try to decrypt a delegated ciphertext from DR1, the structure of the ciphertext is as follows: r’ and c’ denote DR1’s random number and identity information and r and c denote DR3’s random number and identity information.

$$ CT\hbox{'}=\left(\overset{\sim }{T},\overset{\sim }{C},\widehat{C},C,{C}_z,{C}_z\hbox{'}\right) $$

Compared with the original ciphertext, the massage M is encrypted with (s + s’) instead of s, and the access structure is replaced by AS. DR3 decrypts the access tree and get an expression related to s’, which can be used for decrypting correctly with C’ and C0 in DCT.

We can get Ĉ from CT’: Ĉ = A 0||A 1||D 0, 

SDS computes (we only consider when the user’s set satisfies the access tree):

$$ \begin{array}{l} DecryptNodeL\_{A}_0\left(CT\hbox{'},SK\hbox{'},x\right)\\ {}\kern5.75em =\frac{e\left({D}_i,{C}_x\right)}{e\left(De{c}_{K4}\left({D}_i\hbox{'}\right),{C}_x\hbox{'}\right)}\\ {}\kern5.75em = e{\left(g,g\right)}^{\omega {q}_x\hbox{'}(0)r\hbox{'}c\hbox{'}}\\ {} DecryptNodeL\_A\hbox{'}\left(CT\hbox{'},SK\hbox{'},z\right)\\ {}\kern5.75em =\frac{e\left({D}_i{\left({h}^a\right)}^{r\hbox{'}},{C}_z\right)}{e\left(De{c}_{K_4}\left({D}_i\hbox{'}\right),{C}_z\hbox{'}\right)}\\ {}\kern5.75em =e{\left(g,g\right)}^{\omega {q}_z\hbox{'}(0)r\hbox{'}\left(c\hbox{'}+a\right)}\end{array} $$

For root node R’, the intermediate calculation process is omitted.

$$ \begin{array}{l}{B}_0=e{\left(g,g\right)}^{\omega s\hbox{'}r\hbox{'}c\hbox{'}}\\ {}B\hbox{'}=e{\left(g,g\right)}^{\omega s\hbox{'}r\hbox{'}\left(a+c\hbox{'}\right)}\\ {}\widehat{B}=\frac{B\hbox{'}}{B_0}=e{\left(g,g\right)}^{\omega s\hbox{'}r\hbox{'}a}\end{array} $$

All of them are transferred to SDS:

$$ \begin{array}{l}r\hbox{'}=Dec\left({u}_2\hbox{'}\right)\kern13.75em \\ {}r=Dec\left({u}_2\right)\\ {}{B}_1={\left({A}_0\right)}^{\frac{r\hbox{'}}{r}}={\left(e{\left(g,g\right)}^{\omega ras}\right)}^{\frac{r\hbox{'}}{r}}=e{\left(g,g\right)}^{\omega r\hbox{'}as}\\ {}{B}_2=\widehat{B}=e{\left(g,g\right)}^{\omega r\hbox{'}as\hbox{'}}\\ {}{B}_3={\left({A}_1\right)}^{\frac{r\hbox{'}}{r}}={\left(e{\left(g,g\right)}^{\omega rcs}\right)}^{\frac{r\hbox{'}}{r}}=e{\left(g,g\right)}^{\omega r\hbox{'}cs}\\ {}{B}_4=I{R}_1\hbox{'}=e{\left(g,g\right)}^{\omega r\hbox{'}c\hbox{'}s\hbox{'}}\\ {}A=\frac{\overset{\sim }{C}{B}_1{B}_2}{e\left(C,\frac{D}{g^{r\hbox{'}}}\right)}=\frac{Me{\left(g,g\right)}^{\alpha \left(s+s\hbox{'}\right)}\left(e{\left(g,g\right)}^{\omega r\hbox{'}as}\right)\left(e{\left(g,g\right)}^{\omega r\hbox{'}as\hbox{'}}\right)}{e\left({h}^{\left(s+s\hbox{'}\right)},{g}^{\frac{\alpha +\left(a+c\hbox{'}\right)\omega r\hbox{'}}{\beta }}\right)}\\ {}\kern0.5em =\frac{Me{\left(g,g\right)}^{\alpha \left(s+s\hbox{'}\right)}e{\left(g,g\right)}^{\omega r\hbox{'}a\left(s+s\hbox{'}\right)}}{e\left({g^{\beta}}^{\left(s+s\hbox{'}\right)},{g}^{\frac{\alpha +\left(a+c\hbox{'}\right)\omega r\hbox{'}}{\beta }}\right)}=\frac{Me{\left(g,g\right)}^{\left(\alpha +\omega r\hbox{'}a\right)\left(s+s\hbox{'}\right)}}{e{\left(g,g\right)}^{\left(\alpha +\omega r\hbox{'}\left(a+c\hbox{'}\right)\right)\left(s+s\hbox{'}\right)}}\end{array} $$

