Efficient Hierarchical and Time-Sensitive Data Sharing with User Revocation in Mobile Crowdsensing

Recently, cloud-based mobile crowdsensing (MCS) has developed into a promising paradigm which can provide convenient data sensing, collection, storage, and sharing services for resource-constrained terminates. Nevertheless, it also inflicts many security concerns such as illegal access toward user secret and privacy. To protect shared data against unauthorized accesses, many studies on Ciphertext-Policy Attribute-Based Encryption (CP-ABE) have been proposed to achieve data sharing granularity. However, providing a scalable and time-sensitive data-sharing scheme across hierarchical users with compound attribute sets and revocability remains a big issue. In this paper, we investigate this challenge and propose a hierarchical and time-sensitive CP-ABE scheme, named HTR-DAC, which is characteristics of time-sensitive data access control with scalability, revocability, and high efficiency. Particularly, we propose a time-sensitive CP-ABE for hierarchical structured users with recursive attribute sets. Moreover, we design a robust revocable mechanism to achieve direct user revocation in our scheme. We also integrate verifiable outsourced decryption to improve efficiency and guarantee correctness in decryption procedure. Extensive security and performance analysis is presented to demonstrate the security requirement satisfaction and high efficiency for our data-sharing scheme in MCS.


Introduction
As a promising paradigm, the adoption of the Mobile Crowdsensing (MCS), which can take advantage of individual resource-limited mobile terminals to sense, collect, and analyze data rather than massive static sensors deployment, grows rapidly, and a large number of mobile users are willing to enjoy the convenient services of MCS, such as smart health, smart cities, and intelligent transportation [1]. ese days, the wide spread of Internet of ings [2] and the emerging 5G communication network which can support fast speed and massive access [3] also facilitate the application of MCS. us, the cloud-based mobile crowdsensing is proposed for optimizing data collection and minimizing the cost in both sensing and reporting [4]. As shown in Figure 1, the sensing data gathered by mobile terminals (e.g., laptops, vehicles, and IoT devices) are transmitted to cloud via 5G communications network or even satellites for data collection, storage, and sharing. However, the sensitive and private in such sensing data may be breached in untrusted cloud, which may prevent the further participation of mobile users, especially when their data are illegally accessed.
ere have been many data access control solutions, such as access control list (ACL), Bell-La Padula (BLP), BiBa, and role-based access control (RBAC). Nevertheless, all of these solutions suffer from different drawbacks, such as inflexibility, high computation complexity, and coarsegrained access control [5]. In recent years, prospective ciphertext-policy attribute-based encryption (CP-ABE) is proposed to control data access based on attributes to achieve flexibility and fine granularity [6][7][8][9]. In CP-ABE, data producers are required to designate a specific access policy to obtain the ciphertext of their data before outsourcing. When accessing these shared contents, users need to decrypt the data with their secret keys and recover the plaintext if and only if they are authorized. However, these solutions cannot be directly utilized in the applications of time-sensitive data sharing across hierarchical users with revocability and recursive attribute set as some challenges remain unsolved.
Let us take an example of the smart health record (SHR) sharing system [10]. In general, the mobile users in the SHR system are usually in hierarchical structure and large scale which need a scalable architecture. In the meantime, these users may have the following attribute set: (1) is recursive attribute set indicates the user that holds corresponding recursive key structure is both an intermediate dean and a senior surgeon of cardiac surgery in central hospital. Furthermore, the SHRs contain a lot of sensitive and private data, such as social security number, health condition, and disease, which need to be protected with finegrained access control. Besides, many SHRs are time sensitive, that is, the data in high confidentiality are generally accessed by part of users (e.g., the hospital director) at the first time and following another part of users in a timed sequence. In addition, the mobile users in the system are dynamically changing, which requires an effective revocation mechanism. erefore, it is the key to design a datasharing scheme that deals with time-sensitive data and supports hierarchical and revocable users with recursive key structure efficiently in MCS.
Although these days, the authors in [11] have solved the issues of hierarchical users with compound key structure in CP-ABE by combining the scheme of HIBE and ASBE, and the scheme in [12] proposed a time-based ABE by introducing time-releasing encryption (TRE) into CP-ABE. However, these schemes cannot support user dynamicity. e work in [13] proposed an effective direct user revocation, but it cannot achieve effective security as the revoked users can neglect the related mechanism in decryption to recover the plaintext. us, the security cannot be guaranteed. Moreover, all the above schemes incur high computation cost, which cannot adapt to the environment of MCS with resource-limited mobile terminals. Comprehensively, how to design an efficient access control scheme towards time-sensitive data with fine granularity, hierarchical users holding recursive attribute set, and user revocability simultaneously is still a big challenge.
In this paper, inspired by the above scenario and the challenges in existing related work, a hierarchical and timesensitive revocable data access control (HTR-DAC) scheme is put forward. Specifically, we present a scalable CP-ABE scheme for time-sensitive data-sharing service across hierarchical users that holds compound attribute set and can be revoked directly if they conduct malicious activities for illicit purpose. Besides, our scheme can improve efficiency and guarantee the correctness of decryption. Our main contributions are three folds: (i) We put forward a scalable sharing scheme for time-sensitive data across hierarchical users with structured keys. e users' keys are issued by the delegation of the domain authorities they belong to. Moreover, a cloud user can access ciphertexts if and only if he is authorized with correct attribute sets and exposed time trapdoors, which ensures the fine-grained and time-sensitive data access control. (ii) We design a new approach to realize user revocability and high efficiency of our scheme. We integrate the verifiable outsourced decryption and a direct user revocation mechanism into our scheme. e approach can not only greatly improve the efficiency in decryption but also guarantee the correctness of decryption result. (iii) We present the security analysis for our proposal to show the scheme achieves its security goals. We also implement our scheme and conduct extensive experimental simulations with performance evaluations to display our proposal with better efficiency and practicality.
Our paper is outlined as follows. Section 2 reviews some related work, and Section 3 gives several relevant notations together with definitions.
e system model, adversary model, and design goals are shown in Section 4 following the system definition and of our scheme with its security model presented in Section 5. Based on this, we show the concrete description for our scheme in Section 6. Section 7 presents a thorough analysis for security, and Section 8 displays the performance evaluation for our scheme. In the end, we make a summary for our work in Section 9.

