Enabling efficient traceable and revocable time-based data sharing in smart city

With the assistance of emerging techniques, such as cloud computing, fog computing and Internet of Things (IoT), smart city is developing rapidly into a novel and well-accepted service pattern these days. The trend also facilitates numerous relevant applications, e.g., smart health care, smart office, smart campus, etc., and drives the urgent demand for data sharing. However, this brings many concerns on data security as there is more private and sensitive information contained in the data of smart city applications. It may incur disastrous consequences if the shared data are illegally accessed, which necessitates an efficient data access control scheme for data sharing in smart city applications with resource-poor user terminals. To this end, we proposes an efficient traceable and revocable time-based CP-ABE (TR-TABE) scheme which can achieve time-based and fine-grained data access control over large attribute universe for data sharing in large-scale smart city applications. To trace and punish the malicious users that intentionally leak their keys to pursue illicit profits, we design an efficient user tracing and revocation mechanism with forward and backward security. For efficiency improvement, we integrate outsourced decryption and verify the correctness of its result. The proposed scheme is proved secure with formal security proof and is demonstrated to be practical for data sharing in smart city applications with extensive performance evaluation.

typical cloud-fog-based smart city data sharing scenario where application data are gathered from resource-poor IoT devices deployed all over the smart city and outsourced to the public cloud for storage, processing and sharing.
However, the shared data of smart city applications involve massive sensitive information and may inflict severe consequences on users if eavesdropped or illegally accessed. Let us take smart health care for example. The Personal Health Records (PHRs) essential for healthcare systems are collected from the wearable devices of patients and shared among healthcare practitioners for the diagnosis and treatment. The PHRs contain much private and sensitive information of patients (e.g., disease, identity, home address, etc.) [6] and will cause privacy leakage if eavesdropped and illegally accessed by attackers. Therefore, providing an efficient data access control scheme for data sharing in smart city applications permits no delay. A direct method to guarantee the security of the application data is encryption. However, it incurs heavy workload in key management and data distribution when multiple users access the shared data, especially in the setting of largescale smart city applications. Fortunately, the promising ciphertext-policy attributebased encryption (CP-ABE) [7] provides users with a fine-grained access control for their shared data by which users can designate desired access policy for their encrypted data.
As far as we know, many existing CP-ABE schemes [8][9][10] are vulnerable to malicious insiders who intend to leak their decryption key to outsiders for illicit profit pursuing, which poses a big issue on data security. It is intractable to trace these users according to the leaked decryption keys without specific identities. Meanwhile, it is of great necessity to afford a user revocation mechanism to enforce punishment on malicious users. Although the works in [11][12][13][14] propose several revocable CP-ABE schemes, they suffer from either low efficiency or the lack of forward and backword security (i.e., the revoked users cannot access the data shared before and after their revocation). Thus, how to efficiently trace a malicious user and enforce user revocation is one challenging issue. Furthermore, in many smart city applications, the shared data are time-sensitive in multi-user access; that is, some information should be accessed by an authorized user only after a specific time point, which is the second challenging issue to deal with. The scheme in [12] can address this requirement by introducing time-releasing encryption (TRE) into CP-ABE, but it suffers from high computational cost and is unsuitable for resource-poor terminals in applications of smart city, which brings the third challenging issue.
Therefore, in this paper, we concentrate on studying these challenging issues of data sharing in smart city applications and then present an efficient traceable and revocable time-based CP-ABE (TR-TABE) scheme to achieve efficient user tracing and revocation with forward and backward security together with time-based access control in data sharing. Combining with verifiable outsourced decryption, our scheme can achieve high computation efficiency and correctness verification considering semi-trusted fog nodes. Specifically, our main contributions are threefold: • We propose an efficient traceable and revocable time-based data access control scheme for data sharing based on CP-ABE. All non-revoked users can access the shared data of their interests when and only when their attribute sets satisfy the access policy and their access time satisfy the designated time release policy at the same time. • We design a new approach to achieve user tracing and revocation simultaneously.
Based on white-box user tracing mechanism, the approach achieves efficient user tracing without maintaining a user list and the malicious user revocation with forward and backward security; that is, the revoked users cannot access the shared data before and after their revocation. • To offset the heavy burden of computation in resource-poor devices, we introduce verifiable outsourced decryption into our scheme to offload a part of work task to semi-trusted fog nodes. Moreover, our scheme is resistant to key leakage attacks that an adversary cannot recover the ciphertext even he can compromise the transformation key. • We present the formal security analysis for the proposed scheme to show that it achieves the security goals. Besides, we implement our scheme and conduct extensive experimental simulation to demonstrate its efficiency and practicality in data sharing of smart city applications.
The rest of this paper is outlined as follows. Some related work is reviewed in Sect. 2. In Sect. 3, we give several notations and definitions used in this paper. The system model, formal definition and security model and concrete constructions of our scheme are presented in Sect. 4. In Sect. 5, we present the construction of our proposal and discuss detailed security analysis with performance evaluation of our scheme. Finally, we make a conclusion for our work in Sect. 6.

