A trusted medical data sharing framework for edge computing leveraging blockchain and outsourced computation

Gaoyuan Quan; Zhongyuan Yao; Longfei Chen; Yonghao Fang; Weihua Zhu; Xueming Si; Min Li

doi:10.1016/j.heliyon.2023.e22542

. 2023 Nov 22;9(12):e22542. doi: 10.1016/j.heliyon.2023.e22542

A trusted medical data sharing framework for edge computing leveraging blockchain and outsourced computation

Gaoyuan Quan ^a,^b,^c,^∗, Zhongyuan Yao ^a,^b,^c, Longfei Chen ^a,^b,^c, Yonghao Fang ^a,^b,^c, Weihua Zhu ^a,^b,^c, Xueming Si ^a,^b, Min Li ^a,^b,^c

PMCID: PMC10711127 PMID: 38090001

Abstract

Traditional cloud-centric approaches to medical data sharing pose risks related to real-time performance, security, and stability. Medical and healthcare data encounter challenges like data silos, privacy breaches, and transmission latency. In response to these challenges, this paper introduces a blockchain-based framework for trustworthy medical data sharing in edge computing environments. Leveraging healthcare consortium edge blockchains, this framework enables fine-grained access control to medical data. Specifically, it addresses the real-time, multi-attribute authorization challenge in CP-ABE through a Distributed Attribute Authorization strategy (DAA) based on blockchain. Furthermore, it tackles the key security issues in CP-ABE through a Distributed Key Generation protocol (DKG) based on blockchain. To address computational resource constraints in CP-ABE, we enhance a Distributed Modular Exponentiation Outsourcing algorithm (DME) and elevate its verifiable probability to “1”. Theoretical analysis establishes the IND-CPA security of this framework in the Random Oracle Model. Experimental results demonstrate the effectiveness of our solution for resource-constrained end-user devices in edge computing environments.

Keywords: Trustworthy data sharing, Blockchain, CP-ABE, Distributed attribute authorization strategy, Distributed key generation protocol, Distributed modular exponentiation outsourcing algorithm

1. Introduction

The rapid proliferation of digitization in the healthcare sector has generated a vast amount of patient-related medical and health data. Responsible and ethical use of this information is critical to protecting the personal privacy of patients. Scholars have conducted significant research in the effective collection [1] and statistical classification [2] of medical data. However, there are currently various issues associated with the sharing of medical information. Medical data is susceptible to tampering or loss during transmission, making it challenging to facilitate seamless sharing. The phenomenon of ‘data silos' in various healthcare organizations is notably prevalent. Furthermore, most medical data is controlled by healthcare providers, raising concerns about data being transmitted and utilized without the patient's knowledge, leading to security risks and potential conflicts between healthcare providers and patients [3].

Compared to traditional healthcare systems that store user health data and health records in physical paper format, cloud-based healthcare systems have significantly improved efficiency and reduced storage costs over a period of time. However, with the explosive growth of medical data, cloud-based healthcare systems face challenges such as network latency, bandwidth limitations, privacy breaches, and security attacks.

First, the network latency and limited bandwidth of cloud storage can result in slower medical data transmission speeds, thereby reducing the real-time capabilities of healthcare systems. This is particularly critical for applications such as emergency care and surgery that require quickly access to patient data. In addition, medical data frequently needs to be shared among different systems and applications to support healthcare decisions. However, if cloud-based systems encounter network congestion, it can lead to the issue of inconsistencies in medical data, potentially resulting in inaccurate or outdated information.

Second, although outsourcing the storage of patient health data and EHRs to cloud service providers is convenient, efficient, and cost-effective, it results in users relinquishing control over their health data and EHRs upon digitization and cloud storage. On one hand, in the event of a security breach at a cloud service provider, there is a risk of exposing patient health data and other private information. Conversely, cloud service providers and healthcare organizations may face temptations to disclose patient health data or electronic health records for financial gain [4].

Third, cloud storage systems are vulnerable to security attacks. Traditionally, medical data has been predominantly housed in centralized databases or cloud storage systems, which introduce a singular point of vulnerability, leaving them exposed to various threats such as phishing, man-in-the-middle attacks, impersonation, and identity theft [5]. Furthermore, there is the overarching issue of attackers, malevolent users, and hackers cloning or duplicating a range of medical documents.

Yang et al. [6] introduced a CPRE scheme centered around cloud computing facilities, with support for user revocation in cloud environments. This proposed approach demonstrates reduced computational and communication overhead, facilitating easy access to cloud data using resource-constrained devices. Nevertheless, this cloud-centric data sharing strategy is susceptible to single points of failure and communication latency issues.

Edge computing, a technology designed to process data at the network's edge, overcomes the limitations of traditional cloud computing in terms of real-time processing and efficient bandwidth usage. Blockchain technology, recognized as a state-of-the-art approach for ensuring the security and immutability of data, has a broad range of applications in ensuring trust and sharing of data, spanning areas such as VANET [7] and healthcare. As a result, this paper introduces a blockchain-based architecture for secure sharing of medical data in edge computing environments, with the aim of improving both the efficiency and security of data processing in healthcare systems based on the cloud.

