Ciphertext-Policy Attribute-based Encryption with Hidden Sensitive Policy for Recruitment in Smart City

Smart city, as a promising technical tendency, greatly facilitates citizens and generates innumerable data, some of which is very private and sensitive. To protect data from unauthorized users, ciphertext-policy attribute-based encryption (CP-ABE) enables data owner to specify an access policy on encrypted data. However, There are two drawbacks in traditional CP-ABE schemes. On the one hand, the access policy is revealed in the ciphertext so that sensitive information contained in the policy is exposed to anyone who obtains the ciphertext. For example, both the plaintext and access policy of an encrypted recruitment may reveal the company’s future development plan. On the other hand, the decryption time scales linearly with the complexity of the access, which makes it unsuitable for resource-limited end users. In this paper, we propose a CP-ABE scheme with hidden sensitive policy for recruitment in smart city. Speciﬁcally, we introduce a new security model chosen sensitive policy security : two access policies embedded in the ciphertext, one is public and the other is sensitive and fully hidden, only if user’s attributes satisfy the public policy, it’s possible for him/her to learn about the hidden policy, otherwise he/she cannot get any information (attribute name and its values) of it. When the user satisﬁes both access policies, he/she can obtain and decrypt the ciphertext. Compared with other CP-ABE schemes, our scheme supports a more expressive access policy, since the access policy of their schemes only work on the “AND-gate” structure. In addition, intelligent devices spread all over the smart city, so partial computational overhead of encryption of our scheme can be outsourced to these devices as fog nodes, while most part overhead in the decryption process is outsourced to the cloud. Therefore, our scheme is more applicable to end users with resource-constrained mobile devices. We prove our scheme to be selective secure under the decisional bilinear Diﬃe-Hellman (DBDH) assumption.


Introduction
Smart city is a new concept brought up with the technological revolution. It can provide various digital services for citizens to make their life more convenient among all aspect of daily life including education, health care, traffic transport, job recruitment and so on. Based on the Internet of Things (IoT), thousands of smart devices underlying these services produce outsource large amounts of data to a cloud server. Cloud server is an internet-based paradigm that provides massive data storage and processing services for innumerable enterprises and individuals. Fog computing [1] as an extension of cloud computing provides resource services at the edge of the network, such as access points, routers and base stations. As shown in Fig. 1,such devices can be found everywhere in the smart city bringing about many attractive features, such as low latency, mobility and location-awareness.
Generally speaking, data and services on the cloud are open and accessible to anyone, and data owner will lose any control on the data as soon as it uploaded to the cloud. In many distributed applications, it is necessary to enforce a specific access control policy on sensitive data which is intended to be read only by authorized users.
To solve these problems, attribute-based encryption (ABE) [2] is initially introduced by Sahai et al. to achieve scalable and fine-grained access control on encrypted data. ABE schemes are generally divided into two types: key-policy ABE (KP-ABE) [3] and ciphertext-policy ABE (CP-ABE) [4]. In CP-ABE, the data owner specifies an access policy in the ciphertext and the private key of end user is associated with an attribute set. Anyone can decrypt the ciphertext if his/her attributes satisfy the access policy. It is on the contrary for the KP-ABE. Since the access policy is defined by the data owner, CP-ABE is more suitable for the data sharing in cloud storage scenario.
One problem in traditional CP-ABE scheme [4,5] is that the access policy is sent along with a ciphertext to inform end users which attributes satisfy the access policy so that sensitive information contained in the policy will be revealed to anyone who obtains the ciphertext. However, this property is not suitable for many application scenarios, such as medical, industrial and financial fields. For example, the access policy of patient's medical file may expose individual privacy; a company may hire some certain qualified people who satisfy a specific policy and this policy may expose the company's future development strategy.
If it is not known which attributes should be used for decryption, the decryption will be infeasible for authorized users. As a trade-off between the policy privacy and the feasibility, Nishide et al. [6] first introduced the notion of CP-ABE with partially hidden access policy. In their scheme, each attribute consists of two parts: attribute name and its values, instead of hiding the whole attribute, only attribute value is concealed in the access policy. Although this method protects the privacy of the policy to some extent, it also has some drawbacks: in some cases, the attribute name still contains sensitive and valuable information, and it's still revealed in the access policy; If the end user has multiple values for each attribute, the decryption time maybe super-polynomial, since he/she has to guess which attribute value is exactly embedded in the ciphertext. Inner-product predicate encryption (IPE) [7] can also be applied to construct a CP-ABE scheme with fully hidden policy, but the access structure must be transformed to an inner-product predicate, which give rise to a super-polynomial blow up in ciphertext size.
Sometimes, one part of information of the access policy is very sensitive and should be kept secret while another part is not. For example: sharing a recruitment in the cloud, and it can only be accessed by specific applicants. The access policy may be defined as {[ Gender: male or female ] AND [ Education: M.D. or PH.D. ]} AND { [ Probability and statistics: statistics or econometrics] AND [ Computer science and technology: data mining or machine learning ]}. In this case, the "Probability and statistics: statistics or econometrics" and "Computer science and technology: data mining or machine learning" in the access policy are obviously more sensitive, since it may reveal commercial confidentiality that the company is managing to achieve transformation with the help of IoT.
Another problem in the existing ABE schemes [3][4][5] is that the number of pairing and exponentiation operations for ciphertext decryption is linear with the complexity of access policy, which means the computation cost of end user is quite expensive. This property is not suitable for users on their resource-constrained mobile devices. To reduce the computational overhead of end user, some cryptographic operations with heavy computational load can be outsourced to third-party service [8,9].

