Ciphertext-policy attribute-based encryption with hidden sensitive policy from keyword search techniques in smart city

Countless data generated in Smart city may contain private and sensitive information and should be protected from unauthorized users. The data can be encrypted by Attribute-based encryption (CP-ABE), which allows encrypter to specify access policies in the ciphertext. But, traditional CP-ABE schemes are limited because of two shortages: the access policy is public i.e., privacy exposed; the decryption time is linear with the complexity of policy, i.e., huge computational overheads. In this work, we introduce a novel method to protect the privacy of CP-ABE scheme by keyword search (KS) techniques. In detail, we define a new security model called chosen sensitive policy security: two access policies embedded in the ciphertext, one is public and the other is sensitive and hidden. If user's attributes don't satisfy the public policy, he/she cannot get any information (attribute name and its values) of the hidden one. Previous CP-ABE schemes with hidden policy only work on the “AND-gate” access structure or their ciphertext size or decryption time maybe super-polynomial. Our scheme is more expressive and compact. Since, IoT devices spread all over the smart city, so the computational overhead of encryption and decryption can be shifted to third parties. Therefore, our scheme is more applicable to resource-constrained users. We prove our scheme to be selective secure under the decisional bilinear Diffie-Hellman (DBDH) assumption.

networks, Fab Lab, Living Lab and integrated integration methods to facilitate residents' lives and economic activities. To build a smart city, enormous data will be generated, processed and analysed.
Cloud server is an internet-based paradigm that provides massive data storage and processing services for innumerable enterprises and individuals. Fog nodes [1] are physical components (such as gateways, switches, routers, servers, etc.) or virtual components (such as ED switches, virtual machines, Cloudlet 9, etc.) that are tightly connected with the network and provide computing resources. As shown in Fig. 1, such devices can be found everywhere in the smart city providing more efficient and convenient services.
Generally speaking, data and services on the cloud are open and accessible to anyone, and data owner will lose any control on the data as soon as it uploaded to the cloud. In many distributed applications, it is necessary to enforce a specific access control policy on sensitive data, and only authorized users can access these data.
In this case, Sahai et al. [2] first introduced the concept of attribute-based encryption (ABE) achieving both scalable and fine-grained access control on ciphertext. ABE schemes are generally divided into two types: ciphertext-policy ABE (CP-ABE) [3] and key-policy ABE (KP-ABE) [4]. In CP-ABE, the access policy is embedded in the ciphertext and anyone can decrypt it as long as his/her attributes satisfy the policy.
One problem in traditional CP-ABE scheme [4,5] is that the access policy is sent along with a ciphertext to inform end users which attributes satisfy the access policy, therefore the privacy in the policy could be exposed. However, this property is not suitable for many application scenarios, such as medical, industrial and financial fields. For instance, the access policy of an encrypted files of patient's medical record may reveal individual privacy; a company may hire eligible staff with specific qualification (i.e., attributes) which may expose the company's future development strategy.
If it is not known which attributes should be used for decryption, the decryption will be infeasible for authorized users. So, Nishide et al. [6] introduced the notion of partially hidden access policy in CP-ABE. In their scheme, the attribute is defined by two parts, attribute name and attribute values and only attribute value is concealed in their shceme. Although this method protects the privacy of the policy to some extent, it also has some drawbacks: in some cases, the attribute name still contains sensitive and valuable information, and it's still revealed in the access policy; If the end user has multiple values for each attribute, the decryption time maybe super-polynomial, since he/she has to guess which attribute value is exactly embedded in the ciphertext. Inner-product predicate encryption (IPE) [7] is another method to protect policy privacy, but it could cause the ciphertext size to be super-polynomial.
Besides attribute values, sometimes, attribute names are also sensitive and should be kept secret. For example: a recruitment sharing in the cloud can only be accessed by specific applicants.The access policy may be defined as {[Gender: male or female] AND [Education: M.D. or PH.D.]} AND {[Probability and statistics: statistics or econometrics] AND [Computer science and technology: data mining or machine learning]}. In this case, the "Probability and statistics: statistics or econometrics" and "Computer science and technology: data mining or machine learning" in the access policy are obviously more sensitive, since it may reveal commercial confidentiality that the company is managing to achieve transformation with the help of IoT.
Another problem in the existing ABE schemes [3][4][5] is that the number of pairing and exponentiation operations for ciphertext decryption is linear with the complexity of access policy, which means the computation cost of end user is quite expensive. This property is not suitable for users on their resource-constrained mobile devices. To reduce the computational overhead of end user, some cryptographic operations with heavy computational load can be outsourced to third-party service [8,9]. In smart cities, countless IoT devices connected to the Internet in every corner of the city can be utilized to provide much more convenient and faster computing resources for resourcelimited end users.

