A Blockchain-Based CP-ABE Scheme with Partially Hidden Access Structures

Ba, Yang; Hu, Xuexian; Chen, Yue; Hao, Zenghang; Li, Xuewei; Yan, Xincheng

doi:https://doi.org/10.1155/2021/4132597

Security and Communication Networks

On this page

Abstract Introduction Related Work Preliminaries Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Special Issue

Security and Privacy for Edge-Assisted Internet of Things

View this Special Issue

Research Article | Open Access

Volume 2021 | Article ID 4132597 | https://doi.org/10.1155/2021/4132597

A Blockchain-Based CP-ABE Scheme with Partially Hidden Access Structures

Yang Ba,¹Xuexian Hu,¹Yue Chen,¹Zenghang Hao,¹Xuewei Li,²and Xincheng Yan³

Academic Editor: Qi Jiang

Received27 Aug 2021

Accepted12 Oct 2021

Published08 Nov 2021

Abstract

Data sharing has become a key technology to break down data silos in the big data era. Ciphertext-policy attribute-based encryption (CP-ABE) is widely used in secure data-sharing schemes to realize flexible and fine-grained access control. However, in traditional CP-ABE schemes, the access structure is directly shared along with the ciphertext, potentially leading to users’ private information leakage. Outsourcing data to a centralized third party can easily result in privacy leakage and single-point bottlenecks, and the lack of transparency in data storage and sharing casts doubts whether users’ data are safe. To address these issues, we propose a blockchain-based CP-ABE scheme with partially hidden access structures (BCP-ABE-PHAS) to achieve fine-grained access control while ensuring user privacy. First, we propose an efficient CP-ABE scheme with partially hidden access structures, where the ciphertext size is constant. To assist data decryption, we design a garbled Bloom filter to help users quickly locate the position of wildcards in the access structure. Then, to improve storage efficiency and system scalability, we propose a data storage scheme that combines blockchain technology and the interplanetary file system, ensuring data integrity. Finally, we employ smart contracts for a transparent data storage and sharing process without third-party participation. Security analysis and performance evaluation show that the proposed BCP-ABE-PHAS scheme can preserve policy privacy with efficient storage and low computational overhead.

1. Introduction

Cloud computing promotes the aggregation of storage and computational resources and has a tremendous market value. However, when data owners outsource data to cloud services, they lose control of their data, and their private information is at risk of leakage [1]. Recently, data security incidents have occurred frequently, and such events undermine users’ confidence in data security and raise concerns regarding cloud storage.

In 2005, Sahai and Waters [2] proposed attribute-based encryption (ABE) to achieve fine-grained access control. The ABE scheme is mainly categorized into ciphertext-policy ABE (CP-ABE) [3] and key-policy ABE (KP-ABE) [4]. In the KP-ABE scheme, the secret key and ciphertext are associated with the access structure (or access policy) and attribute set, respectively. In this case, the ciphertext can only be decrypted when the attribute set satisfies the access policy. Contrarily, in the CP-ABE scheme, the ciphertext and secret key are associated with the access policy and attribute set, respectively.

The CP-ABE scheme features fine-grained access control and one-to-many secure data sharing. However, in the traditional CP-ABE scheme, the access policy is directly shared along with the ciphertext. Consequently, anyone can get this access policy while obtaining the ciphertext; however, the access policy may contain the user’s sensitive information.

Consider a scenario in which a patient with a social security number (SSN) 123-456-789 wants to outsource his (or her) health data to the cloud and establish an access policy, as shown in Figure 1(a). This patient designs an access policy based on which only this patient or the psychologist at the city hospital can access the data. If the patient uses the traditional CP-ABE scheme to send the encrypted data and access policy to the cloud, anyone with access to this cloud can obtain the patient’s access policy. Thus, the data security of this patient, who is suffering from psychological problems, is undoubtedly threatened.

(a)

(b)

The most effective way to protect a user’s access policy information is to hide the attribute information. Policy hiding involves fully and partially hiding. In the CP-ABE scheme, fully hidden access policies imply that no attribute information in the access policy is revealed, and partially hidden access policies imply that only sensitive attribute values are hidden. As shown in Figure 1(b), the partially hidden access policy is expressed as (SSN: OR (Affiliation: AND Occupation: )), where the attribute values that may expose a user’s information are hidden. A tradeoff is obtained between the efficiency of the CP-ABE scheme and the fully hidden access structure using a partially hidden access structure embedded in the CP-ABE scheme to reduce computational costs [5].

Additionally, centralized storage architectures are vulnerable to various network attacks such as single point of attack, man-in-the-middle attack, and distributed denial-of-service attack [6, 7]. Owing to such attacks, data owners may lose control of their data. Because blockchain technology is transparent, decentralized, and unforgeable, blockchain-based data storage and sharing schemes have been proposed to resist such attacks. Blockchain is an append-only distributed database, so large-scale data can quickly bloat the blockchain and make it expensive and inefficient to scale. To alleviate the storage pressure of the blockchain, we propose a storage scheme that combines blockchain technology and the interplanetary file system (IPFS) [8].