Related work
Ciphertext-policy ABE. As considered to be a promising technique for data access control, attribute-based encryption (ABE) was first proposed in [15]. Later, Goyal et al. [7] further studied ABE and divided it into two types: ciphertext-policy ABE (CP-ABE) and key-policy ABE (KP-ABE). In the former, user can flexibly designates the access policy for ciphertext. Subsequently, a great many studies were dedicated to CP-ABE [16][17][18][19][20]. On account of the low efficiency in decryption, many researchers proposed outsourced CP-ABE, such as [21][22][23][24][25][26][27]. These schemes offload most of the complex computation in decryption to third party, such as cloud and fog node, to save cost for resource-poor devices. Very recently, some researches have introduced time-sensitive data access control for time-based applications by combining timed release encryption (TRE) [28] with data access control schemes, such as [29], but they only achieved coarse granularity. Later, Hong et al. [12] proposed a time-sensitive CP-ABE scheme with fine-grained access control, but it still incurs heavy cost in decryption. Revocable ABE. Revocable ABE has two directions: One is attribute revocation [30] that dynamically revokes one or more user attributes and the other is user revocation that revokes all of a user's permission directly. In user revocation, there are also two classifications: One is direct revocation and the other is indirect revocation. The studies in [11,31] proposed several direct user revocable CP-ABE schemes, but they bring about complex computation. Later, Liu et al. [32] made some improvement by setting valid time period for user secret key. Recently, Xiong et al. [33] have proposed a user revocable CP-ABE scheme with broadcast encryption to achieve direct user revocation, while it incurs high communication cost and cannot achieve ciphertext update. Very recently, the work in [34] introduces ciphertext update into direct user revocation. In the meantime, Lee et al. [35] raised a revocable CP-ABE scheme with self-update to achieve indirect user revocation, but it introduces much computation cost. Later, Cui et al. [36] proposed a server-aided indirect user revocable CP-ABE scheme, but it is vulnerable to decryption key leakage attack. To address the problem, the proposals in [37,38] made corresponding contributions based on [39], but their computation cost is still high.
Traceable ABE. To achieve user traceability in CP-ABE schemes, Li et al. [40] proposed the first accountable CP-ABE scheme to resist user collusion for key sharing. Then, the scheme [41] extends [40] to multi-authority setting. However, both the schemes only support AND gate policy. Later, the scheme in [42] proposed an accountable multiauthority scheme that can support access policy tree, but this kind of schemes cannot support effective user tracing. On this account, the schemes in [43,44] presented black-box traceable CP-ABE schemes, but they incur a large size of public parameters and ciphertexts. To address the bottleneck issue of black-box traceability, Ning et al. [45] proposed a large universe traceable CP-ABE scheme without any identity table by introducing white-box tracing mechanism into CP-ABE. Based on this scheme, Liu et al. [46] proposed an efficient traceable CP-ABE scheme with user revocation which lacks of forward and backward security, while Yan et al. [47] proposed another traceable CP-ABE scheme supporting multi-domain setting and full security in standard model, but it is implemented over composite order groups and suffers from heavy computation burden.

Preliminary
The section presents several relevant notions and definitions employed in our paper.

Notations
In this paper, {1, . . . , n} is abbreviated to [n], an integer set modulo a prime number p is denoted by Z p , user revocation list by RL u , user secret key, update key and transformation key by SK ID , UK t , DK ID,t , respectively.

Access structure
Definition 1 (Access structures [26]). Suppose {L 1 , . . . , L n } is a parties set. One of the collection L ⊆ 2 {L 1 ,...,L n } is considered to be monotone if∀M, N : M ∈ LandM ⊆ M, thenN ∈ L . An access structure that is monotone is defined as one of the non-empty subsets L of {L 1 , . . . , L n }, i.e., L ⊆ 2 {L 1 ,...,L n } \∅ . The elements in L are defined as authorized sets and the other sets are defined as unauthorized sets. Without loss of generality, we can describe users with their attribute set.

Access policy tree
Definition 2 (Access Tree [27]). Similar to [27], suppose R is a policy tree with each node x ∈ R , where we use a threshold gate to represent non-leaf nodes and a leaf node is an attribute att(x) . As to a threshold gate x ∈ R , we use num(x) which is the number of children and the threshold value th x ∈ [1, num(x)] to depict it. Specifically, if th x = 1 , it is an OR gate, and if th x = num(x) , it is an AND gate. If x ∈ T is a leaf node, its threshold value is th x = 1.
Moreover, suppose r ∈ R is the root node. If x ∈ T is a non-leaf node, child(x) is a collection of its children and parent(x) denotes the parent node of x. Thus, we can infer that |child(x)| = num(x) . We use the function index(x) to signify the unique index value of each node x ∈ T.
Access tree satisfaction. Suppose R is an access tree rooted from node r, then we use R x to denote a subtree rooted from node x ∈ R . Here, we define R x (A) = 1 when and only when A (a attribute set) is satisfactory to the subtree R x ; that is, when a leaf node x has att(x) = att i ∈ A , then R x (A) = 1, and when a non-leaf node has ∀z x ∈ child(x) , the number of z satisfying R z (A) = 1 exceeds th x , R x (A) = 1.

KUNode algorithm
As in [6], we utilize a binary tree for user revocation. Let BT be a complete binary tree. It has N u leaf nodes and a root node RN. For each non-leaf node δ , its left and right child node is denoted as δ l and δ r . Each leaf node θ is associated with a user ID. Path(ID) denotes the nodes in the path from RN to θ . RL u is the revocation list storing the tuple (ID, t) with revoked user ID at time period t. The algorithm KUNode(BT, RL u , t) can obtain a minimum node set Y b . For any element (ID, t) ∈ RL u , Path(ID) Y b = ∅ . For other element (ID, t) / ∈ RL u , the algorithm can get a node δ ∈ Y b that is an ancestor of the leaf node θ related to the user ID. The detail of this algorithm is shown in 1.  [39]). To guarantee forward security, the system lifetime has N t = 2 d discrete time period denoted by {0, 1, . . . , N t − 1} . The lifetime is represented by a binary time tree T t of depth d. For each leaf node σ t in time tree T t , it is assigned with a time period t in chronological left-to-right order. For each node σ ∈ T t , RC σ denotes its right child, and b σ indicates the binary string according to the path from the root node to σ , where the path traverses the left child and right child of the parent node is denoted by 0 and 1, respectively. Given a time period t,

Definition 3 (Time Binary Tree
for each σ ∈ N t , a node σ ′ ∈ Nˆt exists that b σ is a prefix of b σ ′.