Motivation
In the above mentioned example, data owner could encrypt the data in a different way such that any one obtaining the ciphertext can only learn about the public access policy (i.e., [ Gender: male or female ] AND [ Education: M.D. or PH.D. ]), while the sensitive information in the secret policy ( i.e., [ Probability and statistics: statistics or econometrics] AND [ Computer science and technology: data mining or machine learning ]) including attribute name and its values should be fully hidden. Fig. 2 and 3 graphically shows this example.
There seems to be a simple solution to protect the privacy of sensitive policy. Specifically, one can use a classic CP-ABE to encrypt the sensitive access policy under the public access policy as first part of the ciphertext, and use CP-ABE to encrypt the message under the secret-access-policy as the second part. However, in this method, the cloud can't check whether the end user has sufficient authorities to access the ciphertext, since we want the ciphertext can only be obtained by authorized end users. Another drawback of this method is that the decryption overhead of the second part ciphertext can't be outsourced to the cloud.

Contributions
Motivated by the above observation, in this paper, to protect the privacy of recruitment, we propose a ciphertext-policy attribute-based encryption with hidden sensitive policy for recruitment in smart city. In our scheme, company, as a data owner, publishes an encrypted recruitment for the applicant, as the end user, in the cloud. Only authorized end user can access the encrypted recruitment, and the privacy of the sensitive access policy is preserved from authorized end users. The contribution of our scheme is shown as follow. Hidden sensitive policy: There are two access policies in the encrypted recruitment, one is public and the other is secret and fully hidden. Anyone satisfies both access policies, he/she can decrypt the ciphertext. For the privacy of sensitive policy, we propose a new security model i.e., chosen sensitive policy attack (CSPA): only if user's attributes satisfy the public policy, it's possible for him/her to learn the secret policy, otherwise he/she cannot get any information of it. Specifically, the end user generates two sets of randomized secret keys, where each component of the one set corresponds to a public attribute name (or value) and each component of the other set corresponds to an attribute index (user-generated hash value). The end user uploads the two sets to the cloud to check whether he/she has authority to decrypt the ciphertext with double policies. Only on the premise that user's attribute set satisfies the public access policy, the cloud can detect whether the attribute contained in each leaf node in the access tree of secret policy exists in the user's attribute set, and then inform the user of the corresponding relationship between the leaf node and the attribute index. In this process, since the cloud does not know which attribute the attribute index corresponds to , it cannot learn about which attribute the leaf node in the access tree of secret policy stands for. An unauthorized end user can't obtain the ciphertext or learn the secret policy either. Therefore, our scheme protects the privacy in sensitive access policy of the recruitment from unauthorized applicants. Expressive and efficient: Our scheme is expressive and efficient. Our scheme supports any monotone access structure instead of restricted policy such as AND-gates on multi-values. The size of the ciphertext scales linearly with the complexity of the access policy. End user doesn't need to test several times, which cloud be super-polynomial in some previous schemes, before finding the attributes for successful decryption, even if he/she has multiple values for each attribute. Applicable for resource-limited end user: With the help of thousands of fog nodes in the smart city, the computational overhead of data owner generating the sub-ciphertext of the public access policy can be outsourced, and most computational overhead of decryption is shifted from end user to the cloud, leaving a constant number of operations to decrypt the ciphertext. Therefore, it is more suitable for resource-constrained end users.

