 Research
 Open Access
An efficient traceable access control scheme with reliable key delegation in mobile cloud computing
 Zhitao Guan^{1}Email authorView ORCID ID profile,
 Jing Li^{1},
 Ying Zhang^{1},
 Ruzhi Xu^{1},
 Zhuxiao Wang^{1} and
 Tingting Yang^{1}
https://doi.org/10.1186/s1363801607052
© The Author(s). 2016
 Received: 1 February 2016
 Accepted: 26 August 2016
 Published: 5 September 2016
Abstract
With the increasing number of mobile applications and the popularity of cloud computing, the combination of these two techniques that named mobile cloud computing (MCC) attracts great attention in recent years. However, due to the risks associated with security and privacy, mobility security protection in MCC has become an important issue. In this paper, we propose an efficient traceable access control scheme with reliable key delegation named KDTABE in MCC. Firstly, we present a traceable CPABE system and realize key delegation without loss of traceability. Secondly, a new type of reencryption method is proposed, which is based on an intuitive method that supports any monotonic access tree instead of the reencryption key. Lastly, to reduce trust on authority, we separate the authority into three parts, and each authority is responsible for generating different components of the key. The analysis shows that the proposed scheme can meet the security requirement of MCC. In addition, it cost less compared with the other popular models.
Keywords
 Mobile cloud computing
 Key delegation
 Ciphertext delegation
 Reencryption
1 Introduction
With the increasing number of mobile applications and the popularity of cloud computing, the combination of these two techniques that named mobile cloud computing (MCC) attracts great attention listed by in recent years [1, 2]. MCC is a service that allows mobile users constrained with resources to adaptively adjust processing and storing capabilities by transparently partitioning and offloading the computationally intensive and storage demanding jobs on traditional cloud resources by providing ubiquitous wireless access [2]. In the former mobile computing paradigm, there are some problems such as resource scarcity, frequent disconnections, and mobility. With the support of MCC, the aforementioned problems can be addressed and the mobile users can achieve seamless access and handover for services, since mobile applications are executed on resource providers external to the mobile device.
However, the concerns with data privacy and security threats have become an obstacle to hinder MCC from being widely used [3]. According to the recent survey conducted by the International Data Corporation, most IT Executives and CEOs are not interested in adopting such services due to the risks associated with security and privacy [4, 5]. Therefore, it is necessary to eliminate the potential security threats in MCC.

We construct a traceable CPABE system with the access tree and realize the key delegation at servers without loss of traceability. We encrypt some components of the key to prevent the key from being maliciously delegated by malicious users or traitors.

We propose a new type of reencryption method, which is based on an intuitive method that supports any monotonic access tree, instead of the reencryption key.

To reduce trust on authority, we separate the authority into three parts, and each authority is responsible for generating different components of the key. One is trusted and responsible for user identity management; the other two are semitrusted and responsible for generating temporary parameters.
The rest of this paper is organized as follows. Section 2 introduces the related work. Then, in Section 3, some preliminaries have been given. Our scheme is stated in Section 4. In Section 5, security analysis has been provided. In Section 6, we evaluate the performance of the proposed schema. Finally, the paper is concluded in Section 7.
2 Related work
Attributebased encryption (ABE) is firstly proposed by Sahai and Brent in [12]. A user’s identity is viewed as a set of descriptive attributes, the attributes are taken as public key, and the ciphertext will be decrypted as long as the number of user’s attributes reaches a certain value which is set in the encryption process. Since then, ABE has become a research focus of the public key encryption field. Very soon afterwards, two ABE variants are proposed: keypolicy attributebased encryption (KPABE) and CPABE. In KPABE scheme [13], the data access policy (denoted as Au_KP) is specified by data users; the ciphertext is labeled by a set of attributes (denoted as A_o). The data user can decrypt the ciphertext only if A_o satisfies A_KP. While, in CPABE scheme [14], the data access policy (denoted as Ao_CP) is specified by data owners; the key is relevant to the attribute set A_u (A_u is holded by the data user). Only if A_u satisfies A_CP can the ciphertext be decrypted. Both KPABE and CPABE can achieve data confidentiality and finegrained access control.
