This work is licensed under http://creativecommons.org/licenses/by/4.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.

1. Introduction

The development of 5G and Internet of Things technology provides a large amount of training data for the rapid implementation of artificial intelligence (AI). At the same time, data security and privacy protection have become the most interesting topics in data governance and sharing. Powerful data mining and analysis have brought potential threats to personal privacy protection. Traditionally, most people choose to outsource their data to cloud servers for sharing and dissemination. However, most of the data stored in the cloud is very sensitive, especially those data generated by IoT devices that are closely related to human life. These data have their particularities and may contain personal-related information such as life, work, and healthcare; once personal data is stolen or leaked illegally and linked to the data owner’s real identity, it may bring great trouble to an individual. Therefore, integrating data and generating value while ensuring data security and privacy have become a significant challenge for all contemporary companies that use big data and AI.

At present, researchers have proposed many secure sharing schemes in the cloud environment [1–9]. These schemes seem to solve the security and privacy issues during data sharing. Nevertheless, these schemes all have a standard feature: they are overly dependent on the Cloud Service Provider (CSP). They believe that the CSP is a trusted third-party organization, and their security models assume that the CSP is semitrustable, which means that the CSP will be curious about the data but will not destroy it. It means that the following situations are always inevitable:

(1) The CSP itself may make profits from the user’s private data, or its insiders may do evil and cause the user’s privacy disclosure. Although some methods, such as attribute-based encryption algorithms, can achieve user-defined access policies that seem user-centric, these methods still require a trusted third party to generate and manage user keys. It is impossible to exclude the possibility of collusion between these trusted centers. All these will lead to the fact that once the data owners upload their data to the cloud server, they will no longer have their data’s absolute possession

From the above point of view, to better protect data security and personal privacy, it is very urgent to design a whole user-centric data-sharing scheme to solve the above problems. In this scheme, we do not need to rely on any trusted third party to store and disseminate data, nor do we worry that the data will be inaccessible. Fortunately, with the emergence and development of Bitcoin [10], as a decentralized and self-organized cryptocurrency, its underlying technology blockchain can elegantly help us realize such a data security sharing scheme [11–14]. In this paper, we proposed a data-sharing scheme based on blockchain. The main contributions of this paper are as follows:

(1) A user-centric data security sharing scheme named BSSPD is proposed, which combines blockchain, CP-ABE, and IPFS. The data owner encrypts his sharing data and stores it on IPFS to maximize decentralization, and BSSPD allows the data owners to have fine-grained access control over their data. Moreover, it supports revoking permissions of a specific data user at an attribute level without affecting others

The rest of this paper is organized as follows. Section 2 consists of related works. Section 3 reviews some preliminary knowledge used throughout this paper. In Section 4, we have an overview of our scheme. Specific implementation details are described in Section 5. Security and performance analysis are discussed in Section 6. Finally, the conclusion and future direction are presented.

2. Related Work

As early as 2015, Swan pointed out that there was not yet an acceptable “health data common” model [15] with appropriate privacy and reward systems for public sharing of personal health data and quantified self-tracking data. Simultaneously, the author believes that blockchain can precisely provide such a structure for creating a secure, remunerated, and owner-controlled health data sharing. Zyskind et al. described a distributed personal data management system [16] that ensures users own and control their data. The system encrypts the data collected from the user’s mobile phone and stores it off-chain and only stores the data’s hash value on the blockchain. Meanwhile, two acceptable transaction types named Taccess and Tdata are defined, in which Taccess is used to implement access control management, and Tdata is used for data storage and retrieval. Azaria et al. proposed MedRec system [17], a blockchain-based decentralized record management system for electronic medical records (EMRs). MedRec provides patients with a comprehensive and immutable log, and the patients can access their medical information at any time across providers and locations. However, the system implements permissionless blockchain with PoW consensus, lacking data security, data privacy, and throughput. Xia et al. proposed MeDShare [18], a system that solves the problem of sharing medical data in a trustless environment by custodians of medical big data. Dubovitskaya et al. have proposed a framework for managing and sharing EMR data for cancer patient care [19]. It uses a permission chain to maintain metadata and access control policies and uses cloud services to store the encrypted data. Patients can define their access control policies to ensure data security and availability. The above-mentioned data-sharing schemes based on blockchain give an ideal blueprint, but most of them only describe the scheme’s outline and do not provide the implementation details of the required protocol.

In the following years, many researchers have designed and implemented more robust access control protocols on blockchain to protect data privacy and security during sharing. Liang et al. used the consortium chain Hyperledger Fabric to realize a user-centric health data-sharing model [20] in which the cloud storage is used as a data warehouse and the blockchain ledger is constructed to store operations such as query and update. At the same time, it uses the member management service provided by Hyperledger Fabric to strengthen the users’ identity authentication and the channel model to protect users’ privacy. Fan et al. focused their attention on mobile network data sharing and privacy protection in the 5G era and proposed an efficient sharing scheme based on blockchain [21]. The main idea is to define a transaction format on blockchain to represent an access strategy. The strategy includes access requestor, content provider, visitor, and the beginning and ending time of access allowed, which is a role-based access control model. Zhang et al. proposed a blockchain-based data-sharing scheme for AI-powered network operations [22]. The scheme sets up two different types of chain, in which DataChain is used as access control tools for data, and BehaviorChain is used to store access records and ensure they cannot be tampered with. They divide access permissions into four levels. Zhou et al. proposed a blockchain-based file-sharing system [23] to address inefficient file sharing during the review of academic papers. The scheme uses Access Control Language (ALC) to exercise access control over the information stored on-chain. It needs to define an access policy on the blockchain for each pair of users and resource. Patel proposed a crossdomain image-sharing framework based on blockchain [24], which uses blockchain as data storage and allows patients to define an access policy. They pointed out that this approach can protect the data from unrelated parties, but no research has been conducted on privacy and security. Tan et al. have proposed a blockchain-based access control scheme for Cyber-Physical Social System (CPSS) big data [25], called BacCPSS. BacCPSS uses an address of blockchain as the user’s identity and maintains a user access matrix on the Smart Contract, ensuring that only operations authorized in the access matrix can be performed. The access control methods implemented in the above data-sharing schemes either need to maintain large numbers of access rules on the chain or cannot achieve fine-grained access control. Neither the access control matrix nor the RBAC is suitable for distributed environments like blockchain.

ABE is considered the most appropriate technology to solve data security and privacy protection problems in a distributed environment. Therefore, recently, researchers have used ABE to achieve fine-grained access control over data on the blockchain. Jemel and Serhrouchni proposed a decentralized access control mechanism [26]. For the first time, researchers used blockchain nodes to execute a CP-ABE algorithm to verify user access rights’ legitimacy. The scheme designs two types of transactions: SetPolicy and GetAccess. But it does not use Smart Contracts, and it is obvious that the scheme is unable to achieve more complex requirements. Sun et al. constructed a model of secure storage and effective sharing for electronic medical data based on ABE and blockchain [27], which provides better access control. Doctors use ABE to encrypt patients’ medical data and store it on IPFS. However, it also does not use Smart Contracts. It only broadcasts some ABE parameters stored in transactions, which cannot achieve more complex business functions. Wang et al. proposed a sharing scheme [28] in which users distribute secret keys. It realizes that the data owner has a fine-grained access control on his data. At the same time, the Ethereum Smart Contract is used to realize the retrieval of ciphertext keywords. However, it requires multiple off-chain communication between users, and more importantly, it does not implement the permit revocation. Pournaghi et al. proposed a secure and efficient sharing scheme based on blockchain and ABE entitled MedSBA to record and store medical data [29]. It implements the update and revocation of permissions by broadcasting a new strategy to cover the previous transaction, but this will lead to users who do not want to be revoked to update their keys.

3. Preliminary

3.1. Bilinear Groups of Composite Order

Let $n=p_1{p}_2$ ($p_1$ and $p_2$ are distinct primes), $G_1$ and $G_2$ be cyclic groups of order $n$, and $g$ be a generator of $G_1$. We call $e:G_1\times G_1\to G_2$ as a bilinear pairing, if it is a map with the following properties:

(1) Bilinear: $e{g}_1^a,g_2^b=e{g_1,g_2}^{ab}$ for all $g_1,g_2\in G_1$ and $a,b\in Z$

Let $G_{p_1}$ and $G_{p_2}$ denote the subgroups of $G_1$ with order $p_1$ and $p_2$. Then, $G_1=G_{p_1}\times G_{p_2}$; $g^{p_2}$ and $g^{p_1}$ are the generators of $G_{p_1}$ and $G_{p_2}$. Let $g_1$ and $g_2$ denote the generators of $G_{p_1}$ and $G_{p_2}$. For all random elements $h_1\in G_{p_1}$ and $h_2\in G_{p_2}$, then we have $e{h}_1,h_2=1$; because of that, $e{h}_1,h_2=e{g}_1^a,g_2^b=e{g}^{{ap}_2},g^{{bp}_1}=e{g,g}^{{abp}_1{p}_2}$.

3.2. Linear Secret-Sharing Scheme (LSSS)

Let $P=P_1,\cdots ,P_n$ be a set of parties, and $A,\rho$ denote an access structure in which $A$ is an $l\times k$ access matrix with $\rho$ mapping its rows. A linear secret-sharing scheme (LSSS) consists of two polynomial-time algorithms:

(1) $ShareA,\rho$: to share a secret value $s$, it randomly chooses $v_1,v_2,\cdots ,v_{k-1}\in Z$ and let $\mathbf{v}={s,v_1,\cdots ,v_{k-1}}^T$. Let $A_i$ denote the vector as the $i$th row in matrix $A$, and then, the share ${\sigma }_i=A_i\mathbf{v}$ belongs to party $\rho i$

3.3. Ciphertext-Policy Attribute-Based Encryption (CP-ABE)

The CP-ABE mechanism was proposed by Bethencourt et al. [30]. It is a public key encryption scheme, but unlike RSA and ECC, CP-ABE is a one-to-many encryption scheme. In CP-ABE, the user’s attributes correspond to the private key, and the access policy is embedded in the ciphertext [31]. Only when the decryption user’s attributes satisfy the access policy can the data be decrypted. CP-ABE is mostly used for fine-grained access control. CP-ABE consists of four phases: initialization, key generation, encryption, and decryption, corresponding to the following four algorithms:

(1) $Setup\lambda ,S\to PSK,MSK$

Initialization algorithm is a randomization algorithm, which is generally executed on a trusted key distribution center. The algorithm inputs a secure parameter $\lambda$ and the attributes are set $S$, to generate the system public key PSK and the system master key MSK.

(2) $KeyGenPSK,MSK,\omega \to USK$

Key generation algorithm generates a private key USK for the data user according to the system public key PSK, the system master key MSK, and the data user’s attributes $\omega$.

(3) $EncryptPSK,M,A\to CM$

Encryption algorithm is executed by the data owner. The algorithm inputs the system public key PSK, the message M to be encrypted, and the access control structure $A$ associated with the access policy and outputs the ciphertext CM.

(4) $DecryptPSK,CM,USK\to M$

Decryption algorithm is executed by the data user. The inputs of the algorithm are the system public key PSK, the user’s private key USK, and the ciphertext CM. If the data user’s attribute set $\omega$ satisfies the access policy, he will decrypt the ciphertext and obtain the corresponding plaintext $M$.

3.4. Blockchain

A blockchain concept originated from Nakamoto’s Bitcoin paper [10], and it is based on cryptography and P2P network. The data on the blockchain is organized into blocks, which are chained in a particular chronological order. Cryptography and consensus mechanisms ensure the security and nonforgery of data. In short, as the underlying technology of cryptocurrencies like Bitcoin, blockchain is a distributed trusted ledger that cannot be tampered with.

3.4.1. Smart Contract

At the early stage of blockchain development, only cryptocurrencies like BTC and LTC were more successful applications. In 2013, Buterin introduced the concept of Smart Contract in his Ethereum white paper [32], demonstrating the first public blockchain with a built-in Turing complete language. Smart Contract [33] was defined as “a computerized transaction protocol that executes the terms of the contract.” In the blockchain, Smart Contract is a code that relies on blockchain’s trusted environment to automatically execute while enabling the blockchain to realize a more complex business. The smart contract operation mechanism based on blockchain is shown in Figure 1.

