Journal of Systems Architecture 160 (2025) 103331 Contents lists available at ScienceDirect Journal of Systems Architecture journal homepage: www.elsevier.com/locate/sysarc A CP-ABE-based access control scheme with cryptographic reverse firewall for IoV Xiaodong Yang a , Xilai Luo a ,∗, Zefan Liao a , Wenjia Wang a , Xiaoni Du b , Shudong Li c a College of Computer Science and Engineering, Northwest Normal University, China b College of Mathematics and Statistics, Northwest Normal University, China c Cyberspace Institute of Advanced Technology, Guangzhou University, China ARTICLE INFO ABSTRACT Keywords: The convergence of AI and internet technologies has sparked significant interest in the Internet of Vehicles Attribute-based encryption (IoV) and intelligent transportation systems (ITS). However, the vast data generated within these systems Multi-authority poses challenges for onboard terminals and secure data sharing. To address these issues, we propose a novel Internet of Vehicles solution combining ciphertext policy attribute-based encryption (CP-ABE) and a cryptographic reverse firewall Cryptographic reverse firewall (CRF) mechanism for IoV. This approach offers several advantages, including offline encryption and outsourced Outsource decryption decryption to improve efficiency. The CRF mechanism adds an extra layer of security by re-randomizing vehicle data, protecting sensitive information. While single-attribute authority schemes simplify access control, they are not ideal for IoV environments. Therefore, we introduce a multi-authority scheme to enhance security. Performance analysis demonstrates our scheme’s ability to optimize encryption and decryption while safeguarding vehicle data confidentiality. In summary, our solution improves data management, access control, and security in the IoV, contributing to its safe and efficient development. 1. Introduction significant concerns about data security [5]. Therefore, cloud-based solutions alone are insufficient to meet the demands of the IoV. To Advances in 5G technology, coupled with the growing volume of ve- mitigate these issues, edge computing [6], fog computing [7], and hicular traffic, have intensified concerns regarding traffic safety, travel Roadside Units (RSUs) [8] have been proposed. RSUs, with their higher efficiency, and environmental impact. In response, Intelligent Transport computational capabilities, can process data more efficiently and up- Systems (ITS) and the IoV have emerged as critical components of load it to cloud servers in real time, addressing the challenges of latency modern transportation infrastructure. The functionality of the IoV relies and limited onboard processing power. on three key elements: the internal vehicle network, the vehicle-to- However, data security remains a critical issue. One potential so- vehicle communication network, and the in-vehicle mobile internet. lution is encrypting data before transmission, which introduces chal- These elements integrate technologies such as sensors, RFID (Radio Fre- lenges in ciphertext sharing. Traditional symmetric encryption, re- quency Identification), and automated control systems, operating under quiring a one-to-one correspondence between keys and users, proves established communication protocols to enable seamless, dynamic data inefficient for securing large volumes of data in IoV environments. Con- exchange between vehicles and the broader network. ventional asymmetric encryption algorithms also struggle with cipher- While drivers benefit from applications like navigation and traffic text sharing and are ill-suited for the frequent updates characteristic information sharing, the limited computing power of onboard terminals of IoV applications. A more appropriate approach is Attribute-Based is insufficient for computationally intensive tasks such as autonomous Encryption (ABE), which enables fine-grained access control, supports driving and AI-based obstacle avoidance [1]. A potential solution is encryption for multiple recipients, and facilitates the creation of com- offloading data processing to cloud servers, but the large volume of plex access policies [9–11]. ABE allows data owners to control who vehicle-generated data introduces high latency in communication be- can access their data, but the decryption process is computationally tween the onboard terminal and the cloud, compromising real-time decision-making [2–4]. This latency, coupled with the risks associated intensive, requiring numerous pairing and exponential operations. This with data leakage and theft in semi-trusted cloud environments, raises places a significant burden on resource-constrained onboard terminals, ∗ Corresponding author. E-mail addresses: yangxd200888@163.com (X. Yang), 2023222208@nwnu.edu.cn (X. Luo), lzf0097@163.com (Z. Liao), neuer1130@163.com (W. Wang), duxiaonwnu@163.com (X. Du), lishudong@gzhu.edu.cn (S. Li). https://doi.org/10.1016/j.sysarc.2025.103331 Received 11 August 2024; Received in revised form 4 December 2024; Accepted 2 January 2025 Available online 17 January 2025 1383-7621/© 2025 Elsevier B.V. All rights are reserved, including those for text and data mining, AI training, and similar technologies. X. Yang et al. Journal of Systems Architecture 160 (2025) 103331 hindering timely data retrieval and impeding efficient communication. Yang et al. [22] introduced a CP-ABE scheme for dynamic big data As the number of attributes increases, the decryption complexity grows, updates, and Feng et al. [23] developed a CP-ABE scheme for industrial leading to slower decryption times and higher resource consumption. IoT. Other schemes [24,25] have improved security and efficiency, To address these challenges, several outsourced ABE schemes have broadening ABE’s application to the Internet of Medical Things (IoMT). been proposed [12–15], which offload expensive operations to cloud CP-ABE enables fine-grained access control, making it highly appli- servers, alleviating the computational load on onboard terminals. How- cable in sectors such as smart healthcare and intelligent transportation. ever, even secure theoretical implementations of ABE are vulnerable to However, single-attribute authority ABE schemes are vulnerable to col- practical attacks. Sophisticated adversaries may exploit backdoors [16], lusion attacks. To address this, it is desirable to delegate each attribute manipulate pseudo-random number generators [17,18], or intercept to different attribute authorities. Chase [26] was the first to introduce hardware interactions to gain unauthorized access to sensitive data. To the concept of multiple attribute authorities within the ABE framework, counter these threats, the concept of a Cryptographic Reverse Firewall where various authorities oversee different attributes. Lewko and Wa- (CRF) was introduced [19]. The CRF, positioned between the user and ters [27] later introduced the initial decentralized ABE framework with the server, intercepts and alters messages to ensure data security, even multiple authorities. Following this, Chaudhary et al. [28] proposed if the user is compromised. a multi-authority CP-ABE scheme tailored for the Internet of Vehicles Moreover, traditional ABE schemes rely on a single attribute au- (IoV) context. thority, which poses a risk of key leakage if the authority colludes Considering