Efficient access control with traceability and user revocation in IoT

With the universality and availability of the Internet of Things (IoT), data privacy protection in IoT has become a hot issue. As a branch of attribute-based encryption (ABE), ciphertext policy attribute-based encryption (CP-ABE) is widely used in IoT to offer flexible one-to-many encryption. However, in IoT, different mobile devices share the messages they collect, and the transmission of large amounts of data places a heavy burden on mobile devices. Efficiency is a bottleneck that restricts the wide application and adoption of CP-ABE in the Internet of Things. Besides, the decryption key in CP-ABE is shared by multiple users with the same attributes; once a key disclosure occurs, it is non-trivial for the system to tell who maliciously leaked the key. Moreover, if the malicious mobile device is not revoked in time, more security threats will be brought to the system. These problems hinder the application of CP-ABE in IoT. Motivated by this actual need, a scheme called traceable and revocable ciphertext policy attribute-based encryption with constant-size ciphertext and key is proposed in this paper. Compared with the existing schemes, our proposed scheme has the following advantages: (1) malicious users can be traced; (2) users exiting the system and misbehaving users are revoked in time, so that they no longer have access to the encrypted data stored on the cloud server; (3) constant-size ciphertext and key not only improve the efficiency of transmission, but also greatly reduce the time spent on the decryption operation; (4) the storage overhead for traceability is constant. Finally, a formal security proof and experiments have been conducted to demonstrate the feasibility of our scheme.


Introduction
With the rapid development of networks and smart devices, the Internet of Things (IoT) has penetrated people's daily life, in the form of smart cars, smartphones, wearable devices and the industrial Internet of Things. In the IoT, mobile devices are connected through the Internet and exchange data with each other. With the development of the IoT, privacy preservation has become the focus of attention, so secure information exchange between mobile devices determines the smooth operation of the Internet of Things system. However, most mobile devices are resource-constrained, and the storage and processing of massive amounts of data bring heavy expenses to mobile devices. Fortunately, cloud computing can provide reliable computing services for most users, regardless of time and place. With the help of cloud computing, the large amount of collected data is outsourced to the cloud. On the other hand, for mobile devices that exit the system, their system permissions need to be reclaimed, so that users who have left the system no longer have access to it. In addition, there are some situations that need attention. Some mobile devices disclose their keys for profit, which is likely to let unauthorized users access the system, so it is necessary to trace the source of the leak. Therefore, there is a growing need to design an efficient CP-ABE scheme that supports user revocation and user traceability for the IoT.
Public key encryption is widely regarded as one of the core technologies for preventing user privacy from being disclosed, but the traditional public key encryption system can only achieve one-to-one encryption. One-to-many encryption is implemented in ABE schemes. The existing ABE schemes are divided into key policy attribute-based encryption (KP-ABE) [8] and ciphertext policy attribute-based encryption (CP-ABE) [3]. Among them, KP-ABE associates the access policy with the user's private key and the user attributes with the ciphertext. On the contrary, CP-ABE associates the access policy with the ciphertext and the user attributes with the user's private key. Because CP-ABE is more in line with actual application scenarios, CP-ABE has attracted more attention from industry and the academic community. Taking an IoT system based on CP-ABE as an example, cloud service provider A stores large amounts of encrypted data. All users in the system can download the encrypted data from the cloud server. However, only users whose attributes satisfy the access policy in the ciphertext can decrypt the data. A detailed instance is shown in Fig. 1. The data owner stores the encrypted data on cloud service provider A. The attribute set of the data user is {Name: "Bob", Age: 22, Identity: "student", Gender: "male"}. The access policy made by the data owner is (Identity: "student") AND (Gender: "male"). Because Bob satisfies the condition that the identity is a student and the gender is male, Bob can access the ciphertext and perform the decryption operation. Data users who have the right to decrypt can download and decrypt the ciphertext from A.
Moreover, in CP-ABE, different users have the same decryption rights as long as they have the same attributes. Some users in the system disclose their private keys for profit without any risk of being caught. In the face of the temptation of economic gain and "zero" risk, many users are willing to disclose their decryption keys. This illegal disclosure of keys seriously threatens the privacy of data owners and system security. Therefore, it is necessary to implement a traceable CP-ABE scheme. To ensure that a caught malicious user can no longer attack the security of the system, malicious users should be revoked in time. Once revocation occurs, the revoked user can no longer access the system data, and because the ciphertext is updated, even an unauthorized user holding an illegally obtained key cannot successfully decrypt the ciphertext. In addition, in most existing ABE systems, the ciphertext and the key grow with the number of corresponding attributes. The increasing ciphertext and key length impose a huge computing burden on users, especially users of mobile devices. The above problems hinder the wide application of the CP-ABE encryption mechanism in IoT.

Related work
In order to achieve flexible access control and assure data confidentiality, Sahai and Waters [18] proposed the first attribute-based encryption scheme. Later, inspired by this scheme [18], a series of related research on attribute-based encryption (ABE) was carried out. Because ABE implements fine-grained access control, it is considered one of the most promising cryptographic primitives for flexible and secure data sharing. Because CP-ABE is more in line with actual application scenarios, CP-ABE has attracted more attention from industry and the academic community. Nonetheless, three obstacles limit the research and practical application of traditional ABE: efficiency, key abuse and user revocation.
The computing time of encryption and decryption in most CP-ABE schemes grows with the number of attributes in the access policy attached to the ciphertext, which requires huge storage space and computation resources from mobile devices with limited capability. Some existing schemes have focused on this problem and given solutions. Outsourced computing is one way to solve it. Considering the decryption burden of data users, Green et al. [9] proposed an ABE scheme with outsourced decryption. In addition to outsourced computing, constant-size ciphertexts and keys are also essential to improve the efficiency of CP-ABE schemes. In the traditional CP-ABE scheme, the size of the ciphertext and the key grows with the number of attributes, resulting in a sharp decline in the performance of the system. Therefore, how to control the size of the ciphertext and the key is an urgent problem. Some schemes [2,6,7,23] implement constant-size ciphertext, while others [10] implement constant-size keys. For schemes that support both constant-size ciphertext and key, there has been a lot of research [15,16]. Among them, the constant-size ciphertext and key scheme [15] proposed by Odelu solves the efficiency problem in IoT, but neither of them solved the problems of key abuse and user revocation.

Fig. 1 An IoT system based on CP-ABE
Key abuse is another common problem in CP-ABE. In a CP-ABE scheme, as long as a user's attributes meet the access policy in the ciphertext, the user can perform the decryption operation. Therefore, there may be multiple users with access to the same ciphertext. Once a key disclosure occurs, the system is unable to identify who leaked the key. Because users have no risk of being caught, users often sell their keys for economic gain in CP-ABE. To solve this problem, Li et al. [12] proposed the first key-accountable ABE scheme, but the access policy of this scheme can only be expressed as "AND gate with wildcards". To achieve stronger expressiveness, Liu et al. [13] and Zhen et al. [24] successively implemented white-box traceable ABE and black-box traceable ABE supporting arbitrary monotone access structures. White-box traceability and black-box traceability are the two existing traceability methods. If a user in the system deliberately leaks his decryption key to an unauthorized user, and the system traces back to the malicious user according to the information contained in the key, this is called white-box traceability. If instead the user leaks a decryption device rather than the decryption key, and the system finds out the identity of the user from the device, this is called black-box traceability. Put simply, the biggest difference between white-box and black-box traceability is whether the malicious user leaks the decryption key or the decryption device. Li et al. [11] proposed, for the first time, a CP-ABE scheme with multiple authorities and accountability for malicious users, but the access policy of this scheme can only be expressed as an "AND" gate. After that, Ning et al. [14] proposed a white-box accountable CP-ABE scheme in which the storage overhead for traitor tracing is constant.
In addition, an ABE system often faces problems such as users leaving the system and traitor revocation. Therefore, revocation is a problem that a complete ABE system has to solve. Peng et al. [17] proposed a scheme that realizes user revocation without redistributing keys or re-encrypting all the ciphertexts. In this scheme, user revocation is realized by integrating the unique identity of the revoked user into the ciphertext. Attrapadung et al. [1] used the linear secret sharing technique and identity-based multicast encryption technology [4] to propose two ABE revocation modes: direct revocation and indirect revocation. At present, most schemes adopt indirect revocation, which is carried out by the authority, and attribute revocation is realized by changing the keys periodically. Indirect revocation does not need to introduce a revocation list and is flexible to operate, but its disadvantage is that the revocation cost is high. On the other hand, direct revocation is performed by the data owner, and the revocation list is embedded in the ciphertext to realize the revocation. Xu and Martin [19] proposed a dynamic user revocation scheme, which uses the cloud server to re-encrypt the ciphertext, and the cloud server updates the user revocation list. Once a user is added to the user revocation list, the user loses all access to the system. Zhang et al. [22] proposed a CP-ABE scheme that realizes both attribute revocation and user revocation. This scheme introduces an auxiliary function to specify the ciphertexts related to the revocation, and then uses broadcast encryption technology to update only the ciphertexts specified by the auxiliary function, so as to realize attribute revocation and direct revocation of the user.
From the discussion above, it can be seen that constant-size ciphertexts and keys, traceability and revocability are all critical to CP-ABE, but unfortunately, as far as we know, there is no solution that implements all three properties at the same time.

Our contribution
In this article, we focus on three common problems of CP-ABE applications in IoT: efficiency, key abuse and user revocation. To solve these three problems, we propose an efficient CP-ABE scheme with constant-size ciphertext and key that supports user traceability and user revocation in IoT.
(1) High efficiency. We utilize the constant-size ciphertext and key scheme constructed by Odelu et al. [16] to improve the efficiency of our scheme, so that the local computing overhead in the decryption phase is kept at a lightweight constant value. This not only improves communication efficiency but also saves decryption time.
(2) White-box traceability. Shamir's (t, n) threshold scheme is used to achieve white-box traceability. It can track users who maliciously disclose their decryption keys, so as to solve the problem of key abuse. Our scheme only needs to store t − 1 points on the polynomial f(x) and the value f(0), without maintaining a user table, so the storage overhead of the scheme for tracing is constant.
(3) User revocation. For the revocation of malicious users, our scheme only requires the third-party server to update the ciphertext when it receives the revocation signal, and does not need users to update their keys periodically. Once a user is revoked, the user can no longer access any data in the system.
(4) Security and experimental analysis. In this paper, we prove that our proposed scheme is chosen ciphertext attack (CCA) secure. Finally, we compare it with other related schemes from the two aspects of theoretical analysis and simulation experiments. The results show that our scheme is not only functional but also efficient.

Preliminary
In this section, we list the mathematical primitives and basic definitions related to our scheme.

Access structure and attribute
We define the AND gate access structure in a way similar to [10] and [16]. The access structure is represented by attributes in the attribute field = {A_1, A_2, …, A_n}. S ∈ is a user's attribute set, and S is an n-byte string such as c_1 c_2 … c_n. The definition is as follows: (1) P ∈ S is equivalent to having c_i > b_i for every i = 1, 2, …, n. If P ∈ S, we say that the attribute set S satisfies the access policy P.

Bilinear group
Given two multiplicative cyclic groups G and G_T of prime order p, and a generator g of G, the bilinear map e: G × G → G_T satisfies the following properties:

Lagrange Interpolation Theorem
Let p be a prime, f(x) a polynomial of degree k, j_0, …, j_k distinct elements of the field Z_p of integers modulo p, and . By the Lagrange interpolation theorem, the polynomial f(x) can be expressed as: where is the Lagrange coefficient.

Shamir (t, n) threshold scheme
Shamir's (t, n) threshold scheme is widely used in cryptography. The scheme relies on the following principle: t points on a curve of degree t − 1 determine the curve, that is, t points are sufficient to determine a polynomial of degree t − 1. In a (t, n) threshold scheme, a secret can be divided into n shares (or more), each of which is distributed to a member as a separate part, and the members can restore the shared secret. Suppose the secret is an element of a finite field and set the secret to the constant term a_0. We then have the following polynomial: Each member is given a point (x, y) on the curve, where x is the input of the polynomial and y = f(x) is its corresponding output. Given any t points, we can restore the constant a_0 by Lagrange interpolation.

l-SDH assumption
Let G be a bilinear group with generator g and let p be the order of G. The l-SDH (l-Strong Diffie-Hellman) problem in G is defined as follows: given an (l + 1)-tuple (g, g^y, g^{y^2}, …, g^{y^l}) as input, output a pair (c, g , where the probability is taken over the random bits used by A and the random choice of y in Z_p.

Definition 1
In G, if no t-time A has an advantage greater than in breaking this assumption, we say that the (l, t, )-SDH assumption holds in G.

System model and security model
In this section, we will introduce the entities contained in our system, as well as the system model, security model, and traceability model.

Entities in the system
In our newly proposed IoT system based on CP-ABE, four entities are involved, namely the authority (AT), the data user (DU), the data owner (DO) and the cloud service provider (CSP).
Figure 2 shows our system model. Next, we introduce the rights of each entity one by one.
Authority.
The authority, like the manager of a system, is a completely trusted entity. AT is responsible for generating the user's private key, the system parameters and the system master key.
In addition, AT participates in user revocation. AT is responsible for deleting all the information of the revoked user in the system and notifying the cloud service provider to perform the revocation.

Data user.
DU has a series of attributes and attempts to access data in the system. DUs are divided into revoked users and unrevoked users. If the attributes of the data user meet the access policy in the ciphertext and the user is not revoked, DU can decrypt the ciphertext.

Data owner.
The data owner is the owner of the data transmitted in the system. DO has the right to determine the access policy. To ensure the security of the data, DO encrypts the data and stores it at the cloud service provider. The ciphertext contains the access structure set by DO.

Cloud service provider.
Because the cloud service provider is not trusted, data is stored in encrypted form at CSP. In addition, in our system, CSP is also used to implement user revocation. In the event of a user revocation, CSP performs the revocation algorithm so that the revoked user cannot decrypt the new ciphertext, while the system permissions of unrevoked users are not affected.

System model
As far as we know, our scheme is the first to achieve constant-size ciphertext, constant-size key, user traceability and user revocation at the same time. Therefore, unlike an ordinary CP-ABE scheme, our scheme adds revocation and tracing algorithms in order to achieve high efficiency, traceability and user revocation. Next, we introduce the six algorithms included in our scheme.
Setup ( , S) → (pp, msk). AT executes algorithm Setup, which takes as input the security parameter and the universal attribute set S = {S_1, S_2, …, S_n}, and outputs the public parameters pp and the master secret key msk.
KeyGen (pp, id, S, msk) → dk. This algorithm is run by AT. It takes the public parameters pp, the user identity id, an attribute string S and the master secret key msk as input, and outputs the decryption key dk.
Encrypt (ℙ, pp, m) → ct. This algorithm takes an access policy ℙ, the public parameters pp and a plaintext m as input, and outputs the ciphertext ct.
Revocation (id, U, s_i, ct) → ct′. This revocation algorithm is implemented by CSP. By updating the ciphertext, the revoked user cannot decrypt the updated ciphertext even if he or she held the corresponding key before revocation, while the decryption rights of unrevoked users are not affected. The algorithm takes the user identity id, the unrevoked user list U, the user's secret s_i and the ciphertext ct as input, and outputs the updated ciphertext ct′.
Decrypt (dk, ct, pp, id, S) → m. This algorithm takes the decryption key dk, the ciphertext ct, the public parameters pp, the user identity id and an attribute set S as input, and outputs the plaintext m.
Trace (dk, pp, msk) → (id / ⊤). AT implements this algorithm. It takes the decryption key dk, the public parameters pp and the master secret key msk as input, and outputs the malicious user's id or ⊤.

Security model
To prove the security of the system, we give the following selective CCA security game. The participants of the game are a challenger C and an attacker A.

Initialization.
At the beginning of the game, attacker A first declares the access structure ℙ * s/he wants to attack and sends it to challenger C.

Setup.
After receiving a security parameter , C executes algorithm Setup to obtain the system parameters. Then, C sends the public parameters to A.
Query phase 1.
At this stage, A sends key queries to C, and A may ask for any keys other than those that satisfy the access policy ℙ*. After receiving a key query, C executes algorithm KeyGen and sends the private key returned by KeyGen to A.
Challenge.
After completing the key queries, A chooses two plaintext messages of the same length, m_1 and m_2, and sends them to C together with the access policy ℙ*. C tosses a random coin b ∈ {0, 1}. Afterwards, C runs the encryption algorithm with access policy ℙ*, so that m_b is encrypted as the ciphertext ct. C returns the ciphertext ct to A.

Query phase 2.
Key queries are performed as in Query phase 1. Similarly, the queried keys do not include any key that satisfies the access policy ℙ*.

Definition 2
If the advantage of A in winning the above game cannot be ignored in any probabilistic polynomial time, then we say that the ABE scheme is CCA secure.

Guess
If Trace(dk*, pp, msk) ≠ ⊤ (that is, dk* is well-formed) and Trace(dk*, pp, msk) ∉ {id_1, …, id_q}, where id_i is the user identity used in the i-th query (i = 1, …, q), the attacker wins the above game. The advantage of an attacker in winning the above game is defined as Pr[Trace(dk*, pp, msk

Definition 3
If all polynomial-time attackers have negligible advantage in the above traceability game, the scheme in this paper is traceable.

Setup
Take a bilinear group map G = {e, G_1, G_2, G_T, p}, where h and g are generators of G_1 and G_2 respectively. The algorithm chooses a probabilistic encryption scheme (Enc, Dec) from binary strings to Z_p^*, and takes a_1 and a_2 as its two different keys. Furthermore, the algorithm initializes an instance of Shamir's (t, n) threshold scheme, INS_{t,n}, and secretly stores f(x) and t − 1 points {(x_1, y_1), (x_2, y_2), …, (x_{t−1}, y_{t−1})}. AT computes e(h, g) and randomly selects 1, 2, ∈ Z_p. It then selects the following four one-way collision-resistant hash functions: Finally, the algorithm outputs the public parameters pp = {G, H_1, H_2, H_3, H_4, e(h, g), g , w_i, u_i, v_i} and the master secret key msk = {g, , 1, 2, a_1, a_2}.

KeyGen
AT first calculates x = Enc_{a_1}(id), y = f(x), c = Enc_{a_2}(x || y). Furthermore, for a user with identity id and attribute string S = c_1 c_2 … c_n, AT calculates the following: where f(x, S) is a polynomial of degree n in x.
Then, the algorithm selects a random number r_1 and calculates the value of s according to the condition: Finally, the decryption key is set to dk = {K = a_1+c g^{r_1 s}, K′ = c, L_1 = g^{r_1}, L_2 = g^s} and output.

Encrypt
Given an access policy ℙ = b_1 b_2 … b_n, the algorithm calculates a polynomial f(x, ℙ) of degree at most n − 1 as below: where f_i is the coefficient of x^i. DO selects a random number from {0, 1}^l and calculates r_m = H_2(ℙ, m, ) and e(h, g)^{r_m}. The ciphertext ct is computed as: The algorithm outputs the ciphertext ct = {ℙ, C_0, C_1, C_2, C_3, C_4}.

Revocation
When a user enters the system, CSP randomly selects a personal secret s_i for that user (with identity id), and then sends the personal secret s_i to the user through a secure channel. Let U = {U_1, U_2, …, U_t} denote the set of unrevoked users in the system. Once a user is revoked, CSP updates the ciphertext. CSP randomly selects a secret value , followed by two random numbers 1, 2. Next, CSP extracts the secrets of the unrevoked users and removes the secret of the revoked user from the system. Then, CSP calculates the following polynomials: where In this way, CSP can dynamically prevent revoked users from accessing the system. Once a user revocation occurs, CSP updates the list of unrevoked users, recalculates the authorization polynomials, and updates the ciphertext with new random secrets.

Decrypt
First, it is determined whether the user's attribute string S satisfies the access policy ℙ and whether the user is an unrevoked user. If either condition is not satisfied, the algorithm terminates. Otherwise, it calculates where F_i is the coefficient of x^i and F(0) ≠ 0. Then, the algorithm computes the following formulas.
Because the following equation holds, = f(s_i).

If the equation e(h, g)^{r_m} = e(h, g)^{r′_m} holds, the algorithm outputs the plaintext m. Otherwise, the algorithm outputs ⊥.

Correctness.

Trace
First, the algorithm executes a key sanity check. If dk_id does not pass the following check, the algorithm outputs ⊤. Otherwise, it proceeds to the next step.
The algorithm restores the secret a_0^* of INS_{t,n} from the t − 1 stored points and (x^* = x, y^* = y). If a_0^* = f(0), the algorithm calculates Dec(x^*) and obtains the malicious user's id. Otherwise, it outputs ⊤.
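The tracing mechanism described in the Shamir, Setup, KeyGen and Trace sections, as an added Python example that is not the paper's code: AT keeps f(x) and t − 1 points, KeyGen embeds (x = Enc_{a_1}(id), y = f(x)) in K′ = Enc_{a_2}(x || y), and Trace interpolates the stored points together with the recovered (x*, y*) and accepts only if the constant term equals f(0). The paper leaves (Enc, Dec) unspecified, so a table-backed stand-in is assumed here, the modulus is a constructed toy prime, and the pairing-based key sanity check is not modelled.

```python
import secrets

# Constructed toy modulus; the real scheme works in Z_p for the group order p.
P = 2**127 - 1


def lagrange_at_zero(points, p=P):
    """Recover f(0) from t distinct points (x_i, y_i) of a degree t-1 polynomial over Z_p."""
    a0 = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % p      # (0 - x_j)
                den = den * (xi - xj) % p  # (x_i - x_j)
        a0 = (a0 + yi * num * pow(den, -1, p)) % p  # Lagrange coefficient at x = 0
    return a0


class ShamirInstance:
    """INS_{t,n}: a random degree t-1 polynomial f; AT keeps f(0) and t-1 points on it."""

    def __init__(self, t, p=P):
        self.p, self.t = p, t
        self.coeffs = [secrets.randbelow(p) for _ in range(t)]  # a_0 ... a_{t-1}
        self.f0 = self.coeffs[0]
        self.stored = []  # the t-1 points kept secret by AT
        while len(self.stored) < t - 1:
            x = 1 + secrets.randbelow(p - 1)
            if all(x != sx for sx, _ in self.stored):
                self.stored.append((x, self.eval(x)))

    def eval(self, x):
        return sum(a * pow(x, i, self.p) for i, a in enumerate(self.coeffs)) % self.p


class TableEnc:
    """Stand-in (assumption) for the paper's unspecified probabilistic (Enc, Dec):
    each call maps the message to a fresh random element of Z_p^*, and the
    plaintext is kept in a secret table so Dec is a lookup."""

    def __init__(self, p=P):
        self.p, self.table = p, {}

    def encrypt(self, msg):
        while True:
            x = 1 + secrets.randbelow(self.p - 1)
            if x not in self.table:
                self.table[x] = msg
                return x

    def decrypt(self, x):
        return self.table.get(x)


class Authority:
    """AT: holds INS_{t,n} and the two encryption keys a_1, a_2 (modelled as two tables)."""

    def __init__(self, t):
        self.ins = ShamirInstance(t)
        self.enc_a1 = TableEnc()  # Enc_{a_1}: identity -> x
        self.enc_a2 = TableEnc()  # Enc_{a_2}: (x || y) -> c = K'

    def keygen_trace_component(self, user_id):
        """KeyGen: x = Enc_{a_1}(id), y = f(x), K' = c = Enc_{a_2}(x || y)."""
        x = self.enc_a1.encrypt(user_id)
        y = self.ins.eval(x)
        return self.enc_a2.encrypt((x, y))

    def trace(self, c):
        """Trace: recover (x*, y*) from K', interpolate with the t-1 stored points,
        and accept only if the reconstructed constant term equals f(0).
        Returns the traitor's id, or None (the paper's ⊤) for a malformed key."""
        xy = self.enc_a2.decrypt(c)
        if xy is None:
            return None
        x, y = xy
        if any(x == sx for sx, _ in self.ins.stored):
            return None  # duplicate abscissa: interpolation undefined, key malformed
        a0_star = lagrange_at_zero(self.ins.stored + [(x, y)], self.ins.p)
        if a0_star != self.ins.f0:
            return None
        return self.enc_a1.decrypt(x)
```

A point (x*, y*) that is not on f(x) interpolates to f(0) only with probability 1/p, which is why AT needs no per-user table: the t − 1 points plus f(0) are the whole tracing state.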

Security analysis
In this section, we give the security analysis of the proposed scheme. The security proof of our scheme relies on the scheme of [16]. For convenience and succinctness, we use CSCK to denote the scheme of [16] and RAT-CSCK to denote our scheme, which implements user revocation, user traceability, and constant-size ciphertext and key.
Theorem 1 If CSCK is selectively CCA secure, then RAT-CSCK is also selectively CCA secure.
Proof Assume there is an adversary A with a non-negligible advantage in winning the selective CCA game of RAT-CSCK; we then construct a PPT simulator T that breaks CSCK. T plays both the adversary of CSCK and the challenger of RAT-CSCK.

Initialization.
A announces the access policy ℙ* s/he wants to attack and sends ℙ* to T. T receives it and forwards ℙ* to challenger C. C runs algorithm Setup and sends the output public parameters pp = {G, H_1, H_2, H_3, H_4, e(h, g), g , w_i, u_i, v_i} and master secret key msk = {g, , 1, 2} to T.

Query Phase 1.
A sends a query request to T, and T responds as follows according to the type of query.
• Decryption key query (id, S). Once T receives the decryption key query, T gives S to C. C sends the corresponding decryption key dk_C = {g^{r_1}, g^s} to T. T first calculates x = Enc_{a_1}(id), y = f(x), c = Enc_{a_2}(x || y). AT calculates the following: ) is a polynomial of degree n in x. Then, the algorithm selects a random number r_1 and calculates the value of s according to the condition: For a user with identity id and attribute string S = c_1 c_2 … c_n, T calculates the decryption key Then, T sends dk to A.
• Decryption query (dk, id, S). When T receives a decryption request from A, T checks the validity of the user: T looks up whether a corresponding id exists in the system according to the user's s_i. If the corresponding s_i does not exist, T returns ⊤. Otherwise, T executes the decryption algorithm and sends the decrypted plaintext m to A.

Challenge.
A sends two adaptively chosen challenge messages of equal length, m_0 and m_1, to T. Afterwards, T submits m_0, m_1 to C. C flips a coin and encrypts m_b. T obtains the ciphertext T randomly selects a secret value , followed by two random numbers 1, 2. Next, T extracts the secrets of the unrevoked users and calculates the following polynomial:

Query Phase 2.
The operation at this stage is the same as in Query Phase 1, but with two conditions: (1) when issuing a decryption key query, A cannot submit an attribute string S that satisfies the access policy ℙ*; (2) when issuing a decryption query, A cannot submit the challenge plaintext m*.

Guess.
A sends his/her guess b ′ of b to T and T gives b ′ to C.

Traceability
In this section, based on the l-SDH assumption, we give the traceability proof of our scheme. We follow the proof method of [5] and [14].
Theorem 2 If the l-SDH assumption holds, then our scheme is traceable (q < l, where q is the number of queries made by the adversary).
Proof Assume there is a PPT adversary A who can win the traceability game with a non-negligible advantage after q key queries (let l = q + 1); then we can construct a PPT algorithm B that breaks the l-SDH assumption with the same non-negligible advantage. T is the challenger who interacts with the simulator B in this game.
Let G_1, G_2 and G_T be bilinear cyclic groups of order p, and h, ġ the genera- ġ, ġ 2, …, ġ l), is given. The goal of B is to output ĉ ∈ Z_p and r ∈ G_2 such that (ĉ, r) satisfy the following equation: r = ġ^{1/( + ĉ)}, so as to solve the l-SDH assumption. Let ) and starts the traceability game with A.
Setup. B selects q different random numbers ĉ_1, ĉ_2, …, ĉ_q from Z_p^*. Let the polynomial f(z) = ∏_{i=1}^{q} (z + ĉ_i). By expanding the polynomial, B obtains an expression of the form f(z) = ∑_{i=0}^{q} _i z^i, where _i is the corresponding coefficient of the expansion. B calculates g and g .
After that, the algorithm selects the following four one-way collision-resistant hash functions:

Key Query.
A submits (id_i, S_i) to B and queries the associated user private key dk. Suppose this is the i-th (i ≤ q) query of A.
(z + ĉ_j). Expanding the polynomial gives an expression of the form f_i(z) = ∑_j _j z^j, where _j is the corresponding coefficient of the expansion. B calculates Then, B selects a random number r_1 and calculates the value of s according to the condition: Next, B calculates the user private key component: B passes the user's private key dk_i = {K, K′, L_1, L_2} to A. dk_i denotes the user's private key obtained by the i-th query of A.

Key Forgery.
A submits a user private key dk* to B. Note that the public parameters and user private keys simulated by B in the traceability game have the same distribution as in the actual scheme.
Let P_A denote the event that A wins the traceability game, i.e. dk* passes the key sanity check and K′ in dk* does not belong to {ĉ_1, ĉ_2, …, ĉ_q}. From the assumption at the beginning of the proof, Pr[P_A] = . When the event P_A occurs, B computes f(z)/(z + K′). The quotient is Because p is a prime, ∈ Z_p and ≠ 0, and p are coprime, i.e. their greatest common divisor gcd( , p) = 1. Therefore, has an inverse element modulo p. At this point, B can calculate (ĉ, r) as follows.
According to the key format check condition, let us assume L_2 = g^s; then we have K = g a_1+K′ g^{r_1 s}. B computes the inverse modulo p and To sum up, the probability of B breaking the l-SDH assumption is Among them, the probability of B solving the l-SDH assumption without any help is considered negligible and, for convenience of calculation, is set to 0. Then the advantage of B in breaking the l-SDH assumption is Therefore, B has a non-negligible advantage in breaking the l-SDH assumption.

Comparison
In this part, our scheme is compared with other related schemes [21,20,16] in terms of performance. The comparison involves two aspects: theoretical analysis and experimental comparison. The theoretical analysis consists of counting by hand the ciphertext length, the key length and the cost of the decryption operation. Because exponentiation and pairing operations take much longer than other operations, we only count exponentiations and pairings. For the experimental comparison, we give the encryption time and decryption time of each scheme through simulation.

Theoretical analysis
In Table 1, we compare the functional features of the different schemes. Scheme [21] implements user traceability, but it does not achieve constant-size ciphertext and key, and therefore consumes a lot of computing time and storage space. Meanwhile, revocation of users with malicious behavior is not realized, which affects the confidentiality of the scheme. Although scheme [20] realizes user revocation, it is time-consuming: the cost equals (5l + 4 + 2I)E_G + P + E_{G_T}, where I is the number of all i such that t[i] = 0 and l is the number of attributes in the access policy. The cost of user revocation in our scheme is 2O, that is, the cost of two XOR operations. It can be seen that the cost of user revocation in our scheme is much lower than in scheme [20]. In addition, scheme [20] does not take the problem of key abuse into account, and it does not achieve constant-size ciphertext and constant-size key either. Scheme [16], like scheme [20], does not consider the problem of malicious users abusing keys.
In addition, the problem of user rights change in ABE system has not been solved.Our scheme realizes constant-size ciphertext and constant-size key, which not only ensures the of the scheme, but also solves the problem of key abuse and user permission change in the system, which can not only trace malicious users, but also revoke the system permissions of malicious users in a timely manner.By comparison, it is found that our scheme is the most comprehensive and functional.The comparative result of theoretical analysis is shown in Table 2.Because cloud servers are considered to have strong storage and computing capacity, we only consider local computing in computing.L G , L G T and L Z p denote the length of an element on G, G T and Z p , respectively.Use E G to denote the time it takes to perform a exponential operation on G. Use E G T to denote the time of an exponential operation on G T .P is used to denote the time consumed by a pairing operation.D represents the length of the time code in the scheme.l represents the number of attributes in the access policy.n is used to represent the number of attributes in the global attribute set.We can see from Table 2 that the key length and ciphertext length of our scheme are much smaller than those of scheme [21,20].And they do not increase with the increase in the number of global attributes and the number of attributes in the access policy.In terms of the time consumed by encryption and decryption, our scheme and scheme [16] are the same, and both are lower than schemes [21] and [20].This shows that our scheme is efficient enough and requires less storage space and transmission time.

Experimental comparison
We carried out simulation experiments on our scheme and on schemes [21,20,16]. We use the symmetric elliptic curve "SS512" with a 512-bit base field to implement all four schemes. The experiments run on a Windows 10 system with an AMD8400U and 16GB RAM, configured with Matlab and the PBC library. The experimental results are shown in Figs. 3 and 4. Generally speaking, our scheme has obvious advantages over [21,20] in both encryption complexity and decryption complexity. Its encryption and decryption complexity is similar to that of scheme [16], but our scheme offers more functionality than scheme [16]. In addition, Figs. 3 and 4 show that the encryption complexity of our scheme does not increase with the number of attributes: it is approximately a straight line parallel to the attribute-count axis. At the same time, the decryption complexity of our scheme decreases as the number of attributes increases. This is exactly what an efficient ABE system should achieve.

Conclusion and future work
In this work, we propose a traceable and revocable attribute-based encryption system with constant-size ciphertext and key, which can be used in IoT. Specifically, we implement traceability of misbehaving users in the system. The storage overhead used for traceability is constant and does not grow with the number of users in the system. In addition, the scheme revokes misbehaving users and users who leave the system. By updating the ciphertext, even if a revoked user obtains the updated ciphertext, s/he cannot decrypt it with her/his own private key. Moreover, to make the system more efficient, we introduce constant-size ciphertext and key, so that the ciphertext length and key length are independent of the number of attributes, which significantly shortens ciphertext and key transmission time and user decryption time. Compared with the existing schemes, our scheme has obvious advantages in both functional features and efficiency. Finally, we prove that our scheme is selectively CCA secure in the standard model. In this work, we implement white-box traceability for misbehaving users. In future work, we will focus on the stronger notion of black-box traceability. In black-box traceability, a misbehaving user discloses a decryption device rather than the decryption key; specifically, the user can hide the decryption key and the decryption algorithm by tweaking them. In this case, because the decryption key and decryption algorithm are not well-formed, our proposed traceable and revocable attribute-based encryption scheme with constant-size ciphertext and key will fail, so it will be necessary to construct a black-box traceable and revocable attribute-based encryption scheme with constant-size ciphertext and key. In addition, a flexible access structure is an embodiment of the performance of a CP-ABE scheme. In the following work, we will try to achieve a more flexible access structure to improve the expressiveness of the system.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
We give the following specific example as an explanation. If $n = 5$ and a user's attribute string is $S = c_1 c_2 c_3 c_4 c_5 = 10101$, then the user has attributes $A_1$, $A_3$ and $A_5$. $|S|$ denotes the number of attributes in $S$. $P$ denotes the access policy made by the data owner, and the access policy is an $n$-bit string $b_1 b_2 \cdots b_n$. The definition is as follows: Similarly, we give a specific example to further illustrate the above definition. If $n = 5$ and the specified access policy is $P = b_1 b_2 b_3 b_4 b_5 = 11101$, then the access policy includes attributes $A_1$, $A_2$, $A_3$ and $A_5$. $|P|$ denotes the number of attributes in $P$.
. $\mathcal{A}$ outputs its guess $b'$ of $b$. If $b = b'$, then $\mathcal{A}$ wins the game. The probability of $\mathcal{A}$ winning the above game is defined as $\mathrm{Adv}_{\mathcal{A}} = \left|\Pr[b' = b] - \tfrac{1}{2}\right|$.
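The bit-string encoding of attribute sets and access policies above, as an added example that is not part of the paper and not the paper's own code. It parses the paper's sample strings 10101 and 11101, computes $|S|$ and $|P|$, and rejects malformed strings. The satisfaction test it implements is an assumption: the extracted text does not carry the definition, so the code assumes the usual AND-gate reading in which every attribute required by $P$ must be held in $S$.

```python
# Added example: attribute strings and access policies as n-bit strings.
# Assumption (not stated in the extracted text): AND-gate semantics, i.e.
# S satisfies P exactly when every bit set in P is also set in S.
from typing import List, Set


def parse_bitstring(bits: str, n: int) -> Set[int]:
    """Return the 1-based indices i with c_i = 1, i.e. the attributes held.

    Length and alphabet are validated, because a string that is too short or
    contains characters other than 0/1 would silently change the attribute set.
    """
    if len(bits) != n:
        raise ValueError(f"expected an {n}-bit string, got {len(bits)} characters")
    if any(ch not in "01" for ch in bits):
        raise ValueError("attribute strings may contain only the characters 0 and 1")
    return {i + 1 for i, ch in enumerate(bits) if ch == "1"}


def attribute_names(indices: Set[int], prefix: str = "A") -> List[str]:
    """Render indices as the paper's attribute names A_1, A_2, ... in order."""
    return [f"{prefix}{i}" for i in sorted(indices)]


def satisfies(user_bits: str, policy_bits: str, n: int) -> bool:
    """Assumed AND-gate check: P must be a subset of S."""
    S = parse_bitstring(user_bits, n)
    P = parse_bitstring(policy_bits, n)
    return P <= S


def satisfies_bitwise(user_bits: str, policy_bits: str, n: int) -> bool:
    """Same check on machine integers: S AND P == P (constant work per word)."""
    parse_bitstring(user_bits, n)      # validate before converting
    parse_bitstring(policy_bits, n)
    s, p = int(user_bits, 2), int(policy_bits, 2)
    return (s & p) == p


if __name__ == "__main__":
    n = 5
    S = parse_bitstring("10101", n)     # constructed input from the paper's example
    P = parse_bitstring("11101", n)
    print("S =", attribute_names(S), "|S| =", len(S))
    print("P =", attribute_names(P), "|P| =", len(P))
    print("10101 satisfies 11101:", satisfies("10101", "11101", n))
    print("11101 satisfies 10101:", satisfies("11101", "10101", n))
```

With the paper's two sample strings, the user holding $A_1, A_3, A_5$ does not satisfy a policy that also requires $A_2$, while a user holding $A_1, A_2, A_3, A_5$ does satisfy the policy 10101; both the set-based and the bitwise test agree.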

Table 1
Function Comparison

Table 2
Efficiency Comparison