Therefore, we propose a blockchain-based CP-ABE scheme with a partially hidden access structure (BCP-ABE-PHAS) to realize secure data storage and sharing. Our main contributions are summarized as follows:(1)We propose a CP-ABE scheme with partially hidden access structures to achieve fine-grained access control and ensure user privacy. Moreover, to assist data decryption, we design a garbled Bloom filter (GBF) to locate the position of wildcards in the access policy.(2)To ensure data integrity and improve system scalability, we adopt a storage scheme that combines blockchain technology and the IPFS, in which the real ciphertext is stored in the IPFS, and meanwhile, the access policy is stored on the blockchain.(3)We employ smart contracts to achieve automated and trusted access control, where the entire data storage and sharing process is transparent without third-party participation.(4)Security analysis and performance evaluation show that the proposed scheme can achieve effective privacy preservation without incurring considerable overhead.

The remainder of this paper is organized as follows. In Section 2, we introduce the related work. In Section 3, preliminaries are described. We then present the system architecture and security model in Section 4, followed by the detailed construction of the proposed scheme in Section 5. The security analysis and the performance evaluation are performed in Section 6, and the conclusions are presented in Section 7.

Bethencourt et al. [3] proposed the first CP-ABE scheme. This scheme allows data owners to specify a fine-grained access policy for their data to realize secure data sharing. However, an access policy may contain a user’s sensitive information which is attached to the ciphertext as a plaintext, causing privacy leakage [9].

To address this problem, some schemes that hide the access policy have been proposed. For example, Nishide et al. [10] proposed a CP-ABE scheme with hidden access policies. They proposed two schemes in which only attribute values are hidden using AND gates on multivalued attributes with wildcards. Based on this scheme [10], Li et al. [11] implemented user accountability while hiding the access policy. Phuong et al. [12] proposed two CP-ABE schemes with a hidden access policy. In this case, the access structure employs AND gates on positive and negative attributes with wildcards, and the ciphertext length is constant. Although these schemes are secure and efficient, AND-based access policies are limited in terms of expressiveness.

Thus, to facilitate a more expressive access policy, Lai et al. [13] proposed a partially hidden CP-ABE scheme that supports linear secret-sharing scheme-based access policy. Based on this scheme [13], Zhang et al. [14] proposed a scheme that can support a large attribute universe. However, these schemes are built using composite-order bilinear groups; thus, their efficiency is low. Katz et al. [15] first proposed the inner-product predicate encryption. However, the “superpolynomial blowup” problem makes the CP-ABE schemes that use the attribute-hiding IPE to construct a fully hidden access policy very inefficient [16]. Hur [17] proposed a CP-ABE scheme that can support any monotonous access policy. In this case, the access policy is hidden by attribute remapping, and most decryption operations are delegated to the cloud storage center to considerably reduce the requester’s computational overhead.

Because blockchain technology is decentralized, tamperproof, and transparent, it is widely used in secure data sharing and access control schemes. Based on inner-product predicate encryption [15], Gao et al. [18] proposed a trustworthy secure CP-ABE scheme with a fully hidden access policy based on blockchain technology. This scheme combines inner-product encryption and homomorphic encryption to hide access policies and uses smart contracts to store the generated proof on the blockchain permanently. Zhang et al. [19] proposed an access control for the Internet of Things (IoT) based on the smart contract which consists of the judge contract, access control contract, and register contract to achieve intelligent and efficient access control. Additionally, Xu et al. [20] proposed a blockchain-based smart healthcare system for large-scale health data privacy preservation. This system uses digital envelope technology to verify the confidentiality of information; however, it can only support one-to-one secure transmission, which does not satisfy the requirements of users who simultaneously employ multiple third parties to provide services. In the IoT environment, Xu et al. [21] and Novo [22] adopted the blockchain technology to realize secure data sharing and access control; however, these schemes do not satisfy large-scale storage and privacy protection requirements.

3. Preliminaries

In this section, we introduce some basic knowledge associated with our BCP-ABE-PHAS.

3.1. Bilinear Map

Let and be multiplicative cyclic groups of prime order . A bilinear mapping is a function which has the following properties:(1)Bilinearity: and , there exists (2)Nondegeneracy: there exists such that (3)Computability: , can be effectively computed

3.2. Blockchain

Blockchain is an append-only data structure in a peer-to-peer network environment, where data blocks are connected chronologically in a chain and the data in a blockchain are assured to be tamperproof, unforgeable, and traceable using cryptography [23]. As shown in Figure 2, a block comprises the block header and block body. The block header consists of four components: (1) PreBkHash, which is the digest of the previous block; (2) TS, which is the timestamp of the block creation; (3) nonce, which is the consensus proof computed by miners and guarantees the consensus of the block; (4) Merkle root, which is the root hash of the Merkle hash tree. The block body stores transaction details.

