Multi-Authority Criteria-Based Encryption Scheme for IoT

Currently, the Internet of Things (IoT) provides individuals with real-time data processing and efficient data transmission services, relying on extensive edge infrastructures. However, those infrastructures may disclose sensitive information of consumers without authorization, which has made data access control a widely researched topic. Ciphertext-policy attribute-based encryption (CP-ABE) is regarded as an effective cryptographic tool for providing users with a fine-grained access policy. In prior ABE schemes, the attribute universe is managed only by a single trusted central authority (CA), which leads to a reduction in security and efficiency. In addition, all attributes are considered equally important in the access policy. Consequently, the access policy cannot be expressed flexibly. In this paper, we propose two schemes with a new form of encryption named multi-authority criteria-based encryption (CE). In this context, the schemes express each criterion as a polynomial and attach a weight to it. Unlike ABE schemes, decryption succeeds if and only if a user satisfies the access policy and the cumulative weight exceeds the threshold. The proposed schemes are proved to be secure under the decisional bilinear Diffie–Hellman exponent assumption (q-BDHE) in the standard model. Finally, we provide an implementation of our work, and the simulation results indicate that our schemes are highly efficient.


Introduction
As an emerging concept, the Internet of Things (IoT) offers great convenience to our daily lives, since it provides individuals with ultra-fast data transmission and quality storage services through edge infrastructure. Many well-known IT enterprises such as Google, Microsoft, and Amazon have deployed edge computing platforms to integrate edge infrastructure and various devices, so that individuals can benefit in many fields [1]. Unfortunately, due to the complexity of the architecture, there are inevitably some security risks in IoT; in particular, some unsupervised edge infrastructures may quietly capture users' sensitive information or be compromised by malicious users, which poses a severe threat to individuals [2,3]. For example, edge devices may reveal sensitive data such as health records and personal finances to the public. Therefore, data security in IoT has become a significant concern for many enterprises and individuals.
To alleviate this situation, Yeh et al. [4] proposed an access control framework for IoT with the property of attribute revocation. Qiu et al. [5] constructed an authentication and key agreement (AKA) protocol for lightweight devices in IoT. The protocol was proved to be secure in the random oracle model and enjoyed desirable computing efficiency. Wang et al. [6] conducted a detailed analysis of the vulnerabilities of IoT devices and offered targeted countermeasures depending on the types of attacks. However, traditional public-key techniques only support one-to-one encryption, i.e., messages encrypted by a public key can only be decrypted by its corresponding private key. This means that sufficient storage space is needed to store the ciphertexts in practical applications, whereas edge devices generally have limited storage capacity.
Attribute-based encryption (ABE) is an effective encryption tool that provides fine-grained and one-to-many access control for outsourced data in IoT [7]. According to the encryption mechanism, ABE can be divided into ciphertext-policy ABE (CP-ABE) and key-policy ABE (KP-ABE). In CP-ABE, the data owner constructs an access policy and embeds it into the ciphertext, and the user's attribute set is embedded in the secret key. On the contrary, the private keys in KP-ABE are associated with the access policy, and the ciphertext is labeled with attributes. A user can successfully recover the message if and only if his/her attributes satisfy the access policy. Many excellent ABE schemes for access control in IoT have been proposed [8][9][10][11]. However, most of them have two problems. On the one hand, only a single attribute authority (AA) manages the whole attribute set and generates the secret keys. If a large number of users request private keys, the server will be at risk of crashing. Furthermore, once the attribute authority is compromised, any user with unauthorized attributes will be able to decrypt the ciphertext. Therefore, ABE schemes supporting multiple authorities should be considered, i.e., the attribute universe should be managed by multiple attribute authorities. In this way, even if an authority is compromised or collapses, a user can still obtain the secret key from other authorities. On the other hand, all attributes in the access policy of the previous schemes are regarded at the same level, which ignores the scenario in which some attributes are more important than others. More precisely, in an IoT-based medical system, it is desirable to grant doctors higher weights than nurses.
In order to distinguish the importance among attributes, some weighted ABE schemes [12][13][14] have been proposed. Liu et al. [12] proposed a weighted CP-ABE scheme. However, in that scheme, the attribute universe is managed by a single central authority. Wang et al. [13] constructed a multi-authority weighted ABE scheme in cloud computing. In that scheme, CA is still required in the key generation phase, which reduces the security of the scheme. Yan et al. [14] introduced a weighted attribute-based encryption scheme. However, the weight corresponding to each attribute is specified by a central authority, while in the actual scenario of encryption, the data owner should be allowed to decide the weight of each attribute in the access policy. To address the above problems, Phuong et al. [15] first proposed the criteria-based encryption (CE) scheme, which supports weighting each criterion in the access policy. To be precise, each criterion is expressed as a polynomial, each root of which corresponds to a case satisfying the criterion associated with that polynomial. The access policy consists of a series of weighted criteria, each containing at least one case. Thus, the main difference between ABE and CE is that each criterion contains multiple satisfying cases and has a reasonable weight specified by the encryptor. An intuitive example is provided as follows. Suppose that in a smart medical system, the government needs to monitor the health of community members.
Since medical data involve sensitive information of individuals and are not available to others, the receivers need to meet certain restrictions to make access possible: ((the receiver must be an authorized chief physician, weighted 5, and marked as criterion P_1) AND (the receiver has more than 5 years of work experience, weighted 2, and marked as criterion P_2)) OR (the receiver is a community manager employed by the government, weighted 1, and marked as criterion P_3) OR (the receiver is a community member holding a legal device, weighted 6, and marked as criterion P_4). In addition, in order to access the data, the cumulative weight of the receiver must be more than 5. Bob is a community manager hired by the government and has 6 years of work experience related to medical treatment. He cannot obtain access, because he does not reach the required cumulative weight threshold. Alice is a chief physician who has served the community for seven years. She satisfies both the access policy and the threshold, so she can be authorized. As shown in Figure 1, criterion P_3 corresponds to two cases (roots): the receiver is a community manager and is appointed by the government. Unfortunately, the issue of keys being generated by only a single authority is still unsolved in their scheme.
In this paper, we propose two types of multi-authority criteria-based encryption schemes, named MA-CE-Verify Root and MA-CE-Root Equality, respectively, which aim to solve the problems mentioned above. Specifically, we denote each criterion as a polynomial. One can freely assign a weight to each criterion according to demand. In addition, the cases satisfying a criterion are represented as the roots of its polynomial. In the first scheme, at least one case (or root) of each criterion specified in the access policy must be held by the decryptor, and the cumulative weight must also exceed the threshold for successful decryption, while in the second scheme, the decryptor can decrypt correctly only if he/she satisfies all the cases (all roots) of each criterion and the cumulative weight exceeds the threshold. Moreover, in our schemes, multiple authorities manage the global criterion universe and perform key generation, which removes the performance bottleneck and improves the security of the system.

Our Contributions.
In this work, our main contributions can be summarized as follows:
(1) We propose two types of multi-authority criteria-based encryption schemes, which support the weighting of each criterion. In our schemes, multiple AAs jointly manage the criterion universe using the (t, n)-threshold sharing technique. Furthermore, data owners can freely set the weight of each criterion as required. Thus, flexible access control is provided by our schemes.
(2) The security proof shows that our schemes achieve indistinguishability under chosen-plaintext attack (IND-CPA) under the decisional bilinear Diffie-Hellman exponent assumption (q-BDHE).
(3) We implement the proposed schemes and provide a theoretical analysis. The results show that our constructions have desirable performance in practical situations.

Related Work.
Goyal et al. [16] proposed attribute-based encryption (ABE), which provides one-to-many encryption. In their work, ABE is divided into two forms: ciphertext-policy ABE (CP-ABE) and key-policy ABE (KP-ABE). Sahai et al. [17] realized a revocable ABE (RABE) scheme, in which the outsourcing server updates the encrypted data to revoke the user's decryption permission. On the downside, the complexity of the bilinear-pairing operations makes it difficult to apply this scheme directly to IoT. Agrawal et al. [18] proposed two versatile ABE architectures with short ciphertexts and keys. One limitation is that the scheme does not consider that different attributes in the access policy may have different levels of importance, i.e., the attributes do not carry reasonable weights. Waters [19] and Agrawal et al. [20] proposed ABE schemes that support arbitrary-length inputs and provide a general ABE structure. In these schemes, the management of the attribute universe and key generation are implemented by a single attribute authority only. Once the authority is corrupted, the adversary can directly generate the key of any user with legal status to decrypt the message [21]. ABE schemes with multiple authorities have been proposed to solve this issue. Lewko et al. [22] constructed an ABE scheme in which any party can become an attribute authority. Moreover, the scheme resists collusion attacks. However, the construction based on composite-order groups seriously affects the execution efficiency of the scheme. In [23][24][25][26], schemes are provided for different practical application scenarios. Unfortunately, these schemes are limited by security issues or computational complexity. In this context, there are obstacles to applying them directly in IoT scenarios. Sandor et al. [27] presented an efficient decentralized multi-authority ABE scheme that effectively addresses the key escrow problem for mobile devices.
Generally, decentralizing ABE solves the problem of accessing encrypted data when the attributes of users come from multiple authorities, where each authority is only in charge of issuing attributes and keys in its own domain. However, in these schemes, an adversary can still compromise the server of an AA to obtain information that he should not have. This issue can be solved by using (t, n)-threshold sharing, as in our work. The adversary cannot get any information related to the key unless the number of corrupted authorities is greater than t.

Organization.
In Section 2, we present the notation and preliminaries. In Section 3, we provide three components: the system model and some requirements of the schemes are described in Section 3.1, we define the framework of the schemes in Section 3.2, and the security model is given in Section 3.3. In Section 4, we illustrate how to construct our two schemes. We give the security proof of our schemes in Section 5. The performance analysis of the proposed schemes is presented in Section 6. At the end of our work, the conclusions and extensions are put forward in Section 7.

Preliminaries
We now introduce some notations and preliminaries.

Notation.
For a positive integer n, [1, n] , v→〉 be the inner product of two vectors. We use a ∈_R S to denote a random element a drawn uniformly from the set S. For a matrix M, its i-th row is denoted by M_i, and its (i, j)-th element is M_{i,j}. We use the symbol C ⊨ A to denote that the criterion set C satisfies the access structure A. Note that the (monotonic) access structure used in this work is similar to that in [8], so the concrete concept is not repeated here. For any set S, len(S) denotes the number of its elements.

Bilinear Maps.
Let G and G_T be two multiplicative cyclic groups of order p, where p is a large prime and G is generated by g. A map e: G × G → G_T is an admissible bilinear map if it satisfies the following properties:
(1) Bilinearity: for any g, h ∈ G and a, b ∈ Z_p, e(g^a, h^b) = e(g, h)^{ab}.
(2) Nondegeneracy: for any g ∈ G, e(g, g) ≠ 1.
(3) Computability: for any g, h ∈ G, there is an efficient algorithm to compute e(g, h).

2.3. (t, n)-Threshold Secret Sharing.
Suppose that several participants intend to share a secret among themselves, while, because of the privacy requirement of the secret, they do not want any single one of them to be able to obtain it independently. Secret sharing is a technique proposed for this scenario. In a secret-sharing scheme, each party obtains a share of the secret, which is a piece of information about the secret, and the whole secret can be reconstructed only through the cooperation of the participants; no single party can learn the secret individually. Many secret-sharing schemes suited to different situations have been proposed, and (t, n)-threshold sharing is one of the most basic and widely applicable among them. It was first proposed by Shamir [28] and later improved into many practical schemes, such as [21,29]. In this work, we adopt the definition in [21].
We take the set P = {P_1, P_2, ..., P_n} as the n members of the system. The identity x_i (i ∈ [1, n]) of each member is taken from the finite field GF(p). Let the positive integer t (t ≤ n) denote a threshold. Additionally, let S_i represent the sub-secret of each member, such that S = Σ_{i=1}^{n} S_i. The (t, n)-threshold secret sharing can be described as follows.

Security and Communication Networks

member calculates the subshare η_{ij} = q_i(x_j) and assigns (x_j, η_{ij}) to member P_j.

Reconstruction. Suppose that there is a function
. Each member calculates the share η_i = Σ_{j=1}^{n} η_{ji} = Q(x_i). The shares of any t members are sufficient to reconstruct the function Q(x) according to the Lagrange interpolation formula. The master secret S can then be recovered as S = Q(0).
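As an added illustration (not code from the paper), the following Python script runs the (t, n)-threshold sharing just described over a small constructed prime field: every member P_i contributes a sub-secret S_i through its own degree-(t − 1) polynomial q_i, member P_j sums the subshares it receives into η_j = Q(x_j), and any t members recover S = Q(0) by Lagrange interpolation, which is the same structure the AAs later use with α_θ = q_θ(0). The member identities x_i = i and the field prime are assumptions of the example.

```python
# Added example (not from the paper): (t, n)-threshold sharing among n members,
# where every member P_i contributes a sub-secret S_i, the master secret is
# S = sum_i S_i, and any t members reconstruct S. Arithmetic is over GF(p)
# for a constructed prime; identities x_i are assumed distinct and non-zero.
import secrets

P = 2**61 - 1  # constructed field prime, not a parameter from the paper


def random_poly(constant, degree):
    """Polynomial q(x) of the given degree with q(0) = constant, coefficients in GF(p)."""
    return [constant % P] + [secrets.randbelow(P) for _ in range(degree)]


def eval_poly(coeffs, x):
    """Horner evaluation of q(x) mod p; coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share_phase(subsecrets, ids, t):
    """Each member P_i picks q_i of degree t-1 with q_i(0) = S_i and hands the
    subshare eta_ij = q_i(x_j) to member P_j. Returns {x_j: [eta_1j, ..., eta_nj]}."""
    polys = [random_poly(s, t - 1) for s in subsecrets]
    return {xj: [eval_poly(q, xj) for q in polys] for xj in ids}


def combine_share(subshares):
    """Member P_i sums the subshares it received: eta_i = sum_j eta_ji = Q(x_i)."""
    return sum(subshares) % P


def lagrange_at_zero(xs):
    """Coefficients prod_{x_j != x_i} x_j / (x_j - x_i), so that Q(0) = sum_i coeff_i * Q(x_i)."""
    coeffs = []
    for xi in xs:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * xj % P
                den = den * (xj - xi) % P
        coeffs.append(num * pow(den, P - 2, P) % P)  # division via Fermat inverse
    return coeffs


def reconstruct(points):
    """Given t pairs (x_i, eta_i), recover S = Q(0) by Lagrange interpolation."""
    xs = [x for x, _ in points]
    return sum(c * y for c, (_, y) in zip(lagrange_at_zero(xs), points)) % P


def demo(n=5, t=3):
    """Run the whole protocol with n members and threshold t.
    Returns (S, value recovered by t members, value computed by only t-1 members)."""
    ids = list(range(1, n + 1))                        # x_i = i: distinct, non-zero
    subsecrets = [secrets.randbelow(P) for _ in ids]   # S_i chosen by each member
    master = sum(subsecrets) % P                        # S = sum_i S_i
    received = share_phase(subsecrets, ids, t)
    shares = {x: combine_share(received[x]) for x in ids}
    # any t members reconstruct S exactly ...
    enough = reconstruct([(x, shares[x]) for x in ids[:t]])
    # ... while t-1 members interpolate a polynomial of the wrong degree
    too_few = reconstruct([(x, shares[x]) for x in ids[:t - 1]])
    return master, enough, too_few


if __name__ == "__main__":
    s, ok, bad = demo()
    print("t members recover S:", ok == s, "| t-1 members recover S:", bad == s)
```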

Linear Secret-Sharing Schemes.
We make use of the Linear Secret-Sharing Schemes (LSSSs) in [22]. A secret-sharing scheme Π defined on a set of parties P is linear over Z_p if
(1) the shares for each party constitute a vector over Z_p;
(2) the matrix M with ℓ rows and n columns is called the share-generating matrix, and the function ρ maps
When it comes to the column vector v→ = (s, r_2, r_3, ..., r_n) ∈ Z_p^n, where s ∈ Z_p is the secret to be shared and
Linear reconstruction is defined as follows: suppose that Π is an LSSS for the access structure A. Let S ∈ A be any authorized set, and define I ⊂ {1, 2, ..., ℓ} as I = {i : ρ(i) ∈ S}. Then, there exists a set of constants {ω_i ∈ Z_p}_{i∈I} with the following property: if the λ_i are valid shares of any secret s according to Π, then s = Σ_{i∈I} ω_i λ_i.

Definition 1 (Decisional Bilinear Diffie-Hellman Exponent Assumption (q-BDHE)). Let G be a group of prime order p, and let g_i be short for g^{a^i}. Given a, s ∈ Z_p and h = g^s, the decisional q-BDHE problem [30] is defined as follows: the adversary is given the vector y→ = (g, g^s, g_1, ..., g_q, g_{q+2}, ..., g_{2q}), and it is hard to distinguish e(g_{q+1}, h) ∈ G_T from a random element of G_T. The decisional q-BDHE assumption holds if there is no polynomial-time algorithm that can solve the decisional q-BDHE problem with non-negligible advantage.
Mathematically, Vieta's theorem expresses the relationship between the roots of a polynomial and its coefficients. In our schemes, it is a building block for computing the elements of the ciphertext and of the secret key.
Definition 2 (Vieta's theorem) (see [15]). Let P_i = a_n x^n + a_{n−1} x^{n−1} + ··· + a_1 x + a_0 represent a polynomial of degree n, and let its coefficients be expressed as the vector u→ = (a_n, a_{n−1}, ..., a_1, a_0). For any x→, we represent as follows:
where element x is a root of P_i, if the inner product
{x_i}_{i∈[1,n]} are the roots of P_i; then, we have x_1 + x_2 + ··· + x_n = −a_{n−1}/a_n, x_n x_{n−1} = a_{n−2}/a_n,

System Model and Requirements.
In this section, we define the notion of the system model and illustrate some requirements in our multi-authority criteria-based encryption schemes. As shown in Figure 2 [31], the system consists of a global central authority (CA), multiple criterion authorities (AAs), the edge infrastructures, data owners (DO), and data consumers (user). Here, we give the formal definition of them as follows.
(1) The central authority (CA) in the whole system is considered to be completely trusted and is in charge of system establishment and initialization, including the generation of the system parameters and the master public key. When a user (or AA) requests registration, CA verifies the legitimacy of its identity and assigns a unique gid to the user or a unique aid to the AA. Besides, CA determines the threshold t of the threshold sharing among criterion authorities, which is necessary for secret key generation. We note that CA is not responsible for anything else in the system beyond what has been described above. In other words, CA does not participate in the threshold sharing among AAs or in key generation, which is the core of the decentralization.
(2) A criterion authority (AA) mainly generates the component of the user secret key associated with the criteria in its domain and also plays a role in system establishment. It is worth mentioning that, compared with common multi-authority CP-ABE, in our proposed system all AAs manage the entire criterion universe together. We use threshold sharing among the AAs so that each AA holds a share of the secret key, which serves as its private key; this ensures that a malicious user cannot obtain any information unless the number of corrupted authorities exceeds t. After that, CA accepts the public keys from all AAs to generate the system public key. Finally, when a user requests his/her secret key, each AA only distributes its own share of the user secret key. Namely, no AA needs to communicate with any other AA during encryption or key generation.
(3) A data owner (DO) encrypts the data. He/she specifies the access policy over criteria, the weight of each criterion, and the cumulative weight threshold that a user needs to satisfy. Concretely, DO runs the encryption algorithm, generates a ciphertext associated with all of these requirements, and then uploads the ciphertext to the edge infrastructure.
(4) The user obtains a global identity gid issued by CA and AAs. Any user in the system can download the encrypted data but can access the plaintext only when he/she satisfies both the access policy and the weight requirement that the data owner specifies.
(5) Each edge infrastructure is an entity that provides storage and computing services for DO. It accepts the encrypted data sent by DO. Then, the data can be obtained by any registered user in the system.
For precision and unambiguity, some default definitions and requirements of our proposed schemes are provided here. In the system model, we suppose that CA is unconditionally trustworthy and cannot be compromised. On the other hand, a user can download whichever encrypted data he/she wants but can recover the corresponding plaintext if and only if he/she satisfies both the access policy and the cumulative weight threshold. Moreover, since the weights reflect the difference in importance among criteria when formulating an access policy, the ideal situation is that the user criteria satisfying the policy contain more of the relatively significant (higher-weight) criteria rather than a simple patchwork of low-weight criteria. Therefore, we assume that all data owners are sufficiently rigorous in designing access policies, assigning a weight to each criterion, and setting the thresholds over criteria. Furthermore, there are at least two authorities in the system.

Syntax of Scheme.
The syntax of the multi-authority criteria-based encryption scheme consists of the following PPT algorithms:
(1) GlobalSetup(1^λ) → pp: the algorithm is performed by CA. It takes as input the security parameter λ and consists of three steps. CA first runs the group generation algorithm G(1^λ) to obtain GP = (G, G_T, e, g, p) and defines the criterion universe U with size n. Then, it chooses φ_i ∈_R Z_p to label each polynomial P_i. Eventually, CA receives registration requests from users and AAs and records the number of AAs as n_θ. It outputs the public parameter pp = (GP, n, t, {φ_i}_{i∈[1,n]}, n_θ).
(2) AASetup(pp) → (pk_θ, sk_θ): the algorithm is performed by CA. For each authority AA_θ, it first chooses α_θ at random, such that α = Σ_{θ=1}^{n_θ} α_θ. Note that the value of α is secret to every AA_θ. Then, all the    , (A, ρ), w→, τ) → CT: the algorithm is performed by DO. It takes as input the public parameter pp, the public key PK, a message m, an access structure (A, ρ), a weight vector w→, and a weight threshold τ. It outputs a ciphertext CT. For the correctness of our schemes, we require that for CT ← Encrypt(PK, m, (A, ρ), w→, τ) and SK_gid ← KeyGen(pp, PK, gid, C_gid), one can execute Decrypt(pp, SK_gid, CT) to obtain the correct message m with overwhelming probability.

Security Model.
Here, the IND-CPA security [16] of the proposed scheme is defined by the following game between a challenger C and an adversary A.
Init. C performs the algorithms GlobalSetup, AA Setup, and CA Setup and then sends pp and PK to A.
Phase 1. A repeatedly queries private keys associated with sets of cases C.

Challenge.
A specifies two messages m_0, m_1 ∈ G_T, a challenge access structure A*, a vector w→*, and a weight threshold τ* to C. The default condition is that C cannot satisfy the access structure A*. Then, C randomly picks an element b ∈ {0, 1} and executes the Encrypt algorithm to encrypt m_b ∈ G_T under A*. Finally, A obtains the ciphertext CT* from C.

Phase 2.
A can repeatedly make the same queries as in Phase 1, except that C cannot satisfy A*.
Guess. The adversary outputs a guess b' of b.
The advantage of the adversary A in this game is defined as

Definition 3.
The proposed multi-authority criteria-based encryption scheme is secure if all polynomial-time adversaries have at most a negligible advantage in the above game.

Construction
In this section, we first provide an overview of the proposed schemes and then give the detailed constructions of the two schemes.

4.1. Overview.
What we first consider is how to find a form to express the criteria. In our schemes, each criterion is related to a polynomial, and each root of the polynomial corresponds to a case that satisfies the criterion. The first scheme requires that the user satisfies at least one case of the criterion, while the second imposes the stricter restriction that the user must satisfy all cases of the criterion. In this context, our schemes improve the flexibility of the access policy in practical applications. Specifically, recall the access policy described in Figure 1. DO specifies an access policy A = (P_1) AND (P_2) OR (P_3) OR (P_4), and the cumulative weight threshold is set to τ = 6. The observation is that the criterion set with cumulative weight exceeding τ can be expressed as T =
The case set and criterion set can be described as
She can successfully decrypt the data due to the fact that the set C_Alice ⊨ A (i.e.,
Bob is a community manager hired by the government and has 6 years of work experience related to medical treatment. He cannot decrypt the message successfully, since W_Bob = T ∩ S_{C_Bob} = ∅. From the practical perspective, the first scheme is suitable for edge computing platforms, while the second is suitable for users' private edge devices, because those devices are more vulnerable to attacks by adversaries. Moreover, we introduce the multi-authority mechanism to solve the security problem caused by all attributes being managed by one authority. In this work, the criterion universe is jointly managed by n_θ AAs. The restriction is that there is no collusion between AAs. Specifically, CA cannot interact with users except for generating globally unique identities for them. The user can reconstruct the secret key, which contains the term e(g, g)^α, after interacting with t different AAs. This way, we make it impossible for any single AA to generate a valid key on its own.
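The following Python example is added here and is not the authors' implementation; it works through Definition 2 and the overview above without the pairing layer: each criterion is the monic polynomial whose roots are its cases, the coefficient vector comes from Vieta's theorem, the Verify Root check tests one case by the inner product with (z^d, ..., z, 1), the Root Equality check compares the user's own Vieta vector with the criterion's, and the weighted decision computes W = T ∩ S_C for the Figure 1 policy. The field prime, the integer encoding of the cases, and the threshold τ = 5 (to be strictly exceeded, as in the Figure 1 text) are constructed assumptions.

```python
# Added example (not from the paper): criteria as polynomials over GF(p), the
# Vieta coefficient vector per criterion, the single-root check (Verify Root),
# the all-roots check (Root Equality) and the weighted decision W = T ∩ S_C.
# The prime and the integer labels of the cases are constructed for the demo.
from itertools import combinations

P = 2**31 - 1  # constructed prime field modulus


def vieta_coeffs(roots):
    """Expand prod_{r in roots} (x - r) into the monic coefficient vector
    (1, a_{d-1}, ..., a_0) mod p, i.e. P->_i of Definition 2 divided by a_d."""
    coeffs = [1]
    for r in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i] = (nxt[i] + c) % P              # c * x: shift one degree up
            nxt[i + 1] = (nxt[i + 1] - c * r) % P  # c * (-r)
        coeffs = nxt
    return tuple(coeffs)


def power_vector(z, d):
    """(z^d, z^(d-1), ..., z, 1): the vector paired with the coefficients in the key."""
    return tuple(pow(z, d - k, P) for k in range(d + 1))


def is_case(z, coeffs):
    """Verify Root: z is a case of the criterion iff <coeffs, power_vector(z)> = 0."""
    d = len(coeffs) - 1
    return sum(c * zk for c, zk in zip(coeffs, power_vector(z, d))) % P == 0


def holds_all_roots(user_cases, coeffs):
    """Root Equality: the user's cases for this criterion generate the same
    polynomial, so the two Vieta vectors must agree exactly."""
    return vieta_coeffs(sorted(user_cases)) == coeffs


def satisfied(user_cases, criteria, strict):
    """Names of the criteria the user satisfies; 'strict' selects the all-roots rule."""
    out = set()
    for name, roots in criteria.items():
        coeffs = vieta_coeffs(roots)
        mine = {z for z in user_cases if is_case(z, coeffs)}
        if mine and (not strict or holds_all_roots(mine, coeffs)):
            out.add(name)
    return out


def weight_sets(weights, tau):
    """T: every subset of the criterion universe whose cumulative weight exceeds tau."""
    names = list(weights)
    return {frozenset(c) for k in range(1, len(names) + 1)
            for c in combinations(names, k) if sum(weights[x] for x in c) > tau}


def can_decrypt(user_cases, criteria, weights, policy, tau, strict=False):
    """Decryption succeeds iff C |= A and W = T ∩ S_C is non-empty."""
    sat = satisfied(user_cases, criteria, strict)
    if not policy(sat):
        return False
    s_c = {frozenset(c) for k in range(1, len(sat) + 1) for c in combinations(sat, k)}
    return bool(weight_sets(weights, tau) & s_c)


def policy_fig1(sat):
    """(P1 AND P2) OR P3 OR P4: the Figure 1 access policy."""
    return ("P1" in sat and "P2" in sat) or "P3" in sat or "P4" in sat


# Constructed encoding of the Figure 1 example: every case is a field element.
CASE = {"chief_physician": 11, "experience_gt_5y": 23, "community_manager": 31,
        "gov_appointed": 37, "community_member": 41, "legal_device": 43}
CRITERIA = {"P1": [11], "P2": [23], "P3": [31, 37], "P4": [41, 43]}
WEIGHTS = {"P1": 5, "P2": 2, "P3": 1, "P4": 6}
TAU = 5  # cumulative weight must be strictly greater than 5

ALICE = {CASE["chief_physician"], CASE["experience_gt_5y"]}
BOB = {CASE["community_manager"], CASE["gov_appointed"], CASE["experience_gt_5y"]}

if __name__ == "__main__":
    print("Alice can decrypt:", can_decrypt(ALICE, CRITERIA, WEIGHTS, policy_fig1, TAU))
    print("Bob can decrypt:  ", can_decrypt(BOB, CRITERIA, WEIGHTS, policy_fig1, TAU))
```

Bob satisfies the policy through P_3 but his cumulative weight is 3, so W is empty and he is refused; Alice reaches weight 7 with P_1 and P_2 and is admitted under both rules.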
Meanwhile, data owners can assign a reasonable weight for each criterion and the cumulative weight according to their requirements, which makes the scheme suitable for real application scenarios.

MA-CE-Verify Root Scheme.
Here, we provide our first multi-authority criteria-based encryption scheme that requires the user to have at least one root of a polynomial (or criterion).
(1) GlobalSetup(1^λ) → pp: CA first runs G(1^λ) to obtain GP = (G, G_T, e, g, p), where g is a generator of G, and G and G_T are two multiplicative cyclic groups of the same order p with e: G × G → G_T. Then, CA defines the criterion universe U with size n and chooses φ_i ∈_R Z_p to label each polynomial P_i. Moreover, CA receives registration requests from AAs and users, records the number of AAs as n_θ, and generates the globally unique identities aid, gid ∈ Z_p for each AA and user, respectively. At last, CA defines the threshold t according to the value n_θ. It outputs the public parameter pp = (GP, n, t, {φ_i}_{i∈[1,n]}, n_θ).
(2) AA Setup(pp) → (pk_θ, sk_θ): firstly, each authority AA_θ (θ ∈ [1, n_θ]) chooses the secret α_θ ∈_R Z_p, such that the master secret is α = Σ_{θ=1}^{n_θ} α_θ. Then, AA_θ randomly sets a polynomial q_θ(x) of degree t − 1 which satisfies α_θ = q_θ(0).
For i = 1 to n, CA computes g^{φ_i P→_i} and g^{P→_i'}. It outputs PK = (g, g^a, e(g, g)^α, {g^{φ_i P→_i}}_{i∈[1,n]}) and keeps the values (α, a) secret.
(4) Encrypt(PK, m, (A, ρ), w→, τ) → CT: in this phase, the encryption algorithm sets the access policy (A, ρ), where the size of the matrix A is ℓ × n and the function ρ maps the row A_i to a criterion. Then, it specifies the weight vector w→ = (w_1, ..., w_n), where the element w_i represents the weight of each criterion. Also, it takes y_2, y_3, ..., y_n ∈_R Z_p to construct the vector v→ = (s, y_2, y_3, ..., y_n) ∈ Z_p^n, where the first element s ∈_R Z_p is the secret value to be shared. For i = 1 to ℓ, it computes λ_i = v→ · M_i. After completing the above steps, it computes the set T = {(k_{i_1}, k_{i_2}, ..., k_{i_{μ_i}})} according to the weight threshold τ, where μ_i indicates the length of the i-th subset and k_{i_j} ∈ {1, 2, ..., n} denotes an index in U. Finally, the algorithm calculates C_0 = m · e(g, g)^{αs}, i∈[1,ℓ], [1,ℓ], {C_i}_{i∈[1,len(T)]}, T).
(5) KeyGen(pp, PK, gid, C_gid) → SK_gid: the key generation algorithm is run by the user interacting with t AAs according to the requirements. The restriction is that the AA_θ cannot communicate with each other. Let z_{φ_x} be a root of the polynomial at x. For each root z_{φ_x} that belongs to the user, AA creates the vector . We use C_gid ⊆ {C_x}_{x∈[1,n]} to denote the set of cases that belong to the user with gid. Let P = {P_1, P_2, ..., P_{len(C_gid)}} denote the set of criteria requested by the user, and let S = {(P_1), (P_2), ..., (P_{len(C_gid)}), (P_1, P_2), ..., (P_1, P_2, ..., P_{len(C_gid)})} = {k_{l_1}, ..., k_{l_{v_l}}} be all combinations of entities in the set P, where v_l denotes the length of the l-th subset and k_{l_j} ∈ [1, n] denotes an index in U.
AA_θ picks δ_θ ∈_R Z_p and calculates
After interacting with t AAs, the user constructs the secret key as
For all C_{θ,x} ∈ C_gid, we have
For simplicity, we set u = Σ_{θ=1}^{t} δ_θ · Π_{ξ=1, ξ≠θ}^{t} aid_ξ/(aid_ξ − aid_θ). With this, the secret key of the user can be represented as
Suppose that the ciphertext CT is encrypted under the access policy (A, ρ). We recall the definition of LSSS. Let I ⊂ {1, 2, ..., ℓ} represent the set of indices i such that ρ(i) ∈ C_gid. To decrypt the ciphertext, the user with SK_gid computes {ω_i ∈ Z_p}_{i∈I}; if the λ_i are valid shares under the access policy (A, ρ), then the secret s = Σ_{i∈I} ω_i λ_i can be calculated. To summarize, the decryption process is as follows. Define the set W = T ∩ S_{C⊨A}. For each w ∈ W, let w_T and w_S denote the index of w in the sets T and S, respectively. Then, compute
= Π_{w∈W} e(g^s, g^α · g^{au})^{1/|W|} = e(g, g)^{αs} · e(g, g)^{asu}.
The user can recover the plaintext m from the following equation:

MA-CE-Root Equality Scheme.
Here, we provide our second scheme, which needs all the roots (or cases) of each polynomial (or criterion) to be held by the user.
(1) Global Setup(1^λ) → pp: this algorithm is similar to that of the MA-CE-Verify Root scheme. CA runs G(1^λ) to obtain GP = (G, G_T, e, g, p) and defines the criterion universe U with size n. CA also generates unique identities for AAs and users, respectively. Then, it chooses a threshold t and picks {φ_i}_{i∈[1,n]} ∈_R Z_p. Note that φ_i is not used to label the polynomial P_i. It outputs the public parameter pp = (GP, n, t, {φ_i}_{i∈[1,n]}, n_θ).
(2) AA Setup(pp) → (pk_θ, sk_θ): the algorithm is similar to the AA Setup of the first scheme. For each authority AA_θ, it takes as input the public parameter pp and returns a pair of keys (pk_θ, sk_θ), where sk_θ is kept secret from the other AAs.
(3) CA Setup(pp, {pk_θ}_{θ∈[1,n_θ]}, d) → (PK, MSK): CA randomly chooses t public keys from the n_θ AAs. In addition, it picks h_1, ..., h_n ∈_R G and calculates
Then, CA randomly picks a ∈ Z_p and computes g^a. For i = 1 to n, it picks a set of d-degree polynomials {P_i}_{i∈[1,n]}, which can be described as
..., a_{2,0}/a_{2,d}), P→_n = (1, a_{n,d−1}/a_{n,d}, ..., a_{n,0}/a_{n,d}).
It outputs PK = (g, g^a, e(g, g)^α, {g^{φ_i P→_i}}_{i∈[1,n]}) and keeps the values (α, a) secret.
(4) Encrypt(PK, m, (A, ρ), w→, τ) → CT: the encryption algorithm sets the access policy (A, ρ), where the size of the matrix is ℓ × n and the function ρ maps A_i to a criterion.
Then, it specifies the weight vector w→ = (w_1, ..., w_n), where the element w_i represents the weight of each criterion. Moreover, it constructs the vector v→ = (s, r_2, r_3, ..., r_n) ∈ Z_p^n. For i = 1 to ℓ, it computes
..., k_{i_{μ_i}}) according to the weight threshold τ, where μ_i indicates the length of the i-th subset and k_{i_j} ∈ {1, 2, ..., n} denotes an index in U. Finally, the algorithm computes
[1,ℓ],
It outputs the ciphertext CT = (C_0, C_0', {C_i}_{i∈[1,ℓ]}, {C_i}_{i∈[1,len(T)]}, T).
(5) KeyGen(pp, PK, gid, C_gid) → SK_gid: the user with gid interacts with any t AAs to obtain the key according to the requirements. Let the set Roots_x = {x_1, x_2, ..., x_d} represent all the roots of the polynomial at x. According to Vieta's theorem, AA uses Roots_x to construct the following vector:
Let C_gid ⊆ {C_x}_{x∈[1,n]} represent the cases belonging to the user with identity gid, let the set P = {P_1, P_2, ..., P_{len(C_gid)}} denote the set of criteria requested by the user, and let the set S = {(P_1), (P_2), ..., (P_{len(C_gid)}), (P_1, P_2), ..., (P_1, P_2, ..., P_{len(C_gid)})} = {k_{l_1}, ..., k_{l_{v_l}}} be all combinations of entities in the set P, where v_l denotes the length of the l-th subset and k_{l_j} ∈ [1, n] denotes an index in U. AA_θ picks δ_θ ∈_R Z_p and calculates
After interacting with t AAs, the user constructs the secret key SK_gid as follows:
, ρ), the user first calculates the constants {ω_i ∈ Z_p}_{i∈I} and then computes
For w ∈ W = T ∩ S_{C⊨A}, the symbols w_T and w_S denote the index of w in the sets T and S, respectively; then, compute
= e(g^s, g^α · g^{au})^{|W|/|W|} = e(g, g)^{αs} · e(g, g)^{asu}.

Security Proof
To prove the security of our constructions, the theorem in [8] is introduced as shown below.

Theorem 1.
If the decisional q-BDHE assumption holds, then no polynomial-time adversary can selectively break the MA-CE-Verify Root scheme with a challenge matrix of size ℓ* × n*, where n* ≤ q.
Here, we briefly overview the proof technique under the decisional q-BDHE assumption. Suppose that there exists an adversary A with non-negligible advantage ε that can selectively break the proposed scheme. A is allowed to select a matrix of size at most q × q. The restriction is that the keys queried from the challenger cannot decrypt the challenge message. Then, we construct a PPT simulator B that solves the decisional q-BDHE problem.

Phase 1. B answers private key queries for ..., z_{φ_x}, 1) and chooses r ∈_R Z_p. Then, according to the definition of LSSS, B calculates a vector ω→ = (ω_1, ω_2, ..., ω_{n*}) ∈ Z_p^{n*} such that ω_1 = −1 and, for all i with ρ*(i) ∈ S, the inner product ⟨ω→, A*_i⟩ = 0. Finally, B implicitly defines u as

$u = r + \omega_1 a^{q} + \omega_2 a^{q-1} + \cdots + \omega_{n^*} a^{q-n^*+1}$. (27)

Therefore, the value L can be written accordingly. We now consider z_{φ_x} ∈ S for the case that there is no i such that ρ*(i) has a root equal to z_{φ_x}. B can simply take the straightforward value. Note that, by the definition of u, K_x contains terms of the form A*_{i,j} a^j ω_j a^{q−j+1} in the exponent for some j. However, since ⟨ω→, A*_i⟩ = 0, the term g^{a^{q+1}} is cancelled. Consequently, K_x can be expressed without it. We now consider simulating the value of K_l. Let P = {P_1, P_2, ..., P_{len(C_gid)}} be the set of criteria corresponding to the criterion universe U and S = {(k_{l,1}, ..., k_{l,v_l})} (l ∈ [1, 2^{len(C_gid)}]) be all combinations of entities in set P. For l = 1 to 2^{len(C_gid)}, we have

$K_l = g^{\alpha} g^{au} \prod_{j=1}^{v_l} g^{\eta_{k_j} u}$
$= g^{\alpha'} \cdot g^{a^{q+1}} \cdot g^{ar} \cdot g^{a^{q+1}\omega_1} \cdot g^{a^{q}\omega_2} \cdots g^{a^{q-n^*+2}\omega_{n^*}} \cdot L^{\sum_{j=1}^{v_l} \eta_{k_j}}$
$= g^{\alpha'} \cdot g^{ar} \cdot g^{a^{q}\omega_2} \cdots g^{a^{q-n^*+2}\omega_{n^*}} \cdot L^{\sum_{j=1}^{v_l} \eta_{k_j}}$
$= g^{\alpha'} \cdot g^{ar} \prod_{l=2}^{n^*} g^{a^{q-l+2}\omega_l} \cdot L^{\sum_{j=1}^{v_l} \eta_{k_j}}$. (31)

Otherwise, we have $\cdots \cdot g^{ar} \cdot g^{a^{q+1}\omega_1} \cdot g^{a^{q}\omega_2} \cdots g^{a^{q-n^*+2}\omega_{n^*}} L^{\sum_{j=1}^{v_l} \eta_{k_j}} / \sigma$. Challenge. We show how to build the challenge ciphertext. A submits two messages m_0 and m_1 to B. The simulator B selects b ∈ {0, 1} at random and constructs the challenge components. Then, it picks y′_2, y′_3, ..., y′_{n*} ∈_R Z_p and shares the secret s using the vector

$\vec{v} = (s,\ sa + y'_2,\ sa^2 + y'_3,\ \ldots,\ sa^{n-1} + y'_{n^*}) \in \mathbb{Z}_p^{n^*}$. (33)

Finally, B chooses the threshold value τ* and runs the Encrypt algorithm to construct C_i, C′_i, and C_i. Phase 2. A can adaptively make queries as in Phase 1, with the restriction that none of the queried cases satisfies the access structure of the Challenge phase.

Guess.
The adversary A eventually outputs a guess b′ ∈ {0, 1} of b. If A guesses correctly (b′ = b), then B outputs 0 to indicate that T = e(g, g)^{a^{q+1} s}; otherwise, it outputs 1 to indicate that it considers T a random element of the group G_T. When T is a valid tuple, the simulator B performs a perfect simulation, and the adversary's advantage carries over. When T is a random element in G_T, B simulates a completely random challenge ciphertext for adversary A, and A gains no advantage. Consequently, B can play the decisional q-BDHE game with non-negligible advantage.

Theorem 2.
If the decisional q-BDHE assumption holds, then no polynomial-time adversary can selectively break our MA-CE-Root Equality scheme with a challenge matrix of size ℓ* × n*, where n* ≤ q. The proof of this theorem is similar to that of Theorem 1 and is omitted here.

Performance Analysis
We now provide theoretical analysis and implementation evaluation of the two schemes in this section.

Theoretical Analysis.
We compare four schemes, namely [12][13][14] and our two schemes, in terms of storage overhead and computation cost. Let P denote a pairing operation, and let E and E_T denote an exponentiation in the groups G and G_T, respectively. |g| and |g_T| represent the size of an element of G and G_T, respectively. In our schemes, N is the size of the criterion universe, while in [12][13][14] it is the size of the attribute universe. n_ℓ and n_u denote the number of criteria (or attributes) in the access matrix and the number of criteria satisfied by the user, respectively. Let n_a denote the number of attributes managed by an attribute authority. l is the number of criterion sets whose cumulative weight exceeds τ, and l_w is the size of the criterion set that satisfies both the access policy and the cumulative weight requirement.
We first compare the storage overhead of the four schemes, as shown in Table 1. In terms of ciphertext size, our schemes are better than [12][13][14], since those schemes must store information for a large number of leaf nodes of the access tree. It can be observed that [13] is superior to our schemes in terms of key size and public key size. The reason is that the public key in our schemes has to contain information corresponding to each criterion, whereas in [13] all weights are specified by the trusted authority TA. Unlike [13], the KeyGen phase of our schemes requires enumerating the criterion sets that exceed the weight threshold. The key size of our schemes is comparable to that of [14].
However, the scheme in [14] cannot support multiple authorities, and the weight of each attribute is specified by the TA.
This inevitably limits the applicability of the scheme in practical scenarios. Table 2 shows the computation cost of these schemes in the KeyGen, Encrypt, and Decrypt phases. In the KeyGen phase, the scheme in [13] performs better than the other schemes, because computing all the criterion sets accounts for the main computation cost in our schemes and in the scheme of [12]. In the Encrypt and Decrypt phases, our schemes cost less time than [13] in practical applications, since the cost of the latter is dominated by a large number of exponentiation and pairing operations. Moreover, the performance of [14] is similar to that of our first scheme and slightly inferior to that of the second scheme. The advantage of our schemes is that users can flexibly choose the weights in the access policy according to different application scenarios.

Implementation and Evaluation.
We implement the proposed schemes in Charm [32] using Python 3.6.5. The programs use the Pairing-Based Cryptography (PBC) library, version 0.5.14. We pick the symmetric curve with a 512-bit base field, which provides a 160-bit group order. All our programs were executed on VMware Workstation Pro 15.5.5 with a dual-core Intel Core i7-7700HQ CPU @ 2.8 GHz and 2.0 GB RAM running Ubuntu 18.04. All experimental results are the average of 20 executions of the program. Figure 3 shows the key generation time against the threshold t (t = 1, 2, ..., 10). We set the number of AAs in the system to 10. As the figure shows, the time consumed for key generation stays essentially constant as the threshold t increases, because the user requests keys from the t AAs at the same time, and the time each AA needs to compute its sub-share of the key is almost the same. Moreover, the value of t is generally at most 10 in actual application scenarios. In summary, the time consumption of the KeyGen phase is hardly affected by the threshold t. Figure 4 shows the time consumption of the KeyGen, Encrypt, and Decrypt algorithms as the number of user attributes increases in the proposed schemes. We take the number n_θ of AAs as 10 and the threshold τ as 6. The performance of scheme-2 is slightly better than that of scheme-1 because the former has shorter ciphertexts and keys, which reduces the number of exponentiation and pairing operations. We observe that the time consumption of each stage shows a nonlinear increasing trend. The main factors affecting computational efficiency are summarized as follows. The first is that the encryption algorithm needs to compute all cases T that exceed the cumulative threshold τ. The second is that computing the criteria set S belonging to the user dominates the execution time of the key generation algorithm (see Section 4 (KeyGen)).
In addition, evaluating the intersection of the sets T and S takes a relatively long time in the decryption phase. Nevertheless, our schemes enjoy tolerable computational efficiency for the following reasons. Clearly, the time consumption does not exceed 130 ms in any phase. To be precise, when a user owns 30 attributes, the time consumption of the first scheme is 123 ms, while that of the second scheme is 120 ms. Therefore, the efficiency of our proposed schemes is acceptable in practical scenarios. Furthermore, we remark that in the IoT scenario, the relatively intensive computation can be offloaded to outsourced equipment, while the remaining operations stay on the receiver.
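The three set computations named above (the cases T whose cumulative weight exceeds τ in Encrypt, the user's combinations S in KeyGen, and the intersection W = T ∩ S_{C⊨A} in Decrypt, as described in Section 4) are the combinatorial core behind the nonlinear growth in Figure 4. The following is an added example, not the paper's Charm implementation, that carries out those three steps on constructed sample weights; it models the access policy (A, ρ) as a plain AND over a set of required criterion indices rather than as an LSSS matrix, and the function names are ours.

```python
"""
Added example (not from the paper): the subset enumeration underlying
Encrypt (T), KeyGen (S) and Decrypt (W = T ∩ S restricted to C ⊨ A).
Assumptions: criteria are referred to by their index in U; weights, threshold
and user criteria below are constructed sample values; the access policy is
modelled as a set of required indices (an AND clause), not an LSSS matrix.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple


def weighted_cases(weights: Dict[int, int], tau: int) -> List[FrozenSet[int]]:
    """T in Encrypt: every non-empty subset of criterion indices whose
    cumulative weight is strictly greater than the threshold tau."""
    idx = sorted(weights)
    return [
        frozenset(c)
        for k in range(1, len(idx) + 1)
        for c in combinations(idx, k)
        if sum(weights[i] for i in c) > tau
    ]


def user_cases(c_gid: Set[int]) -> List[FrozenSet[int]]:
    """S in KeyGen: all 2^len(C_gid) - 1 non-empty combinations of the criteria
    the user holds (this enumeration dominates KeyGen time)."""
    idx = sorted(c_gid)
    return [frozenset(c) for k in range(1, len(idx) + 1) for c in combinations(idx, k)]


def decryptable(weights: Dict[int, int], tau: int, policy: Set[int],
                c_gid: Set[int]) -> Tuple[bool, int, int, int]:
    """Decrypt succeeds iff some w in W = T ∩ S also satisfies the policy.
    Returns (success, |T|, |S|, |W|) so the set sizes can be inspected."""
    T = set(weighted_cases(weights, tau))
    S = set(user_cases(c_gid))
    W = [w for w in T & S if policy <= w]   # C ⊨ A modelled as policy ⊆ w
    return (len(W) > 0, len(T), len(S), len(W))


def growth(n_max: int) -> List[int]:
    """|T| for criterion universes of size 1..n_max with unit weights and
    tau = n // 2: the count grows exponentially, which is the source of the
    nonlinear trend reported in the evaluation."""
    return [
        len(weighted_cases({i: 1 for i in range(1, n + 1)}, n // 2))
        for n in range(1, n_max + 1)
    ]


if __name__ == "__main__":
    # constructed sample: four criteria with weights 3, 2, 1, 1 and threshold 3
    weights, tau = {1: 3, 2: 2, 3: 1, 4: 1}, 3
    print(decryptable(weights, tau, policy={1}, c_gid={1, 3}))     # (True, 8, 3, 1)
    print(decryptable(weights, tau, policy={1}, c_gid={2, 3, 4}))  # (False, 8, 7, 0)
    print(decryptable(weights, tau, policy={1}, c_gid={3, 4}))     # (False, 8, 3, 0)
    print(growth(6))                                                # [1, 1, 4, 5, 16, 22]
```

The second and third calls show the two separate failure modes the scheme enforces: a user holding criteria 2, 3 and 4 clears the weight threshold but not the policy, while a user holding only criteria 3 and 4 satisfies no case in T at all. The `growth` function makes the cost remark concrete: with unit weights and τ = n/2, |T| is the number of subsets larger than n/2, so encryption and the key-side enumeration both scale with 2^n rather than with n.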

Conclusion
In this paper, we propose two multi-authority criteria-based encryption schemes that support data access control in IoT and are proved secure in the standard model. Specifically, they solve the security bottleneck and server overload caused by involving only a single authority in the key generation phase. Moreover, each criterion carries a weight specified by the encryptor, which allows the access policy to be expressed more flexibly. The theoretical analysis and simulation evaluation demonstrate that our schemes are suitable for actual application scenarios. The remaining problem is that the time consumption of each phase of the schemes increases nonlinearly, which limits the size of the criterion universe. In future work, we aim to construct more lightweight frameworks.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.