the constrained computing capabilities of user termi- with an adversary. To mitigate this, we propose a multi-authority nals, Green et al. [12] introduced an ABE scheme that delegates de- ABE scheme, integrated with a CRF, to enhance security and prevent cryption computations to the cloud. Lai et al. [13] improved upon this collusion attacks. The key contributions of this paper are as follows: by achieving verifiability of outsourced decryption. Zhong et al. [29] 1. We propose a CP-ABE-based scheme that enables more granular further enhanced the efficiency of outsourced decryption ABE schemes access control policies, enhancing the system’s flexibility. This and applied them to smart healthcare scenarios. proves particularly beneficial in IoV scenarios such as IoV com- Mironov and Stephens-Davidowitz [19] were the first to introduce munication, where data access can be dynamically adjusted in the concept of a reverse firewall. They proposed a generic architecture accordance with the context. to prevent user tampering, which could lead to data leakage. However, 2. The scheme integrates multiple attribute authorities to prevent the previous approach was found unsuitable for ABE schemes, prompt- collusion attacks and guarantee secure key management. Each ing Ma et al. [30] to introduce a cryptographic reverse firewall utilizing authority is responsible for managing vehicle attribute keys, the CP-ABE scheme. Additionally, Hong et al. [31] proposed a KP-ABE enhancing the security and efficiency of key generation, which scheme with multiple authorities. Due to the limitations of KP-ABE in is ideal for environments like smart cities or autonomous vehicle achieving fine-grained access control, Zhao et al. [32] proposed a CP- fleets. ABE scheme incorporating a CRF and leveraged outsourced decryption 3. We enhance the CRF module by incorporating key parameter to alleviate computational burdens. However, these approaches suffer re-randomization within the multi-authority ABE framework, from drawbacks, such as reliance on a single attribute authority or strengthening security in IoV communications, even if certain excessive computational overhead. Moreover, there is a risk of sys- parts of the system are compromised. tem compromise, which could lead to data leakage, especially in the 4. The scheme optimizes decryption efficiency through the use of context of IoV, characterized by constrained computational resources online-offline encryption techniques and offloading decryption and stringent data privacy requirements. At the same time, the devel- operations. Decryption time does not increase linearly with the opment of IoV places higher demands on the security and flexibility number of attributes, making it suitable for real-time applica- of access control. Therefore, the proposed scheme combines CP-ABE, tions like hazard detection and traffic optimization. CRF, and multi-authority models to meet the requirements for security, 5. The scheme also supports message integrity verification, which flexibility, and low computational overhead. can be easily carried out by onboard terminals using simple hash functions, ensuring the authenticity of IoV messages and pre- 3. System model and definitions venting malicious tampering in safety-critical communications. The paper is organized as follows: Section 2 reviews existing 3.1. Preliminaries attribute-based encryption schemes and the application of CRFs. Sec- tion 3 provides an overview of the system and security models. Sec- 1. Bilinear Maps: Involve two multiplicative cyclic groups of prime tion 4 discusses the base scenario and the extended CRF module. order 𝑝, denoted as 𝐺 and 𝐺𝑇 , with 𝑔 representing a generator Section 5 presents security proofs for the base scheme and the CRF- of 𝐺. A bilinear map 𝑒 ∶ 𝐺 × 𝐺 → 𝐺𝑇 must satisfies the following enhanced scheme. Section 6 reports on experiments and results. Finally, three features: Section 7 concludes the paper. (a) Non-degeneracy: 𝑒(𝑔 , 𝑔) ≠ 1. 2. Related work (b) Computability: Efficient computation of 𝑒(𝑀 , 𝑁) for any el- ements 𝑀 , 𝑁 ∈ 𝐺 is achievable through a polynomial-time Sahai [10] introduced fuzzy identity-based encryption, which paved algorithm. the way for Attribute-Based Encryption (ABE). ABE later branched (c) Bilinearity: Efficient computation of 𝑎, 𝑏 ∈ 𝑍𝑝 for any ele- into two forms: Key-Policy ABE (KP-ABE) [9] and Ciphertext-Policy ments 𝑀 , 𝑁 ∈ 𝐺 we can acquire 𝑒(𝑀 𝑎 , 𝑁 𝑏 ) = 𝑒(𝑀 , 𝑁)𝑎𝑏 . ABE (CP-ABE) [11]. Initially, both schemes used access trees to define policies. However, the first CP-ABE scheme only provided security 2. Access Structure: Consider a set 𝑃 = {𝑃1 , 𝑃2 , … , 𝑃𝑛 } representing under the random oracle model. Waters [20] introduced an LSSS-based 𝑛 users. A collection 𝑄 is deemed monotone if, for any subsets CP-ABE scheme that encodes policies using matrices. This founda- ∀𝐾 , 𝐿: if 𝐾 ∈ 𝑄 and 𝐾 ⊆ 𝐿, then 𝐿 ∈ 𝑄. Let 𝑄 bbe a nonempty tional model has influenced many subsequent ABE schemes, which subset of 𝑃 that is monotonic, i.e. 𝑄 ⊆ 2{𝑃1 ,𝑃2 ,…,𝑃𝑛 } ∖{∅}, then call have expanded into diverse domains, particularly cloud computing. 𝑄 a monotone access structure. In the context of access control, For example, Yu et al. [21] proposed a KP-ABE scheme enabling data sets included in 𝑄 are identified as authorized, while those that delegation to semi-trusted cloud servers while ensuring confidentiality. are not included are referred to as unauthorized sets. 2 X. Yang et al. Journal of Systems Architecture 160 (2025) 103331 3. Linear Secret Sharing Scheme (LSSS): Let 𝐴̃ = {𝐴̃ 1 , 𝐴̃ 2 , … , 𝐴̃ 𝑁 } be defined as the set that includes all possible attribute names. Cor- responding to each attribute name 𝐴̃ 𝑖 ∈ 𝐴̃ within A, there is an associated set of attribute values, denoted as 𝐴̃𝑖 = {𝐴𝑖,1 , 𝐴𝑖,2 , … , 𝐴𝑖,𝑏𝑖 }, where 𝑏𝑖 is the order of 𝐴̃ 𝑖 . The policy for access is denoted as 𝑇 = (𝑀 , 𝜌, 𝑉 ) Within the context of a linear secret sharing scheme, 𝑀 denotes a matrix structured with 𝑙 row size and 𝑛 column size. 𝜌 denotes a function that associates each row of 𝑀 with an attribute name in 𝐴̃ 𝑖 . 𝑉 = {𝑣𝜌(𝑖) }𝑖∈[1,𝑙] represents the set of attribute values associated with 𝑇 = (𝑀 , 𝜌). A LSSS encompasses the following pair of algorithms: (a) Distribute: Regarding the confidential value 𝑠 ∈ 𝑍𝑝 , arbi- trarily choose a vector 𝑓 = (𝑠, 𝑓2 , … , 𝑓𝑛 ), where 𝑓2 , … , 𝑓𝑛 ∈ 𝑍𝑝 . Calculate 𝜆𝑖 = 𝑀𝑖 ⋅ 𝑓 , where 𝑀𝑖 is the 𝑖𝑡ℎ row of matrix 𝑀. 𝜆𝑖 is a share of 𝑠 that corresponds to 𝜌(𝑖). (b) Reconstruct: Let 𝑆 ∈ 𝐴̃ is permissible for any recognized Fig. 1. Leak game. group and 𝐼 = {𝑖 ∶ 𝜌(𝑖) ∈ 𝑆} ⊆ {1, 2, … , 𝑙}, then, there ∑ is a collection of constants {𝜔𝑖 ∈ 𝑍𝑝 } satisfy 𝑖∈𝐼 𝜔𝑖 𝑀𝑖 = (1, 0, … , 0). The secret 𝑠 could be reconstructed by us via  and a party 𝑃 form a composed party, then we call  a ∑ calculating 𝑖∈𝐼 𝜔𝑖 𝑀𝑖 = 𝑠. cryptographic reverse firewall for 𝑃 . Next we give definitions of three properties of CRFs: Assume S= {𝐼𝑢 , 𝑆} represents the collection of attributes for users. 