The concept of smart contracts was first proposed by Szabo [24]. A smart contract is a program that contains code (its function) and data (its state). Smart contracts are used in Ethereum blockchain [25].The contract address is usually given when a contract is deployed to the blockchain. Contract address is the address to a collection of codes on the blockchain that executes functions. These functions of a contract address are executed when a transaction is made to the contract address. Once a smart contract is deployed in the network, it can run as programmed without human intervention.

3.3. Bloom Filter

The Bloom filter is a space-efficient probabilistic data structure used to determine whether an element is contained in a specific set [26]. The Bloom filter is an -bit array that can represent a set of maximum elements. The Bloom filter has independent hash functions , where and indicates that the value generated by the hash function is uniformly distributed in . Herein, a Bloom filter with parameters is represented as , a Bloom filter encoding the set is represented as , and the value at index in is represented as .

First, all bits in the Bloom filter are set to 0. As shown in Figure 3, when we add the element in the set to the Bloom filter, we set for . When we verify the existence of an element in set , if exists for , this proves that ; otherwise, with a high probability.

The Bloom filter yields false positives; in other words, it yields an element that does not belong to the set , but the corresponding position values are all 1. As shown in Figure 3, the element does not belong to the set ; however, for . According to Bose et al. [27], the false positive probability is negligible if we select the optimal and values.

3.4. Secret Sharing

Secret sharing technology is an important aspect of cryptography research. For example, Shamir [28] proposed a -threshold secret-sharing scheme. The basic concept of this scheme is that the secret to be shared is divided and distributed to participants. The secret can be recovered in the case of minimum participants; otherwise, the secret cannot be recovered. When , secret sharing can be obtained using the (XOR) operation. Randomly generate bit strings with the same length as the secret , and calculate ; each of is a part of the secret . Finally, the secret can be obtained by computing .

3.5. Attribute Vector

As shown in Figure 4, we define two attribute vectors and , where and . Here, contains the wildcard , and represents the set of wildcard positions in .

The decryption algorithm discussed in this paper employs the following polynomial identity, where is the attribute value at position in the attribute vector.

We use Viète’s formulas [29] to construct the polynomial in equation (1), and the coefficients are calculated as follows:where . Here, if is clear, we can calculate the polynomial coefficients . For example, when , we can construct polynomial and calculate the coefficients:

3.6. Decision Linear Assumption

Let be a bilinear group of prime order with a generator . For any probabilistic polynomial-time (PPT) adversary , its advantage in solving the decision linear (DLIN) problem [30] in iswhere the probability is taken over all possible choices of . We say that the DLIN assumption holds in if there exists a negligible function such that for any PPT algorithm .

4. System Architecture and Security Model

4.1. System Architecture

The system architecture of the proposed scheme is shown in Figure 5. As illustrated, the system architecture involves five entities, i.e., attribute authority (AA), IPFS, data owner (DO), data user (DU), and blockchain. AA: the AA manages all attributes in the system and assigns attributes to users. It is also responsible for generating public parameters and issuing secret keys based on the users’ attributes. In this paper, the AA is fully trusted. IPFS: the IPFS is a distributed file storage system based on content addressing. Note that there is no central server node in the IPFS; thus, it can avoid the risk of a single point of failure. The IPFS uses an encryption algorithm to calculate the hash value hashipfs of a file, and this hashipfs is used as the file’s address. This approach reduces the repeated storage of files and ensures the integrity of files. DO: the DO selects the file to be shared and creates a corresponding access policy. First, the DO encrypts the file using the symmetric key aeskey and stores the ciphertext encfile in the IPFS. Then, the proposed CP-ABE scheme is used to encrypt aeskey and generate the ciphertext . Finally, hashipfs and are stored on the blockchain using a smart contract. DU: the DU sends a request to the AA, and the AA generates a secret key based on the attribute set of the DU. The DU obtains stored on the blockchain using the smart contract and decrypts based on its secret key. Here, if the attribute set satisfies the access structure set by the DO, then the DU can obtain the file from the IPFS using aeskey and hashipfs. Blockchain: the blockchain is an append-only distributed database, where data are stored permanently and are tamperproof. To ensure secure data sharing and fine-grained access control, the DO only stores hashipfs and on the blockchain using smart contracts.