Motivation
In the above-mentioned example, data owner could encrypt the data in a different way such that any one obtaining the ciphertext can only learn about the public access policy (i.e., [Gender: male or female] AND [Education: M.D. or PH.D.]), while the sensitive information in the secret policy (i.e., [Probability and statistics: statistics or econometrics] AND [Computer science and technology: data mining or machine learning]) including attribute name and its values should be fully hidden. Figures 2 and 3 graphically show this example.
There seems to be a simple solution to protect the privacy of sensitive policy. Specifically, one can use a classic CP-ABE to encrypt the sensitive access policy under the public access policy as first part of the ciphertext and use CP-ABE to encrypt the message under the secret-access-policy as the second part. However, in this method, the cloud can't check whether the end user has sufficient authorities to access the ciphertext, since the ciphertext can only be obtained by authorized end users. Another drawback of this method is that the decryption overhead of the second part ciphertext can't be outsourced to the cloud.

Contributions
Motivated by the above observation, in this paper, we propose a ciphertext-policy attribute-based encryption with hidden sensitive policy from keyword search techniques in smart city. In our scheme, data owner (employer) publishes an encrypted recruitment for the end user (potential employee) in the cloud. Only authorized end user can access the ciphertext, and the privacy of the sensitive access policy is preserved from unauthorized end users. The contribution of our scheme is shown as follows.
• Hidden sensitive policy We embed two access policies in the encrypted data, one is public and the other is secret and hidden. When satisfying both policies, he/she can decrypt the ciphertext. For the privacy of sensitive policy, we propose a new security model i.e., chosen sensitive policy attack (CSPA): if user's attributes don't satisfy the public policy, he/she cannot learn anything of the secret one. Specifically, the end user generates two sets of randomized secret keys, where each component of the one set corresponds to a public attribute name (or value) and each component of the other set corresponds to an attribute index (user-generated hash value). The end user uploads the two sets to the cloud to check whether he/she has authority to decrypt the ciphertext with double policies. If user satisfies the public policy, the cloud can detect whether the attribute contained in each leaf node of secret policy belongs the user's attributes. This process is essentially a attribute-based keyword search (ABKS) mechanism. By keyword search (KS) methods, the cloud cannot learn about which attribute the leaf node in the access tree of secret policy stands for and unauthorized end users also can't obtain the ciphertext or learn about the secret policy. Therefore, our scheme protects the privacy in sensitive access policy of the ciphertext from unauthorized applicants. • Expressive and efficient Our scheme is expressive and efficient. It supports any monotone access structure instead of restricted policy such as AND-gates on multi-values. The size of the ciphertext scales linearly with the complexity of the access policy. End user doesn't need to test several times, which could be super-polynomial in some previous schemes, before finding the attributes for successful decryption, even if he/ she has multiple values for each attribute. • Applicable for resource-limited end user With the help of thousands of fog nodes in the smart city, the computational overhead of data owner generating the sub-ciphertext of the public access policy can be outsourced, and most computational overhead of decryption is shifted from end user to the cloud, leaving a constant number of operations to decrypt the ciphertext. Therefore, it is more suitable for resource-constrained end users.