[figure omitted; refer to PDF]

From a higher point of view, blockchain can be considered a state machine triggered by transactions, and its public ledger is a world state starting from the Genesis Block. Users can build a transaction and broadcast it from any node in the blockchain network. All block producers will perform the corresponding operation after receiving the transaction. Because of the consensus mechanism, all nodes will eventually get a consistent result and update the world state. The action triggered by a transaction can be to deploy a new Smart Contract or to invoke a Smart Contract from blockchain and execute it in a sandbox environment. Blockchain provides Smart Contract with the following capabilities:

Public state: everyone can see the Smart Contract’s execution and its current global status on the public ledger, which cannot be tampered with.

Trusted propagation channel: after encrypting the message by the receiver’s public key, the sender can broadcast the message through the blockchain. The receiver will receive the message, and it will be recorded on the blockchain securely and undeniably.

3.4.2. Transaction of EOS

In the EOS blockchain, there are three essential components named address, account, and transaction. Each user has his account in EOS, and each account corresponds to multiple ECDSA key pairs denoted by $pk,sk$. The public key calculates an address of EOS through a hash function and base58 coding. The private key and the public key are used to sign and verify the transaction, respectively. If a user wants to invoke a Smart Contract on-chain, he needs to prepare such a transaction Tx [34]: $$\begin{array}{}\text{(1)}& Tx={Ref}_{block},t,{Sig}_{u}Chain\_ID,Tx,ActionCode,Name,{Auth}_u,Data.\end{array}$$

${Ref}_{block}$ denotes the reference to the block number and header of a block which generated recently to prevent transactions from appearing on a forked chain. ${Sig}_{u}Chain\_ID,Tx$ denotes the user’s signature information on the transaction which is used to verify the identity of the user who initiated the transaction by his public key. $Action$ represents the operation to be performed, where $Code$ is the name of the Smart Contract to be invoked, $Name$ is a method in Smart Contract to be called, ${Auth}_u$ is used to verify whether the user who initiated the transaction has the permission, and $Data$ is the parameters to be passed into the contract.

3.4.3. Data Persistence of EOS

After the Smart Contract is executed, the occupied memory will be released, and all variable data in the program will be lost, so it is necessary to persist the data in Smart Contract. In the Smart Contact of Ethereum, data can only be stored in key-value pairs, which is difficult to meet more complex requirements. In EOS, it imitates Multiindex Containers in Boost library and develops a C++ class: $eosio::multi\_index$ (hereinafter referred to as multi_index). Each multi_index can be regarded as a table in the traditional database. Each row of the table can store an object, and the object’s attributes can be any C++ data type. Therefore, the table constructed by multi_index in EOS is no less flexible than traditional databases. A significant feature of multi_index is that a primary key can be set as the main index and 16 secondary indices. Users can obtain any of these indices and use the emplace, erase, modify, and find functions of the index to insert, delete, update, and select data.

3.5. IPFS (InterPlanetary File System)

The InterPlanetary File System is a globally oriented, point-to-point distributed version of the File System, dedicated to creating persistent and distributed storage and shared file network transmission protocols. By integrating existing technologies such as BitTorrent, DHT, Git, and SFS (self-certifying File System), IPFS provides a high-throughput content block storage model that contains content addressing hyperlinks. Simultaneously, it does not have a single point of failure, and the nodes in the system do not need to trust each other. Any resource, such as text, images, sound, video, and website code, once added to the IPFS network, computes the content to a uniquely encrypted hash value unique to the address. This address can be understood as a URL (Uniform Resource Locator) on the Web. If the user wants to use the file, they just need to go to this address to get them.

4. Overview of Our Scheme

This section will give an overview of the system model and the design of our proposed scheme. Table 1 shows some symbols and abbreviations involved in this paper.

Table 1

The symbols and abbreviations involved in this paper.

4.1. System Model of BSSPD

Our proposed scheme BSPPD consists of four components: IPFS, blockchain, data owner, and data user. The DO encrypts his data and uploads it to IPFS, then invokes the Smart Contract on blockchain to save the returned address along with the decryption key. CP-ABE is used to realize a fine-grained access control of data. The DO distributes the private keys for DUs through blockchain, and only those who satisfy the access policy can download and decrypt the shared data. The whole process is entirely decentralized. The data is encrypted and stored in the IPFS to ensure the security of data and accessibility. The traces of the DO and DUs are stored on the blockchain, which cannot be tampered with or denied. The specific functions and responsibilities of these four parts are as follows:

(1) IPFS: provide a secure and reliable storage service. The incentive mechanism ensures that the data on IPFS will never be unavailable

The system model of the proposed scheme is shown in Figure 2.

[figure omitted; refer to PDF]

The CP-ABE algorithm we adopted was mainly inspired by [35] and extended to use the user’s ID as an attribute to support permission revocation. The keyword ciphertext search in BSSPD was learned from [36]. The corresponding description of each step number in Figure 2 is shown as follows:

(i) The DO creates and deploys Smart Contracts. There are two Smart Contracts in our scheme. UMContract includes the functions of user registration, attribute management, identity management, and authentication. DSContract includes publishing sharing data, updating access policy, permission revocation, and data retrieval

4.2. Detail Design of BSSPD

The scheme we proposed is mainly composed of the following phases: initialization phase, apply and register phase, encryption and uploading phase, search phase, decryption and downloading phase, and permission revocation phase. This section will describe the detailed design of each phase and the corresponding relationship with the process steps in the previous section.

4.2.1. Initialization Phase

The primary function of the initialization phase is that the DO deploys Smart Contracts, then generates the system master key and the public parameters in the scheme, and stores them in the Smart Contract. The core algorithm of this phase is $Setup{1}^{\lambda }\to MSK,PK$, which was executed by the DO. The algorithm’s input is a security parameter $1^{\lambda }$, and the outputs are the system master key MSK and public system parameters PK. MSK will be kept secret by the DO, and PK will be stored in UMContract by the DO initiating a transaction. The corresponding steps in the system flowchart are (i) and (ii).

