Computer Networks 195 (2021) 108196

Contents lists available at ScienceDirect

Computer Networks
journal homepage: www.elsevier.com/locate/comnet

A revocable and outsourced multi-authority attribute-based encryption

scheme in fog computing
Shanshan Tu a , Muhammad Waqas a,b , Fengming Huang a ,∗, Ghulam Abbas b , Ziaul Haq Abbas c
a
Engineering Research Center of Intelligent Perception and Autonomous Control, Faculty of Information Technology, Beijing University of
Technology, Beijing, 100124, PR China
b
Faculty of Computer Science and Engineering, Ghulam Ishaq Khan Institute of Engineering Sciences and Technology, Topi, 23460, Pakistan
c
Faculty of Electrical Engineering, Ghulam Ishaq Khan Institute of Engineering Sciences and Technology, Topi, 23460, Pakistan

ARTICLE INFO ABSTRACT

Keywords: Fog computing is a revolutionary technology for the next generation to bridge the gap between cloud data
Mobile fog computing centers and end-users. Fog computing is not a counterfeit for cloud computing but a persuasive counterpart. It
Multi-authority attribute-based encryption also accredits by utilizing the network edge while still rendering the possibility to interact with the cloud.
Attribute revocation
Nevertheless, the features of fog computing are encountering several security challenges. The security of
end-users and/or fog servers brings a significant dilemma in implementing fog computing. Moreover, in
conventional cloud computing, the attribute-based encryption (ABE) technology is not appropriate for end-
users due to restricted computing resources, i.e., limited resources, high end-to-end delay, and transmission
capability. Hence, the revocation and outsourcing mechanisms become inappropriate between end-users and
cloud servers. In this regard, this paper recommends a multi-authority attribute-based encryption (MA-ABE)
technique to support revocation and outsource the attributes to fog computation. We present an attribute
revocation scheme based on cipher-text attribute-based encryption by introducing the attribute group keys.
In this process, the secret keys are dynamically altered and realized the requirement of immediate attribute
revocations. Hence, we provide the complete encryption and decryption process for end-users and fog servers
based on multi-authority, attribute revocation, and outsourcing computation, while most of the existing
scheme lack to incorporate all these parameters. Our scheme also outsources the complicated encryption and
decryption tasks to the fog server that significantly improves the overall computation efficiency compared to
the state-of-the-art work.

1. Introduction The concept of attributes is introduced into the crypto-system, and

With the exponential growth of the Internet of Things (IoT) ap-
plications, massive data, system accessibility and real-time processing
requirements pose a severe challenge to cloud computing [1]. The
static cloud computing constraints and the longer distance between
cloud servers and end-users make cloud computing insufficient for
a wide range of mobile applications [2]. Therefore, the data should
be processed in geographically distributed data centers. These limi-
tations have led to the emergence of a novel research arena called
fog computing [3]. Fog Computing is an excellent paradigm for cloud
computing at network edges that enables seamless integration of cloud
computing and end-users. Fog computing provides low latency, location
awareness, mobility to support, heterogeneity, and offloading [4].
a series of attributes can be described by end-users [5]. The encryptor
does not need to know the specific identifying information of the recipi-
ent. It embeds the attribute or access structure into the cipher-text when
encrypting. The decryptions are satisfied if the user’s attributes meet
the defined access structure by achieving fine-grained access control.
However, the traditional attribute-based encryption (ABE) technology
in cloud computing is challenging to apply in fog computing [6,7].
The reason is that the conventional ABE technology mainly adopts the
single authorization center method, which has an efficient bottleneck
and single point attack. In addition, the traditional attribute revocation
scheme is neither flexible nor efficient enough and is unsuitable for end-
users with frequent changes of locations. Furthermore, the conventional

∗ Corresponding author at: Engineering Research Center of Intelligent Perception and Autonomous Control, Faculty of Information Technology, Beijing
University of Technology, Beijing, 100124, PR China.
E-mail addresses: sstu@bjut.edu.cn (S. Tu), muhammad.waqas@giki.edu.pk (M. Waqas), huangfm@emails.bjut.edu.cn (F. Huang), abbasg@giki.edu.pk
(G. Abbas), ziaul.h.abbas@giki.edu.pk (Z.H. Abbas).