CP-ABE functions as a form of public key encryption, facilitating one-time encryption and multi-user sharing. This method plays a crucial role in enabling precise control over data access, ensuring the security of data sharing [8,9]. It has been widely applied in trustworthy data sharing scenarios within edge computing environments [10,11]. For instance, Suyel Namasudra et al. [12] have proposed a secure taxi-sharing system utilizing attribute-based encryption algorithms and re-encryption schemes integrated with blockchain technology. This system provides decentralization, immunity against single point of failure, resilience against collusion attacks, and data leakage prevention. Additionally, the encryption algorithms presented demonstrate remarkable scalability and can be applied to various domains, including the Internet of Things, big data, healthcare, and more.

However, there are several challenges in achieving trustworthy and secure data sharing based on CP-ABE in current edge computing environments:

First, traditional CP-ABE does not meet the real-time requirements of attribute authorization services in edge computing environments. In such environments, where data processing takes place at the network edge, there is a significant demand for real-time services. However, traditional MA-ABE schemes cannot satisfy this real-time requirement.

Second, there is the issue of unreliable edge nodes and the security of CP-ABE keys. In edge computing environments, edge nodes may be vulnerable to physical attacks, malware intrusion, and additional threats that could compromise the security of CP-ABE keys.

Finally, the contradiction between the resource-constrained end devices and the computational complexity of CP-ABE. CP-ABE requires substantial computational resources with the computational effort increasing linearly with the complexity of the attribute set or access policy [13]. This poses a challenge for resource-constrained end devices, especially in edge computing environments, where these devices have limited computational power, storage space, and battery life, making them unable to handle the extreme computational complexity of CP-ABE.

Therefore, the main focus of this paper is to address the challenge of achieving real-time, secure, and computationally efficient medical data sharing in edge computing environments by building on the foundation of CP-ABE data sharing mechanisms and incorporating blockchain technology. The primary contributions of this paper are as follows:

(1)
Propose a Blockchain-based Trusted Data Sharing Scheme in the Edge Computing Environment (BTDS), addressing privacy leakage and data silos issues in medical data sharing.
(2)
To address the real-time requirements of attribute authorization services in edge computing environments, this paper introduces a Distributed Attribute Authorization strategy based on blockchain (DAA). The distributed deployment strategy eliminates the central attribute authority while deploying the Attribute Authorization Center (AC) closer to end-users. This approach achieves a completely decentralized attribute authorization service and ensures real-time requirements for attribute authorization services in the edge computing environment.
(3)
To address the issue of key security in CP-ABE within edge environments, this paper presents a Distributed Key Generation protocol based on blockchain (DKG). This protocol ensures ‘useable but invisible’ privacy protection for the CP-ABE system's master key and user private keys, effectively resolving the problem of key storage in untrusted edge computing environments.
(4)
To address the issue of resource-constrained terminal devices, this paper combines blockchain technology to enhance a distributed modular exponentiation outsourcing algorithm (DME). This algorithm is applied to the encryption and decryption operations of CP-ABE, and its verifiability probability is improved to ‘1'.
(5)
This paper conducts a formal correctness and security analysis of the proposed BTDS architecture, along with the design of simulation experiments. The results demonstrate the effectiveness of the BTDS architecture for resource constrained end devices in edge computing environments.

The paper is structured as follows: In Section 2, we discuss relevant previous research. Section 3 provides the necessary background to comprehend the proposed architecture. Section 4 presents the system model, along with formal definitions and security considerations for the BTDS architecture. Section 5 delves into the specific implementation details of BTDS. Section 6 is dedicated to correctness and security proofs. Section 7 showcases the experimental results and offers a performance analysis. Finally, in Section 8, we draw our conclusions and outline directions for future research.

2. Related work

2.1. Medical data sharing based on blockchain

In the field of blockchain-based medical data sharing, numerous researchers have conducted valuable demonstration studies. Li et al. [14] introduced and implemented a lightweight blockchain-based solution for medical data sharing. They employed proxy re-encryption techniques to ensure secure data sharing among healthcare professionals and patients, as well as between patients themselves. VIKAS JAIMAN and colleagues [15] introduced a data sharing framework that incorporates standardized ontology consent and data request models, drawing from the DUO and ADA-M models. They also devised a smart contract to automate a universal consent model, which underwent testing on the LUCE data sharing platform.

Pratima Sharma et al. [16] conducted an analysis of the substantial security and privacy challenges encountered by traditional healthcare systems. Subsequently, they developed a contemporary decentralized application tailored for healthcare departments, harnessing blockchain-based Internet of Things (IoT) systems. PRATIMA SHARMA et al. [17] introduced a distributed architecture for a healthcare system featuring privacy protection, employing blockchain technology. They developed a distributed application designed for the creation and access of healthcare certificates. Renpeng Zou et al. [18] addressed the challenge of inefficient data retrieval in blockchain-based electronic health systems. They introduced an electronic health system named SPChain, which is built on blockchain technology and is dedicated to medical data sharing and privacy protection. To expedite data retrieval, the solution incorporates special key blocks and mini-blocks for patients to store their electronic medical records. Additionally, they implemented a reputation system to incentivize the participation of medical institutions in SPChain.

