Ciphertext-Policy Hierarchical Attribute-Based Encryption Against Key-Delegation Abuse for IoT-Connected Healthcare System

With the maturity of technologies such as Internet of Things (IoT) and Cloud Computing, more and more medical institutions share patient’s medical data in the IoT-connected healthcare system, whereas it also brings hidden dangers to data security and privacy protection. The application of Hierarchical Attribute-Based Encryption (HABE) in IoT-connected healthcare system helps to solve the problem of data sharing with a large number of users. Delegation is a function of HABE, which can realize the transfer of hierarchical user access rights, effectively reducing the workload of the trusted authority. However, when ‘‘delegation’’ is used to generate decryption keys for users who do not comply with the access structure, the ‘‘key-delegation abuse’’ problem arises, which can seriously damage the privacy of patient’s data. Nevertheless, it has not attracted much attention in previous research. This paper proposes the problem of key-delegation abuse in Ciphertext-Policy Hierarchical Attribute-Based Encryption (CP-HABE). After the cryptanalysis of typical schemes, we conclude two reasons for key-delegation abuse in CP-HABE, which are randomizing the original key elements or keeping parts of them in a new decryption key. This paper proposes a new mechanism speciﬁcally by using directed graph and construct a CP-HABE scheme against key-delegation abuse (CP-HABE-AKDA). Aiming at the scenario of key leaking, we further present the traceable CP-HABE-AKDA solution for the IoT-connected healthcare system, which has the additional function of tracking and verifying the identity of key leaker.


I. INTRODUCTION
As one of the most potent communication paradigms, the Internet of Things (IoT) connects many objects (such as sensors, vehicles, houses and devices) to the Internet together. Since Cloud Computing [1] and Edge Computing [2] provide critical technical support for the IoT application layer, IoT can transmit real-time information to the target users and achieve massive storage at the same time. With the proliferation of concepts and products such as smart city, intelligent transportation, smart home, Wise Information Technology of 120, etc., the application scope of IoT has penetrated all aspects of people's lives. IoT has become a key component in healthcare applications. For example, wearable or embedded sensors can be connected to the subject's body for monitoring The associate editor coordinating the review of this manuscript and approving it for publication was Chun-Wei Tsai . physiological status and collecting physiological symptoms. The collected data, such as body temperature, blood pressure, heartbeat, etc. constitute the subject's electronic health record (EHR), which is one of the core components in IoT-connected healthcare system. According to EHR, medical personnel can provide patients with timely treatment of acute diseases and accurate prevention of chronic diseases, thereby IoTconnected healthcare system plays a crucial role in promoting the improvement of medical and healthcare services.
With the rapid development of IoT-connected healthcare system, data security and privacy issues have raised concerns about the development of smart healthcare. For example, a large amount of user information gathered from IoT devices is uploaded to the cloud in real time. Attackers illegally obtain massive data to design and develop healthcare applications [3]. The adversary also uses sensors from wearable devices to track patients without their consent.
The promulgation of the EU's General Data Protection Regulation (GDPR) has made personal data protection even more stringent. The laws of many countries treat individuals' privacy as a fundamental right. The U.S. health insurance privacy and accountability act (HIPAA) does not explicitly limit the use of wearables to collect physiological data, but it also requires compliance with federal regulations, which prohibit the disclosure of medical information without a patient's consent. The public's concern about data privacy and the enactment of laws related to privacy protection urge researchers to design more reasonable privacy conservation schemes and information confidentiality approaches.
Considering the privacy sensitivity of EHR, encryption and authorization are the leading measures for data owners to ensure privacy and enhance personal data control. Attributebased encryption (ABE) is a critical advanced encryption mechanism for implementing encryption, authorized access and sharing information with multiple users, which provides data confidentiality and fine-grained access control for EHR. The delegation feature in ABE schemes [4]- [6], which allows delegating to a subset of user attribute sets, and provides an ideal solution to the dynamically expanding problem brought by large-scale users. Whereas, the application of ABE in IoTconnected healthcare system remains practical challenges. For example, it is expected to have distinct access privileges for authorized users sharing EHR at different levels, such as physician-in-charge, attending doctor and medical doctor. Ciphertext-policy hierarchical attribute-based encryption (CP-HABE) is proposed as a prospective primitive for solving the above problem, which can achieve fine-grained access control in a hierarchy.

A. MOTIVATIONS
In order to deploy the CP-HABE scheme in IoT-connected healthcare system, besides implementing hierarchical access control on encrypted EHR, it is also essential to reduce the heavy key management workload of root authority. Some CP-HABE solutions [7], [8] support the key delegation from higher-level to lower-level, thus reducing the burden of root authorities. However, when delegation is leveraged to generate decryption keys for users who do not conform to the access structure, as is shown in Fig.1, it will lead to the abuse of key-delegation, which would not only destroy the access policy but also put the private data among the security risk of illegal access. In 2018, Jiang et al. [9] raised the issue of key-delegation abuse in CP-ABE and proposed a new scheme to resist key-delegation abuse in fog computing, but they did not give a definition of the problem, nor did they analyze its causes. CP-ABE and CP-HABE have distinct approaches of key-delegation abuse, but both of them pose a threat on the data access security; thus, the strategies to deal with the abuse of key-delegation are not the same. Furthermore, there is still a lack of relevant research and practical solutions to the keydelegation abuse in CP-HABE systems. Therefore, for the privacy protection in the IoT-connected healthcare system, especially based on CP-HABE, it is an essential issue that how to make use of the delegation to provide the lightweight key management in the CP-HABE scheme without causing key-delegation abuse.
Secondly, the massive data in IoT-connected healthcare system owns high commercial value. Data users are possible to disclose the key for the sake of benefits. What's more, different users with specific attributes in the hierarchy can decrypt the ciphertext containing the same access structure. That may give rise to the users' disclosing their keys without worrying about identities exposure. Hence, the CP-HABE solution applied in IoT-connected healthcare system is exceedingly required to have effective methods of tracking down the key leaker.

B. CONTRIBUTIONS
Aiming at the above problems, we construct a ciphertextpolicy hierarchical attribute-based encryption scheme against key-delegation abuse (CP-HABE-AKDA). Taking the IoTconnected healthcare system as the application case, we present a traceable CP-HABE-AKDA scheme for the scenario where a user discloses the private key. The main advantages of this paper are summarized as follows: • We first point out that key-delegation in the CP-HABE scheme will lead to key-delegation abuse, which would destroy the access policy. We cryptanalyze Asim et al.'s dynamic CP-HABE [7] scheme and discover the vulnerability in the key delegation algorithm. The domain authority can generate decryption keys for users who do not comply with the access policy, resulting in unauthorized data access. We also conclude that when the higher-level domain authority delegates the key to the lower-level domain authority, randomizing the higherlevel key elements to generate a new key, or retaining its decryption parts in the new lower-level key, are two ways that may cause the abuse of key-delegation in CP-HABE. VOLUME 8, 2020 • We achieve the delegation between hierarchical domain authorities while preventing key-delegation abuse. The proposed CP-HABE-AKDA scheme uses the integration of the directed graph and CP-HABE to realize the delegation of domain authorities. We embed a level key parameter into the user attribute private key, which is to prevent the higher-level domain authority from using the delegated new level key to forge a user attribute private key for unauthorized users. When applied to IoT-connected healthcare systems, the solution will significantly reduce the amount of workload for the root authority, which is associated with multiple IoT devices and users, achieving the scalability of the system. • We further study the strategy of tracking malicious user' identity under the key leak scenario and propose a traceable CP-HABE-AKDA solution for IoT-connected healthcare system. The EHR user identity is bound to the attribute set and embedded in the user attribute private key for becoming a necessary part of decryption. If a key is compromised, the identity of the key holder can verifiably be traced.

C. OUTLINE
The paper is organized as follows: In Section 2, we discuss related works. In Section 3, we discuss the key-delegation abuse problem in CP-HABE schemes. Section 4 provides some background definitions and the system description. In Section 5, the CP-HABE-AKDA scheme is presented, and the security proof is given in Section 6. In Section 7, we further proposed a traceable CP-HABE-AKDA scheme for IoT-connected healthcare system, and the security and traceability proof is given in Section 8. In Section 9, the comparisons of theoretical performance with some related works are provided. Finally, in Section 10, we conclude with some discussions and future work.