https://doi.org/10.1016/j.comnet.2021.108196
Received 18 February 2021; Received in revised form 29 April 2021; Accepted 20 May 2021
Available online 27 May 2021
1389-1286/© 2021 Elsevier B.V. All rights reserved.
S. Tu et al.
ABE technology is not ideal for end-users with limited computing
resources and complex operation [8].
Besides the benefits brought by fog computing, the security issues
are yet to mature [9]. These include the data confidentiality and
access control for resource-constraint devices [10]. As fog servers are
distributed on the network edge and less expensive as compared to
cloud servers, resource-constraint devices are more readily vulnerable
and low-trustworthy. Encrypting data in advance prior to upload is one
innovative way of solving such challenges. Hence, ABE’s concept is a
one-to-many cryptographic method that satisfies these criteria [11]. A
series of attributes can describe each entity. The encryptor does not
require recognizing the user’s specific identity information. However,
it only requires embedding the attribute or access structure into the
cipher-text during encryption. The users only decrypt the data when the
users’ attribute meets the defined access structure. It has a process that
allows access control between secret keys and cipher-texts over data
encryption through access policies and ascribed attributes. To decrypt
the cipher-text, the ABE offers data owners the capability to specify the
access policy over the range of users’ attributes. The data security and
fine-grained access control must be ensured in this manner.
The ABE technology is to embed a series of attributes or access
control structures in the cipher-text by exploiting public key encryp-
tion. In this process, the attributes must satisfy the defined access
structure before decryption to describe the end-user’s identity char-
acteristics. For instance, the authors in [12] classified the ABE into
key policy attribute-based encryption and cipher-text policy ABE (CP-
ABE) according to the access control structure’s location. In another
article [13], the authors proposed the attribute-based broadcast encryp-
tion for lightweight devices. In addition, the authors in [14] applied
an attribute encryption method to fog computing to realize secure key
sharing between fog servers and cloud servers. However, these related
and existing works do not explain the multi-authority and attribute
revocation.
In Multi-authority attribute-based encryption (MA-ABE), various
attribute authorities (which may be independent of each other) control
different attribute universe. MA-ABE is also involved in the adminis-
tration of attribute keys for decryption [15]. It provides the necessary
platform to undertake the implementation of fine-grained access regu-
lation over shared data while achieving single-to-numerous encryption.
In recent years, research into MA-ABE has seen rapid advancement. The
researchers believe that MA-ABE is a suitable solution to thwarting the
key escrow problem as well as the problem of distributed management
of attributes [16]. Furthermore, the data owner encrypts data under
the access structure over attributes and a set of attributes assigned
to users is embedded in users’ secret key. A user is able to decrypt
if his attributes satisfy the cipher-text access structure. Hence, the
processes of user’s attribute revocation and grant are concentrated on
the authority and the data owner [17].
The authors of [18] proposed MA-ABE technique. In this work, the
MA-ABE consists of a completely trusted authorization center that could
decode the network’s cypher-text. Furthermore, the authors of [19]
proposed a protected MA-ABE scheme under the random oracle model
(ROM). In [20], the authors also suggested an MA-ABE scheme for
multi-authority to support large attribute domains. In another arti-
cle [21], an MA-ABE technique is investigated to support decryption
offloading compute-intensive tasks. However, it does not achieve en-
cryption offloading compute-intensive tasks, and hence, it is not suit-
able for fog environments. Although the authors incorporate the ABE
technique’s multi-authority, none of the existing methods realize the
attribute revocation and outsourcing computation in their work.
Due to the frequent changes of the user’s permissions, the sys-
tem must revoke the user’s attributes [22]. In this regard, most of
the ABE schemes focus on how to implement more abundant access
strategies. However, most of them also ignore the attribute revocation
in the encryption stage [23]. For instance, the proxy re-encryption
technology is introduced into attribute revocation in [24]. The main
2
Computer Networks 195 (2021) 108196
point is to utilize a version number to define the framework master
key evolution process. At the same time, public key, private key, and
cipher-text are all related to a version number. However, it requires
real-time proxies. In [25], the authors proposed the concept of the
attribute group key. The system generates the corresponding group key
according to the revocation list. Hence, only legitimate users can obtain
the group key. The authors of [26] implemented attribute revocation
using the attribute group key and proved that it is selective security
under the standard model. However, its complex computing overhead
is not suitable for devices with limited resources and cannot be directly
used in fog computing. Moreover, the above works do not consider the
outsourcing mechanisms in their work.
With the rapid development of fog computing, the enterprises and
individuals can outsource their sensitive data into the fog server where
they can enjoy high quality data storage and computing services in a
ubiquitous manner [27]. This is known as the outsourcing computa-
tion paradigm. Recently, the problem for securely outsourcing various
expensive computations or storage has attracted considerable attention
in the academic community [28,29]. In contrast, the authors of [30]
proposed outsourcing decryption operations in attribute-based encryp-
tion technology. The authors proposed the CP-ABE privacy protection
technique in [31]. The authors allow the devices to outsource cloud
service providers encryption and decryption without data leakage.
However, the difficulty of the data owner’s access structure increases