Discussion
Sahai et al. [2] first introduced the concept of attribute-based encryption (ABE), which can be divided into two forms: ciphertext-policy ABE (CP-ABE) [4] and key-policy ABE (KP-ABE) [3] . Bethencourt et al. [4] proposed the first CP-ABE scheme, in which the access policy is very expressive and specified by the data owner. From then on, ABE schemes with various functionalities have been widely constructed, e.g., supporting regular languages [10,11], with unbounded attribute size [10,12,13], with constant-size ciphertext [14], with multi-authority [15][16][17], and with adaptive security [18][19][20]. One drawback in traditional CP-ABE schemes [4,5] is that the number of pairing and exponentiation operations for ciphertext decryption is linear with the complexity of access policy, which means the computation cost of end user is quite expensive. This defect in attribute encryption makes it unsuitable for users with resource-constrained devices. To reduce the computation cost of end user, Green et al. [9] provided a new methods for efficiently and securely outsourcing decryption of ABE ciphertexts. In their scheme, most of the heavy cryptographic operations of decryption algorithm are outsourced to the cloud, leaving only a small number of operations for the end user. Li et al. [21] also considered to outsource key-issuing and decryption simultaneously for ABE schemes by introducing two cloud service providers. In the wake of 5G and IoT techniques, fog computing [1] is considered to be a new data resource that can provide high-quality outsourcing services. In fog computing environment, Zuo et al. [22] proposed a practical CP-ABE scheme with outsourced decryption, while Zhang et al. [23] support outsourced encryption, outsourced decryption and attribute update. However, the access policy must be revealed in most of these schemes, since end users need to know how they combine their secret key components for decryption. This may lead to privacy disclosure, so research on the anonymity of access policies is necessary. Nishide et al. [6] first introduced the concept of partially hidden access policy to achieve anonymity, in which the attribute is split into an attribute name and its values, and only the attribute values are hidden. Some other works [24][25][26] improved the efficiency and security of [6], but their policies are all restricted with AND-gates on multi-values as in [6]. Later, Lai et al. [27] proposed an expressive fully secure CP-ABE scheme with the LSSS-based partially hidden policy in composite order groups. Based on Lai's scheme, Cui et al. [28] proposed a more efficient one in prime order groups. However, looking for the correct attributes for successful decryption, both [27] and [28] need authorized users to test several times, which cloud be super-polynomial in special cases; for instance, user has many values for each attribute. All the above schemes focus on the partially hidden access policy, while the public attribute names may also lead to the leakage of sensitive information. Some other schemes based on the inner-product predicate encryption [18,29] and hidden vector encryption [30] are proposed to protect the policy privacy, but their efficiency is seriously restricted, which means that the size of ciphertext could be super-polynomial.
The keyword search techniques enables the cloud to search over encrypted data without revealing any sensitive information of the keyword. In 2000, Song et al. [31] initially introduced a searchable encryption (SE) technique. Boneh et al. [32] proposed the first public key encryption with keyword search. To achieve both fine-grained access control and keyword search simultaneously, attribute-based encryption with keyword search [33][34][35][36] was proposed. Among them, [35,36] are constructed in fog computing environment.

Result
In our scheme, sensitive access policy of encrypted recruitment is fully hidden; expressive policy is supported; the ciphertext size is polynomial; the most computational overhead of decryption is outsourced to the cloud server, leaving a constant number of operations for the end user. We summarize the comparisons of various CP-ABE schemes with hidden policy in Table 1.

Preliminaries
In this section, we introduce some background knowledge, which includes access structure, access tree, bilinear maps, Diffie-Hellman assumption and its variants.

Access structures
Definition 1 (Access structure [4]) Let {P 1 , P 2 , . . . , P n } be a set of parties. A collection A ⊆ 2 {P 1 ,P 2 ,...,P n } is monotone if ∀B, C : if B ∈ A and B ⊆ C then C ∈ A . An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) A of non-empty subsets of {P 1 , P 2 , . . . , P n } , i.e., A ⊆ 2 {P 1 ,P 2 ,...,P n } \{∅} . The sets in A are called the authorized sets, and the sets not in A are called the unauthorized sets.
In this paper, attributes take the role of the parties, and we only focus on the monotone access structure A , which consists of the authorized sets of attributes. Obviously, attributes can directly reflect a user's authority.
Definition 2 (Access tree [4]) Let T be a tree representing an access structure. Each non-leaf node of the tree represents a threshold gate, described by its children and a threshold value. If num x is the number of children of a node x and k x is its threshold value, then 0 ≤ k x ≤ num x . When k x = 1 , the threshold gate is an OR gate and when k x = num x , it is an AND gate. Each leaf node x of the tree is described by an attribute and a threshold value k x = 1.
We introduce a few functions defined in [4] as follows. parent(x) denotes the parent of the node x in the tree. The access tree T also defines an ordering between the children of every node, that is, the children of a node are numbered from 1 to num. The function index(x) returns such a number associated with the node x, where the index values are uniquely assigned to nodes in the access structure for a given key in an arbitrary manner. Each leaf node x corresponds to an attribute a j , and this relationship should be revealed in the access tree T . To protect the privacy of access policy, we defined the access tree with hidden attributes T . Definition 3 (Access tree with hidden attributes T ) T is an access tree with structure the same as normal access trees, except that it doesn't reveal any information about the correspondence between leaf nodes and attributes. It is very easy to check whether a combination of leaf nodes satisfies the access structure, but the information of attribute in these nodes is hidden. So, it is impossible to find out which attributes are embedded in the access tree just from the structure itself.
For better understanding, assuming that x i , y i are the indexes of leaf nodes and a i is the corresponding attribute, the comparison of two kinds of access tree is shown in Figs. 4 and 5. Specifically, the attribute name and its value in the dotted node in Fig. 4 are exposed. However, it is on the contrary in Fig. 5 and only the index of the node is revealed in Fig. 5. [4]) Let T be an access tree with root r. Denote by T x the subtree of T rooted at the node x. Hence, T is the same as T r . If a set of attributes γ satisfies the access tree T x , we denote it as T x (γ ) = 1 . We compute T x (γ ) Table 1 Comparison of CP-ABE schemes with hidden policy a "Deterministic and linear": end user needs to test fixed the number of times, usually is one, to look for the correct attributes for successful decryption, and the decryption time scales linearly with the complexity of the access policy. b "Deterministic and constant": the test time for the cloud is fixed and the decryption time is constant. c "Opportunistic and linear": several tests may be required, which could be super-polynomial when user has many values for each attribute. The decryption time scales linearly with the complexity of the access policy Yes recursively as follows. If x is a non-leaf node, evaluate T x ′ (γ ) = 1 for all children x ′ of node x. T x (γ ) returns 1 if and only if at least k x children return 1. If x is a leaf node, then T x (γ ) returns 1 if and only if att(x) ∈ γ.

