Efficient Multi-Authority Attribute-Based Searchable Encryption Scheme with Blockchain Assistance for Cloud-Edge Coordination

1  Introduction

The widespread use of the Internet of Things (IoT) and 5G have led to a surge in the number of network edge devices, resulting in a rapid growth in edge data [1,2]. The centralized data processing approach based on cloud computing is facing challenges in efficiently processing the vast amount of data generated by edge devices. Edge computing has emerged as a promising solution to the challenges faced by traditional cloud computing in processing the massive amounts of data generated by IoT devices. The fundamental concept of edge computing is to perform computing tasks close to the data source, which reduces network transmission bandwidth and response delay compared to traditional cloud computing [3]. However, the untrusted or partially trusted nature of cloud service providers (CSP) and edge nodes (ENs) poses a significant risk to the privacy of sensitive data. Tampering and abusing data by these entities can leak user privacy information [3–5]. Although symmetric encryption can be used by the data owner (DO) to maintain data confidentiality, the use of encryption prevents the ability to perform plaintext keyword retrieval. It creates challenges for fine-grained access control and data sharing.

To mitigate the potential risks of private data leakage, it is crucial to prioritize both data confidentiality and accessibility for effective access control. While symmetric encryption can provide data confidentiality, it makes information on encrypted data difficult to retrieve. Identity-based encryption (IBE) and attribute-based encryption (ABE) provide distinct access control mechanisms, with IBE offering coarse-grained access control and ABE providing fine-grained access control capabilities [6,7]. It is critical in practice to have an effective keyword search and to have fine-grained access control over encrypted data. The technique of searchable encryption (SE) enables data users (DUs) to conduct searches on ciphertext data using specific keywords [8]. To provide even more precise access control, the gradually popular solution in both industrial and academic domains is ciphertext-policy attribute-based searchable encryption (CP-ABSE) with flexible access control policies [9,10]. The high computational and storage requirements of CP-ABSE prevent its deployment on resources-constrained IoT devices, despite its promise as a SE scheme for fine-grained access control. Therefore, the lightweight CP-ABSE scheme is a prerequisite for its implementation on resource-constrained terminal devices. Additionally, many existing CP-ABSE schemes [9–13] that employ single-attribute authorization for attribute management and key distribution may encounter challenges in efficiently and securely handling attributes from a vast network of interconnected IoT devices and are prone to single-point failures and central corruption. Furthermore, trust in CSP is often weakened due to the risk of malicious access to data and tampering with query results. In contrast, blockchain technology provides a safer and more trustworthy option [14]. As a decentralized ledger with multi-party consensus and a chain structure, blockchain offers an unparalleled guarantee of data integrity and trustworthiness compared to centralized systems.

This paper proposes an efficient multi-authority attribute-based searchable encryption scheme with blockchain assistance (BEM-ABSE) for cloud-edge collaboration. This BEM-ABSE scheme aims to provide secure and reliable searching while protecting privacy through blockchain, ciphertext searching, and ABE. To address the efficiency limitations and security vulnerabilities associated with Certificate Authorities (CAs), the BEM-ABSE scheme employs a consortium blockchain, enabling multiple attribute authorities to autonomously manage user attributes and key assignments. Furthermore, this scheme facilitates online/offline hybrid encryption and edge-assisted verifiable decryption, effectively minimizing the computational overhead involved in encryption and decryption operations. The main contributions of the scheme are as follows:

(1) Taking advantage of multi-authority ABE and blockchain, this paper proposes a searchable encryption scheme with fine-grained access control for cloud-edge collaboration. BEM-ABSE supports ciphertext keyword search based on smart contracts, online/offline hybrid encryption, and edge-assisted verifiable outsourcing decryption. This paper also proves this scheme can resist IND-CPA and IND-CKA under the random oracle model.

(2) Consortium blockchain is designed to replace the trusted CA in the traditional CP-ABSE scheme, allowing for the generation of global public parameters and the execution of ciphertext searches. The dependence on single-centre authorization is broken, and the reliability of ciphertext searches is improved.

(3) An online/offline hybrid encryption mechanism is utilized to reduce the time overhead during the encryption phase by performing pre-encryption computation and generating intermediate ciphertext. The decryption tasks are offloaded to ENs, effectively decreasing the computational burden of decryption for resource-constrained IoT devices.

The remainder of this paper is organized as follows. Section 2 provides a review of the related work. Section 3 demonstrates the background knowledge in the understanding of the BEM-ABSE. In Section 4, Formalize the system and security model. Then, the formal construction of the BEM-ABSE scheme is presented in Section 5. In Section 6 and 7, separate analyses of safety and performance are presented. Finally, The work of this paper is concluded in Section 8.