Exploring the integration of blockchain technology for medical data sharing within an edge computing environment is a pivotal research direction. Alaa Awad Abdellatif et al. [19] have introduced an innovative collaborative healthcare system that utilizes both edge computing and blockchain technologies to facilitate efficient and large-scale medical data exchange. RAIFA AKKAOUI et al. [20] have introduced an authentication and authorization framework known as EdgeMediChain for the sharing of health data. This comprehensive framework encompasses EMRs and PHD generated by Medical Internet of Things (MIoT) devices, utilizing the synergy of edge computing for scalability and blockchain technology for enhanced security.

2.2. Data sharing in edge computing environments based on CP-ABE

Considerable research efforts have been dedicated to addressing the challenge of data sharing based on CP-ABE within edge computing environments. In the context of real-time attribute authorization services in edge computing environments [21,22], Alshehri et al. [23] introduced the concept of fog node alliances and proposed a distributed authorization scheme based on blockchain and fog node alliances to tackle issues related to time delays and communication overhead among fog nodes. Additionally, Fargana J et al. [24] introduced a Fog Computing layer positioned between the cloud and users, aimed at mitigating the heightened risk of data errors occurring during network transmission.

In the realm of CP-ABE key security research [[25], [26], [27], [28]], Li et al. [29] introduced an innovative online/offline multi-authority CP-ABE scheme. This scheme leverages password reverse firewalls to safeguard against backdoor attacks and enhances the efficiency of MA-CP-ABE through an online/offline approach, consequently reducing storage and computational burdens for users. Remamany et al. [30] put forward a CP-ABE scheme based on Bloom filters. Within this scheme, the access policy is individually examined during the key generation process to ensure the integrity of access policies, thereby fortifying key security. Cheng et al. [31] introduced a CP-ABE scheme rooted in cloud-fog computing. This approach incorporates white-box tracing, maximum user access counts, and reward-penalty mechanisms to establish robust defenses against key leakage. Employing artificial intelligence to mitigate network security risks [32] is also a viable strategy for enhancing CP-ABE key security. For instance, Mohammad Kazim Hooshmand et al. [33] devised a method for network anomaly detection utilizing deep learning techniques.

Addressing the issue of resource-constrained devices in the edge computing environment, researchers have started exploring solutions focusing on the outsourcing of CP-ABE [[34], [35], [36], [37], [38], [39]]. A common approach in these studies is to offload some computational tasks to more powerful devices or cloud servers to reduce the computational burden on resource constrained devices. Touati et al. [40] enabled resource-constrained sensor nodes to implement CP-ABE within an Internet of Things (IoT) environment by orchestrating collaborative efforts among diverse nodes. This process entailed the delegation of computationally intensive operations to a group of auxiliary nodes.

Kiraz et al. [41] proposed a novel algorithm for outsourcing modular exponentiation operations securely to a single trusted cloud server while ensuring the correctness of computations. This algorithm is known to be the most efficient solution that utilizes a single untrusted server and provides the best verifiability probability. Moffat et al. [42] conducted an extensive review of CP-ABE applications in mobile cloud computing and the Internet of Things (IoT). The article underscores that, given the heterogeneity and resource limitations of IoT devices, applying research findings from mobile devices to attribute-based encryption within the IoT domain represents a significant avenue of research.

Li et al. [43] applied secure outsourcing algorithms for exponentiation to CP-ABE schemes and achieved the concealment of both the base and exponent information while supporting verifiability of the computation results. However, the probability of correct verification in their approach is only 1/2. Yan et al. [44] improved the modular exponentiation outsourcing algorithm based on the work of Li et al. [43] and applied it to the encryption and decryption phases of ciphertext-policy attribute-based encryption, increasing the verifiability probability to 1.

In summary, researchers have made valuable contributions to address the challenges associated with CP-ABE attribute authorization service real-time requirements in edge computing environments, protecting CP-ABE System Key security, and achieving efficient CP-ABE computation on resource constrained devices. However, these approaches, while partially addressing the aforementioned issues, still have limitations. While the work in Ref. [23] addressed the time delay and communication overhead between fog nodes, ensuring real-time attribute authorization services in large-scale edge computing environments remains a challenge. Although online/offline key generation techniques and cryptographic reverse firewalls, as seen in Refs. [[29], [30], [31]], can enhance the security of CP-ABE keys, preventing key leakage in an unreliable edge computing environment is an issue that needs additional attention. Additionally, while offloading some computational tasks to more powerful devices or cloud servers, as explored in Refs. [[40], [41], [42], [43], [44]], can alleviate the computational burden on resource-constrained devices, achieving efficient CP-ABE computations in edge environment while ensuring computational correctness remains an urgent challenge.

3. Preliminary knowledge

The notation used in this paper is presented in Table 1.

Table 1.

Symbol description.

Symbol	Description	Symbol	Description
$λ$	Security parameter	$m$	Plaintext
$P K$	Public key	$T$	Access structure
$M S K$	Master private key	$C T$	Ciphertext
$A$	System attributes	$C T_{m}$	Intermediate ciphertext
$S$	User attributes	$C T^{'}$	Partially decrypted ciphertext
$T K$	Transformation key	$ψ_{i}$	Public key fragment
$S K$	User private key	$κ_{i}$	Private key fragment

Open in a new tab

3.1. Bilinear mappings

According to the standardized definition provided in Ref. [45], let $q$ be a large prime number, and $G_{1}, G_{2}$ be two groups of order $q$ with operations called addition and multiplication, respectively. The bilinear map $e : G_{1} \times G_{1} \to G_{2}$ from $G_{1}$ to $G_{2}$ satisfies the following property [46].