However, ABE allows users to share the same sets of attributes, and the decryption keys are generated with attributes sets without any identification information, which cause a problem: once the malicious key delegation happens, we cannot determine the owner’s identification of the given key. To address this problem, there are two main ideas: one is to prevent the key from being cloned and misused, just like [15–19], the other one is to provide traceability, proposed and improved in [20–25]. In [20], the scheme proposes methods to trace the source of leaks and traitors in broadcast encryption; an index identifying a user is the foundation of realizing traceability. In [25], Ma et al. propose a new notion called multiauthority attributebased traitor tracing. A pair of elements is introduced to describe a user, one represents its attribute set while the other one indicates its identity information. Based on the white box traceable CPABE [11], Liu et al. propose the black box traceable CPABE in 2015 [26]. In [11], the traceability is added to the CPABE scheme without weakening its security. Although the length of the ciphertext and decryption key is changed, the overhead is not increased significantly. In [27], the whitebox traceable CPABE in large universe is realized and the storage for traitor tracing is constant. Katz et al. introduce the traceability into predicate encryption schemes in [28], which has the general applicability. Ning et al. firstly propose an accountable authority CPABE scheme that supports white box traceability in [29], which solved two types of key abuse problems simultaneously.
There are several studies on ciphertext delegation, and one of the approaches is to utilize proxy reencryption. The proxy reencryption(PRE) technique encrypts the ciphertexts with reencryption keys and makes it possible for users to decrypt the reencrypted ciphertexts with their own original decryption keys without changing. In [30], Luo et al. realize proxy reencryption in CPABE scheme, with ANDgates that support multivalue attributes, negative attributes, and wildcards, the encryptor could choose any ciphertext to reencrypt as they like. Lai et al. formalize a new cryptographic primitive called adaptable ciphertextpolicy attributebased encryption, which allows a semitrusted proxy to modify a ciphertext under one access policy into another one of the same plaintext under any other access policies [31]. In [32, 33], Kaitai Liang et al. further optimize the system security and integrate the dual system encryption technology to realize the adaptively CCA secure in the standard model.
3 Preliminaries
3.1 Bilinear maps and complexity assumptions
Let G _{0} and G _{1} be two multiplicative cyclic groups of prime order p and g be the generator of G _{0.}
 1.
Bilinearity: ∀u, v ∊ G _{1}, e(u ^{ a }, v ^{ b }) = e(u, v)^{ ab }
 2.
Nondegeneracy: e(g, g) ≠ 1
 3.
Symmetric: e(g ^{ a }, g ^{ b }) = e(g, g)^{ ab } = e(g ^{ b }, g ^{ a })
Definition 1 Discrete logarithm (DL) problem:
Let G be a multiplicative cyclic group of prime order p and g be its generator, given y ∊ _{ R } G as input, try to get x ∈ ℤ _{ p } that y = g ^{ x }.
The DL assumption holds in G if it is computationally infeasible to solve DL problem in G.
3.2 Access structure
Let P = {P _{1}, P _{2},…, P _{n}} be a set of participants, let U = 2^{{P1,P2,…, Pn}} be the universal set. If ∃ AS ⊆ U\{∅}, then AS can be viewed as an access structure.
If A ∊ AS, ∀B ∊ U, A ⊆ B, and B ∊ AS, then AS is monotonic.
If AS is an access structure, then the sets in it are called the authorized sets, and the sets not in it are called the unauthorized sets.
The access structure in our system is an access tree, which is the same as in [14]. The tree includes a root node, some interior nodes and some leaf nodes. The leaf nodes are associated with descriptive attributes while the interior nodes represent the logic operation, such as AND (n of n), OR (1 of n), n of m (m > n). A user can decrypt the ciphertext correctly only if the access tree is satisfied by his attributes set.
