I Introduction
It was estimated that data breaches cost the United States’ healthcare industry approximately $6.2 billion in 2016 alone
[1]. To mitigate financial loss and implications on the reputation associated with data breaches, large multilevel organizations, such as healthcare networks, government agencies, banking institutions, commercial enterprises and etc., began allocating resources into data security research to develop and improve accessibility and storage of highly sensitive data.One major way that large enterprises are adapting to increased sensitive data management is the utilization of the cloud environment. It was reported that more than half of all U.S. businesses have turned over to the cloud for their business data management needs [2]. The ondemand cloud access and data sharing can greatly reduce data management cost, storage flexibility, and capacity [3]. However, data owners have deep concerns when sharing data on the cloud due to security issues. Once uploaded and shared, the data owner inevitably loses control over the data, opening the door to unauthorized data access.
A critical issue for data owners is how to efficiently and securely grant privilege levelbased access rights to a set of data. Data owners are becoming more interested in selectively sharing information with data users based on different levels of granted privileges. The desire to grant levelbased access results in higher computational complexity and complicates the methods in which data is shared on the cloud. Research in this field focuses on finding enhanced schemes that can securely, efficiently and intelligently share data on the cloud among users according to granted access levels.
Based on a study conducted by the National Institute of Standards and Technology (NIST), RoleBased Access Control (RBAC) models are the most widely used to share data in hierarchical enterprises of 500 or more individuals [4]. RBAC models aim to restrict system access to authorized users as they provide access control mechanisms. The access control mechanisms are based on predefined and fixed roles making the models identitycentric. Each individual within the organization is assigned to a role that defines the user’s privileges. However, the limitations of this model are evident when presented with a large complex matrix of data users in an organization. The foundation of RBAC is based on abstract choices for roles. This would require a continuously increasing number of RBAC roles to properly encapsulate the privileges assigned to each user of the system. Managing a substantial number of rules can become a resourceintensive task, referred to as role explosion [5].
To better comprehend the importance of this study, consider the scenario where patients share their Public Health Records (PHR) on the cloud to be accessed by health providers and administrators of a hospital. In most cases, the patient wishes to grant the physician access to most parts of the PHR (including its most sensitive parts, e.g. medical history) while granting an administrator access to limited parts that are less sensitive (e.g. date of birth). In order to achieve that, the patient needs to define a hierarchy of data access privileges ranking various types of hospital employees. Next, the patient needs to clarify the privileges at each level to define what each data user can access. It is important to realize that each patient may wish to encrypt his/her PHR differently. For example, the patient might grant access to the most sensitive parts of his/her PHR to only specific physicians while denying others. This allows the patient full control in defining the hierarchy, which is not fixed or predefined by the hospital.
In this paper, a Privilegebased Multilevel Organizational Datasharing scheme (PMOD) is proposed to solve the problems of sharing data within organizations with complex hierarchies. First, the scheme proposes to partition a data file into multiple parts of different sensitivity. Next, each part is symmetrically encrypted. The keys used in encryption serve as the actual data shared to users. The scheme then proposes an access structure that ranks data users of an organization into different privileged levels. Each level is associated with an access tree that defines the privileges pertaining to data users at each specific level. Each part of the data file is then encrypted once in a hierarchical manner to grant different access rights to the users based on their level within the hierarchy. The process of encryption and decryption is based on an Attribute Based Encryption (ABE) architecture that can achieve finegranularity when assigning privileges.
The rest of this paper is organized as follows. In Section II, the related work is reviewed. In Section III, preliminaries are introduced that summarize key concepts used in this research. Next, in Section IV, the problem formulation is described outlining the system model and design goals. In Section V, the proposed scheme, PMOD is introduced. Following that, in Section VI we formally prove the security of PMOD based on the hardness of the Decisional Bilinear DiffieHellman (DBDH) problem. In Section VII, performance analysis of PMOD is conducted and compared with two other schemes [6, 7]. Finally, in Section IX, a conclusion is drawn to summarize the work done in this research.
Ii Related Work
Fuzzy IdentityBase Encryption (Fuzzy IBE) was introduced in [8] to handle data sharing on the cloud in a flexible approach using encryption. The ciphertext is shared on the cloud to restrict access to authorized users. In order for an authorized individual to obtain the data, the user must request a private key from a keyissuer to decrypt the encrypted data. Fuzzy IBE is a specific type of function encryption [9] in which both the data user’s private key and ciphertext are affiliated with attributes. Attributes are descriptive pieces of information that can be assigned to any user or object. Since attributes can be any variable, they provide more flexibility when granting data access. The scheme enables a set of descriptive attributes to be associated with a data user’s private key and the ciphertext shared on the cloud. If the data user’s private key incorporates the minimum threshold requirement of attributes that match those integrated within the ciphertext, the data user can decrypt it. Although this scheme allows complex systems to be easily defined using attributes, it becomes less efficient when used to express large systems or when the number of attributes increases.
AttributeBased Encryption (ABE) schemes later emerged to provide more versatility when sharing data. These schemes integrate two types of constructs: attributes and access policies. Access policies are statements that join attributes to express which users of the system are granted access and which users are denied. ABE schemes were introduced via two different approaches: KeyPolicy AttributeBased Encryption (KPABE) and Ciphertext Policy AttributeBased Encryption (CPABE). KPABE was initially introduced in [10]. In KPABE, each ciphertext is labeled with a set of descriptive attributes, while each private key is integrated with an access policy. For authorized data users to decrypt the ciphertext, they must first obtain a private key from the keyissuer to use in decryption. The keyissuer integrates the access policy into the keys generated. Data users can successfully decrypt a ciphertext if the set of descriptive attributes associated with the ciphertext satisfies the access policy integrated within their private keys. KPABE can achieve finegrained access control and is more flexible than Fuzzy IBE. However, the data owner must trust the keyissuer to only issue private keys to data users granted the privilege of access. This is a limitation since the data owner ultimately forfeits control over which data users are granted access.
CPABE is another approach that was later proposed in [7]. It is considered to be conceptually similar to RoleBased Access Control (RBAC) [11]. However, CPABE gives the data owner control over which data user is able to decrypt certain ciphertexts. This is due to the access structure being integrated by the data owner into the ciphertext during encryption. It allows the private key generated by the keyissuer to only contain the set of attributes possessed by the data user. Several enhanced CPABE schemes [12, 13, 14, 15] were later introduced that can provide higher flexibility and better efficiency.
Most attributebased encryption schemes such as Fuzzy IBE, KPABE, and CPABE serve as a better solution when data users are not ranked into a hierarchy and each is independent of one another (i.e. no relationships). However, they share a common limitation of high computational complexity in the case of large multilevel organizations. These schemes require a single data file to be encrypted with a large number of attributes (from different levels) to grant them access to it.
Hierarchical AttributeBased Encryption (HABE) that combines the Hierarchical IdentityBased Encryption (HIBE) [16] scheme and CPABE was later introduced in [17]. HABE is able to achieve finegrained access control in a hierarchical organization. It consists of a root master that generates and distributes parameters and keys, multiple domain masters that delegate keys to domain masters at the following levels, and numerous users. In this scheme, keys are generated in the same hierarchical key generation approach as the HIBE scheme. To express an access policy, HABE uses a disjunctive normal form where all attributes are administered from the same domain authority into one conjunctive clause. This scheme becomes unsuitable for practical implementation when replicas of the same attributes are administered by other domain authorities. Synchronizing attribute administration might become a challenging issue with complex organizations that have multiple domain authorities. Examples of other hierarchical schemes were introduced in [18, 19].
File Hierarchy Ciphertext Policy AttributeBased Encryption (FHCPABE) scheme was introduced in [6]. FHCPABE proposes a leveled access structure to manage a hierarchical organization that shares data of various sensitivity. A single access structure was proposed that represents both the hierarchy and the access policies of an organization. This access structure consists of a root node, transport nodes, and leaf nodes. The root node and transport nodes are in the form of gates (i.e. AND or OR). The leaf nodes represent attributes that are possessed by data users. Based on the possession of certain attributes, each data user is mapped into specific transport nodes (certain levels within the hierarchy) based on the access structure that the user satisfies. If the data user satisfies a full branch of the access structure, then the data user is ranked at the root node (highest level within the hierarchy). Data users ranked at the highest level (root node) can decrypt a ciphertext of highest sensitivity and any other ciphertext with less sensitivity in the lower levels of the hierarchy. The nodes ranked in the lower levels (transport nodes) can not decrypt any ciphertexts in the levels above. The main advantage of this scheme is that it provides leveled access structures which are integrated into a single access structure. As a result, storage space is saved as only one copy of the ciphertext is needed to be shared on the cloud for all data users. However, since this scheme uses a single access structure to represent the full hierarchy, the higher levels are forced to accommodate attributes of all the levels below. As the number of levels increases in the hierarchy, the number of attributes grows exponentially making this scheme infeasible on a large scale. The authors in this work also propose a simplified and reduced access structure to reduce the computational complexity. They achieve this by removing all branches of the single access structure while keeping one full branch. The full branch consists of the root node, a set of transport nodes (one for each level), and the leaf nodes (attributes). They claim that not all nodes in the hierarchy carry information and therefore could be removed. However, this claim is only applicable to the case where the highest transport node of each branch to be removed is an OR gate. This is the least complicated scenario. In the case where the highest transport node of each branch consists of an AND gate, this solution is not applicable. Removing branches that consist of AND gates would change the access policies defined. In real applications, relationships within an organization are often built in a crossfunctional matrix, making this a complicated solution when assigning privileges.
Iii Preliminaries
This section introduces the preliminaries.
Iiia Cryptographic Hash Function
A cryptographic hash function is a mathematical algorithm that maps data of arbitrary size to a bit string of fixed size. It is cryptographically secure if it satisfies the following requirements:

PreimageResistance: It should be computationally infeasible to find any input for any prespecified output which hashes to that output, i.e. for any given , it should be computationally infeasible to find an such that .

Week Collision Resistance: For any given , it should be computationally infeasible to find such that [20].
IiiB Bilinear Maps
Let and be two multiplicative cyclic groups of the same prime order . The generator of is denoted as . A bilinear map from to is a function that satisfies the following properties:

Bilinearity: for any .

Symmetry: for any .

Nondegeneracy: .

Computability: is an efficiently computable algorithm.
IiiC Decisional Bilinear DiffieHellman (DBDH) Assumption
The DBDH assumption [23] is a computational hardness assumption and is defined as follows:
Let be a group of prime order , be a generator, and be chosen at random.
It is infeasible for the adversary to distinguish between any given and , where is a random element and denotes a random selection. An algorithm that outputs a guess , has advantage in solving the DBDH problem in if:
(1) 
The DBDH assumption holds if no polynomial algorithm has a nonnegligible advantage in solving the DBDH problem.
IiiD Access Structure
An access structure [24] represents access policies for a set of individuals interested in gaining individual access to a secret. The access structure defines sets of attributes that can be possessed by a single individual to allow access to the secret. It is defined as follows:
Let be a set of parties. A set of parties that can reconstruct the secret is defined as a collection. The collection is monotone meaning that, if then and implies . An access structure is a monotone collection of nonempty subsets , i.e., . The sets in are called the authorized sets and the sets not in are called the unauthorized sets.
In this paper, we use parties to represent the attributes. This means that an access structure may consist of both authorized and unauthorized sets of attributes.
IiiE Leveled Access Tree
An access tree at level represents an access structure that determines whether a data user can decrypt the ciphertext at that level or not. A may consist of multiple nodes. We use to represent the node of . The nonleaf nodes of are in the form of threshold gates, while the leaf nodes represent possible attribute values possessed by data users.
For every node , a threshold value is assigned. A node in the form of an gate is associated with a threshold value , where represents the number of children of node . A node in the form of an gate or any leaf node representing an attribute is associated with a threshold value .
The root node of each carries a secret . The data user that possesses the correct set of attributes can satisfy and obtain .
Iv Problem Formulation
The data owner (DO) owns a data file and wishes to share selective parts of it within an organization O. The is assumed to consist of either a single record or multiple records, where each record is composed of one or more record attributes. The O consists of a large set of data users (DU), where DU = and represents the number of data users. Data users in the set DU are ranked into a hierarchy H to define their privileges and which parts of they can gain access to. The H is not fixed nor predefined. It is defined by the DO as he/she encrypts his/her . In other words, the DO ranks the set DU in the O based on his/her personal needs. The DO defines the H based on an infinite pool of attributes. This means that the DO can rank the set DU according to his/her possession of specific attributes sets. It is important to realize that the DO has the complete freedom to define the H with any set of attributes without personally knowing any of the data users in set DU or what they possess in terms of attribute sets. The H consists of multiple levels , where . represents the highest rank while represents the lowest rank. At each level of the H, the DO defines a leveled access tree , where . Each possesses a set of attributes that ranks them within a certain level of H. The uses his/her set to request a unique private key from the keyissuer to use for decryption.
The challenge is to provide a secure and efficient scheme for the DO to share different segments of among a set DU, where each user is ranked differently in H. Each segment of has a sensitivity value that defines which users can gain access to it based on their rank within H. A user at any given level can gain access to only the segment at his/her level and all the segments from the respective levels below.
Symbol  Definition 