(1)
Bilinear: The mapping is said to be bilinear if, for any $P, Q, R \in G_{1}$ and $a, b \in Z$ , $e (a P, b Q) = e {(P, Q)}^{a b}$ , or $e (P + Q, R) = e (P, R) \cdot e (Q, R)$ and $e (P, Q + R) = e (P, Q) \cdot e (P, R)$ .
(2)
Non-degenerate: The map doesn't map all the elements in $G_{1} \times G_{1}$ (that is, the even elements) to the unit in $G_{2}$ . Since $G_{1}, G_{2}$ is an order prime group, this means that if $P$ is a generator of $G_{1}$ , then $e (P, P)$ is a generator of $G_{2}$ .
(3)
Computability: For any $P$ and $Q$ in $G_{1}$ , there exists an effective algorithm to compute $e (P, Q)$ .

3.2. LSSS

A secret sharing scheme $\prod$ on a set of parties $P$ is referred to as a Linear Secret Sharing Scheme (LSSS) on $Z_{p}$ if it satisfies the following conditions:

(1)
The secret share distributed to each entity consists of a vector in $Z_{p}$ .
(2)
For a secret sharing scheme $\prod$ , there exists a matrix $M$ of $l \times n$ , and the mapping function $ρ$ maps each row of the matrix to an associated party. For $i = 1, . . ., l, ρ (i)$ represents the participant associated with the $i t h$ row. Consider a column vector $\vec{v} = {[s, y_{2}, y_{3}, . . ., y_{n}]}^{T}$ , where $s$ is the shared secret in $Z_{p}$ , and $y_{i}$ is a random value for $i = 2, . . ., n$ . According to the scheme $\prod$ , the matrix $M \vec{v}$ represents the secret $s$ being shared into $l$ secret shares, where $λ_{i} = {(M v)}_{i}$ represents the secret share held by participant $ρ (i)$ .
(3)
In a linear secret sharing scheme with linear refactoring features, if $S$ is a set of access authorizations in $A$ , there exists a constant ${w_{i} \in Z_{p}}_{i \in I}$ such that $\sum_{i \in I} w_{i} λ_{i} = s$ , where $λ_{i}$ is an effective share of the secret $s$ held by participant $ρ (i)$ , and $I = {i : ρ (i) \in S}$ .

3.3. Blockchain

Blockchain technology embodies an innovative distributed infrastructure and computational paradigm that harnesses the data structure of blockchain for data verification and storage. It employs a distributed node consensus algorithm to facilitate data generation and updates, while ensuring secure data transmission and access through cryptographic methods. Additionally, it relies on smart contracts, which consist of automated script code, for data programming and manipulation [47].

Blockchain functions as a decentralized ledger within a peer-to-peer network, with each participating node maintaining a complete copy of the ledger [48,49]. This redundancy guarantees data accessibility, even in the event of a single node failure, effectively mitigating the risk of data loss. Blockchain technology possesses several noteworthy characteristics, including decentralization, immutability, traceability, high trust, and high availability [50].

3.4. DBDHE

Let $p$ be a large prime number, $G_{1}$ and $G_{2}$ be two cyclic groups of order $p$ , and $g$ G be a generator of $G_{1}$ . We define $e : G_{1} \times G_{1} \to G_{2}$ as a bilinear mapping. Given a set of elements: $h, g, g^{σ^{1}}, . . ., g^{σ^{n}}, g^{σ^{n + 2}}, . . ., g^{σ^{2 n}}$ , the objective of the decisional bilinear Diffie-Hellman problem is to determine whether $Z = e (h, g^{σ^{n + 1}})$ or $Z = R_{1}$ , where $R_{1} \in G_{2}$ . The advantage of the attacker $A$ in solving the decisional bilinear Diffie-Hellman exponent (DBDHE) problem is defined as follows: $A d v_{D B D H E} (A) = | \Pr [Z = e (h, g^{σ^{n + 1}})] - \Pr [Z = R_{1} \overset{R}{\leftarrow} G_{2}] |$ . If $A d v_{D B D H E} (A)$ is less than a negligible value, then the DBDHE problem is considered difficult.

3.5. Edge computing Outsourcing Framework

Li et al. [51] proposed a secure and verifiable framework for outsourcing edge computing tasks, utilizing multiple non-collusive edge nodes. The framework involves two types of participants. Users with limited computing resources aim to outsource computationally intensive tasks, denoted as $F ()$ , to edge nodes that possess substantial computational capabilities. However, due to concerns regarding trustworthiness, users cannot fully rely on the edge nodes. The edge nodes are assumed to be non-collusive, meaning they do not collaborate to compromise data privacy [52]. In order to safeguard the data privacy of the edge nodes, the user performs a transformation on the original input $x$ , resulting in a modified input denoted as $x^{'}$ . Following the transformation of the input $x^{'}$ , the user divides it into individual components $(x_{1}^{'}, x_{2}^{'}, . . ., x_{i}^{'}, . . ., x_{n}^{'})$ . These components are then transmitted separately to the edge nodes, along with the computational task $F ()$ . Each edge node $i$ is responsible for executing the corresponding computation task $F (x_{i}^{'})$ using the received input $x_{i}^{'}$ . Upon completion, the edge node generates a response $y_{i}^{'}$ . Users can collect the responses ${y_{1}^{'}, y_{2}^{'}, . . ., y_{i}^{'}, . . ., y_{n}^{'}}$ and evaluate them to verify the correctness of the overall result $y^{'}$ . If the result is validated, the user can recover the real result $y$ from the evaluated result $y^{'}$ . Otherwise, if the validation fails, the user outputs “error” [53].

The proposed algorithm's overall framework consists of the following modules:

(1)
Precompute Module: This module precomputes static parameters to accelerate processing.
(2)
Problem Transformation Module: In this module, the user transforms the computational input $x$ into an encoded value $x^{'}$ . Additionally, the user generates and stores a secret value $θ_{x}$ for the verification and recovery process.
(3)
Problem Resolution Module: In this module, the encoded input $x^{'}$ is divided into separate components $(x_{1}^{'}, x_{2}^{'}, . . ., x_{i}^{'}, . . ., x_{n}^{'})$ . The user then transmits each component along with the computation task $F ()$ to the respective edge node.
(4)
Calculation Module: In this module, the edge nodes perform the computation task $F ()$ based on the received encoded input $x_{i}^{'}$ . Each edge node computes the result $y_{i}^{'} = F (x_{i}^{'})$ corresponding to its assigned component.
(5)
Results Module: In this module, the user collects the encoded results ${y_{1}^{'}, y_{2}^{'}, . . ., y_{i}^{'}, . . ., y_{n}^{'}}$ from the edge nodes. These results are then merged to obtain the overall encoded result $y^{'}$ .
(6)
Validation Module: In this module, the validity of the encoded result $y^{'}$ is verified using the secret value $θ_{x}$ . If the encoded result is valid, the output is set to 1; otherwise, it is set to 0.
(7)
Recovery Module: In this module, the user can recover the true results $y$ based on the encoded result $y^{'}$ and the secret value $θ_{x}$ .

4. Methodology

This section begins by describing the system model of BTDS, including the overall architecture, entity composition, and workflow. Subsequently, the algorithms involved in the scheme are formally defined. Finally, we present a security model for BTDS.

4.1. System architecture

The Trusted Medical Data Sharing Architecture in Edge Computing Environment (BTDS) in an edge computing environment is illustrated in Fig. 1. This architecture can be divided into three layers: End-user layer, edge service layer, and cloud storage layer. The End-user layer consists of Data Owners (DO) and Data Users (DU). The edge service layer includes Attribute Authorities (AA) and the Outsourcing Service Provider (OSP). The cloud storage layer comprises the Medical Cloud Computing Center (Cloud). The specific functions of the six participants in the BTDS architecture are as follows:

(1)
Data Owner (DO): DO, as the patient, is the owner of medical data (e.g., electronic health records) and holds the data's ownership. DO encrypts the original data by specifying access policies from electronic health records.
(2)
Data User (DU): DU, as a healthcare professional, typically a doctor, is the user of medical data. DU can only use the user's private key assigned by the medical institution alliance blockchain when their user attribute set (system privileges) satisfies the access policy set by the patient. This allows DU to further decrypt the ciphertext to obtain plaintext electronic health records.
(3)
Attribute Authorization Center (AC): Each healthcare institution serves as an Attribute Authority (AA) node in the CP-ABE algorithm. AA nodes elect shard representatives to act as Attribute Authorization Centers (AC) within the shard. ACs are responsible for providing attribute authentication and key distribution services to users within the shard.
(4)
Edge Blockchain (EBC): EBC is the edge blockchain composed of AA nodes, also known as the medical alliance blockchain. EBC has two roles: first, it adds an additional security verification mechanism to traditional medical cloud storage by storing cryptographic digests of medical data. Second, it provides distributed and secure key generation for CP-ABE.
(5)
Outsourcing Service Provider (OSP): OSP is a computing outsourcing service provider composed of AA nodes, responsible for the distributed execution of modular exponentiation operations outsourced by DO and DU.
(6)
Medical Cloud Computing Center (Cloud): Medical ciphertext data files uploaded by patient DO are stored on the medical cloud server.

The specific steps for patient A, who generates an electronic medical record at hospital A with doctor A, to share this record with doctor B at hospital B are shown in Fig. 1 as follows.

Step 1
Patient A arrives at hospital A for medical treatment, where doctor A generates electronic medical record information for patient A.
Step 2
After medical treatment, patient A can choose to synchronize their electronic medical record with the medical institution consortium, enabling future cross-domain medical treatment. The process of uploading an electronic medical record consists of using an edge outsourcing service on a patient's mobile device to upload an electronic medical record with attribute-based encryption to a medical cloud server. In addition, a cryptographic digest of the electronic medical records is uploaded to the Medical Institutions Alliance blockchain for verification.
Step 3
When patient A visits hospital B for medical treatment for the second time, doctor B can easily access patient A's electronic medical records from the medical cloud server using their own identity privileges, which are verified via the Medical Institutions Alliance blockchain.