4.2. The Definition of the BCP-ABE-PHAS Scheme

Here, we present the definition of our scheme. This scheme mainly involves the following four algorithms:(i): the Setup algorithm is executed by the AA. This algorithm takes security parameter as the input and outputs the public parameters PK and master secret key MSK.(ii): the KeyGen algorithm is executed by the AA. Here, PK, MSK, and of the DU are taken as inputs, and the secret key associated with is the output.(iii): the Encrypt algorithm is executed by the DO. This algorithm comprises the BuildGBF and GenCT functions. : this function takes an access policy and the wildcard position set as inputs and outputs GBF : this function takes PK, a message , an access policy , and the wildcard position set as inputs and outputs ciphertext (iv): the Decrypt algorithm is executed by the DU and comprises the QueryGBF and Dec functions. : this function takes an attribute vector of the DU as the input and queries GBF to obtain the wildcard position set : this function takes PK, , , and CT as inputs and outputs

Here, let , , and . For correctness, we require the following conditions to hold:(1)If the attribute vector of the DU satisfies the access policy , then (2)Otherwise, outputs a random message

4.3. Security Model

Definition 1. A CP-ABE scheme with the hidden access policy is semantically secure in the selective model if for all PPT adversaries ,for some negligible function . Based on [29], the security game is described as follows: Init: selects two different challenge attribute vectors , for at least one . Setup: the challenger runs algorithm, which outputs PK and MSK. It sends PK to and keeps MSK to itself. Query phase 1: adaptively issues key queries for the attribute vector , under the restriction that and . runs algorithm to obtain and sends to . Challenge: submits two messages and sends them to . Given and , randomly selects and encrypts under . Finally, sends to . Query phase 2: query phase 2 is the same as query phase 1. Guess: finally, outputs its guess for . If , then return 1; else, return 0.

5. Construction of the BCP-ABE-PHAS

5.1. Setup Phase

In this paper, we use to represent the attribute universe in the system. Here, is the set of possible values of the category attribute, where . Thus, the user’s attribute vector is , where . The access structure of the proposed scheme is , where . If or , we use to denote that the user’s attribute vector satisfies the access policy ; otherwise, we use to denote that the user’s attribute vector does not satisfy the access policy . Here, the wildcard in the access structure means “do not care.” The upper bound of the wildcard in the access structure is defined as , where .

The setup phase is run by the AA. Here, and are the multiplicative cyclic groups of a large prime order , is a generator of , and is a bilinear map. The AA randomly chooses and and sets and . Let for . The AA also generates independent hash functions . Therefore, the public parameters are expressed as follows:

Additionally, the master secret key is expressed as follows:

5.2. Data Encryption Phase

The encryption phase is executed by the DO and involves three main parts, which are described in the following section.

5.2.1. IPFS Storage

The DO selects the file to be shared, generates the symmetric key aeskey using the Advanced Encryption Standard (AES), and encrypts the file using aeskey to generate the ciphertext encfile.

To relieve the pressure on blockchain storage, the proposed scheme stores encfile in the IPFS using the ipfs add encfile command, and the IPFS returns unique hash value ipfshash to retrieve encfile. Note that anyone can obtain the ciphertext encfile stored in the IPFS using the ipfs get ipfshash command.

5.2.2. Hidden Access Policy

The blockchain is public, all participants can obtain the data on the blockchain, so we need to hide the attribute information of the access policy. The access policy developed by the DO is . Assume that the access policy contains wildcards that occur at positions .

When data are decrypted, determining the position of the wildcard symbols is essential; however, directly sending the set may reveal the user’s private information. Thus, to solve this problem, we adopt an efficient positioning algorithm based on the GBF. The GBF is a combination of a Bloom filter and secret sharing technology. Differing from traditional Bloom filters that use a bit array, the GBF uses an array of bits. The GBF can verify whether an attribute exists in the specified set and locate the position index of the attribute to realize the hidden set and protect the user’s private information. In addition to the probability of hash function collisions, the probability of string matching must be verified. Therefore, the false positive probability of the GBF is less than that of the traditional Bloom filter.

When the DO adds an element , to the GBF, the algorithm first uses the -secret-sharing scheme to randomly generate -bit strings and sets . Then, it hashes with independent hash functions and obtains , where is uniformly distributed in . Finally, generated is stored in the GBF based on the position index generated by .

When elements are further added to the GBF, if a certain position is already occupied by previously added elements, we reuse the share already stored in the GBF. As shown in Figure 6, when we add to the GBF, the hash value of is the same as the hash value of . If we modify , the previously added element cannot be restored; thus, we set . The construction of the GBF is presented in Algorithm 1.

Input: set , security parameter , , and hash functions
Output: garbled Bloom filter GBF
(1)	GBF = new -element array of bit strings;
(2)	fordo
(3)	;//initialize the GBF with “NULL”
(4)	end for
(5)	fordo
(6)	;
(7)	fordo
(8)	;//get the index of the position
(9)	ifthen
(10)	ifthen
(11)	;
(12)	else
(13)	;//get a new share
(14)	;
(15)	end if
(16)	else
(17)	;//reuse an existing share
(18)	end if
(19)	end for
(20)	;//store the last share
(21)	end for
(22)	fordo
(23)	ifthen
(24)	;//fill the position with random strings
(25)	end if
(26)	end for

The DO constructs a GBF to hide the set of wildcard positions based on Algorithm 1 and then uses Viète’s formulas to compute . Here, , where . It randomly chooses . The DO then creates aswhere is . Therefore, the ciphertext is .