3.3 Notations
Notations
Acronym  Descriptions 

PK  Public key 
MK  Master key 
SK  Secret key 
CT  Ciphertext 
M  Plaintext 
AS  Access structure 
DSK  Delegated secret key 
DCT  Delegated ciphertext 
DO  Data owner 
DR  Data requester/receiver 
IA  Identification authority 
RA  Random number authority 
AA  Attribute authority 
KDS  Key delegation server 
CDS  Ciphertext delegation server 
CS  Cloud server 
TDS  Trusted decryption server 
SDS  Semitrusted decryption server 
4 Our system
We construct a new traceable CPABE system with access tree and focus on how to realize the key delegation and the ciphertext delegation based on our system. In order to achieve all this, our system is composed of the following parties: a Data Owner, some Data Receivers, and three authorities, the Key Delegation Servers, the Ciphertext Delegation Servers, the Cloud Server and two Decryption Servers.
We use an access tree \( \tilde{T} \) to express the access policy specified by data owners. We introduce a hash function H:{0, 1}^{*} → G _{0} and view it as a random oracle, which maps any attribute described as a binary string to a random group element.
4.1 Setup
When the system starts up, the setup algorithm will choose a multiplicative cyclic group G _{0} of prime order p with generator g and three random numbers a, α, β ∈ ℤ _{ P }.
This paper uses the Shamir’ \( \left(\overline{t},\overline{n}\right) \) threshold gates scheme to store tracing information that proposed in [27].
IA receives all MK components and keeps f(x)^{7} and \( \overline{t}1 \) points \( \left\{\left({x}_1\;{y}_1\right),\left({x}_2\;{y}_2\right),\dots, \left({x}_{\overline{t}1}\;{y}_{\overline{t}1}\right)\right\} \) as secret [27], while AA and RA get one of the MK component a, which is used to protect the parameters transmitted between them.
A symmetric encryption algorithm is introduced into the three authorities to encrypt the components of a secret key. The symmetric encryption keys are assigned to the three authorities, IA receives K _{1} and K _{2}, RA receives K _{3}, and AA receives K _{4}. KDS receives K _{4}, TDS receives K _{2}, and SDS receives K _{3} and K _{4}. CDS acquires the Hash function.
4.2 Encrypt (PK, M, T)
The encryption algorithm receives message M and access structure T (denoted by an access tree) from DO. First, the algorithm chooses a random number s ∈ ℤ _{ P } for root node R polynomial, which means q _{ R } (0) = s. Then, it chooses a polynomial q _{ x } for each node x (leaf or noneleaf node) in top down manner, with the same method to construct the polynomials proposed in [25].
4.3 Key generation (MK, PK, id, S)
Recording and encrypting the random number r aim to prevent the decryption key from being rerandomized at the user side. u2 will be decrypted when the decryption starts, and the random number r got from u _{2} is used for decrypting. If the rerandomization occurs, the random number in keys will be changed, it will differ from r. Thus, decryption will be failed.
4.4 Key trace (SK)
The trace algorithm reference the method proposed in [27]. First, the algorithm decrypts u _{1} to get (x,y) from D _{0} in user’s key, and then, it checks whether SK is issued by system.
If \( \left(x\;y\right)\in \left\{\left({x}_1\;{y}_1\right),\left({x}_2\;{y}_2\right),\dots, \left({x}_{\overline{t}1}\;{y}_{\overline{t}1}\right)\right\}, \) the algorithm decrypts x to get id of the user. Otherwise, the algorithm computes the secret of INS \( \left(\overline{t},\overline{n}\right) \) by interpolating with \( \overline{t} \) points \( \left\{\left(x\;y\right),\left({x}_1\;{y}_1\right),\left({x}_2\;{y}_2\right),\dots, \left({x}_{\overline{t}1}\;{y}_{\overline{t}1}\right)\right\}. \) If the recovered secret is equal to f(0), the algorithm decrypts x to get id of the user. If not, SK is not issued by the system and cannot be traced.
IA stores the f(x) when system sets up, and it holds the symmetric keys K _{1} and K _{2} that can decrypt x. So, IA runs the algorithm when a key needs to be traced.