the computational overhead of the encryption. The authors of [32]
also introduced a general system of attribute-based encryption to out-
source the decryption process to cloud servers. However, it leaves the
end-users with a constant number of calculations to decrypt the cipher-
text. The scheme in [33] also illustrated the outsourced decryption
mechanism to fog servers but did not achieve encryption outsourcing.
Keeping the problems mentioned above in mind, we propose an MA-
ABE scheme to resolve the literature’s limitations that support attribute
revocation and computation outsourcing in fog computing. Due to the
limited computing resources of end-users, computing efficiency needs
to be improved. Fog servers are located at the edge of the cloud,
closer to the end-user, and most appropriate to serve as outsourcing
agents [34]. The fog servers can perform a large amount of computing
to alleviate the end-users computational overhead. Hence, we propose
an MA-ABE scheme that outsources both encryption and decryption
operations to fog servers. As a result, it significantly alleviates the
computing burden of terminal equipment and improves overall compu-
tational efficiency. The key contributions of our work are summarized
as follows.
• We describe a three-layer system model based on ‘‘cloud-fog-
terminal’’ and introduce the attribute-based encryption/
decryption method of traditional cloud computing into fog com-
puting. Besides, we adopt the multi-authority mechanism and sup-
port large attribute domains that effectively adapt to distributed
computing requirements.
• For the problem of dynamic change of user attributes, we propose
an attribute revocation mechanism based on CP-ABE. It conducts
the instant attribute revocation through the group key attribute
and retains the control of fine-grained access.
• Our proposed CP-ABE scheme supports the outsourcing mecha-
nisms for both encryption and decryption process. It reduces the
computational burden of the end-users and improves the overall
computational efficiency of the system.
• We compare our scheme with an existing state-of-the-art scheme
[13]. The results indicate that our mechanism is reliable and
efficient than an existing method.
The rest of the paper is written as follows. After the introduction in
Section 1, the system model is explained in Section 2. Section 3 intro-
duces our suggested algorithm. The simulation results are presented in
Section 4. Finally, the paper is concluded in Section 5.
S. Tu et al.
Fig. 1. System model.
2. System model
The system and security models are discussed in this section. First,
we propose a three-layer system model based on ‘‘cloud–fog-terminal’’
as depicted in Fig. 1. The system model is comprised of central au-
thority, attribute authority, cloud service provider, fog server, and
end-users. The fog servers are the base stations (BSs) and are responsi-
ble for connecting the end-users through the wireless network. In our
proposed system model, the central Authority (𝐶𝐴) is accountable to
set global public parameters (𝐺𝑃 ). In addition, it is responsible for
both end-users and attributes authority (𝐴𝐴𝑠) registration queries. For
each end-user, the 𝐶𝐴 creates a unique global user identity (𝑢𝑖𝑑) and
a unique authority identity (𝑎𝑖𝑑) for every 𝐴𝐴.
The attribute authority (𝐴𝐴) performs the attribute authority’s duty
to control the end-users attributes. The 𝐴𝐴 can approve, revoke, and
upgrade the user’s attributes in compliance with the end-users identity
identifier and attribute characteristics. It is to be noted that every 𝐴𝐴
determines the public key (𝐴𝑃 𝐾) and provides end-users with secret
keys (𝐴𝑆𝐾). The cloud service provider (𝐶𝑆𝑃 ) has the data storage and
management functions’ responsibility, including data storage server
and data management server. In the attribute revocation stage, the
revoked user’s access can be prevented by re-encrypting the cipher-
text by the 𝐶𝑆𝑃 . Moreover, the fog servers involved in the process of
encryption and decryption tasks. The data owners (𝐷𝑂𝑠) outsources a
part of the cipher-text to the fog servers, and the end-users outsources
a part of the decryption process. Consequently, it alleviates the compu-
tational burden of the end-users. The 𝐷𝑂𝑠 define the data access policy
that needs to be encrypted. It also specifies the authentic end-users that
can access and define the scope of the authorized user. Once the end-
users identified, the private data can then be encrypted. The end-users
can download and decrypt the data from cloud server via fog servers
if they want to access the data. The data can only be viewed by those
who adhere to the access policies, thereby ensuring fine-grained access
control. In the next section, we will explain our proposed MA-ABE
technique.
3
Computer Networks 195 (2021) 108196
3. Proposed MA-ABE technique
Our proposed MA-ABE technique includes six steps, i.e., initializa-
tion (𝑆𝑒𝑡𝑢𝑝), Key Generation (𝐾𝑒𝑦𝐺𝑒𝑛), Encryption (𝐸𝑛𝑐.),
Re-Encryption (Re-Enc), Decryption (𝐷𝑒𝑐) and Attribute Revocation.
3.1. Phase 1: initialization (𝑆𝑒𝑡𝑢𝑝)
Let 𝑔 be a generator of 𝐺, and 𝑈 denotes the set (universe) of
attributes. 𝐴𝐼𝐷 denotes the set of all attribute authorities, and 𝑈 𝐼𝐷
denotes the set of global identities of all end-users. In the rest of the
initialization (𝑆𝑒𝑡𝑢𝑝) phase, we have the following steps.
3.1.1. Global initialization (𝐺𝑙𝑜𝑏𝑎𝑙𝑆𝑒𝑡𝑢𝑝)
According to the security parameters (𝜆), 𝐶𝐴 chooses a bilinear
map, i.e., 𝑒 ∶ 𝐺 ∗ 𝐺 → 𝐺𝑇 , where 𝐺 and 𝐺𝑇 are two multiplicative
cyclic groups of prime order 𝑝. The function 𝐻 maps user identities
𝑢𝑖𝑑 𝜖 𝑈 𝐼𝐷 to the elements of 𝐺. Also, the function 𝐹 maps the users’
attributes to the elements of 𝐺. The 𝑇 is the mapping of end-user
attributes to the 𝐴𝐴. Hence, the global public parameters (𝐺𝑃 ) are
given as follows.
( )
𝐺𝑃 = 𝐺, 𝐺𝑇 , 𝑝, 𝑔, 𝑒, 𝑈 , 𝐴𝐼𝐷, 𝑈 𝐼𝐷, 𝐻, 𝐹 , 𝑇 . (1)
3.1.2. Attribute authority initialization (𝐴𝐴𝑆𝑒𝑡𝑢𝑝)
For the identity authority, i.e., 𝑎𝑖𝑑 𝜖 𝐴𝐼𝐷, 𝐴𝐴 chooses two random
numbers, i.e., 𝛼𝑎𝑖𝑑 , 𝛽𝑎𝑖𝑑 𝜖 Z𝑝 and the corresponding public key (𝐴𝑃 𝐾)
and secret key (𝐴𝑆𝐾) are generated as follows.
( )
𝐴𝑃 𝐾𝑎𝑖𝑑 = 𝑒 (𝑔, 𝑔)𝛼𝑎𝑖𝑑 , 𝑔 𝛽𝑎𝑖𝑑 , (2)
and
( )
𝐴𝑆𝐾𝑎𝑖𝑑 = 𝛼𝑎𝑖𝑑 , 𝛽𝑎𝑖𝑑 . (3)
The overall description for the initialization (𝑆𝑒𝑡𝑢𝑝) phase is sum-
marized in our proposed Algorithm 1.
S. Tu et al. Computer Networks 195 (2021) 108196

Algorithm 1 Phase 1: Initialization (𝑆𝑒𝑡𝑢𝑝) contained in the access policy, 𝑛 reflects the amount of computation
required for secret reconstruction, and function 𝜌 maps each row 𝑀𝑖
Require:
of 𝑀 to an attribute 𝜌 (𝑖). Next, the data owner sends access policy
𝑝: Prime order,
𝐴 = (𝑀, 𝜌) to the fog server. The following steps are involved in this
𝑔: Generators,
phase.
𝑒: A bilinear map,
𝑒 ∶ 𝐺 ∗ 𝐺 → 𝐺𝑇 ;
𝑈 : Set (universe) of attributes, 3.3.1. Fog node encryption (𝐹 𝑜𝑔𝐸𝑛𝑐.)
𝐴𝐼𝐷: Set of all attribute authorities, The fog server chooses a random number 𝑟1 , … , 𝑟𝑙 𝜖 Z𝑝 , and two
( )𝑇 ( )𝑇
𝑈 𝐼𝐷: Set of global identities of all users, random vectors 𝑧 = 0, 𝑧2 , … , 𝑧𝑛 and 𝑣 = 𝑠, 𝑣2 , … , 𝑣𝑛 , where 𝑠
∗
𝜖 Z𝑝 is the secret to being shared. It computes 𝜆𝑖 = 𝑀𝑖 𝑣 and 𝑤𝑖 =
𝐻: Maps user identities 𝑢𝑖𝑑 𝜖 𝑈 𝐼𝐷 to elements of 𝐺,
𝐹 : Maps users’ attributes to elements of 𝐺, 𝑀𝑖 𝑧, 𝑖 = 1, 2, … , 𝑙. The function 𝐻 maps each row 𝑀𝑖 of 𝑀 to the
𝑇 : Maps users’ attributes to the attribute authority, authority who issues attribute 𝜌 (𝑖). Consequently, it computes 𝐶1,𝑖 =
𝛼𝑎𝑖𝑑 , 𝛽𝑎𝑖𝑑 𝜖 Z𝑝 : random numbers, 𝑒 (𝑔, 𝑔)𝜆𝑖 𝑒 (𝑔, 𝑔)𝛼𝛿(𝑖) 𝑟𝑖 , 𝐶2,𝑖 = 𝑔 −𝑟𝑖 , 𝐶3,𝑖 = 𝑔 𝛽𝛿(𝑖) 𝑟𝑖 𝑔 𝑤𝑖 and 𝐶4,𝑖 = 𝐹 (𝜌 (𝑖))𝑟𝑖 ,
Ensure: the cipher-text is computed as follows.
( ) ( {
Compute 𝐺𝑃 = 𝐺, 𝐺𝑇 , 𝑝, 𝑔, 𝑒, 𝑈 , 𝐴𝐼𝐷, 𝑈 𝐼𝐷, 𝐻, 𝐹 , 𝑇 , 1
} )
𝐶𝑇𝑜𝑢𝑡 = 𝐴, 𝐶1,𝑖 , 𝐶2,𝑖 , 𝐶3,𝑖 , 𝐶4,𝑖 𝑖𝜖[𝑙] . (5)
for 𝑎𝑖𝑑 𝜖 𝐴𝐼𝐷 do
( )
Compute 𝐴𝑃 𝐾𝑎𝑖𝑑 = 𝑒 (𝑔, 𝑔)𝛼𝑎𝑖𝑑 , 𝑔 𝛽𝑎𝑖𝑑 ,
( ) 3.3.2. Data Owner Encryption (𝐷𝑂𝐸𝑛𝑐.)
Compute 𝐴𝑆𝐾𝑎𝑖𝑑 = 𝛼𝑎𝑖𝑑 , 𝛽𝑎𝑖𝑑 ,
end for The 𝐷𝑂 chooses a random 𝐷𝐾 ∈ Z𝑝 , and encrypts the data 𝑚
with 𝐷𝐾 using symmetric encryption algorithm 𝑆𝐸, denoted as 𝐶 =
𝑆𝐸𝐷𝐾 (𝑚). Then, it computes 𝐶0 = 𝐷𝐾 ⋅ 𝑒 (𝑔, 𝑔)𝑠 . The 𝐷𝑂 outputs to
cipher-text 𝐶𝑇 is given as
3.2. Phase 2: key generation (𝐾𝑒𝑦𝐺𝑒𝑛) ( { } )
𝐶𝑇 = 𝐴, 𝐶, 𝐶0 , 𝐶1,𝑖 , 𝐶2,𝑖 , 𝐶3,𝑖 , 𝐶4,𝑖 𝑖𝜖[𝑙] . (6)
The key generation (𝐾𝑒𝑦𝐺𝑒𝑛) algorithm includes two parts, i.e., the
The 𝐷𝑂 sends the cipher-text 𝐶𝑇 to the fog server, and the fog
private key generation algorithm and the attribute group key genera-
server uploads the received cipher-text 𝐶𝑇 to the 𝐶𝑆𝑃 , which then
tion algorithm. The entire process is as follows.
re-encrypts the cipher-text as summarized in Algorithm 3.
3.2.1. User private key generation (SKGen)
𝑆𝑢𝑖𝑑,𝑎𝑖𝑑 is a set of attributes owned by end-user 𝑢𝑖𝑑. For each Algorithm 3 Phase 3: Encryption (𝐸𝑛𝑐.)
attribute 𝑖𝜖𝑆𝑢𝑖𝑑,𝑎𝑖𝑑 , 𝐴𝐴 first chooses a random number 𝑡𝑖 𝜖 Z𝑝 . Then, Require:
it computes 𝐾𝑢𝑖𝑑,𝑖 = 𝑔 𝛼𝑎𝑖𝑑 𝐻 (𝑢𝑖𝑑)𝛽𝑎𝑖𝑑 𝐹 (𝑖)𝑡𝑖 and 𝐾𝑢𝑖𝑑,𝑖
′ = 𝑔 𝑡𝑖 . Finally, it 𝐴 = (𝑀, 𝜌): An access policy,
outputs the end-user secret key as given by 𝑟1 , … , 𝑟𝑙 𝜖 Z𝑝 : Random numbers,
({ } ) ( )𝑇
′ 𝑧 = 0, 𝑧2 , … , 𝑧𝑛 : A random vector,
𝑆𝐾𝑆,𝑢𝑖𝑑,𝑎𝑖𝑑 = 𝐾𝑢𝑖𝑑,𝑖 , 𝐾𝑢𝑖𝑑,𝑖 . (4) ( )𝑇
𝑖𝜖𝑆𝑢𝑖𝑑,𝑎𝑖𝑑 𝑣 = 𝑠, 𝑣2 , … , 𝑣𝑛 : A random vector,
𝐷𝐾: A random number,
3.2.2. Attribute group key generation (AttrGroupKeyGen)
𝑚: Data,
First, 𝐴𝐴 generates a binary 𝐾𝐸𝐾 tree for all users. In the 𝐾𝐸𝐾
𝑆𝐸: Symmetric encryption algorithm,
tree, each node is set to a random number [35]. Each end-user is
Ensure:
assigned to the leaf node of the tree. Afterwards, each end-user receives
Compute 𝐶 = 𝑆𝐸𝐷𝐾 (𝑚),
the path key 𝑃 𝐴𝑇 𝐻𝑡 from its leaf node to the tree’s root node [36].
{ Compute 𝐶0 = 𝐷𝐾 ⋅ 𝑒 (𝑔, 𝑔)𝑠 ,
For example, the path key of 𝑢2 is 𝑃 𝐴𝑇 𝐻2 = 𝐾𝐸𝐾9 , 𝐾𝐸𝐾4 , 𝐾𝐸𝐾2 ,
} for 𝑖 𝜖 [𝑙] do
𝐾𝐸𝐾1 . Finally, the attribute authority, 𝑎𝑖𝑑, selects random numbers
Compute 𝐶1,𝑖 = 𝑒 (𝑔, 𝑔)𝜆𝑖 𝑒 (𝑔, 𝑔)𝛼𝛿(𝑖) 𝑟𝑖 ,
𝐴𝐺𝐾𝑥 𝜖 Z𝑝 as attribute group keys as described in Algorithm 2. In the
Compute 𝐶2,𝑖 = 𝑔 −𝑟𝑖 ,
Re-Enc. phase, the path key is used by 𝐶𝑆𝑃 to encrypt the attribute
Compute 𝐶3,𝑖 = 𝑔 𝛽𝛿(𝑖) 𝑟𝑖 𝑔 𝑤𝑖 ,
group key.
Compute 𝐶4,𝑖 = 𝐹 (𝜌 (𝑖))𝑟𝑖 ,
( {
1 = 𝐴, 𝐶 , 𝐶 , 𝐶 , 𝐶
})
Compute 𝐶𝑇𝑜𝑢𝑡 4,𝑖 ,
( 1,𝑖
{
2,𝑖 3,𝑖
} )
Algorithm 2 Phase 2: Key Generation (𝐾𝑒𝑦𝐺𝑒𝑛)
Compute 𝐶𝑇 = 𝐴, 𝐶, 𝐶0 , 𝐶1,𝑖 , 𝐶2,𝑖 , 𝐶3,𝑖 , 𝐶4,𝑖 𝑖𝜖[𝑙] .
Require: end for
𝑡𝑖 𝜖 Z𝑝 : A random number;
Ensure:
for 𝑖 𝜖 𝑆𝑢𝑖𝑑,𝑎𝑖𝑑 do 3.4. Phase 4: Re-Encryption ( Re-Enc.)
Computes 𝐾𝑢𝑖𝑑,𝑖 = 𝑔 𝛼𝑎𝑖𝑑 𝐻 (𝑢𝑖𝑑)𝛽𝑎𝑖𝑑 𝐹 (𝑖)𝑡𝑖 ,
′ 𝜌 (𝑖) linked with the access policy 𝐴 of 𝐶𝑇 for each attribute.
Computes 𝐾𝑢𝑖𝑑,𝑖 = 𝑔 𝑡𝑖 ,
( ′
) The appropriate attribute group key 𝐴𝐺𝐾𝜌(𝑖) is utilized to re-encrypt
Compute 𝑆𝐾𝑆,𝑢𝑖𝑑,𝑎𝑖𝑑 = 𝐾𝑢𝑖𝑑,𝑖 , 𝐾𝑢𝑖𝑑,𝑖 , the ciphertext, 𝐶𝑇 . The re-encrypted ciphertext 𝐶𝑇 ′ is calculated as
end for follows.
( { )
Generates a binary KEK tree ∀ users, ( )𝐴𝐺𝐾𝜌(𝑖) }
Selects random numbers 𝐴𝐺𝐾𝑥 𝜖 Z𝑝 as attribute group keys. 𝐶𝑇 ′ = 𝐴, 𝐶, 𝐶0 , 𝐶1,𝑖 , 𝐶2,𝑖 , 𝐶3,𝑖 , 𝐶4,𝑖
′
= 𝐶4,𝑖 . (7)
𝑖𝜖[𝑙]

In the 𝐾𝐸𝐾 tree, 𝐶𝑆𝑃 selects the minimum root coverage set,
( )
3.3. Phase 3: encryption (𝐸𝑛𝑐.) i.e., 𝐾𝐸𝐾 𝐺𝑖 . It can cover all leaf nodes associated with the user
{ } ( ) {
set. For example, 𝐺𝑖 = 𝑢1 , 𝑢2 , 𝑢3 , 𝑢4 , 𝑢7 , 𝑢8 , and 𝐾𝐸𝐾 𝐺𝑖 = 𝐾𝐸𝐾2 ,
}
The encryption algorithm includes fog server encryption and 𝐷𝑂𝑠 𝐾𝐸𝐾7 . Finally, the header information is generated by
encryption algorithms. First, the 𝐷𝑂𝑠 defines an access policy 𝐴 = ( { ( )} )
(𝑀, 𝜌), where 𝑀 is the 𝑙 × 𝑛 matrix, where l is the number of attributes 𝐻𝑑𝑟 = ∀𝑦𝜖𝑌 ∶ 𝐸𝐾 𝐴𝐺𝐾𝜌(𝑦) 𝐾𝜖𝐾𝐸𝐾 (𝐺 ) , (8)
𝑦

4
S. Tu et al. Computer Networks 195 (2021) 108196

where Y is the set of attributes contained in the access policy and Algorithm 5 Phase 5: Decryption (𝐷𝑒𝑐.)
( )
𝐸𝐾 𝐴𝐺𝐾𝜌(𝑦) is symmetric encryption algorithms. The summary of the
Require:
overall process of phase 4 is given in Algorithm 4.
𝐴𝐺𝐾𝜌(𝑖) : Attribute group key,
𝑧 𝜖 Z𝑝 : A random number,
Algorithm 4 Phase 4: Re-Encryption (Re-Enc.)
Require: 𝐴𝐺𝐾𝜌(𝑖) : attribute group key, Ensure:
Ensure: for 𝜌 (𝑖) 𝜖 𝑆𝑢𝑖𝑑,𝑎𝑖𝑑 do
( ′ )1∕𝐴𝐺𝐾𝜌(𝑖)
for 𝑖 𝜖 [𝑙] do
( { ∗
′ ( )𝐴𝐺𝐾𝜌(𝑖) }) Compute 𝐾𝑢𝑖𝑑,𝜌(𝑖) = 𝐾𝑢𝑖𝑑,𝜌(𝑖)
{
,
}
𝐶𝑇 ′ = 𝐴, 𝐶, 𝐶0 , 𝐶1,𝑖 , 𝐶2,𝑖 , 𝐶3,𝑖 , 𝐶4,𝑖 = 𝐶4,𝑖 , ′ ∗
Compute 𝑆𝐾𝑆,𝑢𝑖𝑑,𝑎𝑖𝑑 = 𝐾𝑢𝑖𝑑,𝜌(𝑖) , 𝐾𝑢𝑖𝑑,𝜌(𝑖) ,
end for ( )
1 1∕𝑧
for 𝑦 𝜖 𝑌 do Compute 𝐾𝑢𝑖𝑑,𝜌(𝑖) = 𝐾𝑢𝑖𝑑,𝜌(𝑖) ,
({ ( )} ) ( )1∕𝑧
compute 𝐻𝑑𝑟 = 𝐸𝐾 𝐴𝐺𝐾𝜌(𝑦) 𝐾𝜖𝐾𝐸𝐾 (𝐺 ) . 2
Compute 𝐾𝑢𝑖𝑑,𝜌(𝑖) ∗
= 𝐾𝑢𝑖𝑑,𝜌(𝑖) ,
𝑦
end for { }
1
Compute 𝑂𝑆𝐾𝑆,𝑢𝑖𝑑 = 𝐾𝑢𝑖𝑑,𝜌(𝑖) 2
, 𝐾𝑢𝑖𝑑,𝜌(𝑖) ,
𝜌(𝑖)
3.5. Phase 5: Decryption (𝐷𝑒𝑐.) end for
for 𝑖 𝜖 [𝑙] do
′ 1∕𝑧
The decryption algorithm includes three parts, i.e., pre-decryption Compute 𝐶1,𝑖 = 𝐶1,𝑖 ,
′ 1∕𝑧
algorithm, fog server decryption algorithm, and user decryption algo- Compute 𝐶3,𝑖 = 𝐶3,𝑖 ,
( { ′ })
rithm. The following steps are involved in this phase. ′′ ′ ′
Compute 𝐶𝑇 = 𝐴, 𝐶, 𝐶0 , 𝐶1,𝑖 , 𝐶2,𝑖 , 𝐶3,𝑖 , 𝐶4,𝑖 ,
end for
3.5.1. Pre-decryption (pre-dec)
Compute 𝐵 = 𝑒 (𝑔, 𝑔)𝑠∕𝑧 ,
If the user attribute set does not satisfy the access policy, i.e., 𝑆𝑢𝑖𝑑 ∋ {
2 = 𝐴, 𝐶, 𝐶 , 𝐵 ,
}
Compute 𝐶𝑇𝑜𝑢𝑡 0
𝐴, end-user outputs invalid sign, i.e., ⊥. Otherwise, the end-user de- ( )𝑧
crypts the header information by using the intersection of the path key Compute𝐷𝐾 = 𝐶𝑜 ∕𝐵 = 𝐶0 ∕ 𝑒 (𝑔, 𝑔)𝑠∕𝑧 .
𝑧

and the minimum root node coverage set to obtain the attribute group
key. The end-user takes the attribute group key 𝐴𝐺𝐾𝜌(𝑖) to compute
( )1∕𝐴𝐺𝐾𝜌(𝑖)
∗
𝐾𝑢𝑖𝑑,𝜌(𝑖) ′
= 𝐾𝑢𝑖𝑑,𝜌(𝑖) . Finally, the user updates the private key 3.6. Phase 6: Attribute revocation
by
{ }
′ ∗ The attribute revocation phase is illustrated in algorithm 6 and
𝑆𝐾𝑆,𝑢𝑖𝑑,𝑎𝑖𝑑 = 𝐾𝑢𝑖𝑑,𝜌(𝑖) , 𝐾𝑢𝑖𝑑,𝜌(𝑖) . (9)
𝜌(𝑖)𝜖𝑆𝑢𝑖𝑑,𝑎𝑖𝑑 includes two parts, i.e., attribute group key update algorithm and
The user chooses the random number 𝑧 𝜖 Z𝑝 to compute 𝐾𝑢𝑖𝑑,𝜌(𝑖) 1 = cipher-text update algorithm. The attribute revocation phase has the
( )1∕𝑧 ( )1∕𝑧 following steps.
𝐾𝑢𝑖𝑑,𝜌(𝑖) 2 ∗
and 𝐾𝑢𝑖𝑑,𝜌(𝑖) = 𝐾𝑢𝑖𝑑,𝜌(𝑖) , and generate the outsourcing
private keys as given by 3.6.1. Attribute group key update (KeyUpdate)
{ }
1
𝑂𝑆𝐾𝑆,𝑢𝑖𝑑 = 𝐾𝑢𝑖𝑑,𝜌(𝑖) 2
, 𝐾𝑢𝑖𝑑,𝜌(𝑖) . (10) When user attribute 𝑥 is revoked, 𝐴𝐴 re-selects the new attribute
𝜌(𝑖)𝜖𝑆𝑢𝑖𝑑 group key 𝐴𝐺𝐾𝑥′ 𝜖 Z𝑝 for attribute 𝑥, then sends the new attribute group
Next, the user computes ′
𝐶1,𝑖
1∕𝑧 ′ =𝐶
= 𝐶1,𝑖 and 𝐶3,𝑖
1∕𝑧
, and modify the key and the updated attribute user group to 𝐶𝑆𝑃 .
3,𝑖
cipher-text as
( { } ) 3.6.2. Cipher-text update (CTUpdate)
𝐶𝑇 ′′ = 𝐴, 𝐶, 𝐶0 , 𝐶1,𝑖
′ ′
, 𝐶2,𝑖 , 𝐶3,𝑖 ′
, 𝐶4,𝑖 , [𝑙] = {1, 2, … , 𝑙} . (11) When 𝐶𝑆𝑃 receives a revocation request, it selects randomly 𝑟′1 , … ,
𝑖𝜖[𝑙] ( )𝑇 ( )𝑇
𝑟𝑙 ∈ Z𝑝 , 𝑣′ = 𝑠′ , 𝑣′2 , … , 𝑣′𝑛
′ and 𝑧′ = 0, 𝑧′2 , … , 𝑧′𝑛 , and computes
Finally, end-users outsourced the private key. The modified cipher- 𝜆′𝑖 = 𝑖 𝑣′ and 𝑤′𝑖 = 𝑖 𝑧′ . Then, it updates the cipher-text as
text is sent to the fog server.
⎛ 𝐴, 𝐶 = 𝑆𝐸𝐷𝐾 (𝑚) , 𝐶0 = 𝐷𝐾 ⋅ 𝑒 (𝑔, 𝑔)𝑠′ , ⎞
⎜ 𝜆′ 𝛼 𝑟′ ⎟
3.5.2. Fog Server Decryption (Fog.Dec)
{ } ⎜ ⎧ 𝐶1,𝑖 = 𝑒 (𝑔, 𝑔) 𝑖 𝑒 (𝑔, 𝑔) 𝛿(𝑖) 𝑖 , ⎫ ⎟
The fog server sets 𝐼 = 𝑥 ∶ 𝜌 (𝑥) 𝜖𝑆𝑢𝑖𝑑 and computes constants ⎜ ⎪ ′ ⎪ ⎟
{ } ∑ 𝐶 = 𝑔 𝑟𝑖 ,
𝑐𝑥 𝜖Z𝑝 𝑥𝜖𝐼 , such that 𝑥𝜖𝐼 𝑐𝑥 𝑀𝑥 = (1, 0, … , 0). It then computes 𝐶𝑇 ∗ = ⎜ ⎪ 2,𝑖 ′ ′
⎪ ⎟. (14)
⎜ ⎨ 𝐶3,𝑖 = 𝑔 𝛽𝛿(𝑖) 𝑟𝑖 𝑔 𝑤𝑖 , ⎬ ⎟
∏( ( ) ( ) ( ))𝑐𝑥 ⎜ ⎪ ( ) ′
′ 𝐴𝐺𝐾𝑢
⎪ ⎟
𝐵= ‘ ⋅ 𝑒 𝐾1
𝐶1,𝑥 ′
, 𝐶2,𝑥 ⋅ 𝑒 𝐻 (𝑢𝑖𝑑) , 𝐶3,𝑥 2
⋅𝑒 𝐾𝑢𝑖𝑑,𝜌(𝑖) ′
, 𝐶4,𝑥 , ⎜ ⎪⎩ 𝐶4,𝑖 = 𝐹 𝜌 (𝑖) 𝑖 𝑟 ⎪
⎭𝑖∈[𝑙] ⎟
𝑥𝜖𝐼
𝑢𝑖𝑑,𝜌(𝑖) ⎝ ⎠
∏( )𝑐
= 𝑒 (𝑔, 𝑔)𝜆𝑥 ∕𝑧 𝑒 (𝐻 (𝑢𝑖𝑑) , 𝑔)𝑤𝑥 ∕𝑧 𝑥 , Finally, the header information is regenerated as
𝑥∈𝐼 ( { ( )} )
𝐻𝑑𝑟 = ∀𝑦𝜖𝑌 ∶ 𝐸𝐾 𝐴𝐺𝐾𝜌(𝑦) ‘ (15)
= 𝑒 (𝑔, 𝑔)𝑠∕𝑧 . (12) ( ) .
𝐾𝜖𝐾𝐸𝐾 𝐺𝑦
2
{ }
Finally, the fog server sends the cipher-text 𝐶𝑇𝑜𝑢𝑡 = 𝐴, 𝐶, 𝐶0 , 𝐵 to
the end-user. 4. Performance analysis