Bilinear map and DBDH assumption
We briefly recall the definitions of the bilinear map and the decisional bilinear Diffie-Hellman (DBDH) assumption. Let G 0 and G T be two multiplicative cyclic groups of prime order p. Let g be a generator of G 0 and e be a efficient computable bilinear map, e : G 0 × G 0 → G T . The bilinear map e has a few properties: (1) Bilinearity: for all u, v ∈ G 0 and a, b ∈ Z p , we have e(u a , v b ) = e(u, v) ab . (2) Non-degeneracy: e(g, g) = 1 . We say that G 0 is a bilinear group if the group operation in G 0 and the bilinear map e : G 0 × G 0 → G T are both efficiently computable. Notice that the map e is symmetric since e(g a , g b ) = e(g, g) ab = e(g b , g a ).
Given the bilinear map parameter (G 0 , G T , p, e, g) and three random elements (x, y, z) ∈ Z 3 p , if there is no probabilistic polynomial time (PPT) adversary B can distinguish between the tuple (g, g x , g y , g z , e(g, g) xyz ) and the tuple (g, g x , g y , g z , ϑ) , we say that the DBDH assumption holds, where ϑ is randomly selected from G T . More specifically, the advantage ǫ of B in solving the DBDH problem is defined as Definition 5 (DBDH) We say that the DBDH assumption holds if no PPT algorithm has a non-negligible advantage ǫ in solving DBDH problem.

System and security model
In this section, we introduce the system description, system model, threat model and security model of our scheme.

System description
As shown in Fig. 6, we consider a ciphertext retrieval scenario in fog computing environment. It consists of five parties: Key Authority Center ( KAC ), Data Owner ( DO ), Cloud Server ( CS ), End User ( EU ), and Fog Nodes ( FN ). The specific role of each party is given as follows: • Key Authority Center ( KAC ): The KAC is a fully trusted third party which is in charge of generating public parameters and secret keys. • Data Owner ( DO ): The DO defines the access structure to encrypt a ciphertext CT with the help of fog nodes. • Cloud Server ( CS ): The CS has huge computing power and storage capacity; it can provide computing and storage services to both data owner and end user, especially to help end user partially decrypt the ciphertext. • End User ( EU ): Resource-constrained user submits a trapdoor to the CS , which will help him/her to partially decrypt the ciphertext. • Fog Nodes ( FN ): Some computational overheads can be outsourced from the DO to the fog nodes during the encryption process.