4.5 Key delegation (SK, id’)
IA and RA can decrypt u _{1} and u _{2}, respectively; the former will compute new (x,y) according new user’s id, and the latter will rerandomize the random number.
4.6 Ciphertext delegation (CT, PK, AS, D _{0}, D _{j}, D _{j}’)
CDS is a trusted server, it stores the Hash function H : {0, 1}* → G _{0} to generate new access tree according the given access structure. It receives some decryption key components and a new access structure AS from DR1, while D _{0} includes the owner’s identity information and random number, which can be used for decrypting.
We first decrypt the access tree embedded in the ciphertext and get two expressions. Next, the ciphertext will be reencrypted with AS. Then, D _{0}, the expressions, and reencrypted ciphertext make up the new delegated ciphertext.
Otherwise,
i ∉ S, DecryptNodeL_A’(CT, PK, SK, x) = ⊥ When x is an interior node, call the algorithm DecryptNodeNL(CT,D_{0},D_{i},D_{i}’,x).
For all nodes z that are children of x, it calls DecryptNodeL_A’(CT,PK,D_{0},D_{i},D_{i}’,z) and stores the output as Fz. Let S _{ x } be a k _{ x } (the threshold value of interior node) random set and let F _{ z } ≠ ⊥. If no such set exists, the function outputs ⊥.
A _{0} and A _{1} are the expressions mentioned above; they will become the components of the delegated ciphertext with D _{0}.
4.7 Decrypt (PK, CT, SK)
In fact, decryption can be viewed as two parts: satisfying the access tree and decrypting the ciphertext.
We introduce two servers to carry on the process respectively. SDS possesses symmetric key K _{4} and K _{3} so that it can get random number and verify whether his set satisfies the access tree or not and run the algorithms: DecryptNodeL_A’, DecryptNodeL_A_{0}, DecryptNodeNL. TDS possesses symmetric key K _{2} so that it can decrypt u _{1}.
The general decryption process is described as follows:
Otherwise, i ∉ S DecryptNodeL_A’(CT, PK, SK, x) = ⊥
When x is an interior node, call the algorithm DecryptNodeNL(CT,SK,x).
For all nodes z that are children of x, it calls DecryptNodeL_A’(CT,PK,SK,z) and stores the output as Fz. Let S _{ x } be a k _{ x } (the threshold value of interior node) random set and let F _{ z } ≠ ⊥. If no such set exists, the function outputs ⊥.
Compared with the original ciphertext, the massage M is encrypted with (s + s’) instead of s, and the access structure is replaced by AS. DR3 decrypts the access tree and get an expression related to s’, which can be used for decrypting correctly with C’ and C0 in DCT.
We can get Ĉ from CT’: Ĉ = A _{0}A _{1}D _{0},
5 Security analysis
5.1 Traceability
In [22], the access structure is a sharegenerating matrix, while in our system, the access structure is an access tree.
Theorem 1 The security of traceability in our system is no weaker than that of [ 22 ].
Proof The decryption key in our system has partially similar structure with the key in [22]. \( D={g}^{\frac{\alpha +\left(a+c\right)\omega r}{\beta }}{g}^r \) includes master keys β, g ^{ α }, a, ω, a random number r, and a parameter c that denotes the user’s identity information. \( K={g}^{\frac{\alpha }{\left(a+c\right)}}{h}^tR \) includes master keys α, a, public key h, random numbers t and R, and a parameter c that denotes the user’s identity information. Compared with K in [22], we construct D with extra master keys β and ω, without any public keys. It is pretty difficult to get anyone of \( {g}^{\frac{\alpha }{\beta }},{g}^r,{g}^{\frac{\left(a+c\right)}{\beta }}. \)
According to security proof in [22], the design of the decryption key is secure. Thus, \( D={g}^{\frac{\alpha +\left(a+c\right)\omega r}{\beta }}{g}^r \) in our system is secure.
Theorem 2 The security of the traceable decryption key in our system is no weaker than that of [ 25 ].