2  Related Work

2.1 Search Encryption

SE enables search on encrypted data using specified keywords, while ABSE provides detailed permissions control for data ciphertext retrieval, with significant research having been conducted in this field. Searchable symmetric encryption was first proposed by Song et al. [8] in 2000. However, using a single shared key for encryption and decryption in symmetric cryptography makes it impractical for complex multi-user applications. ABSE provides a flexible way to execute access control policies, ensuring that only users with the required policy attributes can access data. This one-to-many access control model enables secure and convenient data sharing. To reduce the computational overhead during the search process, Zheng et al. [9] proposed an ABSE scheme with verifiable results, which uses verifiable attribute-based encryption, but it also has some drawbacks, such as requiring a secure channel and high costs. Huang et al. [15] introduced a rapid and privacy-preserving attribute-based keyword search system designed for cloud document services. This system exhibits improved stability and efficiency during the search phase, but it does entail additional computational costs in other phases. Zhang et al. [16] designed a distributed and scalable, searchable encryption access control scheme that utilizes cloud services to achieve lightweight decryption processes, resulting in lower computational complexity and improving security against selected keyword attacks and selected plaintext attacks, but not suitable for resource-constrained devices due to high encryption time overhead. Considering the limitations of resource-constrained devices, Miao et al. [17] proposed a constant-sized trapdoor-based online/offline SE for cloud-assisted industrial IoT, where the overall encryption burden on DO is still heavy, but the cost of generating DU's trapdoor is reduced through an elegant technique. Zhou et al. [18] proposed a general searchable encryption scheme for cloud-assisted industrial IoT systems, with the lightweight generation of both index and query trapdoors. Liu et al. [5] proposed an efficient ABSE scheme for cloud-edge collaborative computing, reducing the computational cost of resource-constrained terminals by allowing EN to simultaneously perform text-based search and pre-decryption algorithms and save keyword indexes.

However, these schemes risk privacy data leakage as the CSP and ENs are either untrusted or semi-trusted. The combination of searchable public key encryption with blockchain technology is gaining popularity among scholars to enhance ciphertext security. This approach benefits from blockchain technology's decentralized, transparent, traceable and tamper-proof characteristics. Yang et al. [19] presented a scheme allowing encrypted file upload to the cloud while placing the encrypted index on the blockchain. This scheme ensures the encrypted index is tamper-proof, integrity, and traceability and enables users to obtain accurate search results without needing third-party verification. However, these schemes have limitations, such as scalability difficulties, security and performance bottlenecks, and the potential for excessive permissions, as they rely on a single authorization center. Niu et al. [20] proposed a policy hide and verifiable blockchain-assisted ABSE scheme. This scheme stores the index is stored on the blockchain, and searches are performed using smart contracts, which reduces the computational load on the service. With the growth of the Internet of Things and the widespread adoption of 5G wireless networks, the cloud-edge collaborative data-sharing model has become more prevalent, and the number of IoT devices requiring authorization has increased significantly. However, relying on a single authorization center can result in significant losses if it crashes or is compromised.

2.2 Multi-Authority Attribute-Based Encryption

There are significant security risks in the current ABE schemes, as they rely on one attribute authority to manage attributes and keys. This authority may be able to decrypt any ciphertext within its control. To address this issue, researchers have proposed a variety of multi-authority ABE schemes (MA-ABE). The MA-ABE scheme was first proposed by Chase [21], but managing attribute authorities requires a trusted certificate authority, which may prove costly and have backward security challenges. Subsequently, Lewko et al. [22] proposed a distributed multi-authority ABE where attribute authorities are solely responsible for creating initial public parameters. The scheme utilizes a linear secret sharing scheme (LSSS) matrix to represent access policies, offering greater expressive capabilities compared to AND gates. However, the scheme lacks post-quantum security assurance. Tu et al. [23] suggested using attribute-group keys for large attribute domains in distributed computing systems using fog computing. To improve user privacy and security, Guo et al. [24] developed an encrypted data access control solution that utilizes smart contracts to define interactions between DOs, users and attribute authorities. However, DOs using symmetric encryption for data encryption can lead to heavy key management overhead. Qin et al. [25] utilized a consortium blockchain to establish trust bridges between attribute authorities and designed an MA-ABE based on blockchain. However, the existence of certificate authorities raises concerns about potential single-point failures. According to Xiao et al. [26], their blockchain-based MA-ABE scheme incorporates flexible attribute revocation; It can be applied to data publishing services and payment platforms for Dos. To manage dynamic users and improve search result credibility, Yu et al. [27] proposed an efficient multi-authority SE scheme using blockchain technology for keyword-based search and dynamic user management. Multiple-cloud block storage technology was used by Wu et al. [28] to address the problems with unstable cloud servers and to guard against malicious actions, including the leakage of private information, tampering with ciphertext, and malicious deletion of ciphertext. The security of keyword indexes and the impartiality of search results are guaranteed by the blockchain's immutability. Utilizing online/offline encryption and outsourced decryption processes, Xu et al. [29] distributed ABSE approach with shared keyword search was suggested. Although the key delegation problem is resolved inside a single authority, the approach has a somewhat high total computation cost.