Discussion
Sahai et al. [2] first introduced the concept of attribute-based encryption (ABE), which can be divided into two forms: ciphertext-policy ABE (CP-ABE) [4] and key-policy ABE (KP-ABE) [3] . Bethencourt et al. [4] proposed the first CP-ABE scheme, in which the access policy is very expressive and specified by the data owner. From then on, ABE schemes with various functionalities have been widely constructed, e.g., supporting regular languages [10,11], with unbounded attribute size [10,12,13], with constant-size ciphertext [14], with multi-authority [15][16][17], and with adaptive security [18][19][20]. One drawback in traditional CP-ABE schemes [4,5] is that the number of pairing and exponentiation operations for ciphertext decryption is linear with the complexity of access policy, which means the computation cost of end user is quite expensive. This defect in attribute encryption makes it unsuitable for users with resource-constrained devices. To reduce the computation cost of end user, Green et al. [9] provided a new methods for efficiently and securely outsourcing decryption of ABE ciphertexts. In their scheme, most of the heavy cryptographic operations of decryption algorithm are outsourced to the cloud, leaving only a small number of operations for the end user. Li et al. [21] also considered to outsource key-issuing and decryption simultaneously for ABE schemes by introducing two cloud service providers. In the wake of 5G and IoT techniques, fog computing [1] is considered to be a new data resource that can provide high-quality outsourcing services. In fog computing environment, Zuo et al. [22] proposed a practical CP-ABE scheme with outsourced decryption, while Zhang et al. [23] supports outsourced encryption, outsourced decryption and attribute update.
However, the access policy must be revealed in most of these schemes, since end users need to know how they combine their secret key components for decryption. This may lead to privacy disclosure, so research on the anonymity of access policies is necessary. Nishide et al. [6] first introduced the concept of partially hidden access policy to achieve anonymity, in which the attribute is split into an attribute name and its values, and only the attribute values are hidden. Some other works [24][25][26] improved the efficiency and security of [6], but their policies are all restricted with AND-gates on multi-values as in [6]. Later, Lai et al. [27] proposed an expressive fully secure CP-ABE scheme with the LSSS-based partially hidden policy in composite order groups. Based on Lai's scheme, Cui et al. [28] proposed a more efficient one in prime order groups. However, looking for the correct attributes for successful decryption, both [27] and [28] need authorized users to test several times, which cloud be super-polynomial in special cases, for instance, user has many values for each attribute. All the above schemes focus on the partially hidden access policy, while the public attribute names may also lead to the leakage of sensitive information. Some other schemes based on the inner-product predicate encryption [18,29] and hidden vector encryption [30] are proposed to protect the policy privacy, but their efficiency are seriously restricted, which means that the size of ciphertext could be super-polynomial.

Result
In this paper, we propose a ciphertext-policy attribute-based encryption with hidden sensitive policy for recruitment in smart city. In our scheme, sensitive access policy of encrypted recruitment is fully hidden; expressive policy is supported; the ciphertext size is polynomial; the most computational overhead of decryption is outsourced to the cloud server, leaving a constant number of operations for the end user. We summarize the comparisons of various CP-ABE schemes with hidden policy in Table 1.

Preliminaries
In this section, we introduce some background knowledge, which includes access structure, access tree, bilinear maps, Diffie-Hellman assumption and its variants.

