Fine-Grained Task Access Control System for Mobile Crowdsensing

Mobile crowdsensing enables people to collect and process a massive amount of information by using social resources without any cost on sensor deployment or model training. Many schemes focusing on the problems of task assignment and privacy preservation have been proposed so far. However, the privacy preservation of requesters and task access control, which are vital to mobile crowdsensing, are barely considered in the literature. To address the aforementioned issues, a fine-grained task access control system for mobile crowdsensing is proposed. In particular, the requester can decide the group of task performers who can access the task by utilizing attribute-based encryption technology. The untrusted crowdsensing platform cannot obtain any sensitive information concerning the requester or the task, while the qualified task performers are capable of retrieving tasks within 0.85 ms. Security analysis and experimental results are presented to show the feasibility and efficiency of the proposed system.


Introduction
The evolution of mobile devices promotes a new sensing paradigm called mobile crowdsensing. Integrated with a set of powerful sensors (e.g., camera, recorder, and GPS), the mobile device is capable of collecting different kinds of information for specific purposes [1]. Formally, mobile crowdsensing refers to a group of mobile users being coordinated to perform large-scale sensing tasks over urban environments by using their mobile devices [2]. Figure 1 shows a typical workflow of mobile crowdsensing. As we can see, there are three kinds of participants: the requester, the crowdsensing platform, and the task performer. The process of mobile crowdsensing consists of eight stages: design task, release task, scan task, choose task, resolve task, submit result, accept/refuse, and integration. If a requester wants to launch a task, he needs to submit his requirement about the task to the crowdsensing platform. The task performers in the crowdsensing platform scan the tasks and choose appropriate ones. After accomplishing the task, the task performers submit the results back to the platform, and the requester can decide whether the results are qualified. If yes, all the results are integrated, and the task is finished [3].
Due to the convenience of deployment and communication, mobile crowdsensing has been applied in a large number of scenarios such as smart transportation, environmental monitoring, and data labelling [4][5][6][7]. Although mobile crowdsensing provides an unprecedented solution for data collecting and processing, it brings many new challenges as well. Privacy preservation is one of the main problems that need to be considered when designing a mobile crowdsensing scheme. Most of the previous studies focus on protecting task performers [8,9].
That is, they mainly consider how to preserve the privacy of task performers in the stage of submit result. For some specific tasks, the privacy leakage may also occur in the stage of release task since the platform is not fully trusted. The platform may deduce the privacy of requesters according to their tasks. Besides, task access control is another problem that needs to be addressed. In mobile crowdsensing, the tasks are stored on the platform. Anyone in the system can access and accept the task. For the tasks that require users with specific conditions, it may lead to poor quality of task results if task performers are not qualified. Moreover, task access control can efficiently prevent the task information from being obtained by irrelevant entities (e.g., the crowdsensing platform). Thus, task access control is vital to mobile crowdsensing.
Attribute-based encryption (ABE) [10][11][12] is a promising data-sharing tool that provides fine-grained access control over the encrypted data.
There are mainly two branches: ciphertext policy ABE (CP-ABE) [11] and key policy ABE (KP-ABE) [10]. In CP-ABE, the user secret key is associated with an attribute set, and the ciphertext is associated with an access policy. Only when the attribute set satisfies the access policy can the ciphertext be decrypted [13]. In KP-ABE, the situation is reversed. The user secret key and ciphertext are associated with an attribute set and access policy, respectively. Apparently, data owners in CP-ABE can decide the access policy, which makes CP-ABE more suitable for mobile crowdsensing. However, there still exist some problems if it is directly used in mobile crowdsensing [14].
A Motivating Story. Consider a researcher who would like to collect the heart rate records of people in region A for research. To achieve the purpose, he decides to issue his requirement to a crowdsensing platform. To encourage task performers in the system, everyone who contributes to this task will get some allowance. The researcher needs to encrypt the task with ABE technology, and the corresponding access policy is {"region A" AND "male"}. Thus, only male users in region A can accept this task. As the platform is not fully trusted, the access policy should not be included in the ciphertext. Otherwise, the platform may deduce the privacy of the researcher or task performers who accepted this task. The crowdsensing platform is public and contains a variety of task performers. Generally speaking, the more task performers take part in the task, the better the result is.
However, the requester may get a contrary result without a selecting mechanism for task performers. To address this problem, many task allocation algorithms have been proposed [2,3,15,16]. Most of them let the crowdsensing platform perform the task allocation. Since the crowdsensing platform is not fully trusted, it may collect the attributes of the task and thus deduce the privacy of the requester or task performers who are qualified to accept this task. Therefore, we need to design a better solution that achieves fine-grained task access control without loss of confidentiality by using ABE technology. However, the following two issues arise.
By employing ABE technology, the content of the task is unknowable to the crowdsensing platform. However, the encrypted information is also difficult for task performers to browse. A task performer may need to download all the ciphertexts and try to decrypt them one by one, which is inefficient especially in the scenario of mobile crowdsensing where the devices are resource-limited [17]. How can we let the task performers get the appropriate tasks efficiently when the tasks are encrypted? Besides, in ABE, the access policy embedded in the ciphertext is sent to the crowdsensing platform. Since it is directly connected to the task, the crowdsensing platform may deduce the privacy of requesters and task performers from it. To protect the content of the ciphertext, ABE schemes supporting hidden access policy are needed.

Contributions.
In this paper, we propose a fine-grained task access control system for mobile crowdsensing called FGTAC. The contributions are summarized as follows:
(1) Fine-Grained Task Access Control. Considering the situation that the requester needs to recruit a group of users with specific attributes for his task, a fine-grained task access control mechanism is needed. By employing ABE technology, the tasks are encrypted under the access policy defined by requesters. Only users with appropriate attributes can retrieve the encrypted task. In FGTAC, an AND-gate access policy with a wildcard is employed. Every attribute in the access policy has three kinds of possible values: positive, negative, and wildcard. As a result, the proposed system can achieve both fine-grained access control and flexibility.
(2) Privacy Preservation. One of the main purposes of our system is to preserve the privacy of requesters and task performers. To the best of our knowledge, little of the existing literature pays attention to preserving the privacy of requesters. However, the crowdsensing platform is not fully trusted. If tasks are sent to the crowdsensing platform without any protection, the crowdsensing platform may deduce the information about requesters and thus threaten their privacy. To address this problem, we employ ABE technology in our system. Nevertheless, the access policy in ABE is sent to the crowdsensing platform together with the ciphertext, which may help the crowdsensing platform deduce the content of the task. Thus, we employ Viète's formulas [18] to hide the access policy in the ciphertext.
(3) Task Search. As the tasks are encrypted and the access policies are hidden, the task performers cannot search the tasks as usual [19]. In our FGTAC system, an efficient search function is provided. The keyword is encrypted and stored in the ciphertext. Before the search algorithm is performed, the user keyword is transferred into the trapdoor. As a result, the crowdsensing platform cannot obtain any useful information from it. Moreover, the search algorithm only costs two bilinear pairing operations, which can be performed within 9 ms. The predecryption algorithm is performed once the search algorithm finishes.
(4) Ciphertext Predecryption. In the scenario of mobile crowdsensing, devices cannot afford the high computational overhead of bilinear pairing operations. To reduce their computational overhead, we design the function of ciphertext predecryption in FGTAC. On the user side, the decryption algorithm only costs two exponentiation operations in G_T, which can be performed efficiently by mobile devices.

Related Works.
Task assignment and privacy-preserving are the two main problems in mobile crowdsensing [20,21]. In task assignment, the crowdsensing platform needs to determine who is suitable to perform the task. To find the appropriate performers, many solutions are proposed in the literature [15,22,23]. Wu et al. [15] proposed two approximate task assignment algorithms for sweep coverage. Different from the schemes valuing the point of interest, they designed a model that weighs the quality of coverage from the perspective of the area. In Ref. [22], Karaliopoulos et al. employed opportunistic networking technology in choosing performers for crowdsensing tasks. In Ref. [23], the authors designed a crowdsensing system that mainly considers the location and profits of performers. However, the crowdsensing platform is hard to trust in reality. It may threaten the security of task performers and requesters if the crowdsensing platform obtains private information. Wang et al. [24] enabled the performers to select the personal privacy level so that they do not need to upload their true location to the crowdsensing platform. Ni et al. [16] introduced a strong privacy-preserving scheme for mobile crowdsensing called SPOON. Specifically, proxy re-encryption and BBS+ signature are used to protect the tasks and results. Sei et al. [9] proposed an anonymized data collecting scheme by improving the traditional randomized response scheme. Unfortunately, none of the aforementioned schemes is designed to protect the privacy of requesters. In the workflow of mobile crowdsensing, the privacy of both performers and requesters can be obtained by the crowdsensing platform through the task information, which threatens their security.
To handle the problems above, ABE technology, which was first proposed by Sahai and Waters [25], is a promising tool. As a well-known data-sharing tool, many ABE schemes aiming at settling the challenges of confidentiality and flexibility in data access control have been proposed [26][27][28][29][30]. To enable the users to search on the encrypted files, Sun et al. [26] proposed a fine-grained keyword search scheme. With the technologies of lazy re-encryption and proxy re-encryption, the expensive computation cost of ABE is delegated to other entities. As the access policy may leak the privacy, a partially hidden access policy ABE scheme is proposed in Ref. [27]. The access policy in their scheme only consists of the attribute names, and the corresponding values are not provided. Further in Ref. [28], a fully hidden access policy ABE scheme is introduced. Compared with Ref. [27], the scheme in Ref. [28] is more secure. To handle the expensive computation in ABE, Ning et al. set a secret value for users to protect ciphertexts in Ref. [29]. In the stage of decryption, the cloud server performs the decryption algorithm to generate the transformed ciphertext. The cloud server cannot get any useful information from the transformed ciphertext, while users can retrieve the encrypted data efficiently.

Organization.
In Section 2, we state the preliminaries, including notations, bilinear map, complexity assumption, Viète's formulas, access structure, and the definition of CP-ABE. The system model, definition, and security model are outlined in Section 3. Section 4 gives detailed construction and the security analysis of FGTAC. Section 5 evaluates the proposed system in terms of feature comparison, theoretical analysis, and experimental analysis. A brief conclusion is presented in Section 6.

Preliminaries
2.1. Notations. Some frequently used notations are given in Table 1.

Bilinear Map.
Let G and G_T be two cyclic groups with prime order p, g be the generator of G, and e: G × G ⟶ G_T be a bilinear map. e has the following properties: (1) Bilinearity: ∀x, y ∈ G and α, β ∈ Z_p, the equation (3) Computability: ∀x, y ∈ G, the computation of bilinear pairing (e(x, y)) can be performed efficiently.

Complexity Assumption. We use the decisional q-bilinear Diffie-Hellman inversion (q-BDHI) problem in our scheme. A challenger selects two groups G and G_T. Let g be a generator of G and x ∈ Z_p. Given the tuple y = (g, g^x, ..., g^{x^q}) as input, it must be difficult for adversaries to distinguish e(g, g)^{1/x} from R ∈ G_T. An algorithm B has advantage ε in breaking it if |Pr[B(y, e(g, g)
Definition 1. (q-BDHI). The decisional q-BDHI assumption holds if all probabilistic polynomial-time (PPT) algorithms have at most a negligible advantage in breaking it.

Viète's Formulas. Consider two vectors
Vector v contains both alphabets and wildcards, and vector z only contains alphabets. Let J = To hide the computation, we can choose a random group element H_i and put v_i, z_i as the exponents of H_i. Then, the above

By using Viète's formulas, we can construct the coefficient where n = |J|.

Access Structure.
Let W = S_1 ∧ S_2 ∧ ··· ∧ S_L be an AND-gate access policy. Every attribute S_i has three kinds of states. '+' stands for positive, '−' stands for negative, and '*' stands for wildcard. If a user wants to join the system, an attribute set S will be assigned to him, where S = S_1, S_2, ..., S_L. Similar to the access policy, every attribute has two kinds of states. '+' stands for positive and '−' stands for negative. The notation S ⊨ W means that S satisfies W.
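The Viète's formulas and Access Structure passages above, worked in the clear as an added example (not code from the paper): it builds the coefficients a_k of ∏_{j∈J}(x − j) and checks that the wildcard-aware sum equality agrees with the plain S ⊨ W test. Assumptions: the standard Viète relation a_{n−k} = (−1)^k e_k(J), which agrees with the page's a_{n_1} = 1; the encoding '+' → 1, '-' → 2, the toy modulus P, the bound `n_max` (playing the role of N_1) and the random scalar weights h_i standing in for the random group elements H_i are constructed for this example.

```python
import secrets
from itertools import combinations

P = (1 << 61) - 1          # toy prime modulus standing in for the group order p (assumption)
ENC = {"+": 1, "-": 2}     # constructed encoding of attribute states as field values


def satisfies(S, W):
    """Plain AND-gate check S |= W: every non-wildcard position must agree."""
    return len(S) == len(W) and all(w == "*" or w == s for s, w in zip(S, W))


def viete_coefficients(J, p=P):
    """a_0..a_n of prod_{j in J}(x - j) mod p, using a_{n-k} = (-1)^k * e_k(J)."""
    J = list(J)
    n = len(J)
    a = [0] * (n + 1)
    for k in range(n + 1):
        e_k = 0                               # k-th elementary symmetric polynomial of J
        for combo in combinations(J, k):
            term = 1
            for j in combo:
                term = term * j % p
            e_k = (e_k + term) % p
        a[n - k] = (-1) ** k * e_k % p
    return a


def eval_poly(a, x, p=P):
    """Evaluate sum_k a_k x^k mod p."""
    return sum(c * pow(x, k, p) for k, c in enumerate(a)) % p


def policy_side(W, h, n_max, p=P):
    """Requester side: knows W. Returns the left-hand sum and zero-padded coefficients."""
    J = [i for i, w in enumerate(W, start=1) if w == "*"]   # wildcard positions
    if len(J) > n_max:
        raise ValueError("policy has more wildcards than the bound n_max")
    a = viete_coefficients(J, p)
    lhs = 0
    for i, w in enumerate(W, start=1):
        if w != "*":
            lhs = (lhs + h[i - 1] * ENC[w] * eval_poly(a, i, p)) % p
    return lhs, a + [0] * (n_max - len(J))


def user_side(S, h, n_max, p=P):
    """Performer side: knows S only. Returns T_k = sum_i h_i z_i i^k for k = 0..n_max."""
    return [sum(h[i - 1] * ENC[s] * pow(i, k, p) for i, s in enumerate(S, start=1)) % p
            for k in range(n_max + 1)]


def viete_match(S, W, n_max=None, p=P):
    """True when sum_{i not in J} h_i v_i prod_{j in J}(i-j) == sum_k a_k T_k (mod p)."""
    if len(S) != len(W):
        return False
    n_max = len(W) if n_max is None else n_max
    # Random nonzero weights: without them two mismatches could cancel by accident.
    h = [secrets.randbelow(p - 1) + 1 for _ in W]
    lhs, a = policy_side(W, h, n_max, p)
    T = user_side(S, h, n_max, p)
    return lhs == sum(c * t for c, t in zip(a, T)) % p


if __name__ == "__main__":
    W = "+*-*+"                                # constructed policy, wildcards at 2 and 4
    for S in ("+--++", "+-+++"):               # constructed attribute sets
        print(S, satisfies(S, W), viete_match(S, W))
```

Positions in J contribute nothing on the user side because ∏_{j∈J}(i − j) vanishes there, which is why the performer's sums can be computed without knowing where the wildcards are.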

CP-ABE definition.
There are four algorithms in a basic ciphertext policy attribute-based encryption scheme: Setup, KeyGen, Encrypt, and Decrypt.
(1) Setup (λ) ⟶ (PK, MSK): It takes the secure parameter λ as input and outputs the public key PK and the master secret key MSK.

System Model and Security
In this section, we give out the system model, definition, and security model of FGTAC.

System Model.
In Figure 2, we show the system model of FGTAC. It consists of four entities: the key generation center (KGC), the crowdsensing platform, the requester, and task performers.
(1) KGC needs to generate the system parameters and distribute secret keys for task performers in FGTAC. As the core management entity, KGC is trusted by other entities.
(2) Crowdsensing Platform is responsible for storing the tasks and receiving the sensing data. When a task performer queries for a task, the crowdsensing platform will perform the predecryption algorithm to relieve his computational overhead. It is semitrusted in the sense that the crowdsensing platform may collect private information for its own interest.
(3) Requester is the entity that issues crowdsensing tasks via the crowdsensing platform to collect sensing data. Since the requester is able to issue tasks at will, we assume the requester has sufficient computation ability. In addition, the requester may have some special requirements on task performers and does not want the crowdsensing platform to know the content of his task. Thus, the requester needs to encrypt his tasks with ABE technology.
(4) Task Performers are workers in FGTAC. They would like to accomplish the requesters' tasks to get the allowance. The tasks are encrypted by ABE technology. All the task performers in the system are assigned a set of attributes. Only task performers whose attribute set satisfies the access policy can retrieve the task in the crowdsensing platform. The task performers are untrusted, for they may collude to get the tasks that they are not qualified to obtain.

3.2. Definition. According to the system model, the definition of the proposed system is designed as follows:
(1) Setup (λ) ⟶ (PK, MSK): The setup algorithm is run by KGC. It takes a secure parameter λ as input and outputs the public key PK and the master secret key MSK. KGC keeps MSK private and publishes PK.
(2) UserReg (PK) ⟶ (UK, USK): The user registration algorithm is run by task performers. It takes PK as input and outputs the user public key UK and the user master secret key USK. The task performers keep USK private and publish UK.
(3) KeyGen (PK, MSK, UK, S) ⟶ SK: The key generation algorithm is run by KGC. It takes PK, MSK, UK, and an attribute set S as input and outputs the user secret key SK. KGC distributes SK to the corresponding task performers in the system.
(4) Encrypt (PK, W, msg, KW) ⟶ CT: The encryption algorithm is run by the requester. It takes PK, an access policy W, a message msg, and the keyword KW defined by the requester as input and outputs the ciphertext CT. Note that all the ciphertexts are transferred to the crowdsensing platform for storage.
(5) Trapdoor (PK, KW_u) ⟶ td: The trapdoor generation algorithm is run by task performers. It takes PK and the user keyword KW_u as input and outputs the trapdoor td.
(6) Search (PK, CT, td) ⟶ 1 or 0: The search algorithm is run by the crowdsensing platform. It takes PK, CT, and td as input and outputs 1 if td matches CT. Otherwise, the algorithm outputs 0.
(7) PreDecrypt (PK, SK, CT) ⟶ preCT or ⊥: The predecryption algorithm is run by the crowdsensing platform. It takes PK, SK, and CT as input and outputs the predecrypted ciphertext preCT if the attribute set S in SK satisfies W in CT. Otherwise, the algorithm outputs ⊥.
(8) Decrypt (PK, preCT, USK) ⟶ msg: The decryption algorithm is run by task performers. It takes PK, preCT, and USK as input and outputs the message msg.

Security Model. According to the system model in Section 3.1, we say that KGC is fully trusted, the crowdsensing platform is semitrusted, and requesters and task performers are untrusted. We define the security of FGTAC by the security games as follows:

Chosen-Plaintext Attack Security.
The security game of chosen-plaintext attack (CPA) is designed between a challenger C and an active adversary (malicious user) A. The interaction is as follows:
Initialization: A declares the challenge access policy W*, challenge user public key UK*, and sends them to C.
Setup: C first runs the Setup algorithm to get the public key PK and the master secret key MSK. After that, PK is sent to A.
Query Phase 1: Let T be an empty set and c = 0 be an integer counter. A launches queries as follows:
Generate.SK(S): C sets c = c + 1. It runs the UserReg algorithm to get the tuple of user public key and user secret key (UK, USK), and runs the KeyGen algorithm with attribute set S and UK to get the user secret key SK. C stores (c, UK, USK, S, SK) to T. Besides, the situation that S ⊨ W* is not allowed.
The probability for A to win the security game is

Chosen Keyword Attack Security.
The security game of chosen keyword attack (CKA) is designed between a challenger C and an active adversary (malicious user) A. The interaction is as follows:
Setup: C first runs the Setup algorithm to get the public key PK and the master secret key MSK. Then, C returns PK to A.
Query Phase 1: Let T_1, T_2 be two empty sets, c = 0 be an integer counter. A launches queries as follows:
Generate.Trapdoor(KW): C sets c = c + 1. It runs the Trapdoor algorithm with keyword KW to get the trapdoor td. C stores (c, KW, td) to T_1.
Corrupt.Trapdoor(i): C checks whether T_1 contains (i, KW, td). If it does, C returns td to A and sets T_2 = T_2 ∪ KW. Otherwise, C returns ⊥.
Challenge: A declares two equal-length keywords kw_0, kw_1 and sends them to C. Note that kw_0, kw_1 ∉ T_2. C randomly selects b ∈ {0, 1} and runs the Encrypt algorithm to get challenge ciphertext CT
The probability for A to win the security game is

Secret Key Exposure Attack Security.
The security game of secret key exposure attack is designed between a challenger C and an active adversary (semitrusted crowdsensing platform) A. The interaction is as follows:
Initialization: A declares the challenge access policy W* and sends it to C.
Setup: C first runs the Setup algorithm to get the public key PK and the master secret key MSK. C returns PK to A.
Query Phase 1: Let T_1, T_2 be two empty sets, c_1 = 0, c_2 = 0 be two integer counters. A launches queries as follows:
Generate.SK(S): C sets c_1 = c_1 + 1. It runs the UserReg algorithm to get (UK, USK), and runs the KeyGen algorithm with attribute set S and UK to get the secret key SK. It stores (c_1, UK, USK, S, SK) to T_1. Besides, the situation that S ⊨ W* is not allowed.
Generate.CT(W, KW): C sets c_2 = c_2 + 1. It runs the Encrypt algorithm to get the ciphertext CT. It stores (c_2, W, KW, CT) to T_2. Besides, the situation that W = W* is not allowed.
Corrupt(i, j): C checks whether T_1 contains (i, UK, USK, S, SK) and T_2 contains (j, W, KW, CT). If it does, C returns the tuple (SK, CT) to A. Otherwise, C returns ⊥.
PreDecrypt(SK, CT): A runs the PreDecrypt algorithm to get the predecrypted ciphertext preCT.
Challenge: A declares two equal-length plaintexts m_0, m_1 to C. C randomly selects b ∈ {0, 1} and runs the Encrypt algorithm to get ciphertext CT*_b. C runs the UserReg algorithm and KeyGen algorithm to get SK. It sends SK, CT*_b to A, and A performs the PreDecrypt algorithm to get the challenge predecrypted ciphertext preCT_b.
Query Phase 2: A adaptively queries SK and CT as in Query Phase 1.
The probability for A to win the security game is

Collude Attack Security.
The security game of collude attack is designed between a challenger C and an active adversary (malicious user) A. The interaction is as follows:
Initialization: A declares the challenge access policy W* and sends it to C.
Setup: C first runs the Setup algorithm to get the public key PK and the master secret key MSK. C returns PK to A.
Query Phase: Let T be an empty set, c = 0 be an integer counter. A launches queries as follows:
Generate.SK(S): C sets c = c + 1. It runs the UserReg algorithm to get the tuple of user public key and user secret key (UK, USK), and runs the KeyGen algorithm with attribute set S and UK to get the user secret key SK. C stores (c, UK, USK, S, SK) to T. Besides, the situation that S ⊨ W* is not allowed.
Corrupt.SK(i): C checks whether T contains (i, UK, USK, S, SK). If it does, C returns (UK, USK) to A. Otherwise, C returns ⊥.

Construction.
The attribute universe contains L attributes. For each of the attributes, there are three kinds of states. '+' stands for positive, '−' stands for negative, and '*' stands for wildcard. Let N_1, N_2, and N_3 be the three upper bounds defined as follows: N_1 is the maximum number of wildcards (N_1 ≤ L); N_2 is the maximum number of positive attributes (N_2 ≤ L); N_3 is the maximum number of negative attributes (N_3 ≤ L). The detailed construction of the proposed system consists of the following eight algorithms:
Setup (λ) ⟶ (PK, MSK): The setup algorithm is run by KGC. It takes secure parameter λ as input, generates a bilinear pairing group (G, G_T, p, e) and sets n = N_1 + 3. It randomly selects g, h, v, w ∈ G, α ∈ Z_p. For ∀i ∈ [n], the algorithm selects r_i, u_i, t_i ∈ Z_p randomly and calculates R_i = g^{r_i}, { }* ⟶ Z_p is a hash function. The public key PK and the master secret key MSK are set as
UserReg (PK) ⟶ (UK, USK): The user registration algorithm is run by task performers in the system. A task performer randomly selects β ∈ Z_p and calculates g^β. The user public key UK and the user master secret key USK are set as
The algorithm creates vectors x_V and x_Z as
The key generation algorithm randomly selects r ∈ Z_p and computes K_0 = UK^α w^{1/r}. For ∀i ∈ [n], it sets K i,1 � �→ +t x Z i �→ )/r . The user secret key is set as follows:
Encrypt (PK, W, msg, KW) ⟶ CT: The encryption algorithm is run by the requester. Let the access policy W contain w_1 wildcards, w_2 positive attributes, and w_3 negative attributes.
′}, and Z′ = {z_1′, z_2′, ..., z_{w_3}′} represent the positions where '*', '+', and '−' attributes are, respectively. According to Viète's formulas, the algorithm computes the coefficients {a_k}_{k∈[0,n_1]} as a_{n_1} = 1,
It computes as follows:
The encryption algorithm randomly selects s ∈ Z_p and computes C = msg · Y^{1/s},
According to the keyword KW, the algorithm calculates C_4 = h^{H(KW)/s}. The ciphertext CT is set as follows:
Trapdoor (PK, KW_u) ⟶ td: The trapdoor generation algorithm is run by task performers. The trapdoor is used to search the tasks about the keyword KW_u specified by task performers. The algorithm randomly selects t ∈ Z_p and computes TD_1 = g^t and TD_2 = h^{H(KW_u)t}. The trapdoor is set as follows:
Search (PK, CT, td) ⟶ 1 or 0: The search algorithm is run by the crowdsensing platform. On receiving td, the crowdsensing platform checks if e(C_0, TD_2) = e(C_4, TD_1) holds. If yes, the crowdsensing platform performs the PreDecrypt algorithm.
PreDecrypt (PK, SK, CT) ⟶ preCT or ⊥: The predecryption algorithm is run by the crowdsensing platform. If S embedded in SK satisfies the W in CT, the algorithm returns the predecrypted ciphertext preCT. Otherwise, it returns ⊥. The computing process is as follows:

Security and Communication Networks
preCT = e(C_0, K_0)/P. (11)
Decrypt (PK, preCT, USK) ⟶ msg: The decryption algorithm is run by task performers. To retrieve the predecrypted ciphertext preCT, the algorithm performs the following operations:
Note that the proposed system supports multikeyword search if KW in Encrypt and KW_u in Trapdoor consist of a set of keywords.
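The Encrypt/Trapdoor/Search exchange above, modelled at the exponent level as an added example (not the paper's JPBC implementation): each element g^a is stored as a mod p, so e(g^a, g^b) becomes a·b, which is enough to check that e(C_0, TD_2) = e(C_4, TD_1) balances exactly when H(KW) = H(KW_u). Assumptions: C_0 = g^{1/s} (the value for which the page's Search equation balances given C_4, TD_1 and TD_2), h = g^η, SHA-256 reduced mod p as H, the toy modulus, and all function names; the model exposes discrete logs, so it demonstrates correctness only, not security.

```python
import hashlib
import secrets

P = (1 << 61) - 1   # toy prime standing in for the group order p (assumption)


def H(keyword, p=P):
    """Hash a keyword into Z_p. SHA-256 mod p is an assumption; the page only
    states that H is a hash function into Z_p."""
    return int.from_bytes(hashlib.sha256(keyword.encode()).digest(), "big") % p


def rand_nonzero(p=P):
    return secrets.randbelow(p - 1) + 1


def pair(a, b, p=P):
    """Exponent model of the pairing: e(g^a, g^b) = e(g, g)^(a*b)."""
    return a * b % p


def setup(p=P):
    """Public elements g and h = g^eta, stored as their exponents (1 and eta)."""
    return {"g": 1, "h": rand_nonzero(p)}


def encrypt_keyword(pk, kw, p=P):
    """Requester: keyword part of CT. C0 = g^(1/s) (assumed), C4 = h^(H(KW)/s)."""
    s = rand_nonzero(p)
    inv_s = pow(s, -1, p)
    c0 = pk["g"] * inv_s % p
    c4 = pk["h"] * H(kw, p) % p * inv_s % p
    return c0, c4


def trapdoor(pk, kw_u, p=P):
    """Task performer: TD1 = g^t, TD2 = h^(H(KW_u) * t) with fresh random t."""
    t = rand_nonzero(p)
    td1 = pk["g"] * t % p
    td2 = pk["h"] * H(kw_u, p) % p * t % p
    return td1, td2


def search(ct, td, p=P):
    """Platform: 1 if e(C0, TD2) == e(C4, TD1), else 0."""
    c0, c4 = ct
    td1, td2 = td
    return 1 if pair(c0, td2, p) == pair(c4, td1, p) else 0


def platform_search(store, td, p=P):
    """Indices of stored ciphertexts that match the trapdoor."""
    return [i for i, ct in enumerate(store) if search(ct, td, p)]


if __name__ == "__main__":
    pk = setup()
    # Constructed task keywords; the platform stores only the (C0, C4) pairs.
    store = [encrypt_keyword(pk, kw) for kw in ("heart-rate", "noise-map", "heart-rate")]
    print(platform_search(store, trapdoor(pk, "heart-rate")))   # matches tasks 0 and 2
```

Both sides of the check reduce to η·t/s times a keyword hash, so the random s and t cancel and only the comparison of H(KW) with H(KW_u) decides the outcome, while two ciphertexts or two trapdoors for the same keyword still differ in value.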

Theorem 1. The proposed system is chosen-plaintext attack secure for PPT adversaries (malicious users).
Proof. Let A be a PPT adversary who attacks the FGTAC system. The security game is played between A and a simulator B as follows:
Initialization: A declares the challenge access policy W*, challenge user public key UK* = g^{β_1}, and sends them to B.
Setup: B sets n = N_1 + 3 and randomly selects g, h, v, w ∈ G, α ∈ Z_p. Then, it selects r_i, u_i, t_i ∈ Z_p and calculates , Y, H⟩ and the master secret key is MSK = ⟨α, {r_i, u_i, t_i}_{i∈[n]}⟩. PK is sent to A.
Query Phase 1: Let T be an empty set, c = 0 be an integer counter. A launches queries as follows:
Generate.SK(S): B sets c = c + 1. It runs the UserReg algorithm to generate UK = g^β and USK = β. Then, B runs the KeyGen algorithm to get the corresponding user secret key SK = ⟨K_0 = UK^α w^{1/r}, K_{i,1} = g^{x_{V_i}/r},
Challenge: A declares two equal-length plaintexts m_0, m_1 and sends them to B. B randomly selects b ∈ {0, 1} and runs the Encrypt algorithm to get
Query Phase 2: A adaptively queries SK as in Query Phase 1.
A wins the game if b′ is the same as b. Since the distributions of PK, UK, SK, and CT are identical to those in the real world, the advantage of the adversary to win this game is negligible.

Chosen Keyword Attack Security
Theorem 2.
The proposed system is chosen keyword attack secure for PPT adversaries (malicious users).
Proof. Let A be a PPT adversary who attacks the FGTAC system. The security game is played between A and a simulator B as follows:
Setup: B sets n = N_1 + 3 and randomly selects g, h, v, w ∈ G, α ∈ Z_p. Then, it selects r_i, u_i, t_i ∈ Z_p and calculates , Y, H⟩ and the master secret key is MSK = ⟨α, {r_i, u_i, t_i}_{i∈[n]}⟩. Then, B returns PK to A.
Query Phase 1: Let T_1, T_2 be two empty sets, c = 0 be an integer counter. A launches queries as follows:
Generate.Trapdoor(KW): B sets c = c + 1. It randomly selects t ∈ Z_p and computes TD_1 = g^t and TD_2 = h^{H(KW_u)t}. td is set as ⟨TD_1, TD_2⟩. B stores (c, KW, td) to T_1.
Corrupt.Trapdoor(i): B checks whether T_1 contains (i, KW, td). If it does, B returns td to A and sets T_2 = T_2 ∪ KW. Otherwise, B returns ⊥.
Query Phase 2: A adaptively queries td as in Query Phase 1.
Challenge: A declares two equal-length keywords kw_0, kw_1 and sends them to B. Note that kw_0, kw_1 ∉ T_2. B randomly selects b ∈ {0, 1} and runs the Encrypt algorithm to select s ∈ Z_p and get the challenge ciphertext CT
A wins the game if b′ is the same as b. Since the distributions of PK, td, and CT are identical to those in the real world, the advantage of the adversary to win this game is negligible.

Secret Key Exposure Attack Security
Theorem 3.
The proposed system is secret key exposure attack secure for a PPT adversary (semitrusted crowdsensing platform).
Proof. Let A be a PPT adversary who attacks the FGTAC system. The security game is played between A and a simulator B as follows:
Initialization: The adversary A declares the challenge access policy W* and sends it to B.
Setup: B sets n = N_1 + 3 and randomly selects g, h, v, w ∈ G, α ∈ Z_p. Then, it selects r_i, u_i, t_i ∈ Z_p and calculates , Y, H⟩ and the master secret key is MSK = ⟨α, {r_i, u_i, t_i}_{i∈[n]}⟩. Then, B sends PK to A.
Query Phase 1: Let T_1 and T_2 be two empty sets, c_1 = 0 and c_2 = 0 be two integer counters. A launches queries as follows:
Generate.SK(S): B sets c_1 = c_1 + 1. It runs the UserReg algorithm to get the user public key UK = g^β and the user secret key USK = β. Then, B runs the KeyGen algorithm to get the corresponding user secret key
It stores (c_2, W, KW, CT) to T_2. Besides, the situation that the access policy W = W* is not allowed.
to A, and A performs the PreDecrypt algorithm to get the challenge predecrypted ciphertext preCT = e(C_0, K_0)/P.
Query Phase 2: A adaptively queries SK and CT as in Query Phase 1.
A wins the game if b′ is the same as b. Since the distributions of PK, SK, UK, and CT are identical to those in the real world, the ciphertext is protected by the USK and the adversary A cannot obtain any sensitive information. □
The proposed system is colluding attack secure for PPT adversaries (malicious users).
Proof. Let A be a PPT adversary who attacks the FGTAC system. The security game is played between A and a simulator B as follows:
Initialization: A declares the challenge access policy W* and challenge user public key UK* = g^{β_1} and sends them to B.
Setup: B sets n = N_1 + 3 and randomly selects g, h, v, w ∈ G, α ∈ Z_p. Then, it selects r_i, u_i, t_i ∈ Z_p and calculates , Y, H⟩, and the master secret key is MSK = ⟨α, {r_i, u_i, t_i}_{i∈[n]}⟩. After that, PK is sent to A.
Query Phase: Let T be an empty set, c = 0 be an integer counter. A launches queries as follows:
Generate.SK(S): C sets c = c + 1. It runs the UserReg algorithm to generate and . Then, runs the KeyGen algorithm to get the corresponding user secret key SK =
wins the game if the forged secret key is valid. Since all the secret keys in are randomized by the random number . The advantage for the adversary to forge a valid secret key is negligible.

Feature Comparison.
The performance evaluation is performed among Ref. [26,28,30-32] and our system. We mainly consider the following features in Table 2: hidden access policy, ciphertext search, predecryption, and access structure. Although ABE technology, which provides fine-grained access control, is employed in all the aforementioned schemes, only Ref. [28,30,32] and our system support hiding the access policy. Malicious users in Ref. [26,31] may deduce sensitive information about the ciphertext from the access policy. Compared with Ref. [28,30,31], Ref. [26,32] and our system enable users to search specific ciphertexts according to the keyword they provide (ciphertext search). To achieve lightweight computation, predecryption is provided in Ref. [30] and our system. As a result, task performers in both of the two systems can decrypt the ciphertext with their mobile devices efficiently. Moreover, the access structure in Ref. [26,28] and our system are the same, while the other schemes use "And-Gate" or the "Tree" structure, which explains why we only compare our system with Ref. [26,28] in Tables 3 and 4.
5.2. Theoretical Analysis. As mentioned above, Table 3 gives the comparison between Ref. [26,28] and our system. Five objects are selected to be compared. Specifically, the size of the public key in our system is the smallest among all three schemes when . When , Ref. [26] outperforms our system. When, Ref. [28] outperforms Ref. [26]. The size of the master secret key in our system is , which is superior to that in Ref. [26,28] when . The size of the secret key in Ref. [28] and our system are almost the same. It is less than that in Ref. [26]. For the size of ciphertext , our system is superior to Ref. [28]. We do not list in Ref. [26] for the reason that Ref. [26] only provides an algorithm to generate an encrypted index for a file waiting to be outsourced. The size of the trapdoor in Ref. [26] grows linearly with the number of attributes , while in our system, is constant . To sum up, the storage overhead in our system is significantly reduced compared to Ref. [26,28]. Table 4 compares the computation overhead of, and. Note that Ref. [26] only generates a secure index in the encryption algorithm; the function of decryption is not provided. The overhead of in our system is similar to that in Ref. [26], and Ref. [28] contains and which is expensive compared to our system. Both the overhead of in our system and Ref. [26] are less than that in Ref. [28]. In Ref. [26], the computational overhead of grows every time the attribute increases, while it is in our system. We allow the crowdsensing platform to perform the PreDecrypt algorithm such that the computational overhead on the user side in our system is only. However, in Ref. [28], the overhead is (4n + 4)(G + G_T).

Experimental Analysis.
We implement the schemes in Ref. [26, 28] and our system with Java Pairing-Based Cryptography 2.0.0 (JPBC) [33] to evaluate their performance. Type A curves predefined in JPBC are used. The experimental environment is a MacBook Pro laptop with an Intel Core i7 2.7 GHz processor and 16 GB RAM. To provide a fair condition for comparison, the access policies of ciphertexts are defined in the form of , where represent the position of wildcards, positive attributes, and negative attributes, respectively. The number of each kind of attribute in the access policy increases from 3 to 27, which means the total number of attributes increases from 9 to 81 in the experiment. To make the experiment results convincing, we repeat all the algorithms 50 times and take the average. Figure 3 presents the time cost of algorithms in Ref. [26, 28] and our system. As we can see, the time cost of Setup, KeyGen, and Encrypt, in Figures 3(a), 3(c), and 3(d), for all three schemes grows linearly with the number of policy attributes. Although Ref. [26] is 100 ms faster in the beginning, the time cost of KeyGen tends to be the same afterward. In Figure 3(b), the time cost of UserReg in FGTAC is 8.5 ms on average, which is independent of the number of attributes. Similarly, the time cost of Trapdoor and Search in Figures 3(e) and 3(f) are both constant (about 16 ms and 9 ms, respectively). However, in Ref. [28], the time cost becomes unacceptable when the number of attributes is large. We give the time cost of Decrypt in Figure 3(g). The time cost of Predecrypt in our system is the same as that of Decrypt in Ref. [28]. However, the time cost for Decrypt on the user side in our system is about 0.56 ms on average, which can be performed efficiently by mobile devices. According to the experimental results, we demonstrate that our system achieves ciphertext search and predecryption without increasing computational overhead compared to other schemes.

Table 3 note: $|G|$, $|G_T|$, $|Z_p|$ stand for the size of an element in $G$, $G_T$, $Z_p$. There are n positive attributes, n negative attributes, and n wildcards in our system and Ref. [28], and 3n attributes in Ref. [26].

Table 4 (surviving row fragments):
Ref. [26]: $(6n + 2)G + (9n + 1)Z_p$; $(3n + 1)G + G_T + 3nZ_p$; $(3n + 3)G_T + (3n + 1)C_e$; --
Ref. [28]: (34n + 103)G + (2n

Table 4 note: $G$, $G_T$ stand for the exponentiation operation in $G$ and $G_T$. $Z_p$ stands for the operation in $Z_p$. $C_e$ stands for the bilinear pairing operation. There are n positive attributes, n negative attributes, and n wildcards in our system and Ref. [28], and 3n attributes in Ref. [26].

[Figure 3 legend entries: Our.Setup, [28].Setup, [26].Setup, Our.KeyGen, [28].KeyGen, [26].KeyGen, Our.Knc, [28].Knc, [26].Knc, Our.Trapdoor, [26].Trapdoor]

Conclusions
We have designed a fine-grained access control system called FGTAC for mobile crowdsensing, with an awareness of protecting the privacy of requesters. Specifically, the content of the task is encrypted with CP-ABE technology and can only be obtained by task performers who have appropriate attributes. In other words, the requester can independently decide the group of users who can access his task. To prevent the semi-trusted crowdsensing platform from inferring private information about the requester and task performers, the access policy of the encrypted task is fully hidden in our system. For task performers, an efficient task search function, which can be conducted within approximately 9 ms, is provided. Moreover, considering that the devices of task performers may be resource-limited, we also developed the function of ciphertext predecryption. According to the analysis in Section 4.2, the proposed system is CPA secure, CKA secure, secure against secret key exposure attacks, and secure against collusion attacks. The experimental results demonstrate that our system is computationally efficient. In our future work, we will design a mobile crowdsensing system that supports audit and user tracking without incurring expensive computational overhead, such that a feedback mechanism for the task performers can be achieved.

Data Availability
All data included in this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.