A and B 3 will be sent to TDS:

$$ \begin{array}{l}c=Dec\left({u}_1\right)\kern2.25em c\hbox{'}=Dec\left({u}_1\hbox{'}\right)\\ {}{B}_5={\left(e{\left(g,g\right)}^{\omega r\hbox{'}cs}\right)}^{\frac{c\hbox{'}}{c}}=e{\left(g,g\right)}^{\omega r\hbox{'}c\hbox{'}s}\\ {}M\hbox{'}=A{B}_5=\frac{Me{\left(g,g\right)}^{\left(\alpha +\omega r\hbox{'}a\right)\left(s+s\hbox{'}\right)}e{\left(g,g\right)}^{\omega r\hbox{'}c\hbox{'}s}}{e{\left(g,g\right)}^{\left(\alpha +\omega r\hbox{'}\left(a+c\hbox{'}\right)\right)\left(s+s\hbox{'}\right)}}\end{array} $$

The user will get M’ from TDS and B 4 from SDS; thus, the message can be calculated as follows:

$$ \begin{array}{l}M=M\hbox{'}{B}_4=\frac{Me{\left(g,g\right)}^{\left(\alpha +\omega r\hbox{'}a\right)\left(s+s\hbox{'}\right)}e{\left(g,g\right)}^{\omega r\hbox{'}c\hbox{'}s}e{\left(g,g\right)}^{\omega r\hbox{'}c\hbox{'}s\hbox{'}}}{e{\left(g,g\right)}^{\left(\alpha +\omega r\hbox{'}\left(a+c\hbox{'}\right)\right)\left(s+s\hbox{'}\right)}}\\ {}\kern1em =\frac{Me{\left(g,g\right)}^{\left(\alpha +\omega r\hbox{'}\left(a+c\hbox{'}\right)\right)\left(s+s\hbox{'}\right)}}{e{\left(g,g\right)}^{\left(\alpha +\omega r\hbox{'}\left(a+c\hbox{'}\right)\right)\left(s+s\hbox{'}\right)}}\end{array} $$

5 Security analysis

5.1 Traceability

In [22], the access structure is a share-generating matrix, while in our system, the access structure is an access tree.

Theorem 1 The security of traceability in our system is no weaker than that of [ 22 ].

Proof The decryption key in our system has partially similar structure with the key in [22]. \( D={g}^{\frac{\alpha +\left(a+c\right)\omega r}{\beta }}{g}^r \) includes master keys β, g α, a, ω, a random number r, and a parameter c that denotes the user’s identity information. \( K={g}^{\frac{\alpha }{\left(a+c\right)}}{h}^tR \) includes master keys α, a, public key h, random numbers t and R, and a parameter c that denotes the user’s identity information. Compared with K in [22], we construct D with extra master keys β and ω, without any public keys. It is pretty difficult to get anyone of \( {g}^{\frac{\alpha }{\beta }},{g}^r,{g}^{\frac{\left(a+c\right)}{\beta }}. \)

According to security proof in [22], the design of the decryption key is secure. Thus, \( D={g}^{\frac{\alpha +\left(a+c\right)\omega r}{\beta }}{g}^r \) in our system is secure.

Theorem 2 The security of the traceable decryption key in our system is no weaker than that of [ 25 ].

Proof In \( {D}_j={k}^{rc}H{(j)}^{r_j}, \) we add master key ω and the parameter c to D j in [25] \( \left({D}_j={g}^rH{(j)}^{r_j}\right). \) Additionally, the other components are protected by symmetric encryption. Thus, the security in this component is no weaker than that of [25].

5.2 Key delegation

This part of function is realized by KDS, IA and RA, which means AA is replaced by KDS to some extent. SK = (D, D 0, D k , D k ’), D and D 0 are generated by IA and RA, and D k and D k’ will be calculated by KDS according to the given key’s information.

Theorem 3 It is computationally infeasible to attack the calculation of KDS.