4.2.2. Apply and Register Phase

The apply and register phase’s primary function is that the DU invokes to apply for registration, and an asymmetric encryption algorithm public key is required when applying. After that, the DO assigns a unique uid and distributes private keys for the DU. The core algorithm is $KeyGenMSK,PK,uid,\omega \to {SK}_{data},{SK}_{search}$ which is run by the DO. The inputs of the algorithm are the system master key MSK, the public parameters PK, the uid of the DU, and the general attribute set $\omega$ of the DU. It outputs the private attribute key ${SK}_{data}$ and the search key ${SK}_{search}$ of the DU. The DO executes ${SK}_{uid,\omega }={Enc}_{{Pk}_{com}}{SK}_{data}\mid {SK}_{search}$ and invokes UMContract to store ${SK}_{uid,\omega }$ in the Smart Contract. In this way, the DU can obtain his private keys securely and reliably. The corresponding steps in the system flowchart are (iii)–(v).

4.2.3. Encryption and Uploading Phase

The encryption and uploading phase’s main function is that the DO encrypts sharing data and uploads it to IPFS. After that, the address and decryption key are encrypted and uploaded to DSContract, and the ciphertext keyword indices are established for the relevant DUs. The core algorithm is $EncryptF,A_{l\times k},\rho ,{R_{\rho x}}_{x\in 1,\cdots ,l},PK$ and executed by the DO. It consists of the following three substeps:

The input of the data encryption algorithm is the sharing data $F$, and outputs are the key $K_F$ of a symmetric encryption algorithm and an IPFS address ${href}_{location}$. The whole process is to randomly select a private key $K_F$ and encrypt $F$ to get the ciphertext CF and then upload CF to IPFS to get the address ${href}_{location}$. The corresponding step in the system flowchart is (vi).

The algorithm is used to encrypt the address, and the key whose inputs are the decryption key $K_F$, the IPFS address ${href}_{location}$, the access policy $\mathcal{P}$, a revocation list $R_i$ for each attribute in $\mathcal{P}$, and system public parameters PK. Its output is the ciphertext of $K_F$ and encrypted with CP-ABE. The corresponding step in the system flowchart is (vii).

In the algorithm that generates the ciphertext keyword index, the DO selects a keyword kw of data $F$, which is used as inputs together with the search secret key $K_{search}$ of a relevant DU. The output is a search token $t_{kw}$ and the corresponding step in the system flowchart is (viii).

4.2.4. Search Phase

The main function of the search phase is that a DU uses the trapdoor function to generate the corresponding search token according to the keyword of the shared data which he wants. After that, the DU invokes the contract DSContract for retrieval. This phase can be divided into two steps, as follows:

Generate search token algorithm, which is executed by the DU. The DU selects the keyword related to the shared data he wants to search, together with his ${SK}_{search}$ as inputs, and the output is the search token $t{\prime }_{kw}$ corresponding to the keyword. This corresponds to step (ix) in the system flowchart.

The search algorithm is executed by DSContract, which uses the search token $t{\prime }_{kw}$ generated by the DU in the previous step as input. If such data exists, the algorithm returns data-related information successfully. In this algorithm, the DU sends a transaction to DSContract to trigger the execution, corresponding to steps (x)–(xii).

4.2.5. Decryption and Downloading Phase

The main function of the decryption and downloading phase is that DUs use their attribute private keys to decrypt the data-related information to obtain the address where the shared data stored on IPFS and the decryption key. The core algorithm is $Decrypt{SK}_{uid,\omega },{CT}_{K_F\mid {href}_{location}},PK\to K_F,{href}_{location}$ which was executed by the DU. The inputs of the algorithm are the private attribute key ${SK}_{uid,\omega }$ of the DU, the data-related information ${CT}_{K_F\mid {href}_{location}}$, and the public system parameters PK. It outputs the decryption key $K_F$ and the address ${href}_{location}$. Because the access policy $\mathcal{P}$ and the revocation list $R_i$ of each attribute are embedded in the ciphertext, if the attribute set of the DU that have not been revoked still satisfies access policy $\mathcal{P}$, he will decrypt and obtain $K_F$ and ${href}_{location}$ successfully. In this way, the DU could download ${CT}_F$ from IPFS and decrypt it to obtain the data $F$. This corresponds to step (xiii) in the system flowchart.

4.2.6. Permission Revocation Phase

The main function of the permission revocation phase is that the DO performs an attribute-level fine-grained permission revocation to a DU on a certain ciphertext. At the same time, it does not need to update the keys of other DUs related to the ciphertext. The core algorithm of this phase is $\mathrm{Re}voke{K}_F,{href}_{location},\mathcal{P},{R_i}_{i\in \mathcal{P}},PK,i,uid\to CT{\prime }_{K_F\mid {href}_{location}}$ which is run by the DO. This is similar to the encryption algorithm, but a DU’s uid and the attribute i to be revoked are added to the parameters. The algorithm will add uid to the revocation list $R_i$ and output a new ciphertext. The DO sends a transaction to DSContract to update the data-related information. In this way, if the remaining attribute set of the DU cannot satisfy the policy $P$, he can no longer decrypt the data after obtaining the ciphertext, while other DUs are not affected. This corresponds to step (xiv) in the system flowchart.

5. Implementation Details of Our Scheme

In order to achieve our goal, we will construct a CP-ABE which supports permission revocation and combine it with the EOS blockchain to implement our scheme. This section will elaborate on the details of our Smart Contracts deployed on EOS blockchain and concrete construction of BSSPD.

5.1. Smart Contract Design

To make the logic clearer, we divide the Smart Contract in the scheme into two parts: UMContract and DSContract. UMContract is used to manage DUs’ identity, while DSContract is used to handle business operations related to data sharing. In the contract, we will use _self to represent the account of the DO who created the contract. We will describe the detailed design of these two contracts.

5.1.1. User Management Contract (UMContract)

Algorithm 1: SetTarget.

Algorithm 2: GetUserByUid.

Algorithm 3: Apply.

The UMContract is composed of five function interfaces: SetTarget, GetUserByUid, Apply, Register, and Authenticate. We initialize UMContract as follows.

Let three-tuple $A,uid,{Pk}_{com}$ denote a DU, and create a multi_index named table_user for it in which $A$ is an EOS account of the DU, uid is the unique ID assigned by the DO, and ${Pk}_{com}$ is a public key of the DU used for communication with the DO. Let $A$ be the primary key of table_user whose corresponding index is account_idx. Let uid_idx be a secondary index corresponding to uid. Let target be the target value of PoW.