System model
Our scheme includes the following six algorithms: • Setup(1 , L) → (PK , MSK ) Given security parameter and a set of all possible attributes L , the KAC generates public key PK and master secret key MSK. • KeyGen(PK , MSK , S) → SK On input the public key PK, the master secret key MSK and an attribute set S, the KAC generates a secret key SK for the EU. • Enc(PK , T 1 , T 2 , M) → CT On input PK, two access policies T 1 , T 2 and message M, with the help of fog nodes, the DO generates the ciphertext CT, in which T 1 is public and T 2 is fully hidden. • TrapSK → Tr The EU generates the trapdoor Tr by his own secret key SK and submits Tr to the CS. • Tran(CT , Tr) → CT or ⊥ : This algorithm contains two steps: -At first, the CS interacts Tr and CT to verify whether the EU has authority to decrypt CT. If S T 1 S T 2 , it outputs ⊥. -If S |= T 1 S |= T 2 , the CS partially decrypts CT and returns the precomputed ciphertext CT to the EU.
• Dec( CT , SK ) → M : On input CT , SK , the EU decrypts CT and outputs M.

Threat model
In this paper, we assume that the KAC is a fully trusted third party, while the CS and FN are honest-but-curious entities, which exactly follow the protocol specifications but also are curious about the sensitive information of ciphertexts and trapdoors. Users are not allowed to collude with CS or FN . Nevertheless, malicious users may collude with each other to access some unauthorized ciphertexts.

Security model
Our scheme achieves chosen plaintext security by the following security game between a PPT adversary A and a challenger C.
• Initialization A chooses and submits two challenge access policies T * 1 and T * 2 to its challenger C.
• Setup C runs Setup algorithm and returns the public key PK to A.
• Phase 1 A adaptively submits any attribute set S to C with the restriction that (S T * 1 S T * 2 ) . In response, C runs KeyGen algorithm and answers A with the corresponding SK.
• Challenge A chooses two equal-length challenge messages (m 0 , m 1 ) and submits them to C . Then C picks a random bit ϑ ∈ {0, 1} , runs Enc algorithm to encrypt m ϑ with T * 1 and T * 2 , and returns the challenge ciphertext CT * to A. • Phase 2 This phase is the same as Phase 1.
• Guess A outputs a guess bit ϑ ′ of ϑ . We say that A wins the game if and only if ϑ ′ = ϑ. The advantage of A to win this security game is defined as Adv(A) = Pr[ϑ ′ = ϑ] − 1 2 .

Definition 6
Our scheme achieves IND-CPA security if there exists no PPT adversary winning the above security game with a non-negligible advantage ǫ under the DBDH assumption.
In addition, we define a new security model chosen sensitive policy attack (CSPA) for our scheme by the following security game between A and C.
• Initialization A chooses and submits a challenge access structure T * 1 to its challenger C.
• Setup C runs Setup algorithm and gives PK to A.
• Phase 1 A adaptively submits any attribute set S with the restriction that S T * 1 . In response, C runs Trap algorithm and responds A with the corresponding trapdoor Tr.
• Challenge A submits m * and two challenge hidden policies T 0 * 2 and T 1 * 2 with the same structure. Then, C picks a random bit ϑ ∈ {0, 1} and returns the challenge ciphertext CT * encrypted with T * 1 and T ϑ * 2 . • Phase 2 This phase is the same as Phase 1.
• Guess A outputs a guess bit ϑ ′ of ϑ . We say that A wins the game if and only if ϑ ′ = ϑ . The advantage of A to win this security game is defined as Adv

Definition 7
Our scheme achieves IND-CSPA security if there exists no PPT adversary winning the above security game with a non-negligible advantage ǫ under the DBDH assumption.