Related Work
is section reviews some related works on attribute-based encryption (ABE) technique.
As a prospective technique, ABE was first introduced in [14] for access control in fine granularity. Later, Goyal et al. [15] divided ABE into two types: CP-ABE and KP-ABE (keypolicy ABE). In the former, data owner can flexibly designate the access policy for ciphertext. us, we focus on this technique for data access control in MCS. Subsequently, a great many studies were dedicated on CP-ABE, such as large universe CP-ABE [16], multiauthority CP-ABE [17], traceable CP-ABE, and revocable CP-ABE [18].

Hierarchical ABE and Time-Release Encryption.
Currently, many ABE schemes only support single authority for managing users' secret keys. While, in a large scale, it is not suitable to fulfill the large number of user key management tasks. To find out a solution, the researchers in [19] raised the first hierarchical ABE scheme with the idea of hierarchical identity-based encryption. e scheme in [11] solves the problem of hierarchical user structure with key structure by combining the concept of HABE and ASBE (ABE with the attribute set). Recently, Wang and Gao [20] propose a CP-HABE scheme to solve the user privacy in Bitcoin Financial Systems. However, the scheme incurs continuous auxiliary input leakage. To solve the problem, the scheme [21] proposed a leakage-resilience CP-HABE scheme by introducing continuous leakage-resilience mechanism into the CP-ABE scheme. Later on, the work in [8] proposes a lightweight CP-HABE scheme to support flexibility and scalability and user revocation.
As many applications in cloud is time-sensitive, timerelease encryption (TRE) was first introduced in [22] which introduces a trust time agent to release the access right at a specific time point uniformly. Later, many schemes [23,24] have integrated TRE to different cryptographic schemes to adapt to different application scenarios. ese days, some studies try to combine TRE with ABE. e scheme in [25] proposes a time-sensitive data-sharing scheme in cloud. However, it merely supports coarse-grained access control and incurs a heavy burden for cloud users. en, the work in [26] proposes a CP-ABE-based data access control scheme with time domain by combining the attribute set of users and access time inspired by [27]. Although the scheme eliminates much of work for data owner, it brings extra overhead for authority. Recently, the work in [12] proposes a time-sensitive CP-ABE scheme with high efficiency and fine-grained access control.

Revocable ABE and Verifiable Outsourced Computing.
Current revocable schemes can be classified as user-level and attribute-level ones in which the former involves direct revocation and indirect revocation. In direct user revocation schemes [13,[28][29][30], the data producer can integrate revocation list into ciphertext and requires no key updates in revocation. While, the indirect user revocation schemes [30][31][32] periodically update nonrevoked users' secret key without data producers knowing the revocation list. In particular, the work in [13] proposes a novel direct user revocation CP-ABE scheme. However, the scheme suffers from a low security as, in their revocation mechanism, any data user including revoked and nonrevoked user can recover the plaintext by skipping the revocation procedure in decryption. Later, the proposals in [28][29][30] extend the direct user revocation mechanisms, but they fail to solve the problem in [13] and the low efficiency caused by direct revocation.
As the decryption cost in ABE is very high, many researchers have studied on this topic. e scheme in [33] introduced outsourced computing into ABE scheme to improve the decryption efficiency. Later, many studies are in this direction. In these schemes, the ciphertexts can be translated to a constant-sized ElGamal-typed ones and cloud gains nothing about the content. However, this kind of schemes cannot ensure the ciphertexts are decrypted by the cloud correctly. To overcome this flaw, Lai et al. [34] raise an outsourced decryption scheme with verifiability that ensures the decryption is executed correctly. en, the scheme in [35] proposes another verifiable scheme by introducing token mechanism which eliminates the pairing computations. e work in [36] proposes a verifiable scheme with exculpability, while the scheme incurs heavy computational overhead. To improve efficiency, the scheme in [37] introduces a verification code for correctness of decryption with high efficiency.

Preliminaries
is section presents several relevant notions and definitions employed in our paper.

Notations.
We summarize several notations used in our scheme as well as their descriptions in Table 1.