The execution of CP-ABE encryption in BTDS architecture consists of three phases. The details of the process are as follows:

(1)
System Initialization Phase.

The BTDS architecture network is initially set up using the DAA sub-algorithm. Subsequently, the EBC initiates the system initialization smart contract of the CP-ABE master algorithm, leading to the distributed generation of the system's public key, master private key, and public parameters.

Step 1
Initially, the system employs the K-Means algorithm to perform preliminary partitioning of DUs and AAs based on their geographic association. Subsequently, within each partition, the AAs elect the AA with the best performance as the AC for that partition, which is responsible for serving the terminal users within that partition.
Step 2
The EBC executes the smart contract for system initialization within the CP-ABE algorithm, resulting in the generation of the system's public parameters. Each AA independently generates fragments of the system's public key and master private key. These key fragments are embedded within transaction blocks on the blockchain, while the fragments of the master private key are securely retained.
(2)
Data Encryption Phase.

The DO employs the CP-ABE main algorithm for attribute-based encryption on the original data. Subsequently, the encrypted data is uploaded to the medical cloud storage center. Simultaneously, the DO uploads the digest's hash value to the EBC. In this process, the DO utilizes the DME sub-algorithm to outsource the complex modular exponentiation computations to the OSP.

Step 1
The DO specifies the access policy and carries out simple exponentiation and XOR operations on the data.
Step 2
The DO utilizes the DME sub-algorithm to outsource the complex modular exponentiation computations to the OSP.
Step 3
The OSP returns a portion of the ciphertext for the data. The DO verifies the results returned by the OSP. Upon successful verification, the DO combines them with its own computed results to form the complete data ciphertext.
Step 4
The DO uploads the ciphertext to the Cloud and transmits the hash value of the data, which is packaged and then sent to the EBC.
(3)
Data Decryption Phase.
In the data decryption phase, the DU initially downloads the ciphertext from the medical cloud storage center and then sends a request for the decryption key to the AC associated with the corresponding shard. Subsequently, the DU executes the decryption algorithm provided by the CP-ABE scheme. Successful decryption is contingent on the attribute set of the DU aligning with the access structure defined for the ciphertext.
Step 1
The DU initiates a request for a private key from the AC node of their shard, providing their attribute set. The AC node subsequently returns the requested private key to the user.
Step 2
The DU proceeds to download the complete ciphertext from the Cloud and conducts a comparison between the hash of the downloaded ciphertext and the hash of the ciphertext stored on the EBC. If a match is found, the decryption process continues. However, in the event of a mismatch, the user's data access attempt fails, triggering a system alert.
Step 3
If the user's attribute set meets the access policy requirements defined in the ciphertext, the DU proceeds to outsource the exponentiation and bilinear pairing operations to the OSP. This is achieved using a transformation key to obtain partial plaintext results.
Step 4
The OSP returns the computation results, which are partial plaintext results. The DU utilizes the decryption key to compute the complete plaintext results.

4.2. Formal definition of main algorithm: CP-ABE

(1)
$S e t u p (1^{λ}, {0,1}^{*}) \to P P$ . The system invokes the sub-algorithm DAA to create the EBC. The algorithm for uploading the EBC is established, and the public parameter smart contract is executed by the designated endorsement node. The algorithm takes as input the security parameter $λ$ and the system attribute set ${0 ， 1}^{*}$ , yielding the system public parameter $P P$ as the output.
(2)
$E n c r y p t (P P, m \in {0,1}^{λ}, T) \to C T$ . The algorithm is executed collaboratively by DO and OSP. The input to the algorithm includes the system public parameters $P P$ , the plaintext $m$ , and the access structure $T$ . Initially, the DO triggers the DKG sub-algorithm to calculate the system public key and conduct partial encryption operations. Subsequently, the OSP employs the DME sub-algorithm to produce the partial data ciphertext, denoted as $C T_{m}$ . Ultimately, the complete data ciphertext, denoted as $C T$ , is generated through the encryption operation carried out by the DO.
(3)
$K e y G e n (P P, S) \to S K$ . The key generation algorithm is executed by the AC fragment. It accepts the system public parameters $P P$ and the user attribute set $S$ as inputs. DU initiates a request to AC for the key with its user attribute set $S$ . Subsequently, the AC initiates the DKG sub-algorithm to generate the user private key designated for DU.
(4)
$T r a n s f o r m (T K, C T) \to C T^{'}$ . The algorithm is performed by OSP using the transformation key $T K$ and the ciphertext $C T$ . OSP executes the decryption operation to generate the converted ciphertext $C T^{'}$ .
(5)
$D e s c r y p t (S K, C T^{'}) \to m$ . The algorithm is performed by DU using the decryption key $S K$ and the converted ciphertext $C T^{'}$ . DU executes the decryption operation to generate the complete data plaintext $m$ .

