Traceable ciphertext-policy attribute-based encryption scheme with attribute level user revocation for cloud storage

In a ciphertext-policy attribute-based encryption (CP-ABE) scheme, a user may have multiple attributes, and each attribute may be shared simultaneously by many users. The decryption key of an attribute can thus be shared by many users who all possess the attribute. For monetary gain, a malicious authorized user may reveal his/her decryption key to a third party, and it is difficult to trace the original owner of a secret key from an exposed key. At the same time, this situation may also limit commercial applications of CP-ABE systems. To solve these problems and enable fine-grained access control for the encrypted data, we propose a traceable CP-ABE scheme with attribute-level user revocation for cloud storage (TUR-CPABE). Our scheme enjoys four advantages. First, it has the ability to trace malicious users who have leaked key information from the system. Second, it supports attribute-level user revocation for malicious users and allows ABE fine-grained access control. Third, it allows secret key updates and ciphertext updates to resist collusion attacks between users. Fourth, outsourcing encryption, decryption and attribute revocation are used to reduce the computational burden on data owners, data users and the trust authority, respectively. In addition, our scheme has been proven to be secure against chosen plaintext attacks under a selective access policy based on the decisional q-BDHE assumption in the standard model.


Introduction
In a cloud storage system, the cloud server must be able to provide data storage and other services for end users. Increasingly, companies and individuals prefer to store their valuable data in cloud servers due to limited equipment resources and the need to process big data. Due to security and privacy concerns, data owners always encrypt their data before outsourcing it to the cloud server. Encrypting data is a valid way to prevent information leakage, but encrypting messages hampers the sharing of messages with fine-grained access control. To solve this problem, Sahai and Waters [1] proposed the concept of attribute-based encryption (ABE), which can provide a "one-to-many" encryption scheme with fine-grained access control.

Our contribution
Scheme [25] only considered tracing malicious users, and scheme [29] can support attribute-level user revocation. Inspired by [25] and [29], we provide a traceable ciphertext-policy attribute-based encryption scheme with attribute-level user revocation for cloud storage (TUR-CPABE). Our main contributions are as follows.
1. In this paper, we formally propose the definition of a traceable ciphertext-policy attribute-based encryption scheme with attribute-level user revocation for cloud storage. In our scheme, we adopt linear secret sharing schemes (LSSS) as an access structure. This provides attribute-level user revocation for malicious users and fine-grained access control for ABE. In our scheme, the trust authority can trace defectors and send the identity of a defector to the attribute manager. The attribute manager is responsible for revoking the defector's attributes and updating the related decryption key and ciphertext. A user in the system can decrypt a ciphertext successfully if and only if his/her identity is absent from the revocation list and his/her attributes satisfy the access policy.
2. In the scheme, we assign the identity of each user to a leaf node in the KEK tree. We can revoke a user by revoking his/her attributes. When the attribute manager revokes a malicious user's attribute $i$, it will update $i$'s users group $G_i$ and the corresponding group key GSK, the re-encrypted ciphertext $CT'$ and the header of the message Hdr. Thus, our scheme can resist collusion attacks between users.
3. In the proposed scheme, outsourcing encryption, decryption and attribute revocation are used to reduce the computational burden of data owners, users and trust authority, respectively. Moreover, the experimental results show that the time spent in the decryption phase is constant.
4. The scheme is proven to be secure against a chosen plaintext attack under the decisional q-BDHE assumption in the standard model.

Related work
Sahai and Waters first presented the concept of ABE [1], and then, the ideas of KP-ABE and CP-ABE were formally proposed by Goyal et al. in [3]. After that, many cryptography researchers focused on KP-ABE and CP-ABE schemes [30][31][32][33][34].
In 2007, Abdalla et al. [35] proposed a traitor tracing identity-based encryption scheme, and that was the original work on traitor tracing. In 2011, Wang et al. [36] presented another traitor tracing ABE scheme that can recognize a user's identity. This scheme could employ the technique of betrayer tracing and combine it with a security coding technique to ensure the identity of the key abuser. Subsequently, Ning [37] proposed a traceable CP-ABE scheme; this scheme can catch malicious users effectively. A commitment scheme is used to trace defectors, but the method does not support malicious user revocation.
To expand the commercial applications of ABE systems and combine them with user revocation mechanisms, Liu [38] presented a white-box traceable dynamic ABE scheme. The scheme can support user revocation and outsourcing decryption. However, it can neither resist collusion attacks between users nor support key and ciphertext updates. Jiang [39] proposed a traceable CP-ABE scheme that can resist key abuse. A betrayer who wants to leak a decryption key must abandon the whole key and give an exclusive dummy attribute set. Yang [40] presented a traceable scheme supporting search encryption and user revocation; it can perform efficient keyword search and provides fine-grained access control for encrypted data. At the same time, a large proportion of cryptographic computing is being outsourced to the cloud server, and this alleviates the computational burden on end-user devices. Zhang et al. [41] used a composite order bilinear group to construct an effective white-box traceable CP-ABE scheme with a large universe and multiple authorities. Although this scheme can be used to trace malicious users and resist collusion attacks between users, it cannot support malicious user revocation.

Organization
The remainder of our paper is organized as follows. We provide some necessary background knowledge that will be applied to our scheme in Section 2. We describe the system model and security model of our scheme in Section 3. We present a TUR-CPABE scheme and the proof of its security based on security games in Sections 4 and 5, respectively. In Section 6, we provide a theoretical performance analysis of our scheme. Finally, we conclude the paper in Section 7.

Preliminaries
In this section, we give some necessary background information used in our scheme, including information about bilinear maps, binary trees, access structures and complexity assumptions.

Bilinear maps
Let $G$ and $G_T$ be two multiplicative cyclic groups of prime order $p$, and $g$ be a generator of $G$.
A map $e: G \times G \to G_T$ is a bilinear map [42] with the following properties:
2. Nondegeneracy: $e(g,g) \neq 1$;
3. Computability: There is an efficient polynomial time algorithm to compute the value of $e(u,v)$ for all $u, v \in G$.

Access structure
Definition 1 (Access structure [43]). Let $P = \{P_1, P_2, \cdots, P_n\}$ be a set of parties. A collection $A \subseteq 2^P$ is called monotone if for $\forall B, C$: if $B \in A$ and $B \subseteq C$ then $C \in A$. A (monotone) access structure is a (monotone) collection $A$ of non-empty subsets of $P$, i.e., $A \subseteq 2^P \setminus \{\emptyset\}$. The sets in $A$ are called the authorized sets, or else the sets are called the unauthorized sets. In this paper, we only consider the monotone access structure.

Linear secret sharing scheme
Definition 2 (linear secret sharing scheme (LSSS) [43]). An LSSS over a group of parties $P$ can be defined as follows:
1. The shares for each party form a vector over $Z_p$.
2. For an LSSS, there is a matrix $M$ with $l$ rows and $n$ columns referred to as the share generating matrix. For $i \in [1,l]$, we define a function $\rho$ that labels the $i$-th row of matrix $M$ as attribute $\rho(i)$. We consider a column vector $v = (s, v_2, v_3, \ldots, v_n)$, where $s \in Z_p$ is a secret value to be shared and we choose random $v_2, v_3, \ldots, v_n \in Z_p$. Then $Mv$ is the vector of $l$ shares of the secret $s$, and the share $(Mv)_i$ belongs to attribute $\rho(i)$.
Each LSSS in the above definition also enjoys the linear reconstruction property, defined as follows: Let $A$ be an access structure for the LSSS and $S \in A$ be any authorized set, and let $I \subseteq \{1,2,\ldots,l\}$ be defined as $I = \{i : \rho(i) \in S\}$. There exists a set of constants $\{\omega_i \mid i \in I\}$ such that $\sum_{i \in I} \omega_i M_i = (1,0,\ldots,0)$. Thus $\sum_{i \in I} \omega_i \lambda_i = s$ if $\lambda_i = M_i \cdot v$ is a valid share of any secret $s$.
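The share generation and linear reconstruction of Definition 2 can be run over $Z_p$ directly. The following is an added example, not code from the paper: it builds $(M, \rho)$ from an AND/OR policy with the Lewko-Waters conversion (a technique the paper does not describe), and it goes beyond the definition by also showing that an unauthorized attribute set has no reconstruction constants. The prime `P` and the attribute names are constructed.

```python
import secrets

P = 2**61 - 1  # constructed prime standing in for the group order p


def policy_to_lsss(policy):
    """Turn an AND/OR formula into (M, rho) with the Lewko-Waters conversion.

    policy is an attribute name or a tuple ("and" | "or", left, right).
    """
    rows, counter, stack = [], 1, [(policy, [1])]
    while stack:
        node, vec = stack.pop()
        if isinstance(node, str):          # leaf: one matrix row per attribute
            rows.append((node, vec))
            continue
        op, left, right = node
        if op == "or":                     # both children inherit the vector
            stack += [(right, vec), (left, vec)]
        elif op == "and":                  # split the vector between the children
            padded = vec + [0] * (counter - len(vec))
            stack += [(right, [0] * counter + [-1]), (left, padded + [1])]
            counter += 1
        else:
            raise ValueError("unknown gate: %r" % (op,))
    M = [[x % P for x in vec + [0] * (counter - len(vec))] for _, vec in rows]
    return M, [attr for attr, _ in rows]


def make_shares(M, s):
    """lambda = M v for v = (s, v_2, ..., v_n) with random v_2, ..., v_n."""
    v = [s % P] + [secrets.randbelow(P) for _ in range(len(M[0]) - 1)]
    return [sum(m * x for m, x in zip(row, v)) % P for row in M]


def recon_coeffs(M, rho, attrs):
    """Return {i: omega_i} with sum omega_i * M_i = (1,0,...,0), or None."""
    I = [i for i, a in enumerate(rho) if a in attrs]
    n = len(M[0])
    # Augmented system: column j holds row I[j] of M, last column is e_1.
    A = [[M[i][r] for i in I] + [1 if r == 0 else 0] for r in range(n)]
    pivots, row = [], 0
    for col in range(len(I)):
        pr = next((r for r in range(row, n) if A[r][col]), None)
        if pr is None:
            continue                       # free variable, left at 0
        A[row], A[pr] = A[pr], A[row]
        inv = pow(A[row][col], -1, P)      # modular inverse (Python 3.8+)
        A[row] = [x * inv % P for x in A[row]]
        for r in range(n):
            if r != row and A[r][col]:
                f = A[r][col]
                A[r] = [(x - f * y) % P for x, y in zip(A[r], A[row])]
        pivots.append(col)
        row += 1
    if any(A[r][-1] for r in range(row, n)):
        return None                        # e_1 is outside the span: unauthorized
    omega = {i: 0 for i in I}
    for r, col in enumerate(pivots):
        omega[I[col]] = A[r][-1]
    return omega


def reconstruct(M, rho, shares, attrs):
    """Recover s from the shares of the attributes in attrs, or None."""
    omega = recon_coeffs(M, rho, attrs)
    if omega is None:
        return None
    return sum(w * shares[i] for i, w in omega.items()) % P


if __name__ == "__main__":
    # Constructed policy: (doctor AND cardiology) OR (auditor AND finance)
    policy = ("or", ("and", "doctor", "cardiology"), ("and", "auditor", "finance"))
    M, rho = policy_to_lsss(policy)
    secret = secrets.randbelow(P)
    shares = make_shares(M, secret)
    print(reconstruct(M, rho, shares, {"doctor", "cardiology"}) == secret)
    print(reconstruct(M, rho, shares, {"doctor", "auditor"}))
```
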

Binary tree
Definition 3 (Binary tree [44]). Let $U$ be the group of users in the system, $u_k \in U$ $(1 \le k \le |U|)$ a user, and $G_x \subseteq U$ the users group for attribute $x$. We describe the binary tree below:
1. We assign a user $u_k$ to every leaf node and allocate a unique value $v_j$ to every node in the tree.
2. We define $path(i)$ as a Dijkstra path from the root node to the node $i$.
3. The minimal covering set $node(G_x)$ is the minimal set of nodes that covers all of the leaf nodes whose users are in $G_x$.
4. Considering the intersection of $path(u_k)$ and $node(G_x)$, we have $\beta_x = node(G_x) \cap path(u_k)$. As shown in Fig 1, we give an example: suppose that the users group for attribute $x$ is $G_x = \{u_1,u_3,u_4,u_5,u_6,u_8\}$ and $u_8$ is the user connected with leaf node 14; then $node(G_x) = \{v_7,v_4,v_5,v_{14}\}$, $path(u_8) = \{v_0,v_2,v_6,v_{14}\}$, and we have $\beta_x = \{v_{14}\}$.
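The minimal covering set and the intersection $\beta_x$ can be computed as follows. This is an added example, not code from the paper; it assumes a heap-style numbering (root $v_0$, children of $v_j$ are $v_{2j+1}$ and $v_{2j+2}$, user $u_k$ on leaf $v_{6+k}$ for eight users), chosen because it reproduces the numbers in the example above. It also shows what removing a user from $G_x$ does to $node(G_x)$ and to that user's $\beta_x$.

```python
N_USERS = 8  # constructed: 8 leaves, nodes v0..v14, root v0


def leaf_of(k, n=N_USERS):
    """Node index of the leaf holding user u_k (k is 1-based): u1 -> v7, u8 -> v14."""
    return n - 2 + k


def path(k, n=N_USERS):
    """path(u_k): node indices from the root down to u_k's leaf."""
    node, nodes = leaf_of(k, n), []
    while node > 0:
        nodes.append(node)
        node = (node - 1) // 2      # parent of v_j in heap numbering
    nodes.append(0)
    return nodes[::-1]


def min_cover(group, n=N_USERS):
    """node(G_x): fewest nodes whose subtrees contain exactly the leaves of G_x."""
    cover = {leaf_of(k, n) for k in group}
    # Walk the internal nodes bottom-up; two covered children collapse into the parent.
    for node in range(n - 2, -1, -1):
        left, right = 2 * node + 1, 2 * node + 2
        if left in cover and right in cover:
            cover -= {left, right}
            cover.add(node)
    return cover


def beta(group, k, n=N_USERS):
    """beta_x = node(G_x) intersected with path(u_k); empty means no KEK_x for u_k."""
    return min_cover(group, n) & set(path(k, n))


def revocation_effect(group, revoked, n=N_USERS):
    """Per-user beta_x before and after removing `revoked` from the group."""
    after = set(group) - {revoked}
    return {k: (beta(group, k, n), beta(after, k, n)) for k in range(1, n + 1)}


if __name__ == "__main__":
    G_x = {1, 3, 4, 5, 6, 8}                      # the group from the example above
    print("node(G_x) =", sorted(min_cover(G_x)))  # [4, 5, 7, 14]
    print("path(u8)  =", path(8))                 # [0, 2, 6, 14]
    print("beta_x    =", beta(G_x, 8))            # {14}
    for user, (before, after) in revocation_effect(G_x, 8).items():
        print("u%d: %s -> %s" % (user, sorted(before), sorted(after)))
```

Because the subtrees of the cover nodes are disjoint, every member of $G_x$ meets the cover in exactly one node and every non-member in none, which is why a user removed from the group has no node left from which to derive the group key.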

Complexity assumptions
Now we briefly introduce the l-Strong Diffie-Hellman (l-SDH) assumption and the q-Bilinear Diffie-Hellman exponent (q-BDHE) assumption.
Assumption 1 (l-SDH assumption [24]). Let $G$ be a bilinear group of prime order $p$ and let $g$ be a generator of $G$. An l-SDH problem can be described as follows: Randomly choose an exponent $x \in Z_p^*$ and, given an $(l+1)$-tuple $(g, g^x, g^{x^2}, \ldots, g^{x^l})$, output a pair $(c, g^{1/(x+c)}) \in Z_p \times G$. Algorithm $A$ can solve the l-SDH problem with the advantage $\varepsilon$ if
$$\Pr[A(g, g^x, g^{x^2}, \ldots, g^{x^l}) = (c, g^{1/(x+c)})] \ge \varepsilon.$$
Definition 4. We say that the l-SDH assumption holds if no polynomial time algorithm $A$ can solve the l-SDH problem with a non-negligible advantage.
Assumption 2 (q-BDHE assumption [4]). Let $G$ be a bilinear group of prime order $p$ and $g$ be a generator of $G$. A decisional q-BDHE problem can be described as follows: Randomly choose exponents $d, s \in Z_p^*$, given It is difficult for the algorithm $A$ to distinguish $e(g,g)^{d^{q+1}s} \in G_T$ from the random element
Definition 5. We say that the q-BDHE assumption holds if no polynomial time algorithm $A$ has a non-negligible advantage in solving the q-BDHE problem.

System model
In this section, we first describe the system architecture of TUR-CPABE and then provide the formal definition and security model of TUR-CPABE.

System architecture
As shown in Fig 2, the system architecture of the TUR-CPABE scheme has the following six entities.
Trust authority (TA): TA can produce the public parameters and the master key, and it is in charge of distributing private keys to users in the system. In our scheme, the TA is fully trusted.
Attribute manager (AM): The AM has users groups for every attribute, and it generates the manager public key, the manager master key and the group key for the users in each group. In addition, AM is responsible for re-encrypting local ciphertext, updating the key, updating the ciphertext and obtaining an attribute revocation list.
Data owner (DO): The DO takes charge of defining the access policy, encrypting data under the access policy and uploading the local ciphertext to the attribute manager.
Data user (DU): This is an entity who wants to access outsourced data. A user in the system can decrypt the ciphertexts successfully if and only if his/her identity is absent from the revocation list and his/her attributes can satisfy the access policy.
Cloud server provider (CSP): We suppose that a CSP is honest but curious. In other words, it can execute every authorization request honestly but it obtains as much information as possible in the process and from the result.
Outsourcing decryption server provider (ODSP): The server can provide outsourcing decryption service for the user to generate a partially decrypted ciphertext.

Formal definition
A TUR-CPABE involves eight algorithms: system setup, manager setup, key generation, encryption, decryption, key sanity check, trace and update. re-encrypted ciphertext $CT'$ and the header of message Hdr. This algorithm is performed by the AM and the DO.
Decryption $(PP, CT', Hdr, SK) \to m$: This algorithm is carried out by the DU and the ODSP. The algorithm inputs the public parameters PP, the re-encrypted ciphertext $CT'$, the header of the message Hdr and the decryption key SK. The algorithm outputs plaintext $m$ if and only if the user's identity is absent from the revocation list and his/her attributes can satisfy the access policy.
Key sanity check $(PP, SK) \to 1$ or $0$: TA performs this algorithm. If a user's decryption key SK is suspected, then it must be determined whether it is a well-formed decryption key by means of the key sanity check. If SK cannot pass the key sanity check, it outputs 0. Otherwise, it outputs 1.
Trace $(PP, SK) \to id$ or $\perp$: TA runs this algorithm. If a user's decryption key SK is a well-formed decryption key, then TA sends his/her identity id to the AM. Finally, the AM revokes the attribute for the malicious user.
Update $(CT', Hdr, GSK, RL) \to (CT', Hdr, GSK, RL')$: AM can perform attribute revocation for the malicious user and add the malicious user's id and the revoked attribute to the revocation list to get a new revocation list $RL'$. Finally, the AM inputs the group key GSK, the re-encrypted ciphertext $CT'$ and the header of message Hdr to obtain the updated $CT'$, Hdr and GSK.

Security model
In this section, we propose the security model for our TUR-CPABE system.

Traceability.
In this subsection, we present a traceability definition of our TUR-CPABE system. We describe it by considering a security game between an adversary A and a simulator B as follows:
Initialization: Simulator B executes System setup $(\lambda, U)$ as well as Manager setup (PP) to obtain the public parameters PP and the manager public key MPK. After that, B sends PP as well as MPK to A.
Key query: A submits a series of attributes sets $(id_1,S_1),\ldots,(id_q,S_q)$ to request the corresponding decryption keys, where $(u_i,x) \in RL$ (it denotes revoke attribute $x$ for user $u_i$ whose identity is is a challenge access policy), $i = 1,2,\ldots,q$. Then simulator B performs the key generation algorithm and returns the result to A.
Key forgery: Adversary A outputs a decryption key $SK^*$. If $Trace(PP,SK^*) \neq \perp$ (i.e., $SK^*$ is a well-formed decryption key) and $Trace(PP,SK^*) \neq \{id_1,\ldots,id_q\}$, then A wins the game. The advantage of A in winning the game is defined as:
Definition 6. A TUR-CPABE scheme is traceable if no polynomial time adversary has a non-negligible advantage in this game.

IND-CPA security.
In this subsection, we provide the IND-CPA security of our TUR-CPABE system. We describe it by a security game between an adversary A and a simulator B as follows:
Initialization: Adversary A chooses a revocation list $RL^*$ as well as a challenge access policy
Setup: Simulator B performs System setup $(\lambda, U)$ as well as Manager setup (PP) to obtain the public parameters PP and the manager public key MPK, the master key MSK as well as the manager master key MMK. Finally B keeps MSK, MMK secret and sends PP, MPK to adversary A.
Phase 1: A submits a series of tuples $(id_1,S_1),\ldots,(id_q,S_q)$ to ask for the corresponding decryption keys. If $S \notin (M^*,\rho^*)$ and $(u,x^*) \in RL^*$, simulator B generates a decryption key for each attributes set $(id_i,S_i)$ and returns it to A.
Challenge: Adversary A submits two equal length messages $m_0, m_1$ to B. Then, B chooses $\upsilon \in \{0,1\}$ randomly, encrypts the message $m_\upsilon$ under the access policy $(M^*,\rho^*)$ and computes the challenge ciphertext $\langle Hdr_\upsilon^*, CT_\upsilon^* \rangle$. Finally, B sends the challenge ciphertext to A.
Phase 2: Same as Phase 1.
Guess: A outputs a guess $\upsilon'$ of $\upsilon$. If $\upsilon = \upsilon'$, A wins the game. The advantage of adversary A in winning the game is defined as:
If there is no polynomial time adversary who is able to break our scheme with a non-negligible advantage in this game, our scheme is said to be indistinguishable under a chosen plaintext attack under a selective access policy.

Construction of TUR-CPABE
In our scheme, a user's decryption key consists of two parts. One is the user private key USK related to his/her attributes set, and the other is the group key GSK related to the users group he/she belongs to. Only by combining the corresponding USK and GSK is the user able to decrypt the ciphertext. In the proposed scheme, the encryption algorithm also has two steps: First, the data owner encrypts the message to obtain the local ciphertext. Then, the attribute manager re-encrypts the local ciphertext to gain the re-encrypted ciphertext and the header of the message, and the attribute manager uploads them to the cloud server provider. A user can decrypt the ciphertext when and only when the user's identity id is absent from a revocation list and his/her attributes can satisfy the access policy. In addition, our decryption algorithm can be stated as follows: the outsourcing decryption server provider performs the outsourcing decryption algorithm and then sends the partially decrypted ciphertext to users; and users execute the local decryption algorithm to recover the plaintext.
System setup $(\lambda, U) \to (PP, MSK)$: The algorithm inputs the security parameter $\lambda$ and the attributes universe $U = \{1,2,\ldots,x,\ldots,n\}$. Let $G$ and $G_T$ be two multiplicative cyclic groups of prime order $p$, and $g$ be a generator of $G$. The function $e: G \times G \to G_T$ is a bilinear map. As shown in Fig 1, $T$ is a binary KEK tree, and every leaf node in the tree is assigned a user $u$ whose identity is $id$. $RL = \{(id,x)\}$ is a revocation list (initially empty); an entry denotes the revocation of attribute $x$ for user $u$. The TA performs the following algorithms.
1. Randomly choose $\alpha, a \in Z_p$ and $h \in G$.

For every attribute
3. TA chooses a probabilistic encryption scheme (Enc,Dec) [45] from $\{0,1\}^*$ to $Z_p^*$; it is a symmetric encryption scheme with secret key $k \in Z_p$, and the scheme generates a different ciphertext each time it encrypts the same plaintext.
Then, the TA sets the public parameters $PP = \langle p, e, G, G_T, g, h, g^a, e(g,g)^{\alpha}, \{U_x\}_{x \in U} \rangle$ and the master key $MSK = \langle \alpha, a, k \rangle$. Finally, the TA publishes PP and keeps the MSK secret.
Key generation $(PP, MSK, MPK, MMK, S, id) \to SK$: In this algorithm, a decryption key SK consists of the user private key USK produced by the TA and the group key GSK generated by the AM. The specific steps are as follows:
1. USK generation: For the user $u_k \in U$ $(1 \le k \le |U|)$, the TA authenticates his/her attributes set $S_k$ ($S_k \subseteq U$) and generates a $USK_k$ connected with attributes set $S_k$. This algorithm can be stated as follows:
a. For each attribute $x \in S_k$ $(1 \le x \le |U|)$, the TA chooses $r', r_x' \in Z_p$ randomly and computes where the user $u_k$'s identity is $id_k$ and there is no distinction between the result $c$ and a random number in $Z_p$. Then, the private key $USK_k'$ is set as follows: TA randomly selects $z \in Z_p^*$ and sets the transformation key $TK_k$ as and $u_k$'s user private key $USK_k$ is set as $USK_k = (K_1 = z, TK_k)$.
c. For every attribute
d. TA retains $GSK_k$, then it sends $USK_k$ to the user and $GSK_k$ to the AM by the secure channel, respectively.
2. GSK generation: Every node in the tree is assigned an exclusive value $v_j$ and an exclusive sequence number $sequence(v_j)$. For the user $u_k \in U$ $(1 \le k \le |U|)$, AM produces a group $KEK_x$ that can compute path nodes from a leaf node to the root node. The detailed algorithm is as follows:
a. For each attribute $x \in S_k$ $(1 \le x \le |U|)$, AM computes a minimal covering set $node(G_x)$ for $G_x$ and defines a Dijkstra $path(u_k)$ for the user $u_k \in U$ $(1 \le k \le |U|)$, where $G_x$ is the users group for attribute $x$.
b. For every attribute $x \in S_k$ $(1 \le x \le |U|)$, AM executes an intersection operation $\beta_x = node(G_x) \cap path(u_k)$. If $\beta_x = \phi$, AM doesn't compute a $KEK_x$ for the user $u_k$. Otherwise, it
3. AM sends $GSK_k$ to the user and $G_x$ to the TA by the secure channel, respectively. Then, the user $u_k$ obtains an unbroken decryption key $SK_k = \{USK_k, GSK_k\}$.
$CT = \langle (M,\rho), C = m \cdot e(g,g)^{\alpha s}, C_0 = g^s, C_1 = g^{as},$ Then DO sends CT to the AM.
2. AM encrypts: For $\forall i \in [1,l]$, AM randomly chooses $k_i \in Z_p$ and re-encrypts CT: For $\forall i \in [1,l]$, AM computes $node(G_{\rho(i)})$ and sets the header of the message Hdr as:
$$Hdr = \langle \forall i \in [1,l], \{sequence(v_j), E(k_i) = g^{k_i v_j / w_{\rho(i)}}\}_{v_j \in node(G_{\rho(i)})} \rangle.$$
Finally, AM uploads the ciphertext $\langle CT', Hdr \rangle$ to the CSP.
Decryption $(PP, CT', Hdr, SK) \to m$: This algorithm has two steps. First, ODSP executes the outsourcing decryption operation. Second, DU performs the local decryption algorithm. For the user $u_k \in U$ $(1 \le k \le |U|)$, given the ciphertext $\langle CT', Hdr \rangle$ and the decryption key $SK_k = \{USK_k, GSK_k\}$, there are two cases:
1. If the user $u_k$'s attributes set $S_k \notin (M,\rho)$ (in other words, the user $u_k$'s attributes set $S_k$ cannot satisfy the access policy $(M,\rho)$) or $u_k \in RL$, the algorithm aborts.
2. If the user $u_k$'s attributes set $S_k \in (M,\rho)$ and $u_k \notin RL$, let $I = \{i : \rho(i) \in S\}$ and $I \subseteq [1,l]$; there exists a set of constants $\{\omega_i \in Z_p\}_{i \in [1,l]}$ so that $\sum_{i \in I} \omega_i \lambda_i = s$. Then, DU sends the ciphertext $\langle CT', Hdr \rangle$, the transformation key $TK_k$ and the group key $GSK_k$ to the ODSP. Finally, ODSP sends the partially decrypted ciphertext $CT_1$ to the DU, then DU recovers the message $m$. The algorithms are stated as follows.
3. $e(K_2^{K_1}, g^a g^{K_1'}) = e(g,g)^{\alpha} e(L_2 L_1$
If $USK_k$ can pass the key sanity check, the algorithm outputs 1. Otherwise, it outputs 0.
Trace $(PP, SK) \to id$ or $\perp$: This algorithm is performed by the TA. If the user $u_k$'s user private key $USK_k$ cannot pass the key sanity check, the algorithm outputs $\perp$. Otherwise, the algorithm proceeds as follows:
1. It extracts the user $u_k$'s identity $id_k$ from $Dec_k(K_1')$.

2. Search for $id_k$ in attribute $x$'s users group $G_x$. If TA can find $id_k$, the algorithm outputs the corresponding malicious user $u_k$. Otherwise, it outputs a user $u^*$ who never appears in $G_x$.
3. TA sends the malicious user's id k to the AM.
Update $(CT', Hdr, GSK, RL) \to (CT', Hdr, GSK, RL')$: In an ABE scheme, a user has multiple attributes. Usually, each attribute can be shared by many users. Thus, the decryption key of an attribute can be shared by many users. When the user $u_k$'s attribute $x$ is revoked, we can update the $GSK_x$ of the other, unrevoked users. In the meantime, we need to update the ciphertext related to this attribute to make sure the user's decryption key connected to the attribute is useless. Thus, the user $u_k$ loses his/her decryption privilege. The attribute revocation algorithm includes the following steps.
1. Key update: In our system, AM performs the attribute revocation algorithm and updates the user's $GSK_k$. The particular steps are as follows:
a. For each tuple $(u_k, x) \in RL'$ $(1 \le k \le |U|, 1 \le x \le |U|)$, AM randomly chooses $\delta_x \in Z_p$, and for every tuple $(u_k, x) \notin RL'$ $(1 \le k \le |U|, 1 \le x \le |U|)$, let $\delta_x = 1$. Then, for each attribute Finally, AM updates the manager public key as $MPK = \{W_x \mid 1 \le x \le |U|\}$, and updates the manager master key as
b. For each tuple $(u_k, x) \in RL'$ $(1 \le k \le |U|, 1 \le x \le |U|)$, AM updates the users group for attribute $x$ as $G_x$ and computes $node(G_x)$.
c. For every tuple $(u_k, x) \notin RL'$ $(1 \le k \le |U|, 1 \le x \le |U|)$, AM performs an intersection
d. AM replaces the group key $GSK_k$ with the updated group key $GSK_k = \{x, sequence(v_j), kek_x, KEK_x\}$.

2. Ciphertext update: After updating the group key, AM continues executing the ciphertext update algorithm, and the algorithm is described as follows.
a. First, AM randomly chooses an exponent $s \in Z_p$. Then AM selects a random $k_i \in Z_p$ for each tuple $(u, \rho(i)) \in RL'$ and updates $CT'$ as $CT' = \langle (M,\rho), C = C \cdot e(g,g)^{\alpha s},$

Security analysis
In this section, we first provide a proof of traceability based on the l − SDH hardness assumption. Then, we prove that our scheme is able to achieve IND−CPA security if the q − BDHE assumption holds.

Traceability
Theorem 1. Suppose that $q < l$. Our TUR-CPABE system is traceable if the l-SDH assumption holds, where $q$ is the number of key queries that the attacker makes.
Proof: Suppose there is a probabilistic polynomial time (PPT) adversary A capable of winning this traceability game with advantage $\varepsilon$; w.l.o.g., suppose $l = q + 1$. We can then establish a PPT algorithm B to break the l-SDH hardness problem with a non-negligible advantage.
Let $G$ and $G_T$ be two multiplicative cyclic groups of prime order $p$, let $g$ be a generator of $G$ and let the function $e: G \times G \to G_T$ be a bilinear map. The algorithm B receives an l-SDH challenge problem $(g, g^a, g^{a^2}, \ldots, g^{a^l})$, where $a \in Z_p^*$, and the goal of B is to output a tuple $(c_r, \omega_r = g^{1/(a+c_r)})$. Let $A_i = g^{a^i}$ $(i = 0,1,\ldots,l)$. To solve the l-SDH problem, algorithm B can imitate a challenger's role for adversary A. The specific processes are stated below: $\ldots, a_q \in Z_p$ are the coefficients of polynomial $f(y)$. Then B performs the following algorithm:
2. B randomly picks $\alpha, y \in Z_p$, $h \in G$. For each attribute $x \in U$, B chooses a random number $u_x \in Z_p$ and establishes $U_x = g^{u_x}$. Finally, B publishes the public parameters as $PP = \langle p, e, G, G_T, g, h = g^y, g^a, e(g,g)^{\alpha}, \{U_x\}_{x \in U} \rangle$.
3. For each $x \in U$, B randomly chooses $w_x \in Z_p$ and computes $W_x = g^{w_x}$, then publishes the manager public key as $MPK = \{W_x \mid 1 \le x \le |U|\}$.
4. Set up a binary KEK tree and assign a user $u$ to every leaf node, where the user's identity is $id$. Every node possesses an exclusive value $v_j$ as well as an exclusive sequence number $sequence(v_j)$ in the binary KEK tree.
Key query: Adversary A submits a set of attributes $(id_i,S_i)$ to B and requests the corresponding decryption keys. For the $i$-th query, we suppose $i \le q$, let polynomial and B randomly selects $z, r', r_x' \in Z_p$, computes $DSK_i$ related to $(id_i,S_i)$ as follows: First, B computes Then B sets the transformation key $TK_i$ as and builds the user private key as $USK_i = (K_1 = z, TK_i)$. Finally, B computes To define a function $node(G_x)$ for attribute $x$'s users group $G_x$, where $x \in S_i$. For every user $u_i \in U$ $(1 \le i \le |U|)$, B defines a function $path(u_i)$ and performs an intersection operation $\beta$ where $v_j \in \beta_x$. Then, B sets the group key as $GSK_i = \{x, sequence(v_j), kek_x, KEK_x\}$. Finally, B returns the decryption key $SK_i = \{DSK_i, GSK_i\}$ to A.
Key forgery: Adversary A submits a forged decryption key $SK^*$ to B. Here the distribution of the decryption key SK and the public parameters PP in the above game are the same as in the real system.
Let $\varepsilon_A$ denote the event that A wins the game, i.e., $SK^*$ can pass the key sanity check and $K_1' \notin \{c_1,c_2,\ldots,c_q\}$. If the event $\varepsilon_A$ does not happen, B chooses a random tuple $(c_r, \omega_r) \in Z_p \times G$ as a solution to the l-SDH hardness problem. If event $\varepsilon_A$ takes place, B writes the polynomial $f$ computes the tuple $(c_r, \omega_r) \in Z_p \times G$ as follows: Suppose $L_1 = g^r$, where $r \in Z_p$ is unknown, and let $K_1 = z$, where $z \in Z_p^*$. According to the equality $e(L_2, g) = e(L_1, g^a)$ from the key sanity check, we have $L_2 = g^{ar}$. On the basis of the equality $e(K_2^{K_1}, g^a g^{K_1'}) = e(g,g)^{\alpha} e(L_2 L_1$ Then B continues performing the following algorithm.
We now assess the advantage of B in breaking the l-SDH hardness problem. Suppose $z$ denotes the event that $(c_r, \omega_r)$ is the solution to the l-SDH hardness problem; this solution can be checked by verifying whether the equality $e(g^a \cdot g^{c_r}, \omega_r) = e(g, g)$ holds. When B randomly selects $(c_r, \omega_r)$, $z$ can happen with a negligible advantage. We denote this as 0 for simplicity. When the event $A\,win \wedge \gcd(g - 1, p) = 1$ occurs, B outputs a tuple $(c_r, \omega_r)$ and the probability that the tuple $(c_r, \omega_r)$ satisfies the equality $e(g^a \cdot g^{c_r}, \omega_r) = e(g, g)$ is 1. Hence, the probability that B solves the l-SDH challenge problem is as follows:

IND − CPA security of the TUR-CPABE
Theorem 2. If the decisional q-BDHE assumption holds, then there are no PPT adversaries that have non-negligible advantages in breaking our TUR-CPABE scheme under selective access policy and chosen plaintext attacks, where $q > 2|U| - 2$ and $|U|$ is the number of users in the system.
Proof: Suppose there is a PPT adversary A able to break our TUR-CPABE scheme with an advantage $\varepsilon$. In this case, we could set up a simulator B who has an advantage $\varepsilon/2$ to break the decisional q-BDHE hardness problem. The simulation processes are described as follows: Let $G$ and $G_T$ be two multiplicative cyclic groups of prime order $p$, $g$ be a generator of $G$ and the function $e: G \times G \to G_T$ be a bilinear map. Given $\vec{y} = (g, g^s, g^d, \ldots, g^{d^q}, g^{d^{q+2}}, \ldots, g^{d^{2q}})$, simulator B casts a fair coin $\mu$. If $\mu = 0$, B sets $T = e(g,g)^{d^{q+1}s}$. Otherwise, B sets $T = Z$, where $Z$ is a random element in $G_T$.
Initialization: Adversary A chooses a challenge access policy $(M^*,\rho^*)$ as well as a revocation list $RL^*$, where $M^*$ is an $l^* \times n^*$ matrix and $n^* \le q$.
Setup: To simulate public parameters as well as manager public key, simulator B needs to execute the following algorithms.
1. B chooses a random $\alpha' \in Z_p^*$ such that $e(g,g)^{\alpha} = e(g,g)$
2. Randomly select a value $z_x \in Z_p$ for every attribute $x \in U$ $(1 \le x \le |U|)$, then every group element $U_x \in G$ is generated as follows. If there exists $i \in \{1,2,\ldots,l^*\}$ such that $\rho^*(i) = x$, set
3. B randomly chooses $a \in Z_p$, then computes $g^a$ and sets $h = g^d$.
4. Given a revocation list $RL^*$. If $(u,x) \in RL^*$, B randomly chooses $y_x \in Z_p^*$ and sets
5. Set up a binary KEK tree and assign a user $u$ to every leaf node, where the user's identity is $id$. Every node has an exclusive value $v_j$ as well as an exclusive sequence number $sequence(v_j)$ in the binary KEK tree.
Hence, the simulator publishes the public parameters as $PP = \langle p, e, G, G_T, g, h, g^a, e(g,g)^{\alpha}, \{U_x\}_{x \in U} \rangle$ and the manager public key as $MPK = \{W_x \mid 1 \le x \le |U|\}$.
Phase 1: Adversary A commits a sequence of tuples $(u_1,S_1),\ldots,(u_q,S_q)$ to ask for the corresponding decryption keys, where $(u,x)$ denotes revoking the user $u$'s attribute $x$. B does the following in response:
Case 1. If $S \in (M^*,\rho^*)$ and $(u,x) \notin RL^*$, the algorithm aborts.
Case 2. If $S \in (M^*,\rho^*)$ and $(u,x^*) \in RL^*$, B chooses random $c, r_x' \in Z_p$ and implicitly sets . Then, the simulator performs the following algorithm to set the decryption key.
1. B computes $USK'$ as follows:
2. Choose a random exponent $z \in Z_p$, then let $K_1 = z$ and set TK as Finally, obtain $USK = (z, TK)$.

For have been revoked attribute
then computes a minimal covering set $node(G_x)$ for the attribute $x$'s users group $G_x$ and defines a Dijkstra $path(u)$ for the user $u$, finally performs an intersection operation $\beta_x = node(G_x) \cap path(u)$. If $\beta_x = \phi$, B does not compute $KEK_x$ for $u$.

Find a vector
, such a vector must exist.
2. B selects random numbers $c, r_x' \in Z_p$, builds $K_1' = c$.
3. B chooses a random number $t \in Z_p$, implicitly defines 0 are as follows:

5.
B chooses a random exponent z 2 Z p Ã , then builds K 1 = z. Compute the transformation key as and set USK = (K 1 = z,TK).Then, B computes kek x Ã and KEK x Ã as in case 2.
Case4. If S = 2 (M Ã ,ρ Ã ) and (u,x) = 2 RL Ã , the simulator computes USK as in case 3. First, B Then, B computes a minimal covering set node(G x ) for the attribute x's users group G x and defines a Dijkstra path(u) for the user u. Finally, B performs an intersection operation Challenge: Finally, we set the challenge ciphertext. Adversary A submits two equal length messages m 0 ,m 1 to B. Then,B casts a fair coin υ 2 {0,1} and performs the following algorithms.
The decryption key and public parameters generated by simulations in the above game are the same as those in the real system.
When μ = 1, the adversary cannot acquire any information about υ. Therefore, we have
The advantage of simulator B in the decisional q-BDHE game is defined as:

Performance Analysis
In this section, our scheme is compared with several related schemes in terms of functionality and performance. The comparisons are listed in Tables 1 and 2. Our experiment is implemented using the Pairing Cryptography (PBC) library [46]. Our pairing is constructed on the elliptic curve $y^2 = x^3 + x$ over a finite field $F_q$ (q is a prime number and $q \equiv 3 \bmod 4$). The hardware runtime environment is an Intel Core i5-3470 CPU @ 3.20GHz with 4.00GB of RAM. The software runtime environment is JDK 1.7.5, JPBC 2.0.0 and MyEclipse 10.

We compared our scheme with the other schemes [25,26,37,38,41] in Table 1. Those schemes all support traceability, but schemes [25,37,41] cannot support malicious user revocation. To achieve ABE fine-grained access control, our scheme supports attribute-level user revocation. In addition, we find that schemes [26,41] and our scheme can all resist collusion attacks between users. Only scheme [38] and our scheme support an outsourced decryption algorithm. Finally, Table 1 shows that our scheme provides a key update algorithm and a ciphertext update algorithm, whereas schemes [25,26,37,38,41] do not possess those functionalities.
From Table 2, we can see that our scheme is more efficient than those in [25,26,37,38,41] for the encryption algorithm. As our scheme conducts only one exponentiation operation and one multiplication operation in the decryption algorithm, our scheme and scheme [38] are much better than the other schemes [25,26,37,41]. In the trace algorithm, the schemes in [25,37,38] are clearly less efficient than our scheme; because a multiplication operation is much less expensive than a bilinear pairing operation, our scheme is slightly less efficient than scheme [41]. Although our scheme is more efficient than the schemes in [25,26,38,41] for the key generation algorithm, it is slightly less efficient than scheme [37]. It is worth noting that our scheme can perform attribute-level user revocation and can resist collusion attacks with a lower key generation expenditure.

Fig 3 compares the computational overheads in key generation time, encryption time, decryption time and trace time. Fig 3(A) compares key generation times between our scheme and the above schemes. We find that the key generation time in the proposed scheme is much less than that in other schemes [25,26,38,41]. Fig 3(B) shows the time required for the data owner to encrypt a message. Our scheme takes much less time than the others [25,26,37,38,41]. Fig 3(C) shows the time required for the data user to decrypt a message. Because our scheme and scheme [38] make use of an outsourced decryption algorithm, the decryption time is constant. Compared with schemes [25,26,37,41], our scheme has a clear advantage in decryption time. Fig 3(D) compares the trace times of the above schemes. Our scheme's trace time is much less than those of other schemes [25,37,38]. Compared with scheme [41], although our scheme does not have a clear advantage in its trace time, our scheme can achieve user revocation and can resist user collusion.
In brief, the results of our experiment agree with the above theoretical analysis.

Conclusion
In this paper, we propose a scheme called traceable CP-ABE with attribute-level user revocation for cloud storage (TUR-CPABE). In our construction, a user's decryption key and ciphertext both have two parts. A secret key update and a ciphertext update are used to resist collusion attacks between users. In addition, outsourcing encryption, decryption and attribute revocation are used to reduce the computational burden of data owners, users and the trust authority, respectively. Finally, the security of our scheme is demonstrated under a chosen plaintext attack based on a decisional q-BDHE hardness problem in the standard model.
Because a black-box traceable tool is much better than a white-box traceable tool, our future work will focus on constructing a black-box traceable CP-ABE tool with attribute-level user revocation.