Cryptographic background
Here, we give the definition of some cryptographic primitives including bilinear map, decisional bilinear Diffie-Hellman exponent (BDHE) assumption and l-strong Diffie-Hellman assumption. [27]): We consider two p-ordered G 0 and G 1 groups that are multiplicative cyclic, where p is a prime. ε, ǫ are two generators of group G 0 . If the may ê : G 0 × G 0 → G 1 satisfies the following properties: It is considered that DBDH assumption holds when no probabilistic polynomial time (PPT) adversaries can deal with the DBDH problem whose advantages are non-negligible.
for an algorithm A randomly choosing x ∈ Z p ; then, the advantage for an algorithm solving the problem is ε.
If no PPT algorithm A can solve the l-SDH problem with the advantage at least ε , then the l-SDH assumption holds.

Methods
We present the concrete construction of our TR-TABE scheme together with the system model, formal definition and security model for our proposal in this section.

System model and threat model
As shown in Fig. 2, the system involves five entities, i.e. Trusted Authority (TA), Cloud Service Provider (CSP), Fog Node (FN), Data Owner (DO) and Data User (DU), which are described as follows: • TA: The entity is in charge of initiating the entire system by generating system public key and master key. It also responsible for user tracing and revocation, in which TA

Fig. 2 Framework of TR-TABE scheme
exposes the real identity of a malicious user who leaked his secret key and revokes the user by adding his identity into user revocation list. • CSP: The entity is responsible for providing enormous storage and computation resources for customers. It also offers a large number of services for users, such as data sharing and data outsourcing services. Moreover, it is in charge of the trapdoors exposure and update for the shared ciphertexts in it. • FN: The entity is in charge of user requests processing and conducting outsourced decryption for users who accessing the shared data in CSP. • DO: The entity takes charge of generating ciphertexts according to access policy and current time period for his own data to be stored and shared in CSP. • DU: The entity can access desired data shared in CSP and receive partially decrypted ciphertexts from FN. He can recover the correct plaintext if he is authorized and not revoked at current period. The entity is also responsible for generating his own decryption key by combining update key and his secret attribute key.
In our proposal, TA and DO are considered to be fully trusted. CSP and FN are supposed to be semi-trusted who conduct their protocol honestly but are curious about the contents transmitted. The entity DU involves untrusted users that may initiate collusion attack and conduct malicious activities for extra interest revenues, such as share his decryption key to outsiders. On account of these threats, we take the following design goals into consideration for our scheme: • User Collusion Resistance. The scheme should prevent unauthorized users colluding with each other to obtain more privileges for accessing the shared data. • Time-based and Fine-Grained Access. The data shared in CSP should not be learned by any malicious third party and can be accessed only by authorized DU after specific time point according to designated access policy. • Secure User Revocation. Any malicious cloud users that conduct malicious activities should be revoked with forward and backward security; that is, they cannot access the data shared before and after their revocation. • Traceability: Any malicious cloud users that illegally leaked their decryption keys for profit should be precisely recognized and exposed their real identity efficiently. • Verifiability: Due to the semi-trusted fog nodes, DU should have the ability to verify the correctness of the results from outsourced decryption. • Efficiency: As the resource-poor mobile devices deployed and utilized in smart city, it is preferable for DU to outsource the highly computational burden in decryption to CSP for efficiency improvement.

The formal definition of TR-TABE
Our TR-TABE scheme involves the following algorithms: • Setup( , N u , d) → {PK, MSK} : TA is responsible for the algorithm execution. Given the security parameters , N u , d , the algorithm constructs the whole system for the generation of system public key PK that is published publicly and master key MSK stored secretly. • AKeyGen(PK, sta, ID, S) → SK ID : TA is in charge of the algorithm execution.
Given the system public key PK, state information sta, user identity ID and his attribute set S, the algorithm outputs the secret attribute key and sends it to user ID through secure channel. • UKeyGen(PK, MSK, RL u , sta, t) → UK t : TA is responsible for the execution of this algorithm. Given the system public key PK and master key MSK, user revocation list RL u , state information sta and current time period t, the algorithm returns the update key UK t of current time period t. • DKeyGen(PK, SK ID , UK t ) → DK ID,t : Non-revoked user is responsible to execute the algorithm. Given the system public key PK, original secret attribute key SK ID and update key UK t , the algorithm combines SK ID with UK t to derive his decryption key DK ID,t at the beginning of each time period. • Encrypt(PK, m, t, T a ) → CT t : The algorithm is in the charge of DO. Given the system public key PK, the message m, current time period t and access policy tree T a , the algorithm outputs the ciphertext of m according to T a at time period t and uploads it to CSP. • CTUpdate(PK, CT t ,t) → CTˆt : CSP is responsible for the execution of this algorithm. Given the system public key PK, ciphertext CT t of time period t and the next time period t > t , the algorithm updates the ciphertext components associated with the symmetric encryption key from current time period t to the next time period t and outputs CTˆt. • TokenGen(PK, t) → TK t : The algorithm is in the charge of TA. Given the system public key PK and time period t, the algorithm outputs the time token TK t . • Trap(PK, TK t ) → TP ′ σ ,x : CSP is responsible for the execution of this algorithm. Given the system public key PK and the time token TK t of time period t, the algorithm outputs the exposed trapdoor TP ′ σ ,x of related ciphertexts and replaces the corresponding ciphertext components with it.
• TKeyGen(PK, DK ID,t ) → TK ID,t : The algorithm is in the charge of DU. Given the system public key PK and decryption key DK ID,t of time period t, the algorithm outputs the transformation key TK ID,t for outsourced decryption. • Decrypt OUT (PK, TPK ID,t , CT t , t) → CT t ′ : CSP is responsible for the algorithm execution. Given the system public key PK, public transformation key TPK ID,t , ciphertext CT t and time period t, the algorithm finishes outsourced decryption and outputs partially decrypted ciphertext CT t ′ .
• Decrypt U (PK, TSK ID,t , CT ′ σ t ) → m or null : DU is in charge of the execution of this algorithm. Given the system public key PK, secret transformation key TSK ID , t and partially decrypted ciphertext CT t ′ , the algorithm recovers and outputs the plaintext message m if authorized and null if not authorized.
• UTrace(PK, DK ID,t , RL u , t) → ID or null : The algorithm is in the charge of TA.
Given the system public key PK, decryption key DK ID,t , revocation list RL u and time period t, the algorithm exposes the identity ID of malicious user and adds it into revocation list RL u .