II. RELATED WORK A. ATTRIBUTE-BASED ENCRYPTION
Attribute-Based Encryption (ABE) is a one-to-many advanced encryption mechanism. Delegation is a property of ABE, which can not only improve the efficiency of key management but also reduce the load of key issuing agencies.
The delegation feature provides ABE with the necessary support for data sharing scenarios with a large number of users, such as cloud storage. In 2005, Sahai and Waters [10] first proposed an ABE scheme as a fuzzy identity encryption application, in which data owners do not need to know the identity. The user's decryption key is associated with a set of attributes, and the user can decrypt the ciphertext only if there is a match between the decryption key and the ciphertext. In 2006, Goyal et al. [4] embedded the access structure into the user key and used the attribute set to describe the ciphertext, proposing an ABE (KP-ABE) scheme that supports the key strategy of any monotonic access structure. The solution also first proposed the delegation of decryption keys. When Y structure is subject to X structure, the user belonging to the access structure X can delegate the decryption key to the user whose access structure is Y .
In 2007, Ostrovsky et al. [11] further studied and constructed a KP-ABE scheme that allowed non-monotonic access structures to achieve a more flexible access strategy. Bethencourt et al. [5] proposed the ciphertext policy ABE (CP-ABE) scheme, in which the ciphertext and key roles are opposite to the KP-ABE scheme. The message is encrypted with a tree access policy, and the corresponding decryption key is associated with a set of attributes. This key can be used to decrypt the ciphertext as long as the attribute set satisfies the tree access policy, which is related to given ciphertext. The CP-ABE scheme also supports delegation, when the user can generate a key for a subset of its attribute set to implement delegation for the decryption key.
Cheung et al. [12] improved the security proof in Bethencourt et al. [5], using the AND-gate positive and negative attributes as the access structure, and proved for the first time that the selected ciphertext is secure under the assumption of the Decision Bilinear Diffie-Hellman (DBDH). However, this scheme is not richly expressive, and the ciphertext and key size increase linearly with the number of attributes. In 2008, Goyal et al. [13] proposed an improved version of CP-ABE, supporting access tree structures with bounded thresholds, and proved the decision-making bilinear Diffie-Hellman hypothesis under the standard model. The problem with this scheme is that the depth of the tree needs to be set during the initialization phase, and the user may be limited to using only access trees whose depth is less than the preset value. In 2011, based on the Linear Secret Sharing Scheme (LSSS) matrix, Waters [6] proposed a scheme with attribute based access control policies that support key delegation, but the size of ciphertext is linearly increasing with encryption and decryption overhead. In 2017, Li et al. [14] introduced an ordered binary decision graph (OBDD) as a new access structure to improve CP-ABE, a non-monotonic access structure that supports ''AND, NOT, OR'' relationship. In 2018, the keydelegation abuse in CP-ABE was proposed for in Jiang et al. literature [9] and the new schemes of provable security and traceable protection against key-delegation abuse were proposed in the fog computing scenario. However, malicious users can still build decryption devices or online black boxes to illegally decrypt other people's ciphers, with little risk of getting caught. Therefore, Qiao et al. [15] proposed the first practical CP-ABE scheme with black box traceability and extensibility. More recently, Yu et al. [16] propose a traceable and undeniable CP-ABE scheme, which can judge the traced malicious user is innocent or not, by introducing a public auditor. When CP-ABE is applied in the information centric Internet of things (ICoT) to realize the flexible access control of IoT data, the data publisher's retrieval of attributes on the centralized server will lead to high communication overhead. To address this issue, in 2017, Li et al. [17] proposed a distributed publisher driven secure data sharing for ICIoT, which enables only authorized users to retrieve IoT data from distributed cache.

B. HIERARCHICAL ATTRIBUTE-BASED ENCRYPTION
When a large number of users present a hierarchical structure, the CP-ABE scheme cannot support a complete delegation mechanism and an efficient, extensible revocation mechanism. To solve this problem, in 2011, Li et al. [18] proposed the concept of HABE, which classifies common attributes into a tree hierarchy, and each node on the tree is associated with an attribute. The parent node of the tree structure can derive the child node key to implement delegation, and vice versa. The user can decrypt the ciphertext only if the user attribute covers the number of attributes in the ciphertext and is not lower than a certain threshold. However, due to the use of thresholds, this solution does not provide finegrained access control. Wang et al. [19] proposed a fully authorized HABE by combining identity-based hierarchical attribute encryption (HIBE) with CP-ABE and supported an extensible revocation mechanism. In 2011, Wang et al. [20] implemented key-delegation between attribute authorities to provide confidentiality for shared data stored on untrusted cloud servers, and more suitable for enterprise outsourcing data in a cloud environment. However, since different domain masters can maintain the same attributes, this leads to more complexity, and the scheme does not support composite attributes.
In 2012, Wan et al. [21] proposed a hierarchical attribute set based encryption scheme (HASBE) that supports scalability, fine-grained access control, and user revocation. In this scenario, the data owner or data consumer is online only when needed, and does not have to be online from time to time, but the attribute authority should always be online. Asim et al. [7] combined encryption technology with trust management to define a dynamic HABE (D-HABE) scheme, which does not require encryption to bind attributes in access control policies to specific domain authorities. The scheme makes new users who join the authority domain of the virtual organization can decrypt the original information without re-encrypting them; however, the flexible key construction of the solution can lead to abuse of key delegation. In 2014, Liu et al. [22] proposed a CP-HABE scheme for fine-grained access control and proved that the scheme is secure under the assumption of q-parallel bilinear Diffie-Hellman exponent. Deng et al. [8] proposed a CP-HABE scheme with short ciphertext through dual-system encryption technology [23]- [25], in which attributes are organized in a matrix form. This feature enables the CP-HABE to carry a large number of users from different organizations with a delegation key. In 2016, Wang et al. [26] designed an efficient file-level ABE scheme for file sharing with hierarchical structure in cloud computing, which reduced ciphertext storage complexity and saved encryption time cost. In 2019, Li et al. [27] pointed out that Deng et al. scheme [8] did not consider leakage attacks. In order to solve this problem, the paper proposes a formal definition and security model of CLR layered attribute encryption (CLR-HABE) and constructs a CLR-HABE scheme against leak detection.
When applied in IoT related scenarios, the delegation of HABE is conducive to decreasing the workload of IoT devices in resource-constrained environments. In 2018, Huang et al. [28] proposed a fine-grained data access control scheme for restricted IoT devices and cloud computing based on HABE, which reduced the key management workload of trusted authority through employing an appropriate delegation mechanism in HABE. In 2018, Wang and Gao [29] proposed a regulation scheme with access control of identities for regulating Bitcoin transactions. The scheme is based on CP-HABE, in which users' identities are encrypted by using access policy and are contained in their transaction. Attributes of high level are assigned to regulation nodes, which have more priorities than ordinary users that presented by attributes of low level. In 2019, Sun et al. [30] proposed a fine-grained ranked multi-keyword search scheme over hierarchical data for the IoT-oriented healthcare system by leveraging CP-HABE and ranked multi-keyword search (RMKS) technologies. In 2019, Tan et al. [31] proposed a lightweight KP-ABE scheme to support IoT, and expanded it to a KP-HABE scheme for role delegation of healthcare systems connected with IoT. However, none of the above schemes mentions the problem of key-delegation abuse in HABE.

III. KEY-DELEGATION ABUSE IN CP-HABE
This section will analyze the algorithm of the CP-HABE schemes owning the property of delegation, explain the problem of ''key-delegation abuse'' and summarize the causes of the problem. For simplicity, the notations employed throughout this paper are listed in Table 1.
Firstly, the definition of key-delegation abuse in CP-HABE is given, that is, the domain authority or the user at level i, 1 < i < L, can generate decryption key by delegation for the user at level h, 1 < i < h < L, who does not conform to the access policy. Such behavior that destroying the access policy is called key-delegation abuse in CP-HABE.
The following example will illustrate how key-delegation abuse could form and break access policy. For the sake of generality, the dynamic CP-HABE scheme proposed by Asim et al. [7] is considered.

A. REVIEW OF ASIM et al. SCHEME
Briefly introduce the main functions of Asim et al. scheme [7]: Setup (λ, L) : The root authority RA executes the initialization algorithm to generate parameters for a hierarchy of depth L. The assumption is that at the first level of the hierarchy there are domains. The input security parameters is λ, and g is a random generator of G 0 . The algorithm randomly selects α, β ∈ Z p , A = e (g, g) α−β , g 1 = g α , g 2 = g β , g 3 , h 1 , h 2 , . . . , h L ∈ G 0 , , y 1 , y 2 , . . . , y ∈ Z p , The public and secret parameters are composed of the following  KeyGen (PK , MK ): The root authority RA performs this algorithm to generate secret key SK i for the domain authority DA i of level i (1 ≤ i ≤ L), The algorithm randomly selects r, y φ ∈ Z p , y ψ ∈ B, and generates a key for this domain authority at level i: . . , h r L , g β− y ψ −y φ , g y ψ +y φ , ∀j ∈ adm : g y ψ +y φ H (j) y ψ +y φ A domain authority can use its secret key to generate secret keys for domain authorities beneath its level. Specifically, a domain authority key SK i of a level i can be generated in an incremental manner by the key SK i−1 for its parent node in the hierarchy. Let SK i−1 be the key of the parent node: ∀j ∈ adm : g y ψ +y φ H (j) y ψ +y φ To generate SK i , the domain authority corresponding to the parent node picks randomly r ∈ Z p and y φ ∈ Z p , where r = r + r , y φ = y φ + y φ , and outputs: The user attribute private key generation algorithm is run by a domain authority, which selects random number x ∈ Z p for each user, and outputs the user attribute private key with attribute set ω at level i (1 ≤ i ≤ L), as follows: The algorithm encrypt message M ∈ G 1 with the inputs of access tree τ and level i, which are related to access policy. Let z be a node of access tree τ , the encryption algorithm selects a random value s ∈ Z p and a polynomial q Z (·) for each node z of τ in a top-down manner, starting from the root node R, outputs cipher text as follows: Decryption CT , SK i,ω : First, the decryption algorithm use a recursive algorithm DecryptNode CT , SK i,ω , z to determine whether the user attribute set ω satisfies the access tree τ ; then, the plaintext is recovery.
(1) DecryptNode CT , SK i,ω , K : Let K is a leaf node on the access tree, j = att (K ), each leaf node is associated with a real-valued attribute. If j ∈ ω, then (2) DecryptNode CT , SK i,ω , k : When k is an internal node of the access tree, let the nodes z are the children of k, k be an arbitrary set of child nodes. The algorithm output F z to determine whether the user has enough attributes to satisfy the access policy. If not, the function returns ⊥, otherwise, using polynomial interpolation, the algorithm evaluates the following function: If the user attribute set meets the access policy, continue with the following steps: As is shown in Fig.2, in Asim et al. scheme [7], the domain authority DA * i−1 of level i − 1 can obtain the domain authority key at level i, through the key-delegation, and forge the attribute key SK i,ω for the user with attribute set ω at level i. That will result in the abuse of key-delegation. The process is as follows: According to the conditions in the scheme that affect the generation of user attribute keys: the user attribute set meeting the access structure and the attribute set belonging to the correct level in the hierarchy, the process of forgery is mainly divided into two parts. Firstly, the level key SK i is generated, and then the expression of attribute j in attribute set ω is embedded on the basis of SK i .
Step 1. According to KeyGen (PK , MK ), the domain authority DA * i−1 of level i − 1 uses a level key SK i−1 to generate a level key SK i by delegation.
Step 2. DA * i−1 generates user attribute private key SK i,ω of attribute set ω at level i, according to the algorithm dom number x ∈ Z p , then: , a 1 · g (r−r ) (2) , , By analyzing the components of attribute key SK i,ω in Asim et al. scheme, we could see that the key parts (1), (2) are related to the level of the user, and the key part (3), (4) and (5) are related to attribute set. Therefore, in order to satisfy the decryption requirement 1, that the user attribute set needs to be satisfied with the access structure, DA * i−1 could use part (3), (4) and (5) in the attribute private key SK i−1,ω which satisfying the access structure to construct the key part related to the attribute set in the attribute key SK i,ω at the level i. In order to satisfy the decryption requirement 2, the attribute set needs to belong to the correct level in the hierarchy. The domain authority DA * i−1 can construct parts (1) and (2) of SK i,ω , by using some parts of level key SK i generated by hierarchical delegation.

C. CAUSE ANALYSIS
Formally, in the CP-ABE scheme, the key-delegation is completed by generating the key of its attribute set subset; in the CP-HABE scheme, the key-delegation is completed by generating the lower-level user key. However, from an algorithm perspective, the two types of key-delegation are mainly accomplished through the following two methods: (1) The original key parts are randomized by taking a random number as the exponent to generate a new key and complete the key-delegation. This situation is found in scheme [7], [5]. The algorithm Delegate in reference [5] is taken as an example to explain the keydelegation process: the inputs of Delegate are the key SK of attribute set S and the other attribute setS, wherẽ S ⊆ S. The algorithm selects random numbersr and r k , ∀k ∈S, for randomizing each part of the key SK = D, ∀j ∈ S : D j , D j . Based on SK , the algorithm outputs a new keySK of attribute subsetS.
The core parts of the original key, which are responsible for decryption, are kept in a new key and realize the key-delegation. This situation is found in scheme [8], [32]. The algorithm Delegate in reference [8] is taken as an example to explain the key-delegation process: the inputs of Delegate (PK , SK S , S) are the public key PK , a secret key SK S for S , which is a set of attribute vectors VOLUME 8, 2020 of depth k and a set S of attribute vectors of depth k + 1. It outputs a new secret key SK S for S.
After the observation of K 0 , K 1 , K (j,0) , K (j,1) , these key elements can be represented by elements of the original key SK S , such as K 0 = K 0 g aW R 1 , 1) are the core parts of the decryption algorithm, as shown below: Therefore, the core decryption elements K 0 , K 1 , K (j,0) , K (j,1) of the key SK S of depth k can be used to construct the key SK S with a depth of k +1, and the key-delegation is achieved from the user of depth k to the user of depth k + 1. Since the above two delegation algorithms are both completed based on the secret key held by the delegators themselves. Therefore, when there is no permission or lack of constraints in a CP-HABE scheme, the delegator is possible to generate new keys for users who do not comply with the access policy and perform illegal delegation with profit motive. This leads to the abuse of key-delegation in CP-HABE.

A. ACCESS STRUCTURE
Here is a brief introduction to the AND-gate access structure with two values of positive and negative attributes.
Let N be a set of n attribute values, N = {t 1 , t 2 , . . . , t n }. For each attribute t i ∈ N , if it has a positive attribute, it is marked as +t i , and let the attribute value be 1; if it has a negative attribute, it is marked as −t i , and let the attribute value be 0. One AND-gate access structure is marked as W = t i ∈I t i , where I ⊆ N . By the assignment of the above processes 1 and 0, the value of the AND-gate W can be obtained. Given the attribute set T , if the value of the AND-gate W equals to 1, the attribute set T satisfies the AND-gate access structure; otherwise, the attribute set T does not satisfy the AND-gate access structure.

B. BILINEAR GROUPS
Let G, G T be cyclic groups of prime order p, and let g be a generator of G. We say G has an admissible bilinear map, e : G × G → G T , into G T if the following three conditions hold: • Bilinearity: e g α , g b = e (g, g) αβ , for all α, β ∈ Z p ; • Non-degeneracy: e (g, g) = 1; • Computability: e g α , g b for all g α , g β ∈ G can be computed efficiently.

C. THE GENERIC BILINEAR GROUP MODEL
We prove the security of the proposed construction in the generic bilinear group model introduced by Shoup [33]. Let ξ 0 and ξ 1 be two random encodings of an additive group F p , they are injective maps: ξ 0 , ξ 1 : In the model, the adversary is given access to the oracles that simulate the hash function, group operations in G 0 , G 1 and the non-degenerate bilinear map e : G 0 × G 0 → G 1 . We let G 0 denote a generic bilinear group.

D. COMPLEXITY ASSUMPTIONS
l − SDH Assumption [34]: Let G be a bilinear group of prime order p and g be a generator of G, the l-Strong Diffie-Hellman (l − SDH ) problem in G is defined as follows: given a (l + 1)-tuple g, g x , g x 2 , . . . , g x l as inputs, output a pair where the probability is over the random choice of x in Z * p and the random bits consumed by A. Definition 1: The l −SDH assumption holds if the l −SDH challenge problem can not be solved by any polynomial-time algorithm A who has at least non-negligible advantage.

