An Efficient Revocable Attribute-Based Signcryption Scheme With Outsourced Unsigncryption in Cloud Computing

In this paper, we present an efficient revocable ciphertext-policy attribute-based signcryption (CP-ABSC) scheme with outsourced unsigncryption, based on ciphertext-policy attribute-based encryption (CP-ABE), to secure data sharing in cloud computing, which requires access control, data encryption, and authentication to ensure message integrity and confidentiality. It can be used to signcrypt a message based on the access rights specified by the message itself. A user can decrypt a ciphertext if and only if it possesses the attributes required by the access structure of the data. Thus CP-ABSC flexibly encrypts data based on the access rights specified by the data itself, which differs significantly from traditional encryption, where the set of users who can decrypt is predetermined and must be known by the data source. In addition, the proposed scheme handles attribute revocation with high efficiency and demands low computation overhead on users' devices during the unsigncryption phase. Our scheme provides collusion attack resistance, message authentication, forgery prevention, and confidentiality. Furthermore, we compare the performance of our scheme with others in terms of ciphertext size, key size, computation cost and functionality.


I. INTRODUCTION
The associate editor coordinating the review of this manuscript and approving it for publication was Zhen Ling.
Recently, more and more companies and individuals have taken advantage of the public cloud to store and share data. For users, outsourcing data to the cloud avoids maintaining local storage, and the pay-per-use model saves the cost of hardware and software deployment. However, when sensitive data is stored in the cloud, ensuring the confidentiality of that data is a major obstacle to the widespread deployment and adoption of cloud computing [2]. In general, the significant threats in cloud computing are:
Integrity: An adversary may modify or destroy the messages (e.g. content, timing, sequence order, etc.) between the cloud services and the data sources before they are transmitted, or a dishonest cloud service provider may discard some part of the stored data.
Confidentiality: An adversary can gain access to data without permission or qualification, which could result in loss or theft of data. This attack raises a security issue that could expose a user's private information.
Authentication and Access Control: When a user stores sensitive data in a cloud computing environment, access control is the key to ensuring legitimate access to sensitive data, and authentication guarantees the legitimacy of the data and the data source.
The primary security requirements for sharing data through the cloud are confidentiality, access control, authentication, and verifiability. To effectively meet the aforementioned requirements, an efficient security mechanism needs to be designed. Attribute-Based Encryption (ABE), developed in [3], is a promising solution that can provide confidentiality and fine-grained access control. ABE is a one-to-many public key encryption that embeds attributes into the private key or the ciphertext. There are two variants of ABE, named key-policy ABE (KP-ABE) [4] and ciphertext-policy ABE (CP-ABE) [5], respectively. In CP-ABE, the decryption algorithm succeeds only when the attribute set in the private key satisfies the access policy in the ciphertext. In this way, a data user with some specific attributes can access the sensitive data without knowing the data owner's unique identity information [6]. A signature analogue of ABE is Attribute-Based Signature (ABS) [7], which provides authentication and data integrity while hiding the identity of the signer. In ABS, a signer signs a message with a private key into which the authority has embedded the signer's attributes, and the signature indicates the attributes of whoever authenticated it. Similarly, ABS can be categorized into Signature-Policy ABS and Key-Policy ABS.
VOLUME 8, 2020 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see http://creativecommons.org/licenses/by/4.0/
Building on these methods, Attribute-Based Signcryption (ABSC), which achieves confidentiality, fine-grained access control and anonymous authenticity simultaneously, was proposed. ABSC takes advantage of ABE and ABS and is more efficient than the "encrypt-then-sign" or "sign-then-encrypt" approach. Ciphertext-Policy ABSC (CP-ABSC) is the combination of CP-ABE and SP-ABS, and Key-Policy ABSC (KP-ABSC) is the combination of KP-ABE and KP-ABS. CP-ABSC schemes with a public verifiability mechanism are more appropriate than KP-ABSC in cloud storage applications because the encryptor in the former has the right to define the access policy that decides who can access the plaintext [8].
However, the existing implementations of ABSC have some problems that hinder practical application in the cloud. One of them is the high computational overhead on the user side. In many previous ABSC schemes, the user side needs to compute a large number of bilinear pairing operations, which are complicated and time-consuming. To alleviate the computation overhead on the user side, several outsourced ABE schemes were put forward [9]-[11]. This approach can be extended to our signcryption scheme. Another shortcoming of almost all ABSC schemes is the lack of a revocation mechanism for attributes. This is a significant requirement, since the attributes of users can change dynamically in practice. However, attribute revocation is a non-trivial issue in attribute-based encryption (and likewise in signature), since each attribute is shared by multiple users. In other words, the revocation of any attribute or user affects the other users. In a naive solution, data re-encryption and user secret key updates bring heavy computation and communication overhead, which may cause bottlenecks in the revocation process.

A. OUR CONTRIBUTIONS
In this paper, we propose a new ciphertext-policy revocable attribute-based signcryption scheme with outsourced designcryption. This scheme improves efficiency and security with respect to the aforementioned issues. Our main contributions are outlined as follows:
• We formalize the framework of ciphertext-policy revocable attribute-based signcryption with outsourced designcryption. Our scheme integrates revocable ABE with verifiable outsourced decryption and server-aided signature verification.
• We implement an efficient, immediate attribute revocation approach. The cloud server is delegated the task of keeping the elements in ciphertexts and keys up to date. As a result, the computation and communication overhead involved in revocation is distinctly alleviated.
• The correctness and security of the proposed scheme are theoretically proved. We also analyze the efficiency and feasibility of the proposed scheme. In particular, our scheme is proven to provide confidentiality under adaptive chosen plaintext attack, and the security analysis also shows resistance against collusion attacks and unforgeability. We further compare our scheme with existing schemes in terms of performance and functionality.

B. ORGANIZATION
The rest of the paper is organized as follows. Section II overviews the related work. In section III, we will describe the preliminaries. We then present the system and security model in Section IV. Our construction is described in Section V. In Section VI and Section VII, security analysis and performance analysis are discussed. Finally, we conclude the paper in Section VIII.

II. RELATED WORK

A. ATTRIBUTE-BASED ENCRYPTION WITH ATTRIBUTE REVOCATION
Because users' attributes may change frequently within a real system, attribute revocation is both a necessary mechanism and a hard problem for real-world ABE applications. In [12], the authors proposed attribute-revocable ABE schemes extended from their revocable IBE schemes [46] [20]. In their scheme, each attribute is assigned an expiration date, which requires the authority center to reissue keys periodically. Thus, the authority center revokes attributes in the system by no longer publishing and updating new versions of the attributes. There are two main problems with this approach: there is a window of time during which the system is vulnerable [13], and periodic key updating produces a heavy load for both the authority center and all non-revoked users. Attrapadung et al. [14] proposed an ABE scheme that realizes user revocation by maintaining a list of the revoked users' indices. It avoids frequently updating secret keys and ciphertexts. However, this scheme does not consider attribute-only revocation, and the data owner needs to manage the revocation list.
In recent years, a new CP-ABE construction that achieves immediate attribute revocation was presented in [15], which improves on the above drawbacks. Their construction allows an untrusted server (such as the cloud) to convert a ciphertext into a new ciphertext without decrypting it, which is called proxy re-encryption. Li et al. [16] presented an efficient CP-ABE scheme with user revocation that lowers computation cost by outsourcing both encryption and decryption to cloud servers. Later they also presented a CP-ABE scheme [17] with attribute revocation, which resists collusion attacks by existing users and revoked users. Several recent schemes on attribute revocation have also been proposed [18]-[21].

B. OUTSOURCING DECRYPTION
Green et al. [9] proposed an efficient approach to lighten the computation overhead of decryption. It largely reduces the decryption cost on users' devices, because the complex computation is outsourced to a semi-trusted proxy server. However, it has a serious problem: users cannot distinguish a fake result returned by a dishonest cloud server. Building on previous outsourced decryption schemes, Lai et al. [10] proposed an extended ABE scheme that allows users to verify the correctness of transformed ciphertexts. To improve efficiency, Qin et al. [11] introduced a key encapsulation mechanism based on Lai et al. [10]. Ma et al. [22] provided a verifiable and exculpable ABE scheme. Their scheme outsources complex computation in both the encryption and decryption phases. Furthermore, it provides exculpability, that is, users cannot deny the results returned by the cloud server. With the development of outsourced ABE, researchers have deployed the technology in more ways. Li et al. [23] proposed a keyword search ABE scheme that outsources computation in key generation and decryption. A multi-authority ABE scheme with outsourced encryption and decryption for mobile cloud computing was presented by Shao et al. [24]. In [25], Liu et al. achieved highly efficient user revocation by outsourcing the computation of both encryption and decryption to cloud servers.

C. ATTRIBUTE-BASED SIGNCRYPTION
Signcryption implements both signing and encryption in a single logical step. Attribute-based signcryption (ABSC), first introduced by Gagné et al. [26], combines attribute-based encryption and attribute-based signature, with the restriction that the access structure is fixed in the setup phase. Wang et al. [27] proposed a ciphertext-policy ABSC scheme, which combines data encryption and signing through an expressive access tree. So that users can be given different rights for signing and decryption, there are two attribute sets, named ciphertext-policy and claim-predicate. Emura et al. [28] presented a dynamic encryptor attribute-based signcryption scheme, which frees users from updating private keys. Its security is proved in the standard model. Hu et al. [29] presented an ABSC scheme for body area network applications. Their scheme is error-tolerant with respect to attributes. Liu et al. [30] implemented a secure sharing scheme for a personal health records system based on CP-ABSC. Later, Rao [31] proved that the scheme in [30] fails to provide confidentiality and public ciphertext verifiability, and also presented a provably secure CP-ABSC scheme for cloud-based PHR sharing systems, which protects signcryptor privacy and provides public verifiability simultaneously. To take advantage of ciphertext-policy and key-policy in encryption and signature respectively, a hybrid access policy ABSC scheme was proposed by Yu et al. [32]. A novel decentralized KP-ABSC scheme was proposed by Meng and Meng [33]. It adopts multiple authorities to strengthen the security and privacy of users. Deng et al. [34] proposed a CP-ABSC scheme with outsourced designcryption for cloud-based personal health records systems. However, none of the above-mentioned ABSC schemes considers revocability; they would require large computation and communication costs to support attribute revocation.

III. PRELIMINARIES
In this section, we summarize some mathematical problems for our scheme construction and security analysis.

A. BILINEAR MAPS
Let $G_0$ and $G_T$ be two multiplicative cyclic groups of prime order $p$. A bilinear map $e : G_0 \times G_0 \to G_T$ satisfies the following properties:
1) Bilinearity: for all $P, Q \in G_0$ and $a, b \in Z_p^*$, the equation $e(P^a, Q^b) = e(P, Q)^{ab}$ holds.
2) Non-degeneracy: the generator $g$ satisfies $e(g, g) \neq I$, where $I$ is the identity element of the group $G_T$.
3) Computability: there is an efficient polynomial-time algorithm to compute $e(P, Q) \in G_T$ for all $P, Q \in G_0$.

B. DECISIONAL BILINEAR DIFFIE-HELLMAN (DBDH) ASSUMPTION
Let $e : G_0 \times G_0 \to G_T$ be a bilinear map, where $G_0$ and $G_T$ are cyclic groups of prime order $p$. Choose a random generator $g$ of $G_0$ and random $a, b, c, \theta$ from $Z_p^*$. The decisional Bilinear Diffie-Hellman (DBDH) problem is to distinguish between tuples of the form $(g, g^a, g^b, g^c, e(g, g)^{abc})$ and $(g, g^a, g^b, g^c, e(g, g)^{\theta})$. An algorithm has non-negligible advantage in solv-

C. ACCESS STRUCTURE
Let $P = \{P_1, P_2, \ldots, P_n\}$ be a set of parties. A collection $A \subseteq 2^P$ is monotone if, for all $B, C$: if $B \in A$ and $B \subseteq C$, then $C \in A$. An access structure (monotone access structure) is a collection (monotone collection) $A \subseteq 2^P \setminus \{\emptyset\}$. The sets in $A$ are called the authorized sets, and the sets not in $A$ are called the unauthorized sets.

D. LINEAR SECRET SHARING SCHEME(LSSS)
A secret-sharing scheme over a set of parties $P$ is called linear (over $Z_p^*$) if:
1) The shares for each party form a vector over $Z_p^*$.
2) There exists a share-generating matrix $M$ for , where $M$ has $l$ rows and $n$ columns. For all $i = 1, 2, \ldots, l$, let the function $\rho$ define the party labeling the $i$-th row of $M$ as $\rho(i)$. Consider the vector $v = (s, r_2, \ldots, r_n)$, where $s \in Z_p^*$ is the secret to be shared and $r_2, \ldots, r_n \in Z_p^*$ are randomly chosen. Then $Mv$ is the vector of $l$ shares of the secret $s$ according to . The share $(Mv)_i$ belongs to party $\rho(i)$.
Every LSSS has the property of linear reconstruction, defined as follows: Suppose that is an LSSS for the access structure $A$. Let $S \in A$ be any authorized set, and let $I \subset \{1, 2, \ldots, l\}$ be defined as $I = \{i : \rho(i) \in S\}$. Then there exist constants
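The share generation and linear reconstruction described above, as an added example that is not code from the paper: it computes the shares $Mv$ over a prime field and solves for reconstruction constants $\omega_i$ with $\sum_{i \in I} \omega_i M_i = (1, 0, \ldots, 0)$, so that $\sum_{i \in I} \omega_i \lambda_i = s$ exactly when the attribute set is authorized. The policy, the attribute names, the field modulus and all function names are constructed for illustration.

```python
import secrets

P = 2**127 - 1  # prime field modulus (constructed; stands in for the group order p)

# Constructed policy: (doctor AND cardiology) OR auditor.
# Row i of M is labelled by RHO[i]; an attribute set is authorized exactly
# when its rows span the target vector (1, 0).
M = [
    [1, 1],    # doctor
    [0, -1],   # cardiology
    [1, 0],    # auditor
]
RHO = ["doctor", "cardiology", "auditor"]


def share(secret, matrix, p=P):
    """Return the shares lambda_i = (M v)_i for v = (s, r_2, ..., r_n)."""
    n = len(matrix[0])
    v = [secret % p] + [secrets.randbelow(p - 1) + 1 for _ in range(n - 1)]
    return [sum(m * x for m, x in zip(row, v)) % p for row in matrix]


def solve_mod(a, b, p):
    """Solve a x = b over Z_p by Gauss-Jordan elimination; None if unsolvable."""
    rows, cols = len(a), len(a[0])
    aug = [[x % p for x in row] + [bi % p] for row, bi in zip(a, b)]
    pivots, r = [], 0
    for c in range(cols):
        pr = next((i for i in range(r, rows) if aug[i][c]), None)
        if pr is None:
            continue                      # free column, coefficient stays 0
        aug[r], aug[pr] = aug[pr], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == rows:
            break
    # A row "0 = non-zero" means the target is outside the span of the rows.
    if any(all(x == 0 for x in row[:-1]) and row[-1] for row in aug):
        return None
    x = [0] * cols
    for i, c in enumerate(pivots):
        x[c] = aug[i][-1]
    return x


def reconstruction_coeffs(matrix, rho, attrs, p=P):
    """Return {i: omega_i} for I = {i : rho(i) in attrs}, or None if unauthorized."""
    idx = [i for i, a in enumerate(rho) if a in attrs]
    n = len(matrix[0])
    # Columns of this system are the rows M_i, i in I (transpose of M restricted to I).
    a = [[matrix[i][j] for i in idx] for j in range(n)]
    target = [1] + [0] * (n - 1)
    w = solve_mod(a, target, p)
    return None if w is None else dict(zip(idx, w))


def reconstruct(shares, coeffs, p=P):
    """Linear reconstruction: sum over I of omega_i * lambda_i."""
    return sum(w * shares[i] for i, w in coeffs.items()) % p


if __name__ == "__main__":
    s = 123456789
    lam = share(s, M)
    for attrs in ({"doctor", "cardiology"}, {"auditor"}, {"doctor"}):
        w = reconstruction_coeffs(M, RHO, attrs)
        print(sorted(attrs), "->", None if w is None else reconstruct(lam, w) == s)
```
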

IV. SYSTEM MODEL AND SECURITY MODEL

A. SYSTEM MODEL
A representative network architecture for cloud computing is shown in Figure 1. The network architecture consists of the following entities: Trusted Authority, Data Owner, Cloud Server and Data User. The Trusted Authority initializes the system and distributes keys to all users (Data Owners and Data Users). The Data Owner defines an access structure $A$ and also possesses an attribute structure (claim-predicate) $\pi$ describing its attributes. The Data Owner then performs the signcryption procedure using the access structure $A$ and the claim-predicate $\pi$. The Cloud Server, with its vast storage space and computing resources, is responsible for data storage and provides data access services. When a Data User requests data access, the Cloud Server partially decrypts the ciphertext of that data, and it is fully decrypted only if the attributes of the user satisfy its access policy. In addition, the Cloud Server is also in charge of the large computing tasks during the revocation phase, including updating ciphertexts and secret keys. The Data Users are assigned a set of attributes associated with the access structure $A$. The Data Users unsigncrypt the partially unsigncrypted data retrieved from the cloud server by using their secret keys.
Our scheme consists of the following probabilistic polynomial time algorithms:
Setup$(1^{\lambda}) \to PP, msk$: This algorithm is run by the Trusted Authority. On input the security parameter $\lambda$, it returns the public parameters $PP$ and the master secret key $msk$.
sExtract$(PP, \{v_i\}_{i \in A_{uid}}, A_{uid}) \to SK_s$: This algorithm is run by the Trusted Authority. On input the public parameters $PP$, the master secret key $msk$ and a user's signing attribute set $A_{uid}$, it generates the signing secret keys $SK_s$ for a user.
dExtract$(PP, \{v_i\}_{i \in A_{uid}}, A_{uid}) \to SK_d$: This algorithm is run by the Trusted Authority. On input the public parameters $PP$, the master secret key $msk$ and a user's decryption attribute set $A_{uid}$, it generates the decryption secret keys $SK_d$ for a user.
Signcrypt$(m, PP, SK_s, A(M, \rho), \pi_s(M, \rho)) \to \delta$: This algorithm is run by a Data Owner. On input the original data $m$, the public parameters $PP$, the predicate $\pi_s$ of the data owner and a ciphertext access structure $A$, it outputs the signcrypted data $\delta$.
PartiallyUnsigncrypt$(\delta, PP, tk) \to \delta'$: This algorithm is run by the Cloud Server. On input the ciphertext $\delta$, the public parameters $PP$, the transformation key $tk$, and the access policy $A$ of the signcrypted data $\delta$, it outputs either the transformed ciphertext $\delta'$
FullyUnsigncrypt$(\delta', rk) \to m$: This algorithm is run by a Data User. On input the transformed ciphertext $\delta'$ and the retrieval key $rk$, it outputs either the original data $m$ or the rejection symbol $\perp$.
UpdateKeyGen$(a_i, v_i, V_i) \to \tilde{v}_i, \tilde{V}_i, uk_i$: This algorithm is run by the Trusted Authority. On input the revoked attribute $a_i$, the secret attribute key $v_i$ and the public attribute key $V_i$, it outputs the new secret attribute key $\tilde{v}_i$, the new public attribute key $\tilde{V}_i$ and the update key $uk_i$.
ProxyUpdate$(\delta, uk_i) \to \tilde{\delta}, \tilde{tk}$: This algorithm is run by the Cloud Server. On input the signcrypted message $\delta$ and the update key $uk_i$, it outputs the new signcrypted message $\tilde{\delta}$ and the new transformation key $\tilde{tk}$.

1) SECURITY MODEL
The notion of security with respect to data confidentiality can be captured by a game. If no probabilistic polynomial time adversary has a non-negligible advantage in winning the following game, the scheme is said to be indistinguishable under chosen plaintext attacks. A challenger C provides the environment for the attack, and A is an adversary.
Setup: The challenger C runs the Setup algorithm on input a security parameter $\lambda$, gives the public parameters $mpk$ to the adversary A and keeps the master key $msk$ secret.
Query Phase 1: The adversary A selects an access structure $A(M, \rho)$ and a data owner $uid$ and sends them to the challenger C.
Challenge: The adversary A submits two equal-length messages $m_0$ and $m_1$ to the challenger C, together with a signing attribute and an access policy. The attribute sets that satisfy the access policy must not have been queried in Query Phase 1. C picks $b \in_R \{0, 1\}$ and signcrypts the message $m_b$ by running the algorithm Signcrypt. It then returns $\delta_b^*$ to A.
Guess: Finally, the adversary A outputs a guess bit $b' \in \{0, 1\}$ and wins the game if $b = b'$.
The advantage of the adversary A in the above game is defined as $Adv(A) = \left|\Pr(b = b') - \frac{1}{2}\right|$.

V. OUR CONSTRUCTION
We give the detailed construction of our revocable attribute-based signcryption scheme with outsourced designcryption in this section. The notations used in this paper to describe our scheme, and their meanings, are presented in Table 1.

B. USER KEY GENERATION
The Trusted Authority is in charge of assigning a unique identity $uid$ and an attribute set $A_{uid}$ to each user. In addition, the Trusted Authority runs the algorithms dExtract and sExtract to issue secret keys for each user.
dExtract$(PP, \{v_i\}_{i \in A_{uid}}, A_{uid}) \to SK_d$. The algorithm takes the public parameters $PP$, the attribute secret keys and the attribute set $A_{uid}$ of that user as input. It selects random numbers $r_d, \beta \in Z_p^*$ for a decryption user $uid$. And according to the user's attribute set $A_{uid}$, it randomly chooses It sets the transformation key as $tk = \{(K_{d,i}, K'_{d,i})\}_{a_i \in A_{uid}}$, the retrieval key as $rk = \beta$ and the decryption secret key as $SK_d = (K_d, tk, rk)$. $K_d$ and $rk$ are sent to the user $uid$, and $tk$ is sent to the cloud server. The cloud server adds the tuple $(uid, A_{uid}, tk)$ to the user secret key list $List_{tk}$.
sExtract$(PP, \{v_i\}_{i \in A_{uid}}, A_{uid}) \to SK_s$. The algorithm selects a random number $r_s \in Z_p^*$ for each signer $uid$. And according to the signer's attribute set $A_{uid}$, it randomly chooses $\{r_{s,i} \in Z_p^*\}_{a_i \in A_{uid}}$. Then it computes It sets the signing secret key as $SK_s = (K_s, \{(K_{s,i}, K'_{s,i})\})$. The message exchange process is shown in Figure 2.
For the predicate $\pi_s$ of the data owner, it similarly generates $M$ and computes $\lambda_i = M_i v$. Thus, the signature part is and upload it to Cloud Server. The message exchange process is shown in Figure 3.

D. ACCESS DATA
When a data user wants to request data from the cloud server, it must complete the unsigncryption procedure. Outsourced unsigncryption is used here to alleviate the user side's computation overhead. The unsigncryption procedure consists of two phases.
Phase 1: unsigncryption by the cloud server. The Cloud Server runs the algorithm PartiallyUnsigncrypt to partially unsigncrypt the requested data $\delta$.
PartiallyUnsigncrypt$(\delta, PP, tk) \to \delta'$. The algorithm takes the signcrypted data $\delta$ and the transformation key $tk$ of user $uid$ as inputs. If the attribute set $A_{uid}$ used in $tk$ satisfies the access structure $A(M, \rho)$ in $\delta$, the algorithm proceeds as follows: Define $I \subset \{1, 2, \ldots, l\}$ as $I = \{i : \rho(i) \in A_{uid}\}$. There must exist a set of reconstruction coefficients $\{\omega_i \in Z_p^*\}_{i \in I}$ satisfying $\sum_{i \in I} \omega_i \lambda_i = s$. Then, it computes

g) r s s
The algorithm outputs the partially unsigncrypted data $\delta' = (P, S)$. Then the cloud server sends the partially unsigncrypted data $\delta'$ to the data user $uid$.
Phase 2: unsigncryption by the data user. Once it receives the partially unsigncrypted data from the cloud server, the user $uid$ runs the algorithm FullyUnsigncrypt to further unsigncrypt the partially unsigncrypted data $\delta'$.
FullyUnsigncrypt$(\delta', rk) \to m$. The algorithm takes the partially unsigncrypted data $\delta'$ and the retrieval key $rk$ of user $uid$ as inputs. It recovers the data $m$ and verifies the signature as follows: Otherwise it outputs $\perp$. The message exchange process is shown in Figure 4.

E. ATTRIBUTE REVOCATION
To revoke an attribute $a_i$ from some users, the Trusted Authority adds these users' identities to the attribute revocation list $RList_i$. The revocation procedure then consists of two phases.
Phase 1: key update by the Trusted Authority. The Trusted Authority runs the algorithm UpdateKeyGen to generate the update key and sends it to the Cloud Server for ciphertext updating.
UpdateKeyGen: The algorithm takes the revoked attribute $a_i$, the secret attribute key $v_i$ and the public attribute key $V_i$ as input. It chooses a new random element $\tilde{v}_i \in Z_p^*$ and computes $\tilde{V}_i = g^{\tilde{v}_i}$ as the new attribute secret and public keys for the revoked attribute. Then it generates the update key $uk_i = v_i / \tilde{v}_i$ and sends it to the Cloud Server.
Phase 2: signcrypted data and key update by the Cloud Server. When the Cloud Server receives the update key $uk_i$, it runs the algorithm ProxyUpdate to update the signcrypted data and the user secret key list $List_{tk}$.
ProxyUpdate$(\delta, uk_i) \to \tilde{\delta}, \tilde{tk}$. The algorithm takes the signcrypted data $\delta$ and the update key $uk_i$ as input. It updates the signcrypted data as: And it computes the new user secret key of each user $uid \notin RList_i$ in $tk$ as: The message exchange process is shown in Figure 5.
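The key-update arithmetic of this section, as an added example that is not code from the paper: with $uk_i = v_i / \tilde{v}_i$, the Cloud Server re-keys a ciphertext component and the transformation-key components of non-revoked users by exponentiation alone, while a revoked user's stale component no longer matches the new attribute key. Assumptions: a key component of the form $H_1(a_i)^{r/v_i}$ (the form shown for $SK_s$ in the unforgeability discussion), a ciphertext component of the assumed form $V_i^{k}$, and a toy 11-bit group standing in for $G_0$; user names and function names are hypothetical.

```python
import hashlib
import secrets

# Toy parameters (constructed, far too small for real use):
# Q = 2 * P_ORD + 1 is a safe prime and G generates the subgroup of prime
# order P_ORD that stands in for G_0.
Q = 2039
P_ORD = 1019
G = 4


def rand_exp():
    """Random element of Z_p^*."""
    return secrets.randbelow(P_ORD - 1) + 1


def inv(x):
    """Inverse in the exponent field Z_p."""
    return pow(x, -1, P_ORD)


def h1(attr):
    """Hash an attribute name to a non-identity element of the toy group."""
    e = int.from_bytes(hashlib.sha256(attr.encode()).digest(), "big")
    return pow(G, e % (P_ORD - 1) + 1, Q)


def attr_setup():
    """Trusted Authority: secret attribute key v_i and public key V_i = g^{v_i}."""
    v = rand_exp()
    return v, pow(G, v, Q)


def key_component(attr, r, v):
    """Per-user component H_1(a_i)^{r / v_i}; r is the user's own randomness."""
    return pow(h1(attr), r * inv(v) % P_ORD, Q)


def ct_component(big_v, k):
    """Assumed ciphertext component V_i^{k} for encryption randomness k."""
    return pow(big_v, k, Q)


def update_key_gen(v):
    """Trusted Authority: fresh v~_i != v_i, V~_i = g^{v~_i}, uk_i = v_i / v~_i."""
    v_new = rand_exp()
    while v_new == v:
        v_new = rand_exp()
    return v_new, pow(G, v_new, Q), v * inv(v_new) % P_ORD


def proxy_update(ct, tk_list, rlist, uk):
    """Cloud Server: re-key the ciphertext and every user not in RList_i.

    The server only ever handles group elements and uk_i; it learns neither
    v_i nor v~_i. Entries of revoked users are left untouched (stale).
    """
    new_ct = pow(ct, inv(uk), Q)                       # (g^{v k})^{v~/v} = g^{v~ k}
    new_tk = {uid: (k if uid in rlist else pow(k, uk, Q))  # H^{r/v} -> H^{r/v~}
              for uid, k in tk_list.items()}
    return new_ct, new_tk


def demo():
    attr = "cardiology"                                # constructed attribute
    v, big_v = attr_setup()
    r = {"alice": rand_exp(), "bob": rand_exp()}       # constructed users
    tk = {u: key_component(attr, r[u], v) for u in r}
    k = rand_exp()
    ct = ct_component(big_v, k)

    v_new, big_v_new, uk = update_key_gen(v)           # revoke attr from bob
    new_ct, new_tk = proxy_update(ct, tk, {"bob"}, uk)
    return {
        "ct_matches_new_pk": new_ct == pow(big_v_new, k, Q),
        "alice_key_current": new_tk["alice"] == key_component(attr, r["alice"], v_new),
        "bob_key_current": new_tk["bob"] == key_component(attr, r["bob"], v_new),
    }


if __name__ == "__main__":
    print(demo())
```
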

VI. SECURITY ANALYSIS

A. CORRECTNESS
The correctness of decryption part in unsigncryption procedure:
The correctness of verification part in unsigncryption procedure: e(g, g) (α−r s )sh e(g, g) αsh e(g, g) −r s sh = e(g, g) st = V . If the data is not forged or falsified, then the equation
The proposed scheme is IND-(CP-ABSC)-CPA secure under the DBDH assumption.
Theorem 1: Suppose the DBDH assumption holds in $G_0$ and $G_T$. Then no polynomial time adversary can win the IND-(CP-ABSC)-CPA game with a non-negligible advantage.
Proof of Theorem 1: If an adversary A that makes $q$ queries can break the IND-(CP-ABSC)-CPA security of our scheme with a non-negligible advantage $\varepsilon$, then a challenger C running algorithm B can solve the DBDH problem with a non-negligible advantage. The simulation proceeds as follows.
Setup: The adversary A selects an access structure $A(M, \rho)$ and a data owner $uid$ and sends them to the challenger C. The challenger C is given an instance of the DBDH tuple $(g, g^a, g^b, g^c, Z)$, where $g$ is a random generator of $G$ and $a, b, c \in_R Z_p^*$. C performs the algorithm Setup of the proposed scheme. In particular, it chooses a random element $x \in Z_p^*$ and sets $A = e(g, g)^{\alpha} = e(g, g)^{ab + x}$. C publishes the public parameters to A and keeps the master secret key secret.
Query Phase 1: The adversary A selects an attribute set $\{a_i : a_i \notin A\}$ and queries the challenger C for the decryption secret key. The challenger C randomly chooses $r \in Z_p^*$ to compute $K_d = g^{x - r}$, where $x = \alpha - ab$ and $r_d = ab + r$. Then, according to the algorithm dExtract, the decryption secret key sent to A is ( .
Challenge: The adversary A submits two equal-length messages $m_0$ and $m_1$ to the challenger C. C selects $b \in_R \{0, 1\}$ and signcrypts the message $m_b$ as: The challenger C sends the generated ciphertext to the adversary A.
Query Phase 2: The adversary A makes a polynomially bounded number of queries in the same way as in Query Phase 1, except that it cannot make dExtract queries on attribute sets that satisfy the ciphertext-policy $A(M, \rho)$.

2) COLLUSION ATTACK RESISTANCE
In our scheme, the secret attribute keys owned by different users are independent. Thus this scheme can defend against collusion attacks although the original ABE cannot. For example, assume that none of the colluding attackers alone possesses a sufficient number of attributes to decrypt the ciphertext C. A collusion attack cannot succeed, for two reasons. First, the private keys possessed by users with different identities are independent, since they are randomized by the unique element $r_d$. Second, the cloud server cannot compute the partially decrypted data by using different users' public attribute keys, because the public attribute keys are also blinded by unique random elements. Thus, when users and the cloud server collude, they are still unable to combine their private key components in any useful way. Therefore we conclude that the proposed scheme is secure against collusion attacks.

3) UNFORGEABILITY
An adversary who wants to forge a signcryption ciphertext must have the secret key of the sensitive data's owner or know the random factor $t$. However, the adversary cannot forge the private key $SK_s = (g^{\alpha - r_s}, \{g^{r_s} H_1(a_i)^{r_{s,i}}, H_1(a_i)^{r_{s,i}/v_i}\})$ because the secret elements $r_s$ and $r_{s,i}$ are chosen randomly. Additionally, the attacker cannot derive a valid signcryption ciphertext from existing ciphertexts. Even if the ciphertext is modified by the adversary, the receiver can still verify the integrity and legitimacy of the ciphertext through the algorithm FullyUnsigncrypt. Therefore we conclude that the proposed scheme is unforgeable under chosen message attacks.

VII. PERFORMANCE ANALYSIS
In this section, we analyze the communication and computation cost of our proposed scheme. We then compare them with a combination of an ABE and an ABS scheme, and with other previous ABSC schemes. The communication overhead is directly related to the ciphertext size, decryption key size and signing key size. The computation overhead is directly related to the cost of the operations in the signcryption and designcryption phases. To make the analysis easier to follow, the notations we use to evaluate the efficiency of the different schemes are listed in Table 2. We assume that the size of the access structure and the cost of hash computation are not included in the calculation.

A. COMMUNICATION OVERHEAD
We analyze the ciphertext, decryption key and signing key sizes of our proposed scheme as follows. According to the construction, the length of the ciphertext $\delta$ can be computed as: Therefore the total ciphertext size according to equation (1) is $(2n_e + 2n_s + 2)|g_0| + |g_T| + |Z_p|$. In the same way, the sizes of the decryption key $SK_d$ and the signing key $SK_s$ can be computed as: The decryption key and signing key sizes according to equations (2) and (3) are $(2n_d + 1)|g_0| + |Z_p|$ and $(2n_s + 1)|g_0|$, respectively.

B. COMPUTATIONAL OVERHEAD
The major concern for the computation cost is the exponentiation and pairing operations in signcryption and designcryption algorithm. In our scheme, the Signcrypt algorithm s,i }, e(C 0 , g t ), which need (2n e + 2n s + 3) times exponentiation operations in G 0 , 2 times exponentiation operations in G T and one pair operation. And the FullyDesigncrypt algorithm calculates Y = e(K d , C 0 ) · P β , V = e(C 0 , R)/(Y · S −1 ) h , which only need one exponentiation operation in G 0 and one exponentiation operation in G T .
The communication overheads of the schemes in [6], [35], [27], [28], [31], [34] are analyzed as follows. In [6], [35], the decryption and signing key composed n d and (2n s + 1) elements in G 0 . And the ciphertext contained (3n e + 2n s + 1) elements in G 0 , an element in G T . We can see that this size is a bit larger than ours. In [27], the decryption key,signing key and ciphertext are related to attributes, which composed (2n d + 1) elements in G 0 , (2n s + 1) elements in G 0 and (2n e + 2n s + 2) elements in G 0 plus an element in G T and an element in Z p respectively. our's key and ciphertext size is almost same with them. In [28], the decryption key,signing key and ciphertext are related to attributes, which composed (4n d + 1) elements in G 0 , (4n s + 1) elements in G 0 and (3l e + 4) elements in G 0 plus an element in G T respectively. Compared to our scheme, we have shorter decryption and signing key size and a little longer ciphertext size. In [31], the decryption key,signing key and ciphertext are related to attributes, which composed (n d + 2) elements in G 0 , (n s + 2) elements in G 0 and (n e + n s + 4) elements in G 0 plus an element in G T respectively. In [34], the decryption key,signing key and ciphertext are related to attributes, which composed (n d + 2) elements in G 0 , (n s + 2) elements in G 0 and 2(n e + n s + 2) elements in G 0 plus an element in G T respectively. The decryption and signing key size in [34] is shorter than ours, while the ciphertext size is larger than ours. The Comparison of ciphertext, decryption key and signing key size are summarized in Table 3.
The computational overheads of the schemes in [6], [35], [27], [28], [31], [34] are analyzed as follows. In [6], [35], the encryption and decryption algorithms need (3n e + 1) exponentiations in G 0 plus one exponentiations in G T and 2n d pairings plus n d exponentiations in G T , respectively. Adding the signing and verifying algorithm to it, there are (2n e + 1) exponentiations in G 0 plus one exponentiations in G T and (2n s log n s + 2) pairings, respectively. Thus we can claim that our scheme is superior over the [6], [35] whose overall of signcryption and designcryption cost is (3n e +2n s + 1)E 0 + 2E T and (2n d + 2n s log n s + 2)P + n d E T , respectively. In [27], The signcryption and designcryption algorithms take (2n e + 2n s + 3) exponentiations in G 0 plus one exponentiations in G T plus one pairing and (1 + n d log n d + n s log n s ) exponentiations in G T plus (2n d log n d + 2n s log n d + 1) pairings. Our scheme's signcryption cost is close to [27]. But the designcryption cost is much better than theirs due to the outsourced designcryption. In [28], The signcryption and designcryption algorithms take (2n d + 2n s + 3) exponentiations in G 0 plus one exponentiations in G T and (2n d + 4n s + 3) pairings. The signcryption cost in [28] is also close to ours. In [34], signcryption need (n e + 2n s + 4) exponentiations in G 0 , which is less than ours. And their designcryption need (2 + l s ) exponentiations in G 0 plus one pairing, which is greatly less than the above scheme but still more than ours. For the computation overhead of designcryption, the computational overhead in our scheme is quite light for users. The reason is that we securely outsourced the most complex operations to a proxy cloud server and only left user's devices a exponentiation in group G 0 , G T , respectively. 
In [6], [35], [27], [28], [31], the number of exponentiation and pairing operations in designcryption is at least linear in the number of attributes in the decryption (signing) key. Although [34] also outsources designcryption to a cloud server to reduce the computation overhead on the user side, our scheme saves $n_s + 1$ exponentiations and one pairing operation compared to theirs. The comparison of signcryption cost and designcryption cost is listed in Table 4.
We conducted a simulation experiment on an Intel i3-3320 processor at 3.30 GHz with 2 GB of memory, running a 32-bit Ubuntu 16.04.4 system. The experiment was based on the Stanford Pairing-Based Crypto (PBC) library. We adopted the type A bilinear pairing as the bilinear map. Under this environment, a pairing operation takes 10.6 ms, and an exponentiation in $G_0$ and $G_T$ takes 6.4 ms and 5.7 ms, respectively. Figure 6 depicts the computation time of signcryption on the data owner side for our scheme and the other schemes. It shows that the time for signcryption increases linearly with the number of attributes involved. Our scheme has a relatively good performance. Our scheme's computational cost of signcryption is lower than that of the schemes [6], [35] and [27] and almost the same as that of the schemes [27], [28]. Only Deng et al.'s scheme [34] performs better than ours. However, as expected, the experimental results demonstrate that our scheme largely decreases the designcryption overhead. As Figure 7 shows, the computational cost of the data user stays constant and is much lower than in the other schemes [6], [35], [27], [28], [31], [34], because the outsourcing mechanism is used in our designcryption algorithm.
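As an added illustration (not code or measured data from the paper), the following Python sketch combines the user-side designcryption operation counts stated above with the reported per-operation times to estimate how each scheme's cost grows with the number of attributes. It assumes base-2 logarithms, $l_s = n_s$ for [34], and $n_d = n_s$ in the table helper; all function and variable names are hypothetical.

```python
import math

# Per-operation times reported in the text (milliseconds).
T_PAIRING, T_EXP_G0, T_EXP_GT = 10.6, 6.4, 5.7


def _log(n):
    # Assumption: the text does not give the base of "log"; base 2 is used.
    return math.log2(n) if n > 1 else 0.0


# User-side designcryption counts as (pairings, exps in G_0, exps in G_T),
# transcribed from the text. Assumption for [34]: l_s is taken equal to n_s.
DESIGNCRYPTION_OPS = {
    "[6],[35]": lambda nd, ns: (2 * nd + 2 * ns * _log(ns) + 2, 0, nd),
    "[27]": lambda nd, ns: (
        2 * nd * _log(nd) + 2 * ns * _log(nd) + 1,
        0,
        1 + nd * _log(nd) + ns * _log(ns),
    ),
    "[34]": lambda nd, ns: (1, 2 + ns, 0),
    "ours": lambda nd, ns: (0, 1, 1),
}


def designcryption_ms(scheme, n_d, n_s):
    """Estimated user-side designcryption time in ms for one scheme."""
    pairings, exp_g0, exp_gt = DESIGNCRYPTION_OPS[scheme](n_d, n_s)
    return pairings * T_PAIRING + exp_g0 * T_EXP_G0 + exp_gt * T_EXP_GT


def cost_table(sizes):
    """Estimated times for each scheme with n_d = n_s = n (constructed inputs)."""
    return {
        n: {s: designcryption_ms(s, n, n) for s in DESIGNCRYPTION_OPS}
        for n in sizes
    }


if __name__ == "__main__":
    for n, row in cost_table([2, 4, 8, 16, 32]).items():
        cells = "  ".join(f"{s}: {ms:8.1f}" for s, ms in row.items())
        print(f"n={n:2d}  {cells}")
```

These figures are model estimates derived from the operation counts, not the measurements plotted in Figure 7.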
Beyond the above comparison, our scheme supports a more important function. To handle the attribute revocation problem, the previous schemes [6], [35], [27], [28], [31], [34] require the data owner to decrypt the ciphertext and signcrypt it again. In our scheme, however, that task is outsourced from the data owners to the cloud servers, while the curious cloud servers do not obtain the plaintext of the stored data. Our scheme also provides forward security: a user who drops an attribute fails to access the plaintext of subsequent data after attribute revocation.
In summary, although the ciphertext and key sizes of our proposed scheme have little advantage over the above schemes, our scheme outperforms them in computation overhead and supports more features, which makes it more useful in practice.

VIII. CONCLUSION
In this paper, we present a new ciphertext-policy attribute-based signcryption scheme for data sharing in the cloud computing environment. It provides flexible access control and ensures the authenticity of the data without revealing the specific identity of the data owner. Besides, it can efficiently handle attribute revocation. The security analysis proves that our scheme can successfully guarantee the security of data communication in the cloud computing environment. Because our scheme supports outsourced unsigncryption, the performance analysis demonstrates that it is efficient in terms of computational cost. In future research, we aim to design a more efficient signcryption approach with lower communication and computation requirements during the revocation phase.

ACKNOWLEDGMENT
This article was presented in part at the International Conference on Wireless Algorithms, Systems, and Applications 2019 [1].

VOLUME 8, 2020