Access Structure and Key Structure
Definition 1 (access structures, see [38]). Suppose L 1 , . . . , L n is a party set. One of the collection L⊆2 L 1 ,...,L n { } is considered to be monotone if ∀M, N: M ∈ L and M⊆M; then, N ∈ L. An access structure that is monotone is defined as one of the nonempty subsets L of L 1 , . . . , L n , i.e., (L⊆2 L 1 ,...,L n { } /∅). e elements in L are defined as authorized sets and the other sets are defined as unauthorized sets. Without loss of generality, we can describe users with their attribute set.
Definition 2 (key structure, see [11]). As for most of the practical situations, each user's attribute set A is organized in a tree-like recursive set structure in which each element of A is an attribute set or a single attribute. As a result, the corresponding key structure of each user is similar to the attribute structure. e depth of A (also, the key structure) is the number of levels for the recursive set. Suppose a 2 − depth key structure; the level 1 members can be either attribute sets or attributes, while the level 2 members may only be attributes. e key structure in Figure 2 is of depth � 2, denoting that the user is both an intermediate dean and a senior surgeon in cardiac surgery in central hospital. Moreover, in the key structure, each set is assigned a unique label which is a unique index of the recursive set, and each attribute in an element set is labeled by the set's index together with its name. Suppose a key structure of depth � 2 with m attribute sets is represented by

Access Policy Tree
Definition 3 (access tree, see [39]). Similar to [39], suppose R is a policy tree with each node x ∈ R, where we use a threshold gate to represent nonleaf nodes and a leaf node is an attribute att(x). As to a threshold gate x ∈ R, we use num(x) which is the number of children and the threshold value th x ∈ [1, num(x)] to depict it. Specifically, if th x � 1, it is an OR gate, and if th x � num(x), it is an AND gate. If x ∈ T is a leaf node, its threshold value is th x � 1.
Moreover, suppose r ∈ R is the root node. If x ∈ T is a nonleaf node, child(x) is a collection of its children and parent(x) denotes the parent node of x. us, we can infer that |child(x)| � num(x). We use the function index(x) to signify the unique index value of each node x ∈ T.
Access Tree Satisfaction. Suppose R is an access tree rooted from node r; then, we use R x to denote a subtree rooted from node x ∈ R. Here, we define R x (A) � 1 when and only when A (a attribute set) is satisfactory to the subtree R x , that is, when a leaf node x has att(x) � att i ∈ A, then R x (A) � 1, and when a nonleaf node has ∀z x ∈ child(x), the number of Moreover, consider the key structure A � A 0 , A 1 , . . . , A m } with depth � 2, where A i denotes the ith attribute set and i(0 ≤ i ≤ m) denotes the index of each set. If A satisfies R, then R(A) will return a nonempty label set S. Here, R(A) is also computed recursively as before and A satisfies access tree T if and only if it consists of at least one set A i (0 ≤ i ≤ m) having all elements required to be satisfactory to R. Generally, combining attributes in different attribute sets of A that are satisfactory to R is impossible without translating nodes in R. Given a is a translating node x ∈ R, the attributes needed to meet R x belonging to different sets in A can be combined to make the predicate with parent(x) hold.

Cryptographic Background
Definition 4 (bilinear maps, see [39]). We consider two p-ordered G 0 and G 1 groups that are multiplicative cyclic, where p is a prime. ε and ϵ are two generators of group G 0 . If e: G 0 × G 0 ⟶ G 1 satisfies the following properties, ε, ϵ ∈ G 0 then, we call it a bilinear map.
Definition 5 (decisional bilinear Diffie-Hellman (DBDH) assumption, see [40] It is considered that DBDH assumption holds when no probabilistic polynomial time (PPT) adversaries can deal with the DBDH problem whose advantages are nonnegligible.

System Model
We present the system and adversary model as well as corresponding design goals for our proposal in this section. Figure 3 shows the model of our system for HTR-DAC. It consists six entities: Cloud Service Provider (CSP), Trusted Authority (TA), several Domain Authorities (DAs), Data User (DU), and Data Owner (DO), which are described below:

System Model.
(i) CSP: the CSP has unlimited resources, such as computation and storage resources. It can provide cloud users with centralized service, e.g., storage service, data-sharing service, and outsourced computing.
(ii) TA: this entity takes charge of initializing the system with parameters and the master key for the whole system. It also supports user authentication in its domain and enrollment of domain authorities of top level.
(iii) DAs: DAs are in hierarchical structure involving several domain authorities of the top level and authorities of the low level. Each domain authority is responsible for managing the lower level domain authority, i.e., authenticating and generating master keys for the lower-level authorities in its domain. Moreover, each domain authority also takes charge of assigning secret attribute keys and transformation keys for cloud users. (v) DU: the DU downloads the data from CSP according to his requirements and decrypts the data if he has enough rights. He then recovers the correct plaintext after verification. If any DU has malicious activities, it will be revoked directly.
en, we depict an overview for our HTR-DAC scheme based on the above system model involving the following four phases:    Security and Communication Networks (iv) Decryption. In this phase, DU requests data files that he needs from CSP. After outsourced decryption, CSP returns the DU with the partially decrypted ciphertexts. en, the DU verifies if the outsourced decryption is correct and recovers the plaintext according to the result of verification.

Adversary
Model. In our proposal, the TA, DAs, and DO are regarded as the fully trusted entities, while the CSP is considered to be untrusted which may intentionally leak or modify the content of sensitive data. Moreover, some unauthorized DU may illegally access the sensitive data which will break the data security and privacy. Besides, some DU may conduct malicious activities for extrainterest revenues.
According to the ability of adversary, we consider classifying the attacks into two types: (1) Type-A attack: the adversary has insufficient privileges for data access, even he is not revoked or arrives at release time (2) Type-B attack: the adversary has enough rights but he conducts accesses before relevant releasing time arrives Focusing on these attacks, we take the following security requirements into consideration: (i) Data confidentiality: the data generated by DO and outsourced in CSP should be secured against illegal sniffering and eavesdropping by attackers. Moreover, the outsourced data should also not be accessed by any malicious access without enough access rights. (ii) Collusion-resistance: the scheme should prevent users anyone of whom is not authorized from colluding through combining their secret keys to access the shared data. (iii) Revocability: any malicious cloud users that conduct malicious activities should be revoked and the revoked users should get rid of all the access rights.
In addition, the following aspects are also in our consideration: (i) Efficiency: as the resource-limited mobile devices are utilized in cloud-based mobile crowdsensing, it is preferable for DU to outsource the high-computational burden in decryption to CSP to improve efficiency (ii) Verifiability: due to the untrusted CSP, DU should have the ability to check if the result of outsourced decryption procedure is correct

Security Model
is section presents the formal definition and the security model for our proposed scheme.

Definition of Our HTR-DAC Scheme.
We propose a CP-ABE scheme in which the authorities and users are in the hierarchical structure each of which manages the domain authorities at lower level and cloud users in its charge. Moreover, the attribute set of each user is formed in recursive attribute sets. Besides, the scheme can revoke users in a direct way. Specifically, the algorithms in our scheme are as follows: (i) Setup(λ, d) ⟶ PK, MSK 0 : this procedure is executed by TA to initialize whole system. Given system security parameter λ and d-depth of key structure, it outputs the system public parameters PK and the master key MSK 0 . (ii) Create Top DA(PK, MSK 0 , A) ⟶ MSK i : the procedure is executed by TA. Given PK, MSK 0 , and the compound attribute set A of authority DA i which is at the top level, it outputs the master key MSK i for (iv) TKey Gen(PK, SK u ) ⟶ TK u : the procedure is executed by the corresponding domain authority to create transformation key pair for the cloud user. Given PK and the secret attribute key of the cloud user, it outputs the transformation key pair TK u . (v) Encrypt(PK, M, T, RL) ⟶ CT: this algorithm is run by DO to generate ciphertexts for fine-grained access control. It takes the system public parameters PK, the message M to be encrypted, the designated access policy tree T, and user revocation list R as input and returns the ciphertext CT of M. (vii) Token Gen(PK, t) ⟶ Tok t : the procedure is executed by TA to create time token at different fixed time points orderly. On inputting the system public parameters PK and the time point t, the algorithm outputs the time token Tok t of the time point t.
(vii) Trap(PK, Tok t ) ⟶ TD x ′ : the procedure is run by CSP to expose the trapdoor in the access policy tree T of ciphertexts stored in it. Given the system public parameters and time token Tok t , the algorithm outputs the exposed trapdoor TD x ′ .
(viii) Decrypt OUT (PK, TPK u , CT) ⟶ CT ′ : the procedure is executed by CSP to partially decrypt the ciphertext. Given PK, the public transformation key TPK u of DU, and the ciphertext CT to be decrypted, it outputs the partially decrypted ciphertext CT ′ .
(ix) Decrypt U (PK, TSK u , CT ′ ) ⟶ M or null: this algorithm is executed by DU to recover the plaintext of the ciphertext. On inputting PK, the secret transformation key TSK u of DU, and CT ′ denoting the partially decrypted ciphertext, the algorithm returns the plaintext M. (x) Dec Verify(PK, R * , VC, CT s ) ⟶ True/False: the procedure is executed by DU to verify if the outsourced decryption is correct. Given the system public parameters PK, the recovered random R * , verification code VC, and the symmetric ciphertext CT s , the algorithm checks if the recovered random is correct, i.e., if CSP correctly executes outsourced decryption. Finally, it outputs the result True/False of verification.

Security Model.
Here, we describe the IND-CPA security model for our HTR-DAC scheme corresponding to the attacks described before and conduct a selective security game between an adversary A and a challenger C specified as follows: Init: A sends a challenge access policy tree T and user revocation list RL to C. Setup 1: C executes the Setup algorithm of our scheme and outputs the public parameters to A. Phase 1: A issues a polynomial number of queries q i i∈ [n] , where q i belongs to the following queries: (1) SK query: A requests C for secret key with an identity ID ∉ RL and a recursive attribute set A that is unsatisfactory to T before arriving at a time point t 1 . As a response, C outputs the secret key and publishes a series of time tokens before t 1 and returns them to A. (2) TK query: A issues queries for transformation key similar to that in SK Query. C executes TKeyGen to generate transformation key pairs and send it to A.
Challenge: A finishes the above phase and issues two equal-length data M 0 and M 1 to C. en, C randomly picks a bit ϵ ∈ [0, 1] and encrypts M ϵ according to T and ID and sends it to A. Phase 2: it is similar to Phase 1 and before a later time point t 2 > t 1 .
Guess: A publishes his guess ϵ ′ for ϵ. If ϵ ′ � ϵ, he wins the security game. e advantage of A is defined as Definition 6. A HTR-DAC scheme is indistinguishable against chosen-plaintext attack (CPA) if all probabilistic polynomial adversaries cannot break the security game.

Proposed HTR-DAC Scheme
is section describes the concrete construction of our proposal. In particular, our scheme involves the following algorithms: Setup, Create Top DA, Create Entity, TKey Gen, Encrypt, Token Gen, Trap, Decrypt OUT , Decrypt U , and Dec Verify, which are described in detail below.

Initialization Phase
(i) Setup(λ, d) ⟶ PK, MSK 0 : on inputting the security parameter λ and the depth of the key structure d, the algorithm generates two multiplicative bilinear groups G 0 and G 1 of prime order p with a generator g of bilinear group G 0 and a bilinear map e: G 0 × G 0 ⟶ G 1 and selects random numbers which is used to represent the depth of key structure. Here, we take d � 2 as an example. e algorithm chooses a probabilistic symmetric encryption scheme (Enc, Dec) from a binary string to Z * p and selects collision-resistant hash functions where l 1 and l 2 are the output length of hash function H 0 and H 3 , respectively. en, the algorithm sets the time format F T . Next, it computes and outputs the system public key and master key as follows: Finally, TA publishes PK and stores MSK 0 locally in secret.

Domain/User Enrollment Phase.
In this phase, TA invokes the algorithm Create Top DA to generate the master key for a new valid top domain authority DA i after receiving the request to take part in the system from DA i . Subsequently, DA i can manage the next-level domain authorities or users within its domain by calling the algorithm Create Entity. As to a cloud user, TA also takes charge of the generation of transformation keys for users after they get their secret attribute keys from their domain authority: (i) Create Top DA(PK, MSK 0 , A) ⟶ MSK i : on receiving the request from a domain authority at top level DA i to take part in the system after being checked by TA, the algorithm generates master key for DA i by selecting a random number r △ ∈ Z p . en, it picks r △,i ∈ R Z p according to A i ∈ A, where A i is each attribute set. Moreover, the algorithm picks r △,i,j ∈ R Z p according to att i,j ∈ A i , where att i,j is each attribute and 0 ≤ i ≤ m and 1 ≤ j ≤ n i . e algorithm computes the master key for DA i as follows:

Security and Communication Networks
In the master key of a top-level domain authority, E i is used to translate r △,i of A i to r △ of A 0 at the translating node. Meanwhile, E i and E i′ can translate r △,i′ to r △,i by computing (E i /E i′ ). (ii) Create Entity(MSK i , I D, A) ⟶ MSK i+1 /SK u : the algorithm is used to generate master key for a new domain authority or the attribute secret key of a user. Given the master key MSK i � (A, D 0 , of DA i , the algorithm picks r △ ∈ R Z p for the user or domain authority, r △,i ∈ R Z p for each attribute set A i ∈ A, and r △,i,j ∈ R Z p for each attribute att i,j ∈ A i . For different kinds of entity, the algorithm generates corresponding key for the entity. (1) If the entity is a domain authority (i.e., DA i+1 ), the algorithm generates the master key MSK i+1 for DA i+1 as follows: (2) If the entity is a user with identity ID, the algorithm generates the attribute secret key SK u for the user as follows: (iii) TKey Gen(PK, SK u ) ⟶ TK u : TA selects z∈ R Z * p as the secret transformation key TSK u of the user and computes the public transform key Finally, the algorithm outputs the transformation key pair TK u � (TPK u , TSK u ) for the cloud user who keeps the TSK u secret and publishes TPK u .

Encryption Phase
(1) Encrypt(PK, M, T, RL) ⟶ CT: on inputting PK, the data M to be encrypted, the designated access policy tree T, and the revocation list RL � ID 1 , . . . , ID K , the algorithm consists the following steps: (i) e algorithm chooses a random R ∈ G T and computes ck � H 2 (R) as the symmetric encryption key. en, it encrypts the data M with ck to get CT s � Enc(M, ck), where Enc is the symmetric encryption algorithm of our scheme. Moreover, the algorithm computes the verification code VC � H 3 (R ′ � � � �CT s ) for CT s , where R ′ � H 0 (R). (ii) With the designate access policy tree T whose root node is denoted by R, the algorithm chooses a random number s 0 R ∈ Z p as the base secret value of T and computes C 0 � R · e(g, g) αs 0 R . en, for each node x in T, the algorithm picks two random number s 1 x ∈ Z p and s 2 x ∈ Z * p , which satisfy the following equation: x is linked to a time trapdoor, (iii) Given the user revocation list RL � ID 1 , . . . , ID K }, the algorithm selects a random δ k for ID k ∈ RL, where K k�1 δ k � s 0 R . en, the algorithm computes the corresponding ciphertext (iv) en, for a trapdoor TD x related to the time release t ∈ F T and a secret parameter s 2 x , DO picks a random number r t ∈ Z p and generates TD x of node x as follows: (9) (v) Next, the algorithm computes the ciphertext in a top-to-bottom way by executing the following steps: (1) For each nonleaf node x with s 1 x , the DO chooses a polynomial q x whose degree d x � th x − 1 and q x (0) � s 1 x . For each of x's child node y ∈ child(x) with a unique index index(y), DO sets s 0 y � q x (index(y)).
(2) For a leaf node x with s 1 x and related attribute att(x), the algorithm generates corresponding ciphertext components C x and C x ′ as follows: where X is the leaf node set in T.
(3) For each translating node x ′ in T, the algorithm computes the corresponding ciphertext component C x′ as follows: where X is the translating node set in T.

