Abstract

In the Internet of Things (IoT), data sharing security is important to social security. It is a huge challenge to enable more accurate and secure access to data by authorized users. Blockchain access control schemes are mostly one-way access control, which cannot meet the need for ciphertext search, two-way confirmation of users and data, and secure data transmission. Thus, this paper proposes a blockchain-aided searchable encryption-based two-way attribute access control scheme (STW-ABE). The scheme combines ciphertext attribute access control, key attribute access control, and ciphertext search. In particular, two-way access control meets the requirement of mutual confirmation between users and data. The ciphertext search avoids information leakage during transmission, thus improving overall efficiency and security during data sharing. Moreover, user keys are generated by the coalition blockchain. Besides, the ciphertext search and pre-decryption are outsourced to cloud servers, reducing the computing pressure on users and adapting to the needs of lightweight users in the IoT. Security analysis proves that our scheme is secure under a chosen-plaintext attack and a chosen keyword attack. Simulations show that the costs of encryption and decryption, keyword token generation, and ciphertext search in our scheme are preferable.

1. Introduction

In Industry 4.0, the IoT is commonly used in industrial environments and often requires processing large amounts of data. Due to the limited resources of IoT devices, we often store large amounts of data from IoT devices on cloud servers. However, this outsourced storage approach may cause many privacy and security problems, such as identity leakage, illegal access to private data, and data tampering. The solution to these problems is to store the ciphertext in the cloud server. Symmetric encryption can guarantee data confidentiality but cannot achieve fine-grained access control and secure data sharing.

Attribute access control is an access control mechanism proposed by Sahai and Waters [1] to ensure effective and secure data sharing and fine-grained access. Technically, attribute access control is mainly divided into two types: ciphertext-policy attribute-based encryption (CP-ABE) [2] and key-policy attribute-based encryption (KP-ABE) [3]. In the CP-ABE scheme, each data user obtains the corresponding attribute secret key from the authorization agency according to their attributes, and the access structure of the file is determined by the data owner. Only when the attribute set in the secret attribute key of the data acquirer meets the access structure of the file can the file be viewed correctly. In the KP-ABE, by contrast, files can only be viewed when the access structure of the identity key satisfies the ciphertext properties. However, each of these two methods of attribute access control performs only a single direction of authentication. They address the need for one-way control of data sharing but do not meet the need for two-way confirmation of users and data. For this reason, Attrapadung and Imai [4] proposed a two-policy attribute access control scheme whose core idea is to combine ciphertext access control with key access control. On the one hand, the ciphertext is obtained by associating the plaintext with the corresponding user access structure and plaintext attributes. On the other hand, the user’s private key is computed by associating its attribute set with the ciphertext access control structure. The plaintext can only be decrypted if both the ciphertext access control and the key access control match. However, this solution relies on a centrally authorized agent and is prone to a single point of failure. Han et al. [5] proposed a distributed bidirectional attribute access control strategy. However, the scheme does not consider users’ security requirements for personal data queries and transmissions in the IoT environment.

Blockchain is increasingly used in non-transactional scenarios such as supply chains, the IoT, smart healthcare, and public security, where data often contain users’ private data. The data cannot be fully disclosed to everyone as a transaction and can only be shared to a limited extent. Through blockchain research, the use of blockchain to manage users’ keys ensures secure data sharing for the development of the Industrial Internet of Things (IIoT).

In this paper, we propose a blockchain-aided searchable encryption-based two-way attribute access control scheme (STW-ABE) to manage massive IoT data and meet people’s demand for data access control of private data. The main contributions of our scheme can be summarized as follows:

(1) Blockchain-Aided Key Generation. Blockchain consensus nodes jointly execute the DKG to generate the secret key. It avoids the problem of secret key leakage caused by a single point of failure.

(2) Blockchain-Cloud-Aided Keyword Search. The combination of attribute encryption technology and searchable encryption achieves fine-grained two-way access control of transaction ciphertexts in the blockchain. The blockchain sends a token containing a single keyword to the CS. The CS uses the token to perform a ciphertext search to avoid leakage of private data during transmission.

(3) Cloud-Aided Pre-Decryption. The CS provides the pre-decryption service for users with access permission, and the user only needs to perform one exponential operation to decrypt the ciphertext. It reduces computational pressure for users and meets the needs of resource-constrained IoT devices.

The rest of this article is organized as follows. Section 2 reports the most related work. Section 3 introduces relevant knowledge, including linear secret-sharing schemes, distributed key generation protocols, searchable encryption, and blockchain technology. Section 4 presents the system definition, including the system model, the STW-ABE scheme, and the security model. In Section 5, we reveal the detailed construction of the STW-ABE scheme. Section 6 analyzes the security of our scheme and compares the time cost with other schemes in encryption, decryption, and ciphertext search. Finally, we conclude in Section 7.

2. Related Work

In Industry 4.0, access control technology is essential to build trust and sustainability in a distributed context of the IoT. Leng et al. [6] proposed a blockchain model with chemical signature access under a distributed context, Makerchain, which binds unique signature data to the blockchain and automatically executes smart contracts set between manufacturers to achieve service trust between manufacturers. Rahman et al. [7] proposed a distributed multi-signature technology based on blockchain to realize multi-party identity authentication and guarantee the trust between multiple parties in the Industry 4.0 system. However, it does not consider the resource limitation of IoT terminal devices. Most data encryption techniques in use today are based on bilinear mapping encryption, which means that the computational cost of decryption is high. Most lightweight devices do not adapt to attribute-based access control. Therefore, many attribute access control schemes propose the method of outsourcing decryption. Li et al. [8] proposed an outsourcing ABE scheme based on keyword search. However, the search method used in this scheme is a common public key encryption of keywords, which cannot achieve a fine-grained searchable encryption scheme. Ziegler et al. [9] proposed an outsourcing decryption scheme based on a prime order group to bridge the gap between the highly dynamic IIoT environment and resource-constrained devices. The IoT includes a core network and an edge network, and data security problems will be encountered in data sharing. Liu et al. [10] proposed a privacy-protecting multi-keyword searchable encryption scheme in a distributed system. Through a multi-server architecture, authorized servers can jointly search whether the token matches the ciphertext, thus improving the search efficiency. Miao et al. [11] put forward a multi-keyword search scheme based on attributes and transformed attributes into 0 and 1 codes for attribute judgment comparison, thus improving the efficiency of strategy judgment.

In the IIoT, blockchain is a new generation of security technology with immutability and traceability characteristics. Leng et al. [12] discussed how blockchain promotes the sustainable development of manufacturing and product life management in Industry 4.0. Mehta et al. [13] proposed a blockchain-based copyright contract transaction scheme for the Industry 4.0 supply chain, which ensured the security of copyright transactions for different stakeholders in the industry. But the blockchain has its potential security problems. Leng et al. [14] proposed the PDI model and divided blockchain security issues into process level, data level, and infrastructure level. This paper mainly studies data access control to solve the data-level security sharing problem to improve blockchain systems’ data security. In Industry 4.0, blockchain provides key technology for the secure intelligent manufacturing of IIoT, but distributed Industry 4.0 needs to realize collaborative trust. Leng et al. [15] put forward eight network security obstacles in the intelligent manufacturing of blockchain. The cybersecurity barriers include device deception, false authentication, and trust in data sharing among participants. Therefore, implementing blockchain identity authentication in the IIoT is of great significance for the multi-party trust and sustainability of Industry 4.0. Li et al. [16] proposed a multi-keyword encrypted search scheme applicable for blockchain, which implements ciphertext information search and data access control through smart contracts. Before ciphertext search, the smart contract automatically determines data access permission to enhance trust among IoT users. Feng et al. [17] proposed a data privacy protection scheme based on blockchain searchable attribute access control. The user’s permission authentication is implemented by the user’s local server, avoiding the security risk of submitting the user’s private key and access structure to the blockchain network. 
Gao et al. [18] proposed a trusted, secure, blockchain-based access control scheme with ciphertext-policy and attribute hiding. The scheme hides the ciphertext policy and attribute information and reduces accidental leakage of data information. Therefore, Liu et al. [19] proposed a searchable attribute-based encryption scheme in which a coalition blockchain replaces the traditional centralized server to be responsible for the generation and storage. Qin et al. [20] proposed a lightweight IoT access control scheme based on attribute encryption and blockchain to verify the accuracy of outsourced decrypted data in IoT through a smart contract. In addition, some schemes use the distributed feature of blockchain to distribute secret keys as the authority. Lewko and Waters [21] proposed a multi-authority attribute-based encryption scheme. In this scheme, the user secret key consists of multiple components, each from a different organization, to prevent collusion attacks among users. Qin et al. [22] proposed a blockchain multi-attribute access control scheme for cloud data sharing. Smart contracts on blockchain manage attribute tokens across domains to solve the trust problem between multiple users. Shi et al. [23] proposed a blockchain-based distributed access control scheme for IoT. The solution uses blockchain nodes as the addresses of IoT devices. It uses blockchain to complete the data authorization, cancelation, access control, and auditing process to ensure data security in the distributed IoT system.

The access control scheme mentioned above compensates for the deficiency of the blockchain access control mechanism in the IIoT environment. However, combining the existing access control scheme with blockchain is not enough to meet users’ demand for secure sharing access control of private data. Currently, most blockchain access control solutions only implement user access policy settings for the data and do not address the need for two-way policy confirmation between the user and the data. Furthermore, the security of the data during sharing and the usability of users of lightweight devices were not considered. Therefore, this paper proposes a blockchain-aided searchable encryption-based two-way attribute access control scheme (STW-ABE).

3. Preliminaries

3.1. Linear Secret-Sharing Schemes (LSSS)

The linear secret-sharing scheme [24] is defined as follows.

Definition 1. Let P be a set of parties. Let be a matrix. Let be a function that maps a row to a party for labelling. Let represent a linear secret-sharing scheme with access structure A, which usually consists of two polynomial-time algorithms:

(1) For , the -th row of matrix is labeled by a party , where is a function that maps a row to a party for labelling. The algorithm takes as input the secret value that is shared. are randomly chosen, and . The share belongs to party .

(2) Let be input. Let , and randomly select . The output is a constant with linear reconstruction characteristics: .

3.2. Distributed Key Generation (DKG) Protocol

Traditional key generation is performed by the central server. This centralized management approach is prone to a single point of failure problem. To solve this problem, researchers proposed the distributed key generation (DKG) protocol [25]. In the DKG protocol, the generation of secret values is done by multiple parties, not by an authoritative center, and does not rely on trusted third parties. Multiple nodes jointly generate a secret value , and each node has a corresponding secret value to share. The secret value can be restored only when the sharing rule is met, where is the number of nodes authorized by participants and is the threshold. The secret value generated by nodes must be shared by at least participants to complete the sharing of secret value .
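A (t, n) distributed key generation round of the kind described above, implemented with Feldman-style verifiable secret sharing. This is an added example, not the protocol of [25] or the paper's construction; the toy group parameters, the simplified disqualification rule and all names are assumptions.

```python
import secrets

# Toy Schnorr group, constructed for this demo and far too small for real use:
# P = 2*Q + 1 with P, Q prime, and G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4


def poly_eval(coeffs, x):
    """Evaluate a polynomial (lowest coefficient first) at x over Z_Q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


class Node:
    """One consensus node acting as a dealer of its own random secret."""

    def __init__(self, idx, t):
        self.idx = idx
        # Degree t-1 polynomial: any t shares determine it, t-1 do not.
        self.coeffs = [secrets.randbelow(Q) for _ in range(t)]
        # Public commitments G^a_k, broadcast to every other node.
        self.commitments = [pow(G, c, P) for c in self.coeffs]

    def share_for(self, j):
        return poly_eval(self.coeffs, j)


def verify_share(commitments, j, s):
    """Check G^s == prod_k C_k^(j^k), i.e. s lies on the committed polynomial."""
    rhs = 1
    for k, c in enumerate(commitments):
        rhs = rhs * pow(c, pow(j, k, Q), P) % P
    return pow(G, s, P) == rhs


def run_dkg(n, t, cheater=None):
    """Run one round; returns (shares by node, joint public key, qualified dealers)."""
    nodes = {i: Node(i, t) for i in range(1, n + 1)}
    qualified = set(nodes)
    received = {j: {} for j in nodes}
    for i, dealer in nodes.items():
        for j in nodes:
            s = dealer.share_for(j)
            if i == cheater and j != i:
                s = (s + 1) % Q  # constructed fault: dealer sends a bad share
            if verify_share(dealer.commitments, j, s):
                received[j][i] = s
            else:
                # Simplification: one failed check disqualifies the dealer.
                qualified.discard(i)
    qual = sorted(qualified)
    # Each qualified node sums the shares it got from qualified dealers.
    shares = {j: sum(received[j][i] for i in qual) % Q for j in qual}
    # The joint public key is derived from commitments only; the joint secret
    # (sum of the dealers' constant terms) is never assembled in one place.
    y = 1
    for i in qual:
        y = y * nodes[i].commitments[0] % P
    return shares, y, qual


def lagrange_at_zero(points):
    """Recover the joint secret from {node index: share} with >= t entries."""
    total = 0
    for j, xj in points.items():
        num = den = 1
        for m in points:
            if m != j:
                num = num * (-m) % Q
                den = den * (j - m) % Q
        total = (total + xj * num * pow(den, -1, Q)) % Q
    return total


if __name__ == "__main__":
    shares, y, qual = run_dkg(n=5, t=3, cheater=2)
    x = lagrange_at_zero({j: shares[j] for j in qual[:3]})
    print("qualified dealers:", qual, "key consistent:", pow(G, x, P) == y)
```
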

3.3. Searchable Encryption

Song et al. [26] proposed the practical technology of encrypted data search. In this technique, the scheme for searching the encrypted data is described, and the security of the generated encryption system is proved. The third-party server can only obtain the matching ciphertext results if only the ciphertext data are provided. Nevertheless, it cannot obtain the data information in plaintext, which implements query isolation. In addition, a hidden query is supported. Data users only need to send the search token containing the query keyword to the third-party server for ciphertext search without disclosing the detailed information of the keyword to the server.

3.4. Blockchain Technology

Generally, there are three types of blockchain: public blockchain, private blockchain, and coalition blockchain. A public blockchain allows any node to generate transaction information and view all information in the block. In a private blockchain, all nodes on the network are controlled by a single organization, and only a small number of authorized nodes have access to the data information. In the coalition blockchain, authorized nodes can join the blockchain network and participate in transactions and information synchronization with strong controllability and high privacy.

This paper uses a coalition blockchain. The blockchain is controlled by a group of trusted nodes that control the consensus protocol. Other authorized nodes can generate data and send them to the blockchain for storage. Then, the consensus node runs the consensus protocol to complete the ledger update in the coalition blockchain so that all nodes keep the whole state consistent. In this paper, the specific functions of the coalition blockchain are as follows. (1) The consensus node in the blockchain initializes system parameters using the distributed secret key generation protocol. (2) The consensus node is responsible for generating, storing, and distributing global public keys, public and private key pairs of users, and user identity keys. (3) The consensus node responds to the keyword searched by the user, generates a ciphertext index through the blockchain, and sends it to the cloud server.

4. System Definition

4.1. System Model

The STW-ABE scheme contains four participants presented as follows. The detailed structural components of the scheme are shown in Figure 1.

(1) Data Publisher (DP). Any IoT device can generate data. The plaintext data containing ciphertext attributes and user access structure are encrypted on the local service. Then, the ciphertext and ciphertext index are uploaded to the cloud server. Data publishers can be people and any IoT device.

(2) Data Acquirer (DA). The data acquirer receives the user identity key from the blockchain, which contains the user attributes and the ciphertext access structure. The DA can only capture the ciphertext if the DA attribute meets the user access structure of the DP and the ciphertext attribute meets the ciphertext access structure of the DA. The DA obtains the ciphertext that meets the individual’s conditions and decrypts it with its user identity key.

(3) Blockchain (BC). A coalition blockchain comprises trusted consensus nodes. The blockchain is responsible for initializing the global public key and generating users’ public and private key pairs, user identity secret keys, and tokens.

(4) Cloud Server (CS). Cloud servers are used to store large amounts of ciphertext and ciphertext indexes that are uploaded by DP. In addition, CS responds to users’ search requests, verifies access control permission, provides pre-decryption services for DA who meets the permission, and returns the pre-decrypted intermediate ciphertext to the DA.

The STW-ABE scheme is divided into three parts. The first part is encryption. First, the DP obtains the global public key and users’ public and private key pairs from the blockchain. Then, the DP encrypts the plaintext data through the ciphertext attribute set and user access structure. The DP then sends the ciphertext and ciphertext index to CS. The second part is the ciphertext search. DA searches for ciphertext information by keyword. First, DA sends a keyword to the blockchain network. Second, the blockchain network encrypts a keyword into a token and sends the token to CS, which conducts a ciphertext search through the ciphertext index and search tokens. Finally, the retrieved ciphertext is stored. The third part is decryption. The CS verifies the access control permissions of the set of users, that is, whether the user attributes meet the user access structure and whether the ciphertext attribute set meets the ciphertext access structure. The CS provides a pre-decryption service to generate intermediate ciphertext for the DA, satisfying the two-way access structure. When the DA receives the intermediate ciphertext from CS, the DA uses the user identity key to decrypt the intermediate ciphertext into plaintext.
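Definition 1 (LSSS) and the two-way permission check described above, as an added example that is not from the paper: shares are produced from a labelled matrix, an authorized attribute set reconstructs the secret, and access is granted only when both directions are satisfied. The policies, attribute names and function names are assumptions, and plain integers modulo a prime stand in for the scheme's bilinear-group elements.

```python
import secrets

P = 2**61 - 1  # prime modulus for the toy field (assumption, not a pairing order)


def solve_omega(rows, p=P):
    """Find w with sum_i w[i] * rows[i] == (1, 0, ..., 0) mod p, else None.

    Solves M^T w = e1 by Gauss-Jordan elimination over Z_p.
    """
    if not rows:
        return None
    m, n = len(rows), len(rows[0])  # m unknowns, n equations
    A = [[rows[i][j] % p for i in range(m)] + [1 if j == 0 else 0]
         for j in range(n)]
    pivots, r = [], 0
    for c in range(m):
        piv = next((k for k in range(r, n) if A[k][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], -1, p)
        A[r] = [x * inv % p for x in A[r]]
        for k in range(n):
            if k != r and A[k][c]:
                f = A[k][c]
                A[k] = [(x - f * y) % p for x, y in zip(A[k], A[r])]
        pivots.append(c)
        r += 1
        if r == n:
            break
    # A zero row with a non-zero right-hand side means e1 is not in the span.
    if any(A[k][m] for k in range(r, n)):
        return None
    w = [0] * m
    for row_i, c in enumerate(pivots):
        w[c] = A[row_i][m]
    return w


def share(secret, M, p=P):
    """Share i is M_i . v, where v = (secret, r_2, ..., r_n) with random r_k."""
    v = [secret % p] + [secrets.randbelow(p) for _ in range(len(M[0]) - 1)]
    return [sum(a * b for a, b in zip(row, v)) % p for row in M]


def reconstruct(M, rho, shares, attrs, p=P):
    """Linear reconstruction: sum of w_i * share_i over the rows owned by attrs."""
    idx = [i for i, label in enumerate(rho) if label in attrs]
    w = solve_omega([M[i] for i in idx], p)
    if w is None:
        return None  # attrs is not an authorized set
    return sum(wi * shares[i] for wi, i in zip(w, idx)) % p


def satisfies(policy, attrs):
    M, rho = policy
    return solve_omega([M[i] for i, a in enumerate(rho) if a in attrs]) is not None


def two_way_ok(user_attrs, user_policy, ct_attrs, ct_policy):
    """Both directions must hold: the user's attributes satisfy the publisher's
    user access structure AND the ciphertext's attributes satisfy the
    acquirer's ciphertext access structure."""
    return satisfies(user_policy, user_attrs) and satisfies(ct_policy, ct_attrs)


# Constructed policies. (engineer AND plant1) OR auditor, as an LSSS matrix:
USER_POLICY = ([[1, 1], [0, -1], [1, 0]], ["engineer", "plant1", "auditor"])
# telemetry AND y2023:
CT_POLICY = ([[1, 1], [0, -1]], ["telemetry", "y2023"])

if __name__ == "__main__":
    M, rho = USER_POLICY
    sh = share(424242, M)
    print(reconstruct(M, rho, sh, {"engineer", "plant1"}))  # secret recovered
    print(reconstruct(M, rho, sh, {"engineer"}))            # None
    print(two_way_ok({"auditor"}, USER_POLICY, {"telemetry"}, CT_POLICY))
```
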

4.2. System Procedure

The composition of the STW-ABE scheme is as follows.

4.2.1. Initialization

. Setup: the process runs on blockchain consensus nodes participating in authorization and outputs global public key .

. User public key and private key generation: the process runs in the blockchain consensus nodes, with global public key as input, and outputs user public key and user private key .

4.2.2. User Identity Key Generation

. User identity key generation: the process is run by the consensus nodes in the blockchain that execute the distributed key generation protocol, taking the global public key , the user public key , the user private key, the user attributes set , the ciphertext access structure , and user’s identity as input, and outputs the user identity key.

4.2.3. Encryption

. Encryption: this process is run by the DP, taking the global public key , the user public key , the user private key , the user’s identity , the user access structure , ciphertext attribute set , and plaintext as input, and outputs ciphertext and keywords of ciphertext .

4.2.4. Index Generation

. Index generation: this process is run by the DP, with the global public key , the user public key , and the keywords of ciphertext as input, and outputs the ciphertext index .

4.2.5. Token Generation

. Token generation: this process is run by the blockchain consensus nodes, with the global public key , the user identity key , and the keywords of the data user as input, and outputs user search token .

4.2.6. Search

. Search: this process is run by the CS, taking the global public key , the user search token , and the ciphertext index as input to output the matching ciphertext .

4.2.7. Decryption

. Proxy decryption: this process is run by the CS, taking the global public key , the ciphertext , and the user identity key as input. If the ciphertext attribute set satisfies the ciphertext access structure and the user attribute set satisfies the user access structure , the CS pre-decrypts the ciphertext and returns the intermediate ciphertext to the DA.

. User decryption: this process is run by the DA, taking the global public key , the ciphertext , the intermediate ciphertext , and the user identity key as input, and outputs plaintext .

The notations used in our scheme are summarized in Table 1.

4.3. Security Model
4.3.1. Ciphertext Indistinguishability

The indistinguishability security under chosen-plaintext attack (IND-CPA) of an STW-ABE scheme is defined by the following game between a challenger and a probabilistic polynomial-time (PPT) adversary . Let be the authority universe of size . We define adversary as a adversary who can compromise at most authority. This security model adopts the key generation protocol. The description of the game is as follows:

(1) Initialization: runs the Initialization of STW-ABE and returns the global public key , user public key , and user private key to .

(2) Query phase I: adversary queries the following oracles adaptively.

(a) User Identity Key Oracle. submits an identity to . runs the . Finally, it returns to .

(b) Encryption Oracle. sends to . runs the to generate the ciphertext . Notice that the user access structure does not satisfy the challenge user attribute set , and the ciphertext attribute set does not satisfy the challenge ciphertext access structure .

(3) Challenge: submits two plaintexts of equal length , and sends them to . selects a random number and encrypts the selected plaintext with user access structure and ciphertext attribute set . The final ciphertext will be generated () and sent to .

(4) Query phase II: still can make queries adaptively as in Query Phase I.

(5) Guess: outputs a guess for .

The advantage of in this game is defined as follows:

Definition 2. An STW-ABE scheme is IND-CPA secure if the advantage defined above for any PPT adversary is negligible.

4.3.2. Index Indistinguishability

Index indistinguishable security (IND-CKA) under chosen access structure and chosen keyword attack is defined as the security game of challenger and a probabilistic polynomial-time (PPT) adversary for the STW-ABE scheme. In this scheme, only single keyword ciphertext retrieval is considered. The description of the game is as follows:

(1) Initialization: defines a user access structure and ciphertext attribute set .

(2) Setup: runs the Initialization of STW-ABE and returns the global public key , user public key , and user private key to .

(3) Query phase I: adversary queries the following oracles adaptively.

(a) User Identity Key Oracle. submits an identity to . runs the . Finally, it returns to .

(b) Token Oracle. send to . runs the to generate the token . Notice that the user access structure does not satisfy the challenge user attribute set , and ciphertext attribute set does not satisfy the challenge ciphertext access structure . We assume that all query results (Tok) have at least one matched index that can be searched out.

(c) Index Oracle. submits to , and runs the to generate the index.

(4) Challenge: submits two keywords of equal length , and to . chooses randomly number and runs the with the challenge user access structure and ciphertext attribute set to return to .

(5) Query phase II: still can make queries adaptively as in Query Phase I after receiving the challenge index. Similarly, cannot query on the user access structure, which satisfies the challenge user attribute set, and ciphertext attribute set, which satisfies the ciphertext access structure.

(6) Guess: outputs a guess for .

The advantage of in this game is defined as follows:

Definition 3. An STW-ABE scheme is IND-CKA secure if the advantage defined above for any PPT adversary is negligible.

5. Construction

This section presents a detailed construction of our STW-ABE scheme, including initialization, user identity key generation, encryption, decryption, token generation, and search.

5.1. Initialization

This stage is divided into two parts. First, the blockchain consensus node executes the distributed key generation protocol to generate the global public key. Then, the blockchain consensus nodes generate user public and private keys.

Part One. . First, the q-order bilinear group with generator and bilinear mapping is selected in the setup. In addition, the description of a hash function that maps user identity to elements of is published. Finally, the global public key is generated.

Part Two. . The authorization center manages the set of user attributes and ciphertext attributes of all users. random selection of parameters , according to the attribute set. Then, blockchain consensus nodes generate user public key and user private key .

5.2. User Identity Key Generation

. This is run by the consensus nodes that execute the distributed key generation protocol, taking the global public key , the user public key , the user private key , the user attributes set , the ciphertext access structure , and user’s identity as inputs to output the user identity key .

(1) Let be a matrix. The process randomly selects , and constructs the vector and vector . is the secret value to be shared.

(2) Let be the -th row of the matrix , and calculate , .

(3) Select for each to calculate the following equation:

(4) Create a key that belongs to a primary attribute for the user identity and do the following calculation: .

(5) Finally, the user identity key is generated () and sent to the DA.

5.3. Encryption

The encryption consists of two processes, namely, encryption and the index generation .

. This process is run by the , taking the global public key , the user public key , the user private key , the user identity , the user access structure , ciphertext attribute set , and plaintext as input.

(1) Let be a matrix. The process first randomly selects , . Let vector , , and be the secret value to be shared.

(2) Let be the -th row of the matrix , and , .

(3) Select for each to calculate the following equation:

(4) Create a key that belongs to the corresponding subattribute for the encrypted file, and the following calculation is performed:

(5) Finally, the ciphertext is generated: and sent to the CS.

. This process was conducted by DP on local devices, with the global public key , the user public key , and the keywords of ciphertext as inputs. is the number of data keywords. The following calculations are performed to encrypt each keyword into a ciphertext index.

Finally, the ciphertext index is obtained and sent to the CS.

5.4. Token Generation

. This process is run by the consensus nodes that execute the distributed key generation protocol, with the global public key , the user identity key , and the keywords of the data users as input. The following calculations are performed.

Finally, the user tokens are generated () and sent to the CS.

5.5. Search

. The search is conducted by the CS. This process takes the global public key , the user search token , and the ciphertext index as input. Suppose the ciphertext search is successful, output the ciphertext. Otherwise, the process is terminated.

(1) Judge if the following equation holds:

(2) If yes, output the storage ciphertext ; else, abort.

5.6. Decryption

The decryption consists of two processes, namely, the proxy decryption process and the user decryption process .

. Proxy decryption is run by the CS, taking the global public key , the ciphertext , and the user identity key as input. Determine whether the user attributes satisfy the file access permission, whether the ciphertext attribute set satisfies the ciphertext access structure , and whether the user attribute set satisfies the user access structure .

Verify that the user attribute set satisfies the user access structure; randomly selected makes . Similarly, verify that the ciphertext attribute set satisfies the ciphertext access structure; randomly selected makes . If the authentication succeeds, perform the following calculation for the ciphertext pre-decryption.

Pre-decryption equation:

. The user decryption is run by DA, taking the global public key , the ciphertext , the intermediate ciphertext , and the user identity key as input.

Decryption equation:

6. Security and Performance Analysis

6.1. Security Analysis

The STW-ABE simplifies the security problem to a decisional bilinear Diffie–Hellman (DBDH) problem.

Theorem 1. The STW-ABE scheme is IND-CPA secure if the decisional bilinear Diffie–Hellman (DBDH) problem is hard.

Proof. If adversary can break the STW-ABE scheme with a non-negligible advantage, adversary can solve the DBDH problem with a non-negligible advantage. -order bilinear group with generator and bilinear mapping exists. plays as the challenger in the following steps. Given an instance of the DBDH problem , where are randomly selected. ; when , ; when , .
Initialization. runs the Initialization of STW-ABE and returns the global public key , user public key , and user private key to .
Query Phase I. Adversary queries the following oracles adaptively.
User Identity Key Oracle. submits an identity to . runs the . Finally, it returns to .
Encryption Oracle. sends to . runs the to generate the ciphertext . Notice that the primary access structure does not satisfy the challenge primary attribute set , and ciphertext attribute set does not satisfy the challenge secondary access structure .
Challenge. submits two plaintexts of equal length , and sends them to . selects a random number and then encrypts the selected plaintext with user access structure and ciphertext attribute set . The final ciphertext will be generated and sent to .
Query Phase II. still can make queries adaptively as in Query Phase I after receiving the challenge ciphertext . Similarly, cannot query the user access structure that satisfies the challenge user attribute set and the ciphertext attribute set that satisfies the ciphertext access structure.
Guess. outputs a guess for . If , outputs , and receives a tuple . Otherwise, outputs , and receives a tuple . The advantage of is analyzed as follows.
When , , cannot obtain the information of . Thus, . When , .
When , , obtains ciphertext . Thus, . When , .
Thus, guesses , and the correct advantage is
In summary, if adversary can break the proposed scheme with a non-negligible advantage in polynomial time, a scheme that can solve the DBDH problem with a non-negligible advantage in polynomial time exists. However, the DBDH problem is difficult, so the STW-ABE scheme is IND-CPA secure.

Theorem 2. The STW-ABE scheme is IND-CKA secure if the decisional bilinear Diffie–Hellman (DBDH) problem is hard.

Proof. Assume that there is a PPT adversary who can win the index indistinguishability security game defined in Section 4.3.2 with non-negligible advantage . Then, we can construct a to solve the DBDH problem with a non-negligible advantage . plays as the challenger in the following steps. Given an instance of the DBDH problem , where are randomly selected. ; when , ; when , .
Initialization. defines a user access structure and ciphertext attribute set .
Setup. runs the Initialization of STW-ABE and returns the global public key , user public key , and user private key to .
Query Phase I. Adversary queries the following oracles adaptively.
User Identity Key Oracle. submits an identity to C. C runs the . Finally, it returns to .
Token Oracle. sends to . runs the to generate the token . Notice that the user access structure does not satisfy the challenge user attribute set , and the ciphertext attribute set does not satisfy the challenge ciphertext access structure . We assume that all query results (Tok) have at least one matched index that can be searched out.
Index Oracle. submits to , and runs the to generate the index.
Challenge. submits two keywords of equal length and to . chooses number randomly and runs the with the challenge user access structure and ciphertext attribute set to return to .
The advantage of is analyzed as follows.
When , we set ; then, the index presented as follows is identical to an actual index:
When , due to the randomness of , this index is random to the adversary and contains no information about .
Query Phase II. still can make queries adaptively as in Query Phase I after receiving the challenge Index. Similarly, cannot query the user access structure that satisfies the challenge user attribute set and the ciphertext attribute set that satisfies the ciphertext access structure.
Guess. outputs a guess for . If , the probability of outputs is . If , the probability of outputs is . Thus, the advantage of solving the DBDH problem is
Because the DBDH problem is hard, we can get that is negligible. In other words, the advantage of breaking our scheme is negligible, and our scheme achieves chosen keyword security.

6.2. Performance Analysis

In this section, we analyze the performance and computational efficiency of STW-ABE. We compare the performance of STW-ABE with other schemes in Table 2, where “” indicates that the solution supports this method. “” indicates that the solution does not support this method. In Table 3, we compare the computational efficiency of STW-ABE with other schemes, in which represents an exponential operation, represents a pairing operation, represents a hash operation, represents the number of attributes in the authorized institution, represents the number of keywords in each document, is the number of keywords searched by the user, is the number of the ciphertext attributes, and is the number of the user attributes.

As seen in Table 2, our scheme not only realizes two-way access control of ciphertext search but also uses CS to provide outsourced decryption service, reducing the computational pressure on users.

Table 3 compares the computational efficiency of encryption, decryption, index generation, token generation, and ciphertext search. In our scheme, first, the user needs to perform a exponential operation and a hash operation to encrypt the data, in which only one exponential operation is required for each ciphertext attribute. The user performs a hash operation on each ciphertext keyword and exponential operation to generate a ciphertext index. Secondly, the cloud server performs a hash operation and exponential operation for each keyword to be searched to generate a token for data users. Then, the cloud server performs a ciphertext search by an exponential operation of and pairing operation time of . In decryption, the scheme divides the decryption cost into the user part (denoted as User) and the cloud server part (denoted as Cloud). The cloud server performs the pairing operation . The user then only needs to perform the exponential operation once to decrypt the ciphertext into plaintext. Furthermore, the STW-ABE scheme is compared with two multi-permission ABE schemes, DP-ABE [5] and D-ABE [21], and two searchable encryption schemes, PAB-MKS [11] and BC-SABE [19], in Table 3. The cost of the linear secret-sharing protocol is ignored in the efficiency analysis.

Figures 2 and 3 contain the simulation results of the five processes. We ran the simulations on an Ubuntu 16 desktop system with an Intel Core i7-8700 CPU and 4 GB RAM. All programs were developed using Charm (version 0.50) [27], a Python-based framework for rapid prototyping of cryptographic schemes.

Figure 2(a) shows the encryption time cost of three ABE schemes with multiple authority agencies. As seen in the figure, the time cost of all the schemes is linear in the number of attributes contained in the encrypted access structure. Figure 2(b) shows the decryption time cost of schemes D-ABE, BC-SABE, and STW-ABE. As seen in Figure 2, the time cost of cloud decryption of D-ABE, BC-SABE, and STW-ABE is linear in the number of attributes, and the user decryption cost in STW-ABE is independent of the number of attributes. Since STW-ABE outsources most of the decryption work to cloud servers, the computing pressure on users is greatly reduced. This makes the scheme more suitable for lightweight devices in the IoT environment.

Figure 3(a) shows the time cost of generating the ciphertext index. It can be seen from the figure that STW-ABE has better computing performance than scheme PAB-MKS and scheme BC-SABE. Figure 3(b) shows the simulation results of the time cost required for the generation of the . The time cost of the schemes is linearly related to the number of attributes, but it can be seen that the time cost of STW-ABE is much shorter than that of scheme BC-SABE. Figure 3(c) shows the time cost of the search process under simulation. In this simulation, the file index and the number of files are fixed as constants. The results represent only the performance of the search process itself and do not include the time cost of searching the actual database. As seen in Figure 3(c), the time cost of the STW-ABE search process is similar to that of the search process in the PAB-MKS scheme and the BC-SABE scheme. Moreover, they are all linearly related to the number of attributes.

Discussion. There are two concerns when designing searchable encryption access control schemes.

(1) Security. In Section 4.1, the two-way access control scheme based on searchable encryption has been proven to be IND-CPA secure and IND-CKA secure, which is also achieved by most searchable encryption schemes. In this paper, we use the distributed feature of blockchain and change the central authorization model in traditional access control to blockchain consensus nodes that run DKG to generate the relevant secret key. Here, DKG follows the sharing principle, is the total number of blockchain consensus nodes involved in key generation, and is the minimum number of consensus nodes involved in key generation. More than consensus nodes must participate in the secret key sharing, which improves the robustness of the scheme. At the same time, a blockchain is a distributed ledger that ensures data integrity, immutability, and traceability of the information stored in it, such as global public keys and user keys.

(2) Efficiency. The simulation experiments in this paper measured the efficiency of the scheme and compared it with other schemes, and they show that this scheme has certain advantages in implementation efficiency. In the decryption process, considering that most IoT devices have limited resources and cannot perform efficient decryption calculations, this scheme uses cloud servers to assist users in decryption. A large amount of decryption computation is outsourced to CS, thus reducing the computational pressure on users. This scheme adopts a distributed key generation protocol, and multiple blockchain consensus nodes participate in generating users’ public and private key pairs, which will not affect the security and robustness of the scheme. Meanwhile, the blockchain nodes do not need to generate secret keys in response to user requests in real time, so the time cost of secret key generation is not simulated in this paper.

Among the compared schemes, the BC-SABE scheme uses the cloud server to generate tokens jointly with the user, and the user does not need to perform the calculation related to the number of attributes. In the BC-SABE scheme, the token generation time by the blockchain consensus node is not given, so there is no comparison between them in Figure 3(b). Similarly, the generation of a token in STW-ABE is completed by the blockchain consensus node, so the user incurs no computation cost in token generation.
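
The threshold property that the Discussion relies on can be seen in a small joint-Shamir DKG over a prime field. This is an added example, not the paper's code or its exact DKG protocol; the function names, the modulus `Q`, and the reading of the threshold as "t shares suffice" are assumptions made for illustration.

```python
import secrets

# Constructed parameter (assumption): a prime field standing in for the
# scalar field of the pairing group used by the scheme.
Q = 2**127 - 1  # Mersenne prime

def deal(secret, t, n):
    """Shamir-share `secret` among nodes 1..n with a random polynomial of
    degree t-1 whose constant term is the secret; node i receives f(i)."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def dkg(t, n):
    """Every consensus node deals its own random contribution. Node i's key
    share is the sum of the sub-shares sent to it, so the master key is the
    sum of all contributions and no single node ever holds it.
    `master` is returned only so the result can be checked."""
    contributions = [secrets.randbelow(Q) for _ in range(n)]
    dealt = [deal(s, t, n) for s in contributions]
    shares = {i: sum(d[i] for d in dealt) % Q for i in range(1, n + 1)}
    return shares, sum(contributions) % Q

def reconstruct(subset):
    """Lagrange interpolation at x = 0 over a {node_index: share} subset."""
    total = 0
    for i, y in subset.items():
        num, den = 1, 1
        for j in subset:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        total = (total + y * num * pow(den, Q - 2, Q)) % Q
    return total

if __name__ == "__main__":
    t, n = 3, 5  # constructed values: 5 consensus nodes, any 3 suffice
    shares, master = dkg(t, n)
    quorum = {i: shares[i] for i in (2, 4, 5)}   # two nodes offline
    too_few = {i: shares[i] for i in (1, 2)}     # below the threshold
    print("quorum recovers key:", reconstruct(quorum) == master)
    print("sub-threshold recovers key:", reconstruct(too_few) == master)
```

A deployed DKG additionally publishes commitments to each node's polynomial (for example Feldman or Pedersen commitments) so that inconsistent sub-shares from a faulty node are detected; that verification step is omitted here.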

7. Conclusions

This paper proposes a distributed STW-ABE scheme using coalition blockchain and cloud servers to assist users with accurate and secure data search and sharing. Our solution not only enables two-way confirmation between users and data but also enables the fine-grained search of ciphertext and lightweight decryption for users. In addition, our scheme utilizes a coalition blockchain to replace the centralized key management server. The consensus nodes jointly generate key parameters through the DKG, improving the security of the IoT system. Then, the blockchain is responsible for generating public and private keys, user identity keys, and keyword tokens. Due to the limited resources of IoT devices and the massive pairing operations required for the search and decryption process, we delegate a large amount of computation to CS during the search and decryption process. The user only needs one exponential operation to complete the decryption process from ciphertext to plaintext. The security and efficiency analysis presented here shows that the scheme has good security and practicality.

Our ultimate aim is to design a secure and efficient data sharing system for the IIoT. A possible direction for further research is to implement dynamic updating of access policies based on the current work.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This study was supported by the National Natural Science Foundation of China (grant no. 61772180), the Key-Area Research and Development Program of Guangdong Province (2020B1111420002), the Key-Area Research and Development Program of Hubei Province (2022BAA040), the Science and Technology Project of Department of Transport of Hubei Province (2022-11-4-3), and the Innovation Fund of Hubei University of Technology (BSQD2019027, BSQD2019020, and BSQD2016019).