(1) SetTarget: when UMContract receives action (UMContract, SetTarget, Auth, (newTarget)), this function interface will be triggered to execute. It can only be invoked by the DO who created the contract to adjust the difficulty of PoW. When there are too many users in the system, the DO can increase the difficulty of PoW

Algorithm 4: Register.

Algorithm 5: Authenticate.

5.1.2. Date Sharing Contract (DSContract)

The DSContract is composed of six function interfaces: SetPK. SetSK, AddData, PolicyUpdate, Search and EndSearch, and Remove. We initialize DSContract as follows.

Let PK denote the system public parameters. Let two-tuple ($A$, SK) be the corresponding relationship between the DU’s account and his attribute private key, and the multi_index table_sk is created for it. Let $A$ be the primary key of table_sk whose corresponding index is ua_idx. Let two-tuple (fid, cf) denote the shared data in which fid is the id of shared data and cf is the data-related information. Then, create a multi_index data_table for it, where fid is the primary key and fid_idx is the corresponding index. Let four-tuple (id, $A$, $t$, fid) be an index of DU related to shared data in which $A$ is the EOS account of DU, $t$ is the search token, and fid is the id of shared data in data_table, then create a multi_index search_table for it. Let sa_idx, t_idx, sf_idx be the secondary indices of search_table, corresponding to $A$, $t$, and fid, respectively.

(1) SetPK: when DSContract receives action (DSContract, SetPK, Auth, (newPk)), this function interface will be triggered to execute. It can only be invoked by the DO to set and update the system public parameters

Algorithm 6: SetPK.

Algorithm 7: SetSK.

Algorithm 8: AddData.

Algorithm 9: PolicyUpdate.

Algorithm 10: Search and EndSearch.

Algorithm 11: Remove.

5.2. Concrete Construction of BSSPD

In this section, we will show the concrete construction of our scheme, including the algorithms that the DO and DUs need to execute at each phase and their interactions with the EOS blockchain. Our initialization is as follows.

Let $N=p_1{p}_2$ ($p_1$ and $p_2$ are distinct primes) $G_1$ and $G_2$ be cyclic groups of order $N$. Let $G_{p_1}$ and $G_{p_2}$denote the subgroups of $G_1$ with order $g$ and $Y$. Let $e:G_1\times G_1\to G_2$ be a bilinear pairing and $I=1,\cdots ,m$ be the set of all attributes. Let $F$ be a pseudorandom function, where $F:{0,1}^k\times {0,1}^{\ast }\to {0,1}^k$, and $U={uid}_1,\cdots ,{uid}_n$ be the uid set of all DUs obtained from UMContract.

(1) $setup{1}^{\lambda },I$

For each attribute $i\mid i\in I$, the algorithm first randomly picks two elements $t_i,{\gamma }_i\in Z_{p_1}$ and computes $T_i=g^{t_1},h_i\in g^{{\gamma }_i}$. Next, it picks $\alpha ,a\in Z_{p_1}$ randomly, then computes $eg,g$.

The public key is PK: $$\begin{array}{}\text{(2)}& PK=N,e{g,g}^{\alpha },g,u=g^a,{T_i=g^{t_i},h_i\in g^{{\gamma }_i}}_{i\in I}.\end{array}$$

The system master key is MSK: $$\begin{array}{}\text{(3)}& MSK=\alpha ,a,{t_i}_{i\in I},Y.\end{array}$$

Among them, $t_i$ and $T_i$ are used for calculations related to attributes, ${\gamma }_i$and $h_i$ are used for calculations related to attribute revocation, u is used for calculations related to DU’s identity, and $Y$ is used for randomization of DU’s private key.

Then, send the following transaction to EOS blockchain and store the public key in the DSContract: $$\begin{array}{c}\text{(4)}& Tx=\mathrm{Re}{f}_{block},t,Sigchain\_id,Tx,ActionDSContract,SetPK,{Auth}_{DO},PK.\end{array}$$

(2) $KeyGenuid,\omega ,MSK,PK$

Firstly, send the following transaction to EOS blockchain to obtain the DU’s information including $A$, ${Pk}_{com}$, and uid from UMContract: $$\begin{array}{c}\text{(5)}& Tx=\mathrm{Re}{f}_{block},t,{Sig}_{DO}chain\_id,Tx,ActionUMContract,GetUserByUid,{Auth}_{DO},uid.\end{array}$$

After that, the algorithm randomly chooses $r\in Z_{p_1}$ and computes $K_0=g^{a+\alpha r}$. For each attribute $i\in \omega$, randomly pick $r_i\in Z_{p_1}$ and $Y_{i,1},Y_{i,2},Y_{i,3}\in G_{p_2}$, then compute the following: $$\begin{array}{c}\text{(6)}& K_{i,1}=g^{\alpha r+t_i{r}_i+{ar}_i}{Y}_{i,1},K_{i,2}=g^{r_i}{Y}_{i,2},\\ K_{i,3}={u^{uid}{h}_i}^{r_i}{Y}_{i,3}.\end{array}$$

Let $K_i=K_{i,1},K_{i,2},K_{i,3}$, then DU’s attribute private key will be ${SK}_{uid,\omega }=K_0,{K_i}_{i\in \omega }$. As can be seen, the attribute-related part of the private key is embedded with the DU’s identity.

Then, the algorithm randomly picks a secret key ${SK}_{search}$ for search where ${SK}_{search}={SK}_i\leftarrow {0,1}^{\lambda }$. Let ${SK}_{uid}=E.{Enc}_{{Pk}_{com}}{SK}_{uid,\omega }\mid {SK}_{search}$, and send the following transaction to set and update the DU’s private keys: $$\begin{array}{c}\text{(7)}& Tx=\mathrm{Re}{f}_{block},t,{Sig}_{DO}chain\_id,Tx,ActionDSContract,SetSK,{Auth}_{DO},A,{SK}_{uid}.\end{array}$$

(3) $EncryptF,A_{l\times k},\rho ,{R_{\rho x}}_{x\in 1,\cdots ,l},PK$

The algorithm randomly chooses a private key $K_F$ of $\epsilon$, and encrypts the sharing data $CF=\epsilon .{Enc}_{K_F}F$, then uploads the CF to the IPFS network, and the returned address is ${href}_{location}$, set $M=K_F\mid {href}_{location}$.