Traceability of TR-TABE
The traceability of our scheme is modeled through a security game between adversary A and challenger C as follows: Init: C executes Setup algorithm to initiates the system public key PK to A. Key Query: A conducts q queries for decryption key generation given . Then, C runs DKeyGen to derive decryption keys for A . For a better understanding, we assume all decryption are generated at time period t.
Key Forgery: A outputs a decryption key DK A,t . If A can win the game, then for a well-formed decryption key DK A,t , Thus, the advantage of A in winning the game is: where Ŷ is the leaf nodes in BT covered by KUNode(BT , RL u , t).

Definition 7
The TR-TABE has traceability if no PPT adversary can break the above game with a non-negligible advantage.

IND-CPA security of TR-TABE
According to the ability of adversary, there are two types of adversaries: Type-A adversary who has insufficient privilege for data access, even he is not revoked or arrives at release time and Type-B adversary who has enough rights but has been revoked before declared time period. Then, we describe the IND-CPA security model for our TR-TABE scheme corresponding to these adversaries and conduct a selective security game between an adversary A and a challenger C . specified as follows: Init: A sends a challenge access policy tree T * a , a time period t * and a revocation list RL * u to C. Setup: C executes the Setup algorithm of our scheme and outputs the public parameters to A.
, where q i belongs the following: • SK Query: A requests C for secret key with an attribute set S. As a response, C outputs the secret key and returns them to A. • UK Query: A requests C for update key with a revocation list RL u and time period t. As a response, C outputs the update key and returns it to A . Besides, C issue a decryption key query to get decryption key for algorithm execution. • DK Query: C running decryption key generation algorithm after SK Query and UK Query to get decryption key and sends it to A. • TK Query: A issues queries for transformation key similar to that in SK Query. C executes TKeyGen to generates transformation key pairs and sends it to A.
• RL Query: A submits user revocation request with identity ID at time period t, C updates the revocation list.
Note that all the above queries have the same constraints as that of [6]; that is, RK Query and UK Query must be queried later than previous queries and they cannot be queried at the same time period. SK Query cannot be queried before UK Query at the same time period. Challenge: A finishes the above phase and issues two equal-length data B 0 and B 1 to C . Then, C randomly picks a bit ǫ ∈ [0, 1] and encrypts m ǫ according to T * a and t * and sends it to A.

Overview of our proposal
In our proposal, we intend to achieve time-based and fine-grained access control for data sharing in applications of smart city with efficient user tracing and revocation over large attribute universe. Our scheme holds constant sized public parameters and can trace malicious users who try to share their decryption keys with outsiders for profit then revoke them. Any revoked users cannot access ciphertexts before and after his revocation and the ciphertext update requires no secret keys. Moreover, based on our system model, we give an overview for our TR-TABE scheme involving the following four phases shown in Fig. 3.
• Initialization. In this phase, TA initiates the whole system by generating system public parameters and master key for the system. All entities in the system can obtain the system public parameters. • Key Generation. In this phase, TA creates secret attribute keys for users according to their attribute set and periodically distributes update keys at the beginning of each time period. Unrevoked users can calculate their decryption key with secret key and update key. • Encryption. In this phase, DO encrypts the sensitive and important data using symmetric encryption algorithm before uploading them to the CSP. Moreover, DO designates an access policy for the data to enable fine-grained access control and data sharing in CSP. Moreover, CSP periodically updates outsourced ciphertexts at the end of each time period. • Decryption. In this phase, DU requests desired data from CSP through FN. After outsourced decryption, FN returns the DU with the partially decrypted ciphertexts. DU recovers the plaintext according to the result of verification.
• Trace. In this phase, if any malicious cloud user leaks his decryption key for illegal profits, TA will obtain the identity of key owner according to the exposed decryption key and conduct revocation.