5.2.3. Blockchain Storage

A blockchain is an append-only distributed database that stores data on the blockchain permanently, which ensures that the data can be tamperproof but increases the storage pressure on the blockchain. Therefore, in this paper, the ciphertext encfile is stored in the IPFS, and only ipfshash and are stored on the blockchain. To achieve secure data sharing and fine-grained access control, we employ smart contracts to ensure that the data storage and sharing process is open and transparent without third-party participation. Here, the public and private keys of the DO in the blockchain are represented by and , respectively.

Generally, the DO is the creator of the access control contract (ACC) who wants to share data with DUs. The ACC provides application binary interfaces (ABIs) to manage and implement access control. The ABIs of the ACC are presented in Table 1.

The DO creates and deploys the ACC and then obtains the contract address and ABIs. Furthermore, the DO sends a transaction to execute the uploadfile ABI of the ACC to upload the data on the blockchain (Algorithm 2).

	Input: CT, ipfshash, time, , ACC address addr, and uploadfile ABI
	Output: storage transaction
(1)	Compute the message digest ;
(2)	Generate the signature ;
(3)	Generate a storage transaction ;
(4)	Send according to and ABI;
(5)	return;

5.3. Key Generation Phase

The key generation phase is executed by the AA. In this phase, the secret key is generated for the DU, the attribute vector of which is . The AA randomly chooses and sets and . Then, the following algorithm is executed:

Therefore, the secret key of the DU is .

5.4. Data Decryption Phase

Data decryption is performed by the DU and mainly comprises the following three phases.

5.4.1. Obtain Data on the Blockchain

The DU sends a transaction to execute the getfile ABI of the ACC to obtain the data stored on the blockchain (Algorithm 3).

	Input: ACC address addr, getfile ABI, and
	Output: verified result
(1)	Obtain the data according to and getfile ABI;
(2)	Compute the message digest ;
(3)	Verify the signature ;
(4)	ifthen
(5)	return True;
(6)	else
(7)	return False;
(8)	end if

Therefore, the DU obtains ipfshash and stored on the blockchain.

5.4.2. QueryGBF

The DU obtains the data stored on the blockchain, where . As observed from the data encryption phase, obtaining is the key to decrypting . Here, the DU obtains according to Algorithm 4.

Input: garbled Bloom filter GBF, , the number of attributes , security parameter , , and hash functions
Output: set
(1)	= new set of length ;
(2)	fordo
(3)	;
(4)	fordo
(5)	;
(6)	ifthen
(7)	break;
(8)	else
(9)	;
(10)	end if
(11)	end for
(12)	ifthen
(13)	;
(14)	end if
(15)	end for

First, we determine whether the hash value of the attribute exists in the GBF. If the corresponding position of the attribute in the GBF is 0, the attribute must not be in . When all GBF positions corresponding to the hash values of the attribute are not empty, the DU must calculate the position index of the wildcard in the access policy using ; if the calculated value is the same as the position index corresponding to the attribute vector of the DU, the attribute is present in ; otherwise, this attribute is not in .

5.4.3. Data Decryption Phase

In this phase, the DU obtains the set of wildcard positions and then uses Viète’s formulas to compute , where . The ciphertext can only be decrypted when the attributes of the DU can satisfy the access policy. Then, can be computed as follows:

When the DU successfully decrypts the data, it obtains aeskey. Then, the DU obtains encfile stored in the IPFS using ipfshash. Subsequently, aeskey is used to decrypt encfile to obtain the file shared by the DO.

6. Security Analysis and Performance Evaluation

6.1. Correctness

In this section, we verify the correctness of the proposed scheme. When we use a decryption key that satisfies the given access policy, the Decrypt algorithm indeed returns the correct message.where for equation (11), we use that ,

Then, we have

If the secret key of the DU is valid, then , . Thus,

6.2. Security Analysis

Theorem 1. The proposed BCP-ABE-PHAS scheme is semantically secure in the selective model assuming that the DLIN assumption holds in group .

Proof. Assume there exists a PPT adversary that can break the selective semantic security. We then build an algorithm that uses to solve the DLIN problem in .
Here, the challenger selects a bilinear group of prime order and a generator , as well as the group and a bilinear map . Then, the challenger randomly chooses five values and computes and . The challenger randomly chooses and sends the tuple to . Note that the goal of is to guess with a probability greater than . To generate a guess, interacts with in the following selective semantic security experiment. Init: chooses two challenge attribute vectors and . Here, the wildcard position sets are denoted as and , respectively. Then, randomly chooses , where . Setup: chooses , which is the upper bound number of wildcards. Then, chooses uniformly at random and sets the following: Here, randomly chooses and computes and . The public key is expressed as follows: Additionally, the master secret key is expressed as follows: Query phase 1: in this phase, will respond to the key query of . Each time, will commit an attribute vector and set , , and . Then, responds by computing Finally, sends to . Challenge: when query phase 1 is over, sends two messages , , to . Then, randomly chooses and outputs its guess and selects a message to encrypt under . Then, creates sends the challenge ciphertext to . Query phase 2: query phase 2 is the same as query phase 1. Guess: outputs its guess for .Finally, if , outputs 1; otherwise, outputs 0.
In the following, we analyze the probability of success for . Here, if , then will behave correctly as a challenger to . Furthermore, will have the probability of of guessing . If , will have the probability of of guessing .
To conclude this proof, we obtain the following:which is nonnegligible, thereby contradicting the DLIN assumption.