3.5.3. User decryption (user dec.) We illustrate the security analysis and computational analysis in the
2 from the fog server, then
After the user receives the cipher-text 𝐶𝑇𝑜𝑢𝑡 performance analysis section.
compute,
( )𝑧 4.1. Security analysis
𝐷𝐾 = 𝐶𝑜 ∕𝐵 𝑧 = 𝐶0 ∕ 𝑒 (𝑔, 𝑔)𝑠∕𝑧 , (13)

Users can decrypt plain-text 𝑚 by using symmetric key 𝐷𝐾 as summa- The security analysis is divided into three aspects, i.e., data confi-
rized in Algorithm 5. dentiality, anti-collusion, and forward/backward security.

5
S. Tu et al. Computer Networks 195 (2021) 108196

Algorithm 6 Phase 6: Attribute Revocation Table 1

Symbols.
Require: Notation Description
′
𝐴𝐺𝐾𝑥 𝜖Z𝑝 : The new attribute group key,
′ ′ E Exponentiation operation
𝑟1 , … , 𝑟𝑙 ∈ Z𝑝 : A random vector, P Pairing operation
′
( ′ ′
)
′ 𝑇 𝑛𝑐 Number of attributes associated with previous access policy
𝑣 = 𝑠 , 𝑣2 , … , 𝑣𝑛 : A random vector; 𝑛𝑑 Number of attributes involved in decryption
′
( ′ )
′ 𝑇 𝑛𝑘 Number of attributes that a user holds
𝑧 = 0, 𝑧2 , … , 𝑧𝑛 : A random vector, 𝑛𝑟 Number of revoked attributes
Ensure:
for 𝑖 𝜖 [𝑙] do,
Table 2
⎞
⎟ Computational complexity.
⎛ ⎟ Algorithm Computational complexity
⎜ ⎟
⎜ 𝑠
′
⎟ 𝐺𝑙𝑜𝑏𝑎𝑙𝑆𝑒𝑡𝑢𝑝 O(1)P
⎜ 𝐴, 𝐶 = 𝑆𝐸𝐷𝐾 (𝑚) , 𝐶0 = 𝐷𝐾 ⋅ 𝑒 (𝑔, 𝑔) ; ⎟ 𝐴𝐴𝑆𝑒𝑡𝑢𝑝 O(1)E
⎜ ⎫ ⎟ 𝐾𝑒𝑦𝐺𝑒𝑛 O(𝑛𝑘 )E
⎜ ⎪ ⎟ 𝐸𝑛𝑐. O(𝑛𝑐 )E
𝐶𝑇 ∗ = ⎜ ⎧ ⎪ ⎟,
⎜ ⎪ ′ ′
⎟
𝐷𝑒𝑐. O(𝑛𝑑 )E+O(𝑛𝑑 )P
⎜ ⎪ 𝐶1,𝑖 = 𝑒 (𝑔, 𝑔)𝜆𝑖 𝑒 (𝑔, 𝑔)𝛼𝛿(𝑖) 𝑟𝑖 , ⎪ O(𝑛𝑟 )E
′ ⎪ ⎟ 𝐾𝑒𝑦𝑈 𝑝𝑑𝑎𝑡𝑒
⎜ ⎪ 𝐶 = 𝑔 𝑟𝑖 , ⎬ ⎟ 𝐶𝑇 𝑈 𝑝𝑑𝑎𝑡𝑒 O(𝑛𝑐 )E
⎜ ⎨ 2,𝑖 ′ ′ ⎪ ⎟
⎜ ⎪ 𝐶3,𝑖 = 𝑔 𝛽𝛿(𝑖) 𝑟𝑖 𝑔 𝑤𝑖 , ⎪ ⎟
⎜ ⎪ ( ⎪ ⎟
′ )𝐴𝐺𝐾𝑢
′
⎜ ⎪ 𝑟 ⎪ ⎟
⎝ ⎩ 𝐶4,𝑖 = 𝐹 𝜌 (𝑖) 𝑖 ⎭ ⎠ operation can be neglected. Therefore, the calculation amount of ex-
end for ponential operation and bilinear pairing operation is analyzed. The
for 𝑦 𝜖 𝑌 do, ({ ) description of each symbol is shown in Table 1. The computational
( )}
Compute 𝐻𝑑𝑟 = ‘
𝐸𝐾 𝐴𝐺𝐾𝜌(𝑦) ( ) . complexity of each algorithm is summarized in Table 2.
𝐾𝜖𝐾𝐸𝐾 𝐺𝑦
The experiments are carried out under the ubuntu 16.04 operating
end for
system, using a computer with a processor of 2.40 GHz, Intel Core i5,
and using Charm encryption library [40]. Charm Encryption Library is
4.1.1. Data confidentiality an open-source library that performs the core mathematical functions
The security of the data can be assured if the user does not have a of a pair-based crypto-system. The simulation results with symmetrical
set of attributes that match the access policies [37]. Although the fog bilinear pairings (SS512) is based on the elliptic curve 𝑦2 = 𝑥3 + 𝑥. The
server conducts 𝐷𝑂 encryption computation in the encryption process, proposed technique is compared with the scheme [13], and the number
it can still access the data because it has no key. The fog server cannot of attributes is selected from 2 to 20. The number of tenants is 10. In
decrypt the cipher-text in the decryption stage because the attribute addition, 5 fog servers and 20 end-users, respectively, are considered
set cannot satisfy the access strategy of cipher-text, and unknown to the in our work. We used tree structure topology. The fog servers and end-
user’s private key. Therefore, only users with acceptable access policy users are connected wirelessly. The transmission range between the fog
attributes can decode the cipher-text. servers and end-users is considered as 100m in the distance. The path
loss factor is taken as 4. The computational cost of the algorithm is
4.1.2. Anti-collusion shown from Fig. 2 to Fig. 5. The number of 𝐴𝐴𝑠 in the system is set to
5 to ensure the validity from Fig. 2 to Fig. 5.
The attribute authority creates private keys for various users in
We compare our results with the existing scheme in [13]. In [13],
this scheme. Private keys are associated with 𝑡𝑖 random numbers, and
the authors proposed a multi-authority cipher-text policy attribute-
each user has a unique relationship that makes it useless to combine
based encryption (MA-CP-ABE) scheme to allow multiple authorities to
components in various private keys. We assume two or more users with
control the key distribution for an exponential number of attributes. In
different attributes are combined to satisfy the access requirement. Dur-
MA-CP-ABE, any string can be used as an attribute of the system, and
ing the decryption process, the attacker cannot measure 𝐵 = 𝑒 (𝑔, 𝑔)𝑠∕𝑧 .
these attributes are not necessarily enumerated during setup. Moreover,
The technique is known as anti-collision.
the cipher-text policies in the MA-CP-ABE system are sufficiently ex-
pressive and overcome the restriction that each attribute is used only
4.1.3. Forward/backward security
once. In our proposed MA-ABE scheme, there is no central authority
In attribute-based encryption algorithms, backward security means that distributes the keys to users [41]. Instead, there are several author-
that any user who holds an attribute should be prevented from ac- ities, each of which is responsible for the authorized key distribution
cessing the plain-text of the previously exchanged data before con- of a specific set of attributes. In both works, i.e., our proposed scheme
taining the attribute. The forward security means that any end-user and scheme in [13] used faster prime order bilinear groups rather than
who discards attributes is prohibited from accessing the plain-text of composite order groups. The construction is non-adaptively secure in
the subsequent data exchanged after discarding attributes unless other the ROM under a non-interactive q-type assumption [42]. Both works
valid attributes comply with the access policy [38]. This scheme allows use Charm encryption library, a programming framework developed for
users who do not adhere to the access policy to decipher the cipher- rapid prototyping of cryptographic primitives [40].
text. The cipher-text is re-encrypted and modified after the attribute is Fig. 2 illustrates the time of key generation, 𝐾𝑒𝑦𝐺𝑒𝑛. versus the
revoked. The revoked user cannot recover the group key of attributes. number of attribute per 𝐴𝐴. Observe from Fig. 2, the operation time of
Hence, the cipher-text cannot be decrypted and thus ensures forward the 𝐾𝑒𝑦𝐺𝑒𝑛. algorithm and the number of attributes 𝐴𝐴 exhibit a linear
security. increase in both cases. However, the operating time in our scheme is
slightly longer than the method presented in [13]. This is because our
4.2. Computational analysis proposed scheme requires more time to produce the group key attribute
in the 𝐾𝑒𝑦𝐺𝑒𝑛 process, while the work in [13] does not produce the
The execution time of the scheme is mainly distributed in exponen- group key attributes. The difference is significantly less as our proposed
tial operation, and bilinear pairing operation [39]. The multiplication scheme is approximately 0.4s higher than [13] when the number of