Proof KDS receives another two parameters k rc, k (r+r’)c from IA, which can be used for calculating and re-randomizing attribute-related components of the key. The values all of those KDS receives and retrieves are \( {k}^{rc},{k}^{\left(r+r\hbox{'}\right)c\hbox{'}},{k}^{rc}H{(j)}^{r_j},{g}^{r_j},H{(j)}^{r_j} \)

According to DL problem, it is computationally infeasible to retrieve r j , rc and (r + r’)c’, let alone r or c. Thus, a semi-trusted server can be designated as KDS, which is competent in this work.

5.3 Ciphertext delegation

It can be considered as two parts: decrypting the access tree and re-encrypting with another specified access tree. Decrypting the access tree in our system is analogous to the decrypt algorithm in [25]. And, re-encryption is analogous to the encrypt algorithm in [25].

Theorem 4 The security in ciphertext delegation is no weaker than that in [ 25 ].

A’ = e(g, g)ωsr(c+a), A 1 = e(g, g)ωsra, A 0 = e(g, g)ωsrc are intermediate results in our system, compared with A = e(g, g)sr in [14], the extra master key β, a is introduced to further protect the random number s.

$$ \begin{array}{l}\tilde{C}\hbox{'}= Me{\left(g,g\right)}^{\alpha s}e{\left(g,g\right)}^{\alpha s\hbox{'}}= Me{\left(g,g\right)}^{\alpha \left(s+s\hbox{'}\right)}\\ {}C\hbox{'}={h}^s{h}^{s\hbox{'}}={h}^{\left(s+s\hbox{'}\right)}\end{array} $$

We re-encrypt with a new s ' ∈  p chosen by CDS, \( \tilde{C},C \) have been proved to be secure in [25]. Thus, by that analogy, \( \tilde{C}\hbox{'},C\hbox{'} \) in our system is secure.

6 Performance evaluation

6.1 Setup

The Setup procedure includes defining multiplicative cyclic group and generating PK and MK that will be used in encryption and key generation. There are three exponentiation operations and one pairing operation; three random numbers are chosen in Setup procedure. Time complexity of the procedure is O(1).

6.2 Encrypt

Plaintext and access tree are encrypted in this procedure, the computation cost is proportional to the number of attributes in the tree. If the universal attributes set in T is I (|I| denotes the total number of attribute in set I), for each element in I, it needs two exponentiation operations, totally, the computation complexity is O (|I|). Compared with CP-ABE, we add an exponentiation operation in this algorithm, and the added operation has no obvious influence on computation cost as shown in Fig. 4a.

Fig. 4
figure 4

a Encryption cost in CP-ABE and KD-TABE. b Computation cost of RA and IA is constant, which has no relationship with attributes number of DR’s attributes set. c Computation cost of AA grows with the rise of attributes number in DR’s attributes set. d Storage cost of RA and IA grows with the rising of DR. e Decryption cost of SDS (A) and TDS(B)

Full size image

6.3 Key generation

This algorithm includes three parts: RA tackles the random number computation; IA computes the id information; AA generates the attribute-related key components. The time complexity of RA and IA is O(1) as shown in Fig. 4b. Computation cost of AA is proportional to the number of attributes is DR’s set, when the attribute number is m, the time complexity is O(m) as shown in Fig. 4c.

We add the severe RA and IA to achieve the id embedding in SK, RA needs to store the computation result of u 2, IA stores results of u 1, D, k arc, the total storage cost is proportional to the number of DR. If each result needs 2 bytes, the storage cost of RA and IA is shown in Fig. 4d.

6.4 Key delegation

For each DR, KDS computes the unique SK. The computation process and cost are similar to RA. The total cost is proportional to the number of DR.

6.5 Decrypt

This algorithm also includes three parts: SDS decrypts the access tree in CT, TDS decrypts the rest part, and DR retrieves the final message. Thus, computation cost of SDS is proportional to the attributes number in DR’s set, and computation cost of TDS is constant as shown in Fig. 4e.

In brief, our system costs no more than CP-ABE by analysis but achieves more functions compared with existing works [22, 25].

7 Conclusions

Traceable CP-ABE is an important branch of CP-ABE, retaining the characteristics of CP-ABE. However, it cannot trace the owner with a decryption key. In contrast, key delegation is not supported in traceable CP-ABE. Without key delegation, the overhead will be very heavy due to the large number of new coming mobile users in MCC. Therefore, we re-constructed a new traceable CP-ABE system that supported key delegation and ciphertext delegation. We realized key delegation without loss of the traceability with the same computation overhead. To realize ciphertext delegation, we abandoned the re-encryption key and tried to decrypt the access tree first and re-encrypt the ciphertext with any monotonic access tree specified by the user next. In the future, we will study on making our system work under large universe and support more functions such as revocation.