Initialization phase
• Setup( , N u , d) → {PK, MSK} : On inputting the security parameter , the maximum number of system users N u and the depth d of the time tree T t , the setup algorithm initiates a binary tree BT with N u leaf nodes, the user revocation list RL u = ∅ and system initial state sta = BT for user revocation mechanism. It also computes the total number of time periods N t = 2 d in T t , where the set of total time periods is denoted by F T . Then, it generates two multiplicative bilinear groups G 0 and G 1 of prime order p with a generator g of group G 0 and a bilinear map ê : G 0 × G 0 → G 1 and selects random numbers α, a, γ ∈ Z p . The algorithm also chooses η, η 1 , η 2 , · · · , η d ∈ R G 0 and a probabilistic symmetric encryption scheme (Enc, Dec) from a binary string to Z * p with a random key K ∈ K . Then, it selects collision-resistant hash functions where H 0 , H 1 are two collision-resistant hash functions, H 2 is a pseudorandom function, K is the symmetric encryption key universe and M is the message universe. The algorithm also defines a function H : for each time period t ∈ T t expressed by a d-length binary string, where t i denotes the ith bit of t. Next, it computes and outputs the system public key and master key as follows: Finally, TA publishes PK publicly and stores MSK locally in secret.

Key generation phase
• AKeyGen(PK, sta, ID, S) → SK ID : The algorithm chooses a random empty leaf node θ of the binary tree BT to store user ID. For each node δ ∈ Path(θ) , the algorithm selects a random element µ δ ∈ G 0 if the node δ is not assigned and a random number r δ ∈ Z p . Then, the algorithm calculates c = Enc(ID,K ) . It also chooses a random number r ID ∈ Z p for user ID and r i ∈ Z p for each attribute att i ∈ S and computes Finally, the algorithm outputs the secret attribute key of user ID as SK ID = {S, K ID = c, {SK δ,ID } δ∈Path(θ) } with updated system state sta.
• UKeyGen(PK, MSK, RL u , sta, t) → UK t : Given the current time period t, the algorithm run KUNode(BT , RL u , t) to get the node set Y. For each node δ ∈ Y , the algorithm fetches µ δ . If δ is not assigned previously, it assigns a random µ δ ∈ G 0 to the node δ . Then, the algorithm chooses a random number β δ ∈ Z p for each node δ and computes Finally, the algorithm outputs the update key UK t = {UK δ } δ∈Y of current time period t. • DKeyGen(PK, SK ID , UK t ) → DK ID,t : On inputting the secret attribute key SK ID and update key UK t for current time period tof user ID, the algorithm calculates the decryption key for non-revoked user ID in the current period t.

Encryption phase
• Encrypt(PK, m, t, T a ) → CT t : On inputting PK, the data m to be encrypted and the designated access policy tree T a , the algorithm consists the following steps for each node σ ∈ N t : • The algorithm chooses a random B ∈ G 1 and computes ck = H 0 (B) as the symmetric encryption key. Then, it encrypts the data m with ck to get CT s = Enc(m, ck) . Moreover, the algorithm computes the message verification code φ = H 2 (B, m). • With the designate access policy tree T a whose root node is denoted by R, the algorithm chooses a random number s 0 σ ,R ∈ Z p as the base secret value of T a for each node σ ∈ N t and computes C σ ,0 = B ·ê(g, g) αs 0 σ ,R , C σ ,1 = g s 0 σ ,R , C σ ,2 = g as 0 σ ,R . Then, for each node x in T a , the algorithm picks two random number s 1 σ ,x , s 2 σ ,x ∈ Z * p , which satisfy the following equation: • For each time trapdoor TP x related to the time release t ∈ F T and a secret parameter s 2 σ ,x , DO picks a random number r t ∈ Z p and generates TP σ ,x for node x ∈ T a as follows: • For the nodes in access policy tree T a , the algorithm computes the ciphertext in a top-to-bottom way by executing the following steps: • For each non-leaf node x with s 1 σ ,x , the DO chooses a polynomial q x whose degree d x = th x − 1 and q x (0) = s 1 σ ,x . For each of x's child node y ∈ child(x) with a unique index index(y) , DO set s 0 y = q x (index(y)). • For a leaf node x with s 1 σ ,x and related attribute att x , the algorithm generates corresponding ciphertext components C σ ,x , C ′ σ ,x as follows: where X is the leaf node set in T a . • Moreover, the algorithm obtains − → C σ =< c σ ,0 , c σ ,|b σ +1| , . . . , c σ ,d > by computing: − → C σ } σ ∈N t and uploads it to CSP.
• CTUpdate(PK, CT t ,t) → CTˆt : Given the ciphertext CT t at time period t and a new time period t that t > t , the algorithm conducts the following steps: • For each node σ ′ ∈ Nˆt , the algorithm obtains a node σ ∈ N t which satisfies that b σ is a prefix of b σ ′ . Then, the algorithm selects a random number s 0 σ ′ ,R ∈ Z p as the updated base secret value of T a and computes: Then, the algorithm computes s 1 according to access policy tree T a the same as in Encrypt algorithm. • For each unexposed time trapdoor TP x related to the new time release t ∈ F T and a secret parameter s 2 , DO picks a random number rˆt ∈ Z p and generates TP σ ,x for node x ∈ T a as follows: • For each leaf node x ∈ T a , the algorithm calculate the updated ciphertext components as follows: • Moreover, the algorithm calculates and Finally, the updated ciphertext is generated as for time period t and replaces CT t stored in CSP.