Security and Communication Networks
Finally, the DO outputs the ciphertext CT � T, RL, { CT s , VC, C 0 , C x , C x ′ x∈X , TD x TD x ∈T , C x′ x′∈X , C k , C k ′ } ID k ∈RL } and uploads it to CSP.

Time-Release Phase
en, the CSP replaces these TD x with TD x ′ for the ciphertexts of related files. us, if the above equation is correctly executed, the related trapdoor will be exposed to be TD x ′ � s 2 x .

Decryption
Phase. e decryption phase involves the following algorithms: (i) Decrypt OUT (PK, TPK u , CT) ⟶ CT ′ : the algorithm is executed by CSP for outsourced decryption of CT. As to each node x ∈ T, we have the exposed trapdoor, i.e., TD x ′ � s 2 x , as follows: x is related to an exposed trapdoor, x is related to no trapdoor.

⎧ ⎨ ⎩
e algorithm first runs T(A) to check if the key structure A in TPK u satisfies the policy tree T in CT. en, the algorithm gets a label set S x for each node x ∈ T when it recursively runs T x (A). If A does not satisfy T, then the algorithm returns null; Otherwise, the algorithm chooses i from label set returned by T(A) and performs Decrypt Node(CT, TPK u , x, i) as follows. For each leaf node x ∈ T, if att(x) � att i,j ∈ A i , where A i ∈ A belongs to the attribute set A of DU and the trapdoor set upon the node has been correctly exposed, the CSP can execute Decrypt Node(CT, TK u , x, i) as follows: For each nonleaf node x ∈ T with label i, the algorithm directly executes Decrypt Node(CT, TK u , x, i) as follows: (i) Firstly, assume L x be arbitrary th x -sized set of child nodes y of the node x, and we have y ∈ L x only if i ∈ S y or i ′ ∈ S y (i ′ ≠ i) and x is a translating node. If no such set exists, it returns null. (ii) Moreover, for each node y ∈ L x , if i ∈ S y , the algorithm executes Decrypt Node(CT, TK u , y, i) and gets its output P y , and if i ′ ∈ S y (i ′ ≠ i), the algorithm executes Decrypt Node(CT, TK u , y, i ′ ) and gets P y ′ . en, the algorithm translates P y ′ to P y by computing the following: (iii) Furthermore, the algorithm computes P x according to polynomial interpolation by P x � y∈L x P △ j,L x ′ y , where j � index(y) and L x ′ � index(y): y ∈ L x . us, it gets the result as P x � e(g, g) s 0 (iv) In addition, the algorithm executes DecryptNode(CT, TK u , R, i) on root node and gets P R in a bottom-up way. en, it outputs the final result P as follows: (v) Later, the algorithm computes: Security and Communication Networks 9 Finally, the CSP sends partially decrypted ciphertext CT ′ � C ′ , CT s , VC, C 0 to the DU.
(i) Decrypt U (PK, TSK u , CT ′ ) ⟶ M or null: after receiving the system public parameters PK, the secret transformation key TSK u , and the partially decrypted ciphertext CT ′ , the algorithm gets the random element R * by computing R * � C 0 / (C ′ ) TSK u . If the algorithm Dec Verify returns True, it computes ck * � H 2 (R * ) and recovers the plaintext M � Dec(CT s , ck * ). Otherwise, it outputs null. (ii) Dec Verify(PK, R * , VC, CT s ) ⟶ True/False: on inputting a recovered random element R * , the DU computes R * � H 0 (R * ) and checks the following equations: If equation (19) holds, the algorithm outputs True. Otherwise, it outputs False.

Security Analysis
is section presents the formal security analysis for HTR-DAC.