Access Structures
Definition 1 (Access structure [4]) Let {P 1 , P 2 , . . . , P n } be a set of parties. A collection A ⊆ 2 {P1,P2,...,Pn} is monotone if ∀B, C: if B ∈ A and B ⊆ C then C ∈ A. An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) A of non-empty subsets of {P 1 , P 2 , . . . , P n }, i.e., The sets in A are called the authorized sets, and the sets not in A are called the unauthorized sets. In this paper, attributes take the role of the parties and we only focus on the monotone access structure A, which consists of the authorized sets of attributes. Obviously, attributes can directly reflect a user's authority. Definition 2 (Access tree [4]) Let T be a tree representing an access structure. Each non-leaf node of the tree represents a threshold gate, described by its children and a threshold value. If num x is the number of children of a node x and k x is its threshold value, then 0 ≤ k x ≤ num x . When k x = 1, the threshold gate is an OR gate and when k x = num x , it is an AND gate. Each leaf node x of the tree is describe by an attribute and a threshold value k x = 1.
We introduce a few functions defined in [4] as follows. parent(x) denotes the parent of the node x in the tree. The access tree T also defines an ordering between the children of every node, that is, the children of a node are numbered from 1 to num. The function index(x) returns such a number associated with the node x, where the index values are uniquely assigned to nodes in the access structure for a given key in an arbitrary manner. Each leaf node x corresponds to an attribute a j , and this relationship should be revealed in the access tree T . To protect the privacy of access policy, we defined the access tree with hidden attributes T . Definition 3 (Access tree with hidden attributes T ) T is an access tree with structure the same as normal access trees, except that it doesn't reveal any information about the correspondence between leaf nodes and attributes.
For better understanding, assuming that x i , y i are the indexes of leaf nodes and a i is the corresponding attribute, the comparison of two kinds of access tree is shown as following Fig. 4 and 5. Definition 4 (Satisfying an access tree [4]) Let T be an access tree with root r. Denote by T x the subtree of T rooted at the node x. Hence T is the same as T r . If a set of attributes γ satisfies the access tree T x , we denote it as T x (γ) = 1. We compute T x (γ) recursively as follows. If x is a non-leaf node, evaluate T x (γ) = 1 for all children x of node x. T x (γ) returns 1 if and only if at least k x children return 1. If x is a leaf node, then T x (γ) returns 1 if and only if att(x) ∈ γ.

Bilinear Map and DBDH Assumption
We briefly recall the definitions of the bilinear map and the decisional bilinear Diffie-Hellman (DBDH) assumption. Let G 0 and G T be two multiplicative cyclic groups of prime order p. Let g be a generator of G 0 and e be a efficient computable bilinear map, e : G 0 × G 0 → G T . The bilinear map e has a few properties: (1) Bilinearity: for all u, v ∈ G 0 and a, b ∈ Z p , we have e(u a , v b ) = e(u, v) ab . (2) Nondegeneracy: e(g, g) = 1. We say that G 0 is a bilinear group if the group operation in G 0 and the bilinear map e : G 0 × G 0 → G T are both efficiently computable. Notice that the map e is symmetric since e(g a , g b ) = e(g, g) ab = e(g b , g a ).
Given the bilinear map parameter (G 0 , G T , p, e, g) and three random elements (x, y, z) ∈ Z 3 p , if there is no probabilistic polynomial time (PPT) adversary B can distinguish between the tuple (g, g x , g y , g z , e(g, g) xyz ) and the tuple (g, g x , g y , g z , ϑ), we say that the DBDH assumption holds, where ϑ is randomly selected from G T . More specifically, the advantage of B in solving the DBDH problem is defined as Pr[A(g,g x ,g y ,g z ,e(g, g) xyz ) = 1]−Pr[A(g,g x ,g y ,g z ,ϑ) = 1] . (1)

Definition 5 (DBDH)
We say that the DBDH assumption holds if no PPT algorithm has a non-negligible advantage in solving DBDH problem.

System and Security Model
In this section, we introduce the system description, system model, threat model and security model of our scheme.

System Description
As shown in Fig. 6, we consider a ciphertext retrieval scenario in fog computing environment. It consists of five parties: Key Authority Center (KAC), Data Owner (DO), Cloud Server (CS), End User (EU), and Fog Nodes (FN). The specific role of each party is given as follows: • Key Authority Center (KAC): The KAC is a fully trusted third party which is in charge of generating public parameters and secret keys. • Data Owner (DO): The DO defines the access structure to encrypt a ciphertext CT with the help of fog nodes. • Cloud Server (CS): The CS has huge computing power and storage capacity, it can provide computing and storage services to both data owner and end user, especially to help end user partially decrypt the ciphertext.
• End User (EU): Resource-constrained user submits a trapdoor to the CS, which will help him/her to partially decrypt the ciphertext. • Fog Nodes (FN): Some computational overheads can be outsourced from the DO to the fog nodes during the encryption process.