𝐼𝑢 ⊆ 𝐴̃ represents a collection of user attribute names. (a) Function Maintaining: In the context of any given reverse 𝑆 = {𝑠𝑖 }𝑖∈𝐼𝑢 denotes a set that includes all the attribute values firewall identified by  and any given party identified by of the user. For ∀𝑖 ∈ 𝐼, where 𝐼 = {𝑖 ∶ 𝜌(𝑖) ∈ 𝑆} ⊆ {1, 2, … , 𝑙}, 𝑃 , let  1 ◦𝑃 = ◦𝑃 . For 𝑘 ≥ 2, let  𝑘 ◦𝑃 = ◦( 𝑘−1 ◦𝑃 ). if 𝑖 satisfies (𝑀 , 𝜌) and 𝑠𝜌(𝑖) = 𝑣𝜌(𝑖) , thereafter, we identify S as For a framework  that adheres to the functionality re- matching 𝑇 . quirement  , we define the reverse firewall  maintains 4. q-BDHE problem: Suppose 𝐺 and 𝐺𝑇 represent two cyclic groups functionality if the composed party ◦𝑃 guarantees the with multiplication as their operation, and the order of each is functionality of the party 𝑃 under the scheme  in poly- the prime 𝑝, and 𝑔 be a generator of 𝐺. 𝐺𝑇 has a bilinear map nomial time. 𝑒 ∶ 𝐺 × 𝐺 → 𝐺𝑇 . Choose 𝑡, 𝑓 ∈ 𝑍𝑝 at random, and calculate (b) Weakly Security-preserving:  operates under the premise 2 𝑞 𝑞+2 2𝑞 𝐽 = (𝑔 , 𝑔 𝑡 , 𝑔 𝑓 , 𝑔 𝑓 , … , 𝑔 𝑓 , 𝑔 𝑓 , … , 𝑔 𝑓 ). In the context of the 𝑞- that it will fulfill the functionality need  and the security BDHE problem, it is posited that no algorithm operating within need . When faced with any polynomial-time adversary 𝑞+1 polynomial time can differentiate between 𝑒(𝑔 , 𝑔)𝑓 𝑡 ∈ 𝐺𝑇 and 𝐵, we say that the scheme  satisfies weakly security- 𝐾 ∈ 𝐺𝑇 with a significant advantage. preserving if ◦𝑃 satisfies the security requirement . 5. Cryptographic Scheme: The cryptographic scheme  defines the (c) Weakly Exfiltration-resistant: The game Leak(, 𝑃𝑗 ,  , 𝜆), interaction between parties (𝑃1 , 𝑃2 , … , 𝑃𝑙 ) with states. The pro- as depicted in the Fig. 1, is the work of designers Mironov cess of scheme establishment is denoted by 𝑠𝑒𝑡𝑢𝑝(1𝜆 ), where 𝜆 and Stephens-Davidowitz [19]. The game is a security refers to the security parameters. Each party enters the public game between a reverse firewall  of party 𝑃 and a parameters 𝑃𝑔 and related messages, and then runs the sys- scheme  containing a tampering party  . The adversary tem initialization algorithm to obtain the corresponding state may control a party by hacking into the party’s algorithm (𝜐𝑃𝑖 )𝑙𝑖=1 for each party. According to the order in which the 𝑟𝑒𝑐 𝑒𝑖𝑣𝑒, 𝑛𝑒𝑥𝑡, 𝑜𝑢𝑡𝑝𝑢𝑡. scheme proceeds, the parties process messages from other parties The purpose of the game is to let the adversary discern in the scheme. Also, each party must have the corresponding whether the party’s actions are honest or tampered with. algorithms 𝑛𝑒𝑥𝑡𝑃𝑖 (𝜐𝑃𝑖 ) and 𝑟𝑒𝑐 𝑒𝑖𝑣𝑒𝑃𝑖 (𝜐𝑃𝑖 ). 𝑛𝑒𝑥𝑡𝑃𝑖 (𝜐𝑃𝑖 ) is used to Thus, a reverse firewall with leak resistance can make it output the updated message, 𝑟𝑒𝑐 𝑒𝑖𝑣𝑒𝑃𝑖 (𝜐𝑃𝑖 ) is used to output the impossible for an adversary to tell if party 𝑃 has been tam- states of the parties after the message update. After the scheme pered with, or if the party is known to have been tampered is completed, each party has algorithm 𝑜𝑢𝑡𝑝𝑢𝑡𝑃𝑖 (𝜐𝑃𝑖 ) return the with but does not know if the operation is honest, hence results of the scheme. We assume that the scheme  meets protecting the important privacy of the party. functionality requirement  and security requirements . If adversary 𝐵 within the Leak(, 𝑃𝑗 ,  , 𝜆) game cannot 6. Cryptographic Reverse Firewall: , the stateful algorithm, is syn- succeed in polynomial time with a noticeable advantage onymous with the Cryptographic Reverse Firewall. When pro- and while maintaining the party’s functionality  , then we vided with a current state and an input message, the algorithm label the reverse firewall  as weakly capable of resisting processes them and subsequently outputs an updated state and exfiltration. message. For ease of presentation, the state of  is not explicitly written out in the definition. Given that 𝑃 is a party and  is a firewall, the expression ◦𝑃 is introduced to indicate the party 3.2. System model that emerges from their composition. Fig. 2 depicts the four components that constitute our scheme: ◦𝑃 = 𝑟𝑒𝑐 𝑒𝑖𝑣𝑒◦𝑃 (𝜐, ) Attribute authorities (AA), Cloud server (CS), Data user (DU), Data = 𝑟𝑒𝑐 𝑒𝑖𝑣𝑒𝑃 (𝜐, (𝑚)) owner (DO). In addition, the system contains three reverse firewalls. = 𝑛𝑒𝑥𝑡◦𝑃 = (𝑛𝑒𝑥𝑡𝑃 (𝜐)) To implement data re-randomization within the RSU, three firewalls are strategically positioned: 𝐴𝐴 , the reverse wall for AA; 𝐷𝑂 , acting = 𝑜𝑢𝑡𝑝𝑢𝑡◦𝑃 (𝜐) = 𝑜𝑢𝑡𝑝𝑢𝑡𝑃 (𝜐) (1) as the reverse firewall for DO; and 𝐷𝑈 , fulfilling the same role for When the composite party participates in the scheme, the initial DU. state of the firewall  is set as the public parameter 𝑃𝑔 . If CS is mainly deployed to store cipher text and conversion key. 3 X. Yang et al. Journal of Systems Architecture 160 (2025) 103331 algorithm 𝐾 𝑒𝑦𝐺𝑒𝑛 and obtains corresponding secret key 𝑆 𝐾𝑖 . Then 𝐹 executes algorithm 𝐴𝐴 .𝐾 𝐺 and gets the re-randomized private key 𝑆 𝐾𝑖 ′ . Subsequently, 𝐹 executes 𝐾 𝑒𝑦𝐺𝑒𝑛.𝑟𝑎𝑛 to get conversion key 𝑇 𝐾𝑖 . Then 𝐹 executes 𝐷𝑈 .𝑇 𝐾 𝑈 𝑝𝑑 𝑎𝑡𝑒 to ob- tain re-randomized conversion key 𝑇 𝐾𝑖 ′ . Eventually, 𝐹 sends (𝑆 𝐾𝑖 ′ , 𝑇 𝐾𝑖 ′ ) to 𝐵. 4. Challenge Phase: Two equal-length plaintexts, 𝑚0 , 𝑚1 , are deliv- ered by 𝐵 as part of the protocol. 𝐹 randomly chooses 𝑏 ∈ {0, 1} and executes Enc.Offline*, Enc.Online* to obtain challenge ciphertext 𝐶 𝑇𝑏 . Then 𝐹 calls 𝐷𝑂 .𝐸 𝑛𝑐 .𝑂𝑓 𝑓 𝑙𝑖𝑛𝑒, 𝐷𝑂 .𝐸 𝑛𝑐 .𝑂𝑛𝑙𝑖𝑛𝑒 to get updated cipher text 𝐶 𝑇𝑏 ′ . 𝐹 sends 𝐶 𝑇𝑏 ′ to 𝐵. 5. Query Phase 2: Same as Query Phase 1. 6. Guess Phase: 𝐵 outputs the guess 𝑏′ ∈ {0, 1} for 𝑏. Definition 1. The criterion for the basic scheme’s selective CPA-secure is met when the probability of adversary 𝐵’s success in the game during Fig. 2. System model. polynomial time is negligible. 4. System construction AA is charged with the responsibility of establishing the public parameters and generating the master secret keys. 4.1. Basic scheme DU includes setting the access policy that guides the encryption process and producing a verification credential. After these steps are The scheme contains 𝑁 attribute authorities, each attribute author- accomplished, the DU uploads both the encrypted data and the verifi- ity managing one class of attributes 𝐴̃𝑖 = {𝐴𝑖,1 , 𝐴𝑖,2 , … , 𝐴𝑖,𝑏𝑖 }, 𝐴𝑖,1 ∈ 𝑍𝑝 , cation credential to the cloud server. 𝑖 = 1, 2, … , 𝑁, 𝑗 = 1, 2, … , 𝑏𝑖 . DO initiates the process by generating a conversion key, which is 1. Global Setup: Attribute authority 𝐴𝐴1 sets commonly known then uploaded to the cloud server. Following this, the DO retrieves the parameters 𝑃 𝑎𝑟𝑎𝑚𝑠 = {𝑔 , 𝑢, 𝑣, 𝑤, ℎ, 𝐺, 𝐺𝑇 , 𝐻0 ()} and publishes ciphertext and the verification credential from the cloud server to carry them, 𝐻0 is the designated collision-resistant hash function for out the concluding stages of decryption and integrity verification. generating robust verification credentials within the system. 𝐴𝐴 includes the re-randomization of public parameters and the  𝐻0 () ∶ {0, 1}∗ → {0, 1} 𝐻0 . secret keys that belong to users. 2. AASetup: 𝐷𝑂 is responsible to rerandomize cipher texts. 𝐷𝑈 is responsible to rerandomize conversion keys and conversion (a) For each Attribute Authority, the process involves ran- ciphertexts. domly choosing 𝛼𝑖 ∈ 𝑍𝑝 , determining 𝑌𝑖 = 𝑒(𝑔 , 𝑔)𝛼𝑖 , and then distributing 𝑌𝑖 to other attribute authorities. As the 3.3. Security model process concludes, each attribute authority carries out the ∏𝑁 ∑𝑁 calculation for 𝑌 = 𝑖=1 𝛼𝑖 = 𝑒(𝑔 , 𝑔)𝛼 , The DO and the DU in our system are considered completely trust- ∑𝑁 𝑖=1 𝑌𝑖 = 𝑒(𝑔 , 𝑔) where 𝛼 = 𝑖=1 𝛼𝑖 . worthy. However, the reverse firewalls and cloud server are deemed ‘‘honest and curious’’, meaning they will comply with the algorithm’s (b) Each attribute authority 𝐴̂ 𝑖 operates as follows: steps but will also endeavor to discover any private information within • Randomly select 𝑁 − 1 elements 𝑠𝑖𝑘 ∈ 𝑍𝑝 (𝑘 ∈ the data. Furthermore, there is a risk of the Attribute Authority collud- {1, 2, … , 𝑁}∖{𝑖}), calculate 𝑔 𝑠𝑖𝑘 and send it to other ing with an adversary. In response to this challenge, we have put in attribute authorities. place a selective CPA security game, and the sequence of events within • After receiving 𝑁 − 1 components 𝑔 𝑠𝑘𝑖 from other this game is as follows: ascribe powers 𝐴̂ 𝑘 (𝑘 ∈ {1, 2, … , 𝑁}∖{𝑖}), the master key 𝑀 𝐾 𝑖 is calculated by the following formula: 1. Init Phase: The rival 𝐵 declares a set of malicious attribute ∏ authorities 𝑅 = (𝐴̂ 𝑖 )𝑖∈𝐼 and access policies (𝑀𝑖 ∗ , 𝜌𝑖 ∗ )𝑖∈𝐼 ∗ to be 𝑀𝐾𝑖 = (𝑔 𝑠𝑖𝑘 ∕𝑔 𝑠𝑘𝑖 ) challenged, where 𝐼 ⊆ {1, 2, … , 𝑁}, 𝐼 ∗ ⊆ {1, 2, … , 𝑁}. Then 𝑘∈{1,2,…,𝑁}∖{𝑖} ∑ ∑ 𝐵 sends algorithms 𝐺𝑙𝑜𝑏𝑎𝑙𝑠𝑒𝑡𝑢𝑝∗ , 𝐴𝐴𝑆 𝑒𝑡𝑢𝑝∗ , 𝐾 𝑒𝑦𝐺𝑒𝑛∗ , 𝐾 𝑒𝑦.