6
S. Tu et al. Computer Networks 195 (2021) 108196

Fig. 2. Computing overhead of the KeyGen algorithm. Fig. 4. Computing overhead of the Dec algorithm.

Fig. 3. Computing overhead of the Enc algorithm. Fig. 5. The computational overhead of the attribute revocation algorithm.

attribute per 𝐴𝐴 is 20. Furthermore, the difference of key generation attributes per 𝐴𝐴, i.e., 20, the operation time is less than 0.1s in our
time is 0.25s between our proposed scheme and work are done in [13], case. Hence, our proposed scheme is better than the scheme presented
when the number of attribute per 𝐴𝐴 is 8.
in [13]. The results indicate that our proposed scheme outsources most
Fig. 3 describes the encryption algorithm’s operation time versus the
of the computation to the fog server for encryption and decryption
number of attributes per 𝐴𝐴. It is noticed that the operation time of
operations. Consequently, it decreases the overhead computation. Our
the encryption algorithm of schemes [13] increases linearly with the
proposed scheme is more acceptable for those devices with limited
number of attributes per 𝐴𝐴. On the other hand, the operation time
computing resources and, hence, meets fog applications’ requirements.
of the encryption algorithm of our scheme is approximately constant
Our final experiment is regarding the computation time and the
even if the number of attributes per 𝐴𝐴 increases. This is because,
number of revoked attributes. The computational overhead of the
in our proposed scheme, the encryption process is outsourced to the
attribute revocation algorithm is shown in Fig. 5. Observe from Fig. 5,
fog servers. For instance, the operation time of encryption algorithm
the operation time for the revocation algorithm increases linearly with
is 2.1s in the case of [13] at 20 attributes per 𝐴𝐴. At the same
the increase in the number of attributes to be revoked.
attributes per 𝐴𝐴, i.e., 20, the encryption process’s operation time is
approximately 0.5s. This shows that the operation time of encryption
in our proposed case is 1.5s lower than the existing scheme in [13]. 5. Conclusion
Hence, it is concluded that our proposed scheme outperforms [13].
From Fig. 4, it can be seen that the operation time of 𝐷𝑒𝑐. algorithm Several problems exist in the attribute-based encryption mechanism
of scheme [13] increases linearly with the increase of the number of at- for fog environments, such as the attribute revocation, computational
tributes. On the other side, the operation time of 𝐷𝑒𝑐. algorithm of our efficiency, and security issue of a single authorization center. There-
scheme is constant. This is because the decryption process is outsourced fore, we proposed multi-authority attribute-based encryption (MA-ABE)
to the fog servers. For example, the operation time of decryption scheme that supports an efficient attribute revocation, which out-
process is 1s at 20 attributes per 𝐴𝐴 in case of [13]. At the same sources a part of the encryption and decryption operations to the