6.3. Performance Evaluation

6.3.1. Data Storage Efficiency

We conduct an experiment to verify the efficiency of two storage schemes, i.e., cloud-based server storage and IPFS-based distributed storage. Here, we set up a local server and an IPFS cluster in the same local area network. The cluster comprises five local devices, all of which are Ubuntu 18.04 systems with an Intel Core i5 CPU at 2.4 GHz with 4 GB RAM. We compare the performance of the two storage schemes based on the time required for uploading and downloading files. Figure 7 shows the transmission time required by the two schemes. Note that all experimental results are the average of 30 trials. As shown in Figure 7, the upload and download time of files in the IPFS-based scheme are less than those of the files in the cloud-based scheme. Moreover, the time required for uploading and downloading the files in the cloud-based scheme exhibits a faster growth trend than the IPFS-based scheme when the file size increased. Therefore, the IPFS-based scheme can improve storage efficiency and system scalability.

6.3.2. GBF Efficiency

We conduct another experiment to verify the storage and query efficiency of the GBF. Here, we use double hashing technology, and the hash functions of the GBF are constructed using the 128-bit SpookyHash and MurmurHash. The length of the GBF is set to , and in this experiment. Furthermore, the number of attributes in the access policy is 5–35, the number of wildcards is 2–14, and the number of hash functions is . Note that all reported experimental results are the average values obtained over 30 trials. As shown in Figure 8, for , the time required to add 10 wildcards to the GBF is approximately 4.5 ms, and the query time is approximately 3.5 ms. Therefore, introducing the GBF does not increase the computational overhead of the system.

(a)

(b)

6.3.3. Performance Evaluation

We also analyze the performance of our scheme and five existing CP-ABE schemes with AND gates in terms of the ciphertext size, decryption consumption, whether access policies are hidden, and so on. The results are presented in Table 2, where represents the pairing operation, represents the exponentiation operation, represents the number of attributes in the access structure, represents the number of possible values for an attribute, and represents the number of wildcards in the access structure. From Table 2, among all schemes that support wildcards and the hidden access policy, our scheme exhibits the smallest ciphertext size. Furthermore, the ciphertext size of our scheme is constant. Note that the decryption consumption of our scheme is related to the number of wildcards , where ; thus, our scheme has the advantage in terms of decryption consumption.

To evaluate the actual performance of our scheme, we compare it to schemes proposed in [10, 31]. Here, we implement our scheme on a desktop PC (3.4 GHz Intel Core i7 CPU with 16 GB RAM) based on Ubuntu 18.04 LTS and Java Pairing-Based Cryptography Library (JPBC) 2.0.0. This implementation uses a 160-bit elliptic curve group based on the supersingular curve over a 512-bit finite field. The number of attributes in the access policy is 5–35, and the number of wildcards is 2–14. To ensure accuracy in our experiments, all reported experimental results are the averages obtained over 30 trials.

Figure 9(a) shows the size of the public parameters in the setup phase. The size of public parameters in all schemes increases linearly with the increase in the number of attributes. Nishide et al. [10] defined all possible values for each attribute in the public parameter; thus, the size of the public parameters is larger than other schemes. Figure 9(b) presents the execution time of the key generation phase. In our scheme, the key is generated by the AA with high computational power; therefore, although the time required in our scheme is greater than other schemes, it will not affect the efficiency of our scheme. Figure 9(c) presents the execution time of the encryption operation. Here, the number of exponentiation operations in the encryption algorithm is related to the attribute; thus, the required time increases with the increase in the number of attributes. The scheme in [10] exhibits more exponentiation operations in the encryption phase than our scheme and the scheme in [31]; thus, the required time is greater than the other two schemes. Figure 9(d) shows the execution time of the decryption operation. Note that the existing scheme [31] does not hide the access policy; thus, its decryption time is fixed. The decryption time of our scheme is less than that of the scheme in [10].

(a)

(b)

(c)

(d)

In summary, our scheme has advantages in terms of data encryption and decryption when implementing the hidden access policy.

7. Conclusion

In this paper, we propose a BCP-ABE-PHAS scheme to achieve trustworthy access while ensuring user privacy. Traditional centralized storage architectures are vulnerable to various network attacks, e.g., single point of attack, man-in-the-middle attack, and distributed denial-of-service attack. Therefore, we adopt a data storage scheme that combines blockchain technology and the IPFS; this approach relieves the storage pressure on the blockchain and guarantees data integrity. The experimental results demonstrate that our scheme is efficient and maintains a constant ciphertext size. Furthermore, to assist data decryption, we design a GBF to help users quickly locate the position of wildcards in the access policy. The proposed scheme uses smart contracts to guarantee that the entire data storage and sharing process is transparent, dynamic, and automated. The results of security analysis and performance evaluations demonstrate that our scheme is secure and efficient.