𝑟𝑎𝑛∗ , ( 𝑠𝑖𝑘 − 𝑠𝑘𝑖 ) 𝑒𝑛𝑐 .𝑜𝑓 𝑓 𝑙𝑖𝑛𝑒∗ , 𝑒𝑛𝑐 .𝑜𝑛𝑙𝑖𝑛𝑒∗ to challenger 𝐹 . = 𝑔 𝑘∈{1,2,…,𝑁}∖{𝑖} 𝑘∈{1,2,…,𝑁}∖{𝑖} , (2) 2. Setup Phase: 𝐹 executes algorithms 𝐺𝑙𝑜𝑏𝑎𝑙𝑠𝑒𝑡𝑢𝑝∗ and 𝐴𝐴𝑆 𝑒𝑡𝑢𝑝∗ to ∏𝑁 obtain the public parameter 𝑃 𝑎𝑟𝑎𝑚𝑠, attribute authorities public where 𝑖=1 𝑀 𝐾𝑖 = 1. key 𝑃 𝐾 and private key pairs (𝑃 𝐾𝑖 , 𝐴𝑆 𝐾 𝑖 )𝑖∈𝐼 . Subsequently, the • For each attribute 𝐴𝑖,𝑗 ∈ 𝐴̃𝑖 , calculate 𝑢𝐴𝑖,𝑗 ℎ. reverse firewall puts the 𝑊𝐴𝐴 .𝑆 𝑒𝑡𝑈 𝑝 algorithm into action to Attribution authority publishes public key 𝑃 𝐾 = (𝑔 , 𝑢, ℎ, generate and announce the new public key 𝑃 𝐾 ′ , and in doing 𝑤, 𝑣, 𝑒(𝑔 , 𝑔)𝛼 , 𝐺, 𝐺𝑇 ) and keeps its own private key 𝐴𝑆 𝐾 𝑖 = so, also retains the corresponding random number 𝑓 . 𝐵 can {𝛼𝑖 , (𝑢𝐴𝑗 ℎ)𝐴 ∈𝐴̂ , 𝑀 𝐾𝑖 }. receive 𝑃 𝐾𝑖 ′ from all non-malicious attribute authorities and 𝑗 𝑖 (𝑃 𝐾𝑖 , 𝐴𝑆 𝐾 𝑖 )𝑖∈𝐼 from all malicious attribute authorities. 3. KeyGen: Each attribute authority 𝐴̂ 𝑖 execute algorithm as fol- 3. Query Phase 1: Adaptive requests for secret keys regarding at- lows: tribute sets 𝑆1 , 𝑆2 , … , 𝑆𝑞 can be made by 𝐵. Each time 𝐵 per- forms a key query, when submitting a set of attributes, it is (a) Select 𝜃𝑖 ∈ 𝑍𝑝 at random, thereafter derive the elements imperative that they do not comply with the access structure of the secret key, denoted as 𝑀 𝐾𝑖 ⋅ 𝑔 𝜃𝑖 , 𝑀 𝐾𝑖 ⋅ 𝑣−𝜃𝑖 , 𝑀 𝐾𝑖 ⋅ rules outlined by (𝑀𝑖 ∗ , 𝜌𝑖 ∗ )𝑖∈𝐼 ∗ , nor come from a malicious at- 𝑔 𝛼𝑖 ⋅ 𝑤𝜃𝑖 and subsequently convey these elements to the tribute authority 𝑅 = (𝐴̂ 𝑖 )𝑖∈𝐼 . For every query 𝑆𝑖 , 𝐹 executes pertinent attribute authorities. 4 X. Yang et al. Journal of Systems Architecture 160 (2025) 103331 (b) Upon obtaining the components from various attribute 4.2. CRF scheme authorities, proceed to compute the secret key utilizing the following steps: 1. Initialization: The attribute authorities runs 𝐺𝑙𝑜𝑏𝑎𝑙𝑆 𝑒𝑡𝑢𝑝 and ∏𝑁 ∑𝑁 𝐴𝐴𝑆 𝑒𝑡𝑢𝑝, each attribute authority sends 𝛼𝑖 to 𝐴𝐴 , then 𝐴𝐴 𝐾0 = 𝑀 𝐾𝑖 ⋅ 𝑔 𝛼𝑖 ⋅ 𝑤𝜃𝑖 = 𝑔 𝑖=1 𝛼𝑖 𝑤𝑟 (3) executes algorithms as follows: 𝑖=1 𝐴𝐴 .𝑆 𝑒𝑡𝑈 𝑝 ∶ Upon receiving the parameters from 𝐴𝐴, the CRF ∑ ∏ 𝑁 ∑𝑁 𝐴𝐴 calculates 𝛼 = 𝑁 𝑖=1 𝛼𝑖 , then randomly chooses 𝑎, 𝑏, 𝑐 , 𝑑 , 𝑒, 𝑓 ∈ 𝐾1 = 𝑀 𝐾𝑖 ⋅ 𝑔 𝜃𝑖 = 𝑔 𝑖=1 𝜃𝑖 = 𝑔𝑟 (4) 𝑍𝑝 and calculates 𝑔 ′ = 𝑔 𝑎 , 𝑢′ = 𝑢𝑏 , ℎ′ = ℎ𝑐 , 𝑤′ = 𝑤𝑑 , 𝑣′ = 𝑖=1 ′ 2 𝑣𝑒 , 𝛼 ′ = 𝛼 + 𝑓 , 𝑒(𝑔 ′ , 𝑔 ′ )𝛼 = 𝑒(𝑔 , 𝑔)𝑎 (𝛼+𝑓 ) . 𝐴𝐴 stores 𝑓 and ∏𝑁 ′ 𝐾𝑣 = 𝑀 𝐾𝑖 ⋅ 𝑣−𝜃𝑖 = 𝑣−𝑟 (5) publishes the updated 𝑃 𝐾 ′ = (𝑔 ′ , 𝑢′ , ℎ′ , 𝑤′ , 𝑣′ , 𝑒(𝑔 ′ , 𝑔 ′ )𝛼 , 𝐺, 𝐺𝑇 ). ′ After receiving 𝑃 𝐾 , 𝐴𝐴 executes 𝐾 𝑒𝑦𝐺𝑒𝑛 to generate secret key 𝑖=1 𝑆 𝐾 = {𝐾0 , 𝐾1 , {𝐾𝑖,2 , 𝐾𝑖,3 }𝑖∈[1,𝜎] , 𝑆𝐼 𝐷 } and sends 𝑆 𝐾 to CRF 𝐴𝐴 . (c) For each attribute 𝜎 ∈ [𝑆𝐼 𝐷 ∩ 𝐴̂ 𝑖 ], randomly choose 𝑟𝜎 ∈ 𝐴𝐴 runs the following algorithm for re-randomization. 𝑍𝑝 , where 𝜎 ≤ 𝑁 and 𝑆𝐼 𝐷 denotes the set of users. 𝐴𝐴 .𝐾 𝐺 ∶ Provide 𝑃 𝐾 ′ , 𝑓 and 𝑁 as input, where 𝑁 rep- 𝑟 𝑟 resents the total number of attributes. 𝐴𝐴 randomly selects Calculate 𝐾𝑖,2 = 𝑔 𝑟𝑖 , 𝐾𝑖,3 = (𝑢𝐴𝑖 ℎ) 𝑖 ⋅ 𝐾𝑣 = (𝑢𝐴𝑖 ℎ) 𝑖 𝑣−𝑟 . 𝑟′ , 𝑟1 ′ , 𝑟′2 , … , 𝑟′𝑁 ∈ 𝑍𝑝 , calculates 𝐾 ̃′ = 𝑔 ′ 𝑓 𝑤′ 𝑟′ , 𝐾 ̃′ = 𝑔 ′ 𝑟′ . For Then user gets the secret key 𝑆 𝐾 = {𝐾0 , 𝐾1 , 0 1 𝑟′𝑖 ′ {𝐾𝑖,2 , 𝐾𝑖,3 }𝑖∈[1,𝜎] , 𝑆𝐼 𝐷 }. 𝑖 = 1, 2, … , 𝑁, 𝑊 computes 𝐾 = 𝑔 , 𝐾 = 𝑣′ −𝑟 , 𝐾 𝐴𝐴 ̃ ′ ′ ′ 𝑖,2 ̃ ′ = 𝑣 𝑖,3 𝑟′ 𝑟′ ′ (𝑢′ 𝐴𝑖 ℎ′ ) 𝑖 ⋅ 𝐾𝑣′ = (𝑢′ 𝐴𝑖 ℎ′ ) 𝑖 𝑣′ −𝑟 . The intermediate key 𝑍 𝑆 𝐾 = 4. KeyGen.ran: Upon inputting 𝑆 𝐾, the data user independently ̃′ , 𝐾 (𝐾 ̃′ , {𝑟′ , 𝐾 ̃ ̃ ′ ,𝐾 ′ } ). 0 1 𝑖 𝑖,2 𝑖,3 𝑖∈[1,𝑁] selects a random element from the finite field 𝜏 ∈ 𝑍𝑝 , and Eventually, 𝐴𝐴 computes 𝐾0′ = 𝐾0 ⋅ 𝐾 ̃′ = 𝑔 ′ 𝛼+𝑓 𝑤′ 𝑟+𝑟′ = proceeds to calculate 𝐾0′ = 𝐾0 1∕𝜏 = 𝑔 𝛼∕𝜏 𝑤𝑟∕𝜏 , 𝐾1′ = 𝐾1 1∕𝜏 = 𝑔 𝑟∕𝜏 . ′ ′ ′ 0 ′ = 𝐾 1∕𝜏 = 𝑔 𝑟𝑖 ∕𝜏 , ̃′ = 𝑔 ′ 𝑟+𝑟 . For 𝑖 = 1, 2, … , 𝜎, where 𝑔 ′ 𝛼 𝑤′ 𝑟+𝑟 , 𝐾 ′ = 𝐾 ⋅ 𝐾 For 𝑖 = 1, 2, … , 𝜎, the data user calculates 𝐾𝑖,2 𝑖,2 1 1 1 ′ 𝐾𝑖,3 𝑟 ∕𝜏 ′ = 𝐾 1∕𝜏 = (𝑢𝐴𝑖 ℎ) 𝑖 𝑣−𝑟∕𝜏 . The transformation key, desig- ′ 𝜎 ≤ 𝑁, 𝐴𝐴 calculates 𝐾𝑖,2 ̃ = 𝐾𝑖,2 ⋅ 𝐾 ′ 𝑖,2 = 𝑔 ′ 𝑟𝑖 +𝑟𝑖 , 𝐾𝑖,3 ′ = 𝑖,3 ′ ′ = (𝑢′ 𝐴𝑖 ℎ′ )𝑟𝑖 +𝑟𝑖 𝑣′ −𝑟−𝑟 .  ′ nated as 𝑇 𝐾 = (𝑆𝐼 𝐷 , 𝐾0′ , 𝐾1′ , {𝐾𝑖,2 ′ , 𝐾′ } ) and the recovery ̃ ′ 𝑖,3 𝑖∈[1,𝜎] 𝐾𝑖,3 ⋅ 𝐾 𝑖,3 𝐴𝐴 sends the updated 𝑆 𝐾 = ′ ′ ′ ′ (𝐾0 , 𝐾1 , {𝐾𝑖,2 , 𝐾𝑖,3 } , 𝑆𝐼 𝐷 ) to data user. key, denoted as 𝑅𝐾 = 𝜏, serve distinct functions within the 𝑖∈[1,𝜎] cryptographic framework. 2. Data Upload: The data owner invokes the 𝐸 𝑛𝑐 .𝑂𝑓 𝑓 𝑙𝑖𝑛𝑒 5. Enc.Offline: Enter the 𝑃 𝐾, and let 𝑁 ′ denote the upper limit on and 𝐸 𝑛𝑐 .𝑂𝑛𝑙𝑖𝑛𝑒 to obtain ciphertext 𝐶 𝑇 = ((𝑀 , 𝜌), 𝐶 , 𝐶0 , the count of rows within the secret sharing matrix. The data {𝐶𝑗 ,1 , 𝐶𝑗 ,2 , 𝐶𝑗 ,3 }𝑗∈[1,𝑙] ) and verification credential 𝑇 𝑜𝑘𝑒𝑛, then owner randomly chooses 𝑠 ∈ 𝑍𝑝 , calculates 𝐶̂ = 𝑒(𝑔 , 𝑔)𝛼𝑠 , 𝐶̂0 = 𝑔 𝑠 . sends 𝐶 𝑇 and 𝑇 𝑜𝑘𝑒𝑛 to CRF 𝐷𝑂 , 𝐷𝑂 executes algorithm as For 𝑗 = 1, 2, … , 𝑁 ′ , the data owner randomly chooses 𝑑𝑗 ∈ 𝑍𝑝 follows: and calculates 𝐶̂𝑗 ,1 = 𝑣𝑑𝑗 , 𝐶̂𝑗 ,2 = ℎ−𝑑𝑗 , 𝐶̂𝑗 ,3 = 𝑔 𝑑𝑗 . The intermediate 𝐷𝑂 .𝐸 𝑛𝑐 .𝑂𝑓 𝑓 𝑙𝑖𝑛𝑒 ∶ Input 𝑃 𝐾 ′ and 𝑁 ′ , the notation 𝑁 ′ is ciphertext 𝑀 𝑇 = (𝑠, 𝐶̂ , 𝐶̂0 , {𝑑𝑗 , 𝐶̂𝑗 ,1 , 𝐶̂𝑗 ,2 , 𝐶̂𝑗 ,3 }𝑗∈[1,𝑁 ′ ] ). used to represent the highest possible number of rows that are 6. Enc.Online: Input 𝑀 𝑇 , plaintext 𝑚, access structure (𝑀 , 𝜌), where allowed in the access structure. 𝐷𝑂 randomly chooses 𝑠′ ∈ 𝑍𝑝 ′ ′ ′ 𝑀 is a matrix of 𝑙 rows and 𝑛 columns (𝑙 ≤ 𝑁 ′ ). The data as secret value and calculates 𝐶̂ ′ = 𝑒(𝑔 ′ , 𝑔 ′ )𝛼 𝑠 , 𝐶̂0′ = 𝑔 ′ 𝑠 . For ′ ′ 𝑗 = 1, 2, … , 𝑁 , 𝐷𝑂 randomly chooses 𝑑𝑗 ∈ 𝑍𝑝 and calculates owner randomly chooses vector 𝑦⃖⃗ = (𝑠, 𝑦2 , … , 𝑦𝑛 ) ∈ 𝑍𝑝𝑛×1 . The 𝑑′ −𝑑 ′ 𝑑′ secret share is 𝜆⃖⃗ = (𝜆1 , 𝜆2 , … , 𝜆𝑙 )𝑇 = 𝑀 𝑦⃖⃗. Then the data owner 𝐶̂𝑗′,1 = 𝑣′ 𝑗 , 𝐶̂𝑗′,2 = ℎ′ 𝑗 , 𝐶̂𝑗′,3 = 𝑔 ′ 𝑗 . Enter the transitional calculates 𝑇 𝑜𝑘𝑒𝑛 = 𝐻0 (𝑚), 𝐶 = 𝑚 ⋅ 𝐶̂ = 𝑚 ⋅ 𝑒(𝑔 , 𝑔)𝛼𝑠 , 𝐶0 = 𝐶̂0 = 𝑔 𝑠 . encryption, denoted as 𝑀 𝑇 ′ = (𝑠′ , 𝐶̂ ′ , 𝐶̂ ′ , {𝐶̂ ′ , 𝐶̂ ′ , 𝐶̂ ′ } ). 0 𝑗 ,1 𝑗 ,2 𝑗 ,3 𝑗∈[1,𝑁 ′ ] For 𝑗 = 1, 2, … , 𝑙, data owner computes 𝐶𝑗 ,1 = 𝐶̂𝑗 ,1 ⋅ 𝑤𝜆𝑗 = 𝐷𝑂 .𝐸 𝑛𝑐 .𝑂𝑛𝑙𝑖𝑛𝑒 ∶ Input 𝑃 𝐾 ′ , 𝑀 𝑇 ′ and 𝐶 𝑇 . The CRF 𝐷𝑂 −𝑑 𝑤𝜆𝑗 𝑣𝑑𝑗 , 𝐶𝑗 ,2 = 𝐶̂𝑗 ,2 ⋅ 𝑢−𝜌(𝑗)𝑑𝑗 = (𝑢−𝜌(𝑗) ℎ) 𝑗 , 𝐶𝑗 ,3 = 𝐶̂𝑗 ,3 = 𝑔 𝑑𝑗 . randomly selects vector 𝑦⃖⃖⃗′ = (𝑠′ , 𝑦′2 , ..., 𝑦′𝑛 )𝑇 ∈ 𝑍𝑝𝑛×1 , then secret The ciphertext 𝐶 𝑇 = ((𝑀 , 𝜌), 𝐶 , 𝐶0 , {𝐶𝑗 ,1 , 𝐶𝑗 ,2 , 𝐶𝑗 ,3 }𝑗∈[1,𝑙] ) and the shared vectors 𝜆⃖⃖⃗′ = (𝜆′ , … , 𝜆′ )𝑇 = 𝑀 𝑦⃖⃖⃗′ . Then  1 𝑛 computes 𝐷𝑂 ′ ′ ′ verification credential is 𝑇 𝑜𝑘𝑒𝑛. 