Construction of our scheme
In this section, we present the concrete construction of CP-ABE scheme with hidden sensitive policy. Without loss of generality, we suppose that there are n possible attributes in total and L = {a 1 , a 2 , . . . , a n } is the set of all possible attributes. Assume G 0 , G T are multiplicative cyclic groups with prime order p and the generator of G 0 is g. Let be the security parameter which determines the size of groups. Let e : G 0 × G 0 → G T be a bilinear map and H : {0, 1} * −→ Z p be a hash function which maps any string to a random element of Z p . We also define the Lagrange coefficient � i,L (x) = j∈L,j� =i x−j i−j , where i ∈ Z p and a set L of elements in Z p . The details of our scheme are as follows.
• Setup(1 , L) → (PK , MSK ) : Given a security parameter and all possible attributes L , the KAC chooses a bilinear group G 0 with prime order p and generator g. Next, it picks α, β ∈ R Z * p and h ∈ R G 0 . For each attribute a j ∈ L , it selects v j , v ′ j ∈ R Z * p . Finally, it generates the public key PK and master secret key MSK as • KeyGen(MSK , S) → SK : While receiving an attribute set S from the EU , the KAC selects r, r ′ ∈ R Z * p and returns the secret key SK as • Enc(PK , T 1 , T 2 , M) → CT : The DO chooses ck ∈ R Z * p as a symmetric encryption key and encrypts message M with ck, E ck (M) , by using symmetric encryption (AES). Then, it encrypts ck with the help of the FN as follows: 1 The DO sends T 1 to the FN . The FN randomly choose a polynomial q x for each node x of T 1 from the root node R 1 in a top-down manner: for each node x of T 1 , the degree of q x is d x = k x − 1 , where k x is the threshold value of x; beginning with root node R 1 , the FN pick s 1 ∈ R Z * p , sets q R 1 (0) = s 1 and randomly chooses d R 1 = k R 1 − 1 other points of q R 1 to define the polynomial completely; for any other node x, they set q x (0) = q parent(x) (index(x)) and choose d x other points to define q x completely. The FN generate the CT ′ 1 as where X 1 is a set of attributes corresponding to all leaf nodes in T 1 and each x ∈ X 1 is corresponding to attribute a j . Note that T 1 is stored in CT ′ 1 in the form of plaintext, so the privacy of the access policy of T 1 is exposed. 2 The DO picks s 2 ∈ R Z * p and sends g s 2 , h s 2 , e(g, h) βs 2 to FN to generate CT 1 as 3 The DO picks s 3 , s 4 ∈ R Z * p and generates the ciphertext CT 2 corresponding to the T 2 in the same way of CT 1 . For each node y of T 2 , q y (0) and d y are defined exactly the same with above q x (0) and d x ; for the root node R 2 of T 2 , q R 2 (0) = s 3 . Then, and (2) PK = G 0 , g, h, g α , e(g, g) β , e(g, h) β , where each leaf node y is corresponding to attribute a j and X 2 is a set of all leaf nodes in T 2 . Since T 2 is defined the same as T 2 , except that the attribute name and its value in the T 2 are fully hidden. Therefore, the privacy of T 2 can be preserved. 4 The DO computes C = ck · e(g, g) β(s 2 +s 4 ) and sends E ck (M), C, CT 2 to FN , which generate and upload to the final ciphertext CT to the CS , where • Trap(SK ) → Tr : The Trap algorithm proceeds as follows. The EU chooses x ′ , y ′ , z ′ , k ∈ R Z * p and computes the attribute index H j = H (k � j) for each a j ∈ S , and generates the following trapdoor Tr with its SK as where the set {T For each node of T 1 , the CS runs a recursive algorithm as follows: (1) If x is a leaf node of T 1 . Let a j is the corresponding attributes of node x. If a j ∈ S , the CS computes If a j ∈ S , set F x = null. (2) If x is a non-leaf node, the recursive algorithm is defined as: for all child nodes z of x, where a i is the corresponding attributes of node z, the CS computes F z = F z (C z 1 , C z 2 , T i 10 , T i 11 , z) recursively. Let S x be an arbitrary k x -sized set of child nodes z satisfying F z = null . If S x does not exist, F x = null . Otherwise, the CS calculates where i = index(z) and S ′ x = {index(z) | ∀z ∈ S x }. By calling the above algorithm on the root node R 1 of T 1 , the CS gets F R 1 = e(g, h) αrs 1 (x ′ +y ′ ) . Then, the CS computes D as Then, for each leaf node y ∈ T 2 , the CS defines and checks whether there exists an H j ∈ {H j } a j ∈S such that If S |= T 1 and there exists an H j ∈ {H j } a j ∈S such that the a j is the corresponding attribute of leaf node y, then By running the above functions recursively, the CS can find out whether this EU has the attribute corresponding to each leaf node of T 2 and then check out whether it has the authority to access the ciphertext CT, e.t., S |= T 1 and S |= T 2 . If CT is accessible, CS outputs the following Table 2. Otherwise, the algorithm outputs ⊥ . Assume that the EU has the attributes corresponding to t leaf nodes in T 2 .
-Ciphertext precomputation If CT is accessible, i.e., S |= T 1 and S |= T 2 , the algorithm is similar to the recursive procedure defined in the above algorithm. 1. S |= T 1 . For each node of T 1 .
(1) If x is a leaf node of T 1 . If a j ∈ S , the CS sets G x = G x (C x 1 , T j 10 , x) and computes If a j ∈ S , set G x = null.
(2) If x is a non-leaf node, for all child nodes z of x, the CS computes G z = G x (C z 1 , T j 10 , z) recursively. Let S x be an arbitrary k x -sized set of child nodes z satisfying G z = null . If S x does not exist, G x = null . Otherwise, the CS calculates where i = index(z) and S ′ x = {index(z) | ∀z ∈ S x } . Then CS gets G R 1 = e(g, g) αrs 1 x ′ and computes 2. S |= T 2 . For each y i in Table 2, the CS sets G y i = G y i (C Since S |= T 2 , for the root node R 2 of T 2 , the CS can compute G R 2 = e(g, g) αrs 3 x ′ in a recursive manner, and then computes A ′ = G R 1 · e(T 6 , h s 1 +s 2 ) e(T 5 , g s 1 +s 2 ) = e(g, g) αrs 1 x ′ · e(g r ′ x ′ , h s 1 +s 2 ) e(g αrx ′ h r ′ x ′ , g s 1 +s 2 ) = e(g, g) αrs 2 x ′ .