The algorithm first randomly picks $s,v_2,\cdots ,v_k\in Z_{p_1}$ and lets $\mathbf{v}={s,v_2,\cdots ,v_k}^T$. For $i=1$ to $l$, it calculates ${\lambda }_x={\mathbf{A}}_x·\mathbf{v}$ where ${\mathbf{A}}_x$ is the vector corresponding to the $\mathbf{x}$th row of ${\mathbf{A}}_{l\times k}$. Assume that $R_{\rho x}={uid}_1,\cdots ,{uid}_{l_{\rho x}}$ in which the number of revocable users $l_{\rho x}$ is variable. For each ${uid}_j\in R_{\rho x}$, it randomly chooses a ${\eta }_{x,j}\in Z_{p_1}$, where $j=1,2,\cdots ,l_{\rho x}$ and ${\sum }_{j=1}^{l_{\rho x}}$, and then computes $$\begin{array}{c}\text{(8)}& C_0=M·e{g,g}^{\alpha s}.C_1=g^s.\end{array}$$

For each attribute $\rho x$, it computes that $$\begin{array}{c}\text{(9)}& C_{x,0}=g^{{\lambda }_x},C_{x,1}=T_{\rho x}^{{\lambda }_x}.\end{array}$$

When $R_{\rho X}\ne \varnothing$, it computes for each revoked ${uid}_j\in R_{\rho x}$ as follows: $$\begin{array}{c}\text{(10)}& C_{x,j,1}=g^{{\eta }_{x,j}},C_{x,j,2}={u^{{uid}_j}{h}_{\rho x}}^{{\eta }_{x,j}}.\end{array}$$

The ciphertext CF is set to $$\begin{array}{}\text{(11)}& {CT}_{K_F\mid {href}_{location}}=C_0,C_1,{C_{x,0},C_{x,1},{C_{x,j,1},C_{x,j,2}}_{j=1,\cdots ,l_{\rho x}}}_{x\in 1,\mathrm{..},l}.\end{array}$$

(4) $IndexGenA,kw,K_{search},{CT}_{K_F\mid {href}_{location}}$

The algorithm calculates a search token for a keyword kw of the sharing data. $$\begin{array}{}\text{(12)}& t_{kw}=F{K}_{search},kw.\end{array}$$

After that, it will send the following transaction to EOS blockchain to publish the data-related information and add the indices for the relevant DUs: $$\begin{array}{c}\text{(13)}& Tx=\mathrm{Re}{f}_{block},t,{Sig}_{DO}chain\_id,Tx,ActionDSContract,AddData,{Auth}_{DO},A,t_{kw},{CT}_{K_F\mid {href}_{location}}.\end{array}$$

(5) $Trpdrk{w}^{\prime },{SK}_{search}$

The DU obtains ${SK}_{uid}$ from the DSContract and decrypts it with his own private key. $$\begin{array}{}\text{(14)}& {SK}_{uid,\omega }\mid K_{search}=E.{Dec}_{{Sk}_{com}}{SK}_{uid}.\end{array}$$

Then, it calculates the search token corresponding to $k{w}^{\prime }$. $$\begin{array}{}\text{(15)}& t{\prime }_{kw}=F{K}_{search},k{w}^{\prime }.\end{array}$$

(6) $Searcht{\prime }_{kw}$

Send the following transaction to EOS blockchain: $$\begin{array}{c}\text{(16)}& Tx=\mathrm{Re}{f}_{block},t,{Sig}_{DU}chain\_id,Tx,ActionDSContract,Search,{Auth}_{DU},t{\prime }_{kw}.\end{array}$$

If the search is successful, the DU will obtain the data-related information ${CT}_{K_F\mid {href}_{location}}$.

(7) $Decrypt{SK}_{uid},{CT}_{K_F\mid {href}_{location}},PK$

Let $L=x\mid \rho x\in \omega ,uid\notin R_{\rho x}$, then ${\omega }^{\prime }={\rho x}_{x\in L}$ denote the attribute set of the DU that has not been revoked. Assume that ${\omega }^{\prime }$ still satisfies the access policy $A_{l\times k},\rho$; for any $x$ from 1 to $l$, it will calculate $D_{x,1}$ and $D_{x,2}$. $$\begin{array}{c}\text{(17)}& D_{x,1}=\prod _{j=1}^{l_{\rho x}}{\frac{e{K}_{\rho x,2},C_{x,j,2}}{e{K}_{\rho x,3},C_{x,j,1}}}^{1/uid-{uid}_j},D_{x,2}=\frac{e{K}_{\rho x,1},C_{x,0}}{e{K}_{\rho x,2},C_{x,1}}.\end{array}$$

Let ${\mu }_x$ be the restitution coefficient corresponding to the $\mathbf{x}$th row in $A_{l\times x}$, and finally obtain the plaintext. $$\begin{array}{}\text{(18)}& M=K_F\mid {href}_{location}=C_0·\frac{1}{e{K}_0,C_1}·\prod _{x\in L}{D_{x,1},D_{x,2}}^{{\mu }_x}.\end{array}$$

The DU can download CF from IPFS according to ${href}_{location}$ and then use $K_F$ to decrypt CF and obtain the shared data $F$. $$\begin{array}{}\text{(19)}& F=\epsilon .{Dec}_{K_F}CF.\end{array}$$

(8) $\mathrm{Re}vokeM,A_{l\times k},\rho ,{R_{\rho x}}_{x\in 1,\cdots ,l},PK,uid,i$

Take the revoking of the attribute $i$ of a DU to the sharing data $F$ as an example; the DO needs to add the uid of the DU to the revocation list corresponding to the attribute $i$ and execute the CP-ABE part of Encrypt to encrypt the data-related information $M$. Then, the DO sends a transaction as following to the EOS blockchain. $$\begin{array}{c}\text{(20)}& Tx=\mathrm{Re}{f}_{block},t,{Sig}_{DO}chain\_id,Tx,ActionDSContract,PokicyUpdate,{Auth}_{DO},fid,CT{\prime }_{K_F\mid {href}_{location}}.\end{array}$$