Decryption phase
The decryption phase involves the following algorithms: • TokenGen(PK, t) → TK t : As the system runs at a uniform time and the time is counted by the number of time point here. When each time point t ∈ F T arrives, TA published a time token TK t = H 1 (t) γ which can be received by each entity in the system. • Trap(PK, TK t ) → TP ′ σ ,x : When CSP receives a TK t at releasing time point t published by CA, it finds all trapdoors related to time point t in all access policies of files stored in CSP. For each of these trapdoors TP σ ,x = (A σ ,x , B σ ,x ) , the CSP computes the following equation: Then, the CSP replaces these TP σ ,x with TP ′ σ ,x for the cipertexts of related files. Thus, if the above equation is correctly executed, the related trapdoor will be exposed to be TP ′ σ ,x = s 2 σ ,x . • TKeyGen(PK, DK ID,t ) → TK ID,t : On inputting the decryption key DK ID,t of DU ID at time period t, the algorithm selects z t ∈ R Z * p as the secret transformation key TSK ID,t of the DU and computes the public transform key Finally, the algorithm outputs the transformation key pair TK ID,t = (TPK ID,t , TSK ID,t ) for the DU who keeps the TSK u secret and publishes TPK u with data access request.
• Decrypt OUT (PK, TPK ID,t , CT t , t) → CT t ′ : The algorithm is executed by CSP for outsourced decryption given ciphertext CT t . As to each node x ∈ T a , we assume that the related trapdoor is exposed, i.e. TD ′ x = s 2 x , as follows: The algorithm picks the ciphertext component corresponding to the leaf node σ t ∈ N t and conducts the procedure in a bottom-up way in the following steps: • For a leaf node x ∈ T a , if its associated attribute att i ∈ S , the algorithm executes: If att i / ∈ S or TP σ t ,x is not exposed, P x = null.
• For a non-leaf node x ∈ T a , If there exists a th x -sized child nodes set N x of x, for each node y ∈ N x , P x = null and there exists no unexposed trapdoor associated with node x at time period t. The algorithm executes the following equation: where j = index(y) and N ′ x = {index(y) : y ∈ N x } . Otherwise, P x = null . Then, recursively, the algorithm obtains P R =ê(g, g) x , x is related to an exposed trapdoor x is related to no trapdoor Finally, the CSP sends partially decrypted ciphertext CT • Decrypt U (PK, TSK ID,t , CT ′ σ t ) → M or null : After receiving the partially decrypted ciphertext CT ′ σ t , the algorithm gets the random element B * by computing B * = C σ t ,0 /(C ′ σ t ) TSK ID,t . Then, it calculates ck * = H 0 (B * ), m * = Dec(CT s , ck * ) . It outputs m * if ψ = H 2 (B * , m * ) or null otherwise.

User trace phase
• UTrace(PK, DK ID,t , RL u , t) → ID or null : Given a suspected decryption key DK ID,t , the algorithm first runs the following check. Key Sanity Check: If the decryption key DK ID,t does not satisfy Key Sanity Check, the algorithm abort and outputs null. Otherwise, we consider it as a well-formed decryption key. Then, the algorithm computes ID = Dec(K ID ,K ) and recovers the suspected user ID. The algorithm checks whether ID is stored in BT . If ID does node exists, the algorithm aborts and returns null. Otherwise, it updates the revocation list with RL u = RL u ∪ {(ID, t)}.

Results and discussion
In this section, we present the result of our study including security and performance analysis with corresponding discussion.

Traceability of TR-TABE
In this part, we show the reduction of the traceability of our TR-TABE scheme to l-SDH assumption.

Theorem 1 Our TR-TABE scheme is traceable if l-SDH assumption holds and the number of queries
ID,i,2 dk ID,i,3 , H 1 (att i )) =ê(dk ID,i,1 , g)· e(dk K ID ID,0 dk ID , 2, g) ·ê(g, g) α 1 Proof If there exists a PPT adversary A that can break the traceability game with non-negligible advantage ε after q queries, then we can construct a challenger C that have the ability to solve the l-SDH problem with advantage ε/2 assuming l = q + 1 . We also suppose G 0 , G 1 are two bilinear groups of prime order p with a bilinear map ê : G 0 × G 0 → G 1 and a generator h ∈ G 0 . After receiving a l-SDH problem input (ĝ,ĝ a ,ĝ a 2 , . . . ,ĝ a l ) , C sets T i =ĝ a i where i ∈ {0, . . . , l} and intends to output (c t , w t =ĝ 1/(a+c 0 ) ) . C creates the following simulation in utilizing A to break the scheme by solving the l-SDH problem.
Init. C runs Setup to initiate the whole system and randomly selects q numbers c 1 , c 2 , . . . , c q ∈ Z p and α, γ ∈ R Z p , Key query. A submits (ID i , S i ) to C for the corresponding decryption key DK ID,t at time point t. For the ith query that i ≤ q , suppose =ĝ q(a)/(a+c i ) = g 1/(a+c i ) . C randomly chooses r δ , r ID i , β δ ∈ Z p , {r y } att y ∈S i ∈ Z p then computes the decryption key by simulating AKeyGen, UKeyGen and DKeyGen, Finally, C outputs DK IDi ,t = {S i , K IDi , dk IDi ,0 , dk IDi ,1 , dk IDi ,2 , dk IDi ,3 , {dk IDi ,y,1 , dk IDi ,y,2 , dk IDi ,y,3 } atty∈Si } to A.
Key Forgery. A submits a decryption key DK * ID i ,t to C . Suppose an event that A breaks the game is denoted by E A in which DK * ID i ,t can pass Key Sanity Check of Eqs. 1, 2, 3 and K ID i / ∈ {c 1 , . . . , c q } . In case that E A does not happen, C randomly chooses (cˆt , wˆt ) ∈ Z p × G 0 as a response to l-SDH problem. Otherwise, C repre- Then, C can calculate 1/(ϑ − 1) as gcd(ϑ − 1, p) = 1 . It also computes Then, ê(ĝ cˆt ·ĝ wˆt ,ĝ 1 a+K ID i ) =ê(ĝ,ĝ) and (cˆt , wˆt ) is a solution for l-SDH problem.
Suppose another event E SDH (c t , w t ) that (c t , w t ) can solve l-SDH problem which satisfies ê(ĝ c t ·ĝ w t ,ĝ 1 a+K ID i ) =ê(ĝ,ĝ) . The event E SDH (c t , w t ) happens if and only if E A happens and gcd(ϑ − 1, p) = 1 given (c t , w t ) from C . Therefore, the probability that C solves l-SDH problem is a+c i g r δ {dk ID,y,1 = g r ID i H 1 (att y ) r y , dk ID i ,y,2 = g r y , dk ID i ,y,3 = g ar y } att y ∈S i As the probability of E SDH (c t , w t ) with random (c t , w t ) is negligible, we set it as zero in our computation.
In conclusion, if A can break our scheme with non-negligible advantage, then C can solve l-SDH problem with same advantage, which is inconsistent with l-SDH assumption. Therefore, our scheme is traceable.