DO  A data owner 
O  An organization that consists of multiple data users 
H  The hierarchical layout of the O 
The level within H where  
The access tree at where  
The data file part where  
The symmetric key used to encrypt where  
The encrypted under where  
The ciphertext (encrypt under ) at where  
The data user in set DU where  
The data user’s private key where  
The attribute within the data user’s attribute set where and  
The node of where and  
Threshold value of where and 
Iva System Model
The general model of privilegebased data sharing among data users of an organization is illustrated in Fig. 1. In the figure, data users ranked at the higher levels (i.e. possess more privileges) within the hierarchy are granted access to more sensitive data than those ranked at lower levels (i.e. possess fewer privileges). The system consists of four main entities: keyissuer, cloud server, data owner, and data user.

Keyissuer: A fully trusted entity that grants private keys to data users in a system after authenticating their privileges.

Cloud server: A nontrusted entity used to store ciphertexts.

Data owner: An individual that owns a data file and wishes to share it with multiple data users of an organization selectively based on their data access privileges.

Data user: An individual that is ranked within a hierarchy of an organization and is interested in decrypting ciphertexts on the cloud.
It is a burden on the data owner to share his/her data file on the cloud as the hierarchy grows (the access privileges increase in number) and/or as the access restrictions become more complex due to an increase in the sensitivity of the data file. The data owner wishes to share the data file on the cloud in an efficient manner that is not computationally expensive while minimizing the cloud storage space used.
A trivial solution involves the data owner to use public key encryption. Every data user’s public key is used to decrypt the part of the data file they are granted access to. This ensures that no unprivileged data user will gain access to the data file even if that user is able to download the ciphertext from the cloud server. This solution would require the data owner to encrypt the same part of the data file once for each data user he/she wishes to grant access to. On a large scale, public key encryption becomes an inefficient solution due to the increase in the number of encryptions. It also requires large amounts of storage space making it expensive.
IvB Design Goals
To provide efficient, secure, and privilegebased data sharing to individuals of an organization, we have the following design goals:

PrivilegeBased Access: Data is shared in a hierarchical manner based on user privileges. Data users with more privileges (ranked at the higher levels of the hierarchy) are granted access to more sensitive parts of than those with fewer privileges (ranked at the lower levels of the hierarchy).

Data Confidentiality: All parts of are completely protected from the data users that are not privileged (including the cloud) to access the data. Each data user is entitled to access the parts of corresponding to the level they fall in and/or any other parts corresponding to the levels below with respect to the user’s level.

Finegrained access control: The data owner has the capability to encrypt any part of using any set of descriptive attributes he/she wishes, limiting access to only authorized data users. The set of descriptive attributes is defined by the data owner at the time of encryption.

Collusion resistant: Two or more data users at the same/different level can not combine their private keys to gain access to any part of they are not authorized to access independently.
V The Proposed PMOD Scheme
This section presents the construction of PMOD. We assume that file is partitioned into parts based on data sensitivity. Each part of is independently encrypted and shared among the data users of the system under a privilegebased access structure.
Va Data File Partitioning and Encryption
The DO partitions file into a set of data sections, that is . Each is treated as a new file that is associated with a sensitivity value used to assign access rights to the data users based on their privileges.
The process of partitioning is performed based on the structure of . We assume that consists of at least one record, resulting in multiple ways to handle this process. Fig. 2 presents a typical partitioning of .
If consists of a single record, then each represents one or more record attribute(s) associated with the record, as shown in case (1) in Fig. 2. However, if consists of multiple records, then DO has flexibility in choosing how to partition it. One approach is to handle each record as a whole, where records are clustered into groups of similar sensitivity. In this case, each represents one or more record(s), as shown case (2) in Fig. 2. Alternatively, partitioning can be performed over specific record attributes, versus the whole record. In this case, represents one or more record attribute(s) of the records, as shown case (3) in Fig. 2.
Each is treated as a new data file. Suppose contains the most sensitive information of that can only be accessed by a data user at the highest level and contains the least sensitive information of that can be accessed by all data users at any level of the hierarchy.
Before the DO uploads to the cloud, each is encrypted separately using a symmetric encryption algorithm such as the Advanced Encryption Algorith (AES) [25] with a secret key to produce an encrypted file .
(2) 
For key selection, the DO randomly selects . The remaining symmetric keys are derived from using a public oneway cryptographic hash function , that is
(3) 
After is used to symmetrically encrypt , it is encrypted under PMOD that will be discussed in Section VC, to be accessed only by the data users that have been granted the privilege of access.
The privileged data users that are successful in obtaining at level can derive using equation (3). However, given the properties of hash function , cannot be used to derive any of the private keys . In other words, a data user can only obtain private keys below his/her level, but cannot obtain any private keys from the levels above.
VB PrivilegeBased Access Structure
The privilegedbased access structure divides an O into levels of privileges, . The DO defines a at each corresponding . Each is associated with the appropriate leaf nodes (attributes nodes) that define the privilege level. Each user within the set DU of O falls into a specific level based on the attributes that the data user possesses. The data user that possesses the correct set of attributes which can satisfies at is able to gain access to parts .
Fig. 3 represents the general privilegebased access structure of PMOD. At each , a may consist of nonleaf nodes and leaf nodes. The nonleaf nodes are in the form of threshold gates, represented as ‘G’, and the leaf nodes are in the form of attributes, represented as ‘A’. The figure represents a privilegebased multilevel access structure. It is important to note that each could be constructed from any number and layout of nodes based on the privileges at each level.
The data user is successful in obtaining if and only if the user possesses a correct set of attributes that satisfy or any of the access trees corresponding to the higher levels in order to obtain any of .
VC The Proposed PMOD Construction
The scheme is based on the construction presented in [7] and formally divides the process into four main functions: .
This is a probabilistic function carried out by the keyissuer. The function takes a security parameter and randomly chooses values . The outputs of this function are public key and master key defined as:
(4)  
(5) 
This is also a probabilistic function carried out by the keyissuer. The inputs to this function are generated by the function, and the data user’s attribute set , where represents the attribute within the set. The function outputs a unique private key for the data user. In order to guarantee a unique , it generates a random value and incorporates it within the private key. Based on the number of attributes in the input set , the function also generates a random value for each attribute within the set. The is defined as:
(6)  
The purpose of the randomly selected is to ensure that each is unique and the attribute components within the are associated. It should be infeasible for data users to collude by combining components of their private keys ( and ) to decrypt data beyond their individual access rights. In other words, the attribute components from different private keys cannot be combined to access unauthorized data.
,,
This is a probabilistic function carried out by the DO. The inputs to this function are , the public key generated by the function, the symmetric key derived in equation (3), and the access tree that defines the authorized set of attributes at . The output of this function is the ciphertext .
For , the function will run times, once for each . At each run, the function chooses a polynomial with degree for each node . The process of assigning polynomials to each occurs in a topbottom approach starting from the root node in . The function chooses a secret and sets the value of . Next, it randomly chooses the remaining points of the polynomial to completely define it. For any other node , the function sets the value , where is ’s parent node polynomial. The remaining points of those polynomials are then randomly chosen.
Let be the set of leaf nodes in . The at is then constructed as:
(7)  
This is a deterministic function carried out by the data user. The inputs to this function are the ciphertext generated by the function corresponding to , and the data user’s private key .
The function operates in a recursive manner propagating through the nodes in by calling a recursive function defined as . The inputs to this function are , and a node within . If the attributes incorporated within the data user’s private key satisfy the nodes within , the data user can decrypt .
performs differently depending on whether is a leaf or nonleaf node. If is a leaf node and , returns , otherwise, and is defined as:
(8)  
If is a nonleaf node, operates recursively. For each node that is a child of , is computed and the output is stored in .
This recursive function is based on Lagrange interpolation. The Lagrange coefficient
for and the set of attributes is defined as:(9) 
Let be an arbitrary sized set of child nodes such that . If no such set exists then the function returns . Otherwise, is computed using Lagrange interpolation as follows:
(10)  
where and .
If the attributes in satisfy , then the following is computed at the root node .
(11)  
To obtain from the result derived in equation (11), we compute the following:
(12) 
At this point, the data user can simply decrypt using the derived from equation (12) to obtain the plaintext as follows:
(13) 
If the data user is successful in obtaining and is interested in attaining any information in the lower levels with respect to , he/she can compute the symmetric keys of the lower level as previously mentioned in equation (3). All the data files at the lower levels are decrypted using equation (13).
Vi Security Analysis
In this section, the security of PMOD is analyzed. It is assumed that a symmetric encryption technique such as AES is used to secure each individual data file . It is also assumed that the process of attribute authentication between a data user and the keyissuer, in order for the data user to obtain a private key, is secure and efficient. Therefore, the main focus of this section is to provide a formal proof of security for PMOD based on the work presented in [23]
. The security proof provided in this section is based on ciphertext indistinguishability which proves that the adversary is not able to distinguish pairs of ciphertexts. A cryptosystem is considered to be secure under this property if the probability of an adversary to identify a data file that has been randomly selected from a twoelement data file chosen by the adversary and encrypted does not significantly exceed
. We first present an Indistinguishability under ChosenPlaintext Attack (INDCPA) security game. Next, based on the INDCPA security game, a formal proof of security is provided for PMOD.INDCPA is a game used to test for security of asymmetric key encryption algorithms. In this game, the adversary is modeled as a probabilistic polynomialtime algorithm. The algorithms in the game must be completed and the results returned within a polynomial number of time steps. The adversary will choose to be challenged on an encryption under a leveled access tree . The adversary can impersonate any data user and request many private keys . However, the game rules require that any attribute set that the adversary claims to possess does not satisfy . The security game is divided into the following steps:

Initialization: The adversary selects an access tree to be challenged against and commits to it (i.e. the adversary will not change it throughout the game).

Setup: The challenger runs the function and sends the public key to the adversary.

Phase 1: The adversary requests multiple private keys () corresponding to different sets of attributes ().

Challenge: The adversary submits two equal length data files and to the challenger. The adversary also sends such that none of () generated from Phase 1 contain correct sets of attributes that satisfy it. The challenger flips a random coin and encrypts under . Finally, the challenger sends the ciphertext generated according to equation (7) to the adversary.

Phase 2: Repeat phase 1 with the restriction that none of the newly generated private keys () corresponding to the different sets of attributes () contain correct sets of attributes that satisfy .

Guess: The adversary outputs a guess of . The adversary wins the security game if and loses otherwise.
Definition 1 (Secure against adaptively chosen plaintext attack.).
PMOD is said to be secure against an adaptively chosen plaintext attack if any polynomialtime adversary has only a negligible advantage in the security game, where the advantage is defined as .
The security of PMOD is reduced to the hardness of the DBDH problem. By proving that a single at any is secure, the whole system is proved to be secure since all ciphertexts at any level follow the same rules.
Theorem 1.
PMOD is secure against adaptively chosen plaintext attack if the DBDH assumption holds.
Proof.
Assume there is an adversary that has nonnegligible advantage . We construct a simulator that can distinguish a DBDH element from a random element with advantage . Let be an efficiently computable bilinear map and is of prime order with generator . The DBDH challenger begins by selecting the random parameters: . Let be a generator and is defined as if , and otherwise, where and . The simulator acts as the challenger in the following game:

Initialization: The simulator accepts the DBDH challenge requested by the adversary who selects an access structure .

Setup: The simulator runs the function. It chooses a random and computes the value . Next, it simulates and , where represents a simulation of the value . Finally, it sends all components of to the adversary.

Phase 1: In this phase, the adversary requests multiple private keys () corresponding to different sets of attributes (). After receiving an query for a given set where (i.e. does not satisfy ), the simulator chooses a random and defines . Next, it simulates . Then, , it selects a random and simulates and . Finally, the simulated values of are sent to the adversary.

Challenge: The adversary sends two plaintext data files and to the simulator who randomly chooses a by flipping a coin to select one of the files. The simulator then runs the function and derives a ciphertext . It simulates , where represents a simulation of the value and . Next, it simulates . Finally, for each attribute (set of leaf nodes in ) it computes and . The simulated values of are then sent to the adversary.

Phase 2: Repeat Phase 1.

Guess: The adversary tries to guess the value . If the adversary guesses the correct value, the simulator outputs 0 to indicate that , or 1 to indicate that , a random group element in .
Given a simulator , if , then is a valid ciphertext, and
(14) 
If then is nothing more than a random value to the adversary. Therefore,
(15) 
(16) 
Therefore, the simulator plays the DBDH game with a nonnegligible advantage and the proof is complete. ∎
Vii Performance Analysis
In this section, we present a performance analysis for PMOD. We compare it with two existing schemes, CPABE [7] and FHCPABE [6].
Viia CPABE in a Hierarchical Organization
CPABE [7] handles sharing of independent pieces of data based on independent access policies. It was not designed to support a privilegebased access structure (i.e. hierarchical organization). Therefore, to adapt CPABE to a privilegebased access structure, the function runs once for each level. However, if it were to be used in a hierarchical organization, there would be a trade off between the key management and the complexity of the encryption and decryption processes. Fig. 4 shows the two general cases in which CPABE is utilized to share data with users in a hierarchical organization.
In case (1), key management is favored over encryption and decryption complexities. The individuals at each level possess attributes that define their privileges and the private keys to encrypt the data files. The size of each private key is therefore optimized and the key management process becomes less resourceintensive. However, since levels are independent, attributes must be repeatedly incorporated into each access tree. As a result, the sizes of the access trees at lower levels will increase, as shown in case (1) of Fig. 4. For complex organizations with a large number of levels, the access trees will become even larger. This results in an increase in encryption and decryption complexities.
On the other hand, case (2) favors minimizing encryption and decryption complexities over key management. Each data file is encrypted under an access policy with a set of unique attributes at each level without considering privileges and relationships. This results in simpler access trees at each level of the hierarchy and therefore lower encryption and decryption complexities. However, to grant access to an individual at a specific level, the keyissuer must generate a private key for that individual that incorporates the attributes at that level and all the levels below. Complex hierarchies that include a large number of attributes, could result in complicated key management. As a result, private keys will require incorporating a large number of attributes.
ViiB Computational Complexity
The computational complexity includes both encryption complexity and decryption complexity that are formulated using the number of group operations , for groups , respectively and the number of bilinear mapping operations involved in the and the functions for each scheme.
ViiB1 Encryption Complexity
Encryption complexity represents the number of basic operations involved in generating the ciphertext from the plaintext. It is formulated based on the function which involves group operations and .
The number of operations involved in sharing an independent piece of data using CPABE is and for and respectively, where denotes the number of leaf nodes (attributes) of the access tree . For a hierarchical organization, we present the encryption complexity of case (1) in Fig. 4 as it involves a relationship between all levels. In a real life application, case (2) would not satisfy a hierarchical organization as it requires attributes to be shared by all users regardless which level they belong to. The number of operations involved in the encryption process is formulated as and for and respectively, where are the number of leaf nodes (attributes) associated with access trees respectively. However, reuse of attributes needed at each level in this scheme increases the computational complexity, making it an overall inefficient solution for hierarchical organizational structures.
FHCPABE [6] uses a single access tree to encrypt all data files to be shared. The function only needs to run once for all data files to generate a single ciphertext. The number of operations involved are and for operations and respectively, where is the number of transport nodes (levels), and is the number of children nodes associated with a transport node. The single access structure merges access policies across levels into one large policy. The combined policy grants users access at different levels. This results in large sets , and . The encryption complexity in this scheme is dependent on the size of these sets and can grow exponentially depending on how the access tree is constructed.
PMOD generates multiple ciphertexts (one at each level) of the hierarchy. The number of operations involved is and for and respectively, where are the number of leaf nodes (attributes) associated with access trees respectively. However, PMOD leverages the relation between levels of a hierarchy. Therefore, it does not require reuse of attributes in levels like CPABE. In this case, are all specific to each level minimizing the number of attributes in each access tree. As a result, . Therefore, the encryption complexity of PMOD outperforms that of CPABE.
When comparing the encryption complexities of PMOD with FHCPABE, PMOD minimizes the number of operations involved in contrast to those needed by FHCPABE. This is because the encryption process for FHCPABE involves an access tree that contains all the access policies for all the levels in contrast to PMOD which involves smaller access trees, each one limited to an access policy of a single level. As a result, when comparing the encryption complexity of these two schemes, PMOD is more efficient than FHCPABE.
ViiB2 Decryption Complexity
Decryption complexity represents the number of basic operations involved in decrypting the ciphertext into plaintext. It is formulated based on the function which involves bilinear operations and group operations .
For a single run, CPABE [7] involves and number of operations and respectively, where is the number of attributes possessed by the data user and is the least number of interior nodes that satisfy .
To adapt CPABE to a privilegebased access structure, the function is run as many times as the number of ciphertexts a data user wishes to decrypt. The number of operations involved are and for operations and respectively, where are the least number of interior nodes that satisfy the access trees respectively.
FHCPABE [6] aims to satisfy a certain transport node (level) of the single access tree allowing the data user to decrypt certain encrypted files up to that level. To accomplish this, the function propagates through the access tree nodes recursively to make sure that the user’s attributes satisfy the nodes. The number of operations involved in this process are and for operations and respectively.
Since FHCPABE uses a single access tree , the number of transport nodes can be large, resulting in higher decryption complexity. The least number of interior nodes that satisfy can also be large if the construction of the access tree is not optimized. Constructing a single access tree that accommodates a large number of attributes is resourceintensive and could become complicated as the access rules become more sophisticated.
The number of operations involved in the decryption process for PMOD is similar to a single CPABE decryption run. PMOD needs to run the function only one time, even if the data user needs to obtain more than one data file. The function requires and for operations and respectively. Once the data user successfully decrypts the ciphertext (obtains the symmetric key at his/her level), the user can derive the remaining lower level keys as described in equation (3). The complexity of the operations involved in deriving the symmetric keys and decrypting ciphertexts at the lower levels are negligible in comparison with the group and bilinear operations involved in running the function, and therefore could be ignored.
Number of operations  

Complexity  Operation  CPABE  FHCPABE  PMOD 
Encryption  
Decryption  
Number of elements  

Component  Bitlength  CPABE  FHCPABE  PMOD 
Public Key  
Master Key  
Secret Key  
Ciphertext 