While these schemes address the attribute and key management issue a single authority brings, current multi-authority systems still face some challenges. Some schemes rely on a central authority for management [30], generating complete private keys through the CA to avoid single-point of failure of attribute authorities. However, this approach also involves high trust costs for the CA. Additionally, there is over-reliance on the cloud service when users send encryption requests to the cloud. The CSP usually performs encryption search and pre-decryption processes [31], meaning they can arbitrarily modify the search results or encryption data.

3  Preliminaries

3.1 Bilinear Maps

Assume that G and GT are multiplicative cyclic groups, where the group order is p, and the generator is g. The properties described below apply to the bilinear group mapping: e:G×G→GT:

(1)   Biplanarity: e(ua,vb)=e(u,v)ab, ∀u,v∈G and a,b∈Zp;

(2)   Nondegeneracy: e(g,g)≠1;

(3)   Computability: an efficient algorithm exists to calculate e(u,v), ∀u,v∈G;

3.2 Access Structure

Definition 1 (access structure): Given that there are n participants 𝒫={P1,P2,⋯,Pn}. A collection A⊆2{P1,P2,⋯,Pn} considered monotonic when the following conditions are satisfied: ∀B,C: if C∈A holds on condition that B⊆C. A monotonic access structure is defined as a collection A containing non-empty subsets {P1,P2,⋯,Pn}. Authorized collections are those within the collection A, while unauthorized collections refer to the remaining subsets.

3.3 Pedersen (t, n) Secret Sharing Algorithm

Each participant is both a distributor and a participant in the Pedersen (t, n) [27]. Given that there are n participants p=(p1,p2,⋯,pn) and distribute the respective sub-secret Si using the Shamir secret-sharing algorithm. The specific design of the algorithm is outlined as follows.

(1) Generating the master secret S: Each distributor (participant) pi randomly selects their respective sub-secret Si. The master secret of the whole scheme is defined as S=∑i=1nSi.

(2) Producing the sub-share value si,j: pi chooses a t-1th degree polynomial fi(x) satisfying Si=fi(0) and calculates si,j=fi(xj)j∈[1,n] for each pi. Then, pi sends the sub-share si,j to the associated participant pi and keeps si,i as part of the main share.

(3) Producing the master share si: Each pi calculates the respective si with the formula as si=∑j=1nsj,i, where si,j is the share held by participant pi itself. Note that pi just presents the master share si when reconstructing the secret as a sub-share of the reconstructed secret.

(4) Recovering the master secret: If any t participants can recover the master secret, it may be assumed that p1,p2,⋯,pt have the capacity to rebuild the S using the Lagrange interpolation formula and the specific algorithm is S=∑i=1tsi∑j=1,j≠ik−ji−j.

The Pedersen (t, n) algorithm achieves secure sharing of secrets among multiple participants without revealing any information about the secret without a trust center. Therefore, it is executed by blockchain nodes in the BEM-ABSE scheme to produce global parameters and accomplish ciphertext search.

3.4 Security Assumptions

Definition 2 (Bilinear Diffie-Hellman (BDH) assumption). Let (G,GT,g,e) as the bilinear mapping parameter and elements ga,gb,gc∈G, where a,b,c∈Zp are selected random, The BDH problem in (G,GT,g,e) is hard to compute the bilinear pairing e(g,g)abc∈GT from ga,gb,gc. The algorithm has the advantage ε in solving the BDH problem in the group G when the following inequation Eq. (1) holds. The BDH assumption is true as long as the algorithm 𝒜 is never able to solve the BDH issue satisfactorily by a non-negligible margin.

|Pr[𝒜(g,ga,gb,gc)=e(g,g)abc]|≥ε(1)

Definition 3 (Decisional q-parallel Bilinear Diffie-Hellman Exponent (BDHE) assumption). Let (G,GT,g,e) as the bilinear mapping parameter and a,s,b1,⋯,bq∈Zp as the random elements. Given:

y=[g,gs,ga,⋯,gaq,gaq+2,⋯,ga2q,∀1≤i≤qgsbi,ga/bi,⋯,gaq/bi,gaq+2/bi,⋯,ga2q/bi,∀1≤i,j≤q,i≠jgasbj,⋯,gaqsbj/bi](2)

Even though the adversary has a tuple y, the tuple e(g,g)aq+1s and a random element R∈GT can nonetheless be difficult to differentiate from one another.

|Pr[ℬ(y,T=e(g,g)aq+1s)=0]|−|Pr[ℬ(y,T=R)=0]|≥ε(3)

When the inequality Eq. (3) is satisfied, the algorithm demonstrates an advantage E in solving the q-BDHE problem. This implies that it is not possible for any algorithm to successfully solve the decisional q-BDHE problem with non-negligible advantage.

4  Scheme Design

4.1 System Architecture

The system architecture of the suggested strategy is displayed in Fig. 1. It comprises five entities: DO, EN, CSP, AAs, DU and BC. The BEM-ABSE scheme system model is depicted in Fig. 1, demonstrating the scheme's fundamental structure.