6. Security and Performance Analysis of the Proposed Scheme

6.1. Security and Privacy Analysis of BPSSD

6.1.1. Correctness

Let$L=x\mid \rho x\in \omega ,uid\notin R_{\rho x}$, then ${\omega }^{\prime }={\rho x}_{x\in L}$ denote the attributes set of the DU that has not been revoked. Assume that ${\omega }^{\prime }$ still satisfies the access policy $A_{l\times k},\rho$; for any $x$ from 1 to $l$, then $$\begin{array}{c}\text{(21)}& D_{x,1}=\prod _{j=1}^{l_{\rho x}}{\frac{e{g}^{r_{\rho x}}{Y}_{\rho x,2},{u^{{uid}_j}{h}_{\rho x}}^{{\eta }_{x,j}}}{e{u^{uid}{h}_{\rho x}}^{r_{\rho x}}{Y}_{\rho x,3},g^{{\eta }_{x,j}}}}^{1/uid-{uid}_j}=e{g,u}^{-r_{\rho x}\sum _{j=1}^{l_{\rho x}}{\eta }_{x,j}}=e{g,g}^{-{ar}_{\rho x}{\lambda }_x},D_{x,2}=\frac{e{g}^{\alpha r+t_{\rho x}{r}_{\rho x}+{ar}_{\rho x}}{Y}_{\rho x,1},g^{{\lambda }_x}}{e{g}^{r_{\rho x}}{Y}_{\rho x,2},T_{\rho x}^{{\lambda }_x}}=e{g,g}^{\alpha r+t_{\rho x}{r}_{\rho x}+{ar}_{\rho x}{\lambda }_x-t_{\rho x}{r}_{\rho x}{\lambda }_x}=e{g,g}^{\alpha r+{ar}_{\rho x}{\lambda }_x},\\ M^{\prime }=K_F\mid {href}_{location}=C_0·\frac{1}{e{K}_0,C_1}·\prod _{x\in L}{D_{x,1}{D}_{x,2}}^{{\mu }_x}=Me{g,g}^{\alpha s}·\frac{1}{e{g}^{\alpha +\alpha r},g^s}·e{g,g}^{\alpha r\sum _{x\in L}{\lambda }_x{\mu }_x}=Me{g,g}^{\alpha s}·\frac{1}{e{g}^{\alpha +\alpha r},g^s}·e{g,g}^{\alpha rs}=M.\end{array}$$

After the proof, the data-related information $M$ can be decrypted by the DU.

6.1.2. Security Analysis

The CP-ABE algorithm used in this paper is based on the scheme [37], referring to the revocation idea in [35] that introduces a revocation list for each attribute. The scheme [37] has proved to be completely secure. The detailed proof process can refer to the security analysis in [37], which is based on the standard model, and the security depends on three static assumptions.

This paper focuses on security data sharing based on blockchain. The security of CP-ABE is not within the main scope of this article. We will conduct a brief analysis of the security after adding an attribute revocation mechanism to the scheme [37].

If an adversary $\mathcal{A}$ can win the game with a nonnegligible advantage in the security model in [37], he must be able to calculate $e{g,g}^{\alpha s}$. To obtain such a pairing, the adversary needs to utilize $K_0=g^{a+r\alpha }$ in the private key and $C_1=g^s$ in the ciphertext, both of which can get $e{g,g}^{\alpha s}e{g,g}^{\alpha rs}$. This means that $\mathcal{A}$ needs to get $e{g,g}^{\alpha rs}$. Then, $\mathcal{A}$ needs to get $D_{x,1}$ and $D_{x,2}$ corresponding to each attribute and get $e{g,g}^{\alpha r{\lambda }_x}$ by calculation. If $\mathcal{A}$ does not satisfy the challenge attributes, he cannot obtain the correct attribute keys to calculate $e{g,g}^{\alpha r{\lambda }_x}$conforming to the access policy and recover $e{g,g}^{\alpha rs}$.

For collusion attacks, when generating private keys for each DU, a random element $r$ is contained in $K_0$ and random elements $r_i$ and $Y_{i,1},Y_{i,2},Y_{i,3}$ are added to the attributes, so that different DUs cannot combine their private keys to launch attacks.

The attribute private key $K_{i,3}={u^{uid}{h}_i}^{r_i}{Y}_{i,3}$ which is related to the revocation contains the DU’s identity information uid. When $R_{\rho x}\ne \varnothing$, each ${uid}_j\in R_{\rho x}$ in the revocation list contains $C_{x,j,1}=g^{{\eta }_{x,j}}$ and $C_{x,j,2}={u^{{uid}_j}{h}_{\rho x}}^{{\eta }_{x,j}}$, which need to be eliminated when decrypting. $1/uid-{uid}_j$ is used when eliminating. If uid is in the revocation list, $1/uid-{uid}_j$ will not be calculated to achieve the purpose of revoking the attribute $j$ of uid.

6.1.3. Other Security Problem

(1) Data Security. Data security includes the confidentiality, integrity, and availability of the shared data. In our scheme, the large-capacity sharing data of the DO is encrypted using an efficient asymmetric encryption algorithm such as AES and uploaded to IPFS. The IPFS will split the encrypted data and store them on different IPFS nodes in a distributed manner. The access will be routed through the dynamic hash table maintained by each node, and a certain redundancy mechanism will ensure fault tolerance. Besides, IPFS also provides version control like Git. Thus, data encryption and storage in blocks ensure the confidentiality of the shared data. The integrity is guaranteed by dynamic hash table routing, and the tampered data blocks will not be available. The redundant storage and incentive mechanisms of IPFS ensure that users can access their data at any time. As long as IPFS is secure, then the data stored on it in our scheme is secure.

(2) Privacy Analysis. In a data-sharing system, privacy includes the content of the DO’s shared data and the traces of the DU when using the data. In our scheme, the DO will encrypt the address of the shared data and the corresponding decryption key with CP-ABE according to the established access policy. Then, the ciphertext is stored on the blockchain, and only the DUs whose attribute set satisfies the access policy can obtain the data. The content of the data will not be leaked. For the traces generated by DUs, we encrypt the keywords corresponding to the sharing data. The DU invoked the trapdoor function to calculate the search token for the keyword that he needs to retrieve and then uses the search token for retrieving on the blockchain without revealing any information he wants. More importantly, the user’s identity is represented in the form of an address on the blockchain, and the real information of the user will not be exposed.

