Offline/Online Outsourced Attribute-Based Encryption with Partial Policy Hidden for the Internet of Things

In the Internet of Things (IoT) environment, intelligent devices collect and share large volumes of sensitive personal data for a wide range of applications. However, the storage and computing power of IoT devices is limited, so the large amount of sensed data is encrypted and transmitted to a cloud platform that interconnects the IoT devices. Therefore, how to reduce the encryption/decryption cost while preserving the privacy of the sensitive data in the IoT environment is an issue that deserves research. To mitigate these issues, we propose an offline/online attribute-based encryption scheme that supports partial policy hiding and outsourced decryption. The scheme adopts offline/online attribute-based encryption: the key generation algorithm and the encryption algorithm are each divided into an offline stage and an online stage. Meanwhile, in order to solve the problem of policy disclosure on the cloud platform, policy hiding is supported; that is, each attribute is divided into an attribute name and an attribute value, and only the value is hidden. For the pairing operations involved in the decryption process, a verifiable outsourced decryption is implemented. Our scheme is constructed on composite order bilinear groups and achieves full security under the standard model. Finally, a comparison with other schemes in terms of functionality and computational overhead shows that the proposed scheme is more efficient and applicable to mobile devices with limited computing and storage capacity in the Internet of Things environment.


Introduction
With the continuous development of Internet of Things technology, it has been widely used in health care, smart homes, industrial manufacturing, and environmental monitoring. However, the computing and storage resources of Internet of Things equipment are often limited, so an increasing number of individuals and organizations outsource the storage of personal information to cloud servers to lower their costs. Since the cloud server is not completely trusted, how to protect the private information contained in the data, and how to cope with the huge computing cost on resource-limited mobile devices, are problems that current research should solve.
In the application of intelligent medicine, personal health records are collected through wearable devices (e.g., smart bracelets) and then processed by a medical information integration platform. The Personal Health Record (PHR) is the core component of intelligent medicine and contains a great deal of private information about the user. The data need to be shared with relevant doctors, relatives, and friends, so it is important to achieve fine-grained access control over the data and the related equipment. Sahai and Waters proposed a new public key cryptosystem called attribute-based encryption (ABE) [1]. Subsequently, it was divided into two categories according to the location of the access policy: key-policy attribute-based encryption (KP-ABE) [2] and ciphertext-policy attribute-based encryption (CP-ABE) [3]. In CP-ABE schemes, the access policy is embedded in the ciphertext and, in a cloud environment, is outsourced to the Cloud Service Provider (CSP) together with the ciphertext. Because access policies are publicly available, everyone can read policies that contain some private information. For example, in an intelligent medical system, a patient authorizes a cardiologist to access the encrypted data through the access policy {Department: Cardiology; Doctor: Alice}. Anyone who sees the encrypted data could then conclude that the patient has "heart disease" without decrypting it. If the attribute values in the policy are not visible, that is, the policy is shown as {Department: ×××; Doctor: ×××}, then the patient's privacy can be guaranteed.
In order to avoid leaking the sensitive information implicit in the policy, how to hide the access policy has become a concern of many scholars. Nishide et al. [4] first proposed ciphertext-policy attribute-based encryption with a hidden access structure. The access structure implicit in the ciphertext is not sent along with the ciphertext, so no one can obtain the access structure information, but the policy in that scheme only supports the "AND" gate structure. Lai et al. [5] proposed a CP-ABE with a partially hidden access structure that achieves better policy expressiveness. Different from the previous schemes, each attribute is divided into two parts, the attribute name and the attribute value; the attribute name can be made public, while the attribute value is hidden. Li et al. [6] proposed an efficient attribute-based encryption scheme with a partially hidden policy. The scheme has a lower decryption cost, but the public parameters, ciphertext, and attribute information related to the policy are easily obtained by arbitrary malicious users. Therefore, Yin et al. [7] proposed a more efficient scheme in the standard model that addresses the deficiency of Li et al.'s scheme [6]; its security is reduced to the DBDH assumption. Cui et al. [8] constructed a scheme based on a composite order group that supports hidden attribute values, but it only achieves selective security. In the application scenario of the electronic medical system, Zhang et al. [9] not only implement semihidden policies but also require less computing cost and storage overhead during the decryption process; in addition, the scheme is fully secure under the standard model. However, the bilinear pairing and modular exponentiation operations involved in the decryption process are still related to the number of attributes. To reduce the costly pairing operations, Hu et al. [10] proposed a semihidden attribute-based encryption scheme with a constant number of pairing operations, but the number of modular exponentiations is still linear in the number of attributes. In summary, the above schemes only realize a hidden access structure, their computing overhead depends on the complexity of the access structure and the number of attributes, and, what is more, the encryption and decryption processes still require a large number of modular exponentiation and pairing operations.
IoT devices need to be online in real time when generating policy-related ciphertext, but IoT devices with limited computing and storage are not always online. In order to solve this problem, Li et al. [11] put forward an offline/online attribute-based encryption scheme that keeps the access policy invisible. The key generation and encryption operations are divided into an offline phase and an online phase. That is, the key and ciphertext are precomputed in the offline phase, while only a small amount of computation is needed in the online phase to complete the key components and the ciphertext. However, the pairing operations involved in decryption are still linear in the number of attributes required for decryption. In this paper, we propose an offline/online attribute-based encryption scheme that not only hides the access structure but also supports outsourced decryption. The main contributions are as follows.
(1) Partial access policy hiding: different from the technique of hiding the access structure adopted by Li et al. [11], our scheme divides each attribute into two parts, the attribute name and the attribute value. The attribute name can be disclosed, while the attribute value is hidden. Hence, the attribute names can be uploaded to the cloud server provider (CSP) together with the ciphertext, but the attribute values are not visible.
(2) Outsourced decryption: in the decryption process, the bilinear pairing and modular exponentiation operations are outsourced to the CSP. The user only needs to verify the returned result and perform a constant number of exponentiations to recover the plaintext.
(3) Full security: our scheme is based on composite order groups and is proved fully secure by the dual-system encryption technique [12].
(4) Performance advantages: compared with previous schemes in terms of functionality and performance, the proposed scheme has more advantages, and simulation experiments based on the PBC library show that our scheme is feasible in the IoT.

Related Work
2.1. Policy Hidden. In order to preserve the privacy of user attributes in the cloud environment, Nishide et al. [4] first proposed a CP-ABE scheme with a hidden access structure. Lewko et al. [13] proposed a fully secure CP-ABE scheme using the dual-system encryption technique under the standard model. Subsequently, Lewko and Waters [14] put forward a new proof method to achieve full security, although with lower efficiency. Lai et al. [5] and Jin et al. [15] gave CP-ABE schemes supporting partially hidden policies. The scheme is proved fully secure, but its access structure only supports the "AND" gate structure. In order to reduce the bilinear pairing and modular exponentiation operations involved in the decryption process, the schemes [5, 16] first test whether the user's attributes match the access policy and perform the decryption operation only if the match succeeds. However, the scheme [16] only supports the "AND" gate structure, the pairing and modular exponentiation operations during decryption are still linear in the number of attributes, and the scheme is only proved selectively secure, while Lai et al. [5] adopt the more flexible LSSS structure and their scheme is fully secure under the standard model. But the bilinear pairing and modular exponentiation operations involved in the user testing phase and the decryption phase increase linearly with the complexity of the policy. Yan et al. [17] introduced a multiauthority attribute-based encryption scheme with partially hidden policies and dynamic policy updating. In that scheme, policy hiding only hides the attribute values, so it is called a semihidden policy. Complete hiding of attributes can also be realized by inner product predicate encryption [18], but most such schemes only support the "AND" gate structure with weak expressiveness, so their practical applicability is limited.

2.2. Offline/Online Attribute-Based Encryption. Offline/online encryption preprocesses most of the heavy work in an offline phase and responds rapidly to key requests or encryption tasks in an online phase. Even et al. [19] first proposed offline/online digital signatures. Liu et al. [20] gave an identity-based offline/online signature scheme for wireless sensor networks. Guo et al. [21] proposed an identity-based offline/online encryption scheme, in which most of the computation is preprocessed in the offline stage and the actual encryption is completed in the online stage. Hohenberger and Waters [22] introduced an offline/online attribute-based encryption scheme in 2014, the first ABE scheme to adopt the offline/online technique. Liu et al. [23] proposed a new ciphertext-policy attribute-based encryption scheme combining the offline/online technique with verifiable outsourcing. Wang et al. [24] proposed an offline/online attribute-based encryption scheme that achieves full security under the standard model; however, it does not verify the partial decryption results computed by the cloud. Among existing intrusion prevention systems, an industrial network intrusion detection algorithm based on a multifeature data clustering optimization model has been proposed [25]. With the development of electronic chip technologies for the IoT, Liang et al. [26] introduced a fast deep reinforcement learning- (DRL-) based detection algorithm for virtual IP watermarks, combining mapping functions with DRL to preprocess the ownership information of IP circuit resources.

2.3. Outsourced Attribute-Based Encryption. Green et al. [27] proposed the first outsourced attribute-based encryption scheme, which is secure in the random oracle model. The scheme delegates the decryption operation to a decryption server, which converts the ciphertext into an ElGamal-type ciphertext and delivers it to the user, thereby reducing the computing cost of the data user. Lai et al. [28] realized outsourced decryption and provided verification of the correctness of the outsourced computation. Li et al. [29] presented an offline/online attribute-based encryption scheme that reduces the computational overhead of the encryption phase with the offline/online technique; in addition, a "chameleon" hash function was introduced to implement verification before the decryption phase. The scheme was proved secure against adaptive chosen ciphertext attacks, but the bilinear pairing operations involved in decryption were still a large overhead for the user. Fan et al. [30] introduced a verifiable outsourcing scheme for multiauthority settings in cloud-fog computing, which outsources encryption and decryption to fog nodes close to the end user. Compared with a remote cloud server provider, fog nodes can handle data with low latency, which makes them an ideal choice for real-time computation. Zhang et al. [31] proposed for the first time an access control scheme with full outsourcing, in which the key generation, encryption, and decryption operations are all handled by the cloud, but it lacks a verification mechanism. Zhao et al. [32] put forward a verifiable full outsourcing scheme based on the scheme of [31]; it supports verification and optimizes performance so that the computational cost does not increase significantly with the number of attributes or the complexity of the access policy. Yu et al. [33] introduced verifiable outsourced attribute-based encryption with partial policy hiding. Owing to the particularities of blockchain-based industrial networks, data storage management faces enormous challenges; Liang et al. [34] focus on data security issues in the industrial network and design a fault-tolerant data coding, storage, and repair scheme.

3.1. Composite Order Bilinear Group. The proposed scheme is based on a composite order bilinear group whose order is the product of three distinct primes. Let $\Phi$ be an algorithm that inputs the security parameter $1^\lambda$ and outputs a tuple $(p_1, \ldots)$. (2) Nondegenerate: there exists $g \in G$ such that $e(g, g)$ has order $N$ in $G_T$.
The group operations in $G$ and $G_T$ and the map $e$ are computable in polynomial time in $\lambda$. Let $G_{p_1}, G_{p_2}, G_{p_3}$ denote the subgroups of $G$ of order $p_1, p_2, p_3$, respectively; then $G = G_{p_1} \times G_{p_2} \times G_{p_3}$. If $g_1 \in G_{p_1}$ and $g_2 \in G_{p_2}$, then $e(g_1, g_2) = 1$. The same holds whenever the two arguments of $e$ come from different subgroups; this property is called the orthogonality of the composite order bilinear group.

3.2. Linear Secret Sharing Scheme (LSSS). A secret sharing scheme $\Pi$ over a set of participants $P$ is called a linear secret sharing scheme (over $\mathbb{Z}_p$) if the following conditions are met.
(1) The secret shares of the parties form a vector over $\mathbb{Z}_p$.
(2) For the secret sharing scheme $\Pi$, there is a share-generating matrix $M$ of size $\ell \times n$ and a function $\rho$ that maps each row of $M$ to an associated participant in $P$; for $i = 1, \ldots, \ell$, $\rho(i)$ is the party associated with the $i$-th row of $M$. We first form a column vector $v = (s, y_2, y_3, \ldots, y_n)$, where $s \in \mathbb{Z}_p$ is the secret to be shared and $y_i$, $i = 2, \ldots, n$, are chosen at random. According to $\Pi$, $Mv$ is the vector of $\ell$ shares of the secret $s$, and the share $\lambda_i = (Mv)_i$ is held by the participant $\rho(i)$.
The linear secret sharing scheme has the linear reconstruction property. If $S \in \mathbb{A}$ is an authorized set, then there exist constants $\{\omega_i \in \mathbb{Z}_p\}_{i \in I}$ such that $\sum_{i \in I} \omega_i \lambda_i = s$, where the $\lambda_i$ are valid shares of the secret $s$ and $I = \{i : \rho(i) \in S\}$.
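As an added example that is not part of the paper, the following Python code implements the LSSS share generation $\lambda_i = (Mv)_i$ and the linear reconstruction $\sum_{i \in I} \omega_i \lambda_i = s$ described above, which is the same reconstruction later performed in $\mathrm{Transform}_{out}$; the prime $P$, the access matrix $M$, and the attribute names in $\rho$ are constructed for the example, and the solver also reports when a set of attributes is not authorized.

```python
# Added example, not from the paper: the LSSS of Section 3.2 over Z_p.
# Shares are lambda_i = (M v)_i with v = (s, y_2, ..., y_n); an authorized set I
# recovers s as sum_{i in I} omega_i * lambda_i, where the omega_i solve
# sum_{i in I} omega_i * M_i = (1, 0, ..., 0).  An unauthorized set has no such
# omega_i, so the solver reports failure and nothing about s is recovered.
import secrets

# Constructed parameters for this example: a prime field and the policy
# (Department AND Doctor) OR Hospital, encoded as a share-generating matrix M
# whose rows are labelled by rho with attribute names (values stay hidden).
P = 2**127 - 1
M = [[1, 1],        # Department
     [0, P - 1],    # Doctor     (P - 1 is -1 mod P)
     [1, 0]]        # Hospital
RHO = ["Department", "Doctor", "Hospital"]


def share(secret, m=M, p=P):
    """Return the share vector M v, with y_2..y_n drawn uniformly from Z_p."""
    n = len(m[0])
    v = [secret % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [sum(row[j] * v[j] for j in range(n)) % p for row in m]


def _solve_mod_p(a, b, p):
    """Solve a * x = b over Z_p by Gauss-Jordan elimination.

    Returns one solution (free variables set to 0) or None when the system is
    inconsistent, i.e. b is not in the column space of a."""
    rows, cols = len(a), len(a[0])
    aug = [[x % p for x in a[i]] + [b[i] % p] for i in range(rows)]
    pivot_cols, r = [], 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivot_cols.append(c)
        r += 1
        if r == rows:
            break
    if any(aug[i][cols] for i in range(r, rows)):   # row "0 = nonzero": no solution
        return None
    x = [0] * cols
    for i, c in enumerate(pivot_cols):
        x[c] = aug[i][cols]
    return x


def reconstruction_constants(attrs, m=M, rho=RHO, p=P):
    """Return (I, omegas) for I = {i : rho(i) in attrs}, or None if attrs is
    not an authorized set (no omegas with sum omega_i * M_i = e_1 exist)."""
    idx = [i for i, name in enumerate(rho) if name in attrs]
    if not idx:
        return None
    n = len(m[0])
    # One equation per column j: sum_{i in I} omega_i * M[i][j] = e_1[j].
    a = [[m[i][j] for i in idx] for j in range(n)]
    e1 = [1] + [0] * (n - 1)
    omegas = _solve_mod_p(a, e1, p)
    return None if omegas is None else (idx, omegas)


def reconstruct(shares, attrs, m=M, rho=RHO, p=P):
    """Recover s from the shares held by attrs, or None if attrs is unauthorized."""
    res = reconstruction_constants(attrs, m, rho, p)
    if res is None:
        return None
    idx, omegas = res
    return sum(w * shares[i] for w, i in zip(omegas, idx)) % p


if __name__ == "__main__":
    lam = share(424242)
    print(reconstruct(lam, {"Department", "Doctor"}))  # 424242
    print(reconstruct(lam, {"Hospital"}))              # 424242
    print(reconstruct(lam, {"Doctor"}))                # None: not authorized
```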
3.3. Key Derivation Function (KDF). A KDF takes as input an original secret key $DK$ and a length $l$ and outputs a bit string of length $l$. The KDF is secure if every probabilistic polynomial-time adversary has only a negligible advantage against it.

3.4. Complexity Assumption. The order of the group $G$ is the product of three distinct primes. For any nonempty set $Z \subseteq \{1, 2, 3\}$, the subgroup of $G$ of order $\prod_{i \in Z} p_i$ is denoted by $G_Z$. The security of the scheme is based on the following complexity assumptions, and a detailed description of the assumptions is given below.
Definition 2. Assumption 1 holds for $\Phi$ if, for any probabilistic polynomial-time adversary $\mathcal{A}$, the advantage $\mathrm{Adv}^{1}_{\Phi,\mathcal{A}}(\lambda)$ is a negligible function of $\lambda$.

System Algorithm and Security Model
4.1. Algorithm Definition. The scheme is composed of the following seven algorithms.
$\mathrm{Setup}(\lambda, U) \to (PK, MSK)$: the algorithm inputs the security parameter $\lambda$ and the attribute universe $U$, and outputs the master key $MSK$ and the public parameters $PK$, including the key derivation function (KDF).
$\mathrm{Offline.KeyGen}(PK, \varsigma) \to IK$: this algorithm is run by the attribute authority in the offline phase. It inputs the public parameters $PK$ and the attribute set $\varsigma$, and returns the intermediate key $IK$.
$\mathrm{Online.KeyGen}(PK, MSK, IK, \varsigma) \to (SK, TK)$: this algorithm is run by the attribute authority in the online phase. It inputs the public parameters $PK$, the master key $MSK$, the attribute set $\varsigma$, and the intermediate key $IK$, and returns the transformed key $TK$ and the secret key $SK$, where $TK$ is used for outsourced decryption and $SK$ for the user's local decryption.
$\mathrm{Offline.Enc}(PK, \mathbb{A}) \to IC$: the algorithm is run by the data owner in the offline stage. It inputs the public parameters $PK$ and the access policy $\mathbb{A}$, and outputs the intermediate ciphertext $IC$.
$\mathrm{Online.Enc}(PK, (M, \rho), IC, m) \to CT$: the algorithm is run by the data owner in the online stage. It inputs the public parameters $PK$, the access policy $(M, \rho)$, the intermediate ciphertext $IC$, and the message $m$, and outputs the complete ciphertext $CT$.
$\mathrm{Transform}_{out}(TK, CT) \to CT'$: the algorithm is executed by the cloud server provider (CSP); it inputs the transformed key $TK$ and the ciphertext $CT$ and generates the partially decrypted ciphertext $CT'$.
$\mathrm{Decrypt}(SK, CT, CT', PK) \to m$: the algorithm is executed by the local user; it inputs the secret key $SK$, the complete ciphertext $CT$, and the partially decrypted ciphertext $CT'$, and returns $m$.

4.2. Security Model. We define the security model of this paper through the following game between a Challenger (Simulator) B and an Adversary A.
Setup. Challenger B runs the Setup algorithm and gives the public parameters $PK$ to Adversary A.
Phase 1. Challenger B initializes an empty table $T$, an empty set $D$, and an integer $i = 0$. Adversary A may repeatedly issue any of the following queries.
Create($\varsigma$). The challenger sets $i = i + 1$, runs the key generation algorithm on the attribute set $\varsigma$ to obtain the key pair $(SK, TK)$, and stores $(i, \varsigma, SK, TK)$ in table $T$.
Corrupt($x$). If the $x$-th entry exists in table $T$, the challenger retrieves the entry $(x, \varsigma, SK, TK)$, sets $D := D \cup \{\varsigma\}$, and outputs the key pair $(SK, TK)$ to Adversary A; otherwise it outputs $\perp$.

Journal of Sensors
Challenge. Adversary A submits two equal-length messages $m_0^*, m_1^*$ and an access structure $\mathbb{A}^*$ such that no $\varsigma \in D$ satisfies $\mathbb{A}^*$. Challenger B selects $b \in \{0, 1\}$, encrypts $m_b$ under the access structure $\mathbb{A}^*$, and sends the resulting ciphertext $CT^*$ to Adversary A.
Phase 2. Challenger B continues to answer the adversary's queries as in Phase 1, but the adversary may not query an attribute set $\varsigma$ that satisfies the policy $\mathbb{A}^*$.
Guess. Adversary A outputs a guess $b' \in \{0, 1\}$ and wins the game if $b' = b$.

Our Construction
The offline/online attribute-based encryption scheme with partial policy hiding and outsourced decryption proposed in this paper is inspired by references [14, 24] and consists of the following seven algorithms. The scheme is constructed as follows.
$\mathrm{Setup}(\lambda, U) \to (PK, MSK)$: the algorithm inputs the security parameter $\lambda$ and the attribute universe $U$, and selects a bilinear group $G$ of order $N = p_1 p_2 p_3$, where $U = \mathbb{Z}_N$, $p_1, p_2, p_3$ are three distinct primes, and $p_i$ is the order of the subgroup $G_{p_i}$. It then randomly selects $\alpha, a, k, u, r \in \mathbb{Z}_N$ and $g \in G_{p_1}$, fixes a key derivation function KDF with output length $l$ and a collision-resistant hash function $H : \{0, 1\}^* \to \mathbb{Z}_N$, and finally outputs the public parameters $PK = (N, g, g^a, g^k, e(g, g)^\alpha, u, r, \mathrm{KDF}, l, H)$ and the master key $MSK = (g^\alpha, g_3 \in G_{p_3})$.
The user attribute set is defined as $\varsigma = (\chi_S, S)$, where $\chi_S \subseteq \mathbb{Z}_N$ is the set of attribute name indices and $S = \{s_i\}_{i \in \chi_S}$ is the set of attribute values.
$\mathrm{Offline.KeyGen}(PK, \varsigma) \to IK$: the algorithm selects $t' \in \mathbb{Z}_N$, computes $K_i' = (g^{s_i})^{t'}$ for $i \in \chi_S$, and outputs $IK = (\{K_i'\}_{i \in \chi_S}, t')$.
$\mathrm{Online.KeyGen}(PK, MSK, IK, \varsigma) \to (SK, TK)$: it randomly selects $h, z \in \mathbb{Z}_N$ and $R, R', R'', \{R_i\}_{i \in \chi_S} \in G_{p_3}$ and computes the secret key $SK$ and the transformed key $TK$.
$\mathrm{Transform}_{out}(TK, CT) \to CT'$: after receiving the transformed key $TK$ and the ciphertext $CT$, if the attribute set $\varsigma$ satisfies the access policy $\mathbb{A}$, there is a subset $\chi \in I_{(M, \rho)}$ with $\{\rho(i) \mid i \in \chi\} \subseteq \chi_S$, where $I_{(M, \rho)} \subseteq \{1, 2, \ldots, \ell\}$ denotes the subset of $\{1, 2, \ldots, \ell\}$ that satisfies $(M, \rho)$; then there exists a set of constants $\{\omega_i\}_{i \in \chi}$ such that $\sum_{i \in \chi} \omega_i \lambda_i = s$, where $\lambda_i$ is the valid share of the secret $s$. The transformed ciphertext $CT_{transform}$ is computed by the following steps.

Security Proof
Theorem 5. If Assumption 1 and Assumption 3 hold, then the proposed scheme is fully secure in the defined security model, that is, it satisfies CPA (chosen-plaintext attack) security.
Proof. The security proof of the scheme is similar to that of [14]; that is, the dual-system encryption technique is used to prove its security. First, two semifunctional structures are defined: the semifunctional ciphertext and the semifunctional key. A normal secret key can decrypt both normal and semifunctional ciphertexts, but a semifunctional secret key cannot decrypt a semifunctional ciphertext. Semifunctional keys and semifunctional ciphertexts are only used in the security proof and do not appear in the actual system.
Semifunctional key: first call the normal key generation algorithm to generate a normal key $K, K', K'', \{K_i\}_{i \in \chi_S}$, and then randomly select elements $\eta, \eta' \in G_{p_2}$ to form the semifunctional key $K\eta, K'\eta', K'', \{K_i\}_{i \in \chi_S}$; in other words, apart from the $G_{p_2}$ factors on $K$ and $K'$, the remaining components are unchanged. Semifunctional ciphertext: first call the normal encryption algorithm to generate a normal ciphertext $C, C', C'', \{C_{1,x}, D_{1,x}\}_{x \in [1, \ell]}$, then select random exponents $a', k', s' \in \mathbb{Z}_N$, a random vector $\omega \in \mathbb{Z}_N^n$ whose first element is $s'$, and random exponents $\eta_i, \gamma_x \in \mathbb{Z}_N$, and form the semifunctional ciphertext. The structure of the $G_{p_2}$ components mirrors that of the $G_{p_1}$ components but is unrelated to the public parameters.
Let $Q$ denote the total number of key queries made by the adversary, and define the games $\mathrm{Game}_k$ for $k \in [0, Q]$.
$\mathrm{Game}_k$: in this game, the ciphertext given to the attacker is semifunctional, the first $k$ keys are also semifunctional, and the remaining keys are normal.
The security of the scheme under Assumption 1 and Assumption 3 is demonstrated through a sequence of games. We first move from $\mathrm{Game}_{real}$ to $\mathrm{Game}_0$, then to $\mathrm{Game}_1$, and so on up to $\mathrm{Game}_Q$, in which all keys and the ciphertext given to the attacker are semifunctional. Finally, we move to $\mathrm{Game}_{final}$, in which the ciphertext given to the attacker is a semifunctional encryption of a random message. Because the attacker has no advantage in the final game, this completes the security proof of the scheme.

Lemma 6.
Under Assumption 1 (the general subgroup decision assumption), no polynomial-time attacker can achieve a nonnegligible difference in advantage between $\mathrm{Game}_{real}$ and $\mathrm{Game}_0$.
Proof. We construct a probabilistic polynomial-time algorithm B that breaks the general subgroup decision assumption with $Z_0 := \{1\}$, $Z_1 := \{1, 2\}$, $Z_2 := \{1\}$, $Z_3 := \{3\}$. B is given $g_1, g_3, T$ as input, where $g_1$ is a generator of $G_{p_1}$, $g_3$ is a generator of $G_{p_3}$, and $T$ is a random element of either $G_{p_1}$ or $G_{p_1 p_2}$. B acts as a simulator and, depending on the nature of $T$, simulates $\mathrm{Game}_{real}$ or $\mathrm{Game}_0$ for Adversary A.
B chooses random exponents $\alpha, a, k \in \mathbb{Z}_N$, sets the public parameters $PK = (N, g = g_1, g^a = g_1^a, g^k = g_1^k, e(g, g)^\alpha = e(g_1, g_1)^\alpha, u, r, \mathrm{KDF}, l, H)$, and sends $PK$ to Adversary A. Note that Simulator B knows the master key $MSK$, so when A makes a secret key query, B answers by running the normal key generation algorithm.
The adversary requests a challenge ciphertext for messages related to the access policy $\mathbb{A} = (M, \rho, \Psi)$. B randomly selects a bit $b$ and encrypts $m_b$, implicitly setting $g^s$ to the $G_{p_1}$ component of $T$. B randomly selects a vector $\tilde v \in \mathbb{Z}_N^n$ whose first element is $1$ and lets $v = s\tilde v$; it also selects $\tilde r_x \in \mathbb{Z}_N$ at random for $x \in [1, \ell]$ and sets $r_x = s\tilde r_x$. Note that $s, v, r_x$ are randomly distributed. The ciphertext components are then
$C = T$, $C' = m_b \cdot e(g_1, T)^\alpha$, $C'' = T^k$, $C_{1,x} = T^{a \cdot M_x \cdot \tilde v}\, T^{-\tilde r_x \cdot \eta_{\rho(x)}}$, $D_{1,x} = T^{\tilde r_x}$.
If $T \in G_{p_1}$, the ciphertext is a normal ciphertext and B simulates $\mathrm{Game}_{real}$ with A. If $T \in G_{p_1 p_2}$, it is a semifunctional ciphertext whose $G_{p_2}$ components are set as follows: $g_2^{s'}$ is the $G_{p_2}$ component of $T$, $k' = k \bmod p_2$, $a' = a \bmod p_2$, $\omega = s\tilde v \bmod p_2$, $\eta_{\rho(x)} = t_{\rho(x)} \bmod p_2$, and $\gamma_x = s'\tilde r_x \bmod p_2$. These values are properly distributed, since the values modulo $p_1$ and modulo $p_2$ of an element chosen uniformly at random modulo $N$ are independent and uniformly distributed. We also note that the public parameters reveal the values of $a, k$ only modulo $p_1$. Hence, when $T \in G_{p_1 p_2}$, B simulates $\mathrm{Game}_0$ with A, and B can use any nonnegligible difference in the adversary's advantage between these games to obtain a nonnegligible advantage in breaking Assumption 1 (the general subgroup decision assumption).

Lemma 7.
Under Assumption 1 (the general subgroup decision assumption), no polynomial-time attacker can achieve a nonnegligible difference in advantage between $\mathrm{Game}_{k-1}$ and $\mathrm{Game}_k$.
Proof. We construct a probabilistic polynomial-time algorithm B that breaks the general subgroup decision assumption with $Z_0 := \{1, 3\}$. B is given $g_1, X_1, X_2, Y_2, g_3, Y_3, T$ as input, where $g_1, X_1$ are generators of $G_{p_1}$, $X_2, Y_2$ are generators of $G_{p_2}$, $g_3, Y_3$ are generators of $G_{p_3}$, and $T$ is a random element of either $G_{p_1 p_3}$ or $G_{p_1 p_2 p_3}$. Depending on the nature of $T$, B simulates $\mathrm{Game}_{k-1}$ or $\mathrm{Game}_k$ for Adversary A.
B chooses random exponents $\alpha, a, k \in \mathbb{Z}_N$, sets the public parameters $PK = (N, g = g_1, g^a = g_1^a, g^k = g_1^k, e(g, g)^\alpha = e(g_1, g_1)^\alpha, u, r, \mathrm{KDF}, l, H)$, and sends $PK$ to Adversary A. Note that Simulator B knows the master key $MSK$. When A makes a secret key request, B runs the normal key generation algorithm to create a private key in response to A's query. For the first $k - 1$ key queries of A, B generates semifunctional keys as follows: first, the normal key generation algorithm is called to generate the normal key $K, K', K'', \{K_i\}_{i \in \chi_S}$, and then random values $\tau, \tau'$ are selected to form the semifunctional key, where the group elements $Y_2^{\tau}, Y_2^{\tau'}$ are uniformly distributed in $G_{p_2}$. To generate the semifunctional challenge ciphertext, the adversary requests a challenge ciphertext for messages $m_0, m_1$ related to the access policy $\mathbb{A} = (M, \rho, \Psi)$. B randomly selects a bit $b$ and encrypts $m_b$, with $g^s$ equal to the $G_{p_1}$ component of $T$. B randomly selects a vector $\tilde v \in \mathbb{Z}_N^n$ whose first element is $1$ and sets $g^s = X_1$, $v = s\tilde v$, $g^{r_x} = X_1^{\tilde r_x}$; the ciphertext is then computed as
$C = X_1 X_2$, $C' = m_b \cdot e(g_1, X_1 X_2)^\alpha$, $C'' = (X_1 X_2)^k$, $C_{1,x} = (X_1 X_2)^{a \cdot M_x \cdot \tilde v}\, (X_1 X_2)^{-\tilde r_x \cdot \eta_{\rho(x)}}$, $D_{1,x} = (X_1 X_2)^{\tilde r_x}$,
where $g_2^{s'} = X_2$, $k' = k \bmod p_2$, $a' = a \bmod p_2$, $\eta_{\rho(x)} = t_{\rho(x)} \bmod p_2$, and $g_2^{r_x} = X_2^{\tilde r_x}$ are set implicitly. To create a semifunctional ciphertext, the values of $a, k \bmod p_2$ must not be revealed by the public parameters. To answer the $k$-th key query for the associated attribute set, B randomly selects $t, z \in \mathbb{Z}_N$ and random elements $R, R', R'', \{R_i\} \in G_{p_3}$ and computes the key components. If $T \in G_{p_1 p_3}$, the distributed key is a normal key; if $T \in G_{p_1 p_2 p_3}$, the distributed key is a semifunctional key. Hence, when $T \in G_{p_1 p_3}$, B simulates $\mathrm{Game}_{k-1}$ with the adversary, and when $T \in G_{p_1 p_2 p_3}$, B simulates $\mathrm{Game}_k$. B can therefore use any nonnegligible difference in the adversary's advantage between these games to obtain a nonnegligible advantage in breaking Assumption 1 (the general subgroup decision assumption).

Lemma 8.
Under Assumption 3 (the general subgroup decision assumption), no polynomial-time attacker can achieve a nonnegligible difference in advantage between $\mathrm{Game}_Q$ and $\mathrm{Game}_{final}$.
Proof. We construct a probabilistic polynomial-time algorithm B that breaks the general subgroup decision Assumption 3. B is given $g_1, g_2, g_3, g_1^\alpha X_2, g_1^s Y_2, T$ as input, where $T$ is either $e(g_1, g_1)^{\alpha s}$ or a random element of $G_T$. Depending on the nature of $T$, B simulates $\mathrm{Game}_Q$ or $\mathrm{Game}_{final}$ for Adversary A.
B chooses random exponents $\alpha, a, k \in \mathbb{Z}_N$, sets the public parameters $PK = (N, g = g_1, g^a = g_1^a, g^k = g_1^k, e(g, g)^\alpha = e(g_1, g_1)^\alpha, u, r, \mathrm{KDF}, l, H)$, and sends $PK$ to Adversary A. Note that Simulator B knows the master key $MSK$. When A issues the $k$-th key query for the associated attribute set, B randomly selects exponents $\alpha, a, k \in \mathbb{Z}_N$ and random elements $R, R', R'', \{R_i\} \in G_{p_3}$ and computes the key components (see formula (6)); note that the generated key is a semifunctional key. For the first $k - 1$ key queries of A, B generates semifunctional keys as follows: first, the normal key generation algorithm is called to generate the normal key $K, K', K'', \{K_i\}_{i \in \chi_S}$, and then random values $\tau, \tau'$ are selected to form the semifunctional key, where the group elements $Y_2^{\tau}, Y_2^{\tau'}$ are uniformly distributed in $G_{p_2}$.
To generate the semifunctional challenge ciphertext, B randomly selects a vector $\tilde v \in \mathbb{Z}_N^n$ whose first element is $1$, lets $v = s\tilde v$, randomly selects exponents $\tilde r_x \in \mathbb{Z}_N$ for $x \in [1, \ell]$, and sets $r_x = s\tilde r_x$. Note that $s, v, r_x$ are randomly distributed. The resulting ciphertext is a semifunctional ciphertext, where $g_2^{s'}$ equals $Y_2$, $a' = a \bmod p_2$, $\omega = s\tilde v \bmod p_2$, $\eta_{\rho(x)} = t_{\rho(x)} \bmod p_2$, and $g_2^{r_x} = X_2^{\tilde r_x}$. These values are randomly distributed because $Y_2$ is a random element of $G_{p_2}$ and the values of $k, s_i, \tilde r_x, \tilde v \bmod p_2$ are independent of their values modulo $p_1$.
If $T = e(g_1, g_1)^{\alpha s}$, the generated ciphertext is a semifunctional encryption of $m_b$, and B simulates $\mathrm{Game}_Q$ with A. If $T$ is a random element of $G_T$, the ciphertext is a semifunctional encryption of a random message, and B simulates $\mathrm{Game}_{final}$. Therefore, B can use any nonnegligible difference in A's advantage between these games to obtain a nonnegligible advantage in breaking Assumption 3.
This completes proof of Theorem 5.

Performance Analysis
The proposed scheme is compared with the schemes of [9,11,14,22,23,24] in terms of functionality and computational cost. In the comparison, $G_{p_i}$ denotes the subgroup of order $p_i$, $N$ the size of the attribute universe, $|\ell|$ the number of rows of the matrix $M$, and $|y|$ the number of attributes in the set that satisfies the policy. We use $E_G$, $E_{G_T}$ and $P$ to denote the time of one modular exponentiation in $G$, one modular exponentiation in $G_T$, and one bilinear pairing, respectively. Because the main computational overhead of the scheme consists of bilinear pairings and modular exponentiations, modular multiplications and hash operations are ignored.

7.1. Theoretical Analysis. Table 1 mainly shows the comparison of the functionality of the schemes. It can be seen that Zhang et al. [9], Lewko and Waters [14], Wang et al. [24], and our scheme are constructed on composite order groups and are proved fully secure, while the schemes of Li et al. [11], Waters et al. [22], and Liu et al. [23] do not achieve full security. In terms of attribute privacy protection, besides our scheme, Zhang et al. [9] and Li et al. [11] also implement partial policy hiding. In terms of reducing computational overhead, Li et al. [11] and Waters et al. [22] adopt offline/online technology, while Liu et al. [23] and Wang et al. [24] not only adopt offline/online technology but also support outsourced decryption. However, the scheme of Liu et al. [23] supports verification of the outsourced decryption result, while the scheme of Wang et al. [24] does not implement a verification mechanism. Based on the above analysis, the scheme proposed in this paper not only hides the attribute values but also adopts offline/online technology and verifiable outsourced decryption to reduce the user's local computational cost; moreover, it is proven fully secure. Table 2 gives the analysis of computational cost. Since the schemes of [14,22,23] do not support policy hiding, they are not listed in Table 2.

Journal of Sensors
It can be seen that the amount of computation required in the data encryption and decryption stages grows linearly with the number of attributes. The schemes of [11,24] and the proposed scheme use offline/online key generation and offline/online encryption. Therefore, most of the computational overhead of data encryption is performed in the offline phase, while only a small amount of computation is needed to complete key generation and data encryption in the online phase. In the scheme of [9], the number of modular exponentiations in the encryption process is much higher than in the other schemes. The scheme of [11] and our scheme have roughly the same number of modular exponentiations, although the encryption cost of [24] is $|\ell|$ modular exponentiations less than that of [11] and our scheme. In the decryption process, our scheme requires $|y|$ fewer bilinear pairings and $|y|$ fewer modular exponentiations than the scheme of [24]. Compared with the scheme of [11], our scheme requires $|y|$ fewer pairings and $(|y| + 1)$ fewer modular exponentiations. Compared with the scheme of [9], our scheme requires $|y|$ fewer modular exponentiations. Therefore, the computational efficiency of our scheme is better than that of the other related schemes.
7.2. Experiment Analysis. The above theoretical analysis shows that the proposed scheme has advantages in terms of functionality and efficiency. In order to evaluate the actual performance more accurately, we perform an experimental analysis. Because the scheme of [11] is based on prime order groups while the other schemes are based on composite order groups, for a fair comparison we only measure the time spent by the schemes of [9] and [24] through simulation experiments, including the time required for offline encryption, online encryption, outsourced decryption, and local decryption.
Experimental environment: Windows 10, Intel® Core(TM) i5-8300H (2.30 GHz), 8 GB memory; the experimental code is based on the JPBC-2.0.0 (Java Pairing-Based Cryptography) library and the MyEclipse development environment. In the experiment, a type A pairing is used, constructed on the elliptic curve $y^2 = x^3 + x$ over a finite field. The order of the group is $r$ and the order of the base field is $q$; here we take $r$ = 160 bit and $q$ = 512 bit. The pairing operation and the modular exponentiation are tested by invoking pairing.pairing(·) and G_1.powZn(·), respectively, from the library.
Experimental setup: in CP-ABE, the number of attributes in the access policy affects the encryption and decryption time. In the experiment, we set the number of attributes to 20 and increase it by 5 each time, so four different access policies are tested. By comparing the computing time of the terminal user under the different access policies, we obtain the required time. Figure 1 has four subfigures, Figures 1(a)-1(d), which show the data owner's offline encryption time, the online encryption time, the cloud server's decryption time for the outsourced partial decryption, and the local user's decryption time.
We can see in Figure 1(a) that the offline encryption time of our scheme is higher than that of [24]. In Figure 1(b), the online encryption of [24] involves no modular exponentiation or pairing operation, so its computing time is 0; compared with [9], however, the online encryption time of our scheme is constant and much lower than that of [9]. In Figure 1(c), the decryption overhead performed by the cloud server is lower than that of [24]. In Figure 1(d), the local decryption time of our scheme and that of [24] are both constant and much lower than that of the scheme of [9]. The decryption time of our scheme is slightly higher than that of [24], but in [24] the partial decryption ciphertext returned by the cloud server cannot be verified, so its correctness is not guaranteed. Meanwhile, Wang et al.'s scheme [24] cannot realize policy hiding. Since the proposed scheme supports outsourced decryption and verification, the user only needs to perform a constant number of exponentiations, which not only reduces the user's computational burden but also ensures the correctness of the returned partial decryption result. From the above comprehensive analysis, the proposed scheme is superior to the other schemes in terms of functionality and performance, so it is more effective and feasible in the IoT environment.
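As an added illustration of the measurement method above (this is not the paper's experimental code), the following Java benchmark uses JPBC 2.0.0 with the type A pairing at r = 160 bit and q = 512 bit to measure the unit costs P, E_G and E_{G_T} in which the cost comparison is expressed; the iteration count and the |y|·(P + E_G) shape used to scale the cloud-side work over the four policy sizes are assumptions, not values from Table 2.

```java
import it.unisa.dia.gas.jpbc.Element;
import it.unisa.dia.gas.jpbc.Field;
import it.unisa.dia.gas.jpbc.Pairing;
import it.unisa.dia.gas.jpbc.PairingParameters;
import it.unisa.dia.gas.plaf.jpbc.pairing.PairingFactory;
import it.unisa.dia.gas.plaf.jpbc.pairing.a.TypeACurveGenerator;

/** Unit-cost benchmark for the operations P, E_G and E_GT used in the cost comparison. */
public class PairingCostBench {
    static final int R_BITS = 160, Q_BITS = 512;   // parameters from the experimental setup
    static final int ITER = 200;                   // iterations per measured operation (assumption)

    public static void main(String[] args) {
        // Type A pairing on y^2 = x^3 + x: group order r (160 bit), base field order q (512 bit)
        PairingParameters params = new TypeACurveGenerator(R_BITS, Q_BITS).generate();
        Pairing pairing = PairingFactory.getPairing(params);
        Field<Element> G1 = pairing.getG1();
        Field<Element> GT = pairing.getGT();
        Field<Element> Zr = pairing.getZr();

        Element g = G1.newRandomElement().getImmutable();
        Element h = G1.newRandomElement().getImmutable();
        Element t = GT.newRandomElement().getImmutable();
        Element x = Zr.newRandomElement().getImmutable();

        double eG = timeMs(() -> g.duplicate().powZn(x));   // E_G : exponentiation in G
        double eGT = timeMs(() -> t.duplicate().powZn(x));  // E_GT: exponentiation in G_T
        double p = timeMs(() -> pairing.pairing(g, h));     // P   : one bilinear pairing
        System.out.printf("E_G = %.3f ms, E_GT = %.3f ms, P = %.3f ms%n", eG, eGT, p);

        // Outsourced (cloud-side) decryption work that grows with |y|, the satisfying attribute set,
        // modelled here as |y| pairings plus |y| exponentiations in G (assumed shape, for illustration).
        for (int y = 20; y <= 35; y += 5) {
            System.out.printf("|y| = %d: cloud-side ~ %.1f ms%n", y, y * (p + eG));
        }
    }

    /** Average wall-clock time in milliseconds of one run of op over ITER runs (after one warm-up). */
    static double timeMs(Runnable op) {
        op.run();
        long start = System.nanoTime();
        for (int i = 0; i < ITER; i++) op.run();
        return (System.nanoTime() - start) / 1e6 / ITER;
    }
}
```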

Conclusion
In order to solve the problems of privacy leakage and heavy computational overhead in the IoT environment, an offline/online outsourced ABE scheme with partial policy hiding is proposed in this paper. The scheme divides each attribute into two parts, the attribute name and the attribute value; the attribute name is public and the attribute value is hidden, which protects the privacy of user attributes. Additionally, offline/online technology is adopted to reduce the burden of encryption and decryption: most of the heavy work can be preprocessed in the offline stage, and only the remaining computation needs to be done in the online stage. The bilinear pairing and modular exponentiation operations are outsourced to the cloud server, and the user only needs to verify the outsourced result to ensure its correctness. It is proven that the scheme, based on static assumptions, achieves full security under the standard model. Lastly, theoretical and experimental analysis shows that our scheme has more advantages in the IoT environment.

Data Availability
The data used to support the findings of this study are included within the article.