Multiauthority Attribute-Based Encryption with Traceable and Dynamic Policy Updating

Ciphertext policy attribute-based encryption (CP-ABE) is an encryption mechanism that can provide fine-grained access control and adequate cloud storage security for Internet of Things (IoTs). In this field, the original CP-ABE scheme usually has only a single trusted authority, which will become a bottleneck in IoTs. In addition, different users may illegally share their private keys to obtain improper benefits. Besides, the data owners also require the flexibility to change their access policy. In this paper, we construct a multiauthority CP-ABE scheme on prime order groups over a large attribute universe. Our scheme can support whitebox traceability along with policy updates to solve the abovementioned three problems and, thus, can fix the potential requirements of IoTs. More precisely, the proposed scheme supports multiple authority, white box traceability, large attribute domains, access policy updates, and high expressiveness. We prove that our designed scheme is static secure and traceable secure based on the state-of-the-art security models. Moreover, by theoretical comparison, our scheme has better performance than other schemes. Finally, extensive experimental comparisons show that our proposed algorithm can be better than the baseline algorithms.


Introduction
With the help of cloud computing technology, Internet of Things (IoTs) [1] can bridge physical devices and virtual objects, which has become a promising networking scenario in the cyber world. In IoTs, more and more companies and individuals store data in the cloud, requiring the cloud servers to provide data access services. However, cloud servers are generally considered to be untrustworthy for the reason that the data of IoTs often contain sensitive information. In order to protect the privacy of these data, one of the traditional technologies is to encrypt the data, and data owners need to be online at all times to distribute their secret keys. Although these technologies achieve access control, the management of these keys will become a bottleneck when more and more users join the system. In addition, for each type of data, it is necessary to maintain one or more copies of the ciphertext for different users with different keys, which will cause a waste of storage overhead in an IoTs system [2].
To this end, Sahai et al. [3] first proposed attribute-based encryption. The concept of attribute-based encryption (ABE) is a one-to-many encryption mechanism that can provide fine-grained access control and data security. Goyal et al. [4] further proposed the key policy ABE (KP-ABE) and ciphertext policy ABE (CP-ABE). Then, Bethencourt et al. [5] studied the CP-ABE scheme with a complete description, showing that CP-ABE allows data owners to define access strategies under the user's attributes. Once the user encrypts specific data, other users can decrypt them if and only if their attributes meet the access policy. Thanks to these characteristics, the CP-ABE scheme is considered a more suitable encryption mechanism for cloud storage access control than KP-ABE.
However, the original CP-ABE scheme only has a single, trusted authority dealing with the user's key distribution and attribute management, which will become a bottleneck in the cloud, especially in an IoTs system. Liu et al. [6] proposed a scheme under a different hierarchy of attributes with the name of ciphertext-policy hierarchical attribute-based encryption. Deng et al. [7] elaborate on ABE and propose a new versatile cryptosystem referred to as ciphertext-policy hierarchical ABE. Wang et al. [8], based on the access structure layered model, proposed a novel access control scheme about file hierarchy by using ABE to solve the problem. Liu et al. [9] propose a novel T-CP-ABE system that gives high policies expressiveness in any monotone access structures and add traceability. Liang et al. [10] propose a CP-ABPRE to deal with the security problem by using the dual system encryption technology with the selective proof technique. But, the schemes mentioned above are all single attribute authorization (AA) ABE schemes. It is completely borne in the cloud environment, which not only brings a serious burden to the authorization center but also requires the authorization center to be completely trusted. Single-attribute authority cannot meet the development needs of practical applications because different attributes in different fields in many application scenarios are caused by different environments. For example, there is a situation that the data owner wants to share data with the researchers in the research institutes and the managers in the government departments. In this case, the attributes of researchers are determined by the research institutes. At the same time, the "government attributes" are managed by the government department.
The abovementioned ABE schemes are not suitable for this situation where the attributes need to be managed by multiple agencies.
On the other side, in some CP-ABE schemes, it is easy to discover their attributes in the private key. There may be another situation that some malicious users illegally share their private keys to obtain economic benefits. Thus, the features of the CP-ABE scheme that can track leaked secret keys are particularly important. Therefore, we also need a traceability mechanism to track these malicious users. For example, attackers can access critical vulnerabilities in a wide variety of IoTs applications and devices to perform their malicious activities. This requires the design of effective security mechanisms in an IoTs-related application.
Except for the traceability, the policy update of the CP-ABE system also needs to be considered for supplying more functions. For instance, when addressing security, trust, and privacy in IoTs, the data owner may need to alter the access policy stored on the cloud. In that case, the traditional solution is to let the data owner find the cloud storage server's relevant ciphertext and decrypt it, then encrypt the ciphertext using a new access strategy, and upload the newly encrypted ciphertext back to the cloud server. It, thus, brings much computational burden to the system. Therefore, the policy update is another important characteristic of the actual system.
To sum up, there are three major challenges in CP-ABE that we need to solve as follows:
(1) How to solve the bottleneck of single authority authorization in cloud storage applications, especially in an IoTs system?
(2) How to prevent some malicious users from illegally sharing their private keys?
(3) How to propose an algorithm that makes the data owner's access control more flexible in IoTs-enabled applications?

Our Contribution.
This paper addresses the abovementioned challenges by proposing a scheme named T-DPU-MCP-ABE (Traceable and Dynamic Policy Updating Multiauthority Attribute-based Encryption). More precisely, we propose a T-DPU-MCP-ABE based on the prime order bilinear group, and we prove its static security and resistance to traceable attacks under two related security models. Our security assumption utilizes the q-type hypothesis [11] and is based on the LRSW hypothesis [12]. As far as we know, we are the first one to support the properties of large attribute domain, policy update, white box traceability, multiauthorization, and high expressiveness and still have good performance. Especially, the features are described in detail as follows:
(1) Large attribute domain: the size of public parameters is affected by the number of authorized institutions and will not increase linearly with the number of attributes. There is no need to determine the system attribute domain when the system is established.
(2) Policy update: data owners may often need to modify the ciphertext access policy according to various requirements. Policy updates provide flexibility and allow data owners to adjust their encrypted data access policies to achieve fine-grained control.
(3) White box traceability: it can track malicious users who illegally share private keys. Through white box tracking that does not need to maintain a user list, the efficiency of the solution is improved, and no additional storage overhead is consumed.
(4) Multiple authorized authorities: multiple authorized authorities undertake the key distribution work and, thus, reduce the workload and solve the problem of incomplete trustworthiness of the single authority.
(5) High expressiveness: supports flexible access control and supports any monotonous access structure access strategy.

1.2. Organization. The rest of this paper is arranged as follows. In Section 3, we introduce the necessary background knowledge. In Section 4, we give the formal definition and security model of auditable ABE. In Section 5, we give the main constructions and security analysis. In Section 6, we provide a performance and experiment evaluation. Finally, Section 7 presents a brief conclusion and future work.

Related Work
Melissa [13] proposed a ciphertext strategy-based multiagency authorization attribute-based encryption (MCP-ABE) scheme. The scheme has a central authority with the ability to decrypt each ciphertext, which reduces the security of decryption key storage. Lewko et al. [14] proposed a multiagency authorization scheme that supports arbitrary access structures based on the groups in composite order, resulting in a low efficiency. In order to improve the efficiency of the scheme, Yannis et al. [15] proposed a CP-ABE scheme based on prime order groups and made it support large attribute domains. Then, Yannis et al. [11] proposed a multiagency authorization CP-ABE scheme based on prime order groups that also supports large attribute domains. In this scheme, the authors used the linear secret-sharing scheme (LSSS) to improve expression ability. However, none of the abovementioned studies support traceability. The traceability in ABE is divided into white-box traceable and black-box traceable [16]. In this field, Ning et al. [17] proposed a white-box traceable method that enables large attribute domains and high expressive capability. Their white-box traceable scheme is based on a single authorization center. To improve this, Li et al. [18] proposed a CP-ABE scheme with multiauthorization centers. However, this scheme only supports the access strategy of the AND gate, which results in low expressive capability. Then, Zhou et al. [19] proposed a multiagency authorization CP-ABE scheme with white-box traceability that supports high expressive capability on medical cloud systems. However, their scheme does not support large attribute domains, and each authorization center has to maintain an identification table, which increases the storage overhead for tracking.
In the study of policy update, Ying et al. [20] proposed the first CP-ABE scheme that supports the modification of any form of fine-grained access control policy, and it is proved to be adaptive and secure under the standard model, but the system's communication overhead and storage overhead are high. After that, Liu et al. [21] proposed an ABE scheme that supports outsourcing decryption, attribute revocation, and policy update. This scheme is more flexible and practical in practice, but its privacy-protection capabilities are slightly lacking. Recently, Jing et al. [22] proposed a CP-ABE scheme that supports access policy update and rapid expansion of attributes but did not consider the application scenarios of multiauthorization agencies.

Background
3.1. Access Structure. We define U as a set of attributes; an access structure A is a collection of nonempty subsets of U, that is, $A \in 2^{U} \setminus \{\emptyset\}$, and each set contained in A is called an authorization set. If the user has an authorized attribute set, the user can perform decryption, but not vice versa.
If, for all B and C with $B \in A$ and $B \subseteq C$, we have $C \in A$, we say that the access structure A is monotonous. We restrict to a monotone access structure in this paper.

Prime-Order Bilinear Groups.
Let p be a big prime and G and $G_T$ be cyclic groups with prime order p; we say that $e: G \times G \to G_T$ is a computable bilinear map if it has the following properties:
(1) Bilinear, i.e., $e(P^a, Q^b) = e(P, Q)^{ab}$ for all $P, Q \in G$, $a, b \in Z_q$
(2) Nondegeneracy, i.e., there exists $P, Q \in G$ such that $e(P, Q) \neq 1$, namely, the map does not send all pairs in $G \times G$ to the identity in $G_T$
(3) Computability, i.e., there is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G$

3.3. Linear Secret-Sharing Schemes. Let U be the set of attributes, as shown in [23]; is a linear secret-sharing scheme (LSSS) on U if it has the following properties:
(1) For each attribute form of a vector over $Z_p$, there is a secret share $s \in Z_p$.
(2) The matrix for is called a share-generating matrix meaning a matrix M with l rows and n columns for each access structure A on S. For $i = 1, \ldots, l$, we define a function ρ that labels row i of M with attribute $\rho(i)$. We consider the column vector $\vec{\upsilon} = (s, r_2, \ldots, r_n)$, where $s \in Z_p$ is the secret to be shared and $r_2, \ldots, r_n \in Z_p$ are randomly chosen. Then, $M\vec{\upsilon} \in Z_p^{l \times 1}$ is the vector of l shares of the secret s according to .
For the LSSS scheme, it enjoys the linear reconstruction property. More precisely, let be an LSSS for the access structure A, $S^* \in A$ be an authorized set, and let $I \subset \{1, 2, \ldots, l\}$ be defined as $I = \{i \in [l] \wedge \rho(i) \in S^*\}$. Then, for constants $\{\omega_i \in Z_p\}_{i \in I}$ such that, for any valid shares $\{\lambda_i = (M\vec{\upsilon})_i\}_{i \in I}$ of a secret s according to , we have

Problem Assumption.
Decisional q-parallel bilinear Diffie-Hellman exponent (q-PBDHE) assumption: the decisional q-parallel bilinear Diffie-Hellman exponent (decisional q-PBDHE) problem [11] is saying that, given the tuple $(G, p, e, g, g^s)$, it satisfies if we can distinguish $Z = e(g, g)^{a^{q+1}s}$ from a random value in we say that an algorithm A has advantage ε in solving the abovementioned decisional q-PBDHE problem. Then, if all probabilistic polynomial time (PPT) algorithms have, at most, a negligible advantage in solving the decisional q-PBDHE problem, we say that the decisional q-PBDHE assumption holds.
LRSW assumption [12]: let G be the cyclic group of order p, g be a generator of G, and two random values $x, y \in Z_p$ satisfy $X = g^x$ and $Y = g^y$. Let $O_{X,Y}(\cdot)$ be the random oracle, which inputs $m \in Z_p$ and outputs a triplet $A = (a, a^y, a^{x+mxy})$, where $a \in G$. If there is no probability polynomial time algorithm that can generate m, a, b, c sat- $c = a^{x+mxy}$ with probability at the least ε, then the LRSW assumption in group G is said to be true.

Security and Communication Networks

System Model.
We show the framework of our system in Figure 1.
There are six main entities, namely, cloud storage provider, attribute authorities (AAs), data owners, data users, system party, and trusted party.
The system party will invoke the system setup algorithm and generate the public parameters (PP). The PP is then firstly distributed to the attribute authorities, data owners, data users, and the trusted party. Then, the AAs invoke the authority setup process to generate public keys (PKs) and send their public keys to the data owners, data users, and the trusted party. Also, if the data users possess valid credentials, AAs will assign the attributes to them according to their request. The data owner generates ciphertext (CT) for the message he wants to encrypt and uploads to the cloud storage provider. Once the data owner wishes to alter the access policy over the existing CT, he/she sends a policy update key to the cloud storage provider. Then, in the cloud storage, the ciphertext will be updated accordingly. Subsequently, if the users' attributes satisfy the access policy of the CT, they can use the components of secret key to generate their secret key SK and perform decryption operation. Finally, the trusted party invokes the tracing algorithm if there is dispute or suspicion and reports the suspected user's ID (gid) to the AAs.

Definition.
Our proposed cryptosystem according to the above description consists of the following eight algorithms:
Setup(λ) ⟶ (PP): on input of a security parameter λ, the algorithm (run by the system) outputs the global PPs.
AuthoritySetup(aid, PP) ⟶ ($SK_{aid}$, $PK_{aid}$): we assume each authority is recognized by an identifier aid. On input of the global PPs and aid, the algorithm outputs the public key $PK_{aid}$ and the cloud secret key $SK_{aid}$.
KeyGen(gid, S, $SK_{aid}$, PP) ⟶ $SK_{S,gid}$: on input of the user identity (gid), a set of user's attributes S, and the corresponding authority's secret keys $SK_{aid}$ and PP, the algorithm outputs the private key $SK_{S,gid}$ for user matching his/her attribute set S.
Encrypt(msg, (M, ρ), $PK_{aid}$, PP) ⟶ (CT): this algorithm is run by a data owner who wants to share the data in the cloud. The algorithm inputs the message (msg) concerning an access policy (M, ρ), a set of respective public keys $PK_{aid}$ and PP, and outputs the ciphertext CT.
Decrypt(CT, $SK_{S,gid}$, PP) ⟶ msg: this algorithm is run by a data user. On input of the global PPs, a ciphertext CT, and a private key $SK_{S,gid}$ matching an attribute set S, the algorithm outputs the message msg if decryption is possible.
PolicyUpdateKeyGen(PP, $PK_{aid}$, SharesInfo(msg), (M, ρ), (M′, ρ′)) ⟶ $UK_{msg}$: this algorithm is run by a data owner. On input of the global PPs, a set of public keys $PK_{aid}$, the encryption information SharesInfo(msg), the old access policy (M, ρ), and new access policy (M′, ρ′), the algorithm outputs the policy update key $UK_{msg}$.
CTUpdate(CT, $UK_{msg}$) ⟶ CT′: this algorithm is run by the cloud storage provider. On input of the ciphertext CT and updated key $UK_{msg}$, the algorithm outputs an updated ciphertext CT′.
Trace($SK_{S,gid}$, $PK_{aid}$, PP) ⟶ gid or ⊥: this algorithm is run by the trusted party. On input of the decryption key $SK_{S,gid}$ and the public keys $PK_{aid}$ for corresponding authorities and PPs, the algorithm outputs an authority gid.

Security Model.
We focus on two types of adversaries as follows:
(1) We consider the malicious data users as the static adversary. For static adversaries [11], we request that no unauthorized user can decrypt encrypted data stored in the cloud. In addition, we request that the collusion of a group of unauthorized malicious users is still unable to obtain unauthorized decryption privileges, which means our scheme needs to have collusion resistance.
(2) We consider the "honest but curious" cloud provider as the traceable adversary. We assume that the traceable adversary [24] will follow the protocol's specification but will collect as much information as possible, i.e., secret/private keys. The traceable adversary is not allowed to obtain more secret information than it already has. In addition, it cannot identify "who has accessed the encrypted data" and "who has requested the decryption service." Also, it cannot link a valid decryption request to a previous decryption request.
Then, we have the following two security models.

Model 1: Security for Static Adversary.
The security model for static adversary is based on the static security model [11]. To define the security of our scheme (satisfying the abovementioned requirements), we design the following security games:
Init. The adversary A selects a set of corrupted authorization agencies, records it as $C_{aid} \subseteq U_{aid}$, and keeps it unchanged throughout the game. The normal authorized agencies are recorded as $N_{aid} \subseteq U_{aid}$ with N aid ⊆ U aid = ∅; A knows the secret key of each corrupted organization $\{SK_{aid}\}_{aid \in C_{aid}}$.
Setup. The challenger C runs the system Setup of the solution in this article and sends the global PP to the opponent.
Query. A requests $\{(gid_j, S_j)\}_{j \in [m]}$ as the relevant private key, where $S_j \subseteq U$ is the attribute set of the user with identity $gid_j$. All users' identities are unique, and for arbitrary $i \in S$, there holds $T(i) \notin C_{aid}$. Then, the adversary sends two messages $msg_0$ and $msg_1$ with the same length and a set of challenges . For each challenge, the access policy must satisfy the nonauthorization set. Finally, the ciphertext policy is requested to update any two access policies of the query challenge message and among them.
Challenge. The challenger C randomly selects and responds to the adversary according to the RW scheme [11], including a set of public keys of the normal authority, a satisfied user private key, and a set of verification ciphertexts used to challenge the adversary. We use the simulator to convert the adversary's query into a form that the challenger can recognize as a RW scheme and also convert the challenger's response to the adversary.
As can be seen in this game, the advantage of A is defined as Adv
According to [11], we have the following definition.

Definition 1.
The T-DPU-MCP-ABE scheme is static secure if all PPT adversaries have at most a negligible advantage in the abovementioned game.

Model 2: Security for Traceable Adversary.
The security game for traceable adversary is similar to the game of the static one except the Setup, Query, and Forgery (identical to Guess) as follows:
Setup. C runs Setup(λ) and AuthoritySetup(aid, PP) and sends the PP and the authority public key $PK_{aid}$ to A.
Query. A requests $\{(gid_j, S_j)\}_{j \in [m]}$ as the relevant private key, where $S_j \subseteq U$ is the attribute set of the user with identity $gid_j$. Then, C runs KeyGen($gid_j$, $S_j$, $SK_{aid}$, PP) and sends $\{SK_{S_j,gid_j}\}_{j \in [m]}$ to A.
According to [24], we have the following definition.

Traceable and Dynamic Policy Updating Multiauthority Attribute-Based Encryption
Here, we present our attribute-based key encryption scheme. Our scheme is constructed on the bilinear group G with a large prime order p and utilizes the LSSS access strategy together with two random oracle hash functions $H_1$ and $H_2$. We realize the traceability by adopting the CL (Camenisch-Lysyanskaya) signature scheme [25]. Our scheme has two domains, namely, the attribute domain U and the authority domain $U_{aid}$. There is a corresponding authorized authority aid releasing an effective attribute set to the users for each attribute. Then, our scheme is specifically constructed as follows.

Our Construction
Setup(λ) ⟶ (PP): this algorithm takes as input the security parameter λ and gets $D = (G, G_T, p, e)$, where p is the prime order of G and $G_T$, and e is the bilinear mapping $e: G \times G \to G_T$. It sets the attribute universe to be $U = Z_p$. It then chooses random $g \in G$ and three cryptographic hash functions $H_1$, $H_2$, and T, where $H_1, H_2: \{0, 1\}^* \to G$ are used to hash the identity and the attribute of a user into an element of G, respectively. Also, $T: \{0, 1\}^* \to Z_q^*$ is used to hash the attribute i into the corresponding aid. Finally, this algorithm sets the global public parameters $PP = (G, G_T, p, e, g, H_1, H_2, T)$ as output.
AuthoritySetup(aid, PP) ⟶ ($SK_{aid}$, $PK_{aid}$): the algorithm chooses three random $\alpha_{aid}, \beta_{aid}, c_{aid} \in Z_p$. Together with the inputs aid and PP, it then publishes the public key $PK_{aid} = (e(g, g)^{\alpha_{aid}}, g^{\beta_{aid}}, g^{c_{aid}})$ of the AU and sets the secret key as $SK_{aid} = (\alpha_{aid}, \beta_{aid}, c_{aid})$.
KeyGen(gid, S, $SK_{aid}$, PP) ⟶ $SK_{S,gid}$: the algorithm chooses random $t \in Z_p$, $u \in G$, $u \notin H_1(gid)$ and computes
It outputs the secret key $SK_{S,gid} = \{\{K_{1,i,gid}, K_{2,i,gid}, K_{3,i,gid}, K_{4,i,gid}\}_{i \in S}, K_{5,gid}\}$.
Encrypt(msg, (M, ρ), $PK_{aid}$, PP) ⟶ (CT): on input of the message (msg), the PPs and an access policy (M, ρ) (where M is an l × n matrix), the public key of the agency $PK_{aid}$, and the public parameters PP, the algorithm firstly chooses a random $s \in Z_p$. Then, it chooses random $x_2, \ldots, x_n \in Z_p$, sets two vectors $v = (s, x_1, x_2, \ldots, x_n)$ and $\upsilon = (0, \upsilon_2, \ldots, \upsilon_n)$, and computes the vectors of shares of s and 0 as $\lambda_x = M_x v^T$ and $\omega_x = M_x \upsilon^T$, respectively (where T denotes the transpose of the matrix). Finally, it chooses random $r_x \in Z_p$ and computes
$C_0 = msg \cdot e(g, g)^s$,
S, $SK_{S,gid}$, and PP, the algorithm sets the identification set as $I \subseteq \{1, \ldots, l\}$. For all $x \in I$ and $x: \rho(x) \in S$, the algorithm computes
where $\{c_x\}_{x \in I}$ and $\sum_{x \in I} c_x M_x = (1, 0, \ldots, 0)$.
Finally, the message is recovered by computing
PolicyUpdateKeyGen(PP, $PK_{aid}$, Shares, (M, ρ), (M′, ρ′)) ⟶ $UK_{msg}$: M is a generator matrix of 1, . . . , n, and Shares represents the information of the two random vectors v and υ contained in the encryption algorithm. We define the function $\delta(i) = T(\rho(i))_{i \in [I]}$ and $\delta'(j) = T'(\rho(j))_{j \in [I]}$. First, the new access strategy and the old access strategy are used as input through the strategy comparison method in the literature [26] to generate three subset record row indexes $I_{1,M}$, $I_{2,M}$, $I_{3,M}$. Then, it picks two random vectors $v' = (s, v_2', \ldots, v_n')$ and $\upsilon' = (0, \upsilon_2', \ldots, \upsilon_n')$ and then calculates $\lambda_j' = M_j' v'^T$ and
When the row index satisfies $(j, i) \in I_{1,M'}$ (marked as module 1), the algorithm generates the update key as
When the row index satisfies $(j, i) \in I_{2,M'}$ (marked as module 2), the algorithm randomly picks $a_j \in Z_p$ and calculates the update key as
When the row index satisfies $(j, i) \in I_{3,M'}$ (marked as module 3), the algorithm randomly picks $r_j' \in Z_p$ and generates the update key as
Finally, the data owner sends the updated key $UK_{msg}$ to the cloud storage service provider with UK msg = UK j,i,msg 1 , UK j,i,msg 2 , UK j,i,msg 3 .
CTUpdate(CT, $UK_{msg}$) ⟶ CT′: after the cloud storage service provider receives the update key, it updates the ciphertext CT to CT′. By doing so, the cloud storage service provider cannot obtain relevant information during the re-encryption process of the ciphertext. The specific updates are as follows:
When the row index belongs to module 1, the update parameter is C 1,j ′ = C 1,i · e g, UK 1,j,i,msg = e(g, g)
When the row index belongs to module 2, the update parameter is C 1,j ′ = C 1,i a j · e g, UK 1,j,i,msg = e(g, g)
When the row index belongs to module 3, the update parameter is
Finally, } .
Trace($SK_{S,gid}$, $PK_{aid}$, PP) ⟶ gid or ⊥: the algorithm inputs the decryption key $SK_{S,gid}$ and the public key $PK_{aid}$ associated with the global public parameter PP. If the decryption key $SK_{S,gid}$ is not in the form $SK_{S,gid} = \{\{K_{1,i,gid}, K_{2,i,gid}, K_{3,i,gid}, K_{4,i,gid}\}_{i \in S}, K_{5,gid}\}$ or cannot pass the key integrity check, the algorithm will output a special symbol to indicate that there is no need to trace $SK_{S,gid}$.

(14)
If there is an attribute i ∈ S that satisfies equations (14), it is considered that the key SK S,gid passes the integrity check, and the identity gid is output as the trace identity.

Correctness.
The correctness of our scheme can be obtained from the following equations. It is known that
· e K 2,ρ(x),gid · K K 5,gid 3,ρ(x),gid , C 3,x · e C 4,x , K 4,ρ(x),gid · e K 1,ρ(x),gid , C 5,x . (15)
According to the corresponding values of CT and $SK_{S,gid}$, we can obtain
Then, for $\{c_x\}_{x \in I}$ and $\sum_{x \in I} c_x M_x = (1, 0, \ldots, 0)$, we have
Hence, we have
This proves that the message can be correctly restored to

Security Analysis
Theorem 1. Assume the CP-ABE system in [11] is statically secure; then, the T-DPU-MCP-ABE system is static secure with respect to Definition 1.
Proof. For simplicity, we use Σ RW , Σ tdpum to denote the CP-ABE system in [11] and our T-DPU-MCP-ABE system, respectively. We suppose there exists a static polynomial time attacker A that breaks Σ RW with a nonnegligible advantage in selectively with a challenge LSSS access policy (M * , ρ * ), where M * is an l × n matrix. We will build a PPT algorithm B that breaks Σ tdpum with a nonnegligible advantage.
Init: B gets a challenge LSSS access policy (M * , ρ * ) from A and transmits the received (M * , ρ * ) to the Σ e challenger C. Setup: C generates the common parameter PP � (G, G T , p, e, g, H 1 , H 2 , T) and sends it to A. Query: B initializes an integer counter j � 0 and an empty table T. en, A makes the following queries: Receiving A's decryption key query with an attribute does not satisfy (M * , ρ * ), B sets the attribute as S j and j � j + 1, then sends them to the Σ tdpum challenger, and obtains a secret key SK S,gid ′ � ( K 1,τ,gid ′ , K 2,τ,gid ′ , K 3,τ,gid ′ , K 4,τ,gid ′ } τ∈ [|S|] , K 5,gid ′ ). A chooses a corrupted AA C aid ∈ U aid and generates the corresponding public key PK aid ′ � (e(g, g) aid , g β aid ) in S RW . Also, for each aid ∈ C aid , A randomly chooses c aid ∈ Z * p and generates the system public key PK aid � (e(g, g) aid , g β aid , g c aid ).
en, A responses for the normal AA N aid , the corrupted AA C aid by interacting with B as follows. A requires (gid j , S j ) j∈ [m] , where S j ⊂ U is the corresponding attribute set of user gid j . All users' gid j are unique and for arbitrary i ∈ S, we have T(i) ∉ C aid . en, A fixes a coin b ∈ 0, 1 { }, which is used to generates message msg 0 or msg 1 with the same length. A chooses a set of challenge (M 1 , ρ), . . . , (M q , ρ q ) . Finally, A sends all the chosen parameters to B.
Challenge: A chooses two same length messages (m 0 , m 1 ) and sends to B. en, B submits (m 0 , m 1 ) to the Σ tdpum challenger, obtains a challenge common public key PK aid ′ � (e(g, g) aid , g β aid ), and generates a ciphertext ct * � ( x x∈ 1,...,l { } ) to A. Guess: finally, after receiving the abovementioned responses, A outputs a guess b A ∈ 0, 1 { }. If b A � 1, it means that A guesses that key b B is a random key, and B outputs 1 − b B . If b A � 0, meaning that A guesses that key b B is the key from ct * new , B outputs b B . Since the real system is the same as the distributions of the challenge ciphertext, if A breaks the security of S RW with a nonnegligible advantage, then the simulator B can selectively break S tdpum with the same advantage. □ Theorem 2. Assume the CL signature scheme in [25] is against existing forgery, and the T-DPU-MCP-ABE system in Section 5.1 is traceable secure with respect to Definition 2. Proof.
e security proof of the T-DPU-MCP-ABE system with respect to Definition 2 (i.e., for traceable adversary) is identical to the abovementioned proof except that the adversary runs the Forgery phase instead of the Guess phase. Here, we suppose there exists a PPT attacker A that selectively breaks the CL scheme with a nonnegligible advantage. We can build a PPT simulator algorithm B that selectively breaks Σ tdpum with a nonnegligible advantage. It is proved that the CL scheme is secure against existential forgery under adaptive chosen message attack with LRSW assumption.
Setup: the CL scheme challenger C delivers each authority's public keys G, G T , p, g, g β aid , g c aid to the simulator algorithm B. B chooses random values α aid ∈ Z * p for each authority, runs Setup(λ) and AuthoritySetup(aid, PP) to generate the public key PK aid � e(g, g) α aid , g β aid , g c aid , and sends the public parameter PP and the authority public key PK aid to A. e two hash functions H 1 and H 2 of our scheme are managed by simulator B. Query. A requests (gid j , S j ) j∈ [m] as the relevant private key, where S j ⊆ U means the attribute set of the user gid j . Before A forges the key, to maintain hash functions H 1 and H 2 , B will set two empty tables, T 1 and T 2 , respectively, and update them according to the query of A. When the gid queried by A does not exist in the table of T 1 and T 2 , B will select a random element t gi d ∈ Z * p and a random element t i ∈ Z * p and then record (t gid , g t gid ) and (t i , g t i ) with T 1 and T 2 , respectively. At the same time, simulator B will return the hash value of H 1 or H 2 according to opponent the query of A. For each i ∈ S j , if the attribute authority aid � T(i), then B will submit (gid j , aid) to Challenger C according to the query of A so as to obtain the signature (u, u c aid , u β aid ·((c aid /gid j )+1) ) in the CL scheme. en, B takes the random value t ∈ Z * p and runs KeyGen(gid j , S j , SK aid , PP) as well as sends SK S j ,gid j j∈ [m] to A. In this step, B should computes the following: en, the final calculation is SK S j ,gid j as K 1,i,gid j , K 2,i,gid j , K 3,i,gid j , K 4,i,gid j i∈S j , K 5,gid j .
Forgery. In this step, A has already queried simulator B for the values of $H_1(gid)$ and $H_2(i)$ and obtains $H_1(gid)$ as $g^{t_{K_{5,gid}}}$ and $H_2(i)$ as $g^{t_i}$. A assumes the unknown $K_{3,i,gid} = g^{t_3}$ and $K_{4,i,gid} = g^{t_4}$. Through formula (14) in Section 5.1, we get $K_{2,i,gid} = (K_{3,i,gid})^{c_{aid}} = g^{t_3 c_{aid}}$. Also through formula (14) in Section 5.1, we get $K_{1,i,gid} = g^{\alpha_{aid} + t_{K_{5,gid}} \beta_{aid}} \cdot (K_{4,i,gid})^{t_i} \cdot (K_{3,i,gid})^{\beta_{aid}(K_{5,gid} + c_{aid})}$. Then, B calculates a legal signature $\sigma$ according to the CL scheme, and the calculation process is as follows:
Then, A picks a gid as a message and gives $\sigma = (K_{3,i,gid}, K_{2,i,gid}, (\sigma_1 / K_{3,i,gid}^{gid}))$ as the signature of the message gid according to the CL scheme.
Finally, A outputs a forged secret key $SK^*$ if $\mathrm{Trace}(SK_{S,gid}, PK_{aid}, PP) \notin \Delta$ and $gid \notin \{gid_1, \ldots, gid_m\}$. As $gid \notin \{gid_1, \ldots, gid_m\}$, we know that the signature of message gid has not been requested by B yet. Thus, the simulator B breaks the CL scheme with the same advantage.
Since in the abovementioned game the whole system has the decryption keys, the distributions of the public parameters, and challenge ciphertext, if A breaks the security of the CL scheme, then the simulator B can selectively break $\Sigma_{tdpum}$ with the same advantage. Hence, if the LRSW assumption holds true, the proposed cryptosystem is secure against forgery, meaning that our scheme is traceable secure for the adversary.

Proof of Collusion Prevention.
In our scheme, we use the unique gid and construct the hash function value corresponding to gid to resist collusion attack, which has been proved to be feasible by Allison and Waters [14]. In the process of decryption, the data user needs to calculate $D_x = e(g, g)^{\lambda_x} \cdot e(H_1(gid), g)^{\omega_x}$. For a single user whose attribute set satisfies the access policy, since the $\omega_x$ are shares of the secret value 0, the term $e(H_1(gid), g)^{\omega_x}$ can be eliminated, where $e(H_1(gid), g)^{\omega_x} = 1$. In case of collusion attack, two or more users will have different gid; thus, the value of $H_1(gid)$ will also be different; $e(H_1(gid), g)^{\omega_x}$ with a secret value of 0 cannot be constructed, and thus, it cannot be eliminated. Therefore, two or more users cannot share their attribute key values to mount a collusion attack, which means this scheme is resistant to collusion attack.
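The cancellation argument above can be checked numerically. The following is an added example, not code from the paper or its repository: it tracks group elements by their exponents modulo a toy prime `P` and uses Shamir threshold sharing as a stand-in for the scheme's linear secret sharing. All names (`h1`, `share`, `lagrange_at_zero`, `decrypt_exponent`, `demo`) and the user identifiers are assumptions.

```python
import hashlib
import secrets

# Constructed toy group order (Mersenne prime); the paper's experiments use SS512.
P = 2**127 - 1

def h1(gid):
    """Exponent t such that H1(gid) = g^t (hash-to-Z_p stand-in for the oracle)."""
    return int.from_bytes(hashlib.sha256(gid.encode()).digest(), "big") % P

def share(secret, k, n):
    """Shamir (k, n) shares: a random degree k-1 polynomial evaluated at x = 1..n."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return {x: sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P
            for x in range(1, n + 1)}

def lagrange_at_zero(xs):
    """Reconstruction constants c_x with sum(c_x * f(x)) = f(0) mod P."""
    consts = {}
    for x in xs:
        num = den = 1
        for y in xs:
            if y != x:
                num = num * -y % P
                den = den * (x - y) % P
        consts[x] = num * pow(den, -1, P) % P
    return consts

def decrypt_exponent(lam, omega, holders):
    """Recombine D_x = e(g,g)^lam_x * e(H1(gid),g)^omega_x, tracked in the exponent.

    holders maps each policy row x to the gid whose key component is used for it.
    """
    c = lagrange_at_zero(list(holders))
    return sum(c[x] * (lam[x] + h1(gid) * omega[x])
               for x, gid in holders.items()) % P

def demo():
    s = secrets.randbelow(P)                       # blinding secret in the ciphertext
    lam, omega = share(s, 3, 3), share(0, 3, 3)    # shares of s and of 0
    honest = decrypt_exponent(lam, omega, {1: "alice", 2: "alice", 3: "alice"})
    pooled = decrypt_exponent(lam, omega, {1: "alice", 2: "bob", 3: "bob"})
    return s, honest, pooled                       # honest == s, pooled != s
```

With one gid the $\omega_x$ terms recombine to $h_1(gid) \cdot 0$ and vanish; with pooled keys the residue $(h_1(gid_A) - h_1(gid_B)) \cdot c_1 \omega_1$ stays in the exponent, so the recovered value is not $e(g, g)^s$.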

Performance Evaluations
Theoretical Analysis. We first make a theoretical comparison of our scheme with others. The comparison of features and performance of our work and related works is given in Tables 1 and 2. It can be seen from Table 1 that the YB scheme [11] does not realize traceability, nor does it have the function of dynamic access policy update; although the JZXL scheme [27] has both traceability and large attribute domains, it is constructed based on composite orders and is a single authorization, which will become a bottleneck. Since the QLZH scheme [28] and the YLLT scheme [29] are based on tree access structure, they do not have the functions of large attribute domain, dynamic access strategy update, and traceability. The YLMH scheme [30] can realize the dynamic access strategy update but does not support traceability, while the ZLML scheme [31] does not have the function of dynamic access policy update. Compared with the abovementioned related schemes, our scheme not only supports traceability, large attribute domain, and dynamic access policy update at the same time under multiple authorization agencies but also is based on the prime order bilinear group structure, which is more efficient.
Let $G$ and $G_T$ be the size of elements in $G$ and an exponentiation in $G_T$, respectively. Let $e$ be a pairing and exp be the maximum amounts of time to compute an exponentiation in $G$. Let $A$ be the number of ciphertext attributes, $|S|$ be the size of the attribute set of a private key, and $l$ be the output size of a function. Let $I$ be the number of rows of the matrix when decrypting.
In Table 2, we show the communication cost and the computing cost comparison. Compared with other solutions, our scheme is relatively better in the process of adding multiple functions. On the one hand, for the communication cost, we can draw the following conclusions. Firstly, our scheme has an advantage in the length of the private key in that it supports a large attribute universe. More precisely, the public key of our scheme does not increase linearly with the size of the attribute domain in an attribute authority, while that of the YLMH scheme does, and the storage occupied by our public key is smaller than that of the SPB scheme [32] and the ZLML scheme. Secondly, although the user's private keys in the YB scheme and the YLMH scheme are relatively small, none of these schemes support traceability. In order to enhance the security of the system, the scheme in this paper supports the traceability function, and the user's private key does not increase too much. Furthermore, compared to the YLMH scheme and the ZLML scheme, the length of the ciphertext in our scheme is optimized, which is only linearly related to the number of rows from the generator matrix. On the other hand, for the calculation cost, our scheme supports an access strategy update algorithm, while the YB scheme and the YLMH scheme do not support this function. Finally, for the decryption cost, our scheme is much smaller than that of the YLMH scheme. The decryption cost in our scheme is only related to the number of attribute organizations where the attributes belong. Although the decryption cost in our scheme is slightly higher than that of the YB scheme and the ZLML scheme, the YB scheme does not support traceability and the ZLML scheme does not support access policy update.

Experimental Analysis.
In this section, we conduct a simulation experiment to compare our scheme with the baseline algorithms (the simulation code is available at https://github.com/monzxcv/ABE). We select the scheme in [11] (YB scheme) and the scheme in [30] (YLMH scheme) as our baseline algorithms and run the experiments in five aspects: system initialization, key generation, data encryption, user decryption, and access strategy re-encryption. All the experiments are run on a 64-bit operating system of the Ubuntu 14.04 platform with a core 1.8 GHz processor and 4 GB RAM. We used Charm version 0.50 and Python version 3.7 as our program languages. We first convert the YB scheme, YLMH scheme, and our scheme into asymmetric bilinear mapping and use the famous supersingular symmetric elliptic curve group ("SS512"). Then, in the process of encryption and decryption, the YB scheme, YLMH scheme, and our scheme are only related to the number of access policy attributes. Therefore, in this experiment, we change the number of user attributes and calculate the time of system initialization and user key generation under the same condition to get our first comparison. In addition, we change the access policy and calculate the time of the user encryption and decryption to get another comparison. Finally, the time consumed for updating ciphertext under the same condition is calculated. The experimental attributes are constructed with $A_N$, $N \in [1, \ldots, 50]$. The strategy set is selected as $(A_1 \wedge A_2 \wedge \cdots \wedge A_N)$. We increase the number of attributes from 5 to 50, and there are ten different access strategies. In order to ensure the accuracy of the conclusion, every experiment is run 15 times. The system initialization cost and the average time cost of user private key generation are shown in Figures 2 and 3 when the number of attributes varies from 5 to 50. We fix the number of AAs at 8, and we also fix the number of attributes in the access policy at 8.
Since both our scheme and YB scheme support large attribute domains, the system initialization process has nothing to do with the number of attributes, as is verified in Figure 2. It can be seen that as the number of attributes increases, the cost of the YLMH scheme increases, while the cost of our scheme stays constant, so the larger the number of attributes, the greater the advantage of our scheme. It can be seen from Figure 3 that the cost of the user private key generation time in all the three schemes increases linearly with the increase of attributes. This is because each attribute in the user's private key must be calculated accordingly. Finally, the generation time cost is not much different from that of the YB scheme and the YLMH scheme. Figure 4 shows the average time cost of the encryption and decryption process when the number of attributes used in the access policy varies from 5 to 50. We fix the number of AAs at 8, and the number of attributes for each user is also fixed at 8. It can be seen from Figure 4 that the average execution time of the key generation and encryption/decryption process of the proposed scheme is equivalent to that of the YB scheme, while our scheme is more practical than the YB scheme, such as supporting traceability and dynamic access policy update. Although the YLMH scheme's encryption cost is the smallest, its decryption cost is the largest among the three schemes and is related to the number of attributes the user has. If the user's attributes increase, the decryption time cost of the YLMH scheme will be higher. Figure 5 shows the algorithms' average computing time in the YB scheme, YLMH scheme, and our scheme in policy update. Since the YB scheme does not support dynamic strategy updates, we use the traditional update method.
Table 2 (fragment):
3l exp + (l + 1)e | 4l exp + (l + 1)e | (2l + 1)exp + e | 5l exp + (l + 1)e | 4l exp + (l + 1)e
Decryption cost: 3|I| | 4|I| | 2|S| + 2|I| | 3|I| | 4|I|
Security assumption: q-type | q-type | q-PBDHE | q-type | q-type
There are three modes for updating the dynamic strategy in the YLMH scheme and our scheme. We use mode 3 (which has the highest cost) for comparison. In addition, the number of AAs is fixed at 8, and the number of attributes for each user is also fixed at 8. We vary the number of attributes by 5, 10, and 15. As can be seen from Figure 5, our scheme and YLMH scheme can dynamically update the strategy. Thus, the time cost is less than that of the YB scheme. Although our scheme costs slightly more than the YLMH scheme, our scheme supports traceability, which is considered to be more practical.

Conclusions and Future Work
Regarding the three problems in the CP-ABE scheme of multiauthority, traceability, and the flexibility in changing the access policy, we propose a scheme to achieve good solutions. Our scheme supports multiple authorities, white box traceability, large attribute domains, access policy updates, and high expressiveness. Then, we prove that our scheme is static secure and traceable secure based on the state-of-the-art security models. By supporting the traceability, there is no need to maintain the authorized institution's identity table; thus, our solution is more practical. The experimental results indicate that our scheme has efficient performance while enjoying the abovementioned features. In future work, we plan to conduct a study on computational outsourcing and hidden access strategies for CP-ABE.

Data Availability
No data were used to support this study.