𝐶 ′ = 𝐶 ⋅ 𝐶̂ ′ = 𝑚 ⋅ 𝑒(𝑔 ′ , 𝑔 ′ )𝛼 (𝑠+𝑠 ) , 𝐶0′ = 𝐶0 ⋅ 𝐶̂0′ = 𝑔 ′ 𝑠+𝑠 . For 7. Dec.Out: If the user’s attributes set, identified by 𝑆𝐼 𝐷 , does not 𝑗 = 1, 2, … , 𝑙, where 𝑙 ≤ 𝑁 ′ , 𝐷𝑂 calculates conform to the access structure, the cloud server will return 𝜆′ 𝜆 +𝜆′𝑗 ′ 𝑑𝑗 +𝑑𝑗′ 𝐶𝑗′,1 = 𝐶𝑗 ,1 ⋅ 𝐶̂𝑗′,1 ⋅ 𝑤′ 𝑗 = 𝑤′ 𝑗 𝑣 , (8) a null value ⊥ and terminate the algorithm. Otherwise, cloud ′ server collects 𝐼 = {𝑖, 𝜌(𝑖) ∈ 𝑆𝐼 𝐷 } and calculates {𝜔𝑖 ∈ 𝑍𝑝 }𝑖∈𝐼 , −𝜌(𝑗)𝑑𝑗′ 𝜌(𝑗) ′ −(𝑑𝑗 +𝑑𝑗 ) ∑ 𝐶𝑗′,2 = 𝐶𝑗 ,2 ⋅ 𝐶̂𝑗′,2 ⋅ 𝑢′ = (𝑢′ ℎ) , (9) where 𝑖∈𝐼 𝜔𝑖 ⋅ 𝑀𝑖 = (1, 0, … , 0) and 𝑀𝑖 is the 𝑖th row of matrix 𝑑 +𝑑𝑗′ 𝑀. Then the cloud server calculates 𝐶𝑗′,3 = 𝐶𝑗 ,3 ⋅ 𝐶̂𝑗′,3 = 𝑔 ′ 𝑗 . (10) 𝑒(𝐶0 , 𝐾0′ ) 𝐴= ∏ ′ ′ ′ 𝜔𝑖 The 𝐷𝑂 transmits the ciphertext 𝐶 𝑇 ′ = (𝐶 ′ , 𝐶0′ , {𝐶𝑗′,1 , 𝐶𝑗′,2 , 𝑖∈𝐼 (𝑒(𝐶𝑖,1 , 𝐾1 ) ⋅ 𝑒(𝐶𝑖,2 , 𝐾𝑗 ,2 ) ⋅ 𝑒(𝐶𝑖,3 , 𝐾𝑗 ,3 )) 𝐶𝑗′,3 }𝑗∈[1,𝑙] , (𝑀 , 𝜌)), which has been re-randomized, along with = 𝑒(𝑔 , 𝑔)𝛼 𝑠∕𝜏 , (6) the 𝑇 𝑜𝑘𝑒𝑛, to the cloud server. 3. Data Download: The data user runs 𝐾 𝑒𝑛𝐺𝑒𝑛.𝑟𝑎𝑛(𝑆 𝐾 ′ ) and sends in the given context, 𝑗 represents the position or identifier for 𝑇 𝐾 = (𝑆𝐼 𝐷 , 𝐾0′′ , 𝐾1′′ , {𝐾𝑖,2 ′′ , 𝐾 ′′ } ) to CRF 𝐷𝑈 . Then 𝐷𝑈 𝑖,3 𝑖∈[1,𝜎] the attribute value 𝜌(𝑖) in 𝑆𝐼 𝐷 (). executes algorithm as follows: 8. Dec.User: The data user uses the conversion key 𝑅𝐾 to decrypt 𝐷𝑈 .𝑇 𝐾 𝑈 𝑝𝑑 𝑎𝑡𝑒 ∶ 𝐷𝑈 randomly chooses 𝜑 ∈ 𝑍𝑝 and calculates as follows: 1∕𝜑 𝛼 ′ ∕𝜏 𝜑 (𝑟+𝑟′ )∕𝜏 𝜑 𝐶 𝑒(𝑔 , 𝑔)𝛼𝑠 𝑚 𝐾0′′′ = 𝐾 ′′ 0 = 𝑔′ 𝑤′ , (11) = 𝜏 = 𝑚, (7) 𝐴𝜏 (𝑒(𝑔 , 𝑔)𝛼𝑠∕𝜏 ) 1∕𝜑 (𝑟+𝑟′ )∕𝜏 𝜑 𝐾1′′′ = 𝐾 ′′ 1 = 𝑔′ , (12) then data user uses the verification credential 𝑇 𝑜𝑘𝑒𝑛 to com- 1∕𝜑 (𝑟 +𝑟′ )∕𝜏 𝜑 ′′′ plete the ciphertext verification, if 𝐻0 (𝑚) = 𝑇 𝑜𝑘𝑒𝑛 holds, the 𝐾𝑖,2 = 𝐾 ′′ 𝑖,2 = 𝑔′ 𝑖 𝑖 , (13) ciphertext is correct. Otherwise, the ciphertext may have been ′′′ 1∕𝜑 𝐴 (𝑟𝑖 +𝑟′𝑖 )∕𝜏 𝜑 ′ −(𝑟+𝑟′ )∕𝜏 𝜑 𝐾𝑖,3 = 𝐾 ′′ 𝑖,3 = (𝑢′ 𝑖 ℎ′ ) 𝑣 . (14) tampered with. 5 X. Yang et al. Journal of Systems Architecture 160 (2025) 103331 𝐷𝑈 stores 𝜑 ∈ 𝑍𝑝 and sends re-randomize conversion key 𝑒(𝐶0′ , 𝐾0′′′ ) 𝑇 𝐾 ′ = (𝑆𝐼 𝐷 , 𝐾0′′′ , 𝐾1′′′ , {𝐾𝑖,2′′′ , 𝐾 ′′′ } ) to the cloud server. 𝐴′ = ∏ ′ ′′′ ′ ′′′ ′ ′′′ 𝜔𝑖 𝑖,3 𝑖∈[1,𝜎] 𝑖∈𝐼 (𝑒(𝐶𝑖,1 , 𝐾1 ) ⋅ 𝑒(𝐶𝑖,2 , 𝐾𝑗 ,2 ) ⋅ 𝑒(𝐶𝑖,3 , 𝐾𝑗 ,3 )) When receiving a decryption request from a data user, the cloud ′ ′ ′ ′ server performs 𝐷𝑒𝑐 .𝑂𝑢𝑡(𝑇 𝐾 ′ , 𝐶 𝑇 ′ ) to acquire a partially de- 𝑒(𝑔 ′ , 𝑔 ′ )𝛼 (𝑠+𝑠 )∕𝜏 𝜑 𝑒(𝑔 ′ , 𝑤′ )(𝑟+𝑟 )(𝑠+𝑠 )∕𝜏 𝜑 = ∏ ′ ⋅∏ ′ crypted ciphertext 𝑇 𝐶 𝑇 . The cloud server sends 𝑇 𝐶 𝑇 = (𝐶 ′ , 𝐴 = ′ ′ (𝑟+𝑟′ )(𝜆𝑖 +𝜆𝑖 )𝜔𝑖 ∕𝜏 𝜑 ′ ′ (𝑟+𝑟′ )(𝑑𝑖 +𝑑𝑖 )𝜔𝑖 ∕𝜏 𝜑 ′ ′ 𝑖∈𝐼 𝑒(𝑔 , 𝑤 ) 𝑖∈𝐼 𝑒(𝑔 , 𝑣 ) 𝑒(𝑔 ′ , 𝑔 ′ )𝛼 (𝑠+𝑠 )∕𝜏 𝜑 ) and 𝑇 𝑜𝑘𝑒𝑛 to 𝐷𝑈 , 𝐷𝑈 runs algorithms as 1 ⋅∏ follows. ′ ′ ′ −𝜌(𝑖)(𝑑𝑖 +𝑑𝑖 )(𝑟𝑖 +𝑟𝑖 ′ )𝜔𝑖 ∕𝜏 𝜑 ′ ′ 𝑖∈𝐼 𝑒(𝑔 , 𝑢 ) 𝐷𝑈 .𝐷𝑒𝑐 ∶ The CRF 𝐷𝑈 computes 𝐴′ = 𝐴𝜑 = 𝑒(𝑔 ′ , 𝑔 ′ )𝛼 (𝑠+𝑠 )∕𝜏 1 ′ ′ ′ and sends 𝑇 𝐶 𝑇 = (𝐶 , 𝐴 ) and 𝑇 𝑜𝑘𝑒𝑛 to the data user. ⋅∏ ′ ′ (15) 𝑖∈𝐼 𝑒(𝑔 ′ , ℎ′ )−(𝑑𝑖 +𝑑𝑖 )(𝑟𝑖 +𝑟𝑖 )𝜔𝑖 ∕𝜏 𝜑 After receiving re-randomize partially decrypted ciphertext, data user runs 𝐷𝑒𝑐 .𝑈 𝑠𝑒𝑟 to recover plaintext 𝑚. Then the data user 1 ⋅∏ ′ ′ uses the verification credential 𝑇 𝑜𝑘𝑒𝑛 to finish the ciphertext 𝑖∈𝐼 𝑒(𝑔 ′ , 𝑢′ )𝐴𝑖 (𝑑𝑖 +𝑑𝑖 )(𝑟𝑖 +𝑟𝑖 )𝜔𝑖 ∕𝜏 𝜑 verification, if 𝐻0 (𝑚) = 𝑇 𝑜𝑘𝑒𝑛 holds, the ciphertext is correct. 1 1 ⋅∏ ′ ′ ⋅∏ ′ ′ ′ ′ (𝑑𝑖 +𝑑𝑖 )(𝑟𝑖 +𝑟𝑖 )𝜔𝑖 ∕𝜏 𝜑 ′ ′ −(𝑟+𝑟 )(𝑑𝑖 +𝑑𝑖 )𝜔𝑖 ∕𝜏 𝜑 𝑖∈𝐼 𝑒(𝑔 , ℎ ) 𝑖∈𝐼 𝑒(𝑔 , 𝑣 ) ′ ′ ′ ′ 5. Security analysis 𝑒(𝑔 ′ , 𝑔 ′ )𝛼 (𝑠+𝑠 )∕𝜏 𝜑 𝑒(𝑔 ′ , 𝑤′ )(𝑟+𝑟 )(𝑠+𝑠 )∕𝜏 𝜑 ′ ′ = ∑ ′ = 𝑒(𝑔 ′ , 𝑔 ′ )𝛼 (𝑠+𝑠 )∕𝜏 𝜑 . (𝑟+𝑟′ ) 𝑖∈𝐼 (𝜆𝑖 +𝜆𝑖 )𝜔𝑖 ∕𝜏 𝜑 𝑒(𝑔 ′ , 𝑤′ ) 5.1. Security proof (16) 𝛼 ′ (𝑠+𝑠′ )∕𝜏 𝐶′ 𝐶′ 𝑚 ⋅ 𝑒(𝑔 ′ , 𝑔 ′ ) Theorem 1. Given that the 𝑞-BDHE assumption holds true, the proposed ′𝜏 = 𝜑𝜏 = ′ ′ =𝑚 (17) 𝐴 𝐴 𝑒(𝑔 ′ , 𝑔 ′ )𝛼 (𝑠+𝑠 )∕𝜏 scheme is deemed secure against selective CPA. It is evident from the aforementioned equations that the message ‘m’ remains decryptable under normal circumstances even after Proof. If a polynomial-time adversary 𝐵 can effectively compromise the the implementation of a cryptographic reverse firewall. Conse- proposed scheme with a significant advantage, then we can develop a quently, the functionality of the cryptographic reverse firewalls challenger 𝐹 to solve the 𝑞-BDHE problem with a significant advantage. is preserved. The process is as follows: 2. Weakly Security-preserving and Weakly Exfiltration-resistant Init Phase: The adversary 𝐵 submits access policies (𝑀𝑖 ∗ , 𝜌𝑖 ∗ )𝑖∈𝐼 ∗ and We assume the following security game process. a set of malicious attribute authorities 𝑅 = (𝐴̂ 𝑖 )𝑖∈𝐼 , where 𝑀𝑖 ∗ is a 𝑙 ∗ 𝑛 Game 0: Same as chapter 3 security games. matrix. Furthermore, the attributes within the access structure must Game 1: In the init phase, attribute authorities’ 𝑃 𝐾 , 𝐴𝑆 𝐾 𝑖 are originate from trusted attribute authorities and cannot be maliciously generated by algorithms GlobalSetup and AASetup of basic manipulated. scheme, not GlobalSetup*, AASetup* and 𝐴𝐴 .SetUp. The sub- Setup Phase: The challenger 𝐹 executes algorithms AASetup and sequent algorithms are carried over unchanged from Game GlobalSetup to generate public parameter 𝑃 𝑎𝑟𝑎𝑚𝑠 = {𝑔 , 𝑢, 𝑣, 𝑤, ℎ, 𝐺, 𝐺𝑇 , 0. 𝐻0 ()} and private keys (𝑃 𝐾𝑖 , 𝐴𝑆 𝐾 𝑖 )𝑖∈𝐼 . The reverse firewall 𝐴𝐴 ex- Game 2: During both phase 1 and phase 2, the secret key 𝑆 𝐾 is ecutes the algorithm 𝐴𝐴 .𝑆 𝑒𝑡𝑈 𝑝 to re-random public key, then 𝐴𝐴 derived from the KeyGen algorithm of the foundational scheme, publishes updated public key 𝑃 𝐾 ′ . rather than being produced by KeyGen* or the 𝐴𝐴 .𝐾 𝐺. The Query Phase 1: During this phase, 𝐵 can dynamically request secret 𝑇 𝐾 is produced using the KeyGen.ran function of the underlying keys for attribute sets 𝑆1 , 𝑆2 , … , 𝑆𝑞 . For every query 𝑆𝑖 , 𝐹 executes scheme, and not through KeyGen.ran* or the 𝐷𝑈 .TKUpdate. algorithm KeyGen to obtain corresponding secret key 𝑆 𝐾𝑖 . Then 𝐹 The subsequent algorithms mirror those utilized in Game 1. executes algorithm 𝐴𝐴 .𝐾 𝐺 to get re-randomized secret key 𝑆 𝐾𝑖′ . Game 3: During the challenge phase, the ciphertext labeled Subsequently, 𝐹 executes KeyGen.ran to get conversion key 𝑇 𝐾𝑖 . Then as 𝐶 𝑇𝑏 is constructed through the process of encryption de- 𝐹 runs 𝐷𝑈 .𝑇 𝐾 𝑈 𝑝𝑑 𝑎𝑡𝑒 to get re-randomized conversion key 𝑇 𝐾𝑖′ . 𝐶 noted by Enc.offline, Enc.online, not Enc.offline*, Enc.online*, returns (𝑆 𝐾𝑖′ , 𝑇 𝐾𝑖′ ) to 𝐵. 𝐷𝑂 .Enc.offline and 𝐷𝑂 .Enc.online. Actually, Game 3 is the Challenge Phase: 𝐵 provides two messages, 𝑚0 and 𝑚1 , of equal security game of basic scheme. length. 𝐹 randomly selects 𝑏 ∈ {0, 1} and runs Enc.Offline* and We then proceed to demonstrate the indistinguishability be- tween Game 0 and Game 1, followed by Game 1 and Game Enc.Online* to get challenge ciphertext 𝐶 𝑇𝑏 = ((𝑀 , 𝜌), 𝐶 , 𝐶0 , {𝐶𝑗 ,1 , 𝐶𝑗 ,2 , 2, and finally between Game 2 and Game 3, each in isolation. 𝐶𝑗 ,3 }𝑗∈[1,𝑙] ). Between Game 0 and Game 1, it is observed that no matter Then 𝐹 executes 𝐷𝑂 .𝐸 𝑛𝑐 .𝑂𝑓 𝑓 𝑙𝑖𝑛𝑒 and 𝐷𝑂 .𝐸 𝑛𝑐 .𝑂𝑛𝑙𝑖𝑛𝑒 Obtain a the modifications introduced by the tampered GlobalSetup* and, ciphertext 𝐶 𝑇𝑏′ . 