Theorem 2
No PPT adversaries can selectively win the security game of our scheme with an advantage that is non-negligible on condition the DBDH assumption holds.
1 Proof When the advantage ς of adversary A is non-negligible when he selectively break the security game against our scheme, we can create a simulator B who is able to distinguish a DBDH parameter from a random parameter with an identical advantage to that of A . Init: The simulator B of DBDH game creates the bilinear group {G 0 , G 1 ,ê, p, g} , where ê : G 0 × G 0 → G 1 and g ∈ G 0 . It than selects random c, d, m, ν ∈ Z p and ε ∈ [0, 1] . If ε = 0 , the challenger B generates a tuple (C, D, M, V ) = (g c , g d , g m ,ê(g, g) cdm ) ; otherwise, it generates (g c , g d , g m ,ê(g, g) ν ) . B then sends the tuple to C . In the meantime, the adversary A submits a selected challenging access policy tree T * a , a time period t * ∈ F T and a revocation list RL * u which contains revoked users before the time period to challenger C of our scheme.
Setup: After the challenger C gets the DBDH tuple (C, D, M, V) and bilinear group from B as well as the security parameters N u , , d , it computes N t = 2 d as the total number of time periods and randomly chooses α ′ , γ ∈ Z p , sets ê(g, g) α =ê(g, g) α ′ê (g, g) cd . and hash functions H 0 , H 1 , H 2 , H 3 . Then, for Type-A attack, C computes δ = g γ and for Type-B attack, it simulates δ = D . C also simulates H 1 (x) = g q x , where q x ∈ Z p . Finally, C generates system public parameters PK = {G 0 , G 1 , p, g, g a ,ê,ê(g, g) α , η 1 , . . . , η d , h = g γ } and the master key MSK = {g α , a, γ } . It keeps the MSK privately and sends the PK to the adversary A.
Phase 1: The adversary A submits a series queries q i for secret key and transformation key as follows: • SK Query: C generates secret attribute key given the attribute set S in A 's requests. It first sets random µ ′ δ ∈ G 0 for each node δ ∈ BT .
• Type-A adversary: T * a (S) � = 1 . To generate the secret attribute key, C chooses an empty leaf node θ ∈ BT randomly if the identity ID is not assigned. It picks random numbers r δ , c ′ , r ′ ∈ Z p and sets r ID = r ′ − c .
• Type-B adversary: T * a (S) = 1 and ID ∈ RL * u . Then, ID must have been associated with a leaf node θ ∈ BT and each node δ ∈ Path(ID) is also assigned. C returns the original secret key to A.
• UK Query: C creates update key on inputting a revocation list RL u and a time period t. For each node δ ∈ Y , C chooses a random number β δ ∈ Z p for each node δ and computes: UK δ,t = {uk δ,t,0 = µ −1 δ · H(t) β δ , uk δ,t,1 = g β δ } • DK Query: C queries this algorithm to generate the final decryption key as follows.
• TK Query: Similar to the SK Query, the challenger C runs TKeyGen algorithm to generate transformation key pair and sends them to A. • RL Query: Given the query of A for user revocation request with identity ID at time period t, C updates the revocation list by adding (ID, t) into revocation list RL u .
Challenge: The adversary A finishes the Phase 1 and submits two data B 0 and B 1 with equal length to C . First, C picks ǫ ∈ R [0, 1] and computes C σ ,0 = B ǫ ·ê(g, g) αs 0 σ ,R = B ǫ ·ê(g, g) αm = B ǫ · Vê(g, g) α ′ m , C σ ,1 = g s 0 σ ,R = g m = M, C σ ,2 = g as 0 σ ,R = g am = M a . With respect to the adversary A , when ε = 0 , V =ê(g, g) cdm and according to the decryption procedure, the adversary can get B ǫ from CT. Nevertheless, when ε = 1 , V ∈ G 1 is a random element. Thus, A cannot get any information about m ǫ from CT.
Phase 2: The adversary A repeats the procedures in Phase 1 with the same restriction that the ID / ∈ RL and the attribute set S in queries do not satisfy T. Guess: The adversary A outputs the guess of bit ǫ ′ . If ǫ = ǫ ′ , the challenger C guesses V =ê(g, g) cdm with his output 0; otherwise, it guesses Z as a random element. If the adversary A has the advantage of ς , then the challenger C can break the DBDH game with advantage ς 2 given that the variables ǫ and ε are independent. The computation of the advantage for C is the same as in [12].
In conclusion, if an adversary A can win the security game of our scheme with a nonnegligible advantage ς , then the challenger C can break the DBDH game with identical advantage. Therefore, our scheme is IND-CPA secure in our security model.