Theorem 1. Our scheme achieves soundness if and only if the data user has enough rights and correct exposed trapdoors.
Proof. If and only if the data user has enough rights and correct exposed trapdoors, we have the following equations.
For each node x ∈ T, suppose Y � e(g, g), and we have en, for each y ∈ L x , if i ′ ≠ i, the translating procedure is performed as follows: Finally, we have erefore, the proposed HTR-DAC is sound if and only if the data user has enough rights and correct exposed trapdoors. □ Theorem 2. No PPT adversaries can selectively win the security game of our scheme with an advantage that is nonnegligible on condition the DBDH assumption holds.
Proof. When the advantage ς of adversary A is nonnegligible when he selectively breaks the security game against our scheme, we can create a simulator B who is able to distinguish a DBDH parameter from a random parameter with an identical advantage to that of A. □ Init: the simulator B of DBDH game creates the bilinear group G 0 , G 1 , e, p, g , where e: G 0 × G 0 ⟶ G 1 and g ∈ G 0 . It then selects randoms c, d, m, ] ∈ Z p and ε ∈ [0, 1]. If ε � 0, the challenger B generates a tuple (C, D, M, V) � (g c , g d , g m , e(g, g) cdm ); otherwise, it generates (g c , g d , g m , e(g, g) ] ). B then sends the tuple to C. In the meantime, the adversary A submits a selected challenging access policy tree T, a revocation list RL � ID 1 , . . . , ID n , and a time point t 1 ∈ F T to challenger C of our scheme. Setup 2: after the challenger C gets the DBDH tuple (C, D, M, V) and bilinear group from B, it randomly chooses α, β 1 , β 2 , c ∈ Z p and hash functions H 0 , H 1 , H 2 , and H 3 . en, for Type-A attack, C computes δ � g c , and for Type-B attack, it simulates δ � D. C also simulates H 1 (x) � g q x , where q x ∈ Z p . Finally, C generates system public parameters PK � G 0 , G 1 , p, g, e, e(g, , δ}, and the master key MSK � g α , β 1 , β 2 , c, H 1 . It keeps the MSK privately and sends the PK to the adversary A.
Phase 3: the adversary A submits a series of queries q i for secret key and transformation key as follows: (i) SK query: A requests for secret key with his identity ID that ID ∉ RL and a recursive attribute set A that is unsatisfactory to T at time t 1 . en, C computes D 0 � g (α+m/β 1 ) � (M · g α ) (1/β 1 ) and D 1 � D I D 0 . For all att i,j ∈ A, it generates D i,j � g r △,i · (H 1 (att i,j )) r △,i,j , D i,j ′ � g r △,i,j , and for all A i ∈ A, it computes E i � g (m+r △,i /β 2 ) , where r △,i and r △,i,j are randomly picked. For Type-B attack, C designate a time point t 1 ′ > t 1 at which the recursive attribute set A satisfies T and computes H 1 (t) � g q t and Tok t � B q t , where t < t 1 and q t ∈ R Z p . Finally, C returns SK u to A and publishes Tok t t < t 1 .
(ii) TK query: similar to the SK query, the challenger C runs TKeyGen algorithm to generate transformation key pair and sends them to A.
Challenge: the adversary A finishes the Phase 1 and submits two data M 0 and M 1 with equal length to C. First, C picks ϵ∈ R [0, 1] and computes C 0 � M ϵ · (e(M · g α , C)/V). For each ID k in the submitted user revocation list RL, C chooses a random number δ k ∈ Z p so that K k�1 δ k � c and computes C k � h . en, according to the challenging access policy tree T, ∀x ∈ T, if it is related to a trapdoor, C chooses a random s 2 x ∈ Z p ; otherwise, it sets where q x (0) � s x /s 2 x and q x is a th x -sized polynomial. It also designates the translating node set X in T and computes C x′ � h s 1 x′ 2 for each node x ′ ∈ X. Finally, the challenger C returns the ciphertext CT * � T, RL, C 0 , C x , C x ′ , TD x , C x′ , C k , C k ′ to C. For Type-B attack, C acts as [12].
With respect to the adversary A, when ε � 0, V � e(g, g) cdm , and according to the decryption procedure, the adversary can get M ϵ from CT. Nevertheless, when ε � 1, V ∈ G 1 is a random element. us, A cannot get any information about M ϵ from CT.
Phase 4: the adversary A repeats the procedures in Phase 1 with the same restriction that the ID ∉ RL and the attribute set S in queries do not satisfy T.
Guess: the adversary A outputs the guess of bit ϵ ′ . If ϵ � ϵ ′ , the challenger C guesses Z � e(g, g) cdm with his output 0; otherwise, it guesses Z as a random element. If the adversary A has the advantage of ς, then the challenger C can break the DBDH game with advantage (ς/2) given that the variables ϵ and ε are independent. e computation of the advantage for C is the same as in [12].
In conclusion, if an adversary A can win the security game of our scheme with a nonnegligible advantage ς, then the challenger C can break the DBDH game with identical advantage. erefore, our scheme is IND-CPA secure in our security model.