Proof In \( {D}_j={k}^{rc}H{(j)}^{r_j}, \) we add master key ω and the parameter c to D _{ j } in [25] \( \left({D}_j={g}^rH{(j)}^{r_j}\right). \) Additionally, the other components are protected by symmetric encryption. Thus, the security in this component is no weaker than that of [25].
5.2 Key delegation
This part of function is realized by KDS, IA and RA, which means AA is replaced by KDS to some extent. SK = (D, D _{0}, D _{ k }, D _{ k }’), D and D _{0} are generated by IA and RA, and D _{k} and D _{k}’ will be calculated by KDS according to the given key’s information.
Theorem 3 It is computationally infeasible to attack the calculation of KDS.
Proof KDS receives another two parameters k ^{ rc }, k ^{(r+r’)c’} from IA, which can be used for calculating and rerandomizing attributerelated components of the key. The values all of those KDS receives and retrieves are \( {k}^{rc},{k}^{\left(r+r\hbox{'}\right)c\hbox{'}},{k}^{rc}H{(j)}^{r_j},{g}^{r_j},H{(j)}^{r_j} \)
According to DL problem, it is computationally infeasible to retrieve r _{ j } , rc and (r + r’)c’, let alone r or c. Thus, a semitrusted server can be designated as KDS, which is competent in this work.
5.3 Ciphertext delegation
It can be considered as two parts: decrypting the access tree and reencrypting with another specified access tree. Decrypting the access tree in our system is analogous to the decrypt algorithm in [25]. And, reencryption is analogous to the encrypt algorithm in [25].
Theorem 4 The security in ciphertext delegation is no weaker than that in [ 25 ].
We reencrypt with a new s ' ∈ ℤ _{ p } chosen by CDS, \( \tilde{C},C \) have been proved to be secure in [25]. Thus, by that analogy, \( \tilde{C}\hbox{'},C\hbox{'} \) in our system is secure.
6 Performance evaluation
6.1 Setup
The Setup procedure includes defining multiplicative cyclic group and generating PK and MK that will be used in encryption and key generation. There are three exponentiation operations and one pairing operation; three random numbers are chosen in Setup procedure. Time complexity of the procedure is O(1).
6.2 Encrypt
6.3 Key generation
This algorithm includes three parts: RA tackles the random number computation; IA computes the id information; AA generates the attributerelated key components. The time complexity of RA and IA is O(1) as shown in Fig. 4b. Computation cost of AA is proportional to the number of attributes is DR’s set, when the attribute number is m, the time complexity is O(m) as shown in Fig. 4c.
We add the severe RA and IA to achieve the id embedding in SK, RA needs to store the computation result of u _{2}, IA stores results of u _{1}, D, k ^{ arc }, the total storage cost is proportional to the number of DR. If each result needs 2 bytes, the storage cost of RA and IA is shown in Fig. 4d.
6.4 Key delegation
For each DR, KDS computes the unique SK. The computation process and cost are similar to RA. The total cost is proportional to the number of DR.
6.5 Decrypt
This algorithm also includes three parts: SDS decrypts the access tree in CT, TDS decrypts the rest part, and DR retrieves the final message. Thus, computation cost of SDS is proportional to the attributes number in DR’s set, and computation cost of TDS is constant as shown in Fig. 4e.
In brief, our system costs no more than CPABE by analysis but achieves more functions compared with existing works [22, 25].
7 Conclusions
Traceable CPABE is an important branch of CPABE, retaining the characteristics of CPABE. However, it cannot trace the owner with a decryption key. In contrast, key delegation is not supported in traceable CPABE. Without key delegation, the overhead will be very heavy due to the large number of new coming mobile users in MCC. Therefore, we reconstructed a new traceable CPABE system that supported key delegation and ciphertext delegation. We realized key delegation without loss of the traceability with the same computation overhead. To realize ciphertext delegation, we abandoned the reencryption key and tried to decrypt the access tree first and reencrypt the ciphertext with any monotonic access tree specified by the user next. In the future, we will study on making our system work under large universe and support more functions such as revocation.