Data Availability

As part of the data in the paper is confidential, the code cannot be published for the time being. If data needed, send the corresponding author an email.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported by the National Natural Science Foundation of China (Grant Nos. 62172433, 62172434, 61862011, and 61872449).

References

R. Lu, H. Zhu, X. Liu, J. K. Liu, and J. Shao, “Toward efficient and privacy-preserving computing in big data era,” IEEE Network, vol. 28, no. 4, pp. 46–50, 2014.
View at: Publisher Site | Google Scholar
A. Sahai and B. Waters, “Fuzzy identity-based encryption, lecture notes in computer science,” in Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 457–473, Springer, Aarhus, Denmark, May 2005.
View at: Publisher Site | Google Scholar
J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute-based encryption,” in Proceedings of the IEEE Symposium on Security and Privacy, pp. 321–334, IEEE, CA, USA, May 2007.
View at: Publisher Site | Google Scholar
V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data,” in Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 89–98, Alexandria, VA, USA, November 3 2006.
View at: Publisher Site | Google Scholar
H. Cui, R. H. Deng, J. Lai, X. Yi, and S. Nepal, “An efficient and expressive ciphertext-policy attribute-based encryption scheme with partially hidden access structures, revisited,” Computer Networks, vol. 133, pp. 157–165, 2018.
View at: Publisher Site | Google Scholar
Z. Li, D. Wang, and E. Morais, “Quantum-safe round-optimal password authentication for mobile devices,” IEEE Transactions on Dependable and Secure Computing, p. 1, 2020.
View at: Publisher Site | Google Scholar
S. Qiu, D. Wang, G. Xu, and S. Kumari, “Practical and provably secure three-factor authentication protocol based on extended chaotic-maps for mobile lightweight devices,” IEEE Transactions on Dependable and Secure Computing, p. 1, 2020.
View at: Publisher Site | Google Scholar
N. Nizamuddin, H. R. Hasan, and K. Salah, “IPFS-blockchain-based authenticity of online publications,” in Proceedings of the International Conference on Blockchain, pp. 199–212, Springer, Xi’an, China, December 22 2018.
View at: Publisher Site | Google Scholar
C. Wang, D. Wang, G. Xu, and D. He, “Efficient privacy-preserving user authentication scheme with forward secrecy for industry 4.0,” Science China Information Sciences, vol. 65, no. 1, pp. 1–15, 2021.
View at: Publisher Site | Google Scholar
T. Nishide, K. Yoneyama, and K. Ohta, “Attribute-based encryption with partially hidden encryptor-specified access structures,” in Proceedings of the International Conference on Applied Cryptography and Network Security, pp. 111–129, Springer, New York, NY, USA, June 2008.
View at: Publisher Site | Google Scholar
J. Li, K. Ren, B. Zhu, and Z. Wan, “Privacy-aware attribute-based encryption with user accountability,” in Proceedings of the International Conference on Information Security, pp. 347–362, Springer, Pisa, Italy, September 2009.
View at: Publisher Site | Google Scholar
T. V. X. Phuong, G. Yang, and W. Susilo, “Hidden ciphertext policy attribute-based encryption under standard assumptions,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 1, pp. 35–45, 2015.
View at: Google Scholar
J. Lai, R. H. Deng, and Y. Li, “Expressive CP-ABE with partially hidden access structures,” in Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security, pp. 18-19, ACM, Seoul, Republic of Korea, May 2 2012.
View at: Publisher Site | Google Scholar
Y. Zhang, D. Zheng, and R. H. Deng, “Security and privacy in smart health: efficient policy-hiding attribute-based access control,” IEEE Internet of Things Journal, vol. 5, no. 3, pp. 2130–2145, 2018.
View at: Publisher Site | Google Scholar
J. Katz, A. Sahai, and B. Waters, “Predicate encryption supporting disjunctions, polynomial equations, and inner products,” in Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 146–162, Springer, Istanbul, Turkey, April 2008.
View at: Publisher Site | Google Scholar
A. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters, “Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption,” in Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 62–91, Springer, French Riviera, May 30 2010.
View at: Publisher Site | Google Scholar
J. Hur, “Attribute-based secure data sharing with hidden policies in smart grid,” IEEE Transactions on Parallel and Distributed Systems, vol. 24, no. 11, pp. 2171–2180, 2013.
View at: Publisher Site | Google Scholar
S. Gao, G. Piao, J. Zhu, X. Ma, and J. Ma, “TrustAccess: a trustworthy secure ciphertext-policy and attribute hiding access control scheme based on blockchain,” IEEE Transactions on Vehicular Technology, vol. 69, no. 6, pp. 5784–5798, 2020.
View at: Publisher Site | Google Scholar
Y. Zhang, S. Kasahara, Y. Shen, X. Jiang, and J. Wan, “Smart contract-based access control for the Internet of Things,” IEEE Internet of Things Journal, vol. 6, no. 2, pp. 1594–1605, 2018.
View at: Publisher Site | Google Scholar
J. Xu, K. Xue, S. Li et al., “Healthchain: a blockchain-based privacy preserving scheme for large-scale health data,” IEEE Internet of Things Journal, vol. 6, no. 5, pp. 8770–8781, 2019.
View at: Publisher Site | Google Scholar
R. Xu, Y. Chen, E. Blasch, G. Chen, and C. A. C. Blend, “A blockchain-enabled decentralized capability-based access control for IoTs,” in Proceedings of the 2018 IEEE International Conference on Internet of Things, pp. 1027–1034, Halifax NS Canada, Auguest 3 2018.
View at: Google Scholar
O. Novo, “Blockchain meets IoT: an architecture for scalable access management in IoT,” IEEE Internet of Things Journal, vol. 5, no. 2, pp. 1184–1195, 2018.
View at: Publisher Site | Google Scholar
S. Nakamoto, “Bitcoin: a peer-to-peer electronic cash system,” 2008, https://bitcoin.org/bitcoin.pdf.
View at: Google Scholar
N. Szabo, “Smart contracts,” 1994, http://www.fon.hum.uva.nl/rob/Courses/InformationInSpeech/CDROM/Literature/LOTwinterschool2006/szabo.best.vwh.net/smart.contracts.html.
View at: Google Scholar
G. Wood, “Ethereum: A secure decentralised generalised transaction ledger,” 2014, https://www.gavwood.com/paper.pdf.
View at: Google Scholar
B. H. Bloom, “Space/time trade-offs in hash coding with allowable errors,” Communications of the ACM, vol. 13, no. 7, pp. 422–426, 1970.
View at: Publisher Site | Google Scholar
P. Bose, H. Guo, E. Kranakis et al., “On the false-positive rate of Bloom filters,” Information Processing Letters, vol. 108, no. 4, pp. 210–213, 2008.
View at: Publisher Site | Google Scholar
A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612-613, 1979.
View at: Publisher Site | Google Scholar
S. Sedghi, P. van Liesdonk, S. Nikova, P. Hartel, and W. Jonker, “Searching keywords with wildcards on encrypted data,” in Proceedings of the International Conference on Security and Cryptography for Networks, pp. 138–153, Springer, Amalfi, Italy, September 16 2020.
View at: Publisher Site | Google Scholar
D. Boneh, X. Boyen, and H. Shacham, “Short group signatures,” in Proceedings of the Annual International Cryptology Conference, pp. 41–55, Springer, Santa Barbara, California, USA, August 22 2002.
View at: Publisher Site | Google Scholar
K. Emura, A. Miyaji, A. Nomura, K. Omote, and M. Soshi, “A ciphertext-policy attribute-based encryption scheme with constant ciphertext length,” in Proceedings of the International Conference on Information Security Practice and Experience, pp. 13–23, Springer, Xi’an, China, April 2009.
View at: Publisher Site | Google Scholar
J. Lai, R. H. Deng, and Y. Li, “Fully secure cipertext-policy hiding CP-ABE,” in Proceedings of the International Conference on Information Security Practice and Experience, pp. 24–39, Springer, Guangzhou, China, May 2011.
View at: Publisher Site | Google Scholar
L. Cheung and C. Newport, “Provably secure ciphertext policy ABE,” in Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 456–465, ACM, NY, USA, October 31 2007.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2021 Yang Ba et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1198