4.3. Security model

A.
Goals of the Proposed Work.

The BTDS architecture outlines the following design objectives:

1)
Access control: Privacy breaches are the number one challenge for medical data sharing systems. Traditional medical cloud storage systems, which are based on cryptographic methods, do not allow users to decide the key-sharing process. When users upload their data to a cloud storage center, they relinquish control over their personal data, making it susceptible to potential data breaches. Therefore, the BTDS architecture, which relies on CP-ABE encryption, necessitates fine-grained access control to safeguard the data owner. This ensures that while achieving privacy protection for medical data, patients also retain autonomous control over their personal medical data.
2)
Security: Security during medical data sharing is one of the primary objectives of the BTDS architecture. The proposed CP-ABE scheme, which is based on blockchain and multiple attribute authorities, must ensure load balancing, verifiability, secrecy, and protection against collusion attacks.
3)
Performance: For edge computing with high real-time requirements, achieving lightweight and efficient CP-ABE is crucial. An efficient system is necessary, so efforts are made to ensure that the computational and communication overhead of the proposed BTDS architecture remains within reasonable limits.
B.
Correctness Definition

Definition 1: Correctness of BTDS, that is, assuming that each algorithm in the scheme is executed exactly, correct results will always be obtained. For example, $n e g (λ)$ is a negligible function of the security parameter $λ$ .

Equation 1.

(1)

C.
Security Definition
1)
Zero-Knowledge Property of DKG and DME

In the context of distributed key generation and distributed outsourcing of modular exponentiation computation, we aim to ensure that any participant in the system cannot acquire sensitive information (such as private keys) from other participants and cannot obtain any information about the plaintext from the OSP, while still being able to verify the correctness of the obtained results. In the following, we define the zero-knowledge property of distributed keys and outsourced computation results in this model through security experiments. The attacker $A$ is allowed to communicate with any participant in the system, including Attribute Authorization Centers (AC) and Outsourcing Service Providers (OSP). The task of $A$ is to attempt to obtain the private information of other participants, including private keys and detailed results of outsourced computations, while deceiving the system to verify the correctness of the computation results. The design of the security experiment is as follows:

Equation 2.

(2)

In the above experiment, the attacker $A$ can communicate with any participant in the system, including access to private information and outsourced computational results. The challenger then executes the $C h e c k Z e r o K n o w l e d g e$ function to verify if the attacker has successfully obtained the private information. If the verification is successful, indicating that the attacker cannot obtain private information, the output is 1, indicating that the system satisfies the zero-knowledge property. If the verification fails, indicating that the attacker has successfully obtained private information, the output is 0, indicating that the system does not satisfy the zero-knowledge property. The advantage of the attacker $A$ is defined as follows:

Equation 3.

(3)

Definition 2: If $A d v_{A}^{Z e r o - K n o w l e d g e} (P P, λ)$ is extremely tiny and approaches zero, then the system possesses a strong zero-knowledge property, indicating that the attacker cannot acquire private information.

2)
Verifiability of DME

In the context of distributed modular exponentiation outsourcing, security definitions of verifiability focus on the confidentiality of the verification key and the correctness of the outsourced computation. The following security experiment is designed to define the verifiability of the outsourcing scheme.We define the attacker $A (\cdot) = (A_{0}, A_{1})$ , where $A_{0}, A_{1}$ are two probabilistic polynomial-time simulators. The security experiment is structured as follows:

Equation 4.

(4)

For any $λ \in N$ , the advantage of attacker $A$ in verifying the confidentiality of the verification key in DME is defined as follows:

Equation 5.

(5)

Definition 3: If $A d v_{A}^{V e r i f i a b i l i t y} (D M E, λ) \leq n e g l (λ)$ , where $n e g l (λ)$ is a negligible function, then the DME scheme achieves verifiability in the outsourcing computation scheme.

3)
Confidentiality of BTDS

Definition 4: The privacy of encrypted data is defined using a security game that is not distinguishable under a chosen plaintext attack between the attacker $A$ and the challenger $B$ . Specifically, the scheme is considered indistinguishable under chosen plaintext attack (IND-CPA) secure if the absolute value of the difference between the probability $| \Pr [W i n_{A} (b = b^{'}) - 1 / 2] |$ is less than or equal to $ε$ , where $ε$ represents a negligible probability.

$I n i t$ : The attacker $A$ initiates the interaction with the challenger $B$ by sending a set of attributes ${0,1}^{*}$ .

$S e t u p$ : The challenger $B$ executes the $S e t u p$ algorithm and generates the public parameters $P P$ . The challenger then sends the public parameters $P P$ to the attacker $A$ .

$P h a s e s 1 & 2$ : The attacker $A$ queries the challenger $B$ for a decryption key $S K$ . The challenger performs the key generation algorithm $K e y G e n$ to generate the key $S K = (z, T K)$ , and sends it to the attacker $A$ .

$C h a l l e n g e$ : The attacker $A$ sends two plaintext messages of equal length $m_{0}, m_{1}$ to the challenger $B$ . The challenger $B$ randomly selects one of the plaintext messages $m_{b \in {0,1}}$ and performs the encryption algorithm $E n c r y p t$ to generate the corresponding ciphertext.

$G u e s s$ : The attacker $A$ outputs a guessed value $b^{'} \in {0,1}$ as their speculation for the value of $b$ . If $b = b^{'}$ , we consider the attacker to have won the game. The advantage of the attacker is defined as follows: $A d v_{A} = | \Pr [W i n_{A} (b = b^{'}) - 1 / 2] |$ .