Figure 1: System architecture

1) DO. Any IoT device capable of generating data. DO sets access policies, encrypts files and keyword indexes, and uploads the encrypted data and keyword indexes over a wireless network to EN.

2) EN. ENs are located at the edge of the network and possess strong computing and storage capabilities. They are able to dutifully store the ciphertext in the CSP and embed the keyword index and ciphertext address into the keyword index storage transaction, which is then submitted to the blockchain. In addition, ENs assist DU in partially decrypting the ciphertext, but they cannot obtain any information during the decryption process.

3) CSP. CSP is responsible for providing storage services for the encrypted data uploaded by legitimate DO through EN. In addition, it allows EN to access the ciphertext data associated with search results.

4) AAs. The BEM-ABSE has a number of attribute authorities. Each AA manages multiple attributes in an attribute domain and generates user attribute keys based on its user attributes.

5) DU. DUs create search trapdoors using keywords of their interest and embed them into search transactions, which are then submitted to the blockchain for subsequent encrypted file searching. After receiving partially decrypted ciphertext associated with search results from the EN, DUs can fully decrypt the data using their identity private keys.

6) BC. BC consists of trusted nodes responsible for global parameter generation and user registration. Search smart contracts (SSC) and validation smart contracts (VSC) are deployed on the blockchain. SSC conducts encrypted file searching on the blockchain through search trapdoors submitted by users, while VSC verifies the integrity of the data associated with user search results.

EN serves as a crucial link between users and the cloud in the BEM-ABSE. DO encrypts and transmits a large amount of generated data to the cloud through EN, reducing the cost of local storage management. Moreover, in order to lessen the computing burden of the decryption process, the EN nearest to DU is in charge of partly decrypting the ciphertext. CSP is solely responsible for storing a large amount of encrypted data. A permission blockchain composed of pre-selected trusted nodes is accountable for storing encrypted indices, conducting ciphertext searches, and verifying decryption results to achieve secure and controllable encrypted retrieval.

4.2 Scheme Definition

The BEM-ABSE scheme includes the following nine algorithms. Assuming there are N attribute authorities {AA1,AA2,⋯,AAN} in the BEM-ABSE, a global property set S has a total of U attributes, and each AA manages a different set of attributes Si,i∈N.

(1)   Setup

1) GlobalSetup(1λ)→GP. The BC executes the algorithm. Given a security parameter λ, and then outputs the global parameters GP.

2) AuthoritySetup(GP,Si)→(PKi,SKi). Given the GP and Si, Each AAi runs the procedure to produce the public and private keys (PKi,SKi). Notice that the SKi is held by attribute authority.

(2)   Key Generation

1) IdKeyGen(GP,uid)→(uskuid,upkuid). Given the user identification uid and GP, the legitimate user conducts the algorithm to output its secret key uskuid and public upkuid. Notice that the uskuid is held by the user and send upkuid to BC for registration.

2) SKGen(GP,uid,Suid,SKi,PKi)→SKi,uid. Given the GP, uid, user attribute set Suid, PKi and SKi. Each associated AAi executes this algorithm to generate the decryption key SKi,uid and sends it to DU to construct the user transform key TKuid.

(3)   Encryption

1) Offline.Enc(GP,PKi)→IC. This phase is performed by the DO's more computationally capable devices. It takes the GP and PKi as input and outputs intermediate ciphertext IC. Note that this part of the operation is calculated only once when the set of attributes of DO remains unchanged.

2) Online.Enc(GP,IC,PKi,(Ml×n,ρ),F,𝒲)→(CT,Iw). Given access policy (Ml×n,ρ), original data F, keyword set 𝒲 and GP, IC, PKi. It generates a set Iw of keyword indexes and ciphertext CT.

(4)   Trapdoor Generation

TrapGen(GP,w′)→Tw′. Given GP and an interesting keyword w′. DU executes the algorithm to generate trapdoor Tw′ related to the w′.

(5)   Search

Search(Tw′,Iw)→CT/⊥. Taking Tw′ and Iw as inputs, SSC runs a search algorithm to search for the file that matches the trapdoor Tw′ with the index Iw. Afterward, the address in ciphertext linked with the search results is sent to DU by SSC.

(6)   Decryption

1) EN.Dec(CT,GP,SKi,u)→CT′. When receiving the CT obtained from CSP using the ciphertext address from DU, take as input GP and transformation key TKuid of the user uid, the EN generation the partial decrypt ciphertext CT′ for DU.

2) User.Dec(CT′,uskuid,VKF)→F/⊥. After gaining the CT′ from the EN, DU decrypts the CT′ using its uskuid to obtain the symmetric key, thus recovering the data file CF.

4.3 Security Model

The security of BEM-ABSE is based on the BDH assumption and q-BDHE assumption. This paper design two security games to demonstrate that the BEM-ABSE system is secure in the IND-CKA and IND-CPA models.

(1)   IND-CKA mode.