E. SYSTEM DESCRIPTION
In order to make our system more clearly, a framework of the proposed CP-HABE-AKDA scheme is given in Fig.3, which contains four entities: • Root Authority (RA): It is responsible for generating the system public key PK , master key MK , and the level key SK i for each domain authority. The root authority RA is the fundamental part of the entire architecture and is the ultimate trusted party.
• Domain Authority (DA): DA i is responsible for generating the attribute private key SK i,ω for the user with the attribute set ω at level i, the level key SK i+1 for the next level domain authority by the key-delegation, and responsible for managing the users at level i, including user additions and deletions.
• User (U): Users of each domain are managed by a directly affiliated domain authority. The user attribute private key in the proposed scheme is related not only to the user's attribute set, but also to the user's level. By embedding the relevant parameters of the two into SK i,ω at the same time, the user attribute private key held by the user not only realizes the user's identity in the system, but also prevents the abuse of key-delegation.
• Attribute: When the attribute set satisfies the access structure, the domain authority at the right level generates the user attribute private key. The attribute set and user identity are not bound. Only an attribute set with hierarchy can represent a user.
In the proposed CP-HABE scheme, the root authority and domain authorities in can form a directed access graph, which is represented by V = (L N , E) , L is a set of vertices L N = {L 0 , L 1 , . . . , L n } , L 0 represents the root authority, L 1 , L 2 , . . . , L n stands for n domain authorities of different levels, E is a set of edges. In a hierarchy, the relationship of domain authorities can be modeled as a partial ordered set with a binary relationship. In the partially ordered set (L N , ≤), if L t ≤ L i , it represents domain authority DA i with higher security permissions than DA t . For example, domain authority DA i can generate the level key of DA t , but not vice versa. If L t ≤ L i , L i is called a predecessor of L t , and L t is the successor of L i . Further, if L t ≤ L i , and there is no other L k ,such that L t ≤ L k ≤ L i ,then L i is said to be an immediate predecessor of L t , and L t is an immediate successor of L i .

V. CP-HABE-AKDA
In view of randomizing the delegation key parts, one of which are analyzed as causes of the key-delegation abuse in the CP-HABE scheme, this section proposes the ciphertextpolicy hierarchical attribute-based encryption against keydelegation abuse(CP-HABE-AKDA) and introduces the related definitions, construction, and security analysis.

A. CP-HABE-AKDA DEFINITION
This scheme consists of the following six algorithms: The global initialization algorithm is run by the root authority RA with inputting the global security parameter λ, generates the global public key PK and the master key MK for a hierarchy of depth L.
• LevelKeyGeneration (PK , MK ): A level key generation algorithm is run by the root authority RA with inputting the global public key PK and the master key MK , generates a level key SK i for the domain authority DA i at level i (1 ≤ i ≤ L).
• LevelKeyDerivation (SK i ): The algorithm is for the level key derivation. The domain authority DA i of level i generates a level key SK h for the domain authority at level h according to the key of level i and the public information between the levels. Authorities of each level domain use the level key derivation algorithm for keydelegation, which provides scalability for the solution.
• AttributeKeyGeneration (SK i , PK , ω): The algorithm is to generate the attribute private key for users at each level. The domain authority generates an attribute private key SK i,ω according to the public key PK , the level key SK i and the attribute set ω at level i, and is used to decrypt the ciphertext. The level key is used to generate the attribute private key of the level, which ensures the correctness when decrypting.
• Encryption (PK , M , τ, i): The encryption algorithm takes message M , access structure τ and public key PK at the level i as inputs, and the output is ciphertext CT .
• Decryption CT , SK i,ω : The decryption algorithm takes the attribute private key SK i,ω and ciphertext CT as the input. If the attribute set owned by the user meets the access structure and the level requirements of ciphertext, the plaintext will be output.

B. IND-S-CPA SECURITY MODEL
The general security model defined below describes the interaction between the adversary and the encryption algorithm. The formal security model between the adversary and the challenger is defined as follows: • Init: The challenger runs the initialization algorithm and sends the public parameters obtained by the algorithm to the adversary, while retaining the master key.
• Phase1: The adversary is allowed to execute the following types of polynomial bounded number of key queries: -Type 1: The adversary queries the domain authority of level i for the key with attribute set ω 1 , ω 2 , . . . , ω q . The challenger sends the attribute private key SK i,ω r , ∀r ∈ {1, 2, . . . , q} to the adversary.
• Challenge: The adversary submits two equal-length plaintext messages M 0 and M 1 to the challenger as the ciphertext that they want to be challenged. In addition, the adversary also gives the challenger an access policy * . None of the queried keys generated in phase 1 can satisfy the access policy * . The challenger tosses a coin b ∈ {0, 1} randomly, then encrypts m b with the access policy * , and returns ciphertext CT * to the adversary.
• Phase2: Repeat phase 1. The adversary continues to submit key queries to the challenger, and the queried keys do not comply with the access policy * . The challenger returns the corresponding keys to the adversary.
• Guess: The adversary outputs a guess value b for b. if b = b, the adversary will win the game. The advantage of the adversary's success in this game is defined as Definition 2: In the CP-HABE-AKDA security game, if all polynomial-time adversaries have at most a negligible advantage, the CP-HABE-AKDA is IND-s-CPA secure.

C. SECURITY MODEL AGAINST KEY-DELEGATION ABUSE ATTACK
The security definition against key-delegation abuse in a CP-HABE-AKDA scheme is described by a security game between a challenger and an adversary, as follows: • Init: The challenger runs the initialization algorithm and sends the public parameters obtained by the algorithm to the adversary, while retaining the master key. The total attribute set µ and the message space M are also defined in this phase.
• • Query 3: The adversary queries the challenger for the attribute private key of the different attribute set 1 , . . . , Q ⊆ µ at level h. When 1 ≤ σ ≤ Q, for each σ , the challenger runs the algorithm AttributeKeyGeneration and generates the attribute private key SK h, σ , and sends it to the adversary. The adversary can query the challenger adaptively.
• Output: The adversary selects a new attribute set ω * • for level h, while ω * = σ , 1 ≤ σ ≤ Q. And the adversary generates a new private key SK h,ω * and a new general decryption algorithm Decryption * (CT , SK ) for attribute set ω * at level h (1 ≤ i < h ≤ L), then sends them to the challenger. The adversary will win the game if the following conditions are met: with inputting an attribute set W ⊂ ω * at level h (1 ≤ i < h ≤ L) and an arbitrary message M ∈ M, where Decryption represents all the possible decryption algorithm. The advantage of an adversary is defined to be the probability that the adversary wins the security game.
Definition 3: In this security game, if all polynomial-time adversaries have at most one negligible advantage, the CP-HABE-AKDA scheme is secure against key-delegation abuse attack.

D. CP-HABE-AKDA CONSTRUCTION
In this section, we shall present our CP-HABE-AKDA scheme, the workflow of which is shown in Fig.4. The proposed scheme introduces a directed graph with the hierarchical structure to achieve delegation between upper and lower hierarchical domain authorities. When constructing an attribute private key, the algorithm associates the key parts related to the attribute set with the parameters related to the level, so that the domain authorities could not use keydelegation and parts of attribute private key for forging a new key, which would result in key-delegation abuse.
• GlobalSetup: Given a security parameter λ and an attribute universe µ with the size of n, where n is a natural number. The entire attribute set is µ := {1, 2, . . . , n}.
The algorithm first chooses two bilinear groups G and G T of prime order p, two random generators g 0 , h 0 ∈ G,a bilinear map e : G × G → G T . Let H : Z p × G × {0, 1} d → G be a secure hash function. The algorithm randomly selects α, β ∈ Z p , and computes In addition, it selects random elements y 1 , y 2 , . . . , y ∈ Z p , 1 ≤ ≤ L and g 3 , f 1 , f 2 , . . . , f L ∈ G. Root authority RA broadcast public key PK , keep the master key MK : • LevelKeyGeneration: Root authority RA assigns a unique public identity LID i ∈ B and a secret random large positive integer y i φ ∈ Z p for each level. Then the key parameter at level i is k i = H y i φ , LID i . RA stores k i and LID i in the entry of i th level key table, selects a random number r ∈ Z p , and generates the level key of domain authority DA i as follows: The level key SK i and key parameter k i are sent to DA i through a secure channel between RA and DA i .
• LevelKeyDerivation: It is assumed that the level i is the predecessor of the level h, 1 ≤ i ≤ h ≤ L, and their key parameters are k i and k h respectively. DA i uses the public information preset by RA to generate a new level key, and achieves level key-delegation. (1) The root authority RA randomly selects a large positive integer q to publicly store derived information The domain authority DA i selects the random number r ∈ Z p , and uses its level key SK i to generate the level key SK h related to level h, as follows: • AttributeKeyGeneration: This algorithm is run by domain authority DA i at level i to generate the attribute private key SK i,ω for the users with an attribute set ω ⊆ µ. DA i selects secret random number t 1 , t 2 , . . . , t 2n ∈ Z p , and computes the public parameters 0 . In addition, n − 1 random values x 1 , x 2 , . . . , x n−1 are randomly chosen in Z p , and associated with the level key parameter k i by computing x n = k i −x 1 −· · ·−x n−1 ∈ Z p . For each attribute j ∈ ω, a random number x n is assigned as follows: The attribute private key SK i,ω for the attribute set ω at level i is: • Encryption: This algorithm encrypts a message M ∈ G T under the access control policy specified with an access structure τ = j∈W j at level i, where W ⊆ ω. The encryption algorithm first selects a random value s ∈ Z p . Then, the ciphertext CT is composed as follows: There are tworequirements on successful decryption: first, the attribute set associated with the user needs to satisfy the access structure; second, the attribute set is at the correct level. Therefore, the decryption algorithm consists of two steps: the first step confirms whether the attribute set ω satisfies the access structure τ ; and the second step uses the attribute private key of the correct level for message recovery. The decryption algorithm uses algorithm DecAtt CT , SK i,ω to perform the following steps: (1) For all attributes j ∈ µ, if the set ω ⊆ µ composed of j conforms to the access structure τ , the algorithm DecAtt CT , SK i,ω outputs e (g 0 , h 0 ) sk i ; If such a set does not exist and the access structure is not satisfied, the algorithm outputs ⊥. (2) After confirming that the attribute set satisfies the access structure, the decryption algorithm executes: The correct Z (3) value can only be recovered by users at the correct level in the hierarchy. Finally, if the user's attribute private key satisfies access structure τ and has the correct level, the decryption algorithm VOLUME 8, 2020 recovers the message M :