𝐹 that has been re-randomized sends 𝐶 𝑇𝑏′ to 𝐵. AASetup* algorithms, after the application of re-randomization Query Phase 2: The challenger 𝐹 proceeds as in Query Phase 1. via the 𝑊𝐴𝐴 reverse firewall, the public parameter 𝑃 𝐾 ′ always Guess Phase: 𝐵 outputs a bit 𝑏′ ∈ {0, 1}. If 𝑏′ = 𝑏, then 𝐹 outputs 0 corresponds to the structure of the 𝑃 𝐾 that is generated by the (meaning that 𝐵 obtains the normally generated ciphertext). If 𝑏′ ≠ standard algorithm. This uniformity is due to the malleability 𝑏, then 𝐹 outputs 1(meaning that 𝐵 obtains the randomly selected of the key in question. Consequently, there is no distinguishable element). Hence, the adversary 𝐵 has advantage of 𝜖 security game difference between Game 0 and Game 1. directly correlates to the ability of function 𝐹 to resolve the 𝑞-BDHE Given that the secret key 𝑆 𝐾 and the conversion key 𝑇 𝐾, problem with the same level of probability. which are produced for the user by the attribute authority, also possess malleability, it follows that Game 1 and Game 2 are 5.2. Security analysis indistinguishable. When it comes to Game 2 and Game 3, the 𝐶 𝑇 will undergo rerandomization by the reverse firewall, resulting The features of the proposed scheme include: in a new ciphertext 𝐶 𝑇 ′ , a process that is a consequence of the ciphertext’s malleable nature. Thus, regardless of how the 1. Function Maintaining Enc.offline* and Enc.online* algorithms operate, the ultimate If the collection of attributes associated with the secret key configuration of the ciphertext aligns with that of the basic ∑ constitutes an authorized set, then the equation 𝑖∈𝐼 𝜔𝑖 ⋅ (𝜆𝑖 + scheme’s ciphertext structure. Consequently, there is no distin- 𝜆𝑖 ′ ) = 𝑠 + 𝑠′ holds. Thus, guishable difference between Game 2 and Game 3. In summary, 6 X. Yang et al. Journal of Systems Architecture 160 (2025) 103331 Table 1 Function comparison. Scheme With CRFs Outsource Offline encryption Multi-authority Ciphertext verification Access structure Guo et al. [25] ✕ ✓ ✓ ✕ ✕ Tree Chaudhary et al. [28] ✕ ✓ ✕ ✓ ✕ LSSS Hong et al. [31] ✓ ✕ ✕ ✓ ✕ LSSS Zhong et al. [29] ✕ ✓ ✕ ✕ ✕ Tree Zhao et al. [32] ✓ ✓ ✓ ✕ ✕ Tree Jin et al. [33] ✓ ✕ ✕ ✕ ✕ LSSS Elhabob et al. [34] ✓ ✕ ✕ ✕ ✓ Tree Ours ✓ ✓ ✓ ✓ ✓ TREE we deduce that Game 0 and Game 3 are equivalent in terms of By combining the above technologies, this method not only pro- their indistinguishability. Given that the foundational scheme is tects the communication channel, but also improves the security secure, it follows that the proposed scheme is also secure. of information. 3. Message Verification The data user(vehicle/RSU) use parameters 𝑇 𝑜𝑘𝑒𝑛, 𝑚 and hash 6. Performance evaluation function 𝐻0 () to check whether equation 𝐻0 (𝑚) = 𝑇 𝑜𝑘𝑒𝑛 holds true. With the help of the verification procedure described, the 6.1. Experimental setup data user can identify any tampering that may have occurred with the message. Additionally, it provides assurance regarding The following outlines the hardware and software contexts utilized the completeness and dependability of the received message. If for conducting the experiment: the message changes, the equation will not holds. Therefore, the proposed scheme supports the message verification. • The experimental apparatus consists of a desktop computer 4. Collusion Resistance equipped with a 3.2 GHz AMD Ryzen 5 5600x CPU, 16 GB of RAM, and runs the Windows 11 Professional (x64) OS. Theorem 2. Should the difficulty of the discrete logarithm problem remain • The experimental schemes are realized using Java 8 and the uncompromised, the proposed scheme can defend against collusion attacks JPBC 2.0.0 library [32]. The prime-order bilinear pairings are initiated by up to 𝑁 − 1 attribute authorities. constructed upon a 160-bit elliptic curve group, which is founded on the equation 𝑦2 = 𝑥3 + 𝑥. According to the encryption process, each attribute authority randomly chooses 𝑠𝑖𝑘 ∈ 𝑍𝑝 and attribute authority extends 6.2. Theoretical analysis the value 𝑔 𝑠𝑖𝑘 to all the other attribute authorities involved. Given the difficulty inherent in the discrete logarithm problem, it Table 1 provides a side-by-side comparison to examine the function- would be problematic for an adversary 𝐵 to deduce 𝑠𝑖𝑘 from 𝑔 𝑠𝑖𝑘 ality of our proposed scheme in relation to other schemes. Scheme [25] alone. Hence, even with the combined efforts of 𝑁 − 2 attribute supports outsourced decryption and online encryption, but the rest authorities working in tandem with the adversary, guessing a of the functionality is not realized. Scheme [28] introduced multiple valid 𝑀 𝐾𝑖 remains an unattainable task for the adversary. Con- authorities to protect against collusion attacks. Scheme [29] only pro- sequently, the adversary cannot devise a valid secret key 𝑆 𝐾. vides outsource decryption, thus the efficiency of encryption phase is This renders the proposed scheme resistant to collusion attacks not good enough. Scheme [31–34], add CRF modules between entities carried out by 𝑁 − 1 attribute authorities. based on the above schemes. However, these schemes either do not have outsourced decryption or do not have multiple attribute authori- 5.3. Informal security analysis ties, which has some disadvantages. Our scheme provides both of these features, taking into account both efficiency and security. Through 1. Side channel attack defenses comparison, we can find that the proposed scheme adds cryptographic The proposed scheme utilizes CRF technology, which signif- reverse firewalls between entities. By employing these firewalls, the icantly reduces the computational overhead while enhancing system is fortified with a layer of defense that maintains its func- security. By leveraging CRF, it reduces the risk of messages tional integrity against potential subversion attacks and any attempts being attacked and complicates potential threats. In addition, to tamper with its algorithms. multi-authorization technology maximizes the security of the The introduction of multi-attribute authorities ensures that the sys- entire system, effectively preventing single-point leakage, while tem is resistant to collusion attacks. The proposed scheme also provides balancing power consumption and execution time. These two outsourcing decryption as well as offline encryption, which requires methods not only improve the efficiency, but also provide strong low computation for the users to obtain the ciphertext. Addition- protection against side channel attacks. ally, verification credentials empower users to check and ensure the In short, the scheme effectively combines efficiency and en- ciphertext’s integrity. hanced security, making it suitable for secure communication in The following notations are applied within Tables 2 and 3 are as vehicular networks that are susceptible to side channels. follows: 𝐸 signifies an exponential operation, and 𝑃 denotes a bilinear 2. Man-in-the-Middle attack defense0 pairing operation. In the given context, 𝑀 signifies the number of rows The proposed scheme uses CP-ABE technology. This technique in a matrix as well as the number of leaf nodes in an access tree. The uses a ciphertext policy, which embeds the access policy into the symbol 𝑙 is used to denote the total number of attributes possessed by ciphertext. This improves the security and flexibility of access users, while 𝑘 signifies the minimum number of attributes from the control and reduces the risk of man-in-the-middle attack (MITI) access structure required to fulfill the decryption criteria. due to identity forgery. As shown in Table 2, our scheme is in the middle of the 𝐾 𝑒𝑦𝐺𝑒𝑛 In addition, we enhance the CRF module by integrating key pa- phase. However, our scheme achieves the lowest computational over- rameter re-randomization within the multi-authority ABE frame- head in the 𝐸 𝑛𝑐 .𝑂𝑛𝑙𝑖𝑛𝑒 phase. In the 𝐷𝑒𝑐 .𝑂𝑢𝑡 phase, our scheme does work. In addition, the proposed scheme also supports message not achieve significant advantages. But in 𝐷𝑒𝑐 .𝑈 𝑠𝑒𝑟 phase, our scheme integrity verification, easily executable by onboard terminals requires only a single exponential operation, reaches a constant level using simple hash functions. of computational overhead. 