Downloads

843

Citations

Security and Communication Networks

Security and Privacy for Edge-Assisted Internet of Things

A Blockchain-Based CP-ABE Scheme with Partially Hidden Access Structures

Abstract

1. Introduction

2. Related Work

3. Preliminaries

3.1. Bilinear Map

3.2. Blockchain

3.3. Bloom Filter

3.4. Secret Sharing

3.5. Attribute Vector

3.6. Decision Linear Assumption

4. System Architecture and Security Model

4.1. System Architecture

4.2. The Definition of the BCP-ABE-PHAS Scheme

4.3. Security Model

5. Construction of the BCP-ABE-PHAS

5.1. Setup Phase

5.2. Data Encryption Phase

5.2.1. IPFS Storage

5.2.2. Hidden Access Policy

5.2.3. Blockchain Storage

5.3. Key Generation Phase

5.4. Data Decryption Phase

5.4.1. Obtain Data on the Blockchain

5.4.2. QueryGBF

5.4.3. Data Decryption Phase

6. Security Analysis and Performance Evaluation

6.1. Correctness

6.2. Security Analysis

6.3. Performance Evaluation

6.3.1. Data Storage Efficiency

6.3.2. GBF Efficiency

6.3.3. Performance Evaluation

7. Conclusion

Data Availability

Conflicts of Interest

Acknowledgments

References

Copyright