VI. SECURITY ANALYSIS OF CP-HABE-AKDA
The generic bilinear group model and the random oracle model are used to demonstrate that there is no effective adversary can break the security of the proposed scheme with non-negligible probability, if an adversary performs generic operations on the group used in the proposed scheme. In a generic group model, group elements are encoded as a unique random string so that adversaries can manipulate group elements using canonical group operations in G and G T , and cannot test any property other than equality.
First, the functions and symbols used in the simulation security game are given. Define two kinds of random codes ξ 0 , ξ 1 on additive group F p , such that ξ 0 , ξ 1 : , g) ρ ∈ G T , The challenger receives two oracle models to compute group operations on G and G T , one oracle model to compute non-degenerate bilinear mappings e : G × G → G T , and the other oracle model represents hash function H : {0, 1} * → G.

A. SECURITY PROOF OF CONSTRUCTION
Theorem 1: Let q be an upper bound on the total number of group elements that an adversary A can receive from queries she makes to the challenger for elements from the oracle model for the hash function, groups G and G T , bilinear map e, and from his interaction in the CP-HABE-AKDA security game. The advantage of the adversary in the security game is O q 2 /p . Proof: Here we first bind the advantage of adversary A to an improved security game. In the security game defined in Definition 2, the ciphertext that challenger randomly outputs contains the message-related elementĈ, which might bê C = M 0 · e (g 0 , h 0 ) (α−β)s orĈ = M 1 · e (g 0 , h 0 ) (α−β)s . In an improved security game, the challenger may returnĈ = e (g 0 , h 0 ) (α−β)s , orĈ = e (g 0 , h 0 ) θ , where θ is uniformly selected from Z p , and the adversary A has to determine which value to take. Obviously, any adversary with an advantage ε in the CP-HABE-AKDA security game can be converted to an adversary with at least an advantage ε/2 in an improved security game. Therefore, the advantage of the adversary can be bound in the improved security game. The following will prove that in an improved security game, no adversary A has a non-negligible advantage. Here we define all possible queries and corresponding outputs that adversary A might perform in a secure game simulation. In the security game, adversary A receives the following encodings from the interaction with the challenger .
In the initialization phase of the security game, the components generated by algorithm GlobalSetup include: The challenger sends the public parameters to A.
In Phase 1 and Phase 2 of the security game, the components generated by the attribute private key algorithm AttributeKeyGeneration associated with an attribute set ω at level i include: In the challenge phase of the security game, the components generated by algorithm Encryption include: (3) ξ 0 νst j j∈W → E i,ω = h s j j∈W = g νst j j∈W , (4) ξ 0 νst j j∈µ\W → E i,ω = h s j j∈µ\W = g νst j j∈µ\W ; It should be noted that if A queries for a secret key satisfying the challenge access policy * then the challenger would not issue the key. The adversary can use the group elements received from the interaction with the challenger to perform generic group operations and equality tests on α, β, y , y i φ , t, r, s, x 1 , . . . , x n−1 , t j , η l , where each variable is an element from Z p picked randomly in our scheme. Queries that the adversary can execute include: • Queries to oracle model for group operations on G and G T . When adversary A requests for multiplication or division of group elements represented by their random encodings, the oracle model returns the addition or subtraction in the additive or multiplicative cyclic groups respectively, based on the encoding of the group elements.
• Queries to the oracle for computing pairing operation. When the adversary A requests for pairing of the group elements represented by random encodings, the oracle model returns the multiplication of group elements in the multiplicative cyclic groups. Next, it will be proved that by using the above simulation results, adversary A cannot distinguish the challenger's ciphertext betweenĈ = e (g 0 , h 0 ) θ andĈ = e (g 0 , h 0 ) (α−β)s with a non-negligible advantage.
According to the standard approach of the security in the generic group model, when the adversary queries for the group oracle model, an unexpected collision occurs because the challenger randomly selects values for the variables α, β, y , y i φ , t, r, s, x 1 , . . . , x n−1 , t j , η l . That means, when two different forms of rational function correlation queries are conducted, the two query values will be the same due to random selection of variable values. In the security game of the generic group model, the probability of a collision with any two different queries is the same as the adversary's view, which is at most O q 2 /p . Therefore, for the output of ciphertextĈ, when θ = (α − β) s, the adversary can complete the security game with a non-negligible advantage. The following will use reduction to absurdity for constructing the challenge ciphertext ξ 1 ((α − β) υνs) as a condition to prove that the adversary A can neither perform the polynomial query, nor make the linear combination produce polynomials of the form (α − β) s, so there will be no collision, and the adversary A cannot distinguish challenger's ciphertexts with a non-negligible advantage. Table 2 lists the feasible queries in G T that can be constructed using the group elements received from the simulation of the secure game. The adversary A can construct a polynomial query containing item (α − β) s by using the results in cells (3,2) and (3,3) in Table 2: The polynomial in (1) also contains terms B, C, E, hence it needs to cancel terms B, C to construct a polynomial of the form (α − β) s, and also require term E to be 0. The following is a case-based analysis of the strategy that may be deployed by adversary A to cancel terms B, C and make term E be 0. The analysis is based on the fact that adversary A can never use a key that satisfies access control policy * . In order to satisfy * , the key should correspond to the correct level i and satisfy the access structure τ * . Then we identify the following two situations: • Case 1 In this case, the adversary A uses the output obtained from the type 1 query in the security game defined in this section. The key obtained from the query corresponds to the level i in the hierarchy but does not satisfy τ * . In order to cancel terms B, C of (1), the adversary A can pair the query results of the units (5, 1) and (8,2) in Table 2 and construct a polynomial of the form −t − i l=1 η l . In order to make term E to be 0, then is a fixed value. This means that when term E is 0, the adversary A can make a key that satisfies τ * , which contradicts the assumption of case 1. According to the security definition, adversary A should not have at least one element of key associated with the ciphertext created by using τ * . Therefore, term E cannot be 0, so the adversary A cannot use the strategy of case 1, for constructing a polynomial of the form (α − β) s.
• Case 2 In this case, the adversary A uses the output obtained from the type 2 query of the security game in this section. The key obtained by the adversary from the query does not correspond to level i in the hierarchy (i.e., the user does not belong to the correct level), but instead satisfies the access structure τ * (i.e., the user has the required attributes). Suppose that adversary A can only use the key corresponding to levelî in the hierarchy, whereî = i, and create a challenge ciphertext for it. However, these keys satisfy the partial access strategy * , that is, only the access structure τ * is satisfied. This assumption is consistent with the security definition that adversary A cannot access the key that satisfies the challenge access policy * . In order to distinguish the keys corresponding to levelsî and i, the level key parameters kˆi and k i are used here, respectively. Since the related secret component which satisfies the AND access structure τ * can be accessed, in this case, the adversary A can cancel term E. To cancel terms B and C, adversary A can pair the queries in Table 2 with cells (4, 1), (5, 1) and (8,3), and construct a polynomial of the form −kˆit − kˆi î l=1 η l . To cancel terms B and C, adversary A needs to query kˆi. However, this contradicts the security definition. Therefore, the adversary cannot construct a polynomial of the form (α − β) s, by using the strategy of Case 2. VOLUME 8, 2020 In summary, it is concluded that the adversary A cannot perform a polynomial query to obtain a polynomial of the form (α − β) s. This proves that there is no generic adversary A could break the security of the proposed CP-HABE-AKDA with a non-negligible advantage.

B. PROOF OF CONSTRUCTION AGAINST KEY-DELEGATION ABUSE
Theorem 2: The proposed CP-HABE-AKDA scheme is secure against Key-delegation Abuse Attack with respect to Definition 3 in the generic group model.
The proof is also based on the generic group model. Suppose the adversary generates a new key SK h,ω * for the attribute set ω * at level h, through the level key derivation algorithm and the attribute private key generation algorithm, and gives the decryption algorithm Decryption * (·), which can decrypt the ciphertext encrypted with access policy * . First, we use the standard parameters of the general group model, it is to be proved that if this occurs with a nonnegligible probability, then the multilinear polynomials in the new key as described above, must also meet the corresponding constraints. Therefore, we use reduction to absurdity to assume that the multilinear polynomial corresponding to the adversary's output satisfies the required constraints, and then we get a contradiction. In order to satisfy the constraints, polynomials must have a specific structure, namely, they can only depend on certain given group elements.
Proof: For a generic-group adversary, the challenger executes a security game against key-delegation abuse attack as follows. For each group element related to the adversary, the challenger tracks its discrete logarithm through a multivariate rational function in an indeterminate formal variable. The simulation process associates each group element with some rational function.
For each distinct rational function in the set, it enters the value of the rational function into the corresponding encoding ξ 0 or ξ 1 and provides the result to the adversary as the encodings of the particular group elements. In this security game, the codes received by the adversary from the interaction with the challenger, are based on the generic group model, as the same as in the proof of theorem 1, so they will not be repeated here.
During the output phase of the security game, the adversary outputs a claimed new attribute private key SK h,ω * and a suitable decryption algorithm Decryption * (·) for the new attribute set ω * at level h. For ciphertext CT encrypted with access structure τ = ∧ j∈W j at level h, if the new private key can be used to compute Y = e (g 0 , h 0 ) (α−β)s , thus it can decrypt M from E . Therefore, the new private key SK h,ω * should contain the group element of each attribute j to be paired with the group element corresponding to E i,ω (or E i,ω ) of the ciphertext in the bilinear map. For the attribute j in µ, these group elements are represented by D * j , and the necessary structure of the new key SK h,ω * can be expressed Assuming the new key meets the above conditions, perform the following steps: is uniformly selected randomly in Z p , there are coefficients δ 1,σ = δ 2,σ = · · · δ n,σ , which can be represented by δ σ .
(2) Considering condition 2, when 1 j is uniformly randomly selected in Z p , the following conclusion can be drawn: if there are attributes j ∈ ω * and j / ∈ ω σ , then δ σ = 0; then it can be derived, is uniformly randomly selected in Z p , the following conclusions can be drawn: if j ∈ ω * and j ∈ ω σ , δ σ = 0, then it can be derived, when 1 ≤ h < i ≤ L, if δ σ = 0, then ω * ⊆ ω σ . Therefore, when h = i, if δ σ = 0, then ω * ⊆ ω σ . This will cause that the adversary fails to generate a new key for ω * = ω σ at level h (1 ≤ i < h ≤ L), or the ciphertext decrypted with the key of the attribute set ω σ can also be decrypted with the generated new key. Thus, it contradicts the conditions in the security definition. Therefore, the assumption is not true. The adversary cannot successfully generate a new private key to win the game. This proves that the proposed scheme can resist the key-delegation abuse attack.

VII. TRACEABLE CP-HABE-AKDA
A secure IoT-connected healthcare system based on CP-HABE is expected to implement key delegation in daily situations, helping doctors save time in treating patients; in case of key leakage, it would be able to track the identity of the key leaker and protect patients' privacy. We present a CP-HABE-AKDA scheme with white-box traceability for the IoT-connected healthcare system. To better illustrate our scheme, the system model, scheme definition, security model, traceability model and scheme construction are described respectively in this section.
As shown in Fig.5, our IoT-connected healthcare system mainly involves five various types of entities: root authority(e. g., hospital administrative department), domain authority (e. g., department of hospital), data owner(e. g., patient), healthcare cloud storage(HCS) and data users(e. g., doctor). The root authority is responsible for generating system public parameters (step1) and creating level keys for each domain authority with different access rights (step 3). For example, the outpatient doctor can refer to all the patients' medical records, the resident doctor can refer to the corresponding disease's medical records, and the pharmacy doctor can only see the prescription of the medical records. After collecting the physiological data through assigned wireless protocols (e.g., Wifi, Bluetooth) from the wearable IoT devices (e.g., mobile terminals, sports bracelets), the data owner encrypts it with the specified access policy, and then outsource the ciphertext to HCS(step 2). If the data user's attribute set complies with the access policy, the user can recover the encrypted data (step 7).
In an emergency, the attending doctor A performs preliminary diagnosis and treatment on the patient in the ambulance, and then he uploads the physiological data and preliminary prescription to HCS with encrypted form. In order to strive for treatment time and start the operation for the patient as soon as possible, attending doctor A requires doctor B of the pharmacy department to dispense drugs in advance according to the prescription. Then the outpatient department of Doctor A delegates the Pharmacy Department (step 5) to generate an attribute private key for pharmacy Doctor B (step 6). In this way, it eliminates the time of delegation from the hospital management department to the pharmacy department (step 4), and then to Doctors B (step 6). When the ambulance arrives at the hospital, Doctor A is ready for the patient's operation.
When a drug supplier purchases prescriptions from a doctor at a high price, the doctor may give the attribute private key to the drug supplier for the benefit. If a key's leaking is discovered, the hospital management department will trace the identity of the doctor based on the leaked key (step 8).

A. TRACEABLE CP-HABE-AKDA DEFINITION
The traceable CP-HABE-AKDA scheme consists of the following eight algorithms.
• GlobalSetup (λ, L): The global initialization algorithm is run by the root authority RA with inputting the global security parameter λ, generates the global public key PK and the master key MK for a hierarchy of depth L.
• USignKeyGen (PK ): The user sign-verify key generation algorithm, takes PK as input, and outputs secret sign-key x U and public verify-key P U .
• LevelKeyGeneration (PK , MK ): A level key generation algorithm is run by the root authority RA with inputting the global public key PK and the master key MK , generates a level key SK i for the domain authority DA i at level i (1 ≤ i ≤ L).
• LevelKeyDerivation (SK i ): The level key derivation algorithm is run by the domain authority DA i of level i, which generates a level key SK h for the domain authority of level h (1 ≤ i < h ≤ L) according to the level key SK i and the public information between the levels. Authorities of each level domain use the level key derivation algorithm for key-delegation.
• AttributeKeyGeneration (SK i , PK , ω): The algorithm is to generate the attribute private key for users at each level. The domain authority generates an attribute private key SK i,ω according to the public key PK , the level key SK i and the attribute set ω at level i, and is used to decrypt the ciphertext. The level key is used to generate the attribute private key of the level, which ensures the correctness when decrypting.
• Encryption (PK , M , τ, i): The encryption algorithm takes message M , access structure τ and public key PK at the level i as inputs, and the output is ciphertext CT .
• Decryption CT , SK U ,ω : The decryption algorithm takes the attribute private key SK U ,ω and ciphertext CT as the inputs, and outputs M or ⊥.
• Trace PK , SK U ,ω : Identity tracking algorithm takes the user attribute private key SK U ,ω and PK as inputs, RA checks the key elements, and outputs a valid flag 1 or invalid flag 0. If the output is 1, RA queries the identity information.

