ATTRIBUTE-BASED ENCRYPTION (ABE) METHOD WITH MULTIPLE TRACING ATTRIBUTE AUTHORITIES FOR CLOUD-ASSISTED INTERNET-OF-THINGS (IOT)

20230019301 · 2023-01-19

    Abstract

    An ABE method with multiple tracing attribute authorities: performing, by a central authority, system initialization to generate a public parameter and disclosing the public parameter; performing, by each of attribute authorities, initialization to generate a key pair, and disclosing a public key in the key pair; performing, by a data owner, symmetric encryption on plaintext data, performing ABE on a symmetric key based on a hidden access structure, and generating an integrity verification value; requesting, by a data user, a decryption key to the attribute authority according to an own attribute; restoring, by the data user in response to decryption, an access structure, generating an outsourcing decryption key, sending the outsourcing decryption key to a cloud storage center for semi-decryption; generating, by the cloud storage center, a semi-decrypted ciphertext, and feeding the semi-decrypted ciphertext back to the data user; fully decrypting the semi-decrypted ciphertext according to a private decryption key.

    Claims

    1. An attribute-based encryption (ABE) method with multiple tracing attribute authorities for cloud-assisted Internet-of-things (IoT), comprising the following steps: performing, by a central authority, system initialization to generate a public parameter and disclosing the public parameter; performing, by each of attribute authorities, initialization based on the public parameter to generate a key pair, and disclosing a public key in the key pair; performing, by a data owner, symmetric encryption on plaintext data according to a symmetric key to generate a first ciphertext, generating an integrity verification value according to the first ciphertext, performing ABE on the symmetric key based on a hidden access structure to generate a second ciphertext, and uploading the first ciphertext, the second ciphertext and the integrity verification value to a cloud storage center; requesting, by a data user, a decryption key to the attribute authority according to an own attribute, generating an outsourcing decryption key based on the decryption key and a restored hidden access structure, and sending the outsourcing decryption key to the cloud storage center; performing, by the cloud storage center, semi-decryption on a ciphertext according to the outsourcing decryption key to generate a semi-decrypted ciphertext and feeding the semi-decrypted ciphertext back to the data user; decrypting, by the data user, the semi-decrypted ciphertext according to a private decryption key to obtain the plaintext data; and searching, by the attribute authority through a white-box traceback algorithm in response to key leakage, an identity of a data user corresponding to a leaked key.

    2. The ABE method according to claim 1, wherein the public parameter PP is expressed as: $PP=\{G, G_T, p, e, g, H, H_0, H_1, H_2\}$, wherein $G$ and $G_T$ each are a multiplicative group of a prime order $p$, and $g$ is a generator of $G$; $e$ is a symmetric bilinear map, $e: G \times G \to G_T$; and $H$, $H_0$, $H_1$, and $H_2$ each are a collision-resistant hash function, $H: \{0,1\}^* \to G$, $H_0: G_T \to \{0,1\}^{n_{H_0}}$, $H_1: G_T \to \{0,1\}^*$, $H_2: \{0,1\}^* \to \{0,1\}^{n_{H_2}}$.

    3. The ABE method according to claim 2, wherein the performing, by a jth attribute authority AA.sub.j, initialization based on the public parameter PP comprises: randomly selecting three elements h.sub.j, a.sub.j and b.sub.j from a group Z.sub.p*; randomly selecting, for each of attributes i in an attribute set S.sub.AAj controlled by the attribute authority AA.sub.j, two elements α.sub.i and β.sub.i from the group Z.sub.p*; and generating a key pair (PK.sub.AAj, SK.sub.AAj) of the jth attribute authority AA.sub.j according to the parameters h.sub.j, a.sub.j, b.sub.j, α.sub.i and β.sub.i, the key pair (PK.sub.AAj, SK.sub.AAj) being expressed as:
    $PK_{AA_j} = \left(\{g^{\alpha_i}, g^{\beta_i}\}_{i \in S_{AA_j}},\; g^{h_j},\; g^{a_j},\; g^{b_j}\right)$
    $SK_{AA_j} = \left(\{\alpha_i, \beta_i\}_{i \in S_{AA_j}},\; h_j,\; a_j,\; b_j\right)$.

    4. The ABE method according to claim 3, wherein the performing, by a data owner, symmetric encryption on plaintext data according to a symmetric key to generate a first ciphertext comprises: randomly selecting an element R from the multiplicative group G.sub.T, and calculating the symmetric key K.sub.sym and a parameter R.sub.0 based on the element R and the collision-resistant hash functions H.sub.0 and H.sub.1, both the symmetric key and the parameter being respectively expressed as:
    Ksym=H.sub.1(R)
    R.sub.0=H.sub.0(R); and performing the symmetric encryption on the plaintext data MSG according to the symmetric key K.sub.sym to generate the ciphertext CT.sub.sym, and generating the integrity verification value, the integrity verification value V being expressed as:
    V=H.sub.2(R.sub.0∥CT.sub.sym)

    5. The ABE method according to claim 4, wherein the performing ABE on the symmetric key based on the hidden element R in a hidden access structure to generate a second ciphertext, the element R being used to calculate the symmetric key K.sub.sym, comprises: hiding an access structure (M, ρ) according to a one-way anonymous key agreement protocol, and converting the hidden access structure (M, ρ) into a linear secret sharing scheme (LSSS) access matrix, a replacement value q.sub.i for an ith attribute in the hidden access structure (M, ρ) being expressed as:
    $q_i = e(g^{h_j \cdot a}, H(i))$, wherein, g.sup.hj is a parameter of a public key PK.sub.AAJ of the jth attribute authority, and H(i) is a hash value of the ith attribute; randomly selecting an element s from the group Z.sub.P* as a shared key seed, and generating two random vectors $\vec{v}$ and $\vec{w}$, $\vec{v}$ and $\vec{w}$ being respectively expressed as:
    $\vec{v} = [s, v_1, \ldots, v_n] \in Z_p^n$
    $\vec{w} = [0, w_1, \ldots, w_n] \in Z_p^n$; randomly selecting an element p.sub.i from the group Z.sub.P* for each row M.sub.i in the access matrix, and calculating following two elements:
    $\lambda_i = M_i \times \vec{v}$
    $w_i = M_i \times \vec{w}$; and performing the ABE on the element R to generate the ciphertext CT.sub.ABE, the ciphertext $CT_{ABE} = (h, C_0, \{C_{1,i}, C_{2,i}, C_{3,i}, C_{4,i}, C_{5,i}\}_{i \in [1,l]})$ being expressed as:
    $h = g^{a}$
    $C_0 = R \cdot e(g,g)^{s}$
    $C_{1,i} = g^{\lambda_i} g^{\alpha_{\rho(i)} \cdot p_i}$
    $C_{2,i} = g^{p_i}$
    $C_{3,i} = g^{w_i} g^{\beta_{\rho(i)} \cdot p_i}$
    $C_{4,i} = g^{a_j \cdot p_i}$
    $C_{5,i} = g^{b_j \cdot p_i}$.

    6. The ABE method according to claim 5, wherein the requesting, by a data user, a decryption key to the attribute authority according to an own attribute comprises: making a data user registered to the central authority; and feeding, by the central authority, an identity back to a legal data user, the identity comprising an identity number GID and an attribute set S.sub.GID; requesting, by the data user, the decryption key to the attribute authority, the attribute authority generating the decryption key for a controlled attribute in the attribute set S.sub.GID, and a decryption key sk.sub.{GID,j}=(K.sub.1,i, K.sub.2,i, K.sub.3,i) generated by the jth attribute authority for the data user having the identity number of GID being expressed as:
    $sk_{\{GID,j\}} = (K_{1,i}, K_{2,i}, K_{3,i})$
    $K_{2,i} = H(i)^{h_j}$
    $K_{3,i} = r$, wherein, an element r is an element randomly selected from a group $Z_p \setminus \left\{-\frac{a_j + GID}{b_j}\right\}$; and combining the decryption key corresponding to the attribute authority to form a final decryption key sk.sub.GID.

    7. The ABE method according to claim 6, wherein the generating, by the data user, an outsourcing decryption key based on the decryption key and a restored hidden access structure comprises: restoring, by the data user, the hidden access structure, a restored value q.sub.i′ of the ith attribute in the restored hidden access structure being expressed as:
    $q'_i = e(h, H(i)^{h_j})$; searching, by the data user, a subscript set L′={i:(ρ.sub.(i)∩S′.sub.GID).sub.i∈[1]} of decrypting attributes in the attribute set S.sub.GID according to the restored access structure; and randomly selecting an element z from the group Z.sub.P*, and calculating an outsourcing decryption key pair ok.sub.GID based on the element z, the outsourcing decryption key pair ok.sub.GID (opk.sub.GID, osk.sub.GID) being expressed as:
    $opk_{GID} = \left(\{K_{1,i}^{1/z}\}_{i \in L'},\; g^{1/z},\; H(GID)^{1/z}\right)$
    $osk_{GID} = z$.

    8. The ABE method according to claim 7, wherein the semi-decrypted ciphertext CT′ is expressed as:
    $CT' = \prod_{i=1}^{l} Q^{c_i} = e(g,g)^{s/z}$
    $Q = \frac{e(g^{1/z}, C_{1,i})\, e(H(GID)^{1/z}, C_{3,i})}{e\left(g^{\frac{\alpha_i}{z(a_j + GID + b_j \cdot r)}} H(GID)^{\frac{\beta_i}{z(a_j + GID + b_j \cdot r)}},\; C_{2,i}^{K_3}\, C_{4,i}\, C_{5,i}^{K_{4,i}}\right)}$,
    where, a constant $\{c_i\}_{i \in [1,l]} \in Z_p$, and the constant $\{c_i\}_{i \in [1,l]} \in Z_p$ satisfies $\sum_{i=1}^{l} c_i M_i = [1, 0, \ldots, 0]$.

    9. The ABE method according to claim 8, wherein the decrypting, by the data user, the semi-decrypted ciphertext according to a private decryption key comprises: calculating, by the data user, the element R according to an outsourcing private decryption key osk.sub.GID, the element R being expressed as: $R = \frac{C_0}{(CT')^{osk_{GID}}}$; calculating the element R.sub.0 according to the element R, the element R.sub.0 being expressed as:
    R.sub.0=H.sub.0(R); verifying an integrity verification value through a following equation:
    V=H.sub.2(R.sub.0∥CT.sub.sym); calculating a symmetric decryption key K.sub.sym upon verification, the symmetric decryption key K.sub.sym being calculated by:
    K.sub.sym=H.sub.1(R); and performing symmetric decryption on the semi-decrypted ciphertext CT′ according to the symmetric decryption key K.sub.sym to obtain the plaintext data MSG.

    10. The ABE method according to claim 1, wherein the searching, by the attribute authority through a white-box traceback algorithm in response to key leakage, an identity of a data user corresponding to a leaked key comprises: verifying whether a structure of the decryption key satisfies a standard through a following equation:
    K.sub.1,i,K.sub.2,i∈G;
    K.sub.3,i,GID∈Z.sub.p*; determining, if yes, whether a following equation is satisfied;
    $e(K_{1,i},\; g^{a_j} g^{b_j \cdot K_{3,i}} g^{GID}) = e(g,g)^{\alpha_i}\, e(H(GID), g^{\beta_i})$; and outputting an identity number GID if yes, the identity number GID being an identity number of a data user leaking the key.

    11. The ABE method according to claim 2, wherein the searching, by the attribute authority through a white-box traceback algorithm in response to key leakage, an identity of a data user corresponding to a leaked key comprises: verifying whether a structure of the decryption key satisfies a standard through a following equation:
    K.sub.1,i,K.sub.2,i∈G;
    K.sub.3,i,GID∈Z.sub.p*; determining, if yes, whether a following equation is satisfied;
    $e(K_{1,i},\; g^{a_j} g^{b_j \cdot K_{3,i}} g^{GID}) = e(g,g)^{\alpha_i}\, e(H(GID), g^{\beta_i})$; and outputting an identity number GID if yes, the identity number GID being an identity number of a data user leaking the key.

    12. The ABE method according to claim 3, wherein the searching, by the attribute authority through a white-box traceback algorithm in response to key leakage, an identity of a data user corresponding to a leaked key comprises: verifying whether a structure of the decryption key satisfies a standard through a following equation:
    K.sub.1,i,K.sub.2,i∈G;
    K.sub.3,i,GID∈Z.sub.p*; determining, if yes, whether a following equation is satisfied;
    $e(K_{1,i},\; g^{a_j} g^{b_j \cdot K_{3,i}} g^{GID}) = e(g,g)^{\alpha_i}\, e(H(GID), g^{\beta_i})$; and outputting an identity number GID if yes, the identity number GID being an identity number of a data user leaking the key.

    13. The ABE method according to claim 4, wherein the searching, by the attribute authority through a white-box traceback algorithm in response to key leakage, an identity of a data user corresponding to a leaked key comprises: verifying whether a structure of the decryption key satisfies a standard through a following equation:
    K.sub.1,i,K.sub.2,i∈G;
    K.sub.3,i,GID∈Z.sub.p*; determining, if yes, whether a following equation is satisfied;
    $e(K_{1,i},\; g^{a_j} g^{b_j \cdot K_{3,i}} g^{GID}) = e(g,g)^{\alpha_i}\, e(H(GID), g^{\beta_i})$; and outputting an identity number GID if yes, the identity number GID being an identity number of a data user leaking the key.

    14. The ABE method according to claim 5, wherein the searching, by the attribute authority through a white-box traceback algorithm in response to key leakage, an identity of a data user corresponding to a leaked key comprises: verifying whether a structure of the decryption key satisfies a standard through a following equation:
    K.sub.1,i,K.sub.2,i∈G;
    K.sub.3,i,GID∈Z.sub.p*; determining, if yes, whether a following equation is satisfied;
    $e(K_{1,i},\; g^{a_j} g^{b_j \cdot K_{3,i}} g^{GID}) = e(g,g)^{\alpha_i}\, e(H(GID), g^{\beta_i})$; and outputting an identity number GID if yes, the identity number GID being an identity number of a data user leaking the key.

    15. The ABE method according to claim 6, wherein the searching, by the attribute authority through a white-box traceback algorithm in response to key leakage, an identity of a data user corresponding to a leaked key comprises: verifying whether a structure of the decryption key satisfies a standard through a following equation:
    K.sub.1,i,K.sub.2,i∈G;
    K.sub.3,i,GID∈Z.sub.p*; determining, if yes, whether a following equation is satisfied;
    $e(K_{1,i},\; g^{a_j} g^{b_j \cdot K_{3,i}} g^{GID}) = e(g,g)^{\alpha_i}\, e(H(GID), g^{\beta_i})$; and outputting an identity number GID if yes, the identity number GID being an identity number of a data user leaking the key.

    16. The ABE method according to claim 7, wherein the searching, by the attribute authority through a white-box traceback algorithm in response to key leakage, an identity of a data user corresponding to a leaked key comprises: verifying whether a structure of the decryption key satisfies a standard through a following equation:
    K.sub.1,i,K.sub.2,i∈G;
    K.sub.3,i,GID∈Z.sub.p*; determining, if yes, whether a following equation is satisfied;
    $e(K_{1,i},\; g^{a_j} g^{b_j \cdot K_{3,i}} g^{GID}) = e(g,g)^{\alpha_i}\, e(H(GID), g^{\beta_i})$; and outputting an identity number GID if yes, the identity number GID being an identity number of a data user leaking the key.

    17. The ABE method according to claim 8, wherein the searching, by the attribute authority through a white-box traceback algorithm in response to key leakage, an identity of a data user corresponding to a leaked key comprises: verifying whether a structure of the decryption key satisfies a standard through a following equation:
    K.sub.1,i,K.sub.2,i∈G;
    K.sub.3,i,GID∈Z.sub.p*; determining, if yes, whether a following equation is satisfied;
    $e(K_{1,i},\; g^{a_j} g^{b_j \cdot K_{3,i}} g^{GID}) = e(g,g)^{\alpha_i}\, e(H(GID), g^{\beta_i})$; and outputting an identity number GID if yes, the identity number GID being an identity number of a data user leaking the key.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0025] In order to describe the technical solutions in the embodiments of the present disclosure more clearly, the accompanying drawings required for describing the embodiments are briefly described below. Obviously, the accompanying drawings in the following description show merely some embodiments of the present disclosure, and those of ordinary skill in the art would also be able to derive other accompanying drawings from these accompanying drawings without creative efforts.

    [0026] The present disclosure is further described with reference to the accompanying drawings.

    [0027] FIG. 1 is a flowchart of an ABE method with multiple tracing attribute authorities for cloud-assisted IoT according to an embodiment of the present disclosure.

    [0028] FIG. 2 is an architecture diagram of a system for performing the ABE method of the present disclosure.

    DETAILED DESCRIPTION OF THE EMBODIMENTS

    [0029] The present disclosure is described in further detail below in combination with the accompanying drawings and specific embodiments so as to enable those skilled in the art to better understand and implement the present disclosure, and the illustrated embodiments should not be construed as any limitation to the present disclosure. Embodiments and technical features in the embodiments of the present disclosure may be combined with each other without any conflict.

    [0030] It is to be understood that terms such as “first” and “second” in the description of the present disclosure are merely for distinguishing the description, rather than understanding as indicating or implying a relative importance, or indicating or implying a sequence. In the embodiments of the present disclosure, “a plurality of” means at least two.

    [0031] The present disclosure provides an ABE method with multiple tracing attribute authorities for cloud-assisted IoT, to realize secure, decryption outsourced and leakage traced ABE with the multiple attribute authorities.

    EMBODIMENT

    [0032] As shown in FIG. 1, the ABE method with multiple tracing attribute authorities for cloud-assisted IoT provided by the present disclosure includes the following steps:

    [0033] S100: A central authority performs system initialization to generate a public parameter and discloses the public parameter.

    [0034] S200: Each of attribute authorities performs initialization based on the public parameter to generate a key pair, and discloses a public key in the key pair.

    [0035] S300: A data owner performs symmetric encryption on plaintext data according to a symmetric key to generate a first ciphertext, generates an integrity verification value according to the first ciphertext, performs ABE on the symmetric key based on a hidden access structure to generate a second ciphertext, and uploads the first ciphertext, the second ciphertext and the integrity verification value to a cloud storage center.

    [0036] S400: A data user requests a decryption key to the attribute authority according to an own attribute, generates an outsourcing decryption key based on the decryption key and a restored hidden access structure, and sends the outsourcing decryption key to the cloud storage center.

    [0037] S500: The cloud storage center performs semi-decryption on a ciphertext according to the outsourcing decryption key to generate a semi-decrypted ciphertext and feeds the semi-decrypted ciphertext back to the data user.

    [0038] S600: The data user decrypts the semi-decrypted ciphertext according to a private decryption key to obtain the plaintext data.

    [0039] S700: The attribute authority searches, through a white-box traceback algorithm in response to key leakage, an identity of a data user corresponding to a leaked key.

    [0040] In Step S100, a security parameter is input, and two p-order multiplicative groups G and G.sub.T are selected, where g is a generator of G. A symmetric bilinear map $e: G \times G \to G_T$ is selected. Four collision-resistant hash functions H, H.sub.0, H.sub.1, and H.sub.2 are selected, specifically: $H: \{0,1\}^* \to G$, $H_0: G_T \to \{0,1\}^{n_{H_0}}$, $H_1: G_T \to \{0,1\}^*$, $H_2: \{0,1\}^* \to \{0,1\}^{n_{H_2}}$. The central authority is initialized to generate the public parameter PP, the public parameter PP being expressed as: PP={G, G.sub.T, p, e, g, H, H.sub.0, H.sub.1, H.sub.2}.

    [0041] In Step S200, each of attribute authorities performs initialization based on the public parameter PP. With initialization of a jth attribute authority AA.sub.j as an example, the step includes: Three elements h.sub.j, a.sub.j and b.sub.j are randomly selected from a group Z.sub.P*, the group Z.sub.P* being a group consisting of modulo-p integers without an integer 0. For each of attributes i in an attribute set S.sub.AAj controlled by the attribute authority AA.sub.j, two elements α.sub.i and β.sub.i are randomly selected from the group Z.sub.P*. A key pair (PK.sub.AAJ, SK.sub.AAj) of the jth attribute authority is generated according to the parameters h.sub.j, a.sub.j, b.sub.j, α.sub.i and β.sub.i, the key pair (PK.sub.AAJ, SK.sub.AAj) being expressed as:

    $PK_{AA_j} = \left(\{g^{\alpha_i}, g^{\beta_i}\}_{i \in S_{AA_j}},\; g^{h_j},\; g^{a_j},\; g^{b_j}\right)$
    $SK_{AA_j} = \left(\{\alpha_i, \beta_i\}_{i \in S_{AA_j}},\; h_j,\; a_j,\; b_j\right)$.

    [0042] In Step S300, a data owner encrypts plaintext data to generate a ciphertext, and uploads the ciphertext to a cloud storage center. Specifically, the step includes:

    [0043] S311: An element R is randomly selected from the multiplicative group G.sub.T, and a symmetric key K.sub.sym and a parameter R.sub.0 are calculated based on the element R and the collision-resistant hash functions H.sub.0 and H.sub.1, both the symmetric key and the element being respectively expressed as:


    Ksym=H.sub.1(R)


    R.sub.0=H.sub.0(R).

    [0044] S312: Symmetric encryption is performed on the plaintext data MSG according to the symmetric key K.sub.sym to generate the ciphertext CT.sub.sym.

    [0045] Upon generation of the ciphertext CT.sub.sym, an integrity verification value V is further calculated through Step S320, specifically:

    [0046] S320: A verification value V is calculated through the collision-resistant hash function H.sub.2 based on the ciphertext CT.sub.sym and the element R.sub.0, the verification value V being expressed as:


    V=H.sub.2(R.sub.0∥CT.sub.sym).

    [0047] In order to ensure the security of the symmetric key, and enable a data user having an access right to own the symmetric key, ABE is performed on the symmetric key K.sub.sym based on a hidden access structure. Specifically, the element R for calculating the symmetric key K.sub.sym is hidden as follows:

    [0048] S331: An access structure (M, ρ) is hidden according to a one-way anonymous key agreement protocol, and the hidden access structure (M, ρ) is converted into an LSSS access matrix, a replacement value q.sub.i for an ith attribute in the hidden access structure (M, ρ) being expressed as:


    $q_i = e(g^{h_j \cdot a}, H(i))$,

    where, g.sup.hj is a parameter of a public key PK.sub.AAJ of the jth attribute authority, and H(i) is a hash value of the ith attribute.

    [0049] S332: An element s is randomly selected from the group Z.sub.P* as a shared key seed, and two random vectors $\vec{v}$ and $\vec{w}$ are generated, $\vec{v}$ and $\vec{w}$ being respectively expressed as:

    $\vec{v} = [s, v_1, \ldots, v_n] \in Z_p^n$

    $\vec{w} = [0, w_1, \ldots, w_n] \in Z_p^n$.

    [0050] S333: An element p.sub.i is randomly selected from the group Z.sub.P* for each row M.sub.i in the access matrix, and following two elements are calculated:


    $\lambda_i = M_i \times \vec{v}$

    $w_i = M_i \times \vec{w}$.

    [0051] S334: The ABE is performed on the element R to generate the ciphertext CT.sub.ABE, the ciphertext $CT_{ABE} = (h, C_0, \{C_{1,i}, C_{2,i}, C_{3,i}, C_{4,i}, C_{5,i}\}_{i \in [1,l]})$ being expressed as:

    $h = g^{a}$

    $C_0 = R \cdot e(g,g)^{s}$

    $C_{1,i} = g^{\lambda_i} g^{\alpha_{\rho(i)} \cdot p_i}$

    $C_{2,i} = g^{p_i}$

    $C_{3,i} = g^{w_i} g^{\beta_{\rho(i)} \cdot p_i}$

    $C_{4,i} = g^{a_j \cdot p_i}$

    $C_{5,i} = g^{b_j \cdot p_i}$

    [0052] The ciphertext CT.sub.sym, the integrity verification value V and the ciphertext CT.sub.ABE are uploaded to the cloud storage center.

    [0053] In Step S400, a data user requests a decryption key to the attribute authority, which specifically includes:

    [0054] S411: A data user is registered to the central authority, and the central authority feeds an identity back to a legal data user, the identity including an identity number GID and an attribute set S.sub.GID.

    [0055] S412: The data user requests the decryption key to the attribute authority, the attribute authority generating the decryption key for a controlled attribute in the attribute set S.sub.GID. For the ith attribute, an element r is randomly selected from a group

    $Z_p \setminus \left\{-\frac{a_j + GID}{b_j}\right\}$

    to calculate a decryption key, and a decryption key sk.sub.{GID, j}=(K.sub.1,i, K.sub.2,i, K.sub.3,i) corresponding to the jth attribute authority is expressed as:

    [00009] K 1 , i = g α i aj + GID + bj H ( GID ) ? ? indicates text missing or illegible when filed
    K.sub.2=H(i).sup.hj


    K.sub.3,i=r

    [0056] S413: The data user receives corresponding decryption keys from multiple attribute authorities. Decryption keys of all attribute authorities are combined to generate a final decryption key sk.sub.GID.

    [0057] Upon generation of the decryption key, Step S420 is proceeded to generate an outsourcing decryption key, which specifically includes:

    [0058] S421: A restored value is calculated for each of attributes in the access structure, and a corresponding attribute in the hidden access structure is replaced with the restored value. With the ith attribute as an example, a restored value is calculated by:


    q.sub.i′=e(h,H(i).sup.hj);

    [0059] S422: The data user searches a subscript set L′={i:(ρ.sub.(i)∩S′.sub.GID).sub.i∈[1]} of decrypting attributes in the attribute set S.sub.GID according to a restored access structure.

    [0060] S423: An element z is randomly selected from the group Z.sub.P*, and the outsourcing decryption key ok.sub.GID is calculated based on the element z, the outsourcing decryption key ok.sub.GID (opk.sub.GID, osk.sub.GID) being expressed as:

    $opk_{GID} = \left(\{K_{1,i}^{1/z}\}_{i \in L'},\; g^{1/z},\; H(GID)^{1/z}\right)$
    $osk_{GID} = z$.

    [0061] After the outsourcing decryption key is obtained, Step S500 is proceeded to perform semi-decryption on a ciphertext through the cloud storage center, which specifically includes:

    [0062] S510: A following equation is calculated with the outsourcing decryption key ok.sub.GID:

    $Q = \frac{e(g^{1/z}, C_{1,i})\, e(H(GID)^{1/z}, C_{3,i})}{e\left(g^{\frac{\alpha_i}{z(a_j + GID + b_j \cdot r)}} H(GID)^{\frac{\beta_i}{z(a_j + GID + b_j \cdot r)}},\; C_{2,i}^{K_3}\, C_{4,i}\, C_{5,i}^{K_{4,i}}\right)}$.

    [0063] S520: A set of constants {c.sub.i}.sub.iε[1,l]∈Z.sub.p are searched, a semi-decrypted ciphertext CT′ is calculated according to Σ.sub.i=1.sup.Ic.sub.i M.sub.i=[1,0, . . . , 0], and the semi-decrypted ciphertext is fed back to the data user.

    $CT' = \prod_{i=1}^{l} Q^{c_i} = e(g,g)^{s/z}$
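
    Added example (not part of the patent text): the LSSS sharing of Steps S332 and S333 and the search for the constants c.sub.i in Step S520, worked over Z.sub.p in Python. The modulus, the policy (A AND B) OR C with its matrix M, and all function names are assumptions chosen for illustration; the sketch covers only the exponent arithmetic, not the pairing operations.

```python
import secrets

# Assumption: a Mersenne prime standing in for the group order p.
P = 2**127 - 1

def share(M, first, p=P):
    """S332/S333: share_i = M_i . v, where v = [first, random, ...]."""
    v = [first % p] + [secrets.randbelow(p) for _ in range(len(M[0]) - 1)]
    return [sum(m * x for m, x in zip(row, v)) % p for row in M]

def recon_coeffs(M, rows, p=P):
    """S520: find c_i with sum_i c_i * M_i = [1, 0, ..., 0] (mod p).

    rows lists the indices of the matrix rows whose attributes the user
    holds. Returns {row_index: c_i}, or None when those rows do not span
    the target vector, i.e. the attribute set does not satisfy the policy.
    """
    n, k = len(M[0]), len(rows)
    # One equation per matrix column: [M_r[col] for r in rows | target[col]].
    aug = [[M[r][col] % p for r in rows] + [1 if col == 0 else 0]
           for col in range(n)]
    pivots, top = [], 0
    for col in range(k):  # Gauss-Jordan elimination over Z_p
        piv = next((i for i in range(top, n) if aug[i][col]), None)
        if piv is None:
            continue  # free variable, left at 0
        aug[top], aug[piv] = aug[piv], aug[top]
        inv = pow(aug[top][col], -1, p)
        aug[top] = [x * inv % p for x in aug[top]]
        for i in range(n):
            if i != top and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[top])]
        pivots.append(col)
        top += 1
    if any(r[-1] for r in aug[top:]):
        return None  # an all-zero row with non-zero target: no solution
    c = [0] * k
    for i, col in enumerate(pivots):
        c[col] = aug[i][-1]
    return {rows[j]: c[j] for j in range(k)}

def combine(shares, coeffs, p=P):
    """Recombine shares with the constants c_i."""
    return sum(c * shares[i] for i, c in coeffs.items()) % p

def demo():
    # Constructed policy (A AND B) OR C; rho maps matrix rows to attributes.
    M = [[1, 1], [0, -1], [1, 0]]
    rho = ["A", "B", "C"]
    s = secrets.randbelow(P - 1) + 1
    lam = share(M, s)  # lambda_i: shares of the seed s
    w = share(M, 0)    # w_i: shares of 0, as for the vector w in S332
    results = {}
    for attrs in (("A", "B"), ("C",), ("A",), ("B",)):
        rows = [i for i, a in enumerate(rho) if a in attrs]
        c = recon_coeffs(M, rows)
        results[attrs] = None if c is None else (
            combine(lam, c) == s, combine(w, c) == 0)
    return results

if __name__ == "__main__":
    for attrs, outcome in demo().items():
        print(attrs, outcome)
```

    For an authorized attribute set the same constants recombine the λ.sub.i to s and the w.sub.i to 0; an unauthorized set yields no constants at all.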

    [0064] Upon the semi-decryption of the cloud storage center, the data user decrypts the semi-decrypted ciphertext to obtain the plaintext data, which specifically includes:

    [0065] S610: The data user calculates the element R according to the outsourced decrypting key osk.sub.GID, the element R being expressed as:

    $R = \frac{C_0}{(CT')^{osk_{GID}}}$.

    [0066] S620: The element R.sub.0 is calculated according to the element R, the element R.sub.0 being expressed as:


    R.sub.0=H.sub.0(R).

    [0067] S630: A verification value is verified through a following equation:


    V=H.sub.2(R.sub.0∥CT.sub.sym).

    [0068] S640: Upon verification of the verification value, a symmetric decryption key K.sub.sym is calculated, the decryption key K.sub.sym being calculated by:


    Ksym=H.sub.1(R)

    [0069] S650: Symmetric decryption is performed on the semi-decrypted ciphertext CT′ according to the decryption key K.sub.sym to obtain the plaintext data MSG.
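
    Added example (not part of the patent text): the integrity flow of Steps S311 to S320 on the owner side and S620 to S650 on the user side, in Python. The hash instantiation (domain-separated SHA-256), the keystream cipher standing in for the unspecified symmetric cipher, the byte encoding of R and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _h(tag, data):
    # Assumption: domain-separated SHA-256 stands in for H0, H1 and H2.
    return hashlib.sha256(tag + b"|" + data).digest()

def H0(R):
    return _h(b"H0", R)      # R_0 = H0(R), fixed 32-byte output

def H1(R):
    return _h(b"H1", R)      # K_sym = H1(R)

def H2(data):
    return _h(b"H2", data)   # V = H2(R_0 || CT_sym)

def _xor_stream(key, data):
    # Stand-in for the symmetric cipher, which the text leaves unspecified:
    # SHAKE-256 keystream XOR. For illustration only.
    ks = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def owner_encrypt(R, msg):
    """S311-S320: derive K_sym from R, encrypt, and compute V."""
    ct_sym = _xor_stream(H1(R), msg)
    # R_0 has fixed length, so R_0 || CT_sym is an unambiguous encoding.
    return ct_sym, H2(H0(R) + ct_sym)

def user_decrypt(R, ct_sym, V):
    """S620-S650: recompute V from the recovered R before decrypting."""
    expected = H2(H0(R) + ct_sym)
    if not hmac.compare_digest(expected, V):
        raise ValueError("integrity verification failed")
    return _xor_stream(H1(R), ct_sym)

def demo():
    R = secrets.token_bytes(32)    # constructed: serialized G_T element
    msg = b"sensor-17 temp=21.4C"  # constructed plaintext
    ct, V = owner_encrypt(R, msg)
    outcomes = {"honest": user_decrypt(R, ct, V) == msg}
    tampered = bytes([ct[0] ^ 1]) + ct[1:]  # stored ciphertext modified
    wrong_R = secrets.token_bytes(32)       # incorrect semi-decryption result
    cases = (("tampered_ct", (R, tampered, V)), ("wrong_R", (wrong_R, ct, V)))
    for name, args in cases:
        try:
            user_decrypt(*args)
            outcomes[name] = "accepted"
        except ValueError:
            outcomes[name] = "rejected"
    return outcomes

if __name__ == "__main__":
    print(demo())
```

    Because V covers R.sub.0, a semi-decrypted value that does not lead back to the owner's R fails the check in the same way as a modified CT.sub.sym.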

    [0070] Step S700 includes:

    [0071] S710: Whether a structure of the decryption key satisfies a standard is verified through the following conditions:


    K.sub.1,i,K.sub.2,i∈G;


    K.sub.3,i,GID∈Z.sub.p*;

    [0072] S720: If yes, whether a following equation is satisfied is determined:


    $e(K_{1,i},\; g^{a_j} g^{b_j \cdot K_{3,i}} g^{GID}) = e(g,g)^{\alpha_i}\, e(H(GID), g^{\beta_i})$.

    [0073] S730: An identity number GID is output if yes, the identity number GID being an identity number of a data user leaking the key.

    [0074] In the embodiment, pseudo-random permutation is used to simulate true random selection.

    [0075] In the embodiment, the ABE in Step S300 and the attribute-based decryption in Step S500 and Step S600 are based on decisional bilinear Diffie-Hellman (DBDH). The security of the decryption key and the outsourcing decryption key in Step S400 is based on a discrete logarithm (DL) hypothesis.

    [0076] If the legal data user leaks an own private key to an illegal data user, the right and interest of the data owner are damaged. The white-box traceback algorithm is used to trace an identity to realize accountability in key leakage.

    [0077] FIG. 2 is an architecture diagram of a system 100 for performing the ABE method of the present disclosure. The central authority 101, the attribute authority 102, the data owner 103, the data user 104 and the cloud storage center 105 may be communicatively coupled together via a network 106. The network may be a wired network, a wireless network, or a combination of wired and wireless networks. The network may be a local area network, a corporate intranet, a wide area network, or the Internet.

    [0078] The data user and data owner may be a user device with clients, including but not limited to a desktop, a laptop, a netbook, a tablet, a smartphone, a mobile device, and/or any other type of computing system in accordance with one or more example embodiments. The cloud storage center may be a cloud-based server, a server, a workstation and/or any other type of an Elastic Compute Service (ECS).

    [0079] The central authority and the attribute authority may be computing devices or servers at least including a processing unit (processors) and a storage.

    [0080] The aforementioned embodiments are only preferred embodiments illustrated for fully explaining the present disclosure, and the claimed scope of the present disclosure is not limited thereto. Equivalent substitutions or transformations made by those skilled in the art on the basis of the present disclosure are both within the claimed scope of the present disclosure. The claimed scope of the present disclosure shall be determined by the claims.