Partial policy hiding attribute-based encryption in vehicular fog computing

Vehicular fog computing (VFC), combining the vehicular ad hoc network with fog computing, is an efficient vehicle communication architecture. However, the user data is often threatened since VFC is an open environment. Attribute-based encryption (ABE) is suitable for open scenarios, such as cloud and Internet of Things, because of its confidentiality and access control characteristics. However, the traditional ABE has disadvantages, such as the inability to hide the attributes in the access policy and the use of computationally inefficient composite order bilinear pairing groups to prove adaptive security. Traditional ABE is not practical in VFC. We summarized the existing schemes of full policy hiding ABE and partial policy hiding ABE and then concluded that partial policy hiding ABE is more suitable for VFC. We combine policy hiding technology and the technology of converting bilinear pairing cryptography schemes into prime-order bilinear pairing cryptography schemes and propose an efficient and partial policy hiding ciphertext-policy ABE scheme suitable for VFC. Experiments have proved that our scheme is computationally more efficient than previous policy hiding ABE schemes.


Introduction
With the popularity of 5G communications, research on the application of the Internet of Things (IoT) has become increasingly popular. More and more IoT applications appear in people's daily lives, such as smart medical care, smart cities, and vehicular ad hoc network (VANET). Lee et al. (2016) proposed a key agreement technology for the vehicular ad hoc network (VANET) communication channels. Vehicular fog computing (VFC) (Huang et al. 2017) is one of the research focuses, which combines traditional VANET with fog computing and further utilizes the computing power of the RSU fog nodes to meet the real-time and high-efficiency requirements of the application. Due to the particularity of VFC, the security requirements that need to be achieved are also different from other applications. In VFC, in addition to confidentiality and access control that need to be considered in the general environment, the algorithms in the designed security protocol must be sufficiently efficient because computing power is limited. Therefore, it is necessary to construct a secure and efficient encryption scheme with an access control function to meet the needs of VFC.

Correspondence: Yongjian Liao (liaoyj@uestc.edu.cn), University of Electronic Science and Technology of China, Chengdu, China
The traditional public-key encryption scheme can only meet the confidentiality requirements because the ciphertext can only be decrypted via a private key corresponding to the public key used for encryption. This is a one-to-one encryption scheme with no access control. Attribute-based encryption (ABE) adds access control functions to traditional public-key encryption, which not only satisfies confidentiality but also realizes access control. ABE includes ciphertext-policy ABE (CP-ABE) and key-policy ABE (KP-ABE) (Tian et al. 2020). In CP-ABE schemes, the ciphertext corresponds to the access policy, and the secret key corresponds to a set of attributes, while in KP-ABE schemes, the structure is just the opposite. Decryption can succeed only when a certain subset of the attribute set meets the access policy. CP-ABE is more suitable for VFC because users can dynamically specify the access control structure required for decryption when encrypting, which is more flexible. Feng et al. (2020), Alrawais et al. (2017), and Jiang et al. (2018) have already applied ABE to edge computing and VANET.
Although traditional CP-ABE can realize confidentiality and flexible access control functions, there are still some in-depth issues that need to be considered. The openness of the access policy is an implicit problem of the traditional CP-ABE. In the traditional CP-ABE, the plaintext of the access policy with sensitive information will be sent to another user together with the ciphertext of the message, which may threaten the user's privacy. For example, suppose Alice uses CP-ABE to encrypt a message, and the specified access policy is "(driving age: more than 4 years AND location: Chengdu) OR (gender: male AND vehicle type: truck)". Bob, with the attribute set "gender: male, vehicle type: truck, driving age: 3 years", can decrypt and obtain the plaintext information, while Lina, with the attribute set "driving age: 5 years, gender: female, vehicle type: car", cannot decrypt. However, we found that although Lina cannot decrypt, she can obtain sensitive information such as the decryptor's address and vehicle type.
To address the problems mentioned above, the concept of "policy hiding" was put forward. "Policy hiding" is divided into two types: "full policy hiding" and "partial policy hiding". A CP-ABE scheme with "full policy hiding" hides all the attribute information in the policy. Only through decryption can we know whether an individual attribute set meets the access policy, and the decryptor cannot obtain any information in the policy. Katz et al. (2008) proposed a CP-ABE based on the inner-product predicate encryption (IPE) structure, but this scheme can only use a threshold access structure, which is far less flexible than the commonly used linear secret sharing scheme (LSSS). A CP-ABE scheme with "partial policy hiding" hides part of the attribute information. Although some of the attribute information will be exposed, it does not affect the overall security. Nishide et al. (2008) proposed a CP-ABE scheme with "partial policy hiding", but their scheme only supports an AND-GATE access structure, and it is only selectively secure. Zhang et al. (2018) proposed another CP-ABE scheme with "partial policy hiding". They divide the attributes into attribute names and attribute values; the access policy exposes the attribute names, while the corresponding attribute values are hidden. In the above example, the information in the access policy that Lina can obtain is "(driving age: - AND location: -) OR (gender: - AND vehicle type: -)". The adversary only obtains the names of the attributes, which are not sensitive, while the sensitive, specific attribute values are protected. This scheme achieves complete security and "partial policy hiding" and adds a decryption test before decryption, which further improves the efficiency of decryption. However, this scheme is built on a composite order group, whose computational overhead is heavy. Guillevic (2013) compared computation on the composite order group and the prime order group and recommended using the prime order group. Therefore, the scheme of Zhang et al. (2018) is not suitable for VFC scenarios. Our target is to construct a prime-order-group-based, adaptively secure, large universe CP-ABE scheme for VFC.

Our contribution
To address the problems described above, we construct an adaptively secure, prime-order-group-based, large universe CP-ABE. We used the technology of Freeman (2010) and proposed a CP-ABE scheme suitable for VFC. The detailed advantages of this scheme are:
1. The use of a prime-order bilinear pairing group greatly reduces the computation load at the same security level and suits the application scenarios of VFC, which are limited in computation. There is a decryption test phase before the decryption phase, which further improves the efficiency of decryption;
2. The attribute value is separated from the attribute name. Only the insensitive attribute name is included in the access control structure, and the attribute value is hidden in the ciphertext. This method hides the user's sensitive information and protects user privacy;
3. Our scheme is large universe, which means the size of the attribute universe can be exponentially large while the size of public parameters is constant. In most of the previous schemes, the size of public parameters grows linearly with the size of the universe;
4. Our scheme can be proved adaptively secure under the standard model. Compared with selective security, an adaptively secure scheme is more usable and more secure.

Related work
Recently, many works about VFC have been proposed. Xiao and Zhu (2017) presented a visionary concept called VFC. They proposed the VFC architecture and some related requirements. Ning et al. (2019) presented a VFC-enabled traffic management scheme for smart cities. They constructed a three-layer VFC architecture whose layers dynamically cooperate with each other for network load balancing. They also emphasized the security issues faced in VFC. Hou et al. (2016) presented a new paradigm referred to as VFC. They added the vehicle nodes to the fog node, making full use of the computing power of the vehicle. Huang et al. (2017) put forward the common architecture of VFC and its security requirements. Sahai and Waters (2005) proposed the concept of ABE. Then, Goyal et al. (2006) constructed the first KP-ABE scheme in 2006, and Bethencourt et al. (2007) constructed the first CP-ABE scheme in 2007. Lee et al. (2013) made a comprehensive survey of CP-ABE and KP-ABE. Liao et al. (2020) and Chen and Liao (2019) proposed two outsourced attribute-based encryption schemes. Nishide et al. (2008) first proposed a "partial policy hiding" ABE scheme. They used inner-product predicate encryption to hide the attribute in the policy, and their scheme only supports an AND-GATE access structure. Lai et al. (2011) improved the work of Nishide et al. (2008) and proposed a "full policy hiding" ABE with the same access structure. However, the size of the ciphertext grows with the number of attributes. Yang et al. (2016) constructed an adaptively secure CP-ABE scheme with an AND-GATE access structure, but it only supported small universe and used the composite order group. The scheme of Zhang et al. (2013) was built on the prime order group, but can only be proved selectively secure. The schemes of Zhao et al. (2019) and Zhang et al. (2019) supported a policy tree, which is more flexible than AND-GATE, but both of them supported only small universe. Lai et al. (2012) proposed an adaptively secure CP-ABE that supports large universe with a decryption test. Their scheme used the composite order group, which is not efficient. Zhang et al. (2018) improved the scheme of Lai et al. (2012) and further improved efficiency. However, their scheme also used the composite order group, which is very inefficient compared to the prime order group.

Organization
The organization of our paper is as follows: Section 2 introduces some definitions used in our system. Section 3 introduces our system and CP-ABE scheme. In Sect. 4, we prove the security of our scheme. Section 5 presents the efficiency analysis. In Sect. 6, we conclude our work.

Preliminaries
In this section, we will introduce the bilinear group generator used in our scheme. Besides, we will introduce the assumption used in our proof.

Bilinear groups
Bilinear group generator: A bilinear group generator (G) takes a security parameter λ as input and outputs a set of groups and a pairing $\hat{e}$, where $G_1 \subset G$ and $H_1 \subset H$. The pairing must satisfy the following properties:
- Bilinear: for all $g_1, g_2 \in G$ and $h_1, h_2 \in H$, we have $\hat{e}(g_1 g_2, h_1 h_2) = \hat{e}(g_1, h_1)\,\hat{e}(g_1, h_2)\,\hat{e}(g_2, h_1)\,\hat{e}(g_2, h_2)$;
- Nondegenerate: for any $g \in G$ (or $h \in H$), if $\hat{e}(g, h) = 1$ for all $h \in H$ (or $g \in G$), then $g = 1$ (or $h = 1$);
- Computable: for any $g \in G$ and $h \in H$, we can calculate $\hat{e}$ in polynomial time.

Assumptions
Subgroup decision problem: G is the bilinear group generator introduced above. We define the distribution as follows: If there exists an algorithm A that can solve the subgroup decision problem on the left. SDP_L-Adv[A, G] denotes the advantage to solve the subgroup decision problem on the left: is a negligible function of λ, then G satisfies the subgroup decision assumption on the left. Analogously, if we define T 0 ← H and T 1 ← H , we can define the subgroup decision assumption on the right. If G satisfies both assumptions, we say that G satisfies the subgroup decision assumption.
k-Linear assumption: If groups $G, G_1, H, H_1, G_t$ generated by P all have prime order $p > 2^\lambda$, we call P a prime-order bilinear group generator. Since all groups generated by P have the same prime order, we have $G = G_1$ and $H = H_1$. We use G 1 = G, G 2 = H , and G t = G t to denote the three distinct groups. Let $\hat{G}$ denote the output and let $k \ge 1$ be an integer. We define the advantage of an algorithm A in solving the k-Linear problem in $G_1$ as k-Lin$_{G_1}$-Adv[A, P]: Similarly for k-Lin$_{G_2}$-Adv[A, P]. We say that G satisfies the k-Linear assumption in $G_1$ if k-Lin$_{G_1}$-Adv[A, P](λ) is a negligible function of λ for any polynomial-time algorithm A (similarly for $G_2$).

Lemma 1 P satisfies the k-Linear assumption in G; then, G L (5, 2) satisfies the subgroup decision assumption. The proof of this lemma can be found in Theorem 2.5 of Freeman (2010).

Notation table (rows recovered from the extracted text):
- The element a is randomly chosen from the set A
- G L (5, 2): The cancelling pairing bilinear group generator described in Sect. 2.1
- G, G t: Two cyclic multiplicative groups

System
In this section, firstly, we introduce our system model. Then, we put forward the security and performance requirements of our system. Finally, we give the detail of our scheme. Table 1 lists the notation table for the symbols in our system.

System model
In this subsection, we will introduce the system architecture of our scheme. We propose a partial policy hiding CP-ABE based on the prime order group and use it in VFC to construct a secure VFC model that can meet real-time requirements. There are four entities in our system.

1. Key Generation Center (KGC): KGC is a trusted center that is responsible for system initialization and key generation. KGC generates public parameters and the master private key according to the security parameter and then distributes public parameters. KGC can also generate the corresponding private key according to the user's attribute set and send it to the user. Cloud center (CC), road side unit (RSU), and vehicle object (VO) can register and authenticate at KGC to obtain their own private key;
2. CC: CC, with large storage capacity and computing power, can process and store a large amount of data uploaded by VO and RSU. CC can register at KGC to obtain its own private key. If VO adds CC's attributes to the access policy, CC can decrypt and process these data;
3. RSU: RSU has limited storage and computing power that is weaker than CC. RSU is mainly responsible for processing the data uploaded by vehicle objects with high real-time performance requirements. RSU can register at KGC to obtain its own private key, and a vehicle object can specify the attributes of RSU in the policy so that RSU can decrypt and process data. RSU can also process the vehicle object data and forward the encrypted data to CC for processing and storage;
4. VO: VO generates data, designs the policy to encrypt the data, and uploads it to RSU or CC. VO can register with KGC to obtain its own private key. VO can download data from the cloud or RSU and decrypt it with its own private key. The computing power of VO is very poor.

Figure 1 shows our system model. VO includes trucks, cars, and taxis. Cloud is CC and RSU is the roadside unit described above. In the system, KGC runs Setup to generate the public key and master secret key. Then, KGC can run KeyGen to generate secret keys according to the user's attribute sets. VO specifies the policy and runs Encryption to encrypt data and then publishes the encrypted data to RSU or CC. VO, CC and RSU can use the secret key received from KGC to run Decryption to get the decrypted data. Figure 2 shows the detailed data flow in our system.

Security and performance requirement
In this subsection, we propose the security and performance requirements that our system meets. In our system, both CC and RSU are curious but honest, that is, they both will transmit and process data honestly but hope to get the secret information of VO. We list the security requirements as follows:
1. Privacy of Plaintext: The ciphertext will perfectly hide the information about the plaintext. An adversary cannot get any information except the length of the plaintext without decryption;
2. Collusion Resistance: Users whose individual attribute sets do not satisfy the policy cannot decrypt the ciphertext, even if the collection of their attributes satisfies the policy. For example, Alice has the secret key for attribute set "('Number Plate': odd), ('Model': truck)", while Bob has the secret key for attribute set "('Number Plate': even), ('Model': car)". Neither attribute set satisfies the policy "('Number Plate': even) AND ('Model': truck)" on its own, so they cannot decrypt the ciphertext although the collection of their attribute sets satisfies the policy;
3. Partially Policy Hiding: The policy sent with the ciphertext only exposes the information about attribute names, but does not expose the specific attribute contents which satisfy the policy. In the actual environment, the specific value of the attributes often contains a lot of sensitive information of the user, and the attribute names are not sensitive.

Then, we introduce the performance requirements as follows:
1. Large Universe: Large universe means that the size of the public parameter has nothing to do with the size of the attribute universe. In the small universe scheme, the size of the public parameter increases linearly with the size of the attribute domain, which means that we must fix a very large public parameter at system initialization. In our system, there are a large number of attributes of CC, RSU, and VO, so our system meets the large universe requirement;
2. Efficient Decryption: In our system, VO has poor computing power. Although the computing power of RSU is stronger than that of VO, it is also insufficient. Therefore, we should minimize the amount of calculation in the decryption step to reduce the computational load of VO and RSU and reduce the calculation time.

Detail of CP-ABE scheme
The order of G is $N = p^5$, and $G_1, G_2, G_3, G_4$ are subgroups of G whose elements are all of prime order p. The detail of our CP-ABE scheme is as follows:
1. Setup($1^\lambda$): KGC inputs the security parameter and then gets the public parameters PK and the master secret key MSK. The attribute set is uniformly. Finally, the Setup algorithm outputs the PK and MSK:
2. KeyGen(PK, MSK, θ): KGC receives the user's (VO or RSU or CC) attribute set θ and returns the secret key $SK_\theta$ associated with the attribute set to the corresponding user. The attribute set of the user is $\theta = (I_S, S)$, where $I_S \in Z_p$ is the attribute name index, and $S = \{s_i\}_{i \in I_S}$ is the set of attribute values. KGC picks a random number $r \in_R Z_p$, then randomly chooses $R_3, R_3, R_{3,i} \in_R G_3$ from $g_3$, where $i \in I_S$. Finally, the algorithm can output the user's secret key:
3. Encryption(PK, M, A): VO sets the access policy A and runs the Encryption algorithm to generate the ciphertext $CT_A$, then sends the ciphertext with an access policy to RSU or CC. In the input, $M \in G_T$ denotes the plaintext. $A = (A, \rho, T)$ is an access policy, where A is a matrix with rows and n columns. ρ is a map from each row $A_j$ of A to the attribute name, and $T = (t_{\rho(1)}, t_{\rho(2)}, \ldots, t_{\rho(\ )}) \in Z_p$ is the set of attribute values. VO randomly chooses two vectors $v_1, v_2 \in_R Z_p^N$, $v_1 = (s, v_{1,2}, \ldots, v_{1,n})$ and $v_2 = (s, v_{2,2}, \ldots, v_{2,n})$, then randomly chooses $X_2, X_{2,j}, X_{1,j}, X_{1,j} \in_R G_4$ based on $g_4$ and $r_j \in_R Z_p$, where 1 ≤ j ≤ . Finally, the Encryption algorithm outputs the ciphertext:
If this equation holds, users can decrypt to get plaintext, else output ⊥.
(b) Final Decryption: Firstly, users calculate: Then users can recover the plaintext: $M = C_1/E$.
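The access structure used by Encryption, an LSSS matrix A with a row-to-name map ρ and a value set T, can be exercised on its own, without pairing arithmetic. The following added example (not code from the paper) shares a secret s over the introduction's policy, shows the policy view that accompanies the ciphertext, and checks which attribute sets can reconstruct s; the modulus, the equality-matched value labels, the user Carol and all function names are assumptions made for illustration.

```python
"""Added illustration (not the paper's code): the LSSS layer of an access
policy (A, rho, T) whose attribute names are public and values are hidden."""
import secrets

P = 2**61 - 1  # constructed prime, stands in for the group order p

# Policy from the introduction:
#   (driving age AND location) OR (gender AND vehicle type)
# Rows of each AND clause sum to the target vector (1, 0, 0).
A = [(1, 1, 0), (0, -1, 0), (1, 0, 1), (0, 0, -1)]
RHO = ["driving age", "location", "gender", "vehicle type"]  # public
T = {"driving age": "more than 4 years", "location": "Chengdu",
     "gender": "male", "vehicle type": "truck"}              # hidden


def public_view():
    """Policy as it travels with the ciphertext: names shown, values masked."""
    return [(row, name, "-") for row, name in zip(A, RHO)]


def share(secret):
    """lambda_j = A_j . v with v = (s, v_2, ..., v_n) drawn from Z_p."""
    v = [secret % P] + [secrets.randbelow(P) for _ in range(len(A[0]) - 1)]
    return [sum(a * x for a, x in zip(row, v)) % P for row in A]


def solve_coeffs(rows):
    """Find w with sum_i w[i] * rows[i] == (1, 0, ..., 0) mod P, else None."""
    if not rows:
        return None
    m, n = len(rows), len(rows[0])
    # One equation per matrix column, one unknown per selected row.
    aug = [[rows[i][c] % P for i in range(m)] + [1 if c == 0 else 0]
           for c in range(n)]
    pivots, r = [], 0
    for col in range(m):
        if r == n:
            break
        piv = next((k for k in range(r, n) if aug[k][col]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, P)
        aug[r] = [x * inv % P for x in aug[r]]
        for k in range(n):
            if k != r and aug[k][col]:
                f = aug[k][col]
                aug[k] = [(x - f * y) % P for x, y in zip(aug[k], aug[r])]
        pivots.append(col)
        r += 1
    # A zero row with a non-zero right-hand side means "not in the span".
    if any(not any(row[:m]) and row[m] for row in aug):
        return None
    w = [0] * m
    for i, col in enumerate(pivots):
        w[col] = aug[i][m]
    return w


def matching_rows(attrs):
    """Rows j with t_rho(j) == s_rho(j). Assumption: this plain comparison
    stands in for the scheme's decryption test; T is never sent in clear."""
    return [j for j, name in enumerate(RHO) if attrs.get(name) == T[name]]


def recover(shares, attrs):
    """Reconstruct s from the shares of matching rows, or None if unauthorized."""
    idx = matching_rows(attrs)
    w = solve_coeffs([A[j] for j in idx])
    if w is None:
        return None
    return sum(wi * shares[j] for wi, j in zip(w, idx)) % P


# Attribute sets from the introduction, plus Carol (constructed), who matches
# one attribute in each clause but satisfies neither clause.
BOB = {"gender": "male", "vehicle type": "truck", "driving age": "3 years"}
LINA = {"driving age": "5 years", "gender": "female", "vehicle type": "car"}
CAROL = {"driving age": "more than 4 years", "vehicle type": "truck"}

if __name__ == "__main__":
    shares = share(42)
    for name, attrs in (("Bob", BOB), ("Lina", LINA), ("Carol", CAROL)):
        print(name, recover(shares, attrs))
    print(public_view())
```

This covers only the secret-sharing layer: collusion resistance and the hiding of T rely on the group elements of the scheme, which the example does not model.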

Correctness of scheme
The correctness of CP-ABE means that the user can decrypt to recover the plaintext only when his attribute set satisfies the access policy. For the Test phase in Decryption, if the user's attribute set satisfies the access policy, then we have: If and only if $t_{\rho(i)} = s_{\rho(i)}$ for $i \in I$, we have: and $e(C_2, K) = e(g_1^{s} X_2, R_3\, g_1^{a} g_1^{br}) = e(g_1, g_1)^{as+brs}$.
Similarly, for the Final Decryption phase in Decryption, we have: Then, we can calculate: and $e(C_1, K) = e(g_1^{s}, R_3\, g_1^{a} g_1^{br}) = e(g_1, g_1)^{as+brs}$.
Finally, we can calculate $E = \frac{e(g_1, g_1)^{as+brs}}{e(g_1, g_1)^{brs}} = e(g_1, g_1)^{as} = Y^{s}$ and then recover the plaintext

Security proof
In this section, we firstly give our security model. Then, we introduce our assumption and the proving process. Finally, we analyze the security for our VFC system.

Security model for CP-ABE
In this section, we define the adaptive security for our scheme. The game between an adversary A and a challenger B is:
1. Setup: B executes Setup($1^\lambda$) to get the public key PK and master secret key MSK. Then, B sends PK to A;
2. Phase1: A submits some attribute sets $\theta = (I_S, S)$. B runs KeyGen(PK, MK, θ) to generate secret keys $SK_\theta$ and transmits them to A;
3. Challenge: A chooses two messages $M_0$ and $M_1$. Then, A chooses two access policies $A_0 = (A, \rho, T_0)$ and $A_1 = (A, \rho, T_1)$ and sends the access policies with the messages to B. Both access policies should not be satisfied by the attribute sets queried in Phase1. B randomly chooses $b \in \{0, 1\}$. Then, B runs Encryption(PK, The same as Phase1, except the queried attribute sets should not satisfy the $A_0$ and $A_1$ in Challenge;

Guess
The advantage of A winning the game is defined as $\mathrm{Adv}_A = |\Pr[b' = b] - 1/2|$.

Assumptions
According to lemma 1, G L (5, 2) satisfies the subgroup decision assumption. Then, we have the following assumptions.
Assumption 1 For the group generator G L (5, 2), define the following distribution: Then we choose: The advantage for an algorithm A to distinguish X 1 and X 2 is defined as: If Adv1 G L (5,2),A (λ) is negligible, the group generator G L (5, 2) satisfies Assumption 1.
Assumption 2 For the group generator G L (5, 2), define the following distribution: Then we choose: D = ( p, G, G t , e, g 1 , P 1 P 2 , Q 2 Q 3 , P 3 , P 4 ) , The advantage for an algorithm A to distinguish X 1 and X 2 is defined: If Adv2 G L (5,2),A (λ) is negligible, the group generator G L (5, 2) satisfies Assumption 2.
Assumption 3 For the group generator G L (5, 2), define the following distribution: Then, we choose: D = p, G, G t , e, g 1 , g 2 , g a 1 P 2 , g b 1 Q 2 , P 3 , P 4 , The advantage for an algorithm A to distinguish X 1 and X 2 is defined: If Adv3 G L (5,2),A (λ) is negligible, the group generator G L (5, 2) satisfies Assumption 3.
Assumption 4 For the group generator G L (5, 2), define the following distribution: Then, we choose: The advantage for an algorithm A to distinguish X 1 and X 2 is defined: If Adv4 G L (5,2),A (λ) is negligible, the group generator G L (5, 2) satisfies Assumption 4.

Proof in detail
In this subsection, we first introduce the core theorem for the security proof. Then, we define the structure of the secret key and ciphertext in the security proof. Finally, we construct a series of games and prove the indistinguishability between these games through six lemmas.
Theorem If Assumptions 1 to 4 hold, then our CP-ABE scheme can be proved adaptively secure in the standard model.

Proof
We use subgroup G 2 , which is not used in the normal CP-ABE construction, to help prove the security.
Firstly, we generate the semi-functional ciphertext. We first choose $y, y \in_R Z_p$ and $w, w \in_R Z_p^n$ randomly. Then, we choose three random numbers $z_i \in_R Z_p$ related to attributes and $\alpha_i, \alpha_i \in_R Z_p$ related to the rows of the matrix A in the access policy. Then construct the semi-functional ciphertext: Secondly, we hope to generate three types of semi-functional keys. We choose $d, d \in_R Z_p$ and $\{d_i \in_R Z_p\}_{i \in I_S}$ randomly. Then, set three types of semi-functional keys: Using these semi-functional keys and ciphertext, we can construct a list of games. We define q to be the maximum number of key queries, and q ≥ k ≥ 1. Then, we can construct the sequence of games as follows:
1. Game$_{Real}$: In this game, both the secret keys queried by the adversary and the ciphertext are the same as the normal secret keys and ciphertext in our CP-ABE scheme.
2. Game$_{0,3}$: In this game, the secret keys queried by the adversary are the same as the normal secret keys in the above scheme. Set the challenge ciphertext to be the semi-functional ciphertext.
3. Game$_{k,1}$: In this game, the first k − 1 secret keys queried by the adversary are semi-key$_3$. The kth secret key is semi-key$_1$. The rest of the secret keys are the same as the normal secret keys in the above scheme. Set the challenge ciphertext to be the semi-functional ciphertext.
4. Game$_{k,2}$: In this game, the first k − 1 secret keys queried by the adversary are semi-key$_3$. Set the kth secret key to be semi-key$_2$. The rest of the secret keys are the same as the normal secret keys in the above scheme. Set the challenge ciphertext to be the semi-functional ciphertext.
5. Game$_{k,3}$: In this game, the first k secret keys queried by the adversary are semi-key$_3$. The rest of the secret keys are the same as the normal secret keys in the above scheme. Set the challenge ciphertext to be the semi-functional ciphertext.
6. Game$_{Final_0}$: In this game, all queried secret keys are semi-key$_3$. Set the challenge ciphertext to be the semi-functional encryption of a random message which is independent of $M_0$ and $M_1$.
7. Game$_{Final_1}$: This game is similar to Game$_{Final_0}$. The only difference is that $D_{1,j}$ and $D_{2,j}$ are random elements in $G_1 \times G_2 \times G_4$. Set the challenge ciphertext to be independent of attribute sets $T_0$ and $T_1$. Hence, the advantage of the adversary is 0.
Finally, we propose 6 lemmas to connect above games. The target is to prove Game Real and Game Final 1 are indistinguishable, so Theorem holds; then, our scheme is secure.
Lemma 2 Based on Assumption 1, Game Real and Game 0,3 are computationally indistinguishable.
Proof Suppose there exists an adversary A satisfying |Game Real Adv A − Game 0,3 Adv A | = . We can construct a simulator B with Adv1 G L (5,2),B (λ) = to break Assumption 1. B is given g 1 , g 3 , g 4 , V and simulates Game Real or Game 0,3 .
Setup: B randomly chooses $a, b, a_0 \in Z_p$ and $Z_4 \in G_4$. Then, B sets $Y = e(g_1, g_1)^a$, $h_1 = g_1^{a_0}$, $Z = h_1 Z_4$ and sends $PK = (p, g_1, g_1^b, Y, Z, g_4)$ to A.
Phase 1: B generates secret keys which are the same as the secret keys generated in our CP-ABE scheme from $MK = (a, h_1, g_3)$ and can answer the key queries from A.
Challenge A submits two messages M 0 , M 1 of equal length and two access structures A 0 = (A, ρ, T 0 ) , A 1 = (A, ρ, T 1 ) where A 0 , A 1 cannot be satisfied by any attribute set queried in phase 1. B randomly chooses β ∈ {0, 1} and does:
If V ← G 1 , B simulates Game Real . Phase 2 B does the same operation as Phase 1 with the restriction that the queried attribute sets cannot satisfy A 0 and A 1 . When V ← G 1 , G 2 , B simulates Game 0,3 . When V ← G 1 , B simulates Game Real . Then, V can be distinguished by B with the advantage Adv1 G L (5,2),A (λ) = .
Setup: B randomly picks $a, b, a_0 \in_R Z_p$ and $Z_4 \in_R G_4$. Then, it sets $Y = e(g_1, g_1)^a$, $h_1 = g_1^{a_0}$, $Z = h_1 Z_4$. B sends $PK = (p, g_1, g_1^b, Y, Z, g_4)$, and only B knows $MK = (a, h_1, g_3)$.
Phase 2: B works the same as Phase 1 under a different restriction that all of the queried attribute sets cannot satisfy A 0 and A 1 . If V ← G 1 , G 2 , G 3 , B simulates Game k,1 . If V ← G 1 , G 3 , B simulates Game k−1,3 . Then, V can be distinguished by B with the advantage Adv2 G L (5,2),A (λ) = .
Lemma 4 Based on Assumption 2, Game k,1 and Game k,2 are computationally indistinguishable.
Proof Suppose there exists an adversary A satisfying We can construct a simulator B with Adv2 G L (5,2),A (λ) = to break Assumption 2. Given g 1 , P 1 P 2 , Q 2 Q 3 , P 3 , P 4 , V, B can simulate Game k,1 or Game k,2 .
Setup: B randomly chooses $a, b, a_0 \in_R Z_p$ and $Z_4 \in_R G_4$. Set $Y = e(g_1, g_1)^a$, $h_1 = g_1^{a_0}$, $Z = h_1 Z_4$, and send A
Phase 1: To answer the jth key query where j ≠ k, B does the same as in the Proof of Lemma 3.
To answer the jth key query where j = k, B does the same operations like Proof of Lemma 3, but randomly picks e ∈ R Z p and sets K = g a Here (Q 2 Q 3 ) e term was added to randomize the G 2 part of K , which is the only difference between this proof and Proof of Lemma 3. If V ← G 1 , G 2 , G 3 , this is a properly distributed semi-key 1 . If V ← G 1 , G 3 , this is a properly distributed semi-key 2 .
Challenge: The same as Challenge in Proof of Lemma 3. Phase 2: B works the same as Phase 1 under a different restriction that all of the queried attribute sets cannot satisfy A 0 and A 1 . If V ← G 1 , G 2 , G 3 , B simulates Game k,1 . If V ← G 1 , G 3 , B simulates Game k,2 . Then, V can be distinguished by B with the advantage Adv2 G L (5,2),A (λ) = .
Lemma 5 Based on Assumption 2, Game k,2 and Game k,3 are computationally indistinguishable.
Proof Suppose there exists an adversary A satisfying |Game k,2 Adv A − Game k,3 Adv A | = .
We can construct a simulator B with Adv2 G L (5,2),A (λ) = to break Assumption 2. Given $g_1, P_1P_2, Q_2Q_3, P_3, P_4, V$, B can simulate Game$_{k,2}$ or Game$_{k,3}$.
Setup: B randomly chooses $a, b, a_0 \in_R Z_p$ and $Z_4 \in_R G_4$. Set $Y = e(g_1, g_1)^a$, $h_1 = g_1^{a_0}$, $Z = h_1 Z_4$, and send A the $PK = (p, g_1, g_1^b, Y, Z, g_4)$.
Phase 1: To answer the jth key query where j ≠ k, B does the same as in the Proof of Lemma 3.
To answer the jth key query where j = k, B chooses f , e ∈ R Z p , R, R , R i ∈ R G 3 and calculates: This is a properly distributed semi-key 3 . If V ← G 1 , G 3 , this is a properly distributed semi-key 2 . Challenge: The same as Challenge in Proof of Lemma 3. Phase 2: B works the same as Phase 1 under a different restriction that all of the queried attribute sets cannot satisfy A 0 and A 1 . If V ← G 1 , G 2 , G 3 , B simulates Game k,3 . If V ← G 1 , G 3 , B simulates Game k,2 . Then, V can be distinguished by B with the advantage Adv2 G L (5,2),A (λ) = .
Lemma 6 Based on Assumption 3, Game q,3 and Game Final 0 are computationally indistinguishable.
Proof Suppose there exists an adversary A satisfying We can construct a simulator B with Adv3 G L (5,2),A (λ) = to break Assumption 3. Given g 1 , g 2 , g a 1 P 2 , g s 1 Q 2 , P 3 , P 4 , V , B can simulate Game q,3 or Game Final 0 .
Setup: B randomly chooses b, a 0 ∈ R Z p and Z 4 ∈ R G 4 . Then B sets Y = e g 1 , g a 1 P 2 , h 1 = g a 0 1 , Z = h 1 Z 4 , and send A P K = p, g 1 , g b 1 , Y , Z, g 4 . Phase 1: To answer the key queries and the normal keys for θ = (I S , S) with S = {s i } i∈I S , B chooses r ,d, d ∈ R Z p , {d i ∈ R Z p } i∈I S , and R 3 , R 3 , R 3,i ∈ R G 3 , then creates semi-key 3 : K = g a 1 P 2 g br 1 R 3 gd 2 = g a 1 g br 1 R 3 g d 2 , where g d 2 = P 2 gd 2 .

Fig. 3 Encryption cost

where 1 ≤ j ≤ . 4. B sends the challenge ciphertext CT A to A.
If g s 1 Q 2 = g s 1 g y 2 , then we have the challenge ciphertext as follows: Phase 2: B works the same as Phase 1 under a different restriction that all of the queried attribute sets cannot satisfy A 0 and A 1 . If T = e (g 1 , g 1 ) as , the distribution of challenge ciphertext is identical to the distribution of semi-functional encryption of M β , so B simulates Game q,3 . Otherwise, the distribution of challenge ciphertext is identical to the distribution of semi-functional encryption of a random message in G t , so B simulates Game Final 0 . Then, T can be distinguished by B with the advantage Adv3 G L (5,2),A (λ) = .
Lemma 7 Based on Assumption 4, Game Final 0 and Game Final 1 are computationally indistinguishable.
Proof Suppose there exists an adversary A satisfying We can construct a simulator B with Adv4 G L (5,2),A (λ) = to break Assumption 4. Given g 1 , g 2 , R 2 g t 1 , P 2 h t 1 , P 3 , P 4 , h 1 Z 4 , g r 1 S 2 S 4 , V, B can simulate Game Final 0 or Game Final 1 .
Setup: B randomly chooses a, b ∈ R Z p. Then B sets Y = e(g 1 , g 1 ) a , Z = h 1 Z 4 , and sends A PK = (p, g 1 , g b 1 , Y, Z, g 4 ).

Phase 1: When A asks for a key for θ = (I S , S) with S = {s i } i∈I S , B randomly picks t ∈ R Z p , and R 3,i , R 3 , R 3 ∈ R G 3 for i ∈ I S , then sets semi-key 3 as follows: In fact, K = g a 1 g bt 1 R 3 g d 2 , {K i = g s i 1 h 1 t R 3,i g d i 2 } i∈I S , K = g 1 R 3 g d 2 , where t = t t, g d 2 = R bt 2 , g d 2 = Rt 2 , g d i 2 = R s it 2 Pt 2 .
this scheme is inefficient because they use composite order groups as the basic group. We further compare our scheme with the schemes of Lai et al. (2012) and Zhang et al. (2018). Both Lai et al. (2012) and Zhang et al. (2018) use composite order groups, which are very inefficient compared with prime order groups. According to the analysis of De Caro and Iovino (2011), to satisfy the security level equivalent to 1024-bit discrete logarithm security, we should choose prime order groups with 512-bit elements or 4-prime composite order groups with 1024-bit elements. (Elements in every prime order subgroup are 256 bits.)

We test the time of exponentiation in G 1 , the time of exponentiation in G t , and the time of pairing on a laptop (with a 1.4 GHz Intel i5-8257U CPU and 16 GB RAM) running macOS Big Sur 11.0.1 and the Java pairing-based cryptography library 2.0.0 (De Caro and Iovino 2011). We choose Type A1 pairings and Type A pairings, which are both built on the curve $y^2 = x^3 + x$. In Table 3, we show the comparison of calculating time between the composite order group and the prime order group. Then we compare our scheme with the schemes of Lai et al. (2012) and Zhang et al. (2018) in detail in Table 4. The definitions of the notations in the table are as follows:

- G: is a composite order group of order N which is the product of 4 prime numbers and every prime is 256 bits. The elements in G and its subgroups are 1024 bits in length;
- G: is a prime order group of order p, where p is a 160-bit prime, and the elements in G are 512 bits;
- : denotes the number of rows in the matrix A in access policy;
- |I |: denotes the size of the minimum authorized attribute set;
- Exp G : denotes the time of exponentiation in G;
- Exp G t : denotes the time of exponentiation in G t ;
- Exp G : denotes the time of exponentiation in G;
- Exp G t : denotes the time of exponentiation in G t ;
- Pair c : denotes the time of pairing in composite order group G;
- Pair p : denotes the time of pairing in prime order group G;

Although the size of the ciphertext in our scheme is larger than in the schemes of Zhang et al. (2018) and Lai et al. (2012), the computation in encryption, decryption test, and decryption is faster than in both schemes. The comparison details of encryption, decryption test, and decryption are shown in Figs. 3, 4 and 5. In Fig. 3, we show that our scheme is about 3.4 times faster than the scheme of Zhang et al. (2018) in the encryption phase. In Fig. 4, we show that our scheme is about 3 times faster than the scheme of Zhang et al. (2018) in the decryption test phase, and in Fig. 5 we show that ours is about 2 times faster in the decryption phase. In summary, our scheme is more efficient than existing schemes in computation cost. Besides, we prove that our scheme is adaptively secure in the standard model and can partially hide attributes in the access policy with an efficient decryption test before decryption. Therefore, our scheme is suitable for the smart transportation environment.
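The timing comparison between Type A1 (composite order) and Type A (prime order) pairings described above can be reproduced with a harness like the one below. It is an added example, not the authors' benchmark code: it uses the JPBC 2.0.0 API with the parameter sizes stated on this page, and the class name, warm-up count and round count are assumptions.

```java
import it.unisa.dia.gas.jpbc.Element;
import it.unisa.dia.gas.jpbc.Pairing;
import it.unisa.dia.gas.jpbc.PairingParameters;
import it.unisa.dia.gas.plaf.jpbc.pairing.PairingFactory;
import it.unisa.dia.gas.plaf.jpbc.pairing.a.TypeACurveGenerator;
import it.unisa.dia.gas.plaf.jpbc.pairing.a1.TypeA1CurveGenerator;

public class PairingCostBench {
    // Assumed iteration counts; raise ROUNDS for more stable averages.
    static final int WARMUP = 20, ROUNDS = 100;

    /** Mean wall-clock milliseconds per call of op, measured after a JIT warm-up. */
    static double meanMs(Runnable op) {
        for (int i = 0; i < WARMUP; i++) op.run();
        long start = System.nanoTime();
        for (int i = 0; i < ROUNDS; i++) op.run();
        return (System.nanoTime() - start) / 1e6 / ROUNDS;
    }

    static void bench(String label, PairingParameters params) {
        Pairing pairing = PairingFactory.getPairing(params);
        // Immutable elements return a fresh result on every operation,
        // so each timed call repeats exactly the same work.
        Element g = pairing.getG1().newRandomElement().getImmutable();
        Element h = pairing.getG1().newRandomElement().getImmutable();
        Element gt = pairing.pairing(g, h).getImmutable();
        Element x = pairing.getZr().newRandomElement().getImmutable();

        double expG = meanMs(() -> g.powZn(x));            // exponentiation in G1
        double expGt = meanMs(() -> gt.powZn(x));          // exponentiation in Gt
        double pair = meanMs(() -> pairing.pairing(g, h)); // one pairing
        System.out.printf("%-20s Exp_G %.2f ms  Exp_Gt %.2f ms  Pair %.2f ms%n",
                label, expG, expGt, pair);
    }

    public static void main(String[] args) {
        // Type A1: composite order N, the product of 4 primes of 256 bits each.
        bench("Type A1 (composite)", new TypeA1CurveGenerator(4, 256).generate());
        // Type A: prime group order of 160 bits over a 512-bit base field.
        bench("Type A (prime)", new TypeACurveGenerator(160, 512).generate());
    }
}
```

Generating the Type A1 parameters requires a search for suitable primes, so start-up takes noticeably longer than the timed operations themselves.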

Conclusion
We summarized the overall architecture of VFC and the security requirements of VFC. Then, we proposed a CP-ABE scheme based on the prime order bilinear pairing group for the security requirements of VFC. After that, we proved its adaptive security under the standard model. Finally, a performance analysis was made.
However, some open problems remain. The ciphertext is too large, which makes the scheme unsuitable for storage-limited devices. How to reduce the length of the ciphertext is an open problem. Besides, the number of pairing operations in the decryption phase grows with the minimum number of attributes required in the access policy, which is not efficient enough. How to reduce the number of pairing operations in the decryption phase to a constant level is also worth studying.