Abstract In the applications of Internet of Things (IoT), users usually do not believe that the cloud server is doing a good job of confidentiality, and thus the private data/documents are encrypted and maintained in the cloud storage. And then, fine-grained data sharing of these encrypted data for increased efficiency is an important requirement. Key-aggregate cryptosystem (KAC) has been proposed to address this problem, which can realize efficient delegation of decryption rights of any subset of ciphertexts. However, the end-devices of IoT may not have the special trusted hardware, and the stored keys are apt to be leaked by side-channel attacks. To solve this problem, we design two leakage-resilient KAC schemes, which can be proved secure with auxiliary input. We also implement these schemes over two platforms to test their applicability for the resource-constrained devices.