The BEM-ABSE scheme is IND-CKA secure. A pre-selected group of reliable and secure nodes serves as the consensus node in a blockchain, albeit these nodes might be unavailable or infected. As long as the Pedersen (t, n) secret sharing method remains safe, no one node can independently complete the reconstruction of the system's secret parameters, keeping the entire blockchain secure. The IND-CKA of the BEM-ABSE is defined as a game between challenger 𝒞 and adversary 𝒜.

Setup: The challenger 𝒞 invokes the Pedersen algorithm to run the GlobalSetup generate GP and sends the GP to the 𝒜.

Phase 1: In polynomial-time many times (PPT), 𝒜 provides a keyword collection to 𝒞, then 𝒞 performs TrapGen to generate trapdoor associated with each keyword and sends them to the adversary.

Challenge: 𝒜 provides challenge query keywords w0∗ and w1∗ that without appearing in Phase 1, where the lengths of keywords are the same. Then, 𝒞 choose an arbitrary bit b and runs Online.Enc algorithm to generate Iwb∗ for the wb∗, then 𝒞 returns the Iwb∗ to adversary.

Phase 2: 𝒜 adaptively repeats the execution of query Phase 1, while it should follow the constraints of the query phase.

Guess: 𝒜 outputs its guessed bit b′, and if b=b′, 𝒜 wins the attack game; Otherwise, it fails. The advantage of 𝒜 winning this game is Adv𝒜IND−CKA=|Pr[b=b′]−12|.

Definition 4: If the bilinear Diffie-Hellman assumption holds, the BEM-ABSE scheme achieves IND-CKA security.

(2)   IND-CPA mode.

The BEM-ABSE scheme is IND-CPA secure. Assume that 𝒜 can adaptively perform any key query while only statically corrupting the attribute authority. Let SA be a set of AAs and S be a set of attributes. The IND-CPA of the BEM-ABSE is defined in a game between 𝒞 and 𝒜.

Init: The adversary 𝒜 pre-selection of the corrupted set of attribute authorities is SA′⊆SA and chooses an (M∗,ρ∗). After that, 𝒜 provides this access structure to 𝒞. In addition, the 𝒜 construct and initialize collection D and table T.

Setup: 𝒞 invokes Pedersen algorithm runs GlobalSetup generation GP, and sends the GP to 𝒜. At the same time, the 𝒞 performs AuthoritySetup on the attribute authority in the set SA−SA′ to generate the key pair (PK,SK) and returns PK back to 𝒜. For the attribute authority corrupted in the set SA′, the 𝒜 direct performs AuthoritySetup to obtain key pairs.

Phase 1: 𝒜 sends (S,Suid,uid) to challenger 𝒞 for the decryption key SKi,uid query with the user attribute set Suid, global set of attributes S={Si}i∈SA−SA′ and user identification uid. Notice that, there is a restriction that the set Suid of all attributes in D cannot satisfy (M∗,ρ∗). If 𝒜 has previously submitted Suid, then 𝒞 retrieves the entity (S,Suid) by searching T and returns SKS,uid. Otherwise, 𝒞 performs SKGen algorithm to generate SKS,uid={Si,uid}i∈SA−SA′ and sets D=D∪Suid.

Challenge: 𝒜 provides challenge cipertext m0∗ and m1∗, where the lengths of keywords are the same. Then, the 𝒞 randomly selects bit b and encrypts mb∗ with (M∗,ρ∗) and runs the Online.Enc algorithm to generate CTb∗, Finally, 𝒞 returns CTb∗ back to adversary.

Phase 2: 𝒜 adaptively repeats the execution of query Phase 1, while it should follow the constraints of the query phase.

Guess: 𝒜 outputs its guessed bit b′, and if b=b′, 𝒜 wins the attack game; Otherwise, it fails. The advantage of 𝒜 winning this game is Adv𝒜IND−CKA=|Pr[b=b′]−12|.

Definition 5: The BEM-ABSE scheme achieves IND-CPA security if no PPT adversary has a significant advantage in the security game described above.

5  BEM-ABSE Construction

(1)   Setup

1) GlobalSetup: This algorithm runs through the primary node with inputs of security parameter λ, the algorithm first creates the symmetric bilinear pairing (G,GT,p,g,e), where G and GT are cyclic groups of the same prime order p with a generator g. Next, the node shares four parameters a,μ,c,γ∈Zp∗ using the Pedersen secret sharing protocol. Blockchain node BN calculates gaBN,gμBN,gcBN,gγBN based on their shared secret shares aBN,μBN,cBN,γBN∈Zp∗, respectively, and broadcast these values to other nodes in the network. Then, the node uses three hash functions H:{0,1}∗→Zp∗, H1:{0,1}∗→G ,H2:GT→{0,1}logp to simulate a random oracle model. Finally, the system publishes the global parameters with Eq. (4).