Table 2 Correspondence between leaf node and attribute index
Leaf nodes of T 2 Hash value of the index of the corresponding attribute . . .

y t H jt
Finally, the CS returns the precomputed ciphertext to the EU. Remark 1 Different from previous schemes, we let the attribute a j (or leaf node x, attribute index H j ) appear in the component of secret key (or ciphertext, trapdoor) just to make it clearer which attribute (or leaf node, attribute index) the component of secret key (or ciphertext, trapdoor) corresponds to.

Remark 2
Once the EU has access to the ciphertext, the CS will find out that the leaf nodes in the access tree must correspond to some attributes in S. Therefore, we made a small modification to the Trap algorithm, replacing {T j 10 , T j 11 , a j | ∀a j ∈ S} with {T j 10 , T j 11 , a j | ∀a j ∈ S 1 } , where S 1 ⊆ S . Since the public access policy is revealed in the ciphertext, the end user can decide the attribute set S 1 by their own. In addition, the Trap algorithm can be run offline while the device is charging.

Remark 3
The computational overhead of the CS to run the Access Verification algorithm scales linearly with | T 1 | + | S | · | T 2 | , supposed that | S | is the number of attributes the EU owned and | T 1 |, | T 2 | is the number of leaf nodes in the access tree T 1 , T 2 , respectively. Thus, it does not need a super-polynomial time to find out the correct attributes for successful decryption.