Declarations
Acknowledgements
This work was jointly supported by the National Natural Science Foundation of China (No. 61402171, No. 61305056, and No. 61300132), Beijing Higher Education Young Elite Teacher Project (No. YETP0702), and the Fundamental Research Funds for the Central Universities (Nos. 2015MS35 and 2016MS29).
Competing interests
The authors declare that they have no competing interests.
Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
Authors’ Affiliations
References
 N Fernando, SW Loke, W Rahayu, Mobile cloud computing: a survey[J]. Future Generation Comput. Syst 29(1), 84–106 (2013)View ArticleGoogle Scholar
 AN Khan, MLM Kiah, SU Khan, SA Madani, Towards secure mobile cloud computing: a survey[J]. Future Generation Comput. Syst 29(5), 1278–1299 (2013)View ArticleGoogle Scholar
 D Zissis, D Lekkas, Addressing cloud computing security issues[J]. Future Generation Comput. Syst 28(3), 583–592 (2012)View ArticleGoogle Scholar
 S Subashini, V Kavitha, A survey on security issues in service delivery models of cloud computing[J]. J. Netw. Comput. Appl 34(1), 1–11 (2011)View ArticleGoogle Scholar
 R Buyya, CS Yeo, S Venugopal, J Broberg, L Brandic, Cloud computing and emerging IT platforms: vision, hype, and reality for delivering computing as the 5th utility[J]. Future Generation Comput. Syst 25(6), 599–616 (2009)View ArticleGoogle Scholar
 Z Guan, T Yang, X Du, Achieving secure and efficient data access control for cloudintegrated body sensor networks[J]. Int. J. Distributed Sensor Netw 2015, 142 (2015)Google Scholar
 F Li, Y Rahulamathavan, M Conti, M Rajarajan, Robust access control framework for mobile cloud computing network[J]. Comput. Communicat 68, 61–72 (2015)View ArticleGoogle Scholar
 YA Younis, K Kifayat, M Merabti, An access control model for cloud computing[J]. J. Inf. Secur. Appl 19(1), 45–60 (2014)Google Scholar
 Alizadeh M, Abolfazli S, Zamani M, et al. Authentication in mobile cloud computing: A survey[J]. J. Netw. Comput. Appl 29(1), 84106 (2016)Google Scholar
 Lin H, Xu L, Mu Y, et al. A reliable recommendation and privacypreserving based crosslayer reputation mechanism for mobile cloud computing[J]. Future. Generation. Comput. Syst 52(C), 125136 (2014)Google Scholar
 Z Liu, Z Cao, D Wong, Whitebox traceable ciphertextpolicy attributebased encryption supporting any monotone access structures[J]. Inf. Forensics Secur. IEEE Trans 8(1), 76–88 (2013)View ArticleGoogle Scholar
 A Sahai, B Waters, Fuzzy identitybased encryption[M]//Advances in Cryptology–EUROCRYPT 2005 (Springer, Berlin Heidelberg, 2005), pp. 457–473MATHGoogle Scholar
 Goyal V, Pandey O, Sahai A, Waters B. Attributebased encryption for finegrained access control of encrypted data[C]// ACM Conference on Computer and Communications Security, CCS 2006. (Alexandria, 2006), p. 8998Google Scholar
 Bethencourt J, Sahai A, Waters B. Ciphertextpolicy attributebased encryption[C]//Security and Privacy, 2007. SP’07. IEEE Symposium on. (Oakland, IEEE, 2007), p. 321334Google Scholar
 MJ Hinek, S Jiang, R SafaviNaini, SF Shahandashti, Attributebased encryption with key cloning protection[J]. IACR Cryptol. ePrint Arch 2008, 478 (2008)MATHGoogle Scholar
 J Li, K Ren, K Kim, A2BE: accountable attributebased encryption for abuse free access control[J]. IACR Cryptol. ePrint Arch 2009, 118 (2009)Google Scholar