GP=(G,GT,p,g,e,H,H1,H2,ga,gμ,gc,gγ)(4)

2) AuthoritySetup: Each attribute authority AAi randomly selects a element αi∈Zp∗ and calculates yi=gαi. Then, AAi randomly selects uj∈Zp∗ for each of the managed attributes aj∈Si. Note that each attribute authority manages a unique attribute set. Finally, it keeps the private key secret SKi=(αi,uj) and reveals its PKi=(e(g,g)αi,yi,guj), where i∈[1,N] and j∈[1,U].

(2)   Key Generation

1) IdKeyGen: DU is assigned a unique identifier uid and a set of attributes Suid when it joins the BEM-ABSE, and then DU randomly selects z∈Zp∗ and calculates ga/z and g1/z. After that, DU sends its public identity key upkuid=(ga/z,g1/z) to the BC registration and keeps the private identity key uskuid=z.

2) SKGen: When the DU is successfully registered, each AAi associated with the attribute in Suid generates the decryption key SKi,uid for the DU uid. Attribute authority input the Suid={aj}, nuid=|Suid|, u=H(uid) and selects ti∈Zp∗. After that, AAi perform the following calculation SKi,uid with Eq. (5). Finally, AAi sends the SKi,uid to DU for constructing the user transform key TKuid.

SKi,uid={Ki=gau/zgati,Li=gu/zgti/z,Li.j=gu(aj−uj)/zg(aj−uj)ti/z}i∈uA,j∈nuid(5)

(3)   Encryption

1) Offline.Enc: DO perform offline encryption on computationally capable devices before determining the access structure and extracting keywords. First, DO selects λj′,uj′,rj∈Zp∗, where j∈[1,U]. Then DO calculates C1,j=gaλj′gu′(−rj)gujrj and C2,j=grj. Finally, DO outputs an intermediate ciphertext IC={C1,j,C2,j,λj′,uj′}j∈[1,U].

Leveraging IC on end devices with limited resources, such as sensors and wearables, can help decrease the processing overhead of the encryption process. In addition, the IC can be used multiple times when the attributes owned by the user remain unchanged.

2) Online.Enc: After obtaining the intermediate ciphertext IC. Firstly, DO chooses a random number m∈GT and calculates K=H2(m) as the symmetric key, and then DO generates the ciphertext CF=Encsym(K,F) and verification value VKF=H1(H2(m)||CF) of the data file F.

Then, the DO protects m with the specified access policy (Ml×n,ρ), where Ml×n is a matrix with l rows and n columns, the function ρ maps each row of Ml×n to an attribute. The DO chooses a vector v=(s,y2,y3⋯,yn) and calculates the λj=Mjv, where y2,y3⋯,yn∈Zp∗ is used to share the encryption element s and Mj refers to the j-th row of the matrix Ml×n. After that, DO calculates C=m∏i∈uAe(g,g)αis, C′=gs, C3,j=λj−λj′ and C4,j=uj′−ρ(j), where j∈[1,l] and uA is the set of associated attribute authorities, then DO outputs CT=(C,C′,C1,j,C2.j,C3,j,C4,j,CF,(Ml×n,ρ),VKF).

Next, the DO extracts keywords set 𝒲=(w1,w2,⋯,wn) from F and randomly selects elements ξi∈Zp∗ for each keyword wi∈𝒲. After that, it calculates the keywords index set I𝒲={Iwi}wi∈𝒲={[I1,wi,I2,wi]}, where I1,wi=gξi and I2,wi=H2(e((gγ)ξi,H1(wi))). Finally, DO sends the (CT,I𝒲) to the nearest EN, and then DO stores the CT on CSP with the address address and submits the index storage transaction with embedded I𝒲 and address to the blockchain.

(4)   Trapdoor Generation

TrapGen: When a DU searches for data files according to his keyword w′ of interest, DU first selects a random element δ∈Zp∗ and inputs GP, then DU calculates T1,w′=H2(e(gγ,(gc)δ)), T2,w′=gδ ,T3,w′=H1(w′). Finally, DU embeds Tw′=(T1,w′,T2,w′,T3,w′) into the generated search transaction and submits it to the BC.

(5)   Search

Search: After receiving the search transaction from DU, the SSC checks whether Tw′ matches index Iw with Eq. (6), where θ=(T3,w′)γ⊕T1,w′ and φ=H1(e((T2,w′)c,gγ)) are generated by blockchain nodes executing the Pedersen secret sharing protocol. If the above condition both holds, SSC returns the search result relevant ciphertext address address to DU. Otherwise, it returns ⊥.

H2(e(I1,θ⊕φ))=I2(6)

(6)   Decryption

1) EN.Dec: When EN receives the TKuid and the ciphertext CT obtained from CSP using the ciphertext address from DU, it performs ciphertext transform for CT. If the DU's attributes set Suid satisfies the access policy (Ml×n,ρ) embedded in ciphertext CT, and let's define the mapping of user attributes as I={j:ρ(j)∈Suid} where I⊆{1,2,⋯,l}, there must exist a collection of constants {oj∈Zp∗} such that ∑j∈Suidojλj=s, where λj=Mjv. Then, DU further obtains CT′ with Eq. (7). Finally, the EN returns (C,CT′,CF) back to DU.