B. IND-S-CPA SECURITY MODEL
In this paper, the security game between a challenger and an adversary is used to describe the ciphertext indistinguishability under adaptive chosen plaintext attacks (IND-s-CPA) of VOLUME 8, 2020 a traceable CP-HABE-AKDA scheme. In this model, RA is not allowed to conspire with DA. The adversary chooses to use the access policy * for the encryption challenges. The access policy * includes the partial level i of a certain level range and the AND-gate access structure where the attribute set ω belongs. The formal security model is defined between the adversary and the challenger as follows: • Init: The adversary submits a challenge access policy * to the challenger.
• Setup: The challenger runs algorithms GlobalSetup and USignKeyGen, then sends the public key PK obtained by the algorithm to the adversary.
• Phase1: The adversary queries the challenger for a secret sign-key corresponding to a series of honest identities U . Since user identity U is bound to attributes, here the user is corresponding to the attribute set ω at level i. If identity U is colluded, the adversary submits the public verify-key directly to the challenger. The adversary queries the challenger for the decryption key corresponding to the identity U . The adversary is allowed to execute the following types of polynomial bounded number of key queries: -Type 1: The adversary queries the domain authority of level i for the key with attribute set ω 1 , ω 2 , . . . , ω q . The challenger sends the attribute private key SK i,ω r , ∀r ∈ {1, 2, . . . , q} to the adversary.
• Challenge: The adversary submits two equal-length plaintext messages M 0 and M 1 to the challenger as the ciphertext that they want to be challenged. In addition. The adversary also gives the challenger an access policy * . None of the queried keys generated in phase 1 can satisfy the access policy * . The challenger tosses a coin b ∈ {0, 1} randomly, then encrypts m b with the access policy * , and returns ciphertext CT * to the adversary.
• Phase2: Repeat phase 1. The adversary continues to submit key queries to the challenger, and the queried keys that do not meet the access policy * . The challenger returns the corresponding keys to the adversary.
• Guess: The adversary outputs a guess value b for b. If b = b, the adversary will win the game. The advantage of the adversary's success in this game is defined as

Definition 4:
In the traceable CP-HABE-AKDA security game, the traceable CP-HABE-AKDA is IND-s-CPA secure, if all polynomial-time adversaries have at most a negligible advantage.

C. TRACEABILITY MODEL
The user identity information in the scheme proposed in this section is related to the user attribute private key through the user's signature. Therefore, a white-box traceability security game is similar to the unforgeability of a signature. It can be described by the following security game between challenger and adversary.
• Init: The challenger runs GlobalSetup and USignKeyGen algorithms and sends the public key obtained by the algorithm to the adversary.
• Phase1: The adversary is allowed to perform a polynomial bounded number of key queries: the adversary queries the challenger for the signature key related to a series of honest identity U , that is, the adversary submits the attribute set (i, ω 1 ) , (i, ω 2 ) , . . . , i, ω q to request the corresponding signature key. If identity U is colluded, the adversary submits the verification public key directly to the challenger, and the adversary queries the challenger for the decryption key corresponding to identity U and attribute set ω.
• Forge: The adversary outputs a (U * , ω * ) decryption key SK U * ,ω * . If Trace PK , SK U * ,ω * = ⊥, and SK U * ,ω * does not come from the query of (U * , ω * ) decryption key, the adversary wins the game, and its advantage is defined as Adv (A) = Pr [Awins]. Definition 5: In the security game as mentioned above, if all polynomial-time adversaries have at most one negligible advantage, then the traceable CP-HABE-AKDA has white box traceability.

D. TRACEABLE CP-HABE-AKDA CONSTRUCTION
We construct the traceable CP-HABE-AKDA scheme as follows, the workflow of which is shown in Fig.6: • GlobalSetup: Given a security parameter λ and an attribute universe µ with the size of n. The entire attribute set is µ := {1, 2, . . . , n}, where n is a natural number. The algorithm first chooses two bilinear groups G and G T of prime order p, two random generators 1} → G be a secure hash function, where d denotes the bit length of identity information IDinfo. The algorithm randomly selects α, β ∈ Z p and computes Y = e(g 0 , h 0 ) α−β , g 1 = g α 0 , g 2 = g α 0 . It also selects random elements, y 1 , y 2 , . . . , y ψ ∈ Z p , 1 ≤ ψ ≤ L and g 3 , f 1 , f 2, . . . , f L ∈ G. Root authority RA broadcasts public key PK and keep the master key MK : • USignKeyGen: The algorithm is run by the user and generates a pair of user signed keys. User U randomly selects an element x U ∈ Z p as the signature key and publishes P U = g x U as the public verified key.
• LevelKeyGeneration: Root authority RA assigns a unique public identity LID i ∈ B and a secret random large positive integer y i π ∈ Z p for each level, then the key parameter for each level i is k i = H (y i π , LID i ). RA stores k i and LID i in the entry of i th level key table, selects a random number r ∈ Z p , and generates the level key of domain authority DA i as follows: The key SK i and key parameter LID i are sent to DA i through a secure channel between RA and DA i .
• LevelKeyDerivation: It is assumed that the security level i is the predecessor of the security level h, 1 ≤ i < h ≤ L, and their key parameters are k i and k h respectively. DA i uses the public information preset by RA SK i to generate a new level key SK h to realize level key-delegation. First, the root authority RA randomly selects a large positive integer q to store derived public information y i,h = k h − H (k i , LID h ) mod q for the relationship (V i , V h ) in the hierarchy, which is from level i to level h. q is published by RA later.
Then, according to the public information LID h and, y i,h , DA i uses its key parameter k i to calculate the value of key parameter k h of level h, that is Finally, DA i selects a random number r ∈ Z p , and uses its level key SK i to generate level key SK h related to level, as follows: . . , f k h L AttributeKeyGeneration: The attribute private key SK U ,ω of the user whose attribute set is ω at level i is generated by root authority RA, domain authority DA and the user U in the following steps: Step 1. RA verifies the user's identity. U first selects a one-time random number r U ∈ Z p , calculates F = h x U , 1 h 1 = H 1 (r U , P U , IDinfo U ) and then sends (r U , F, P U , IDinfo U , ω) to RA. Then, RA verifies the correctness of F through the equation e (F, g) = e (h 1 , P U ). If it is true, RA queries (r U , * , * , IDinfo U , * , * ) in the user registry Index RA , and if the user's item is found, the user is verified. RA sends the level key SK i to U through the secure channel between U . Otherwise, RA will create an item for the user, storing (r U , F, P U , IDinfo U , ω) in table Index RA .
Step 2. The domain authority DA i at level i generates attribute private key SK U ,ω for user U with attribute set ω ⊆ µ. DA i selects secret random number t 1 , t 2 , . . . , t 2n ∈ Z p , and computes the public parameters h 1 = h t 1 0 , . . . , h n = h t n n , h n = h t n+1 n+1 , . . . , h 2n = h t 2n 0 . In addition, n − 1 random values x 1 , x 2 , . . . , x n−1 are randomly chosen in Z p and associated with k i by computing For each attribute j ∈ ω, a random number x n is assigned as follows: DA i sends D i,ω j∈µ to user U through the secure channel between domain authority and user.
Step 3. User U selects a random number λ ∈ Z p , and outputs the private key of the attribute set ω at level i is: , D i,ω j∈µ   • Encryption: This algorithm encrypts a message M ∈ G T under the access control policy specified with an access structure τ = j∈W J at level i, where W ⊆ ω. The encryption algorithm first selects a random value s ∈ Z p . Then, the ciphertext CT is composed as follows: There are two requirements on successful decryption: first, the attribute set associated with the user needs to satisfy the access structure; second, the attribute set needs to be at the correct level. Therefore, the decryption algorithm consists of two steps: the first step confirms whether the attribute set ω satisfies the access structure τ ; and the second step uses the attribute private key of the correct level for message recovery. The decryption algorithm uses algorithm DecAtt CT , SK U ,ω , ω to execute the following steps: Step 1. For all attributes j ∈ µ, if the set ω ⊆ µ composed of conforms to the access structure τ , DecAtt(CT , SK U ,ω , ω) outputs e(g 0 , h 0 ) (−k i s) ; If such a set does not exist and the access structure is not matched, the algorithm outputs ⊥.
Step 2. After confirming that the attribute set satisfies the access structure, the decryption algorithm executes: • Trace: The identity tracking algorithm takes the user's attribute private key as input, and the root authority RA checks its key element to verify whether the user's attribute private key is valid. After verification, RA queries the user registry Index RA based on the elements in the key construction and traces out the user holding the key. First, RA checks if the user attribute private key elements make the following formulas hold: If all the above equations are true, the user attribute private key SK U ,ω passes the identity check, and the tracking algorithm outputs 1; otherwise, the tracking algorithm outputs 0. If the output is 1, RA finds (r U , F, P U , IDinfo U , ω) from the user registry Index RA , and verifies whether e (F, g) = e (h 1 , P U ) is valid, when h 1 = H 1 (r U , P U , IDinfo U ). If it holds, RA outputs the user identity information IDinfo U which is corresponding to SK U ,ω .

Proof:
The proof is similar to that for Theorem 1, and hence, we omit it.