 J Li, K Ren, B Zhu, Z Wan, Privacyaware attributebased encryption with user accountability[M]//Information Security (Springer, Berlin Heidelberg, 2009), pp. 347–362MATHGoogle Scholar
 MJ Hinek, S Jiang, R SafaviNaini, SF Shahandashti, Attributebased encryption without key cloning[J]. Int. J. Appl. Cryptography 2(3), 250–270 (2012)MathSciNetView ArticleMATHGoogle Scholar
 Chen C, Anada H, Kawamoto J, Sakurai K. Hybrid encryption scheme using terminal fingerprint and its application to attributebased encryption without key misuse[M]//Information and Communication Technology. Springer International Publishing (Springer, Berlin Heidelberg, 2015), pp. 255264.Google Scholar
 B Chor, A Fiat, M Naor, Tracing traitors[C]//Advances in cryptology—CRYPTO’94 (Springer, Berlin Heidelberg, 1994), pp. 257–270MATHGoogle Scholar
 S Mitsunari, R Sakai, M Kasahara, A new traitor tracing[J]. IEICE Trans. Fundamentals Electron. Commun. Comput. Sci 85(2), 481–484 (2002)Google Scholar
 R SafaviNaini, Y Wang, Sequential traitor tracing[C]//Advances in Cryptology—CRYPTO 2000 (Springer, Berlin Heidelberg, 2000), pp. 316–332MATHGoogle Scholar
 H Chabanne, DH Phan, D Pointcheval, Public traceability in traitor tracing schemes[M]//Advances in Cryptology–EUROCRYPT 2005 (Springer, Berlin Heidelberg, 2005), pp. 542–558MATHGoogle Scholar
 D Boneh, A Sahai, B Waters, Fully collusion resistant traitor tracing with short ciphertexts and private keys[M]//Advances in CryptologyEUROCRYPT 2006 (Springer, Berlin Heidelberg, 2006), pp. 573–592MATHGoogle Scholar
 H Ma, G Zeng, Z Wang, J Xu, Fully secure multiauthority attributebased traitor tracing[J]. J. Comput. Inf. Syst 9(7), 2793–2800 (2013)Google Scholar
 Z Liu, Z Cao, DS Wong, Traceable CPABE: how to trace decryption devices found in the wild[J]. Inf. Forensics Secur. IEEE Trans 10(1), 55–68 (2015)View ArticleGoogle Scholar
 J Ning, X Dong, Z Cao, L Wei, X Lin, Whitebox traceable ciphertextpolicy attributebased encryption supporting flexible attributes[J]. Inf. Forensics Secur. IEEE Trans 10(6), 1274–1288 (2015)View ArticleGoogle Scholar
 J Katz, D Schröder, Tracing insider attacks in the context of predicate encryption schemes, 2011Google Scholar
 Ning, Jianting, et al. Accountable authority ciphertextpolicy attributebased encryption with whitebox traceability and public auditing in the cloud. Computer Security  ESORICS 2015. Springer International Publishing (Springer, Berlin Heidelberg, 2015)Google Scholar
 S Luo, J Hu, Z Chen, Ciphertext policy attributebased proxy reencryption[M]//Information and Communications Security (Springer, Berlin Heidelberg, 2010), pp. 401–415Google Scholar
 Lai J, Deng R H, Yang Y, Weng J. Adaptable ciphertextpolicy attributebased encryption[M]//PairingBased Cryptography–Pairing 2013. Springer International Publishing (Springer, Berlin Heidelberg, 2013), pp. 199214.Google Scholar
 Liang K, Fang L, Susilo W, Wong DS. A CiphertextPolicy AttributeBased Proxy Reencryption with ChosenCiphertext Security[C]// International Conference on Intelligent NETWORKING and Collaborative Systems. (Xi'an, IEEE, 2013), pp. 552559Google Scholar
 Liang K, Au M H, Susilo W, Wong D S, Yang G, Yu Y. An adaptively CCAsecure ciphertextpolicy attributebased proxy reencryption for cloud data sharing[M]//Information Security Practice and Experience. Springer International Publishing (Springer, Berlin Heidelberg, 2014), pp. 448461Google Scholar