\subsection{Data Publication} Before outsourcing data $m$, the DO defines an access policy over the essential attribute and a set of descriptive attributes and converts the access policy to an access structure $(M,\rho)$. Then, the DO encrypts the data $m$ under the $(M,\rho)$ by running
\noindent\textsf{Encrypt}$(m, (M,\rho), GP, \{PP_{\theta}\}_{\theta\in F})$ algorithm and submits an ill-formed ciphertext as the output to the CS. After receiving the ill-formed ciphertext, the CS converts it to a well-formed ciphertext by running \textsf{CTConvert}$(\tilde{ct}, \{hk_{x_{\theta}}\}_{x_{\theta}=\rho(i),\theta\in F}^{h(ver_{x_{\theta}})})$ algorithm. Finally, the CS publishes the well-formed ciphertext to the cloud server.\\
\textbf{\textsf{…show more content… Note that, in decryption process, the version values of the attribute components in the user-attribute-keys are matched with the version values of the corresponding components in the ciphertext for the purpose of detecting whether there is any component stateless in the DU's user-attribute-keys. If there is any mismatch, then it will trigger the DU to request a key-update-key for the attribute on which the version number mismatch occurs from the CA or the corresponding AA.\\
\textbf{\textsf{Decrypt}}$(CT, G_{gid}, \{AK_{gid,{\theta}}\}_{\theta\in F})$. Suppose that ${\cal S}_{gid}=\bigcup_{\theta\in F} {\cal S}_{gid,{\theta}}$ satisfies the access structure $(M,\rho)$ and let $I\subseteq {1,2,...,l}$ be defined as $I=\{i:\rho(i)\in {\cal S}_{gid}\}$. Then, it chooses a set of constants $\{w_i \xleftarrow{R} \mathbb{Z}_p\}_{i\in I}$ and reconstructs the secret $s$ as $\sum_{i\in I}w_i\lambda_i$ if ${\lambda_i}$ are valid shares of the secret $s$ according to $M$. The decryption algorithm first computes:
