Traceable and Weighted Attribute-Based Encryption Scheme in the Cloud Environment

To address the problem that the importance of a user's attributes is seldom considered in most existing attribute-based encryption schemes with traitor tracing, we design a traceable and weighted attribute-based encryption scheme. In the constructed scheme, the user's private key, which contains the user's identity information, is used to trace traitors. In addition, the idea of the weighted attribute is introduced, and the attributes set is transformed into the segmentation set of weighted attributes through the attributes set segmentation algorithm. By employing a linear secret sharing scheme, the scheme offers a fine-grained and flexible access control mechanism. Under the q-BDHE assumption in the standard model, we prove that the scheme is secure against chosen-plaintext attack. Compared with other relevant schemes, it significantly improves the costs of communication and computation, and it is more suitable for mobile terminals in cloud computing.


I. INTRODUCTION
Attribute-based encryption (ABE) achieves a one-to-many encryption pattern through fine-grained access control. The idea of ABE was introduced by Sahai and Waters [1], and its earliest form was regarded as fuzzy identity-based encryption. The mechanism was subsequently studied by many other researchers. ABE is mainly divided into two classes: ciphertext-policy attribute-based encryption (CP-ABE) [2] and key-policy attribute-based encryption (KP-ABE) [3]. In CP-ABE, the attributes set is associated with the user's private key, and the access policy is associated with the ciphertext of the data. Conversely, in KP-ABE the attributes set is bound to the ciphertext of the data, and the access policy is associated with the user's private key. CP-ABE not only protects data privacy and provides a fine-grained access control structure, but also allows data holders to specify flexible access policies [4], [5]. It is convenient for owners to share data in the cloud system.
In an ABE system, the holder does not want to disclose the private key, because the private key is closely related to the holder's privacy and security. Nevertheless, because the attributes set is related to the user's private key in existing ABE schemes, the same attribute may be assigned to different users, resulting in the same decryption private key being held by different users. Moreover, the number of attributes is far smaller than the number of users in practical applications, so it is usually difficult to determine the real identity of the holder of a private key. As a result, users may secretly sell their private keys, or the keys may be stolen maliciously. Even if the system finds a sold private key, it is troublesome to determine the identity of its original holder. Therefore, traitor tracing has become one of the hot issues in ABE research [10]. Imagine a hospital that uses a CP-ABE system, in which three doctors hold decryption keys corresponding to the attributes sets "{Alice, Doctor, Psychiatric Department}", "{Bob, Nurse, Psychiatric Department}", and "{Coral, Doctor, Emergency Department}" respectively. A patient wants to share his medical history under an access policy over attributes, for instance "(Doctor AND (Psychiatric Department OR Emergency Department))", instead of identity-relevant attributes, for example "(Alice OR Coral)". In an expressive CP-ABE system, both Alice and Coral can decrypt the ciphertext with their private keys. If Bob can decrypt the ciphertext, who helped him: Alice or Coral? So when a malicious authorized user secretly exposes his or her private key, it is hard to determine the original holder of the private key.
The associate editor coordinating the review of this manuscript and approving it for publication was Jiafeng Xie.
Behind that question lies another: in a real scenario, doctors can be classified into distinct levels, such as attending doctor, resident doctor, intern doctor, and so on. If we intend to express every such case in an access structure, we must consider whether all possibilities have been covered, so the access structure grows relatively complicated. We can instead grant the attribute doctor a weight 1, 2, ..., n, denoting the intern doctor as "Doctor (1)" and the attending doctor as "Doctor (2)", so that the weight indicates the importance of the attribute. Both the attending doctor and the intern doctor can decrypt data under an access structure like {Doctor (1) AND Psychiatric Department}, whereas the intern doctor cannot decrypt data under an access structure like {Doctor (2) AND Psychiatric Department}. In brief, the weight represents the significance of the attribute in these circumstances, and weighted ABE is better suited to realistic scenarios [11], [12]. In real life, the weighted attribute is well worth considering. Each user has many attributes, and the same attribute held by different users should play different roles. For example, two users may both have the attribute engineer, yet their access rights should differ according to experience: an engineer with long working experience should have the higher access right. Considering the actual application environment, each attribute plays a different role in the system, the corresponding right in the system also differs, and the status of each attribute may not be the same. Introducing the concept of weight into the ABE system therefore has practical significance and brings the ABE scheme closer to the actual situation.
VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see http://creativecommons.org/licenses/by/4.0/
Therefore, a realistic ABE system that holds traceability and the weighted attribute is very critical. In our paper, a weighted attribute-based encryption scheme that holds traitor tracing will be introduced.

A. RELATED WORK
In recent years, ABE has been a research hotspot since Sahai and Waters [1] put forward its earliest form, and many ABE systems [2]-[9] have been proposed. Li et al. [6] presented a practical extended file hierarchy CP-ABE system that can encrypt multiple documents on the same access level and is applicable to large companies and institutions with multi-level departments. To better handle leakage of the master key and secret key, Li et al. [7] first gave the formal definition and security model of a hierarchical ABE system with continuous leakage-resilience, and proposed a ciphertext-policy hierarchical ABE system. Li et al. [8] took into account side-channel attacks on most existing KP-ABE systems; they gave the formal definition and security model of KP-ABE resilient to continual auxiliary input leakage and put forward a concrete scheme. Li et al. [9] constructed an ABE scheme with full verifiability for outsourced decryption, which not only guarantees the correctness of outsourced decryption for authorized users but also allows the correctness of the transformed ciphertext to be checked for unauthorized users.
An ABE system controls a user's decryption authority through the matching relationship between the access structure and the attributes set. In practice, however, a traitor (or malicious user) may obtain illegal benefit by disclosing the private key. Therefore, Abdalla et al. [10] first presented an encryption scheme that depends on the identity of traitors. Wang et al. [13] offered an ABE scheme that could trace traitors based on identified users; in their scheme, a secure coding technique was introduced to guarantee the identity of abusers of the key. In general, traceable CP-ABE can realize a fine-grained access control mechanism, yet the majority of current traceable CP-ABE schemes are limited to AND gates and are less expressive. To boost the expressiveness of the access policy, Liu et al. [14] constructed a traceable CP-ABE scheme that supports any monotonic access structure, in which a signature technique generates identity information so that the CP-ABE system can trace malicious users. They also divided the traceability of ABE into two classes: white-box traceability and black-box traceability. Liu et al. [15] put forward a black-box traceable CP-ABE. Ning et al. [16] proposed a white-box traceable CP-ABE scheme that supports flexible attributes. Li et al. [18] and Zhou et al. [19] put forward traceable multi-authority CP-ABE schemes whose policies are expressed as any monotonic access structure. Zhang et al. [20] proposed a large-universe multi-authority CP-ABE scheme that supports white-box traceability. Jiang et al. [21] proposed a CP-ABE scheme that hinders the abuse of users' private key delegation and extended it to a traceable CP-ABE system. In addition, Ning et al. [22] offered a CP-ABE scheme that achieves both public auditing and traceability. The scheme of Guan et al. [23] realized traceability and reliable key delegation. Li et al. [24] provided a traceable CP-ABE scheme that also realizes verifiable outsourced decryption. Wang et al. [25] proposed a traceable CP-ABE scheme with user revocation. Ning et al. [26] and Liu et al. [27] proposed CP-ABE schemes that are both traceable and revocable.
Although these schemes can be employed to detect malicious users, they do not consider the importance of attributes and cannot support weighted attributes. Considering the actual application environment, Liu et al. [11] presented the idea of ciphertext-policy weighted attribute-based encryption (CP-WABE) and introduced the weighted attribute into the ABE system. Chu and Wang [28] constructed a weighted ABE with revocation, but the scheme could not trace malicious users.

B. OUR CONTRIBUTION
Considering that malicious users are difficult to trace after selling their private keys, and that the importance of attributes is seldom considered in most existing traceable ABE schemes, our scheme introduces the concept of the weighted attribute into the traceable ABE scheme. Based on a comprehensive analysis of existing CP-ABE schemes, we find that many researchers address the tracing of malicious users and weighted attributes independently. Inspired by the schemes in [11], [12], [16], [17], we construct a traceable and weighted attribute-based encryption system. The primary contributions of our constructed scheme are as below.
(1) In our constructed scheme, the malevolent users who expose their private keys for whatever intention can be distinguished through the tracking algorithm. The presented scheme randomizes the identity and the result is embedded into the private key of the user. The traitor can be tracked via tracking the user's identity information.
(2) By introducing the concept of the weighted attribute into the traceable ABE scheme, the flexibility of attribute expression in the system is improved and the complexity of access tree is reduced. According to the importance of attributes in the system, the trusted authority allocates different weights. Based on the weight of attributes, the attributes set is transformed into the segmentation set of weighted attributes via the attributes set segmentation algorithm. By using linear secret sharing scheme as access structure, fine-grained access control is provided. Because each attribute of the users is assigned weight, only when the attribute contained in the secret key satisfies the access structure of the ciphertext can it be decrypted correctly.
Compared with related traceable ABE schemes, introducing the concept of weight into the traceable ABE scheme is of practical significance, since it brings our scheme closer to the actual situation.
(3) Under the assumption of q-BDHE, the constructed scheme is proved to realize security against the chosen-plaintext attack in the standard model. The experimental results show that the scheme is practical in the cloud environment.

C. ORGANIZATION
The backgrounds which consist of bilinear map, access structure, and complexity assumptions are given in the next section. Section 3 gives a formal definition. Our main scheme is represented in section 4. Section 5 represents the security analysis of our constructed scheme. In section 6, the concrete analysis is discussed. In the end, we summarized our constructed scheme in the last section.

A. BILINEAR MAP
Let $G$ and $G_T$ denote two multiplicative cyclic groups of prime order $p$, and let $g$ be a generator of $G$. $e : G \times G \to G_T$ is a bilinear map that satisfies: (2) Non-degeneracy: $e(g, g) \neq 1$; (3) Computability: for all $u, v \in G$, there exists a method that can calculate $e(u, v)$.

B. ACCESS STRUCTURE
Let $A$ denote a (monotonic) collection of non-empty subsets of $\{P_1, P_2, \dots, P_n\}$, i.e., $A \subseteq 2^{\{P_1, P_2, \dots, P_n\}} \setminus \{\emptyset\}$. Then $A$ is a (monotonic) access structure. The sets in $A$ are considered the authorized sets, and the remaining sets are considered the unauthorized sets.

C. LINEAR SECRET SHARING SCHEME (LSSS)
Definition 2: An LSSS over a set of participants $P$ can be considered as follows:
(1) Each secret share comes from a vector over $Z_p$.
(2) There is a matrix $M$ with $l$ rows and $n$ columns, referred to as the share-generating matrix. For $i \in [1, l]$, a function $\rho$ maps the $i$-th row of $M$ to the attribute $\rho(i)$. Consider a column vector $\nu = (s, \nu_2, \nu_3, \dots, \nu_n)$, where $s \in Z_p$ is the secret value and $\nu_2, \nu_3, \dots, \nu_n \in Z_p$ are chosen at random. Then $M \cdot \nu$ is the vector of $l$ shares of $s$, and the share $(M \cdot \nu)_i$ belongs to the attribute $\rho(i)$.
Each LSSS has the feature of linear reconstruction. Let $A$ denote an access structure, let $S \in A$ be any authorized set, and let $I \subseteq \{1, 2, \dots, l\}$ be defined as $I = \{i : \rho(i) \in S\}$. Then there exists a set of constants $\{\omega_i \mid i \in I\}$ such that $\sum_{i \in I} \omega_i \cdot M_i = (1, 0, \dots, 0)$. If $\lambda_i = M_i \cdot \nu$ is a valid share of any $s$, then $\sum_{i \in I} \omega_i \lambda_i = s$.

D. COMPLEXITY ASSUMPTIONS
We state the l-Strong Diffie-Hellman (l-SDH) assumption and the q-Bilinear Diffie-Hellman Exponent (q-BDHE) assumption in this section.
Assumption 1 (l-SDH Assumption): Let $G$ denote a group of prime order q, and let $g$ be a generator of $G$. The l-SDH problem is as follows: after an exponent $x \in Z_p$ is chosen at random, and given the $(l+1)$-tuple $(g, g^{x}, g^{x^2}, \dots, g^{x^l})$, output a pair $(c, g^{1/(x+c)}) \in Z_p \times G$. The algorithm A can deal with the problem of l-SDH with the advantage $\varepsilon$ if
The l-SDH assumption holds if no polynomial-time algorithm A can solve the l-SDH problem with non-negligible advantage.
Assumption 2 (q-BDHE Assumption): Let $G$ denote a group of prime order $p$, and let $g$ be a generator of $G$. The q-BDHE problem is as follows: exponents $d, s \in Z_p^*$ are chosen at random, and given $y = (g, g^{s}, g^{d}, \dots, g^{d^{q}}, g^{d^{q+2}}, \dots, g^{d^{2q}})$, it is hard for the algorithm A to distinguish $e(g, g)^{d^{q+1} s} \in G_T$ from a random element $Z \in G_T$. The algorithm A can handle the problem of q-BDHE with the advantage $\varepsilon$ if

Definition 4: The q-BDHE assumption holds if no polynomial-time algorithm A has a non-negligible advantage in solving the q-BDHE problem.

III. DEFINITIONS AND SECURITY MODEL

A. DEFINITION OF THE ALGORITHMS
Inspired by references [11], [12], [16], [17], we construct a traceable and weighted CP-ABE scheme that involves seven algorithms.
Taking system attributes set as input, it segments attributes set according to the maximum weight of the attribute and outputs the segmented set U .
By inputting a security parameter λ and segmented set U , it calculates the system master key MSK , as well as public parameters PP.

B. SELECTIVE CPA SECURITY MODEL
The security model is an indistinguishability game against chosen-plaintext attack (IND-CPA) played between an adversary and a challenger.
Initialization: The attacker declares the access structure $(M^*, \rho^*)$ that it will challenge and transmits it to the challenger.
Setup: After carrying out the Initialization algorithm, the challenger transfers PP to the adversary.

Phase 1: The adversary queries the challenger to obtain the private keys of the users associated with $(id_1, S_1), \dots, (id_q, S_q)$, none of which satisfies the access policy $(M^*, \rho^*)$.
Challenge: The adversary offers two equal-length messages $M_0$ and $M_1$ to the challenger, along with an access structure $(M^*, \rho^*)$. The challenger selects $b \in \{0, 1\}$. After encrypting $M_b$ under $(M^*, \rho^*)$ to generate $CT^*$, the challenger transmits $CT^*$ to the adversary.
Phase 2: The adversary queries the challenger to get the private keys of the users associated with $(id_1, S_1), \dots, (id_q, S_q)$, under the same restriction as in Phase 1.
Guess: The adversary outputs a guess $b'$ for $b$. If $b' = b$, the adversary wins the game. The game requires that none of the queried attributes sets $S_1, \dots, S_q$ satisfies $(M^*, \rho^*)$. The advantage of the adversary of winning the game is described as
Definition 5: Our constructed scheme is secure against IND-CPA if all polynomial-time attackers have a negligible advantage in winning the above indistinguishability game.

C. TRACEABILITY MODEL
We can employ the following game that runs between a challenger and an adversary to prove the traceability of our constructed scheme.
Initialization: After carrying out the Initialization algorithm, the challenger transfers the public parameters PP to the adversary.
Key Query: The adversary asks the challenger for the private keys of the users associated with $(id_1, S_1), \dots, (id_q, S_q)$.
Key Forgery: After querying, the adversary produces a user private key $SK^*$.
The adversary wins the above game if $\mathrm{Track}(PP, SK^*) \to id/\perp$ and $\mathrm{Track}(PP, SK^*) \notin \{id_1, \dots, id_q\}$. The advantage of the adversary winning the above game is represented as
Definition 6: Our constructed scheme holds traceability if all polynomial-time attackers have a negligible advantage in winning the above traceability game.

D. KEY SANITY CHECK MODEL
Following the literature [16], the model of key sanity check is described by the following game between a simulator and an adversary. When the security parameter $1^{\lambda}$ is input, the simulator calls an adversary A and returns to it the public parameters $PP$, the ciphertext $CT$, and two different keys $SK_{id_k, S_k}$, $\widetilde{SK}_{id_k, S_k}$ corresponding to the same attributes set $S_k$ for a user $U_k$ with $id_k$. A will win the game if the following requirements are met.

IV. SPECIFIC CONSTRUCTION

1) ATTRIBUTES SET SEGMENTATION ALGORITHM
Seg( ) → $U$. The algorithm is run by a trusted center TA. After the system attributes set is input, TA assigns different weights based on the importance of the attributes in our proposed system. Each attribute $\lambda_i$ is assigned the maximum weight $\theta_i = \mathrm{weight}(\lambda_i)$ ($\theta_i$ is an integer only) that is allowed in the system. TA segments $\lambda_i$ according to its weight: after segmentation, $\lambda_i$ corresponds to $(\lambda_i, 1), \dots, (\lambda_i, \theta_i)$, and the system attributes collection is transformed into the attributes segmentation set $U$ of all attributes. Finally, the algorithm outputs $U$. For example, the position of a teacher in a university can be divided into three categories: lecturer, associate professor, and professor. They are given weights of 1, 2 and 3 respectively, that is, they are represented by "teacher: 1", "teacher: 2", and "teacher: 3" respectively. In this case, the single attribute "teacher" achieves the effect of the original three attributes. An access structure like {Professor OR Associate professor OR Lecturer} can be reduced to {teacher: 1}, that is, the lowest attribute satisfying the policy is used to replace the other attributes. In our scheme, we use weighted attributes to improve the expressive ability of attributes and simplify the access structure.

2) INITIALIZATION ALGORITHM
The algorithm is carried out by TA. TA inputs the security parameter $\lambda$ and the attributes segmentation set $U$. Let $G$ and $G_T$ be two multiplicative cyclic groups of prime order $p$, let $g$ be a generator of $G$, and let $e : G \times G \to G_T$ be a bilinear map. Let $z = \sum_i \theta_i$. The trusted center TA carries out the following procedures:
(1) It randomly chooses $a, \alpha \in Z_p$ and $h \in G$.
(2) For each attribute $z$, it selects $U_z \in G$ ($U_z$ is related to the attributes segmentation set $U$).
(3) TA chooses a probabilistic encryption algorithm (Enc, Dec). This algorithm is a symmetric encryption with a secret key $\bar{k} \in Z_p$. Encrypting the same plaintext repeatedly yields different ciphertexts.
Finally, TA publishes $PP = (p, e, G, G_T, g, h, g^{a}, e(g, g)^{\alpha}, \{U_z\}_{z \in U})$ and keeps $MSK = (a, \alpha, \bar{k})$ secret.

3) KEY GENERATION ALGORITHM
KeyGen(PP, MSK, S, id) → SK. The trusted center TA authenticates the attributes set $S_k$ ($S_k \in U$) of the user $u_k$ and generates the decryption key SK. The specific procedures are as below.
TA randomly selects $r, r_z \in Z_p$ and computes $c = \mathrm{Enc}_{\bar{k}}(id_k)$ for each $z \in S_k$ ($1 \le z \le |U|$), where $id_k$ is the identity of the user $u_k$. There is no difference between the result $c$ and a random number in $Z_p$.

4) ENCRYPTION ALGORITHM
Enc (PP, m, (M, ρ)) → CT. By encrypting the message $m$, the data owner obtains the ciphertext CT. The specific operations are as follows. The data owner inputs the public parameters PP, the message $m$, and the access policy $(M, \rho)$, where $M$ is a matrix with $l \times n$ elements and the function $\rho$ maps each row of $M$ to the smallest share of the weighted attributes, i.e., "teacher: 1". Then, it selects a random column vector $\nu = (s, \nu_2, \nu_3, \dots, \nu_n)$, where $\nu_2, \nu_3, \dots, \nu_n$ are employed for sharing the encryption factor $s$. The data user computes $\lambda_i = M_i \cdot \nu$ for all $i \in [1, l]$, where $M_i$ is the vector associated with the $i$-th row of the matrix $M$. After randomly selecting an exponent $\tau_i \in Z_p$, the data owner outputs CT as follows: [1,l] .

5) DECRYPTION ALGORITHM
Dec (PP, CT, SK) → m/⊥. For the user $u_k$, there are two cases:
(1) If the user's attributes set $S_k \notin (M, \rho)$, i.e., the attributes set $S_k$ of $u_k$ does not fulfill the access policy $(M, \rho)$, the algorithm aborts.
(2) If the user's attributes set $S_k \in (M, \rho)$, the algorithm sets $I = \{i : \rho(i) \in S\}$, $I \subseteq [1, l]$. There is a set of constants $\{\omega_i \in Z_p\}_{i \in [1, l]}$ such that $\sum_{i \in I} \omega_i \lambda_i = s$. The algorithm computes as below: In the end, by computing $m = C/F$, the algorithm obtains the message $m$.
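The secret-sharing layer behind Seg, Enc and Dec (and the LSSS definition in the preliminaries), worked on $Z_p$ exponents only and without the pairing groups, as an added example that is not code from the paper. The 127-bit prime, the function names, and the rule that a user holding an attribute at weight w is issued the segments (attribute, 1) through (attribute, w) are assumptions; the policy is the hospital policy from the introduction with Doctor required at weight 2.

```python
"""Secret-sharing layer of Seg / Enc / Dec over Z_p (no pairing groups)."""
import secrets

P = 2**127 - 1  # constructed prime standing in for the group order p

# Constructed system: maximum weight theta_i per attribute (input to Seg).
MAX_WEIGHTS = {"Doctor": 2, "Psychiatric Department": 1, "Emergency Department": 1}

# Policy (Doctor:2 AND (Psychiatric Department:1 OR Emergency Department:1))
# as an LSSS: row i of M is labelled by the weighted segment RHO[i].
M = [[1, 1], [0, -1], [0, -1]]
RHO = [("Doctor", 2), ("Psychiatric Department", 1), ("Emergency Department", 1)]


def seg(max_weights):
    """Seg: replace each attribute with (attr, 1) ... (attr, theta)."""
    return [(a, w) for a, theta in max_weights.items() for w in range(1, theta + 1)]


def key_segments(user_attrs, max_weights=MAX_WEIGHTS):
    """Assumption: a user holding attr at weight w is issued (attr, 1..w)."""
    segs = set()
    for attr, w in user_attrs.items():
        if not 1 <= w <= max_weights[attr]:
            raise ValueError(f"weight {w} out of range for {attr!r}")
        segs.update((attr, k) for k in range(1, w + 1))
    return segs


def share(matrix, s, p=P):
    """Enc: lambda_i = M_i . v with v = (s, v_2, ..., v_n), v_j random."""
    v = [s % p] + [secrets.randbelow(p) for _ in range(len(matrix[0]) - 1)]
    return [sum(m * x for m, x in zip(row, v)) % p for row in matrix]


def recon_coeffs(matrix, rho, segments, p=P):
    """Dec: omega_i for I = {i : rho(i) in S} with sum omega_i M_i = (1,0,..,0).

    Returns {row index: omega_i}, or None when S is not authorized.
    """
    idx = [i for i, label in enumerate(rho) if label in segments]
    n = len(matrix[0])
    # Augmented system: one equation per column j, one unknown per row in I.
    aug = [[matrix[i][j] % p for i in idx] + [1 if j == 0 else 0] for j in range(n)]
    pivots, r = [], 0
    for c in range(len(idx)):  # Gauss-Jordan elimination mod p
        pr = next((k for k in range(r, n) if aug[k][c]), None)
        if pr is None:
            continue
        aug[r], aug[pr] = aug[pr], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for k in range(n):
            if k != r and aug[k][c]:
                f = aug[k][c]
                aug[k] = [(x - f * y) % p for x, y in zip(aug[k], aug[r])]
        pivots.append(c)
        r += 1
    if any(row[-1] for row in aug[r:]):  # (1,0,..,0) is not in the row span
        return None
    omega = {i: 0 for i in idx}  # free variables stay 0
    for row, c in zip(aug, pivots):
        omega[idx[c]] = row[-1]
    return omega


def recover(user_attrs, shares, matrix=M, rho=RHO, p=P):
    """Recombine the shares a user can address; None if the policy is not met."""
    omega = recon_coeffs(matrix, rho, key_segments(user_attrs), p)
    if omega is None:
        return None
    return sum(w * shares[i] for i, w in omega.items()) % p


if __name__ == "__main__":
    s = secrets.randbelow(P)
    lam = share(M, s)
    attending = {"Doctor": 2, "Psychiatric Department": 1}  # constructed users
    intern = {"Doctor": 1, "Psychiatric Department": 1}
    print("attending recovers s:", recover(attending, lam) == s)
    print("intern recovers s:", recover(intern, lam) is not None)
```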

6) KEY SANITY CHECK ALGORITHM
KeySan (PP, SK) → 1 or 0. The trusted center TA checks whether the user's key $SK_k$ satisfies the conditions of the key sanity check algorithm. The specific procedures are as follows:
1) Check that the key $SK_k$ has the form $SK = (K_1, K_2, L_1, L_2, \{K_{z,1}, K_{z,2}\}_{z \in S_k})$ with $K_1 \in Z_p^*$ and $K_2, L_1, L_2, K_{z,1}, K_{z,2} \in G$.
2) Check $e(L_2, g) = e(L_1, g^{a})$.

The algorithm outputs 1 if the key $SK_k$ satisfies the conditions of the key sanity check; otherwise, it outputs 0.

7) TRACKING ALGORITHM
Track (PP, SK) → id/⊥. TA conducts this phase. If the user's key $SK_k$ fails the key sanity check, i.e., KeySan (PP, SK) → 0, the algorithm outputs ⊥; otherwise, the algorithm extracts the identity information $id_k$ from the user's key $SK_k$ via $\mathrm{Dec}_{\bar{k}}(K_1)$.

V. SCHEME ANALYSIS

A. SECURITY ANALYSIS
Theorem 1: No probabilistic polynomial time (PPT) adversary can break our scheme with non-negligible advantage under chosen-plaintext attack if the q-BDHE assumption holds, where $q > 2|U| - 2$ and $|U|$ is the number of users of our constructed system.
Proof: We can suppose that there is a PPT adversary A who has the advantage of ε in winning this game. And in this circumstance, we are able to build a simulator B who is capable of breaking the q-BDHE problem with the advantage of ε/2. The simulation actions are stated as below.
Let $G$ and $G_T$ be two multiplicative cyclic groups of prime order $p$, let $g$ be a generator of $G$, and let $e : G \times G \to G_T$ be a bilinear map. Given $y = (g, g^{s}, g^{d}, \dots, g^{d^{q}}, g^{d^{q+2}}, \dots, g^{d^{2q}})$, the simulator B tosses a fair coin $\mu$. If $\mu = 0$, B sets $T = e(g, g)^{d^{q+1} s}$; otherwise, B sets $T = Z$, where $Z$ is a random element of $G_T$.
Initialization: Adversary A chooses an access policy $(M^*, \rho^*)$, where $M^*$ is an $l^* \times n^*$ matrix and $n^* \le q$.
Attributes set segmentation: According to the weight $\theta_i$, the simulator B divides each attribute $\lambda_i$ into the attributes set and obtains the weighted segmented set $U$. Let $u = \sum_i \theta_i$.

Setup: The simulator B carries out the following procedures.
B casually selects a value z x ∈ Z p for each attribute x ∈ U (1 ≤ x ≤ |U |), and then each component of the group U x ∈ G is produced as below. And then if there has i ∈ {1, 2, · · · , l * } that can make ρ * ρ * is a single-shot function, i.e., for any x, there at most exists one i that can make ρ * (i) = x true.
B randomly chooses $a \in Z_p$, then computes $g^{a}$ and sets $h = g^{d}$.
The simulator B generates $PP = (p, e, G, G_T, g, h, e(g, g)^{\alpha}, \{U_x\}_{x \in U})$ and $MSK = (a, \alpha, \bar{k})$.
Phase 1: The adversary A submits $S$ and requests the corresponding decryption key, where $S$ does not satisfy $M^*$.
The simulator B performs the following operations. B finds a vector $\omega = (\omega_1, \omega_2, \dots, \omega_{n^*}) \in Z_p^{n^*}$ that can make
Such a vector exists according to the concept of LSSS. After selecting random numbers $c, r_x \in Z_p$, B defines
After selecting a random number $t \in Z_p$, B sets $r = \frac{1}{a+c}\left(t + \omega_1 d^{q} + \omega_2 d^{q-1} + \dots + \omega_{n^*} d^{q-n^*+1}\right)$. B computes $K_2, L_1, L_2, K_{x,1}$ as below: g ω i d q+1−i 1/(a+c) = g r ,
If there does not exist an $i$ such that $\rho^*(i) = x$ for $\forall x \in S$, then make K
When $\rho^*(i) \in S$, there is $M_i^* \cdot \varepsilon = 0$, and then $d^{q+1}$ will be eliminated by combining the exponents. The x .
Challenge: B builds the challenge ciphertext. After adversary A submits two equal-length messages $m_0, m_1$ to B, B tosses a coin $\nu \in \{0, 1\}$ and performs the following operations. The simulator B computes $C = m_{\nu} \cdot T \cdot e(g^{\alpha}, g^{s})$, $C_0 = g^{s}$, and $C_1 = (g^{s})^{a}$. Then B randomly selects $y_2, y_3, \dots, y_{n^*} \in Z_p$ and uses $\nu = (s, sd + y_2, sd^{2} + y_3, \dots, sd^{n^*-1} + y_{n^*}) \in Z_p^{*}$ for sharing the secret value.
Phase 2: This phase is similar to Phase 1.
Guess: A produces a guess $\nu'$ of $\nu$. If $\nu' = \nu$, the simulator B outputs $\mu' = 0$, which indicates that $T$ is a valid tuple of q-BDHE. Otherwise, B outputs $\mu' = 1$, which indicates that $T$ is a random element of $G_T$. The decryption key and public parameters produced by the simulation in the above game are similar to those in the real system.
When $\mu = 0$, A receives a ciphertext of $m_{\nu}$. If the advantage of A is $\varepsilon$, we get $\Pr[\nu' = \nu \mid \mu = 0] = \frac{1}{2} + \varepsilon$. B guesses $\mu' = 0$ when $\nu' = \nu$, and we obtain $\Pr[\mu' = \mu \mid \mu = 0] = \frac{1}{2} + \varepsilon$. In the game of q-BDHE, the advantage of the simulator B is described as
A is able to win the game with a non-negligible advantage; hence, the simulator B is also able to simulate the game of q-BDHE with non-negligible advantage.

B. TRACEABILITY
Theorem 2: Suppose $q < l$, where $q$ is the number of key queries made by the adversary. Our scheme is traceable if the assumption of l-SDH holds.
Proof: Suppose that there is a PPT adversary A that wins this game with advantage $\varepsilon$, and let $l = q + 1$. We can then set up a PPT algorithm B that breaks the l-SDH hardness problem with non-negligible advantage.
Let $G$ and $G_T$ be two multiplicative cyclic groups of prime order $p$, let $g$ be a generator of $G$, and let $e : G \times G \to G_T$ be a bilinear map. To break the l-SDH problem, the algorithm B is able to simulate an entity that the adversary A wants to challenge.
After randomly selecting $\alpha, \theta \in Z_p$ and $h \in G$, B chooses a random number $u_x \in Z_p$ and computes $U_x = g^{u_x}$ for each attribute $x$. In the end, B releases $PP = (p, e, G, G_T, g, h = g^{\theta}, g^{a}, e(g, g)^{\alpha}, \{U_x\}_{x \in U})$. The master key is $MSK = (a, \alpha, \bar{k})$.
Key Query: Adversary A offers a set of attributes $(id_i, S_i)$ to B and requests the corresponding decryption keys. When A makes the $i$-th query, we set $i \le q$ and let $f_i(y) = f(y)/(y + c_i)$. Then we can get f i (y) = q−1 =ḡ f (a)/(a+c i ) = g 1/(a+c i ) . After selecting $r, r_x \in Z_p$ at random, B computes
Key Forgery: Adversary A offers a forged decryption key $SK^*$ to B. Let $\varepsilon_A$ denote the case that A wins the game, i.e., $SK^*$ meets the conditions of the key sanity check and $K_1 \notin \{c_1, c_2, \dots, c_q\}$. If the case $\varepsilon_A$ does not occur, B chooses a random tuple $(c_r, \omega_r) \in Z_p \times G$ as a solution to the l-SDH hardness problem. If the case $\varepsilon_A$ takes place, B rewrites f (y) to f (y) = γ (y) y , c i ∈ Z * p , and K / ∈ c 1 , c 2 , · · · , c q , f (y) is unable to be divided by y + K 1 according to the basic theorem of algebra. B computes the tuple $(c_r, \omega_r) \in Z_p \times G$ through the subsequent operations. Suppose $L_1 = g^{r}$, in which $r \in Z_p$ is unknown. From the equality $e(L_2, g) = e(L_1, g^{a})$ in the key sanity check, we obtain $L_2 = g^{ar}$. From the equality $e(K_2, g^{a} g^{K_1}) = e(g, g)^{\alpha}\, e(L_2 L_1^{K_1}, h)$, we get $K_2 = g^{\alpha/(a+K_1)} h^{r}$. Then B performs the subsequent operations.
The tuple (c r , ω r ) is a solution to the problem of l-SDH. Thus, the theorem is proved successfully.

C. KEY SANITY CHECK
Theorem 3: The advantage of the adversary A in winning the game of key sanity check is negligible.
Proof: We refer to the proof method of literature [16]. The ciphertext returned to the adversary A is $CT = ((M, \rho), C, C_0 = g^{s}, C_1 = g^{as}, \{C_{i,1}, C_{i,2}, C_{i,3}\}_{i \in [1,l]})$, and two different keys are SK id k ,S k = K 1 , K 2 , L 1 , L 2 , K z,1 ,
A will win the game if the following requirements are met. Requirements (1)-(5): (1) $\mathrm{KeySan}(PP, SK_{id_k, S_k}) \to 1$.
From requirements (1) and (3), we can obtain:
Similarly, we can get the following information from requirements (2) and (4): $C/F = C/\tilde{F}$, where $F = E/D$, $\tilde{F} = \tilde{E}/\tilde{D}$, which contradicts (6). Therefore, the advantage of the adversary A in winning the game of key sanity check is negligible.

VI. APPLICATION AND PERFORMANCE ANALYSIS

A. APPLICATION ANALYSIS
In order to better illustrate the idea of this paper, we take the electronic medical record (EMR) system as an example to describe. The system includes patient, TA, cloud server, and doctor. Among them, the doctor can be divided into different levels in the real scene, such as attending doctor, resident doctor, intern doctors, etc. TA assigns weights based on the importance of the attributes. The patient shares his E-record with the doctor who satisfies the access policy. At the same time, if the doctor's private key satisfying the policy is sold, the proposed scheme can track and determine the identity information of the owner of the private key. Fig. 1 shows the application processes of the proposed scheme in the cloud-based EMR system. Firstly, TA allocates different weights according to the importance of attributes in the system and divides the system attributes set according to the maximum weights of attributes. After generating the public parameters and the master secret key in the initialization phase, TA generates the corresponding private key for the user. The patient encrypts and uploads the E-record to the cloud server via using the access strategy simplified by the weighted attributes. Then, doctors with different attributes request and obtain E-record ciphertext of the patient. Finally, only when the doctor's attributes meet the access policy specified by the patient can the doctor decrypt and get the E-record of the patient. In addition, for doctors who do not have decryption authority to obtain the secret key in some way and get plaintext, the key sanity check algorithm and tracking algorithm can track the identity information of the owner who leaks the decryption key.

B. COMPARISON ANALYSIS
We compare our constructed scheme with other related schemes in terms of the size of the public key, the size of the private key, the size of the ciphertext, and whether weighted attributes and traceability are supported; the conclusions are presented in Table 1. Let |u| denote the number of attributes in the attribute set, |S| the number of attributes owned by the user, and |l| the size of the access policy.
We introduce the concept of weighted attribute into the traceable ABE scheme, which will not affect the performance of tracking. Because the weight of attributes in the system has been determined by TA before the initialization phase, there is no cost in managing the weighted value of attributes such as user/attribute revocation, key re-generation, and policy update.
As shown in Table 1, the sizes of the public key, the user's private key and the ciphertext in [28] are 3 + |u|, |S| + 3 and 2|l| + 2 respectively, which are all superior to other schemes, but this scheme does not support traceability. While the scheme in [20] supports traceability, it does not consider weighted attributes. In terms of performance, the length of the public key of the scheme in [20] is 4|u|, which is 4 times longer than the proposed scheme, the size of the private key is 4|S| + 1 and the length of the ciphertext is 6|l| + 1, which are almost twice as long as those of our scheme, so its communication cost is much higher than that of other schemes. The length of the public key is 7 + |u| both in our constructed scheme and in the system in [25], but the length of the private key is 2|S| + 4, which is shortened by |S| compared with [25], and the size of the ciphertext is 3|l| + 3, which is likewise shortened by |l|.
The comparison of computation costs is presented in Table 2. In Table 2, E denotes an exponentiation in G or G_T, P is a bilinear pairing operation, M represents a multiplication in group G, M_T indicates a multiplication in group G_T, and |I| denotes the number of attributes in the decryption key that meet the conditions of the access policy.
Though the computation costs of the key generation, encryption and decryption phases of the scheme in [28] are (4 + |S|)E + M, (2 + 3|l|)E and (4|l| + 3)P + 2M_T respectively, which are the most efficient among the schemes, it does not provide traceability. In order to support traceability, the computation cost of the scheme in [20] is higher than that of the scheme in [28]. In the key generation phase, our scheme needs to calculate (4 + 2|u|)E + M, which depends on the number of attributes in the constructed system. It is more efficient than the key generation of [25], which is (4 + 3|S|)E + M, and our scheme is slightly less efficient than the key generation algorithm of [28]. In the encryption procedure, both our scheme and the scheme in [25] need to calculate (3 + 3|l|)E, so the encryption efficiency of the two schemes depends on the length of the access policy. Because the pairing operation takes a lot of time, the efficiency of the constructed scheme and the scheme in [25] is better than that of the scheme in [20]. In the decryption phase, our constructed scheme needs to calculate (3|I| + 1)P + 2E + 2M + M_T; with the increase of the number of attributes in the user's private key that meet the requirements of the access policy, the efficiency of decryption increases. The decryption efficiency of the scheme in [25] is (4|I| + 1)P + M_T + (|I| + 3)E + (|I| + 1)M. It can be seen that its decryption efficiency is higher than our constructed system. Although the scheme in [25] can achieve traceability, our scheme can achieve traceability and weighted attributes at the same time. Because the cost of the multiplication operation is much more complex than that of the bilinear pairing operation, the efficiency of our scheme is lower than that in [28].
In summary, compared with other schemes in terms of function and performance, the constructed scheme realizes the functions of weighted attributes and traceability at the cost of little performance loss. It can not only track malicious users from the key information leaked by the system, but also set the weight according to the importance of the attributes, which is closer to the actual environment.

C. EXPERIMENT TEST
The above theoretical analysis shows that our scheme has advantages in function and efficiency. To estimate the actual performance of our constructed scheme more accurately, the time cost on the terminal device is further analyzed via experiments, including the time of the key generation, encryption, and decryption phases, as shown in Fig. 2.
We implement the scheme using the Java pairing-based cryptography (JPBC) library and the MyEclipse development environment. A Type A pairing is selected to carry out the operations in the prime order group, constructed on the elliptic curve y^2 = x^3 + x. The experiments are carried out on a Windows 10 system with an Intel(R) Core(TM) i5-8300H CPU at 2.30 GHz and 8 GB RAM. The pairing operation is performed by calling the pairing() function, and modular exponentiation and modular multiplication are tested by calling the powzn() function and the mul() function respectively. Fig. 2(a), (b) and (c) show the trends of the time cost of the key generation, encryption and decryption phases as the number of attributes increases. In effect, the performance of the key generation, encryption, and decryption phases is determined by the number of attributes |S| of the user, the number of attributes in the access policy |l|, and the number of attributes in the decryption key that satisfy the access policy |I|. We label the abscissa axis in Fig. 2 as "Number of attributes" because |S|, |l|, and |I| all essentially denote a number of attributes.
In Fig. 2(a), we can see that the time cost of the key generation procedure increases linearly with the number of attributes of the user. The experimental results for encryption and decryption shown in Fig. 2(b) and (c) resemble those of key generation. When the number of user attributes in the experiment is 50, it costs 1024 ms to produce the key for the user. If the data owner sets the number of attributes in the access policy to 50, encryption costs 1528 ms. When the number of attributes in the user's decryption key that satisfy the access policy is 50, the user spends 1066 ms on decrypting the ciphertext. We can see that the time cost of encryption is the largest, whereas the time costs of the key generation and decryption phases are moderate. In practice, the encryption operation is not performed often. Key generation is carried out by a trusted center, so the decryption overhead on the user side is the primary criterion for measuring the efficiency of the constructed scheme. However, the number of attributes in the user's decryption key that satisfy the access policy is far less than the total number of attributes, so it cannot reach 50 in a real application.
Hence, the time cost of our proposed system is acceptable. All in all, the experimental results shown in Fig. 2 are consistent with the theoretical analysis presented in Table 2.
Based on the above analysis of function and performance, the constructed scheme can not only track malicious users from the key information leaked by the system, but also set the weight of attributes according to their degree of importance, which is more suitable for the actual environment, and the performance has been greatly optimized.

VII. CONCLUSION
In this paper, a traceable attribute-based encryption scheme with weights is constructed. The constructed scheme achieves high expressiveness, efficiency, and security. In particular, our constructed scheme can identify the original holder of a key from the user's private key, and thus prevents a malevolent key holder from leaking his private key, for whatever purpose, without getting caught. In addition, the attributes are assigned weights according to their importance, and the access policy can be designed according to the weighted attributes. Under the q-BDHE assumption in the standard model, the constructed scheme is proved to be secure against chosen-plaintext attack. Due to the strong security of lattice theory, our future work will aim at building a traceable CP-ABE scheme on the basis of lattice theory.