7 X. Yang et al. Journal of Systems Architecture 160 (2025) 103331 Fig. 3. Time consumption of basic scheme. Table 2 Computation comparison. Scheme KeyGen Encryption Outsource decryption User decryption Offline Online Guo et al. [25] (𝑙 + 4)𝐸 (3𝑀 + 1)𝐸 3𝐸 2𝑙𝐸 + 2𝑙𝑃 𝐸 Chaudhary et al. [28] (2𝑙 + 2)𝐸 ✕ (3𝑀 + 1)𝐸 (4𝑙 + 2)𝐸 𝐸 Zhong et al. [29] (3𝑙 + 6)𝐸 ✕ (2𝑀 + 2)𝐸 ✕ 2𝑙𝐸 + (𝑙 + 1)𝑃 Hong et al. [31] (4𝑙 + 2)𝐸 + 𝑃 ✕ (5𝑀 + 2)𝐸 ✕ 𝐸 + (3𝑘 + 1)𝑃 Zhao et al. [32] (2𝑙 + 4)𝐸 3𝑀 𝐸 + 𝑃 3𝐸 (3𝑙 + 1)𝐸 + (2𝑙 + 1)𝑃 2𝐸 Jin et al. [33] 𝑙𝐸 + 𝑃 ✕ 6𝑀 𝐸 + 3𝑃 ✕ 𝑙𝐸 + 2𝑃 Elhabob et al. [34] (2𝑙 + 2)𝐸 ✕ 4𝐸 ✕ 3𝐸 Ours (2𝑙 + 3)𝐸 (2𝑀 + 2)𝐸 3𝐸 𝑙𝐸 + 3𝑙𝑃 𝐸 Table 3 Fig. 3(a) demonstrates that our scheme has a low computational Time consumption of CRFs. overhead., is observed to be low. As shown in Fig. 3(b), when compar- Scheme 𝐴𝐴 .𝑆 𝑒𝑡𝑈 𝑝 𝐴𝐴 .𝐾 𝐺 𝐷𝑂 .𝐸 𝑛𝑐 .𝑂𝑛𝑙𝑖𝑛𝑒 ing the computational overhead of the 𝐸 𝑛𝑐 .𝑂𝑛𝑙𝑖𝑛𝑒 phase, our scheme, Hong et al. [31] 2𝑙𝐸 + 2𝑙𝑃 (5𝑙 + 2)𝐸 2𝑙𝐸 + 𝑃 which benefits from the preprocessing performed in the 𝐸 𝑛𝑐 .𝑂𝑓 𝑓 𝑙𝑖𝑛𝑒 Zhao et al. [32] 2𝐸 (2𝑙 + 3)𝐸 4𝐸 phase, has the lowest computational overhead of all the schemes eval- Jin et al. [33] (𝑙 + 2)𝐸 (2𝑙 + 2)𝐸 𝑃 Elhabob et al. [34] 2𝐸 (2𝑙 + 3)𝐸 4𝐸 uated. In terms of Fig. 3(c), the efficiency of our scheme is in the Ours 5𝐸 (2𝑙 + 3)𝐸 2𝐸 middle of the 𝐷𝑒𝑐 .𝑂𝑢𝑡 phase. While in the 𝐷𝑒𝑐 .𝑈 𝑠𝑒𝑟 phase, our scheme maintains the lowest computational overhead, It is also significant to observe that the overhead does not fluctuate with varying counts of attributes in the system. In terms of CRFs’ time consumption, our scheme achieves time con- As depicted in Fig. 4, there is a performance comparison for the re- sumption of constant level in 𝐴𝐴 .𝑆 𝑒𝑡𝑈 𝑝 phase as illustrated in 3, the randomization of secret keys by CRF 𝐴𝐴 . Our scheme’s computational time overhead does not fluctuate based on the count of attributes within overhead is similar to that of scheme [32], which is at the lower the system. Moreover, our scheme achieves the highest efficiency in level. Moreover, as shown in Fig. 5, the computational overhead of terms of the 𝐷𝑂 .𝐸 𝑛𝑐 .𝑂𝑛𝑙𝑖𝑛𝑒 phase, and requires only two exponential our scheme in the 𝐷𝑂 .𝐸 𝑛𝑐 .𝑂𝑛𝑙𝑖𝑛𝑒 phase is the most efficient and does operations. not escalate linearly with an increase in vehicle attributes, which is a distinct advantage over other scheme [31]. And compared with [33, 6.3. Practical analysis 34], the proposed scheme still has an advantage in the computational overhead of 𝐴𝐴 .𝑆 𝑒𝑡𝑈 𝑝 phase. In light of the hardware and software environment described within In summary, our scheme reduces resource consumption on the user the xperimental Setup section, Fig. 3 presents a performance comparison side and improves the efficiency of data flow in vehicles with limited of the multiple phases of our scheme. computing power. 8 X. Yang et al. Journal of Systems Architecture 160 (2025) 103331 Acknowledgments This work was supported in part by Key project of Gansu Science and Technology Plan (23YFGA0081), Gansu Province College Industry Ssupport Plan (2023CYZC-09), National Natural Science Foundation of China (No. 62362059). Data availability The authors do not have permission to share data. References Fig. 4. Time consumption of 𝐴𝐴 .𝑆 𝑒𝑡𝑈 𝑝. [1] Siyi Liao, Jun Wu, Jianhua Li, Ali Kashif Bashir, Shahid Mumtaz, Alireza Jolfaei, Nida Kvedaraite, Cognitive popularity based AI service sharing for software- defined information-centric networks, IEEE Trans. Netw. Sci. Eng. 7 (4) (2020) 2126–2136. [2] Rich Miller, Rolling zettabytes: Quantifying the data impact of connected cars, Data Cent. Front. (2020). [3] Kayhan Zrar Ghafoor, Linghe Kong, Sherali Zeadally, Ali Safaa Sadiq, Gre- gory Epiphaniou, Mohammad Hammoudeh, Ali Kashif Bashir, Shahid Mumtaz, Millimeter-wave communication for internet of vehicles: status, challenges, and perspectives, IEEE Internet Things J. 7 (9) (2020) 8525–8546. [4] Soheila Ghane, Alireza Jolfaei, Lars Kulik, Kotagiri Ramamohanarao, Deepak Puthal, Preserving privacy in the internet of connected vehicles, IEEE Trans. Intell. Transp. Syst. 22 (8) (2020) 5018–5027. [5] Liang Zhao, Hongmei Chai, Yuan Han, Keping Yu, Shahid Mumtaz, A collabo- rative V2X data correction method for road safety, IEEE Trans. Reliab. 71 (2) (2022) 951–962. [6] Weisong Shi, Jie Cao, Quan Zhang, Youhuizi Li, Lanyu Xu, Edge computing: Vision and challenges, IEEE Internet Things J. 3 (5) (2016) 637–646. Fig. 5. Time consumption of 𝐷𝑂 .𝐸 𝑛𝑐 .𝑂𝑛𝑙𝑖𝑛𝑒. [7] Zhenyu Zhou, Haijun Liao, Bo Gu, Shahid Mumtaz, Jonathan Rodriguez, Resource sharing and task offloading in IoT fog computing: A contract-learning approach, IEEE Trans. Emerg. Top. Comput. Intell. 4 (3) (2019) 227–240. [8] Xingwang Li, Zhen Xie, Zheng Chu, Varun G Menon, Shahid Mumtaz, Jianhua 7. Conclusion Zhang, Exploiting benefits of IRS in wireless powered NOMA networks, IEEE Trans. Green Commun. Netw. 6 (1) (2022) 175–186. [9] Vipul Goyal, Omkant Pandey, Amit Sahai, Brent Waters, Attribute-based encryp- In the IoV environment, securing the encryption and sharing of the tion for fine-grained access control of encrypted data, in: Proceedings of the 13th vast amounts of data generated by vehicles, while preventing data leak- ACM Conference on Computer and Communications Security, 2006, pp. 89–98. age due to device tampering, presents significant challenges. To address [10] Amit Sahai, Brent Waters, Fuzzy identity-based encryption, in: Advances in these challenges, we propose an advanced attribute-based encryption Cryptology–EUROCRYPT 2005: 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May scheme, enhanced with a cryptographic reverse firewall, specifically 22-26, 2005. Proceedings 24, Springer, 2005, pp. 457–473. designed for the IoV ecosystem. This scheme is supported by multiple [11] John Bethencourt, Amit Sahai, Brent Waters, Ciphertext-policy attribute-based attribute authorities, which not only defend against collusion attacks encryption, in: 2007 IEEE Symposium on Security and Privacy, SP’07, IEEE, but also enable offline encryption and outsourced decryption. These 2007, pp. 321–334. [12] Matthew Green, Susan Hohenberger, Brent Waters, Outsourcing the decryption integrated features greatly improve the computational efficiency of of {abe} ciphertexts, in: 20th USENIX Security Symposium, USENIX Security 11, vehicular onboard units. Additionally, we deploy RSUs with CRFs 2011. between the entities, ensuring that data remains secure even in the [13] Junzuo Lai, Robert H. Deng, Chaowen Guan, Jian Weng, Attribute-based encryp- event of device tampering. The proposed attribute-based encryption tion with verifiable outsourced decryption, IEEE Trans. Inf. Forensics Secur. 8 scheme, combined with the reverse firewall mechanism, shows great (8) (2013) 1343–1354. [14] Suqing Lin, Rui Zhang, Hui Ma, Mingsheng Wang, Revisiting attribute-based promise in securing data transmission and storage within the IoV, while encryption with verifiable outsourced decryption, IEEE Trans. Inf. Forensics protecting against unauthorized access and data leakage. Secur. 