Performance Evaluation
Here, we analyze the performance for our scheme in functional, theoretical, and experimental respects.
First of all, we present the function comparison between our scheme and some existing related CP-ABE schemes, i.e., [8,12,37,[41][42][43], as shown in Table 2. We observe that our HTR-DAC scheme supports hierarchical authorities and users, time-sensitive data sharing, large universe, direct revocability, efficient decryption, and verifiability, simultaneously, which are more flexible and scalable than others. en, to demonstrate the theoretical performance evaluation, we compare the computation complexity and storage complexity of our scheme with that of the state-of-the-art scheme in [12]. e comparison results are shown in Table 3, which summarizes the complexity of Encrypt, Decrypt, KeyGen, PPSize, and UKeySize denoting the computation complexity of encryption, decryption, and key generation algorithms, as well as the storage complexity of the public parameter size and user key size, respectively.
To obtain precise evaluation of the performance, we implement our scheme and the scheme [12] using Java Programming Language and Java Pairing-Based Cryptography library (JPBC) [44] which supports operations of pairing, exponential, addition, multiplication, and inversion in finite field and groups. In our development, we adopt the Type A curve with prime order. It is defined over a 160 bit elliptic curve group and a 512 bit finite field. Moreover, our experimental simulations are conducted on Windows system equipped with CPU of Intel Core i5 CPU 2.13 GHz and RAM of 8.00 GB.
Before our analysis, we let |X|, k, |X|, |TD|, and |RL| denote the size of leaf node set, nonleaf node set, translating node set, trapdoor set in access policy tree T, and the size of revocation list. E G 0 , Mul G 0 , E G 0 , Mul G 1 , P, and H denote the exponential operation and the multiplication operation in G 0 and G 1 as well as the pairing and hash function operations. |G 0 |, |G 1 |, and |Z p | denote the length of elements in G 0 , G 1 , and Z p , respectively. e symbols |AS| and |S| denote the number of sets and attributes in an recursive attribute set. Figure 4 shows the actual performance of Encrypt in both schemes. We notice that the computational cost of encryption in the other scheme is affected by the factors of the number of leaf nodes and the number of trapdoors in access policy tree T, while our scheme is affected by the size of translating node set and revocation list in addition. ese two additional factors are brought about by the features of user key structure and direct revocation in our scheme and incur extracomputation in encryption. In our experiments, we set |RL| � 5 and adjust the value of |X|. Figure 4 shows the actual time cost in different numbers of translating nodes. With the same access policy and fixed size of revocation list, the time cost in our scheme is more, and as the number of translating nodes grows, the gap becomes larger. However, we notice that the difference between two schemes is tiny on the whole.
In Figure 5, we describe the comparison of time cost in Decrypt algorithm for the two schemes. We notice that, within the same size of user attribute set, the decryption time cost in our scheme is smaller and nearly constant as the number of ciphertexts grows, while in scheme [12], it is far more and linear with the growth of the number of ciphertexts. In theory, the computation complexity in our scheme and the other are E G 1 + Mul G 1 + 3H and (3|S| + k)E G 1 + (2|S| + 2)Mul G 1 + (2|S| + 1)P, respectively.
In our experiments, we set k � 2. It is obvious from the figure that the computation complexity in our scheme is constant and far smaller while that of the other scheme is affected by the size of the user attribute set. Moreover, within the same size of the user attribute set, the time cost of decryption for one data file is far more than that of our scheme, and as the number of ciphertexts grows, the gap becomes larger. Figure 6 shows the actual performance of key generation procedure in the two schemes. From the theoretical analysis, the computation complexity of our scheme and the other are (3|S| + |AS| + 1)E G 0 + (3|S| + |AS| + 1)Mul G 0 + |S|H and (3|S| + 1)E G 0 + |S|Mul G 0 + |S|H, respectively, which means the time cost in key generation in our scheme is affected by not only the number of attributes of a user but also the attribute sets of a user in his key structure A, which will incur extra time cost. Moreover, as the figure shows, the time cost in our scheme for key generation in the same number of user attributes is nearly the same as that of the scheme [12].  The size of public parameters (byte) Our scheme Scheme in [12]  The size of user secret key (byte) Our scheme Scheme in [12] (b)  As the number of attribute set in key structure grows, the gap is still very small. We can infer that the difference in time cost for key generation between the two schemes is tiny. Figure 7 depicts the storage overhead for our scheme and the scheme [12]. We notice that the actual storage overhead in system public parameters, as Figure 7(a) shows, is larger in our scheme as we takes the storage complexity of 6|G 0 | + |G 1 | in our scheme which is more than 3|G 0 | + |G 1 | of the other scheme. is is because, in our scheme, to adapt to hierarchical users, we need more parameters for each level of user hierarchy. Moreover, in Figure 7(b), the storage overhead of user key size in our scheme is both smaller and constant while that of the other scheme is far more and proportional to the size of user attribute set. As we introduce outsourced decryption, the user key size just costs |Z p | in storage while that of the other scheme costs (2|S| + 1)|G 0 |. us, we greatly lower the storage cost for key size.
In conclusion, our scheme outperforms existing related schemes no matter from the respects of efficiency or storage overhead. us, it is more suitable for the environment of mobile crowdsensing.

Conclusion
Ensuring fine granularity for time-sensitive data-sharing service in MCS across hierarchical users with recursive attribute sets and revocability is a big challenge. In our work, we propose a hierarchical and time-sensitive data access control scheme with revocability in cloud-based mobile crowdsensing. Our proposal realizes the properties of finegrained access control, large attribute universe, hierarchical user, and revocability, which suits for data-sharing applications in MCS. Besides, we discuss the security and display the precise performance evaluation by implementing our scheme and conducting extensive experimental simulations which demonstrates the efficiency and practicality.

Data Availability
e data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
e authors declare that they have no conflicts of interest.