B. TRACEABILITY PROOF OF CONSTRUCTION
Theorem 4: If l − SDH assumption holds, the traceable CP-HABE-AKDA scheme is white box traceable, that is, the user can not generate a forged key.
Proof: Suppose there exists an adversary A that has non-negligible advantage in winning the traceability game after making q key queries, without the generality, let q = q + 1. A probabilistic time polynomial algorithm B can be constructed to break l − SDH assumption with the advantage of ε. The interaction between A and B is as follows: • Init: B receives one of parameters ḡ,ḡ δ , . . . ,ḡ δ q in l − SDH assumption, whereḡ is an element on G and sets B U =ḡ x U , U = 0, 1, . . . , q. The goal of B is to output a tuple (c U , U ) ∈ Z p × G that satisfies B creates an identity list T = ∅ and broadcasts the public key: • Phase1: In the i − th query, adversary A submits the parameter (IDinfo U , ω U ) to B, and queries the corresponding private key for the user with the attribute set ω U at level i, whose identity is IDinfo U . Let the polynomial function f U (y) be of the form: Similarly, polynomial expansion can be obtained as follows: θ ϑ y ϑ B computes: Then B randomly selects and calculates: 86646 VOLUME 8, 2020 , D 1 = c U = r U , and adds (c U , IDinfo U ) to the table T .
• Forge: The adversary A submits a private key SK to B. According to the assumption, the private key can pass the validity verification and D * 1 / ∈ c 1 , c 2 , . . . , c q . After receiving the private key, B first rewrites the polynomial function f (y) as: where the remainder term γ −1 ∈ Z p , and γ (y) is a polynomial about y: γ U y U . Divide both ends of equation ( * ) by y + D * 1 to get the rational fraction: (y + c U ) and D * 1 / ∈ c 1 , c 2 , . . . , c q , we can know from the basic algebra theorem that y + D * 1 cannot divide f (y), so the remaining terms γ −1 = 0. Then B computes 1/γ − 1 (modp) (since gcd (γ − 1, p) = 1) and then does following computation: , the solution of l − SDH problem is D * 1 , * . Now we evaluate the advantage of B in breaking l −SDH assumption. Let SDH (c * , * ) denote the event that D * 1 , * is a solution for the l − SDH problem, which can be verified by checking whether e ḡ λ 0 ·ḡ c * 0 , * = e (ḡ 0 ,ḡ 0 ) holds. Note that when B randomly chooses D * 1 , * , SDH (c * , * ) happens with negligible probability, mark zero for simplicity. Moreover, the probability of the event happens when D * 1 , * satisfies e ḡ λ 0 ·ḡ c * 0 , * = e (ḡ 0 ,ḡ 0 ) is 1 in the case of (Awin ∧ gcd (γ −1 , p) = 1) when B outputs D * 1 , * . So the probability for B have a solution of l − SDH problem is calculated as follows: Therefore, the algorithm B can solve the l − SDH problem with non-negligible advantage, which conflicts with the l − SDH assumption, so the theorem proves that the proposed traceable CP-HABE-AKDA scheme has white-box traceability.

IX. PERFORMANCE ANALYSIS
In terms of performance analysis, factors that affect the performance of the proposed scheme are taken into account, mainly considering the size of key storage space and the cost of attribute set-related algorithms. In this section, from the aspect of storage overhead, the length of user attribute private key is used as an indicator; from the aspect of computational overhead, the user attribute private key is generated, and the amount of encryption and decryption operations are used as indicators. The proposed scheme is compared with the HABE scheme represented by the Wang scheme [20], Wan scheme [21] and Asim scheme [7]. For convenience, the notations used in the following description is introduced in Table 3.
In the proposed schemes, level key generation and encryption operation are related to the computing cost of root authority RA, attribute private key generation is related to the computing cost of domain authority DA, and decryption operation is related to the computing cost of the user. The computational overhead of several schemes is shown in Table 4.
In Wang's scheme [20], a file is encrypted based on the Disjunctive Normal Form (DNF) access control strategy A = When Wan scheme [21] generates the key of length 2 |A u |+ |A m | for the user, the algorithm and mechanism adopted are the same as that used for generating the key of the domain. The cost is determined according to the number of attributes owned by the user and the number of subsets in the recursive attribute set. The computational complexity is O (2n + A m ). The encryption algorithm adopts the form of an access control tree. The transformation nodes of the leaf node set in the access control tree determine the encryption cost. The tree access structure τ is used to encrypt DEK, including 2 exponentiation operations for each leaf node in τ and 1 exponentiation operation for each transformation node. Therefore, the computational complexity of the new file creation is O 2 N y + |N x | , where y represents the number of leaf nodes in τ and x represents the transformation nodes in τ .
Since the decryption overhead depends on the access control tree and key structure, the decryption operation consists of two bilinear pairings for each leaf node on the path from leaf node to root node, and one exponentiation operation for each node on the path from leaf node to root node. When the Asim scheme [7] generates an attribute private key of length |A u | + |A m | for the user, the overhead is determined according to the number of attributes owned by the user and the level of the user. A total of i + 5 + 2n exponentiation operations are used, where i represents the level of the user and n represents the number of attributes in the user attribute set. When encrypting, the form of access control tree is used. The encryption cost is determined by the number of nodes and levels in the access control tree adopted by the encryption algorithm, so the overhead of file encryption includes i + 2 + 2n exponentiation operations and one bilinear pairing operation. The cost of the decryption operation depends on the user attribute private key. The decryption operation includes three bilinear pair operations to satisfy the leaf nodes of the access tree and one bilinear pair for each transition node on the path from the leaf node to the root node, and 2i exponentiation operation used for the attribute set at level i.
The proposed schemes take each attribute in AND-gate structure as a unit to realize the user attribute private key generation, encryption, and decryption. Therefore, the length of the user attribute private key is related to n, which is the number of total attributes, and linearly increases with the universe of attributes. In the generation of the user attribute private key, the level key parameter and each attribute in the attribute set are embedded by exponentiation operation. In the decryption, each attribute component of the user's attribute private key corresponds to the ciphertext component. Through bilinear mapping, the decryption qualification of the attribute private key is verified, and then the decryption is completed. Since the calculation cost of Wan scheme [21] and Asim scheme [7] is related to the number of nodes in an access tree structure, the more complex the tree structure is, the more computation is required. However, the calculation cost of the proposed schemes is related to the size of the entire attribute set. It has nothing to do with the internal structure. Therefore, when the total attribute set is fixed, the proposed scheme is more efficient.

X. CONCLUSION
In this paper, we focus on the issue of key-delegation in the HABE scheme and propose the key-delegation abuse problem in CP-HABE, which could severely affect the data security when adopted in IoT-connected healthcare system. In order to solve the problem, we summarize two causes of key-delegation abuse in CP-HABE and present a targeted CP-HABE-AKDA solution. In the proposed scheme, the directed graph is applied to realize the key-delegation between domain authorities from the upper level to the lower level. By embedding the level key parameter into a user attribute key, our construction can prevent the domain authority from creating decryption keys for users who do not comply with the access policy. We further study the strategy of tracking malicious user's identity when key leakage happens, especially in IoT-connected healthcare system, and designs a traceable CP-HABE-AKDA solution that can resist key-delegation abuse and has white-box traceability. Based on the generic group model and the random oracle model, we demonstrate the CPA security of the proposed schemes and the ability to resist key-delegation abuse attacks. Moreover, we complete the traceability proof of the proposed traceable CP-HABE-AKDA scheme based on l −SDH assumption.
As mentioned above, the key-delegation abuse not only exists in the HABE scheme with AND-gate access structure, but also in the schemes with the access tree and LSSS structure. The solutions provided in this paper only considers the case of AND-gate. In practice, especially in the IoTconnected healthcare system, HABE schemes are mainly with the access tree structure. Therefore, in the next stage of work, we continue to expand the HABE schemes against keydelegation abuse to the schemes with access tree and LSSS structure. Furthermore, supporting user revocation for the proposed scheme with traceability is also a potential research work we will explore. XI CHEN is currently pursuing the Ph.D. degree with the Department of Information and Communication Engineering, Beijing Jiaotong University. Her research interests include cryptographic protocols and information security.
YUN LIU received the Ph.D. degree in electronic engineering from Beijing Jiaotong University, in China. She is currently a Professor, the Director of the Department of Communication and Information System, and the Director of the Key Laboratory of Communication and Information Systems, Beijing Municipal Commission of Education, Beijing Jiaotong University. She has edited many books and published more than 200 articles and book chapters, as well as participated in many international academic activities, including the organization of several international conferences. Her current research interests include telecommunication, computer networks, network security, intelligent transportation systems, and social dynamics. She is an IET Fellow. He is currently an Associate Professor with the School of Electronic and Information Engineering, Beijing Jiaotong University. He has more than 40 publications and filed six patents. His research interests include cryptographic protocols, cyberspace security, cloud computing security, big data security, and blockchain.
Dr. Li is a member of the International Association for Cryptologic Research (IACR), the Chinese Association for Cryptologic Research (CACR), the Association for Computing Machinery (ACM), and the China Computer Federation (CCF).