Security analysis
Theorem 1 Supposed that a PPT adversary A can break the IND-CPA security of our scheme with a non-negligible advantage ǫ > 0 , then there exists a PPT simulator B that can distinguish a DBDH tuple from a random tuple with an advantage ǫ 2 .
Proof Given the bilinear map parameter (G 0 , G T , p, e, g) . The DBDH challenger C selects Next, C sends B the tuple �g, g a ′ , g b ′ , g c ′ , Z� . Then, B plays the role of challenger in the following security game.
• Initialization A submits two challenge access policy T * 1 and T * 2 to B. • Setup B chooses β ′ , x ∈ Z p at random and sets h = g x , g α = g a ′ , e(g, g) β = e(g, g) β ′ +a ′ b ′ = e(g, g) β ′ e(g a ′ , g b ′ ) , e(g, h) β = e(g, g) βx . For each attribute • Phase 1 A adaptively submits any attribute set S ∈ L to B with the restriction that (S T * 1 S T * 2 ) . In response, B picks r,r ∈ Z p at random, computes g r = gr g b ′ = gˆr −b ′ , g β+αr = g β ′ +a ′ b ′ +a ′ (r−b ′ ) = g β ′ +a ′r , h β+αr = g (β ′ +a ′r )x = h β ′ +a ′r , g αr h˜r , h αr h˜r , g˜r . For each a j ∈ S , if a j ∈ T * 1 , B computes g Afterward, B answers A with the corresponding secret key • Challenge A submits two equal-length challenge messages {m 0 , m 1 } to B . Then, B chooses s 1 , s 2 ∈ R Z p and generates where X * 1 is a set of attributes corresponding to all leaf nodes in T * 1 and each x * ∈ X * 1 is corresponding to attribute a j . The B sets and generates CT * 2 in a similar method. B picks s 3 ∈ R Z p and sets g s 4 = g c ′ g s 2 , h s 4 = g s 4 x , e(g, g) β(s 2 +s 4 ) = Z · e(g, g) β ′ c ′ . So, (25) SK = g β ′ +αr , h β ′ +a ′r , g αr h˜r, h αr h˜r, g˜r, where Finally, B randomly picks θ ′ ∈ {0, 1} , sets C * = m θ ′ · Z · e(g, g) β ′ c ′ , and returns A the final challenge ciphertext CT * = {T * 1 , T * 2 , C * , CT * 1 , CT * 2 }. • Phase 2 This phase is the same as Phase 1.
If Z = R , then CT * is random from the view of A . Hence, B ′ s probability to guess θ correctly is Else Z = e(g, g) a ′ b ′ c ′ , then CT * is available and A ′ s advantage of guessing θ ′ is ǫ . Therefore, B ′ s probability to guess θ correctly is In conclusion, B ′ s advantage to win the above security game is Theorem 2 Supposed that a PPT adversary A can break the IND-CSPA security of our scheme with a non-negligible advantage ǫ > 0 , then there exists a PPT simulator B that can distinguish a DBDH tuple from a random tuple with an advantage ǫ 2 .
Proof The proof process of this theorem is similar to that of Theorem 1. The DBDH challenger C sends B the tuple �g, g a ′ , g b ′ , g c ′ , Z� , in which Z = e(g, g) a ′ b ′ c ′ or R . A chooses a challenge access structure T * initially. B returns public key in the same way as in Theorem 1. Then A adaptively submits any attribute set S with the restriction that S T * . Since B can generate secret keys as in Theorem 1, it can naturally answer A with the corresponding trapdoor Tr. In the challenge phase, A submits m * and two challenge policies T * 0 and T * 1 with the same structure, i.e., T * 0 = T * 1 . B randomly picks θ ′ ∈ {0, 1} , generates CT * 2 with T * θ ′ and returns the challenge ciphertext CT * . If A 's advantage of guessing θ ′ is ǫ , then B 's advantage to distinguish a DBDH tuple from a random tuple is ǫ 2 .
Remark 4 In Definition 6, it demonstrates the IND-CPA security of our scheme. Since the adversary needs to satisfies both T * 1 and T * 2 to decrypt the ciphertext, the restriction on the private key inquiry in Theorem 1 is (S T * 1 S T * 2 ) , otherwise the adversary can break our scheme trivially. While in Definition 7, it is required that the adversary cannot tell the challenge sensitive policy T * 0 apart from T * 1 if it doesn't satisfy the public access policy T * . So the restriction on the private key inquiry in Theorem 2 is S T * , otherwise the adversary can break our scheme trivially.

Complexity analysis
In this section, we compare the computational overhead with some other related schemes with hidden policy from a technical point of view. Some schemes only support AND-gate policies, to represent an expressive policy f, we transmute it to a disjunctive normal form and f = f 1 · · · f n and then represent each f i by a conjunctive clause as f i = att i,1 · · · att i,l . Without loss of generality, we suppose each attribute att i has two values att i,1 , att i,2 and consider such a simple access policy which means that there are 2 n access strategies. Now, we discuss the computational overhead of each scheme in Table 3.
As shown in Table 3, schemes [6,24,25] restricted with AND-gates on multi-values give rise to an exponential size of ciphertext for supporting an expressive access policy. Since the attribute value is hidden in [28], for finding the correct attribute value for successful decryption, [28] needs end user to test super-polynomial times. In addition, all the above schemes only protect the privacy attribute value, but expose the information of attribute name. Some other schemes based on the inner-product predicate encryption [18,29] that we haven't discussed in detail here, because transform an inner-product predicate to an expressive access policy will also cause an exponential size of ciphertext. In our scheme, the size of ciphertext, test time and decryption time are all polynomial. Partial overhead for generating the ciphertext is outsourced to fog nodes and most overhead during test and decryption is outsourced from end user to the cloud.

Conclusion
In this work, we provide a novel method to protect the privacy of sensitive policy in CP-ABE scheme. With the help of KS techniques,the access policy in our scheme is expressive and compact, and the computational overhead of encryption (half part) and decryption (most part) can be sifted to fog nodes and cloud server respectively. Hence, f = (att 1,1 att 1,2 ) (att 2,1 att 2,2 ) . . . (att n,1 att n,2 ),  Table 4.