System Model
Our scheme includes the following six algorithms:

Threat Model
In this paper, we assume that the KAC is a fully trusted third party, while the CS and FN are honest-but-curious entities, which exactly follow the protocol specifications but also are curious about the sensitive information of ciphertexts and trapdoors. Users are not allowed to collude with CS or FN. Nevertheless, malicious users may collude with each other to access some unauthorized ciphertexts.

Security Model
Our scheme achieves chosen plaintext security by the following security game between a PPT adversary A and a challenger C.
• Initialization: A chooses and submits two challenge access policies T * 1 and T * 2 to its challenger C. • Setup: C runs Setup algorithm and returns the public key P K to A. • P hase 1: A adaptively submits any attribute set S to C with the restriction that (S T * 1 S T * 2 ). In response, C runs KeyGen algorithm and answers A with the corresponding SK.
• Challenge: A chooses two equal-length challenge messages (m 0 , m 1 ), and submits them to C. Then C picks a random bit ϑ ∈ {0, 1}, runs Enc algorithm to encrypt m ϑ with T * 1 and T * 2 , and returns the challenge ciphertext CT * to A. • P hase 2: This phase is the same as Phase 1.
• Guess: A outputs a guess bit ϑ of ϑ. We say that A wins the game if and only if ϑ = ϑ. The advantage of A to win this security game is defined as Adv(A) = Pr[ϑ = ϑ] − 1 2 . Definition 6 Our scheme achieves IND-CPA security if there exist no PPT adversary winning the above security game with a non-negligible advantage under the DBDH assumption.
In addition, we define a new security model chosen sensitive policy attack (CSPA) for our scheme by the following security game between A and C.
• Initialization: A chooses and submits a challenge access structure T * 1 to its challenger C.
• Setup: C runs Setup algorithm and gives P K to A. • P hase 1: A adaptively submits any attribute set S with the restriction that S T * 1 . In response, C runs Trap algorithm and responds A with the corresponding trapdoor T r.
• Challenge: A submits m * and two challenge hidden policies T 0 * 2 and T 1 * 2 with the same structure. Then, C picks a random bit ϑ ∈ {0, 1}, and returns the challenge ciphertext CT * encrypted with T * 1 and T ϑ * 2 . • P hase 2: This phase is the same as Phase 1.
• Guess: A outputs a guess bit ϑ of ϑ. We say that A wins the game if and only if ϑ = ϑ. The advantage of A to win this security game is defined as Adv(A) = Pr[ϑ = ϑ] − 1 2 . Definition 7 Our scheme achieves IND-CSPA security if there exist no PPT adversary winning the above security game with a non-negligible advantage under the DBDH assumption.