(3) Fine-Grained Access Control. In our scheme, the fine-grained access control of shared data is realized by CP-ABE. The DO can make different access policies through LSSS and assign different attributes to DUs. Meanwhile, fine-grained access control should also include fine-grained revocation. The proposed scheme draws on the identity-based broadcast encryption scheme, in which the DO assigns a unique uid for each DU, and the uid will be used as a user attribute, embedded in the ciphertext together with the general attributes. Each general attribute in the ciphertext carries a revocation list, and the DU whose uid in this list no longer has the corresponding attribute, so that it achieves the purpose of directly revoking a DU’s attribute.

(4) Avoid a Single Point of Failure. Compared with traditional cloud storage solutions, there is no centralized third party in our proposed scheme. Blockchain and IPFS used in BSSPD are all distributed technologies. Even if some of the nodes fail, the availability of the whole scheme will not be affected. More importantly, the BitTorrent protocol adopted by IPFS can enjoy a high throughput only by requiring paying a small number of fees to incentive storage nodes. Simultaneously, the EOS blockchain is free to users, only the DO needs to mortgage some system tokens in exchange for storage and CPU resources, and these tokens can also be redeemed.

(5) User-Centric. In our proposed scheme, the DO can generate public parameters and the system master key and generate and distribute the private keys for DUs according to their attributes. Moreover, the DO can formulate access policies arbitrarily to assign and revoke the permission of DUs. All of these are controlled by the DO without any trusted third party. In this manner, the DO has complete control over his shared data.

(6) Identity Authentication. The user generates his identity in the blockchain through an asymmetric encryption algorithm with generating key pairs, whose cost is too low. In our proposed scheme, since the uid is embedded in the ciphertext of CP-ABE as an attribute, the DUs may register a large number of uids and use different uids to search and decrypt the shared data, which increases the burden of the DO. In order to prevent such attacks, BSSPD requires identity authentication. Before applying for registration, the DU needs to perform a PoW, which is similar to Bitcoin mining. The DO can adjust the difficulty of PoW according to the total number of DUs in the system. User management and identity authentication are carried out on the blockchain, and only authenticated users can perform operations. These are all executed in Smart Contract ensuring transparency and security.

6.2. Experiments and Performance Analysis of BPSSD

6.2.1. Functional Comparison

We compared the scheme proposed in this article with the recent blockchain-based data-sharing models from the following aspects, including security and privacy, identity management, fine-grained access control, immediate access revocation, and ciphertext keyword retrieval, as shown in Table 2.

Table 2

Functional comparison between BSSPD and other blockchain-based data-sharing scheme.

From the comparison in the table, it can be concluded that due to the blockchain’s decentralized and trustless nature, the data-sharing models based on blockchain allow DOs to formulate access control policies for their data on-chain, so they all can guarantee security and privacy. Early schemes like Ref. [18] mostly only described the model’s outline without the specific implementation details. Generally, they only describe how blockchain can benefit security and privacy during the sharing, so the function is relatively simple. Reference [21] implemented a role-based access control model on the blockchain, but it turns out that RBAC is not suitable for implementing fine-grained access control and revocation in a distributed environment. Reference [28] utilized CP-ABE to achieve fine-grained access control, but it does not achieve permission revocation. However, in the access control scheme based on CP-ABE, an immediate access revocation is indispensable.

In our proposed scheme, we utilized CP-ABE to achieve fine-grained access control and realized the identity management of DUs. The DO assigns and manages unique uids and attributes for registered DUs. Maintaining a revocation list for each attribute in the ciphertext can directly revoke a particular attribute of a DU without updating others’ keys. BSSPD uses ciphertext keyword search to protect the privacy of DUs on-chain. Therefore, our proposed scheme has better applicability and usability.

6.2.2. Storage Analysis

BSSPD is a user-centric data-sharing scheme based on the EOS blockchain, and it stores the public system parameters, user information, and data-related information in the persistent database of Smart Contract. Because the storage resource on-chain is valuable and the acquisition of RAM in the EOS blockchain requires mortgaging system tokens, so it is necessary to analyze the size of the data stored in the Smart Contract.

We first define some symbols; we set $\mid G_1\mid$, $\mid G_2\mid$, $\mid G_{p_1}\mid$, $\mid G_{p_2}\mid$ to represent the bit length of an element in group $G_1,G_2,G_{p_1}$, and $G_{p_2}$, respectively. Let $\mid Z_N\mid$ be the bit length of an element in filed $Z_N$, $\mid K_{AES}\mid$ be the bit length of a key of AES algorithm, and $\mid {Sk}_{com}\mid$ and $\mid {Pk}_{com}\mid$ be the bit length of private key and public key of ECC, respectively; |S| denote the number of attributes in system, and $K_{search}$ denote the bit length of a secret key of pseudorandom function $F$.

According to the experiment simulation in our scheme, we set$\mid G_1\mid =\mid G_2\mid =\mid G_{p_1}\mid =\mid G_{p_2}\mid =1024$bits;$\mid Z_N\mid =128$bits;$\mid K_{AES}\mid =$256 bits;$\mid {Sk}_{com}\mid =$256 bits;$\mid {Pk}_{com}\mid =272$bits;$\mid K_{search}\mid =128$bits; the bit length of account, uid, fid, and search token$t_{kw}$to be 64; and the bit length of an IPFS address to be 256. The storage overhead of BSSPD at each phase varies with the number of attributes which is shown in Figure 3.

[figure omitted; refer to PDF]

In our proposed scheme, there are three operations that interact with the blockchain to store data in the Smart Contract, which are as follows:

(1) Initialization

The DO uploads the system public parameters to the Smart Contract; the storage overhead is $$\begin{array}{}\text{(22)}& \mid Z_N\mid +\mid G_1\mid +2\mid G_{p_1}\mid +\mid S\mid 2\mid G_{p_1}\mid =3200+2048\mid S\mid \text{bits}.\end{array}$$