7
S. Tu et al.
fog servers. Hence, the outsourcing process reduces the computational
overhead of the end-users. After security analysis in our proposed
scheme, we also analyzed the computational overhead through simu-
lation results. The results indicate that our proposed scheme has better
efficiency and reliability than the existing scheme and meets the appli-
cation requirements of the actual fog environment. The communication
delays and the energy consumption due to the transmission process are
not considered in this work. Thus, we will consider the communications
delay and energy consumptions in the future work. .
Declaration of competing interest
The authors declare that they have no known competing finan-
cial interests or personal relationships that could have appeared to
influence the work reported in this paper.
Acknowledgments
This work is supported in part by the Beijing Natural Science
Foundation, China (No. 4212015), Natural Science Foundation of China
(No. 61801008), China Ministry of Education - China Mobile Scientific
Research Foundation (No. MCM20200102), China Postdoctoral Sci-
ence Foundation (No. 2020M670074), Beijing Municipal Commission
of Education Foundation (No. KM201910005025).
References
[1] K. Tange, M. De Donno, X. Fafoutis, N. Dragoni, A systematic survey of industrial
internet of things security: requirements and fog computing opportunities, IEEE
Commun. Surv. Tutor. 22 (4) (2020) 2489–2520, (Fourthquarter).
[2] Y. Meng, S. Tu, J. Yu, F. Huang, Intelligent attack defense scheme based on
DQL algorithm in mobile fog computing, J. Vis. Commun. Image Represent. 65
(2019) 102656.
[3] S. Tu, M. Waqas, S.U. Rehman, M. Aamir, O.U. Rehman, Z. Jianbiao, C.C. Chang,
Security in fog computing: A novel technique to tackle an impersonation attack,
IEEE Access 6 (2018) 74993–75001.
[4] M. Waqas, Y. Niu, Y. Li, M. Ahmed, D. jin, S. Chen, Z. Han, A comprehensive sur-
vey on mobility-aware D2D communications: principles, practice and challenges,
IEEE Commun. Surv. Tutor. 22 (3) (2020) 1863–1886, (thirdquarter).
[5] S. Xu, J. Yuan, G. Xu, Y. Li, X. Liu, Y. Zhang, Z. Ying, Efficient ciphertext-policy
attribute-based encryption with blackbox traceability, Inform. Sci. 538 (2020)
19–38.
[6] M. Waqas, M. Ahmed, J. Zhang, Y. Li, Confidential information ensurance
through physical layer security in device-to-device communication, in: IEEE
Global Communications Conference, GLOBECOM, Abu Dhabi, U.A.E, 2019, pp.
1–7.
[7] M. Waqas, M. Ahmed, Y. Li, D. Jin, S. Chen, Social-aware secret key generation
for secure device-to-device communication via trusted and non-trusted relays,
IEEE Trans. Wireless Commun. 17 (6) (2018) 3918–3930.
[8] Y. Zhang, R.H. Deng, S. Xu, J. Sun, Q. Li, D. Zheng, Attribute-based encryption
for cloud computing access control: A survey, ACM Comput. Surv. 53 (4) (2020)
41.
[9] M. Haus, M. Waqas, A.Y. Ding, Y. Li, S. Tarkoma, J. Ott, Security and privacy
in device-to-device (D2D) communication: A review, IEEE Commun. Surv. Tutor.
19 (2) (2017) 1054–1079, (Secondquarter).
[10] S. Tu, M. Waqas, Y. Meng, S. Rehman, I. Ahmad, A. Koubaa, Z. Halim, M. Hanif,
C.C. Chang, C. Shi, Mobile fog computing security: A user-oriented smart attack
defense strategy based on DQL, Comput. Commun. 160 (2020) 790–798.
[11] M. Waqas, Y. Niu, M. Ahmed, Y. Li, D. Jin, Z. Han, Mobility-aware fog computing
in dynamic environments: Understandings and implementation, IEEE Access 7
(2018) 38867–38879.
[12] M. Ali, J. Mohajeri, M.R. Sadeghi, X. Liu, A fully distributed hierarchical
attribute-based encryption scheme, Theoret. Comput. Sci. 815 (2020) 25–46.
[13] Y. Rouselakis, B. Waters, Efficient statically-secure large-universe multi-authority
attribute-based encryption, in: Financial Cryptography and Data Security, in:
Lecture Notes in Computer Science, vol. 8975, Springer, Berlin, Heidelberg, 2015.
[14] A. Alrawais, A. Alhothaily, C. Hu, X. Xing, X. Cheng, An attribute-based
encryption scheme to secure fog communications, IEEE Access 5 (2017)
9131–9138.
[15] Y. Hei, J. Liu, H. Feng, D. Li, Y. Liu, Q. Wu, Making MA-ABE fully accountable: A
blockchain-based approach for secure digital right management, Comput. Netw.
191 (2021) 108029.
[16] L. Zhang, J. Ren, Y. Mu, B. Wang, Privacy-preserving multi-authority
attribute-based data sharing framework for smart grid, IEEE Access 8 (2020)
23294–23307.
Computer Networks 195 (2021) 108196
[17] J. Zhao, P. Zeng, K.K.R. Choo, An efficient access control scheme with out-
sourcing and attribute revocation for fog-enabled E-health, IEEE Access 9 (2021)
13789–13799.
[18] S. Banerjee, B. Bera, A.K. Das, S. Chattopadhyay, M.K. Khan, J.J.P.C. Rodrigues,
Private blockchain-envisioned multi-authority CP-ABE-based user access control
scheme in IIoT, Comput. Commun. 169 (2021) 99–113.
[19] P.S.K. Oberko, V.H.K.S. Obeng, H. Xiong, A survey on multi-authority and
decentralized attribute-based encryption, J. Ambient Intell. Humaniz. Comput.
(2021).
[20] Y. Rouselakis, B. Waters, Efficient statically-secure large-universe multi-
authority attribute-based encryption, in: International Conference on Financial
Cryptography and Data Security, 2015, pp. 315–332.
[21] Z. Liu, Z.L. Jiang, X. Wang, S.M. Yiu, Practical attribute-based encryption:
Outsourcing decryption, attribute revocation and policy updating, J. Netw.
Comput. Appl. 108 (2018) 112–123.
[22] R. Guo, G. Yang, H. Shi, Y. Zhang, D. Zheng, O-R-CP-ABE: An efficient and
revocable attribute-based encryption scheme in the cloud-assisted IoMT system,
IEEE Internet Things J. (2021).
[23] S. Tu, Y. Huang, C.M.S. Magurawalage, L. Peng, Z. Zhou, Access control system
based cloudlet and ABE on mobile cloud, Internet Technol. 17 (7) (2016)
1443–1451.
[24] Y. Tu, G. Yang, J. Wang, Q. Su, A secure, efficient and verifiable multimedia
data sharing scheme in fog networking system, Cluster Comput. 24 (2021)
225–247.
[25] J. Hur, D.K. Noh, Attribute-based access control with efficient revocation in
data outsourcing systems, IEEE Trans. Parallel Distrib. Syst. 22 (7) (2010)
1214–1221.
[26] S. Wang, X. Zhang, Y. Zhang, Efficient revocable and grantable attribute-based
encryption from lattices with fine-grained access control, IET Inf. Secur. 12 (2)
(2018) 141–149.
[27] H. Zheng, J. Shao, G. Wei, Attribute-based encryption with outsourced decryption
in blockchain, Peer-to-Peer Netw. Appl. 13 (2020) 1643–1655.
[28] S. Tu, et al., Tracking area list allocation scheme based on overlapping
community algorithm, Comput. Netw. 173 (2020) 107182.
[29] J. Li, et al., Efficient and secure outsourcing of differentially private data
publishing with multiple evaluators, IEEE Trans. Dependable Secure Comput.
(2020).
[30] M. Green, S. Hohenberger, B. Waters, et al., Outsourcing the decryption of abe
ciphertexts, in: USENIX Security Symposium, vol. 2011, no. 3, 2011.
[31] J. Li, Y. Zhang, J. Ning, X. Huang, G.S. Poh, D. Wang, Attribute based encryption
with privacy protection and accountability for cloudIoT, IEEE Trans. Cloud
Comput. (2020).
[32] X. Mao, J. Lai, Q. Mei, K. Chen, J. Weng, Generic and efficient constructions
of attribute-based encryption with verifiable outsourced decryption, IEEE Trans.
Dependable Secure Comput. 13 (5) (2015) 533–546.
[33] C. Zuo, J. Shao, G. Wei, M. Xie, M. Ji, CCA-secure ABE with out-
sourced decryption for fog computing, Future Gener. Comput. Syst. 78 (2018)
730–738.
[34] M. Sulaiman, Z. Halim, M. Lebbah, M. Waqas, S. Tu, An evolutionary computing-
based efficient hybrid task scheduling approach for heterogeneous computing
environment, J. Grid Comput. 19 (11) (2021).
[35] L. Li, Z. Wang, N. Li, Efficient attribute-based encryption outsourcing scheme
with user and attribute revocation for fog-enabled IoT, IEEE Access 8 (2020)
176738-176749.
[36] W. Zhao, X. Dong, Z. Cao, J. Shen, A revocable publish-subscribe scheme using
CP-ABE with efficient attribute and user revocation capability for cloud sys-
tems, in: IEEE 2nd International Conference on Electronics and Communication
Engineering, ICECE, Xi’an, China, 2019, pp. 31–35.
[37] M. Tanveer, G. Abbas, Z.H. Abbas, et al., Securing 6LoWPAN using authenticated
encryption scheme, Sensors 20 (9) (2020) 2707.
[38] M. Zeng, Y. Li, K. Zhang, M. Waqas, D. Jin, Incentive mechanism design
for computation offloading in heterogeneous fog computing: A contract-based
approach, in: IEEE International Conference on Communications, ICC, Kansas
City, MO, USA, 2018, pp. 1–6.
[39] M. Sulaiman, Z. Halim, M. Waqas, D. Aydin, A hybrid list-based task scheduling
scheme for heterogeneous computing, J. Supercomput. (2021).
[40] A. Bag, D. Basu Roy, S. Patranabis, D. Mukhopadhyay, Flexipair: An auto-
mated programmable framework for pairing cryptosystems, IEEE Trans. Comput.
(2021).
[41] S. Tu, et al., Reinforcement learning assisted impersonation attack detection
in device-to-device communications, IEEE Trans. Veh. Technol. 70 (2) (2021)
1474–1479.
[42] S. Lauer, On several verifiable random functions and the q-decisional bilin-
ear Diffie-Hellman inversion assumption, in: Proceedings of the 5th ACM on
ASIA Public-Key Cryptography Workshop, APKC’18, Association for Computing
Machinery, New York, NY, USA, 2018, pp. 45–51.