Construction of Our Scheme
In this section, we present the concrete construction of CP-ABE scheme with hidden sensitive policy.
Without loss of generality, we suppose that there are n possible attributes in total and L = {a 1 , a 2 , · · · , a n } is the set of all possible attributes. Assume G 0 , G T are multiplicative cyclic groups with prime order p and the generator of G 0 is g. Let λ be the security parameter which determines the size of groups. Let e : G 0 × G 0 → G T be a bilinear map and H : {0, 1} * −→ Z p be a hash function which maps any string to a random element of Z p . We also define the Lagrange coefficient ∆ i,L (x) = j∈L,j =i x−j i−j , where i ∈ Z p and a set L, of elements in Z p . The details of our scheme are as follows.
• Setup(1 λ , L) → (P K, M SK): Given a security parameter λ and all possible attributes L, the KAC chooses a bilinear group G 0 with prime order p and generator g. Next, it picks α, β ∈ R Z * p and h ∈ R G 0 . For each attribute a j ∈ L, it selects v j , v j ∈ R Z * p . Finally, it generates the public key P K and master secret key M SK as P K =    G 0 , g, h, g α , e(g, g) β , e(g, h) β , (2) • KeyGen(M SK, S) → SK: While receiving an attribute set S from the EU, the KAC selects r, r ∈ R Z * p and returns the secret key SK as SK =    g β+αr , h β+αr , g αr h r , h αr+r , g r , • Enc(P K, T 1 , T 2 , M ) → CT : The DO chooses ck ∈ R Z * p as a symmetric encryption key and encrypts message M with ck, E ck (M ), by using symmetric encryption (AES). Then, it encrypts ck with the help of the FN as follows: 1 The DO sends T 1 to the FN. The FN randomly choose a polynomial q x for each node x of T 1 from the root node R 1 in a top-down manner: where k x is the threshold value of x; beginning with root node R 1 , the FN pick s 1 ∈ R Z * p , sets q R1 (0) = s 1 and randomly choose d R1 = k R1 − 1 other points of q R1 to define the polynomial completely; for any other node x, they set q x (0) = q parent(x) (index(x)) and choose d x other points to define q x completely. The FN generate the CT 1 as where X 1 is a set of attributes corresponding with all leaf nodes in T 1 and each x ∈ X 1 is corresponding with attribute a j . Note that T 1 is stored in CT 1 in the form of plaintext, so the privacy of the access policy of T 1 is exposed. 2 The DO picks s 2 ∈ R Z * p and sends g s2 , h s2 to FN to generate CT 1 as 3 The DO picks s 3 , s 4 ∈ R Z * p and generates the ciphertext CT 2 corresponding with the T 2 in the same way of CT 1 . For each node y of T 2 , q y (0) and d y are defined exactly the same with above q x (0) and d x ; for the root node R 2 of T 2 , q R2 (0) = s 3 . Then, and where each leaf node y is corresponding with attribute a j and X 2 is a set of all leaf nodes in T 2 . Since T 2 is just the structure of T 2 , T 2 can not reflect the corresponding relationship between leaf nodes and attributes. Therefore, the privacy of the access policy of T 2 can be preserved. 4 The DO computes C = ck · e(g, g) β(s2+s4) and sends E ck (M ), C, CT 2 to FN, which generate and upload to the final ciphertext CT to the CS, where • Trap(SK) → T r: The Trap algorithm proceeds as follows. The EU chooses x , y , z , k ∈ R Z * p , and computes the attribute index H j = H(k j) for each a j ∈ S, and generates the following trapdoor T r with its SK as where the set {T access verification and ciphertext precomputation.
-Access Verification: Due to this process is a recursive procedure, we first define a recursive algorithm F x = F x (C x 1 , C x 2 , T j 10 , T j 11 , x) intaking (C x 1 , C x 2 , x) in CT 1 and (T j 10 , T j 11 ) in T r respectively. For each node of T 1 , the CS runs a recursive algorithm as follows: (1) If x is a leaf node of T 1 . Let a j is the corresponding attributes of node x. If a j ∈ S, the CS computes If a j ∈ S, set F x = null.
(2) If x is a non-leaf node, the recursive algorithm is defined as: for all child nodes z of x, where a i is the corresponding attributes of node z, the CS computes F z = F z (C z 1 , C z 2 , T i 10 , T i 11 , z) recursively. Let S x be an arbitrary k x -sized set of child nodes z satisfying F z = null. If S x doesn't exist, F x = null. Otherwise, the CS calculates where i = index(z) and S x = {index(z) | ∀z ∈ S x }.
Then, for each leaf node y ∈ T 2 , the CS defines and checks whether there exists an H j ∈ {H j } aj ∈S such that If S |= T 1 and there exists an H j ∈ {H j } aj ∈S such that the a j is the corresponding attribute of leaf node y, then = e(g (β+αr)x , h qy(0) ) · e(h (β+αr)y , g qy(0) ) = e(T 3 , C y 4 ) · e(T 4 , C y 3 ).
By running the above functions recursively, the CS can find out whether this EU has the attribute corresponding to each leaf node of T 2 , and then check out whether it has the authority to access the ciphertext CT , e.t., S |= T 1 and S |= T 2 . If CT is accessible, CS outputs the following Table 2. Otherwise, the algorithm outputs ⊥. Assume that the EU has the attributes corresponding to t leaf nodes in T 2 .