Performance analysis
In this section, we compare our proposal and several existing related work in theoretical analysis and actual performance evaluation. We first present the function comparison of our scheme and various state-of-the-art CP-ABE schemes [6,12,21,46,48] summarized in Table 1.

Theoretical analysis
The theoretical analysis of our scheme involves computation and storage complexity. For computation complexity, we let |X|, K , N , |TP|, |P| denote the size of leaf node set, nonleaf node set, node set of N t , trapdoors set and the length of the path in binary tree BT in access policy tree T a . Then, we let E 0 , M 0 and E 1 , M 1 denote the exponential operation and the multiplication operation in G 0 and G 1 , respectively while let P denote the pairing operations. For storage complexity, we let |G 0 |, |G 1 | and |Z p | denote the length of elements in G 0 , G 1 and Z p , respectively. In Table 2, we compare the TR-TABE with scheme [12] from the aspect of computation cost of Encrypt, Decrypt, KeyGen and storage overhead involving public parameter size (PP Size), decryption key size (DSK Size) and ciphertext size (CT Size). Here, the KeyGen denotes the AKeyGen algorithm in TR-TABE and DSK Size in scheme [12] is the size of user secret key.

Implementation and evaluation
As for the precise performance evaluation for our scheme, we implement it and the related scheme [12] using Java Programming Language and Java Pairing-Based Cryptography library (JPBC) [49] which supports operations of pairing, exponential, addition, multiplication and inversion in finite field and groups. In our implementation, we adopt the Type-A curve with prime order. It is defined over a 160-bit elliptic curve group and a 512-bit finite field. Moreover, our experimental simulations are run on a Windows10 system with Intel Core i5 CPU 2.13 GHz and 8.00-GB RAM. Figure 4 shows the actual time cost comparison of Encrypt algorithm in different settings. The time cost of encryption in our scheme is affected by the number of leaf nodes, the number of trapdoors in access policy tree T a and the size of N t while that of [12] is only affected by the former two. However, we can see from Fig. 4a-d that the time cost difference between the two schemes is increasing with the growth of |N|.
In Fig. 5, we notice that within the same size of user attribute set, the decryption cost in our scheme is smaller and nearly constant when the number of ciphertexts grows, while in scheme [12], it is far more and linear with the growth of the number of ciphertexts. Moreover, from Fig. 5a-d, within the same size of user attribute set, the time cost of decryption for one data file in scheme [12] is far more than that of our scheme, and as the number of ciphertexts grows, the gap gets bigger. Figure 6 depicts the actual time cost of key generation in the two schemes. From the theoretical analysis, the time cost of key generation in our scheme is affected by the number of attributes of a user and the length of the user path in BT of the system, which incurs extra time cost. As Fig. 6a-d shows, when |P| is set as [4,6,8,10], the time cost in our scheme is more than that of scheme [12] and the difference of time cost between the two schemes increases with the growth of |P|. This is consistent with the theoretical analysis of our scheme which incurs the extra cost for key components corresponding to the path for the users in BT . These extra components are used for user revocation with forward security. As the user secret attribute key is generated by TA just once for each user, the extra cost is also acceptable for DU. Figure 7 plots the comparison of the size of public parameter, decryption key and ciphertext between the two schemes. Obviously, in Fig. 7a, the size of the system public parameters in our scheme is related to d (Here, we set d = 6 ) and is larger than that of scheme [12] as we take some extra storage complexity for time function H in our scheme. Moreover, in Fig. 7b, the storage overhead of decryption key in our scheme is nearly none due to outsourced decryption, while that of the scheme [12] is far more and proportional to the size of the user attribute set. From Fig. 7c, d with different settings of |N|, we notice that the ciphertext size in our scheme is more than that of [12] and as |N| grows, the gap becomes bigger.
In Fig. 8, we present the comparison of the actual time and storage cost in user tracing between our scheme and the scheme [47]. Accordingly, we summarize the theoretical overhead comparison of the two schemes in Table 3. The user tracing algorithm in our scheme eliminates the identity table, which only costs O(1) in computational complexity and no storage overhead, while the scheme [47] costs O(n) in computation complexity for user tracing, where n is the size of identity table, and   Fig. 8a and b that the time cost and storage overhead in user tracing of our scheme is nearly none.
In conclusion, although our scheme incurs extra storage overhead for ciphertext, it outperforms existing related schemes in time cost of encryption and decryption as well as user tracing. Moreover, it can support large attribute universe, user traceability and revocability with forward and backward security and time-based data access control. Thus, our scheme is more suitable for data sharing of smart city applications with resource-poor user devices.

Conclusion
In this paper, we investigated the troublesome security issues of data sharing in cloudfog-based smart city and proposed an efficient time-based data sharing scheme with traceability and revocability, i.e., TR-TABE. We presented the system model and the threat model for our proposal. To support efficient user tracing and revocation, we designed an efficient traceable and revocable CP-ABE scheme with forward and backward security. Moreover, to provide time-based data access control, we integrated the time release encryption into our designed CP-ABE scheme. Furthermore, the computation burden of resource-poor devices is low in our scheme by outsourced decryption. Besides, we presented the security proof for our scheme and evaluated its precise performance by conducting extensive experimental simulations to demonstrate its efficiency and practicality in data sharing of smart city applications. In addition, although our proposal is designed for data sharing of applications in smart city, it can also be utilized for more generic systems.