1. Introduction
Due to the increasing popularity of the Internet of Things (IoT), the access of massive numbers of devices forms a heterogeneous environment that generates a great deal of data to be transmitted to the data center through the network at the same time, so network delay is inevitable. Edge computing provides a new way to solve the high-delay problem in the transmission of mass data from IoT devices. In edge computing, the edge nodes are set between the cloud server and the client, and the storage and computing tasks are completed by the edge nodes, which solves the real-time problem of the outsourcing system to a large extent. However, it also brings huge challenges for security and privacy protection [2]. Therefore, access control for IoT systems with edge nodes has become a new research hotspot. Most of the existing schemes use data encryption to ensure user security and privacy, but traditional encryption algorithms have security problems in an edge computing environment with a large number of tasks. As the security and reliability requirements of large-scale data acquisition become higher, how to acquire and manage massive data securely and efficiently in the edge computing environment has become a difficult problem.
Attribute-based encryption (ABE) schemes [6] include KP-ABE [7] and CP-ABE [8], among which CP-ABE applies to cloud computing scenarios in most cases. However, the ABE algorithm has a defect in efficiency: the computational cost of the decryption stage is very high, and the more attributes are involved in the access policy, the more time decryption takes. Since many devices in the Internet of Things do not have enough computing and storage capacity, this problem makes it difficult for ABE to be widely applied on mobile devices with limited resources. In order to solve the problem that ABE takes a long time to decrypt and is difficult to apply on resource-limited devices, [14] first proposed an outsourced attribute-based encryption scheme. In the scheme of [14], the client provides a transformation key (also known as the outsourcing decryption key) to the cloud, and the cloud uses the transformation key to pre-decrypt the ABE ciphertext and obtain a pre-decrypted ciphertext. Although the cloud server performs the pre-decryption, it still cannot get any information about the original data from the pre-decrypted ciphertext. The user can decrypt the ciphertext pre-decrypted by the cloud and recover the original data from it, and this calculation is very cheap, thus greatly reducing the computing cost of the user. The solution is essentially a two-stage decryption between the cloud and the user: most of the computing cost of decryption is borne by the cloud, while only a small part is borne by the user. [15] adds verifiability on top of outsourced decryption so that users can effectively check whether the transformation was completed correctly.
Blockchain is a cutting-edge technology in the field of data sharing. As a kind of decentralized distributed ledger that uses logically independent data space and is based on a new distributed architecture and computing paradigm, it has been used in data-sharing applications, and the combination of blockchain and edge computing can offer a solution to the security problems of edge computing. In terms of attribute revocation, many studies directly revoke the user [16] instead of revoking the attributes of the user. This paper uses the blockchain to achieve the revocation of user attributes.
Few existing schemes have studied the use of attribute-based encryption for data access control in blockchain-based edge computing. On the basis of existing research, this paper makes the following contributions:
1) We propose a multi-authority attribute authorization data access control architecture based on blockchain and attribute-based encryption in edge computing, which has the characteristics of outsourced decryption, verifiability, attribute revocation and protection of user attribute privacy.
2) We put forward outsourced decryption with multiple authorities in edge computing. The outsourced decryption is verifiable because it is carried out on the blockchain, which provides the verification. Compared with other methods, it has an advantage in the storage space of the ciphertext.
3) We propose the revocation of user attribute keys based on blockchain, which realizes revocation of the user's attributes by dynamically managing the user's attribute keys.
2. Related work
There are already some blockchain-based attribute-based encryption schemes. [1] proposed an access control scheme based on a multi-authority ABE algorithm and blockchain. Authorization nodes in the blockchain act as multiple attribute authorities. This distributed method effectively solves the problem that a single attribute authority has too much power in the traditional ABE scheme and is prone to single point of failure. In this scheme, all data is encrypted using attribute-based encryption, and the encrypted data is stored in the blockchain. However, this method does not outsource the decryption process, so its application scenarios are limited.
How to implement an effective access control scheme in the combination of blockchain and edge computing is also a hot research direction. In edge computing, a large number of network and computing resources are distributed at the edge, and blockchain itself has the characteristics of decentralization and distribution. Integrating blockchain and edge computing into one system can provide users with safe and effective network, storage and computing services [4]. In [17], a multi-authority outsourced attribute-based encryption scheme (TLMO-ABE) containing time and location information is proposed. The innovation of this scheme is to add the two factors of place and time to the attributes, so that the data user must access the corresponding data within the permitted range of time and place. The scheme also uses multiple attribute authorities to manage user attributes, and the attribute key is generated and distributed by multiple attribute authorities, which solves the security problem and performance bottleneck caused by a single authority. In order to achieve effective access control and management of the Internet of Things, [3] proposes an access control model for an IoT system with edge computing, based on the existing integrated blockchain and edge computing architecture. Specifically, the scheme designs a three-tier IoT data access control architecture based on attribute-based encryption, while access control decisions are made by nodes on the blockchain jointly executing smart contracts. The edge nodes in this scheme are responsible for encrypting, decrypting and transmitting data. The "SC-ABAC" access control model is proposed in [3] to realize effective access control and management of the Internet of Things. However, this scheme does not deal with the environment in which the data itself exists or with personal privacy information, so there may be privacy leakage problems.
In [5], some nodes trusted by the data consumer jointly calculate the user's attribute keys and store them. Then, in order to prevent the key abuse problem, a key transfer transaction data structure is defined to realize accountability for the CP-ABE algorithm. Finally, attribute-based encryption and blockchain technology are effectively combined: the encryption and decryption process and the storage of sensitive text are arranged between on-chain and off-chain components, achieving on-chain/off-chain collaborative computing. However, this scheme has no outsourcing or verification process, so its application scope is limited. [12] proposed an efficient decryption access control scheme based on large-universe attributes using cloud outsourced decryption. The decryption process is completed by the cloud, which greatly reduces the ciphertext size, decryption time and computing resource consumption. At the same time, the cloud gains no knowledge about the raw data.
There are some studies on attribute-based access control in blockchain. [9] proposed a WBAN privacy protection policy enhanced by mobile edge computing (MEC), and used attribute-based encryption for identity authentication to ensure the reliability of data sources. The scheme also designs a hybrid signature algorithm based on the decentralized MEC paradigm of blockchain, which realizes the efficient transmission of private information. The scheme further designs an optimized Merkle tree model, which makes the source of the patient's medical data traceable and highly reliable by authenticating the nodes. Overall, the scheme has high reliability and is suitable for scenarios with high demand for data security. [10] gives full consideration to the technical characteristics of blockchain and studies the malicious attack behavior in blockchain and the privacy issues involved in the access policy of the CP-ABE scheme. The ciphertext, access structure and key structure are redesigned to protect the private information in the access policy. The solution also uses computation outsourcing to improve overall system efficiency. In [11], a new blockchain-based secure and trusted access control scheme, TrustAccess, which supports ciphertext policy and attribute privacy, is proposed; it ensures the privacy of policy and attributes while realizing trusted access. Due to the low efficiency and poor scalability of the traditional CP-ABE scheme in the decryption process, [11] also proposed the OHP-CP-ABE optimization scheme, which meets large-scale access requirements and is scalable.
In the aspect of attribute revocation, some studies [17] directly revoke the user rather than the user's attributes. In our scheme, attribute revocation is realized by using the blockchain.
3. Preliminaries
3.1. Bilinear maps
\(G_0\) and \(G_1\) are two multiplicative cyclic groups of prime order \(p\), \(g\) is a generator of \(G_0\), and \(e: G_0 \times G_0 \to G_1\) is a bilinear map. The bilinear map \(e\) has the following properties:
1) Bilinearity: \(e(g^a, g^b) = e(g, g)^{ab}\) for all \(g \in G_0\) and \(a, b \in \mathbb{Z}_p\)
2) Non-degeneracy: \(e(g, g) \neq 1\)
3) Computability: for all \(g_1, g_2 \in G_0\), there is an efficient algorithm that computes \(e(g_1, g_2)\).
3.2. Attribute and Access Policy (J. Lai et al. 2011 [13])
Attributes and the access policy are important parts of attribute-based encryption. We assume that the attribute set of the system is \(M = (V_1, \ldots, V_i, \ldots, V_n)\) and the attribute set of a user is \(S = \{Att_1, Att_2, \ldots, Att_n\}\). An access policy can be expressed as \(A = \{W_1, \ldots, W_i, \ldots, W_n\}\), in which \(W_i \subseteq V_i\). The attribute set \(S\) of the user satisfies the access policy \(A\) when, for each attribute class \(i\), the user's attribute value for that class lies in \(W_i\).
In the study of [13], both the access policy in the ciphertext and the attribute set of the user can be converted into vectors. The predicate \(OR(I_1, I_2)\) can be encoded as:
\(p(x_1, x_2) = (x_1 - I_1) \cdot (x_2 - I_2)\) (1)
\(AND(I_1, I_2)\) can be encoded as:
\(p(x_1, x_2) = (x_1 - I_1) + r(x_2 - I_2),\ r \in \mathbb{Z}_N\) (2)
Through the OR and AND polynomial encodings, the tree structure of the access policy \(T\) can be transformed into a vector \(\vec{x}\); similarly, the user's attribute set \(S\) can be converted into a vector \(\vec{v}\), and when \(S\) satisfies \(T\) we get \(\vec{x} \cdot \vec{v} = 0\).
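The OR/AND polynomial encoding above, carried through as an added example (not code from this paper or from [13]): each attribute class is one polynomial variable, the policy vector \(\vec{x}\) is the coefficient list of the policy polynomial, and \(\vec{v}\) is the list of the same monomials evaluated at the user's attribute values, so \(\vec{x} \cdot \vec{v}\) equals the policy polynomial at the user's attributes and is 0 exactly when the policy holds. It generalizes the two-input predicates (1) and (2) to nested AND/OR trees; the modulus, the integer attribute values and the tuple form of the policy are constructed for illustration and are assumptions, not the paper's notation.

```python
"""Inner-product encoding of AND/OR access policies (Section 3.2), added example.

A policy over attribute classes x_1..x_n is turned into one polynomial using
eq. (1) for OR and eq. (2) for AND, then split into the policy vector x (its
coefficients) and, for a user, the vector v (the same monomials evaluated at
the user's attribute values), so that <x, v> = 0 exactly when the policy holds.
"""
import secrets

N = 1000003  # constructed modulus for illustration; the scheme uses N = pqr

# A polynomial is a dict: exponent tuple (one entry per attribute class) -> coefficient mod N.

def linear_factor(i, value, n):
    """The factor (x_i - value) for attribute class i out of n classes."""
    exp = [0] * n
    exp[i] = 1
    return {tuple(exp): 1, (0,) * n: (-value) % N}

def add(p, q):
    out = dict(p)
    for mono, coeff in q.items():
        out[mono] = (out.get(mono, 0) + coeff) % N
    return {m: c for m, c in out.items() if c}

def scale(p, k):
    return {m: (c * k) % N for m, c in p.items()}

def mul(p, q):
    out = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            mono = tuple(a + b for a, b in zip(m1, m2))
            out[mono] = (out.get(mono, 0) + c1 * c2) % N
    return {m: c for m, c in out.items() if c}

def encode_policy(policy, n, rng=secrets.randbelow):
    """policy is ('attr', class_index, required_value), ('or', p, q) or ('and', p, q).

    OR multiplies the sub-polynomials (eq. 1); AND adds them with a random weight
    r in Z_N* (eq. 2), so a non-matching branch cancels only with probability
    about 1/N. rng(k) must return an integer in [0, k).
    """
    kind = policy[0]
    if kind == "attr":
        return linear_factor(policy[1], policy[2], n)
    left = encode_policy(policy[1], n, rng)
    right = encode_policy(policy[2], n, rng)
    if kind == "or":
        return mul(left, right)
    if kind == "and":
        r = 1 + rng(N - 1)
        return add(left, scale(right, r))
    raise ValueError("unknown node kind: %r" % (kind,))

def policy_vector(poly):
    """Fixed monomial order and the policy vector x = coefficients in that order."""
    monomials = sorted(poly)
    return monomials, [poly[m] for m in monomials]

def attribute_vector(monomials, values):
    """User vector v: every monomial evaluated at the user's attribute values."""
    vec = []
    for mono in monomials:
        term = 1
        for exp, val in zip(mono, values):
            term = term * pow(val, exp, N) % N
        vec.append(term)
    return vec

def inner_product(x, v):
    return sum(a * b for a, b in zip(x, v)) % N

def satisfies(policy, values, n, rng=secrets.randbelow):
    """True iff <x, v> = 0, i.e. the user's attribute values satisfy the policy."""
    monomials, x = policy_vector(encode_policy(policy, n, rng))
    v = attribute_vector(monomials, values)
    return inner_product(x, v) == 0

# Constructed example: classes 0=role, 1=department, 2=clearance (values are integers).
POLICY = ("and",
          ("or", ("attr", 0, 1), ("attr", 0, 2)),      # role is 1 or 2
          ("and", ("attr", 1, 5), ("attr", 2, 3)))     # department 5 and clearance 3
```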
4. System Model
This section introduces the overall architecture of the scheme proposed in this paper, including the specific implementation details of the scheme, and the implementation of smart contracts involving storage, outsourcing decryption and attribute revocation in the blockchain.
4.1. Architecture
The full nodes in the blockchain are the edge servers, which have computing power and storage capacity. The data sources are resource-constrained devices with limited computing and storage capacity. Each edge server collects data from multiple end devices and provides services. The edge computing environment may involve multiple domains and multiple attributes; the terminal devices, edge servers and attribute authorities jointly form a blockchain system on which immutable data sharing transaction records are stored. The system has the following roles:
(1) Edge nodes (ENs): ENs have storage and computing capabilities. An EN processes DU's access requests in real time, pre-decrypts the ciphertext requested by DU, and returns the pre-decrypted ciphertext to DU.
(2) Data owner (DO): DO is the maker of the access policy in the ciphertext; it encrypts the raw data to generate the ciphertext and uploads it to the blockchain. A DO can be an edge node or a user.
(3) Data user (DU): DU obtains the pre-decryption result from the EN and is responsible for local decryption to obtain the plaintext data.
(4) Attribute authority (AA): AA is the attribute authorization authority and distributes attribute private keys to DU.
DO and DU can be either edge servers or terminals. Our scheme supports multiple AAs. DU can request different attribute keys from different AAs, and these AAs do not need to communicate with each other. We use a decentralized method for key generation, so that the key components are issued by \(n\) independent AAs for the different vector elements \(v_i\). We assume that \(AA_i\) generates the attribute key for attribute \(i\); these keys are then composed into the corresponding attribute vector \(v = (v_1, \ldots, v_i, \ldots, v_n)\). The attribute classes are represented as \(U = \{w_1, w_2, \ldots, w_i, \ldots, w_n\}\), where \(w_i\) is the \(i\)-th attribute class and each class corresponds to multiple attribute values. Suppose \(w_i\) has \(j\) attribute values, denoted \(S_{w,i} = \{v_{i,1}, v_{i,2}, \ldots, v_{i,j}\}\) with \(|S_{w,i}| = j\). Suppose the data visitor has \(n_1\) attributes, forming the set \(L = \{L_1, L_2, \ldots, L_{n_1}\}\) with \(L_i = v_{i,j}\), and the data owner has \(n_2\) attributes, forming the set \(W = \{W_1, W_2, \ldots, W_{n_2}\}\) with \(W_i = v_{i,j}\). \(p\) edge nodes are set as blockchain nodes and act as attribute authorities that authorize the terminal devices.
Fig. 1 shows the system architecture and the data sharing process of our scheme:
1) DO starts the ciphertext storage contract and saves the ciphertext CT in the blockchain.
2) DU requests the ciphertext.
3) AA issues the corresponding attribute key \(SK_i\) for attribute \(i\) of DU. Note that \(SK_i\) is obtained after AA encrypts it with DU's RSA public key.
4) The attribute key \(SK_i\) is encrypted again by the blockchain system to generate \(DK_i\), which is then sent to DU.
5) DU encrypts \(SK_i\) once more and sends the outsourced decryption key \(TK_i\) to the blockchain system.
6) EN uses \(TK_i\) to execute the outsourced decryption contract, which partially decrypts CT and generates CT'.
7) CT' is sent to DU.
8) DU finishes the final decryption locally to get the plaintext data \(m\). Each DU has a unique GID, and the RSA algorithm is used to generate the public and private keys of DU.
Fig. 1. System architecture
The notations used in this paper are listed in Table 1.
Table 1. The notations used in this paper
4.2. Construction
The system contains the following algorithms:
(1) Global Setup(\(1^{\lambda}\))
We first input the security parameter \(\lambda\) and run the group generator \(\mathcal{G}(1^{\lambda})\) to obtain \((p, q, r, g_1, g_2, G_1, G_2, G_T, e)\), where \(g_1\) and \(g_2\) are generators of \(G_1\) and \(G_2\). We use composite-order bilinear groups \(G_1, G_2\) whose order is the product of three primes, \(N = pqr\). Select a random matrix \(A \in \mathbb{Z}_N^{(k+1) \times k}\) and a random matrix \(U \in \mathbb{Z}_N^{(k+1) \times (k+1)}\). \(H: \{0, 1\}^* \to G_2\) is a hash function that maps the global identity GID to \(G_2\), and \(e: G_1 \times G_2 \to G_T\) is a bilinear map. The global public parameter GP is
\(GP = \{g_1, g_2, g_1^{A}, g_1^{U^{T} A}, e(g_1, g_2)\}\) (3)
(2) Authority Setup(GP, \(AA_i\))
There are multiple AAs in the system, and each AA manages multiple attributes. The algorithm samples a random matrix \(W_i\), a vector \(\alpha_i\) and a random number \(\sigma_i \in \mathbb{Z}_N\), which the attribute authority stores as its secret key. The public key of \(AA_i\) is defined as follows:
\(PK_i = \{g_1^{W_i^{T} A}, e(g_1, g_2)^{\alpha_i^{T} A}, y_i = g_2^{\alpha_i}\}\) (4)
In addition to the GID, DU has its own RSA public key. The public key of DU is
\(PK_j = \{GID_j, c_j\}\) (5)
\(c_j\) is the RSA public key and \(r_j\) is the RSA private key, with \(c_j \cdot r_j \bmod N = 1\). \(c_j\) is exposed to everyone in the system, while \(r_j\) is saved locally by the user. In KeyGen(), AA generates the attribute key for DU and uses \(c_j\) to encrypt the attribute key.
(3) Encrypt(\(\{PK_i\}, \vec{x}, m\)) → CT
DO takes the public keys \(\{PK_i\}\) of the AAs, the access policy vector \(\vec{x}\) and the shared message \(m\) as input, and finally outputs the ciphertext CT. \(\vec{x} = (x_1, \ldots, x_n) \in \mathbb{Z}_N^{n}\) is the access policy vector, and a vector \(s \in \mathbb{Z}_N^{k}\) is randomly selected to calculate:
\(C_0 = g_1^{A s}\) (6)
\(C_i = g_1^{(x_i U^{T} + W_i^{T}) A s}\) (7)
\(\begin{aligned}C^{\prime}=m \cdot \prod_{i=1}^{n} e\left(g_{1}, g_{2}\right)^{\alpha^{T} A s}=m \cdot e\left(g_{1}, g_{2}\right)^{\alpha^{T} A s}\end{aligned}\) (8)
\(CT = \{C_0, \{C_i\}, C'\}\) (9)
where \(\alpha = \sum_{i=1}^{n} \alpha_i\).
(4) KeyGen(GID, \(PK_i\), \(SK_i\), \(\vec{v}\)) → \(DK_{i,GID,v}\)
\(AA_i\), the authority associated with attribute \(i\), takes its public key \(PK_i\), the GID of DU and the attribute vector \(\vec{v}\) of DU, and calculates
\(\begin{aligned}\mu_{i}=\sum_{j=1}^{i-1} H\left(y_{j}^{\sigma_{i}}, G I D, v\right)-\sum_{j=i+1}^{n} H\left(y_{j}^{\sigma_{i}}, G I D, v\right)\end{aligned}\) (10)
It is easy to check that
\(\sum_{i=1}^{n} \mu_i = 0\) (11)
We use \(k+1\) hash functions to generate \(g_2^{h}\), where \(h \in \mathbb{Z}_N^{k+1}\). We define
\(H(GID, v) = (H_1(GID, v), \ldots, H_{k+1}(GID, v))^{T} = g_2^{h}\) (12)
\(K_i = g_2^{\alpha_i - v_i W_i h + \mu_i}\) (13)
DU has its own RSA public key \(c_i\). AA uses DU's RSA public key to encrypt \(K_i\), and the algorithm outputs the key \(SK_{i,GID,v}\):
\(SK_{i,GID,v} = \{K_i^{c_i}, g_2^{h}\}\) (14)
\(SK_{i,GID,v}\) is first sent to the blockchain system, and the blockchain node encrypts \(SK_{i,GID,v}\) again for subsequent attribute revocation. All nodes maintain a table in which the attribute keys corresponding to each GID are recorded: attribute \(i\) of GID corresponds to a key \(d_{GID,i}\), which is secretly stored by the blockchain nodes. The blockchain system sends the encrypted key \(SK'_{i,GID,v}\) to the user:
\(SK'_{i,GID,v} = \{K_i^{c_i} \cdot g_2^{d_i}, g_2^{h \cdot d_i}\}\) (15)
After the user gets \(SK'_{i,GID,v}\) and decrypts it with his own RSA private key \(r_i\), DU obtains \(DK_{i,GID,v}\):
\(DK_{i,GID,v} = \{K_i \cdot g_2^{d_{GID,i}}, g_2^{h \cdot d_{GID,i}}\}\) (16)
\(DK_{i,GID,v}\) is the attribute key associated with attribute \(i\) that the user obtains. The essence of attribute revocation is to change the user's attribute key. If the blockchain system did not encrypt the key at this point, the attribute key obtained by DU would be kept by the user forever and could not be changed, so attribute revocation could not be completed. What is stored in the blockchain is \(SK'_{i,GID,v}\), encrypted under DU's RSA public key, not the true attribute key.
(5) OutKeyGen(\(z, \{DK_{i,GID,v}\}\)) → \(TK_i\)
The OutKeyGen algorithm is executed by the user and generates the transformation key \(TK_i\). DU selects a random value \(z \in \mathbb{Z}_N\) and calculates
\(TK_i = \{K_i^{z} \cdot g_2^{z d_{GID,i}},\ g_2^{z h d_{GID,i}}\ \ \forall i\}\) (17)
\(TK_i\) is recorded on the blockchain. Decryption requires obtaining both \(d_{GID,i}\) and \(z\).
(6) Transform(GP, TK, CT) → CT'
The Transform algorithm is executed by blockchain nodes through smart contracts. CT is encrypted under the access matrix \((A, \rho)\). If DU has secret keys \(\{K_{\rho(x)}, GID\}\) for a subset of rows \(A_x\) of \(A\) such that \((1, 0, \ldots, 0)\) lies within the span of these rows, the transformation proceeds as follows:
\(\begin{aligned}\begin{array}{l}e\left(C_{0}, \prod_{i=1}^{n} K_{i}\right) \cdot e\left(\prod_{i=1}^{n} C_{i}^{v_{i}}, H(G I D, v)\right) \\ =e\left(g_{1}^{A s}, g_{2}{ }^{z \cdot \sum_{i=1}^{n} \alpha_{i}-v_{i} W_{i} h+\mu_{i}+d_{G I D, i}}\right) \cdot e\left(g_{1}^{\sum_{i=1}^{n} v_{i}\left(x_{i} U^{T}+W_{i}^{T}\right) A s}, g_{2}^{z h \cdot d_{G I D, i}}\right) \\ =e\left(g_{1}, g_{2}\right)^{\alpha^{T} A s z \sum_{i=1}^{n} d_{i}-A s z \cdot \sum_{i=1}^{n} v_{i} h^{T} W_{i}^{T}+d_{G I D, i}} \cdot e\left(g_{1}, g_{2}\right)^{<x, v>h^{T} U^{T} A s z \sum_{i=1}^{n} d_{i}+A s z \cdot \sum_{i=1}^{n} v_{i} h^{T} W_{i}^{T}+d_{G I D, i}} \\ =e\left(g_{1}, g_{2}\right)^{\alpha^{T} A s z \sum_{i=1}^{n} d_{G I D, i}} \cdot e\left(g_{1}, g_{2}\right)^{<x, v>h^{T} U^{T} A s z \sum_{i=1}^{n} d_{G I D, i}} \\ =C T^{\prime}\end{array}\end{aligned}\) (18)
If the attributes satisfy the policy, \(\langle x, v \rangle = 0\), then
\(CT' = e(g_1, g_2)^{\alpha^{T} A s z \sum_{i=1}^{n} d_{GID,i}}\) (19)
The ENs on the blockchain further compute \(\sum_{i=1}^{n} d_i\) from the locally saved \(d_i\), and from CT' obtain \(e(g_1, g_2)^{\alpha^{T} A s z}\). The decryption result is sent to DU offline. In this step, the outsourced decryption realized by the smart contract consumes the most computing resources in the whole attribute-based encryption process.
(7) OutDecrypt(CT, CT', \(z\)) → \(\{m, \bot\}\)
The OutDecrypt algorithm is run by DU. DU calculates:
\(\begin{aligned}\frac{C^{\prime}}{C T^{\prime}}=\frac{m \cdot e\left(g_{1}, g_{2}\right)^{\alpha^{T} A s z}}{e\left(g_{1}, g_{2}\right)^{\alpha^{T} A s z}}=m\end{aligned}\) (20)
In this step DU decrypts to obtain the original data \(m\), which requires very little computation.
4.3. Smart Contracts
Every blockchain node executing a smart contract has the same input and executes the same code, so it also produces the same output. Our scheme mainly includes three smart contracts: the storage contract, the outsourced decryption contract and the attribute revocation contract. The characteristics of smart contracts ensure that the processes of storage, outsourced decryption and attribute revocation are open, transparent and verifiable. The functions of these three contracts are described below.
1) Storage contract
DO puts the encrypted data on chain through the storage contract: it inputs the ciphertext CT and a Signature, and the on-chain content is \(Tx_{storage} = \{CT, CheckCode, Signature\}\). \(Tx_{storage}\) consists of three parts: CT is the ciphertext, CheckCode is the hash of the plaintext \(m\), and Signature is the digital signature that DO generates over the ciphertext with its private key. CheckCode = H(CT); therefore any DU can use CheckCode to verify the integrity of the shared ciphertext. Assume that DO has an RSA private key \(r\) and a public key \(c\). Signature proves that CT was indeed sent by DO: Signature = H(CT) · \(r\). When verifying the signature, the blockchain node only needs to calculate L = Signature · \(c\) mod N. If L = CheckCode, the signature verification is successful.
2) Outsourcing decryption contract
Triggered by DU: DU inputs CT, GID and its own transformation key \(TK\), and finally obtains the proxy decryption result. Blockchain nodes carry out the proxy decryption through the smart contract, making the proxy decryption process open and transparent and ensuring the correctness of the decryption result.
3) Attribute revocation contract
The attribute revocation contract takes as input the GID, the attribute \(i\) to be revoked, and \(S_{AA}\), the attribute set corresponding to attribute authority AA. Finally, all blockchain nodes delete the locally saved key \(d_{GID,i}\) corresponding to attribute \(i\) of the GID. In this way, the blockchain can no longer perform outsourced decryption for that attribute, and the user cannot decrypt the data with the local key alone. Thus, the effect of revoking the user's attribute is achieved.
Smart contracts perform the operations of ciphertext storage, outsourced decryption and attribute revocation, making these processes open and transparent and giving full play to the security and reliability of the blockchain.
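The storage contract's integrity and authenticity checks, as an added example that is not the paper's code. It reads the paper's "H(CT) · r" and "Signature · c mod N" as textbook-RSA exponentiation (Signature = H(CT)^r mod N, L = Signature^c mod N), uses constructed small primes for the demo RSA key, and stands in for the ABE ciphertext CT with a constructed byte string; all of these are assumptions made for the example.

```python
"""Storage-contract verification (Section 4.3), added example, not the paper's code.

Tx_storage = {CT, CheckCode, Signature} with CheckCode = H(CT). The node recomputes
CheckCode from the stored CT (integrity) and checks Signature^c mod N == CheckCode
(authenticity under DO's public key c). The dot in the paper's H(CT)·r and
Signature·c is read here as RSA modular exponentiation.
"""
import hashlib

# Constructed demo key: N = p*q with p, q chosen here only for illustration.
P, Q = 1000003, 1000033
N = P * Q
C_PUB = 65537                       # c: DO's RSA public exponent
PHI = (P - 1) * (Q - 1)

def modinv(a, m):
    """Modular inverse via extended Euclid: returns s with a*s = 1 (mod m)."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("no inverse")
    return s0 % m

R_PRIV = modinv(C_PUB, PHI)         # r: DO's RSA private exponent, c*r = 1 mod phi(N)

def check_code(ct: bytes) -> int:
    """CheckCode = H(CT), reduced mod N so it lies in the RSA domain."""
    return int.from_bytes(hashlib.sha256(ct).digest(), "big") % N

def sign(ct: bytes, r: int = R_PRIV) -> int:
    """DO's Signature = H(CT)^r mod N (the paper's H(CT)·r)."""
    return pow(check_code(ct), r, N)

def make_tx_storage(ct: bytes) -> dict:
    """What DO submits to the storage contract."""
    return {"CT": ct, "CheckCode": check_code(ct), "Signature": sign(ct)}

def verify_tx_storage(tx: dict, c: int = C_PUB) -> bool:
    """Node-side check: CheckCode must match the stored CT, and L = Signature^c mod N
    must equal CheckCode. Either mismatch rejects the transaction."""
    if check_code(tx["CT"]) != tx["CheckCode"]:
        return False                # stored CT was altered, or CheckCode is wrong
    l_val = pow(tx["Signature"], c, N)
    return l_val == tx["CheckCode"] # signature was produced with DO's private exponent

# Constructed stand-in for the ABE ciphertext tuple {C0, {Ci}, C'}.
SAMPLE_CT = b"CT:C0|C1|C2|Cprime-constructed-sample"
```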
4.4. Security Analysis
a. Prevent collusive attacks
In order to prevent users with different attribute keys from pooling their keys to launch a collusion attack, AA in our scheme embeds the user's GID into the user's attribute key when generating it, so that each attribute key of the user is bound to its globally unique GID. As a result, users cannot combine their attribute keys to decrypt a ciphertext. The decryption procedure must recover the blinding factor \(s\) in \(e(g_1, g_2)^{s}\) by pairing the key of the attribute-identity pair \((i, GID)\) with the ciphertext element [14].
b. Attribute key abuse problem
1) AA
When the edge server works with the outsourced decryption key, it can obtain only partially decrypted data, not the plaintext. Multi-authority attribute authorization ensures that the complete attribute key of a user is generated by multiple AAs together, instead of a single AA controlling the attribute keys of all users. This also mitigates the single point of failure and key abuse problems of attribute authorization to a certain extent.
2) Blockchain node
In this paper, AA generates the attribute key and encrypts it with the user's RSA public key to get \(SK_{i,GID,v}\). The blockchain node receives it and encrypts the attribute key again with \(d_{GID,i}\) to get \(SK'_{i,GID,v}\). Since the blockchain node only holds the key encrypted by the AAs under DU's RSA public key, it cannot decrypt the ciphertext unless the key is decrypted with the user's private key. DU obtains the key \(SK'_{i,GID,v}\) after the blockchain encryption, encrypts it once more to get the proxy decryption key \(TK_i\), and sends it to the blockchain system. To decrypt, the user must go through the blockchain system as a proxy, so the blockchain system can revoke the user's corresponding \(d_{GID,i}\); the outsourced decryption process can then no longer compute \(\sum_{i=1}^{n} d_i\), which achieves attribute revocation. Revocation of an attribute key is done through smart contracts, which means every attribute revocation is approved by all nodes of the blockchain, so in this system no one can revoke a user's attribute at will.
c. Privacy protection
Since the GID is included in the generation of the attribute key \(SK_i\), when the blockchain node encrypts \(SK_i\) it does not know which attribute corresponds to the user. Therefore, the attribute privacy of the data user is protected. AAs generate attribute keys for DU, but the attribute key set \(\{SK_i\}\) of a DU does not necessarily come from the same AA, so a single AA usually cannot learn all the attribute information of the user. Compared with schemes using a single AA, our scheme provides better privacy.
d. Indistinguishability
Theorem 1: The CP-ABE scheme in Waters [18] satisfies selective CPA security, so our scheme is also selectively CPA-secure.
We define a security game between an adversary A and a challenger C, named \(Exp^{ind}\). A attempts to distinguish two randomly generated encrypted messages without sufficient attribute keys. The \(Exp^{ind}\) security game is defined as follows:
Initialisation – A chooses a challenge access policy \(\Psi^* = (A^*, \rho^*)\) and sends it to C.
Setup – A and C both run the Global Setup algorithm to generate the global public parameters and get their public and private keys.
Queries phase 1 – A queries attribute keys which do not satisfy the access policy.
Challenge – A sends two plaintexts \(M_0\) and \(M_1\) to C. C chooses a random bit \(b \in \{0, 1\}\), encrypts \(M_b\) under \(\Psi^* = (A^*, \rho^*)\), and sends the result \(E_b\) to A.
Queries phase 2 – A can request further queries as in Queries phase 1.
Guess – A tries to guess which message \(M_{b'}\), where \(b' \in \{0, 1\}\), corresponds to the challenge ciphertext \(E_b\). The advantage of the adversary in winning the game is:
\(\begin{aligned}A d v_{A}\left[\operatorname{Exp}^{\operatorname{Conf}}\left(1^{\xi}\right)\right]=\left|\operatorname{Pr}\left[b=b^{\prime}\right]-\frac{1}{2}\right|\end{aligned}\) (21)
Definition 1. Our scheme is CPA-secure if \(Adv_A[\operatorname{Exp}^{Conf}(1^{\xi})]\) is negligible for all probabilistic polynomial-time adversaries.
Proof: We define an adversary A running the \(Exp^{ind}\) security game with B, who is running Lewko et al.'s [19] CPA-security game with a challenger C. The interaction among A, B and C is described below:
Initialisation – A gives B a challenge access policy \(\Psi^* = (A^*, \rho^*)\).
Setup – B runs the Global Setup algorithm to generate the global public parameters GP, defined as
\(GP = \{g_1, g_2, g_1^{A}, g_1^{U^{T} A}, e(g_1, g_2)\}\) (22)
B asks C to execute the Authority Setup algorithm to generate the public key
\(PK_i = \{g_1^{W_i^{T} A}, e(g_1, g_2)^{\alpha_i^{T} A}, y_i = g_2^{\sigma_i}\}\).
Queries phase 1 – A issues a key query by submitting a set of attributes \(S_j\) and his GID. Then B calls C to generate and return \(SK'_{i,GID,v} = \{K_i^{c_i} \cdot g_2^{d_i}, g_2^{h \cdot d_i}\}\) to A.
Challenge – A sends \(\{M_0, M_1\} \in G_T\) to B. B chooses a bit \(b \in \{0, 1\}\) and sends \(M_b\) to C. C selects a random bit \(b \in \{0, 1\}\) and encrypts a message \(M_b \in \{M_0, M_1\}\) as the challenge ciphertext \(ED_b\). The challenger computes the challenge ciphertext as follows:
\(\begin{aligned}C_{0}=g_{1}^{A s}, C_{i}=g_{1}^{\left(x_{i} U^{T}+W_{i}^{T}\right) A s}, C^{\prime}=m \cdot \prod_{i=1}^{n} e\left(g_{1}, g_{2}\right)^{\alpha^{T} A s}=M_{b} \cdot e\left(g_{1}, g_{2}\right)^{\alpha^{T} A s}\end{aligned}\) (23)
Then C sends the generated ciphertext \(ED_b\) to A.
Queries phase 2 – A continues to request queries and B answers as in Queries phase 1.
Guess – A chooses a bit \(b'\). Then B sends \(b'\) to C as its guess about \(b\). A guesses the challenge ciphertext \(ED_b\) by trying one of the two plaintext messages \(M_0\) and \(M_1\). Hence, A tries to distinguish between \(C_0^{1} = M_1 e(g_1, g_2)^{s}\) and \(C_0^{2} = M_2 e(g_1, g_2)^{s}\).
The \(Exp^{ind}\) game has a smaller probability of being broken than the Lewko game, because B must win its game for A to get the correct \(ED_b\) value and attempt to guess B's bit; hence \(\Pr[Exp^{Lewko}_A(1^{\zeta})] \ge \Pr[Exp^{conf\text{-}real}_A(1^{\zeta})]\), and the advantage of A is negligible. Therefore, our scheme satisfies indistinguishability.
5. Comparisons and Performance Analysis
Table 2 shows how our scheme compares with other schemes. The scheme in [15] has verifiable outsourced decryption, but it lacks privacy protection for attributes or policies and has no attribute revocation, which makes it inconvenient to manage user attributes. The multiplicative homomorphic ElGamal cryptosystem is used in [11] to ensure attribute privacy in the authorization verification process. This scheme has high security and privacy, but the decryption is performed by the user. As the decryption process requires complex calculations, it is not appropriate for scenarios with a great number of terminal devices, and the scheme has no attribute revocation procedure. The scheme in [10] combines attribute-based encryption and blockchain technology for data sharing, outsources attribute decryption, has privacy protection and verifiability, and has excellent performance. However, this scheme lacks an attribute revocation procedure. When applied to the edge computing scenario, our scheme provides multi-authority attribute authorization, outsourced decryption, verifiability, attribute privacy protection, attribute revocation and other properties, which is a clear advantage over the other schemes. The multi-authority design gives the system high scalability. Outsourced decryption makes the scheme applicable to scenarios involving resource-constrained devices. Verifiability is a natural feature of blockchain, and our scheme also protects the user's attribute privacy.
Table 2. Comparison with other schemes
The experimental environment of this paper uses the Ubuntu 20.04 system, Python 3.7, and an Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz. In terms of performance, Fig. 2 shows that the most time-consuming process is decryption. When the number of attributes is 10, the decryption time is about 100ms; when the number of attributes reaches 50, the decryption time is about 2500ms, with exponential growth. However, mass terminal devices are usually limited in computing power, storage capacity and other resources, and it is difficult for them to perform this decryption. As long as security and privacy are guaranteed, outsourcing the decryption process requiring complex calculations to edge servers with relatively rich computing resources is a good solution. Therefore, outsourced decryption is very suitable for edge computing scenarios, and the blockchain-based attribute revocation mechanism in this paper can flexibly manage the attributes of end users.
Fig. 2. Latency of our scheme
Due to the natural verifiability of the blockchain, our scheme does not need to attach verification marks to the ciphertext as the scheme in [15] does. It can be seen from Fig. 3 that, for the same number of attributes, the ciphertext in our scheme occupies less space, and the gap between the occupied spaces widens as the number of attributes increases.
Fig. 3. Comparison of the space occupied by CT
6. Conclusion
This paper studies a data access control scheme based on CP-ABE in edge computing. Our scheme has the characteristics of outsourced decryption, verifiability and protection of attribute privacy, which makes it more suitable for edge computing scenarios with many resource-limited devices, and it proposes a user attribute revocation scheme based on blockchain. After attribute revocation, users can no longer decrypt the related ciphertext, so users' access permissions can be controlled at a fine-grained level. In future research, we will consider the efficiency problem. While blockchain brings security and privacy to various fields, it also has some efficiency problems, which are mainly caused by the consensus algorithm adopted by the blockchain system. Different consensus algorithms may introduce different system delays, and the end-user experience will also depend on the performance of the blockchain system. Therefore, efficient consensus algorithms for blockchain-based edge computing will be a meaningful topic for our future research.
References
- Guan Y, Guo S, Li P, et al., "Secure and Verifiable Data Access Control Scheme With Policy Update and Computation Outsourcing for Edge Computing," in Proc. of 2020 IEEE 26th International Conference on Parallel and Distributed Systems (ICPADS), IEEE, 398-405, 2020.
- Zhou Jun, Shen Huajie, Lin Zhongyun, Cao Zhenfu, Dong Xiaolei, "Research Advances on Privacy Preserving in Edge Computing," Journal of Computer Research and Development, 57(10), 2027-2051, 2020.
- Zhang Jie, Xu Shanshan, Yuan Lingyun, "Internet of things access control model based on blockchain and edge computing," Journal of Computer Applications, 42(07), 2104-2111, 2022.
- Yang R, Yu F R, Si P, et al., "Integrated Blockchain and Edge Computing Systems: A Survey, Some Research Issues and Challenges," IEEE Communications Surveys & Tutorials, 21(2), 1508-1532, 2019. https://doi.org/10.1109/COMST.2019.2894727
- Zhang Xiaodong, Chen Taowei, Yu Yimin, Duan Zhengtai, Gao Jian, "Model of block-chain data sharing based on ABE," Application Research of Computers, 2021(08), 2278-2283, 2021.
- Sahai A, Waters B, "Fuzzy identity-based encryption," in Proc. of Annual international conference on the theory and applications of cryptographic techniques, 457-473, 2005.
- Goyal V, Pandey O, Sahai A, et al., "Attribute-based encryption for fine-grained access control of encrypted data," in Proc. of the 13th ACM conference on Computer and communications security, 89-98, 2006.
- Bethencourt J, Sahai A, Waters B, "Ciphertext-policy attribute-based encryption," in Proc. of 2007 IEEE symposium on security and privacy (SP'07), IEEE, 321-334, 2007.
- Zhen Y, Liu H, "Distributed privacy protection strategy for MEC enhanced wireless body area networks," Digital Communications and Networks, 6(2), 229-237, 2020. https://doi.org/10.1016/j.dcan.2019.08.007
- Zhang Z, Ren X, "Data security sharing method based on CP-ABE and blockchain," Journal of Intelligent & Fuzzy Systems, 40(2), 2193-2203, 2021. https://doi.org/10.3233/JIFS-189318
- Gao S, Piao G, Zhu J, et al., "Trustaccess: A trustworthy secure ciphertext-policy and attribute hiding access control scheme based on blockchain," IEEE Transactions on Vehicular Technology, 69(6), 5784-579, 2020.
- Fu X, Nie X, Wu T, et al., "Large universe attribute based access control with efficient decryption in cloud storage system," Journal of Systems and Software, 135, 157-164, 2018. https://doi.org/10.1016/j.jss.2017.10.020
- Green M, Hohenberger S, Waters B, "Outsourcing the Decryption of ABE Ciphertexts," in Proc. of 20th USENIX Security Symposium (USENIX Security 11), 2011.
- Lai J, Deng R H, Li Y, "Fully secure cipertext-policy hiding CP-ABE," in Proc. of Information Security Practice and Experience: 7th International Conference, ISPEC 2011, Guangzhou, China, 24-39, 2011.
- Lai J, Deng R H, Guan C, Weng J, "Attribute-Based Encryption With Verifiable Outsourced Decryption," IEEE Transactions on Information Forensics and Security, 8(8), 1343-1354, 2013. https://doi.org/10.1109/TIFS.2013.2271848
- Ge C, Susilo W, Baek J, et al., "Revocable attribute-based encryption with data integrity in clouds," IEEE Transactions on Dependable and Secure Computing, 19(5), 2864-2872, 2022. https://doi.org/10.1109/TDSC.2021.3065999
- Peng Hongyan, Ling Jiao, Qin Shaohua, Deng Jianfeng, "Attribute-Based Encryption Scheme for Edge Computing," Computer Engineering, 2021(1), 37-43, 2021.
- Waters B, "Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization," in Proc. of Public Key Cryptography-PKC 2011: 14th International Conference on Practice and Theory in Public Key Cryptography, Taormina, Italy, 53-70, 2011.
- Lewko A, Waters B, "Decentralizing attribute-based encryption," in Proc. of Advances in Cryptology-EUROCRYPT 2011, 568-588, 2011.