-Ciphertext Precomputation:
If CT is accessible, i.e., S |= T 1 and S |= T 2 , the algorithm is similar to the recursive procedure defined in the above algorithm.
(1)If x is a leaf node of T 1 . If a j ∈ S, the CS sets G x = G x (C x 1 , T j 10 , x) and computes If a j ∈ S, set G x = null.
(2) If x is a non-leaf node, for all child nodes z of x, the CS computes G z = G x (C z 1 , T j 10 , z) recursively. Let S x be an arbitrary k x -sized set of child nodes z satisfying G z = null. If S x doesn't exist, G x = null. Otherwise, the CS calculates where i = index(z) and S x = {index(z) | ∀z ∈ S x }. Then CS gets G R1 = e(g, g) αrs1x , and computes A = G R1 · e(T 6 , h s1+s2 ) e(T 5 , g s1+s2 ) = e(g, g) αrs1x · e(g r x , h s1+s2 ) e(g αrx h r x , g s1+s2 ) = e(g, g) αrs2x .
Finally, the CS returns the precomputed ciphertext to the EU. • Dec(( CT , x ) → M : The EU derives the symmetric secret key ck as and uses ck to decrypt E c k(M ) by symmetric decryption.
Remark 1 Different from previous schemes, we let the attribute a j (or leaf node x, attribute index H j ) appear in the component of secret key (or ciphertext, trapdoor) just to make it clearer which attribute (or leaf node, attribute index) the component of secret key (or ciphertext, trapdoor) corresponds to.

Remark 2
Once the EU has access to the ciphertext, the CS will find out that the leaf nodes in the access tree must correspond to some attributes in S. Therefore, we made a small modification to the Trap algorithm, replacing {T j 10 , T j 11 , a j | ∀a j ∈ S} with {T j 10 , T j 11 , a j | ∀a j ∈ S 1 }, where S 1 ⊆ S. Since the public access policy is revealed in the ciphertext, the end user can decide the attribute set S 1 by their own. In addition, the Trap algorithm can be run offline while the device is charging.

Remark 3
The computational overhead of the CS to run the Access Verification algorithm scales linearly with | T 1 | + | S | · | T 2 |, supposed that | S | is the number of attributes the EU owned and | T 1 |, | T 2 | is the number of leaf nodes in the access tree T 1 , T 2 respectively. Thus, it doesn't need a super-polynomial time to find out the correct attributes for successful decryption.

Analysis of Our Scheme
In this section, we provide a formal security analysis of our scheme.