10 (10) (2015) 2119–2130. [15] Cong Zuo, Jun Shao, Guiyi Wei, Mande Xie, Min Ji, CCA-secure ABE with outsourced decryption for fog computing, Future Gener. Comput. Syst. 78 (2018) CRediT authorship contribution statement 730–738. [16] James Ball, Julian Borger, Glenn Greenwald, et al., Revealed: how US and UK Xiaodong Yang: Writing – review & editing, Writing – original spy agencies defeat internet privacy and security, Know Your Neighb. (2013). draft. Xilai Luo: Writing – review & editing, Writing – original draft. [17] Stephen Checkoway, Ruben Niederhagen, Adam Everspaugh, Matthew Green, Tanja Lange, Thomas Ristenpart, Daniel J Bernstein, Jake Maskiewicz, Hovav Zefan Liao: Writing – review & editing, Writing – original draft. Wenjia Shacham, Matthew Fredrikson, On the practical exploitability of dual {ec} in Wang: Writing – review & editing, Writing – original draft. Xiaoni {tls} implementations, in: 23rd USENIX Security Symposium, USENIX Security Du: Writing – review & editing, Writing – original draft. Shudong Li: 14, 2014, pp. 319–335. Writing – review & editing, Writing – original draft. [18] Yevgeniy Dodis, Chaya Ganesh, Alexander Golovnev, Ari Juels, Thomas Risten- part, A formal treatment of backdoored pseudorandom generators, in: Advances in Cryptology–EUROCRYPT 2015: 34th Annual International Conference on the Declaration of competing interest Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26-30, 2015, Proceedings, Part I 34, Springer, 2015, pp. 101–126. [19] Ilya Mironov, Noah Stephens-Davidowitz, Cryptographic reverse firewalls, in: Ad- The authors declare that they have no known competing finan- vances in Cryptology-EUROCRYPT 2015: 34th Annual International Conference cial interests or personal relationships that could have appeared to on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, influence the work reported in this paper. April 26-30, 2015, Proceedings, Part II 34, Springer, 2015, pp. 657–686. 9 X. Yang et al. Journal of Systems Architecture 160 (2025) 103331 [20] Brent Waters, Ciphertext-policy attribute-based encryption: An expressive, effi- Xilai Luo is presently a master’s degree candidate at the cient, and provably secure realization, in: International Workshop on Public Key College of Computer Science and Engineering, Northwest Cryptography, Springer, 2011, pp. 53–70. Normal University, located in China. His academic pur- [21] Shucheng Yu, Cong Wang, Kui Ren, Wenjing Lou, Achieving secure, scalable, suits are focused on the areas of artificial intelligence, and fine-grained data access control in cloud computing, in: 2010 Proceedings information security, and cryptography. IEEE INFOCOM, IEEE, 2010, pp. 1–9. [22] Kan Yang, Xiaohua Jia, Kui Ren, Ruitao Xie, Liusheng Huang, Enabling efficient access control with dynamic policy updating for big data in the cloud, in: IEEE INFOCOM 2014-IEEE Conference on Computer Communications, IEEE, 2014, pp. 2013–2021. [23] Jun Feng, Hu Xiong, Jinhao Chen, Yang Xiang, Kuo-Hui Yeh, Scalable and revocable attribute-based data sharing with short revocation list for IIoT, IEEE Internet Things J. 10 (6) (2022) 4815–4829. Zefan Liao is actively working towards his master’s degree [24] Qian Mei, Hu Xiong, Yeh-Cheng Chen, Chien-Ming Chen, Blockchain-enabled in the College of Computer Science and Engineering at privacy-preserving authentication mechanism for transportation cps with Northwest Normal University, China. His areas of research cloud-edge computing, IEEE Trans. Eng. Manage. (2022). interest include the fields of edge computing, information [25] Rui Guo, Geng Yang, Huixian Shi, Yinghui Zhang, Dong Zheng, O 3-R-CP-ABE: An security, and cryptography. efficient and revocable attribute-based encryption scheme in the cloud-assisted IoMT system, IEEE Internet Things J. 8 (11) (2021) 8949–8963. [26] Melissa Chase, Multi-authority attribute based encryption, in: Theory of Cryp- tography: 4th Theory of Cryptography Conference, TCC 2007, Amsterdam, the Netherlands, February 21-24, 2007. Proceedings 4, Springer, 2007, pp. 515–534. [27] Allison Lewko, Brent Waters, Decentralizing attribute-based encryption, in: An- nual International Conference on the Theory and Applications of Cryptographic Techniques, Springer, 2011, pp. 568–588. Wenjia Wang is pursuing her master’s degree within the [28] Chandan Kumar Chaudhary, Richa Sarma, Ferdous Ahmed Barbhuiya, RMA- College of Computer Science and Engineering at Northwest CPABE: A multi-authority CPABE scheme with reduced ciphertext size for IoT Normal University, China. Her research interests are cen- devices, Future Gener. Comput. Syst. 138 (2023) 226–242. tered on the topics of data security and network security. [29] Hong Zhong, Yiyuan Zhou, Qingyang Zhang, Yan Xu, Jie Cui, An efficient and outsourcing-supported attribute-based access control scheme for edge-enabled smart healthcare, Future Gener. Comput. Syst. 115 (2021) 486–496. [30] Hui Ma, Rui Zhang, Guomin Yang, Zishuai Song, Shuzhou Sun, Yuting Xiao, Concessive online/offline attribute based encryption with cryptographic reverse firewalls—Secure and efficient fine-grained access control on corrupted machines, in: Computer Security: 23rd European Symposium on Research in Computer Security, ESORICS 2018, Barcelona, Spain, September 3-7, 2018, Proceedings, Xiaoni Du received the Ph.D. degree in cryptography from Part II 23, Springer, 2018, pp. 507–526. Xidian University, Xi’an, China, in 2008. [31] Bo Hong, Jie Chen, Kai Zhang, Haifeng Qian, Multi-authority non- She worked as a Visiting Scholar with the University of monotonic KP-ABE with cryptographic reverse firewall, IEEE Access 7 (2019) Kentucky, Lexington, KY, USA, and Hong Kong University 159002–159012. of Science and Technology, Hong Kong, in 2011 and 2014, [32] Yang Zhao, Yuwei Pang, Xingyu Ke, Bintao Wang, Guobin Zhu, Mingsheng Cao, respectively. She is currently a Professor with the College A metaverse-oriented CP-ABE scheme with cryptographic reverse firewall, Future of Mathematics and Statistics, Northwest Normal Univer- Gener. Comput. Syst. 147 (2023) 195–206. sity, Lanzhou, China. Her main research interests include [33] Jin C., Chen Z., Qin W., et al., Blockchain-based proxy re-encryption scheme information security, cryptography, and coding. with cryptographic reverse firewall for IoV, Int. J. Netw. Manage. (2024) e2305. [34] Elhabob R., Eltayieb N., Xiong H., et al., Equality test public key encryption with cryptographic reverse firewalls for cloud-based E-commerce, IEEE Trans. Consum. Electron. (2024). Shudong Li received the M.S. degree in applied mathe- matics from Tongji University, Shanghai, China, in 2005, and the Ph.D. degree in Posts and Telecommunications from Xiaodong Yang (Member, IEEE) received the M.S. degree Beijing University, Beijing, China, in 2012. in cryptography from Tongji University, Shanghai, China, in From 2013 to 2018, he held the position of a post- 2005, and the Ph.D. degree in cryptography from Northwest doctoral researcher at the National University of Defense Normal University, Lanzhou, China, in 2010. Technology in Changsha, China. He now serves as a Pro- In his role as a Postdoctoral Researcher at China’s State fessor at the Cyberspace Institute of Advanced Technology Key Laboratory of Cryptology in Beijing during 2016, he at Guangzhou University. His primary research interests played a significant part in advancing the field. Today, he are in the realms of Big Data and its security, malware holds the position of Professor at the College of Computer identification, and cloud computing. Science and Engineering, Northwest Normal University. The core of his research is anchored in public-key cryptogra- phy, information security protocols, and the application of wireless sensor networks. 10