CT′=∏i∈uAe(C′,Ki)∏j∈I,ρ(j)∈Sie(Cj,Li)e(C2,j,Li,j)=∏i∈uAe(g,g)αis/z(7)

2) User.Dec: After receiving the transform ciphertext from EN, the DU utilizes its private key uskuid to decrypt and retrieve the random number m=C/(CT′)z. Then, DU generates a validation transaction and embeds m and address in it before submitting it to the BC to verify the equality relationship between H1(H2(m)||CF) and VKF through the VSC. If yes, the DU obtains the complete outsourced decrypted data and decrypts the data file F=Decsym(K,CF) with the symmetric key K=H2(m). Otherwise, decryption fails and outputs ⊥. It is worth noting that data validation is not mandatory during the decryption process.

6  Security Analysis

Theorem 1: If the decisional q-BDHE assumption holds, the BEM-ABSE scheme achieves IND-CPA security.

Proof: Assume there is a game that can be won in PPT by the adversary 𝒜 with a non-negligible advantage ε. Then, we construct a simulator ℬ with a non-negligible advantage ε/2 to solve the decisional q-BDHE problem. The simulation is carried out as follows.

Init: ℬ receives a q-BDHE challenge instance (y,T). 𝒜 chooses the access structure (Ml×n∗,ρ∗) and SA′∈SA is a set of corrupted attribute authority, where Ml×n∗ has l<q columns.

Setup: ℬ chooses a security parameter λ, then uses the Pedersen algorithm to perform the GlobalSetup and produce the global parameter GP. Each uncorrupted AAi executes the AuthoritySetup algorithm where i∈(SA−SA′). Then, ℬ picks a random element αi′∈Zp and implicitly lets α=αi′+aq+1 by setting e(g,g)αi=e(g,g)αi′e(ga,gaq),yi=gαi=gαi′+aq+1. For each attribute aj, choose an element zj∈Zp at random, then calculate guj=gzj∏i∈XgaMx,1∗/bxga2Mx,2∗/bx⋯gnMx,n∗/bx, where implicitly defines uj as zj+∑x∈XaMx,1∗bx+a2Mx,2∗bx+⋯+anMx,n∗bx, note that if X=∅ then guj=gzj. Finally, ℬ returns PKi back to 𝒜.

Phase 1: 𝒜 sends (S,Suid,uid) to ℬ for the decryption key SKi,uid query with the user attribute set Suid, global set of attributes S={Si}i∈SA−SA′ and user identification uid. ℬ random chooses element di∈Zp and column vector ω=(ω1,ω2,⋯,ωn)T, such that ω1=−1 and Ml∗ω=0 for all i where ρ∗(i)∈Suid. ℬ defines ti=di+ω1aq+ω2aq−1+⋯+ωnaq−n+1 and computes Li=gu+ti/z=gu+di/z∏k=0n(gaq+1−k)ωk/z. Due to ω1=−1, gati contains the factor g−aq+1, but this portion can be cancelled out by a factor in gαi, allowing ℬ to calculate Ki=gau/zgαi′/zgadi/z∏k=2n(gaq+1−k)ωk/z. For each attribute aj∈Suid, if it exists ρ∗(x)=aj, let Li,j=Liaj−zj, otherwise, Li,j=Liaj−zj ∏x∈X∏k=1n((gak)(u+di)/z∏f=1,f≠kn(gaq+1+f−k/bx)ωk/z)−Mx,k∗. Finally, ℬ returns SKS,uid={K,L,L}i∈SA−SA′,j∈S back to 𝒜.

Challenge: 𝒜 submits two challenge messages m0∗, m1∗ with equal length. Then, ℬ randomly selects bit b and recovers mb∗ under (M∗,ρ∗). After that, ℬ computes C=mb∗Te(gs,gαi′). Then, ℬ constructs a vector v=(s,sa+y2,sa2+y3,⋯,san−1yn) for achieving secret sharing of the s, where each element y2,⋯,yn∈Zp in v is randomly chosen. Since there exists λ′=Ml×n∗v, it is possible to construct λj′=∑k=1nMj,k∗sak−1+λ~j from the vector v with λ~j=∑k=2nMj,k∗syk. ℬ randomly selects an element zj′∈Zp and calculates uj′=zj′+∑x∈XaMx,1∗bx+a2Mx,2∗bx+⋯+anMx,n∗bx. For i=1,2,⋯,l, ℬ first selects random elements rj′,βj,γj∈Zp and defines γj=−(rj′+sbj), then calculates C2,j=grj=g−rj′−sbj,C3,j=βj, C4,j=γj and C1,j=gaλj′g−uj′rjgujrj=gaλ~jg−(rj′+sbj)(zj−zj′)∏k=1n(gsak)Mj,k∗. Finally, ℬ returns CT∗ back to 𝒜.

