Compulsory traceable ciphertext-policy attribute-based encryption against privilege abuse in fog computing


Accepted Manuscript Compulsory traceable ciphertext-policy attribute-based encryption against privilege abuse in fog computing Huidong Qiao, Jiangchun Ren, Zhiying Wang, Haihe Ba, Huaizhe Zhou

PII: S0167-739X(17)32882-0
DOI: https://doi.org/10.1016/j.future.2018.05.032
Reference: FUTURE 4207

To appear in: Future Generation Computer Systems

Received date: 15 December 2017
Revised date: 13 April 2018
Accepted date: 15 May 2018

Please cite this article as: H. Qiao, J. Ren, Z. Wang, H. Ba, H. Zhou, Compulsory traceable ciphertext-policy attribute-based encryption against privilege abuse in fog computing, Future Generation Computer Systems (2018), https://doi.org/10.1016/j.future.2018.05.032

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

Huidong Qiao a,b,*, Jiangchun Ren a, Zhiying Wang a, Haihe Ba a, Huaizhe Zhou a

a College of Computer, National University of Defense Technology, Changsha 410073, China
b College of Computer and Communication, Hunan Institute of Engineering, Xiangtan 411100, China

Abstract. Due to the structure of fog systems, ciphertext-policy attribute-based encryption (CP-ABE) is regarded as a promising technique to address certain security problems present in the fog. Unfortunately, in most traditional CP-ABE systems, a user can deliberately leak his attribute keys to others or use his private key to build a decryption device and provide a decryption service with little risk of being caught (untraceable). We refer to this behavior as privilege abuse. The privilege abuse problem will seriously hinder the adoption of CP-ABE. To address the problem, we propose a novel black-box traceable CP-ABE scheme that is much simpler than the existing white-box traceable schemes. A malicious user who builds a decryption black-box can be tracked and exposed by our scheme. Due to its scalability and relatively high efficiency, the scheme could be practical for fog systems. Furthermore, we point out that, if the adversary can distinguish the tracing ciphertext from the normal ciphertext, he can frustrate tracking by outputting incorrect decryption results. Thus, the traceability must be compulsory, so as to ensure that the adversary cannot distinguish between the tracing ciphertext and the normal ciphertext. Therefore, we present a formal definition of compulsory traceability with a new security game, and our scheme is proved to be secure and compulsory traceable under the generic group model.

Keywords: ciphertext-policy attribute-based encryption; fog computing; black-box traceability; compulsory traceability

1. Introduction

Fog computing extends the cloud computing paradigm to the edge of the network, thus enabling a new breed of applications and services [1]. The concept of fog computing was proposed by Cisco, and it is thought to be a promising computing paradigm. Fog devices are heterogeneous devices such as access points, routers, set-top boxes, roadside units, base stations and so on. These fog nodes are usually deployed as a layered structure between cloud computing and end users. While the central cloud provides a wide range of computing services, fog nodes are implemented at the edge of the networks so as to provide direct support for computing for the end devices. The three layers of hierarchy formed by the end devices, the fog and the cloud can meet the Quality of Services (QoS) enhancement requirements, by providing low latency, location awareness, and mobility support service to end users. Yet, in spite of these advantages, due to its complicated innards, security issues may become more troublesome in fog computing, which has led to a significant amount of research and discussion [2-5, 18-22, 39].

First, the fog nodes are geographically dispersed and positioned in various locations, in order to bring cloud services and resources closer to the end users. This makes it very difficult to enforce strict security management with consistent security policy or to guard against physical invasions. Thus, the fog nodes are much more vulnerable than cloud servers, which are usually physically isolated from the outside. For example, using physical attacks, an attacker might refresh the ROM of an access point or steal the storage device from a roadside unit. Thus, compared to cloud infrastructures, there are many more valid "paths" to compromise the fog node.

Second, fog computing allows multiple organizations and individuals with their own fog deployments to collaborate with each other in the open ecosystem. So, the multiple trust domains are controlled by different infrastructure owners in the fog. As a result of this, and because of the dynamic deployment of fog nodes, it is impossible to know in advance whether or not a certain fog node is trustworthy.

For the reasons mentioned above, the security issues become much more complicated in the fog. For example, as shown in Fig. 1, sometimes a fog node may cache certain resource (such as a relatively big file) from the central cloud servers or from the other fog nodes, to improve the response speed to some requests, or to avoid service failure when the connection to the central server is down. Meanwhile, the resource owner or the service provider need to ensure that the cached sensitive resource can only be accessed by the authorized users. Obviously, the centralized access control methods (such as role-based access control) that are used widely in traditional systems are no longer suitable in this case, because the fog nodes could be suspicious.

Fig. 1. Access control of sensitive file cached on the suspicious fog node

To satisfy the security requirements in such a context, a cryptographic access control scheme can be applied to this situation. The main idea of cryptographic access control is to encrypt sensitive data before data sharing, then distribute the secret keys to authorized data users by certain means. With cryptographic access control, the data owner can prevent the data from being illegally accessed by unauthorized end users or fog nodes, even if the data is stored in a suspicious fog node. In the implementation of cryptographic access control, the critical problem is how to distribute the secret keys to those authorized users; the public key algorithm named ciphertext-policy attribute-based encryption (CP-ABE) [6-12] is thought to be an ideal means of solving this problem. In the CP-ABE system, each user is assigned a set of attributes S, the data owner can perform the encryption and implement the access control policy by imposing an access structure on the ciphertext, and a user will be able to decrypt the ciphertext only if his attribute set S satisfies the access structure. Thus, CP-ABE is regarded as one of the most fine-grained access control techniques.

Due to the advantages of CP-ABE, many studies on CP-ABE have already been conducted in cloud computing [13-17]. Recently, CP-ABE has also been suggested for use in handling the access control problem in the fog [21, 22]. In addition, CP-ABE can also be applied to other aspects of the fog. For example, using the CP-ABE scheme, Huang et al. [20] proposed a stand-alone authentication (SAA) to realize user authentication for the smart grid when connectivity is not stable. Stojmenovic et al. [19] conducted similar work with the CP-ABE system in the fog. Furthermore, the CP-ABE system was also applied to secure fog communications in [18].

However, there is still a major security problem that may hinder the utilization of CP-ABE in the fog. The problem includes two factors: 1) illegal sharing of attribute private keys among users, and 2) building a decryption device/black-box to provide decryption privileges to others, as shown in Fig. 2. The former means that a user may deliberately leak his attribute keys to others to help them obtain access privilege for certain resources. The latter means that a malicious user can use his private key to build a decryption device and make a profit by providing a decryption service. Indeed, this is a common problem for most CP-ABE systems, because attribute private keys directly imply users’ corresponding privileges.

(a) Illegal sharing of attribute private keys among users
(b) Building a decryption device to provide decryption privileges to others
Fig. 2. Privilege abuse problem

In this paper, we refer to the problem as privilege abuse, if it is not possible to track the adversary who performs the illegal sharing or who builds the decryption black-box. Consider the following scenario. A service provider assigns Alice the private key for an attribute set S = {Washington area, New York area, movie, music, e-book}. In most CP-ABE systems, it is easy for Alice to generate a new key for an attribute set S′ (such as {New York area, movie}), if S′ ⊆ S, and sell it to others. In addition, Alice can also build a decryption black-box and provide a decryption service for profit. If Alice is untraceable, she will be able to compete with the original service provider while keeping her privilege.

Unfortunately, the privilege abuse problem exists in most CP-ABE schemes. In cloud computing, the cloud service provider (CSP) can implement additional operations (such as identity authentication) complementary to the CP-ABE system, which alleviates the problem to some extent. However, in fog computing, since the operations performed by fog nodes could be suspicious (a fog node might be compromised, or the owner of the node might be malicious), the security of resources that are cached in fog nodes is totally dependent on the security of the CP-ABE system. Therefore, dealing with the privilege abuse problem in the fog computing paradigm becomes more important, and actually critical.

Our contribution. Motivated by addressing the privilege abuse problem of CP-ABE and ensuring that CP-ABE is suitable for implementation in the fog, we propose a novel CP-ABE scheme based on the work presented in [6]. The key points of our work are as follows:

1. We design a novel black-box traceable CP-ABE scheme that can prevent the abuse of privilege. Our scheme, distinct from most existing black-box traceable CP-ABE schemes, is scalable and relatively lightweight. This makes it truly practical and efficient for the highly dynamic fog system.
2. For the first time, we propose the concept of compulsory traceable property for the CP-ABE scheme, and make it clear that this property is necessary for any black-box traceable CP-ABE scheme. The compulsory traceable property guarantees that the adversary cannot distinguish the tracing ciphertext from the normal ciphertext, and so is unable to frustrate tracking. In addition, our CP-ABE scheme is proved to be compulsory traceable under the generic group heuristic.

Organization. This paper is structured as follows. We discuss related work in Section 2. In Section 3, the background, definitions and security models are presented. We then present our CP-ABE construction in Section 4. Section 5 provides the results of our experiment and the performance analysis. In Section 6, we present the formal secure proof and show that our scheme is compulsory traceable. Finally, in Section 7, the paper concludes with some discussions and suggestions for future work.

2. Related work

The first CP-ABE scheme, proposed by Bethencourt, Sahai and Waters (BSW) [6], is an expressive scheme that enables fine-grained access control over ciphertext. Then, various CP-ABE schemes [7-12] are proposed.

Recently, due to their significant advantages, ABE schemes [18-20, 37] have been applied to various aspects of mobile edge computing, including fog computing. For example, Arwa et al. [18] proposed an encrypted key exchange protocol based on CP-ABE, in order to achieve authentic and confidential communications between fog nodes and the cloud. Stojmenovic et al. [19] used the approaches introduced by Huang et al. [20] to realize user authentication in case the fog node loses connection with the cloud authentication server. Their scheme encrypts (using CP-ABE) the authentication information of the user and stores it in the user’s smart card. Therefore, only a designated device (whose attributes satisfy the access policy) can decrypt the information and authenticate the user when the connection to the cloud authentication server is down. Later, to cut down on the computation costs of the end user, Peng Zhang et al. [21] proposed a CP-ABE scheme supporting outsourcing capability and attribute updates for fog computing. In their scheme, a major part of the heavy computation of encryption and decryption is outsourced to fog nodes, so as to make it efficient for end users to perform CP-ABE operations. Similarly, a verifiable outsourced multi-authority access control scheme was proposed by Kai Fan et al. [22]. In their scheme, most encryption and decryption computations are also outsourced to fog devices.

However, as we have shown in Section 1, if the privilege abuse problem is not resolved, CP-ABE-based applications will remain insecure in fog computing. In fact, to support traceability for ABE systems, Jin Li et al. [23] have already proposed an accountable CP-ABE scheme by embedding additional user-specific information in the attribute private key issued to the user; thus, a malicious user can be caught through his leaked key. Later, Zhen Liu et al. [24] summarized that there are two levels of traceability. Level one is the white-box, by which, given a well-formed decryption key as the input, a tracing algorithm can find the key owner. This includes the scenario in which a malicious user leaks a new key created from his original key. Level two is black-box traceability, by which given a decryption black-box/device, while the decryption key and even the decryption algorithm can be hidden, the tracing algorithm can still find out the malicious user whose key must have been used to construct the decryption black-box. The scheme in [23] is a white-box traceable system, as are the works in [25-29].

Obviously, black-box traceability is much more difficult to achieve than white-box traceability. The first black-box traceable CP-ABE was presented by Zhen Liu et al. [24], and the key-like decryption black-box can be tracked in their scheme. Key-like means that the black-box behaves as a decryption key associated with an attribute set. Another type of decryption black-box is the policy-specific decryption black-box, which is associated with an access policy, and only ciphertext encrypted with this policy can be decrypted by the black-box. Based on their former works, Zhen et al. [30] proposed another CP-ABE scheme that can track the policy-specific decryption black-box; they proved that traceability against policy-specific decryption implies traceability against key-like decryption. Then, to improve the efficiency of the ciphertext, Ning et al. [31] proposed another scheme that is also traceable against the policy-specific decryption black-box.

However, none of the black-box traceable schemes mentioned above can be implemented in the fog because they are not scalable. In [24, 30], the ciphertext length and public key length are sub-linear in N (N denotes the number of users), and in [31], the public key length and private key length are linear in N. This means that the system has to be reset if a new user joins; thus, the schemes are unsuitable for fog systems, which are highly dynamic. To apply a secure CP-ABE system in fog computing, Jiang et al. [32] proposed a new scheme against key-delegation abuse, in which users cannot illegally generate new private keys associated with a subset of the users’ original sets of attributes. Therefore, a malicious user can only leak his whole original key to others; based on this property, Jiang et al. [32] designed a traceable CP-ABE scheme for fog computing. However, their scheme is white-box traceable, and a malicious user can still build a decryption device/black-box online and illegally decrypt ciphertext for others with little risk of being caught. Thus, a black-box traceable scheme is much more meaningful than a white-box scheme in the fog. To the best of our knowledge, we present the first such practical CP-ABE scheme for fog computing, which is black-box traceable and scalable.

3. Background

In this section, we first review the background information on bilinear map and access structure. Then, formal definitions for the security models are presented.

3.1. Bilinear map

Let , be two multiplicative cyclic groups of prime order and be a generator of . The bilinear map : → has the following properties:

1. Bilinearity: for all , ∈ and , ∈ , we have , , .
2. Non-degeneracy: , 1.
3. Computability: for any , ∈ , , is computable.

3.2. Access structure

Definition 1. (Access Structure [36]) Let , ,…, be a set of parties. A collection ⊆ 2 , ,…, is monotone if for ∀ , : if ∈ and ⊆ then ∈ . An access structure is a collection of non-empty subsets of , , … , . The sets in are called authorized sets, and the sets that are not in are called unauthorized sets.

In our context, the parties are represented as the attributes. Thus, the access structure will specify the authorized sets of attributes. We restrict our attention to monotonic access structures.

3.3. CP-ABE and security definitions

A ciphertext-policy attribute-based encryption system consists of four algorithms: Setup, Encrypt, KeyGen, and Decrypt.

Setup λ → , . The setup algorithm takes the security parameter λ as inputs, and outputs the public parameter and a master secret key .

KeyGen , → . This algorithm takes as input the master key and a set of attributes . It outputs a private decryption key described by .

Encrypt , , → . The encryption algorithm takes as inputs the public parameter , a message , and an access structure over the universe of attributes. The encrypting procedure produces a ciphertext such that only the user whose attribute satisfies the policy of access structure will be able to decrypt the message.

Decrypt , , → . This algorithm takes the public parameters , a private key , and a ciphertext as inputs. If the attribute set associated with satisfies the access structure of , then the algorithm will decrypt and return a message ; otherwise, it outputs .

3.3.1. Security model for CP-ABE

We now give the security definition for the CP-ABE system using the following game, which is a semantic security game.

Setup: The challenger runs the Setup algorithm and gives the public parameter to the adversary.
Phase 1: The adversary queries the challenger for private keys corresponding to sets of attributes , … , .
Challenge: The adversary submits two equal length messages , and an access structure ∗ . The challenger flips a random coin ∈ 0,1 , and encrypts under ∗ . The challenger gives the ciphertext to the adversary.
Phase 2: The adversary queries the challenger for private keys corresponding to sets of attributes ,…, .
Guess: The adversary outputs a guess ′ for .

The adversary wins the game if under the restriction that ∗ cannot be satisfied by any of the attribute sets , … , . The advantage of the adversary is defined as .

Definition 2. A CP-ABE scheme is chosen-plaintext attack (CPA) secure if all polynomial time adversaries have, at most, a negligible advantage in the above game.

3.3.2. Traceability for CP-ABE

The concept of the decryption black-box in our context is different from that in [24, 30, 31]. We regard as a relatively simple device described with a non-empty attribute set . It takes a ciphertext CT as input, and correctly performs the decryption to output the corresponding message M if satisfies the access structure of CT; otherwise, it outputs .

Under this assumption, in order to illustrate the collusion of malicious users, we consider the following scenario. Assuming that the attribute set of Alice is , and that of Bob is . If the CP-ABE scheme satisfies Definition 2, it is clear that Alice colluding with Bob can only build a black-box that can decrypt the ciphertext satisfied by or the ciphertext satisfied by . That is to say, they cannot advertise the black-box with the attribute set ∪ . The decryption ability of this device that they build together is equal to that of the two black-boxes that they build respectively. Thus, the collusion can be simply considered as putting their independent black-boxes together. Therefore, in this work, we focus on tracing the decryption black-box that is constructed by an adversary alone.

To trace a black-box, one always has to interact with the decryption black-box. Just as in the methods of [24, 30, 31], one will send the tracing ciphertext to the black-box and analyze the collected information that returns from the decryption of the black-box. Thus, we need a kind of special encryption algorithm to produce the tracing ciphertext whose decryption results can be used to trace the decryption private key. We define the algorithm as follows:

Encrypt , , → , . The algorithm takes as inputs the public parameter , a message , and an access structure over the universe of attributes. The encrypting procedure produces a tracing ciphertext such that only the user whose attribute satisfies will be able to decrypt. The is a parameter that will be used in the analysis of the outcomes of the decryption to find the private key.

Therefore, to trace a decryption black-box with the attribute set , one can choose a random message M, and construct an access structure that can be satisfied by . Then, one utilizes the Encrypt algorithm to produce the tracing ciphertext and sends it to for decryption. The output of the black-box decryption will be applied in tracking the private decryption key that is used to build the black-box .

3.3.3. Security model for compulsory traceability

To trace a decryption black-box by interacting with it, we have to consider the following situation. If the adversary can distinguish the tracing ciphertext from the normal ciphertext, he will be able to deliberately output the incorrect decryption results to frustrate tracking, and correctly decrypt the normal ciphertext for his subscribers. Thus, we need to ensure that the adversary cannot distinguish between the tracing ciphertext and the normal ciphertext; in this case, the traceability will be compulsory. We now give this security definition for the CP-ABE system.

The compulsory traceable property is described using a security game between a challenger and an adversary. The intuition behind this game is that any of the users whose attribute set satisfies the policy of tracing ciphertext still cannot determine whether the ciphertext is a normal ciphertext or a tracing ciphertext, even if all of them collaborate by combining all of their keys.

Setup: The challenger runs the Setup algorithm and gives the public parameter to the adversary.
Phase 1: The adversary queries the challenger for private keys corresponding to sets of attributes , … , .
Challenge: The adversary submits an access structure ∗ that can be satisfied by each attribute set of ,…, . The challenger randomly chooses a message M from the message space. The challenger flips a random coin b ∈ {0,1}; if b = 0, the challenger performs Encrypt , , ∗ → , ; otherwise, the challenger performs Encrypt , , ∗ → . Then, the challenger gives the ciphertext to the adversary.

Phase 2: The adversary queries the challenger for private keys corresponding to the sets of attributes , … , , and each attribute set of ,…, satisfies the access structure ∗ .
Guess: The adversary outputs a guess ′ for .

The adversary wins the game if . The advantage of the adversary is defined as .

Definition 3. A black-box traceable CP-ABE scheme is compulsory traceable if all polynomial time adversaries have, at most, a negligible advantage in the above game.

4. Our construction

Now, we construct a black-box traceable CP-ABE scheme based on the works in [6], because, to the best of our knowledge, the BSW scheme is the most efficient and expressive scheme. Although the BSW scheme is not “fully” secure (proved secure under the generic group model), in fog computing, the relative lightweight scheme is more suitable for end users’ devices that are usually resource-limited and power-limited. In fact, we first tried to design the trace algorithm for the BSW scheme. However, we found it impossible to implement the compulsory traceable property in BSW. We then proposed a new scheme, so as to provide compulsory traceability.

4.1. Access structure

In our construction, we adopt an access structure that is the same as the access tree of BSW. The access tree can be described as follows:

Access tree . Let tree represent an access structure. In tree , each non-leaf node represents a threshold gate, which is described by its children and a threshold value. The variable denotes the number of children of a node x and denotes its threshold value. If 1, the threshold gate is an “OR” gate, and if , it is an “AND” gate. Each leaf node of the tree represents an attribute. In the next description, denotes the parent of the node x, and denotes the attribute of the node x ( must be a leaf node). In the tree, the children of a node are numbered from 1 to num. When node x is a child of a certain node, the function returns the number of the node x.

4.2. Our CP-ABE construction

Let and be two multiplicative cyclic groups of prime order p, and let : → denote the bilinear map. The size of the groups will be determined by the security parameter. We also define the Lagrange coefficient ∆ , for ∈ and a certain set , which consists of elements in : ∆, ∈ , . In our construction, we use two hash functions , : 0,1 ∗ → to map any attribute described as a binary string to a random group element in . The concrete construction is described as follows:

Setup λ → , . The algorithm chooses bilinear group of prime order p (which is determined by the security parameter λ) with generator . Then, it chooses two random exponents , ∈ . The public key will be published as: , , , , , , and the master key is , .

KeyGen , → . This algorithm takes as input the master key and a set of attributes . It randomly chooses ∈ and ∈ for each attribute ∈ . Next, it outputs the private decryption key as: / , ∀ ∈ : ∙ , , , . The algorithm sends to the user, and records , in a list .

Encrypt , , → . To encrypt a message ∈ with the access tree , the algorithm takes the following steps. For each node x of the tree , the algorithm chooses a polynomial . The degree of the polynomial is set as: 1. These polynomials are chosen in a top-down manner, starting from the root node R. The algorithm first chooses a random ∈ and sets 0 , then randomly chooses other points of the polynomial to completely define . Then, for any other node x, the algorithm sets 0 and chooses other points of randomly to completely define . Note that, if 0, we will have is an OR gate, due to 0 0 Let be the set of leaf nodes in . The algorithm randomly chooses ∈ for each node ∈ , and constructs the ciphertext as: , , , , ∈ : ∙ , , , .

Decrypt , , → . This algorithm takes the public parameters , a private key , and a ciphertext as inputs. We first define a recursive algorithm DecryptNode , , .

If the node x is a leaf node and ∈ (the attribute set of ), then DecryptNode , , , ′ ′′ ′′′ ′ , , ′′ , ′′′ , . If ∉ , then DecryptNode , , .

When x is a non-leaf node and 1 (x is an OR gate), for each node z that is the child of x, the algorithm continues to compute DecryptNode , , , until the output of DecryptNode , , is not . Let denote the output of DecryptNode , , , then it computes , , , and returns . If, for all child nodes z, DecryptNode , , outputs , it returns .

When x is a non-leaf node and 1 (x is an AND gate), for all nodes z that are the children of x, the algorithm computes DecryptNode , , and stores the output . If, for any child node z, DecryptNode , , outputs , then the algorithm returns . Otherwise, it continues to compute as follows. Let be the set : ∈ and that consists of all child nodes z, and . It computes ∆, , ∆, ∈ ∆, , ∆, , and returns .

Thus, if the access tree is satisfied by , the algorithm Decrypt computes DecryptNode , , , , R is the root node of the tree . Then, it decrypts the message by computing / , / .

4.3. Traceability

The purpose of the tracing operation is to find out the decryption key that is used to build the decryption black-box; thus, the owner of the black-box can be exposed. We design a special encryption algorithm to produce the tracing ciphertext. It is described as follows:

Encrypt , , → , . To encrypt a message ∈ with the access tree and produce a tracing ciphertext , the algorithm takes the same steps as the algorithm Encrypt , , → , except for the step of setting 0 . This algorithm chooses another random number , and sets 0 . The output ciphertext is constructed as: , , , , ∈ : ∙ , , , . And it outputs .

The algorithm makes instead of to be shared secretly in the ciphertext. Thus, we can track a decryption black-box with the following steps. First, we construct an access tree that can be satisfied by the attribute set , and randomly choose a message ∈ . Then, we perform Encrypt , , → , to produce , and send to and keep the . Therefore, if computes Decrypt , , → ′ as follows: ′ / , / / ′ , / , / , , ′ We will get the message ′ and set / , . Then, for each in , we compute , until is equal to . At this point, we output as the key information of the decryption private key . If the system authority records the user’s ID according to his when performing the KeyGen, we will be able to expose the owner of .

In this context, we make an assumption that the message space is . The assumption ensures that ′ is always a valid message, due to ′ , ∈ . Therefore, will not be able to distinguish the tracing ciphertext from the normal ciphertext by determining whether or not the outcome of the decryption is valid.

Efficient tracking. In fact, to improve the performance, we can set the parameter 1. In this case, the value of is fixed at 1, and the computation of for each will be eliminated. We simply compare to each in list , until equals . Thus, the tracking will be very efficient.
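The top-down polynomial assignment used by Encrypt and the bottom-up recombination used by DecryptNode over the access tree of Sections 4.1 and 4.2, as an added example that is not code from the paper. It shares and recovers the secret directly in a prime field instead of in the exponent of a pairing group; the names Node, leaf, gate, share, recover and the modulus P are assumptions of this sketch, and the policy is constructed from the attributes in the Alice scenario of Section 1.

```python
"""BSW-style access tree: top-down polynomial sharing, bottom-up recovery."""
import secrets

# Assumption: a prime field stands in for the exponent group Z_p of the scheme.
P = 2**127 - 1


class Node:
    """A leaf (attribute is set) or a threshold gate (k-of-n over children)."""

    def __init__(self, threshold=None, children=(), attribute=None):
        self.threshold = threshold
        self.children = list(children)
        self.attribute = attribute


def leaf(attribute):
    return Node(attribute=attribute)


def gate(k, *children):
    if not 1 <= k <= len(children):
        raise ValueError("threshold must be between 1 and the number of children")
    return Node(threshold=k, children=children)


def OR(*children):
    return gate(1, *children)              # threshold 1


def AND(*children):
    return gate(len(children), *children)  # threshold = number of children


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share(node, secret, path=(), out=None):
    """Encrypt side: give each node a polynomial of degree threshold-1 whose
    value at 0 is the parent's value at this child's index (1-based).
    Returns {leaf path: (attribute, share)}."""
    out = {} if out is None else out
    if node.attribute is not None:
        out[path] = (node.attribute, secret % P)
        return out
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(node.threshold - 1)]
    for index, child in enumerate(node.children, start=1):
        share(child, _eval_poly(coeffs, index), path + (index,), out)
    return out


def lagrange_at_zero(i, indices):
    """Lagrange coefficient of index i over the set `indices`, evaluated at 0."""
    num, den = 1, 1
    for j in indices:
        if j != i:
            num = num * (-j) % P
            den = den * (i - j) % P
    return num * pow(den, -1, P) % P


def recover(node, leaf_shares, attrs, path=()):
    """DecryptNode analogue: returns the node's polynomial value at 0,
    or None when the attribute set does not satisfy the subtree."""
    if node.attribute is not None:
        return leaf_shares[path][1] if node.attribute in attrs else None
    got = {}
    for index, child in enumerate(node.children, start=1):
        value = recover(child, leaf_shares, attrs, path + (index,))
        if value is not None:
            got[index] = value
            if len(got) == node.threshold:
                break
    if len(got) < node.threshold:
        return None
    idx = list(got)
    return sum(got[i] * lagrange_at_zero(i, idx) for i in idx) % P


def demo():
    # Constructed policy: (New York area AND movie) OR 2-of-3(music, e-book, Washington area)
    policy = OR(AND(leaf("New York area"), leaf("movie")),
                gate(2, leaf("music"), leaf("e-book"), leaf("Washington area")))
    s = secrets.randbelow(P)
    shares = share(policy, s)
    return (recover(policy, shares, {"New York area", "movie"}) == s,
            recover(policy, shares, {"movie", "music"}) is None)


if __name__ == "__main__":
    print(demo())
```

The sketch models only the sharing structure; it does not model the per-key randomness chosen in KeyGen or the tracing ciphertext.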

5. Performance analysis

5.1. Comparison with other traceable schemes

The performance of a CP-ABE scheme can be measured in the following ways: the size of the ciphertext, the size of the public key and the private key, the scalability, traceability, the computation costs of encryption and decryption and so on. In Table 1, we compare our scheme with some of the existing traceable CP-ABE schemes. N denotes the number of users, l denotes the size of the access policy, | | denotes the size of the attribute universe, |S| denotes the size of the user’s attribute set, and | | denotes the number of leaf nodes of the access tree.

Table 1 Comparison with related works

Scheme       Ciphertext Size   Public Key Size   Private Key Size   Traceability   Scalability
[24]         2 17√             | | 3 4√          | | 4              black-box
[31]         2 5               | | 8             | | 6              black-box
[32]         2| | 1            2| | 1            | |                white-box      √
This work    | | 2             3                 4| | 1             black-box      √

Scalability. Comparing these schemes, it is clear that our scheme is more suitable for fog computing. It is scalable because the size of the ciphertext, the size of the public key and the size of the private key are all independent of or | |. In contrast, most of the existing black-box traceable schemes are not scalable; therefore, when a new user joins the system, the whole system needs to be reset. This makes such schemes impractical for fog systems, which are highly dynamic. Although the scheme in [32] is scalable, it is white-box traceable, so the decryption black-box remains untraceable in this scheme. Meanwhile, the system of [32] still needs to be reset if a new attribute is added to the system. This is because the size of the ciphertext, the size of the public key and the size of the private key are all linear in | |.

Compulsory traceability. To the best of our knowledge, all of the black-box traceable CP-ABE schemes trace the black-box device by interacting with the device with the tracing ciphertext. However, if an adversary can distinguish the tracing ciphertext from the normal ciphertext, he is able to frustrate the tracing by outputting an abnormal decryption result or simply stopping the decryption when he receives the tracing ciphertext, which keeps the black-box untraceable. Therefore, we believe that compulsory traceability is necessary in any black-box traceable system, because it guarantees that the adversary is unable to distinguish the tracing ciphertext from the normal ciphertext. So far, our scheme is the first black-box traceable CP-ABE scheme that has been proved to be compulsory traceable; the proof is presented in Section 6.

Tracing efficiency. To trace a black-box in CP-ABE schemes such as [24, 30, 31], the tracing steps need to be performed 1 times, and each time the encryption algorithm needs to be performed 8 ⁄ times, where and are security parameters. In contrast, to trace a black-box in our scheme, the Encrypt algorithm needs to be performed only one time, and the cost of Encrypt is almost equivalent to the cost of normal encryption algorithm Encrypt. Thus, in a system which has a large number of users, the tracing of our scheme is much more efficient than the tracing of most existing black-box traceable schemes.

5.2. Performance measurements

The existing black-box traceable CP-ABE schemes are much more complicated than our scheme. Most (such as the schemes in [24, 30, 31]) are based on composite order bilinear groups, while our scheme is based on prime order bilinear groups. To provide the same level of practical security as a 160-bit prime order elliptic curve group, the order n of composite order bilinear groups must be no less than 1024 bits. When compared with prime order bilinear groups, the group operations, and especially pairing computations, are prohibitively slow. For example, a Tate pairing on a 1024-bit composite order elliptic curve is roughly 50 times slower than the same pairing on a comparable prime order curve [41]. Thus, our scheme is much more efficient than those black-box traceable schemes; in addition, such schemes are all unscalable. Therefore, we provide just the performance evaluation of our scheme in this section.

Because the setup operation is performed only when the whole system is constructed and the key generation is performed only when a new user is added to the system, the performance of the access control system depends mainly on the efficiency of the encryption and decryption operation. Therefore, we provide information on the encryption and decryption performance achieved in the experiments. Because the access tree can be satisfied by different private keys, the decryption time may depend significantly on the set of attributes involved. To avoid the difference caused by the different decryption keys and to ensure uniformity of the decryption tests, we set the access tree as a single AND gate in the experiments.

The experiments use an elliptic curve group based on the curve . The group size is 160 bits long and the representations are 512 bits long, and the security is equivalent to 1024 bits discrete log. The experimental programs are Java programs that use the Java Pairing Based Cryptography (JPBC) library [40]. We conduct the experiments on the same machine, which has an Intel® Core™ i7-3520M CPU running at 2.9GHz with 8GB RAM. The experimental programs are run on a Windows 7 x64 system. All the programs are implemented in a single thread to measure absolute time consumption.

Fig. 3. Performance of our scheme: (a) Encryption time; (b) Decryption time.

As shown in Fig. 3, just like the BSW scheme, the encryption time of our scheme is a predictable amount of time based on the number of leaf nodes in the access tree, and the decryption time is almost linear in the number of leaf nodes involved. In our experiment, the average cost of encryption increases to 4998 ms when there are 50 leaf nodes in the access tree. In fact, unlike the decryption that will be frequently performed by the users when they access the data, the encryption operation is only performed when data needs to be cached in a suspicious fog node. Therefore, although the encryption is much costlier than the decryption, the efficiency of the encryption is still acceptable. On the other hand, the number of leaf nodes involved in a decryption may be much less than the leaf nodes of the access tree. For example, in an access tree as shown in Fig. 4, a manager can conduct the decryption with one leaf node, others can conduct the decryption with two leaf nodes, while there are seven leaf nodes in the access tree. In most cases, users may decrypt the ciphertext with small numbers of leaf nodes. Thus, the decryption is relatively efficient (about 120ms when the number of leaf nodes involved is five). In particular, when the cached file is big, the communication and computation can proceed in parallel.

Fig. 4. An access tree example
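The leaf-count argument above, as an added example (not the paper's code and not JPBC): a BSW-style threshold access tree shares a secret down to its leaves, and decryption only has to touch the smallest satisfying set of leaves. The tree is constructed to match the counts quoted for Fig. 4 (seven leaves, one for a manager, two for others); the attribute names, the modulus and the plain-integer arithmetic without pairings are assumptions.

```python
"""Toy model of a BSW-style threshold access tree (added example).

Shares are plain integers in Z_P. In the real scheme they sit in the
exponent of group elements and are only combined through pairings.
"""
import secrets

P = 2**127 - 1  # prime modulus standing in for the group order (assumption)


def leaf(attr):
    return ("leaf", attr)


def gate(k, *children):
    """k-of-n threshold gate: OR is k=1, AND is k=len(children)."""
    return ("gate", k, list(children))


def share(node, secret, path=(), out=None):
    """Top-down sharing: each gate picks a random polynomial q of degree
    k-1 with q(0)=secret and hands q(i) to its i-th child (1-based).
    Returns {leaf_path: share}."""
    out = {} if out is None else out
    if node[0] == "leaf":
        out[path] = secret
        return out
    _, k, children = node
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    for i, child in enumerate(children, start=1):
        y = sum(c * pow(i, e, P) for e, c in enumerate(coeffs)) % P
        share(child, y, path + (i,), out)
    return out


def plan(node, attrs, path=()):
    """Smallest list of leaf paths that satisfies `node` with `attrs`,
    or None if the attribute set does not satisfy it."""
    if node[0] == "leaf":
        return [path] if node[1] in attrs else None
    _, k, children = node
    options = []
    for i, child in enumerate(children, start=1):
        sub = plan(child, attrs, path + (i,))
        if sub is not None:
            options.append(sub)
    if len(options) < k:
        return None
    options.sort(key=len)  # the k cheapest satisfied children are optimal
    return [p for sub in options[:k] for p in sub]


def lagrange_at_zero(points):
    """Value at x=0 of the polynomial through `points`, modulo P."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def recover(node, shares, used, path=()):
    """Rebuild the value at `node` from the leaf shares listed in `used`."""
    if node[0] == "leaf":
        return shares[path] if path in used else None
    _, k, children = node
    pts = []
    for i, child in enumerate(children, start=1):
        v = recover(child, shares, used, path + (i,))
        if v is not None:
            pts.append((i, v))
    return lagrange_at_zero(pts[:k]) if len(pts) >= k else None


# Constructed seven-leaf tree; the paper's Fig. 4 is not reproduced here.
TREE = gate(
    1,
    leaf("manager"),
    gate(2, leaf("dept:finance"), leaf("role:accountant")),
    gate(2, leaf("dept:audit"), leaf("role:auditor")),
    gate(2, leaf("project:fog"), leaf("clearance:2")),
)

if __name__ == "__main__":
    s = secrets.randbelow(P)
    shares = share(TREE, s)
    for attrs in ({"manager"}, {"dept:audit", "role:auditor"},
                  {"dept:finance", "role:auditor"}):
        used = plan(TREE, attrs)
        ok = used is not None and recover(TREE, shares, set(used)) == s
        print(sorted(attrs), "leaves used:", used and len(used), "recovers s:", ok)
```
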

It is easy to see that the computation cost of the tracing operation Encrypt is almost equivalent to the computation cost of the encryption operation. Meanwhile, if using the efficient tracking, the cost of the search for a target in the list is negligible. Therefore, the tracing can be very efficiently completed by a single interaction with the black-box device.

6. Security analysis

In this section, by using the generic group model [33, 34] and the random oracle model [35], we argue that no efficient adversary can break the security of our scheme, if he acts generically on the groups underlying our scheme. In addition, our scheme is proved to be compulsory traceable by completing the proof of Theorem 2.

The generic bilinear group model [6]. Consider two random encodings , , which is injective maps , : → 0,1 where of the additive group 3log . For 0,1, we write : ∈ : ∈ and . We are given oracles to compute the induced group action on , and an oracle to compute a non-degenerate bilinear map ∶ → . We refer to as a generic bilinear group. We are also given random oracles to represent the hash functions , .

Theorem 1. Let , , , be defined as above. Let be the adversary that receives, at most, group elements from the quest he makes to the oracles for the hash function, group , , and the bilinear map , and from its interaction with the CP-ABE security game. Then, in the CP-ABE security game, the advantage of is / .

Proof. This theorem gives a lower bound on the advantage of a generic adversary in breaking our CP-ABE scheme. We introduce some notations for the next simulation. 1 , and in the next part we use to denote and , to Let . denote Since this work is based on the BSW scheme, the proof is similar to its proof. In the CP-ABE security game, we consider replacing the component that is randomly , or , with the new , which is randomly either either , or , . is a uniformly random number that is chosen from .
The adversary who has advantage in the original CP-ABE game will have at least /2 advantage in the modified CP-ABE game. This is because the modified game can be considered as two hybrids: one in which must distinguish between , and , ; and another in which must distinguish between , and , . From now on, we will simulate the modified security game in our proof. At the setup, the simulation performs computing and , , and sends . them to , where , are chosen randomly from When calls for the evaluation of or on any attribute string i, a new (unless it has already been chorandom value , or , will be chosen from

, or , , respectively, as the response to the sen), and the simulation provides request. When makes the k’th key generation query for the attribute set , the simulator chooses a random value ∈ , and for each ∈ , it chooses a random

value



/

. Then, it computes ,

,

,

,

,

, and for each ,



we have

. The simulator sends the

values to . , ∈ and the access When asks for a challenge, giving two messages . Then, tree , the simulator performs as follows. First, it chooses a random s from it uses the linear secret sharing scheme associated with (described in Section 4) to 0 of s for each leaf node i of . We denote 0 as compute the secret shares in the following proof. Subject to the linear conditions imposed on by the are all chosen uniformly and indesecret sharing scheme, the secret shares pendently at random from . Finally, the simulator randomly selects ∈ and constructs the ciphertext , , . For each leaf node i, it computes: , , , , , , , where are random values chosen from . The simulator sends the ciphertext to . Now, we proceed with the proof under the condition that (1) to make queries, only takes as input the values it receives from the simulation or intermediate values it has already obtained from the oracles, and (2) there are p distinct values in the ranges of both and . Thus, we consider the oracle query to be a rational function in the variables , , , , , ’s, , ’s, ’s, ’s, ’s, and ’s. We will show that ’s view is identically distributed to what its view would have , unless there happens to be an “unexpected been if it had been given , collision” in the queries. We now consider what the view of would have been if we had set . Because we are in the generic group model, the only way in which ’s view can such that differ in the case of is to construct two queries and ′ into ′| . However, we will find that can never construct ′ but | two such queries. Due to only occurring as , , or ′ can only have certain additive , where is a constant. Thus, there must be terms of the form , for some constant . This means that is able to construct a query . However, we will show that can never construct such a query of the . For ease of reference for the reader, in Table 2, we enumerate all form into possible terms of the rational function queries into . 
Therefore, all possible terms of can be obtained by multiplying any two items the rational function queries into in in Table 2. In addition to these polynomials, also has access to 1, and . Thus, can make a query into for any arbitrary linear combinations group of these types. It is obvious that the only way to create a query containing is by pairing / . will get the term . Therefore, could create a with ∑ ∈ query polynomial γ , for some set and constants , 0. In order to cancel the term ∑ ∈ , has to cancel for all ∈ .

Table 2. Possible query types ,

/

, ,

, ,

,

,

,

Using Table 2, we find that the only way to cancel the term is by pairing with some items of , since is the sharing of s. This , , means that has to construct a polynomial in the form: ,

,

, ∈ ,

,

,

,

, ∈

for some set . Then, uses to cancel the term . Let the set :∃ : , ∈ . We present the proof in two cases: 1. does not allow for the reconstruction of the secret s; in this case, cannot be canceled by . 2. does allow for the reconstruction of the secret s. We denote the set of attributes corresponding to the k’th key request as , By the properties of the secret sharcannot satisfy the access tree , we know ing scheme, and based on the fact that : ∈ cannot allow for the reconstruction of s. Thus, that the set there must be at least one share in , with ∉ . If so, in the polynomial , there must be a term of the form , and it cannot be canceled by any term , to which

has access. This is because, in order to cancel

can use is

,

. However, due to



,

and

, the only term ∈

,

,

cannot be canceled by . , On the basis of the analysis above, we conclude that can never be canceled, and will not be able to construct a query of the form γ . This means that ’s view will not differ in the case of , and that ’s view is identically dis, unless tributed to what its view would have been if it had been given , there happens to be an “unexpected collision” in the queries. However, an unexpected collision would happen when two distinct queries and ′ evaluate to the same value. It means that ′, but because the variables are , the value of is equal to that of ′. In a collision, we have chosen at random in 0. For the non-zero polynomial , the probability of 0 is, at most, 1/ [34]. By a union bound, the probability that any such collision hap/ . Thus, the advantage of the adversary is, at most, / . pens is, at most, This concludes the proof for Theorem 1. , , , be defined as above. Let be the adversary that Theorem 2. Let receives, at most, group elements from the quest he makes to the oracles for the hash function, group , , and the bilinear map , and from its interaction with the compulsory traceable security game. Then, in the compulsory traceable security game, the advantage of is / .

Proof. Because the simulation in this proof is similar to that in the proof for Theorem 1, we omit the description of the setup and key generation simulation and focus on the challenge simulation process. When asks for a challenge in this simulation, only submits the access tree , and the simulator performs as follows. First, it chooses two random values (de, ∈ . Then, it uses the linear secret sharing scheme associated with scribed in Section 4) to compute the secret shares of for each leaf node i of . and computes the ciphertext Finally, the simulator randomly selects ∈ , , , . For each leaf node i, it computes , , , , , , where are random numbers chosen from . The simulator sends the ciphertext to . We will show that ’s view is identically distributed to what its view would have , unless there happens to be an “unexpected collision” in the queries. been if Now, we consider what the view of would have been if the simulation had set in the challenge. Because we are in the generic group model, the only way in is to construct two queries and which ’s view can differ in the case of , such that ′ but | ′| . Therefore, there must be ′ into , where is a polynomial. This means that is able to conand , struct two such queries: where the two queries contain the same polynomial . However, we will show that can never construct such two queries, which leads to a contradiction. Since the attribute sets of all decryption keys satisfy the access tree , can , to construct the polynomial perform the algorithm DecryptNode , is the decryption key corresponding to the ( is the root node of the tree and k’th key request). In this way, could create the polynomial as the form ∑ ∈ for some set and constants 0. However, it is clear that ∑ ∈ is the only polynomial form that can construct to satisfy the form . Therefore, if is able to construct such queries and , of polynomial must have the ability to construct a query as the form ∑ ∈ . It is obvious that is to pair with / . 
the only way to create a query containing will get the term . However, the term can never be canceled by the terms to which has access; thus, will not be able to construct two such queries and , and so and ′. This means that ’s view is identically distributed to what its view would have been if , unless there happens to be an “unexpected collision” in the queries. Therefore, this is similar to the proof for Theorem 1, as the probability of any unex/ . Therefore, the advantage of the pected collision happening is, at most, / . This concludes the proof for Theorem 2. adversary is, at most, Following the methods above, we will also be able to prove that can never de1. Thus, setting 1 in the tracking is also termine whether or not compulsory traceable.

7. Conclusion

In this paper, we analyzed the security issues in the fog system and found that traceability is necessary in the fog because of the vulnerability of the fog nodes that could be geographically dispersed over a vast area. However, most existing CP-ABE schemes that provide traceability are not suitable for applications that use the fog, due to their disadvantages in terms of scalability, traceability type (white-box traceable or black-box traceable) and efficiency. Thus, we proposed a novel CP-ABE scheme that is based on the BSW scheme. In our scheme, the key-like decryption black-box can be tracked. However, it is easy to see that the policy-specific black-box can also be tracked in our scheme. The scheme is proved secure under the generic group model, and it inherits the high efficiency of the BSW scheme. In addition, the cost of tracking could be lightweight in our scheme.

Furthermore, we discussed the problem regarding the compulsory traceable property. To the best of our knowledge, this is the first time a study has taken into consideration the fact that a decryption black-box may frustrate tracking by identifying the tracing ciphertext among the received ciphertexts. We presented the definition of a compulsory traceable scheme with a security game. In the compulsory traceable scheme, an adversary will not be able to distinguish the tracing ciphertext from the normal ciphertext. We proved that our scheme satisfies this definition.

Like the BSW scheme, our scheme is proved secure under the generic group model instead of the standard model. Constructing a black-box traceable system that is secure in a standard model may be important in the future. However, if it is to be practical for dynamic application scenarios such as the fog, the system must remain scalable and compulsory traceable, and must also be much simpler than the existing black-box traceable systems in order to adapt for resource-limited and power-limited mobile devices.
Acknowledgements

We would like to thank the anonymous reviewers for their insightful suggestions on improving this paper. The research is funded in part by the National Natural Science Foundation of China, under Grant No. 61303191 and No. 61402508. It is also supported by the National High Technology Research and Development Program of China (863), under Grant No. 2015AA016010.

References

[1] F. Bonomi, R. Milito, J. Zhu, S. Addepalli, Fog computing and its role in the internet of things, in: Proceedings of the first edition of the MCC workshop on Mobile cloud computing, ACM, Helsinki, Finland, 2012, pp. 13-16.
[2] M. Mukherjee, R. Matam, L. Shu, L. Maglaras, M.A. Ferrag, N. Choudhury, V. Kumar, Security and Privacy in Fog Computing: Challenges, IEEE Access, 5 (2017) 19293-19304.
[3] R. Roman, J. Lopez, M. Mambo, Mobile edge computing, Fog et al.: A survey and analysis of security threats and challenges, Future Generation Computer Systems, 78 (2018) 680-698.
[4] S. Yi, Z. Qin, Q. Li, Security and privacy issues of fog computing: A survey, in: 10th International Conference on Wireless Algorithms, Systems, and Applications, WASA 2015, Springer, 2015, pp. 685-695.
[5] I. Stojmenovic, S. Wen, The Fog computing paradigm: Scenarios and security issues, in: 2014 Federated Conference on Computer Science and Information Systems, FedCSIS 2014, IEEE, 2014, pp. 1-8.
[6] J. Bethencourt, A. Sahai, B. Waters, Ciphertext-policy attribute-based encryption, in: S and P 2007: 2007 IEEE Symposium on Security and Privacy, SP'07, IEEE, 2007, pp. 321-334.
[7] L. Cheung, C. Newport, Provably secure ciphertext policy ABE, in: 14th ACM Conference on Computer and Communications Security, CCS'07, ACM, 2007, pp. 456-465.
[8] A. Balu, K. Kuppusamy, An expressive and provably secure Ciphertext-Policy Attribute-Based Encryption, Information Sciences, 276 (2014) 354-362.
[9] C. Chen, Z. Zhang, D. Feng, Efficient ciphertext policy attribute-based encryption with constant-size ciphertext and constant computation-cost, in: 5th International Conference on Provable Security, ProvSec 2011, Springer, 2011, pp. 84-101.
[10] B. Waters, Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization, in: 14th International Conference on Practice and Theory in Public Key Cryptography, PKC 2011, Springer, 2011, pp. 53-70.
[11] L. Ibraimi, Q. Tang, P. Hartel, W. Jonker, Efficient and provable secure ciphertext-policy attribute-based encryption schemes, in: 5th International Conference on Information Security Practice and Experience, ISPEC 2009, Springer, 2009, pp. 1-12.
[12] Q. Li, J. Ma, R. Li, J. Xiong, X. Liu, Provably secure unbounded multi-authority ciphertext-policy attribute-based encryption, Security and Communication Networks, 8 (2015) 4098-4109.
[13] S. Kamara, K. Lauter, Cryptographic cloud storage, in: 14th Financial Cryptography and Data Security International Conference, FC 2010, Springer, 2010, pp. 136-149.
[14] A.-P. Xiong, Q.-X. Gan, X.-X. He, Q. Zhao, A searchable encryption of CP-ABE scheme in cloud storage, in: 2013 IEEE 10th International Computer Conference on Wavelet Active Media Technology and Information Processing, ICCWAMTIP 2013, IEEE Computer Society, 2013, pp. 345-349.
[15] Q. Yuan, C. Ma, J. Lin, Fine-grained access control for big data based on CP-ABE in cloud computing, in: International Conference of Young Computer Scientists, Engineers and Educators, ICYCSEE 2015, Springer, 2015, pp. 344-352.
[16] Y. Cheng, Z.-Y. Wang, J. Ma, J.-J. Wu, S.-Z. Mei, J.-C. Ren, Efficient revocation in ciphertext-policy attribute-based encryption based cryptographic cloud storage, Journal of Zhejiang University: Science C, 14 (2013) 85-97.
[17] V. Odelu, A.K. Das, Y.S. Rao, S. Kumari, M.K. Khan, K.-K.R. Choo, Pairing-based CP-ABE with constant-size ciphertexts and secret keys for cloud environment, Computer Standards and Interfaces, 54 (2017) 3-9.
[18] A. Alrawais, A. Alhothaily, C. Hu, X. Xing, X. Cheng, An Attribute-Based Encryption Scheme to Secure Fog Communications, IEEE Access, 5 (2017) 9131-9138.
[19] I. Stojmenovic, S. Wen, X. Huang, H. Luan, An overview of Fog computing and its security issues, Concurrency Computation, 28 (2016) 2991-3005.
[20] X. Huang, Y. Xiang, E. Bertino, J. Zhou, L. Xu, Robust multi-factor authentication for fragile communications, IEEE Transactions on Dependable and Secure Computing, 11 (2014) 568-581.
[21] P. Zhang, Z. Chen, J.K. Liu, K. Liang, H. Liu, An efficient access control scheme with outsourcing capability and attribute update for fog computing, Future Generation Computer Systems, 78 (2018) 753-762.
[22] K. Fan, J. Wang, X. Wang, H. Li, Y. Yang, A secure and verifiable outsourced access control scheme in fog-cloud computing, Sensors (Switzerland), 17 (2017).
[23] J. Li, K. Ren, K. Kim, A2BE: Accountable attribute-based encryption for abuse free access control, IACR Cryptology ePrint Archive, (2009).
[24] Z. Liu, Z. Cao, D.S. Wong, Blackbox traceable CP-ABE: How to catch people leaking their keys by selling decryption devices on eBay, in: 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, ACM, 2013, pp. 475-486.
[25] Z. Liu, Z. Cao, D.S. Wong, White-box traceable ciphertext-policy attribute-based encryption supporting any monotone access structures, IEEE Transactions on Information Forensics and Security, 8 (2013) 76-88.
[26] J. Ning, Z. Cao, X. Dong, L. Wei, X. Lin, Large universe ciphertext-policy attribute-based encryption with white-box traceability, in: 19th European Symposium on Research in Computer Security, ESORICS 2014, Springer, 2014, pp. 55-72.
[27] J. Ning, X. Dong, Z. Cao, L. Wei, X. Lin, White-box traceable ciphertext-policy attribute-based encryption supporting flexible attributes, IEEE Transactions on Information Forensics and Security, 10 (2015) 1274-1288.
[28] K. Zhang, H. Li, J. Ma, X. Liu, Efficient large-universe multi-authority ciphertext-policy attribute-based encryption with white-box traceability, Science China Information Sciences, 61 (2018).
[29] J. Zhou, Z. Cao, X. Dong, X. Lin, TR-MABE: White-box traceable and revocable multi-authority attribute-based encryption and its applications to multi-level privacy-preserving e-healthcare cloud computing systems, in: 34th IEEE Annual Conference on Computer Communications and Networks, IEEE INFOCOM 2015, IEEE, 2015, pp. 2398-2406.
[30] Z. Liu, Z. Cao, D.S. Wong, Traceable CP-ABE: How to trace decryption devices found in the wild, IEEE Transactions on Information Forensics and Security, 10 (2015) 55-68.
[31] J. Ning, Z. Cao, X. Dong, J. Gong, J. Chen, Traceable CP-ABE with short ciphertexts: How to catch people selling decryption devices on eBay efficiently, in: 21st European Symposium on Research in Computer Security, ESORICS 2016, Springer, 2016, pp. 551-569.
[32] Y. Jiang, W. Susilo, Y. Mu, F. Guo, Ciphertext-policy attribute-based encryption against key-delegation abuse in fog computing, Future Generation Computer Systems, 78 (2018) 720-729.
[33] D. Boneh, X. Boyen, E.-J. Goh, Hierarchical Identity Based Encryption with Constant Size Ciphertext, in: 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, Springer Berlin Heidelberg, 2005, pp. 440-456.
[34] V. Shoup, Lower bounds for discrete logarithms and related problems, in: Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques, Springer, 1997, pp. 256-266.
[35] M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in: Proceedings of the 1st ACM conference on Computer and communications security, ACM, 1993, pp. 62-73.
[36] A. Beimel, Secure schemes for secret sharing and key distribution, PhD thesis, Israel Institute of Technology, Technion, Haifa, Israel, 1996.
[37] M. Qiu, K. Gai, B. Thuraisingham, L. Tao, H. Zhao, Proactive user-centric secure data scheme using attribute-based semantic access controls for mobile clouds in financial industry, Future Generation Computer Systems, 80 (2018) 421-429.
[38] K. Gai, M. Qiu, Z. Ming, H. Zhao, L. Qiu, Spoofing-Jamming attack strategy using optimal power distributions in wireless smart grid networks, IEEE Transactions on Smart Grid, 8 (2017) 2431-2439.
[39] K. Gai, M. Qiu, Blend arithmetic operations on tensor-based fully homomorphic encryption over real numbers, IEEE Transactions on Industrial Informatics, PP (2017) 1.
[40] http://gas.dia.unisa.it/projects/jpbc/
[41] D.M. Freeman, Converting pairing-based cryptosystems from composite-order groups to prime-order groups, in: 29th in the Series of European Conferences on the Theory and Application of Cryptographic Techniques, EUROCRYPT 2010, Springer, pp. 44-61.

Biographical notes:

Huidong Qiao received the B.S. from Xiangtan University, and M.S. from Central South University and currently is a PhD candidate in College of Computer, National University of Defense Technology. His research interests include information security, cryptography, cloud security and fog security.

Jiangchun Ren received his PhD in College of Computer, National University of Defense Technology. He is currently an Associate Professor. His research interests are related to trusted computing and system security. He has been responsible for National Natural Science Foundation, 973 projects and so on. He has published research papers at national and international journals, and conference proceedings as well as chapters of books.

Zhiying Wang received his PhD in College of Computer, National University of Defense Technology. He is currently a professor. His research interests are related to computer architecture and information security. He has been responsible for National Natural Science Foundation, 973 projects, 863 projects and so on.

Haihe Ba is a PhD candidate in College of Computer, National University of Defense Technology. His research interests include issues related to trusted computing, cloud security and system security. He is the author of a great deal of research studies published at national and international journals, conference proceedings as well as chapters of books.

Huaizhe Zhou is a Master candidate in College of Computer, National University of Defense Technology. His research interests are related to high performance computing and cryptogram algebraic analysis. He has published research papers at national and international journals and conference proceedings.

Highlights

• We propose a black-box traceable CP-ABE scheme against privilege abuse.
• The scalability and the relatively high efficiency make our scheme suitable for fog computing.
• We propose the concept of compulsory traceability for CP-ABE scheme, and present the new security game model for the property.
• Our scheme is proved to be compulsory traceable.