Security Analysis
Theorem 1 Supposed that a PPT adversary A can break the IND-CPA security of our scheme with a non-negligible advantage > 0, then there exists a PPT simulator B that can distinguish a DBDH tuple from a random tuple with an advantage 2 .
Proof 1 Given the bilinear map parameter (G 0 , G T , p, e, g). The DBDH challenger C selects a , b , c ∈ Z p , θ ∈ {0, 1}, R ∈ G T at random. Let Z = e(g, g) a b c , if θ = 0, R else. Next, C sends B the tuple g, g a , g b , g c , Z . Then, B plays the role of challenger in the following security game.
• Initialization: A submits two challenge access policy T * 1 and T * 2 to B. • Setup: B chooses β , x ∈ Z p at random and sets h = g x , g α = g a , e(g, g) β = e(g, g) β +a b = e(g, g) β e(g a , g b ), e(g, h) β = e(g, g) βx . For each attribute a j ∈ L, B picks s j , s j ∈ R Z p . If a j ∈ T * 1 , set g vj = g a s j , otherwise g vj = g sj ; if and sends P K to A, where P K = G 0 , g, h, g α , e(g, g) β , e(g, h) β , • P hase 1: A adaptively submits any attribute set S ∈ L to B with the restriction that (S T * 1 S T * 2 ). In response, B picksr,r ∈ Z p at random, computes g r = gr g b = gr −b , g β+αr = g β +a b +a (r−b ) = g β +a r , h β+αr = g (β +a r)x = h β +a r , g αr hr, h αr hr, gr. For each a j ∈ S, if a j ∈ T * 1 , B computes g answers A with the corresponding secret key SK =    g β +αr , h β +a r , g αr hr, h αr hr, gr, • Challenge: A submits two equal-length challenge messages {m 0 , m 1 } to B. Then, B chooses s 1 , s 2 ∈ R Z p and generates where X * 1 is a set of attributes corresponding with all leaf nodes in T * 1 and each x * ∈ X * 1 is corresponding with attribute a j . The B sets and generates CT * 2 in a similar method. B picks s 3 ∈ R Z p and sets g s4 = g c g s 2 , h s4 = g s4x , e(g, g) β(s2+s4) = Z · e(g, g) β c . So, where Finally, B randomly picks θ ∈ {0, 1}, sets C * = m θ · Z · e(g, g) β c , and returns A the final challenge ciphertext CT * = {T * 1 , T * 2 , C * , CT * 1 , CT * 2 }. • P hase 2: This phase is the same as Phase 1.
• Guess: A outputs a guess bit θ of θ . If θ = θ , B guesses θ = 0 which indicates that Z = e(g, g) a b c in the above game. Otherwise, B guesses θ = 1 i.e., Z = R.
If Z = R, then CT * is random from the view of A. Hence, B s probability to guess θ correctly is Else Z = e(g, g) a b c , then CT * is available and A s advantage of guessing θ is . Therefore, B s probability to guess θ correctly is In conclusion, B s advantage to win the above security game is Theorem 2 Supposed that a PPT adversary A can break the IND-CSPA security of our scheme with a non-negligible advantage > 0, then there exists a PPT simulator B that can distinguish a DBDH tuple from a random tuple with an advantage 2 . Proof 2 The proof process of this theorem is similar to that of Theorem 1. The DBDH challenger C sends B the tuple g, g a , g b , g c , Z , in which Z = e(g, g) a b c or R. A chooses a challenge access structure T * initially. B returns public key in the same way as in Theorem 1. Then A adaptively submits any attribute set S with the restriction that S T * . Since B can generate secret keys as in Theorem 1, it can naturally answer A with the corresponding trapdoor T r. In the challenge phase, A submits m * and two challenge policies T * 0 and T * 1 with the same structure, i.e., T * 0 = T * 1 . B randomly picks θ ∈ {0, 1}, generates CT * 2 with T * θ and returns the challenge ciphertext CT * . If A's advantage of guessing θ is , then B's advantage to distinguish a DBDH tuple from a random tuple is 2 .

Complexity Analysis
In this section, we compare the computational overhead with some other related schemes with hidden policy from a technical point of view. Some schemes only supports AND-gate policies, to represent an expressive policy f , we transmute it to a disjunctive normal form and f = f 1 · · · f n , and then represent each f i by a conjunctive clause as f i = att i,1 · · · att i,l . Without loss of generality, we suppose each attribute att i has two values att i,1 , att i,2 , and consider such a simple access policy f = (att 1,1 att 1,2 ) (att 2,1 att 2,2 ) · · · (att n,1 att n,2 ), which means that there are 2 n access strategies. Now, we discuss the computational overhead of each scheme as following Table. 3.
As shown in Table. 3, schemes [6,24,25] restricted with AND-gates on multivalues give rise to an exponential size of ciphertext for supporting an expressive  access policy. Since the attribute value is hidden in [28], for finding the correct attribute value for successful decryption, [28] needs end user to test super-polynomial times. In addition, all the above schemes only protect the privacy attribute value, but expose the information of attribute name. Some other schemes based on the inner-product predicate encryption [18,29] that we haven't discussed in detail here, because transform an inner-product predicate to an expressive access policy will also cause an exponential size of ciphertext. In our scheme, the size of ciphertext, test time and decryption time are all polynomial. Partial overhead for generating the ciphertext is outsourced to fog nodes and most overhead during test and decryption is outsourced from end user to the cloud.

Conclusion
In this paper, we propose a CP-ABE scheme with hidden sensitive policy for recruitment in smart city. To protect the sensitive policy of encrypted recruitment from unauthorized applicants, two access policies embedded in the ciphertext, one is public and the other is sensitive and fully hidden, only if user's attributes satisfy the public policy, it's possible for him/her to learn about the hidden policy, otherwise he/she cannot get any information (attribute name and its values) of it. When the user satisfies both access policies, he/she can obtain and decrypt the ciphertext. The access policy in our scheme is expressive and computational overhead of encryption (half part) and decryption (most part) can be outsourced to fog nodes and cloud server respectively. Thus, our scheme is more applicable for resource-limited end users.

Competing interests
The authors declare that they have no competing interests.