Phase 2: 𝒜 adaptively repeats the execution of query Phase 1, while it should follow the constraints of the query phase.

Guess: 𝒜 outputs its guessed bit b′, and if b=b′, 𝒜 wins the attack game; Otherwise, it fails. If η=0, ℬ guess T=e(g,g)aq+1s, 𝒜 obtains the legitimate ciphertext of mb∗ and gains the game with the probability ε=Pr[b=b′]−12, the probability that ℬ wins is ε=Pr[b=b′|η=0]=Pr[b=b′]=ε+12. If η=1, there is a random element in the ciphertext, the ℬ wins the game with probability is ε=Pr[b=b′|η=1]=Pr[b≠b′]=12. Thus, the probability of ℬ solving the q-BDHE problem is AdvAIND−CPA=|Pr[b=b′]−12|=ε2.

Because of the hardness of the q-BDHE problem, the advantage AdvAIND−CPA=ε2 of the adversary in breaking the BEM-ABSE scheme is negligible.

Theorem 2: If the bilinear Diffie-Hellman assumption holds, the BEM-ABSE scheme achieves IND-CKA security.

Proof: Assume there is a game that can be won in PPT by the adversary 𝒜 with a non-negligible advantage ε. Then, we construct a simulator ℬ with a non-negligible advantage ε/eqH2qT to solve the bilinear Diffie-Hellman problem, let e be the base of the natural logarithm, qH2 and qT denote the maximum query limits for the hash function H2 and trapdoor, respectively.

Init: Assume that given a BDH tuple (g,u1=gδ1,u2=gδ2,u3=gδ3), where δ1,δ2,δ3∈Zp are random elements, the objective of ℬ is to calculate e(g,g)δ1δ2δ3∈GT.

Setup: ℬ chooses a security parameter λ and invokes the trusted node to execute the Pedersen algorithm to obtain the gc and gγ with the input gδ1, where gγ=gδ1t1=u1t1. Then, ℬ returns public parameters (H1,H2,gc,gγ) to the adversary 𝒜 that are only relevant to conducting a keyword search.

Phase 1: 𝒜 can adaptively issue the subsequent oracles in PPT.

𝒪H1(wi): The ℬ first initializes a hash list LH1 of tuples (wi,hi,ai,ci,). While adversary queries H1 with a specific keyword wi, ℬ first search the LH1 list. If wi already exists in LH1, it returns hi back to 𝒜. Alternatively, ℬ randomly selects a bit ci∈{0,1} where Pr[ci=0]=1/(qT+1). After that, ℬ selects a random element ai∈Zp and calculates hi. Notice that when ci=0, hi=u2ai∈G; Otherwise, hi=gai∈G. Finally, ℬ returns hi back to 𝒜 while storing (wi,hi,ai,ci,) in the list LH1.

𝒪H2(ti): The ℬ initializes list LH2 for the tuple (ti,vi). 𝒜 queries H2 with an arbitrary element ti∈GT, and if ti has been previously queried, ℬ searches LH2 for the associated query result and returns it to 𝒜. Otherwise, ℬ randomly select vi∈{0,1}log⁡p and sends H2(ti)=vi to 𝒜 while storing (ti,vi) in the list LH2.

𝒪Tw(wi): When 𝒜 issues a trapdoor query with the keyword wi, ℬ first queries list LH1 to obtain H1(wi)=hi and the corresponding tuple (wi,hi,ai,ci,). Notice that when ci=0, ℬ terminates the query. Otherwise, hi=gai∈G. Then, ℬ randomly selects an element ξ∈Zp to query 𝒪H2(ti) to get H2(e(gc,(gγ)ξ)) and calculates T1,wi∗=H2(e(gc,(gγ)ξ)),T2,wi∗=gξ and T3,wi∗==H1(wi)=gai. Finally, ℬ sends Twi∗ to 𝒜.

Challenge: 𝒜 provides challenge query keywords w0∗ and w1∗, where the lengths of keywords are the same. After receiving the challenge keywords, ℬ generates the index by performing the following steps: ℬ first obtains H1(w1)=h1 and H2(w2)=h2 form 𝒪H1(wi) and the associated (wi,hi,ai,ci,)i∈{0,1} by retrieving LH1. Notice that ℬ will terminate the current challenge if both c0 and c1 are either 0 or 1. Otherwise, ℬ randomly selects a bit b such that cb=0. ℬ chooses a random number t2∈Zp and J∈{0,1}logp, and then calculates the challenge keyword index Iwb∗=(I1,wb∗,I2,wb∗)=((u3)1/t2,J) with the implicit defines ξ=δ3/t2 and J=H2(e((gγ)ξ,H1(wb)))=H2(e(g,g)δ1δ2δ3(ait1/t2)). We can know that Iwb∗ is a valid index of wb as required. Finally, ℬ returns Iwb∗ back to the adversary.