5. Concrete scheme

This section is devoted to the specific details of the BTDS scheme, including the Medical Institution Alliance Edge blockchain, the Distributed Attribute Authorization Policy, the Distributed Key Generation Protocol, the Distributed Modular Exponential Outsourcing Algorithm, and the detailed construction of the CP-ABE master algorithm based on the blockchain and multiple authorization centers.

5.1. Medical Institution Alliance Edge Blockchain

The Medical Institution Alliance Edge Blockchain (EBC) is a consortium blockchain consisting of various healthcare institutions, deployed at the edge layer of the network, which is susceptible to network attacks. Each healthcare institution acts as an edge node, providing outsourced computing services to resource-constrained end users, including patients and doctors. Traditional healthcare institutions typically deploy internal networks to physically insulate themselves from cyber attacks. However, this network defense approach results in the inability of patient data to be shared among different healthcare institutions, leading to the phenomenon of “data silos” between them.

Some healthcare organizations have adopted cloud storage centers to alleviate this problem, but this approach simultaneously poses a risk of personal medical data leakage. Therefore, the BTDS architecture proposed in this paper leverages healthcare institutions as blockchain nodes, forming a Medical Institution Alliance Edge Blockchain (EBC). This approach maintains the existing cloud storage approach, while enhancing it with a blockchain verification mechanism. This ensures both data security and fine-grained access control for patients over their personal medical data.

As shown in Fig. 2, the EBC network architecture of the Medical Institutions Alliance Edge Blockchain utilizes the Hyperledger Fabric framework, a widely used open-source consortium blockchain framework known for its high configurability and scalability. It is highly suited for constructing medical consortium blockchains. The EBC network consists mainly of two types of nodes: super blockchain nodes and peer blockchain nodes.

1)
Super Blockchain Nodes (Government Nodes): These nodes are deployed in government regulatory departments or trusted institutions' data centers. They are responsible for storing the entire ledger information and overseeing network operations. These nodes should have a high degree of physical and cyber security.
2)
Peer Blockchain Nodes (Medical Institutions Nodes): These nodes are deployed in various medical institutions and serve as edge nodes. They provide outsourced computing services for patients and healthcare professionals while maintaining a portion of the ledger data. Each medical facility may have one or several nodes, depending on its size and requirements. In addition to storing ledger information, peer blockchain nodes may also undertake CP-ABE attribute authorization and key generation tasks. These nodes elect an Attribute Authorization Center (AC) within their respective shards based on their computational and storage capabilities. The AC is responsible for providing attribute authentication and key distribution services to users within the shard.

EBC (Medical Institutions Alliance Edge Blockchain) places a strong emphasis on security features such as data integrity, key security, and resistance to malicious intrusion attacks to ensure the privacy and trustworthiness of medical data. The following is a detailed description of the security properties of EBC:

1)
Data Verification Mechanism:

EBC leverages blockchain technology to verify and ensure the integrity of data stored on the blockchain through mechanisms such as hash values and blockchain fingerprints (e.g., Merkle trees). These mechanisms effectively detect data tampering and provide reliable verification of data integrity. In addition, EBC serves as a complementary verification mechanism for medical consortium blockchains, further preventing attackers from tampering with patient's personal data in the cloud and enhancing data security.

2)
Key Security:

EBC adopts the CP-ABE (Attribute-Based Encryption) system to achieve fine-grained data access control. Key security is crucial in edge computing environments. To mitigate the risk of key leakage, EBC introduces a distributed key generation protocol. This mechanism does not rely on a single Attribute Authorization Center (AC), ensuring that even if one AC experiences network failures or attacks, it will not lead to key leakage. EBC ensures that only legitimate users have access to the appropriate keys, thereby maintaining data confidentiality.

3)
Resistance to Malicious Intrusion Attacks:

EBC employs a decentralized architecture where data is no longer centrally stored on a single server, but distributed across multiple nodes. This architecture makes it difficult for an attacker to pinpoint a single intrusion target as the data is scattered throughout the network. To maintain network consistency and data trustworthiness, EBC applies consensus algorithms such as Byzantine Fault Tolerance (BFT) algorithms. Even if some nodes are attacked or compromised, the network can continue to function normally, ensuring data security and integrity.

5.2. Sub-algorithm DAA: distributed attribute authorization strategy

The distributed attribute authorization strategy in the blockchain-based scheme is implemented through AA nodes deployed in the edge layer, forming an Edge Blockchain (EBC). The system attribute set is agreed upon by the AA nodes and stored in the EBC for consensus. Following the principles of the K-Means clustering algorithm [54], the end-users and AA nodes are initially divided into shards based on their distance. Within each shard, an attribute authorization center (AC) is dynamically elected from the AA nodes as a representative. The AC is responsible for providing attribute authentication and key distribution services to the users within the shard. This distributed deployment strategy ensures that the AC is located closer to the end users, aligning with the concept of edge computing and meeting the real-time requirements of attribute authorization services in the edge computing environment.

(1)
Shard initialization

In the shard initialization algorithm, the topology of the nodes is based on the actual distribution of edge nodes in the medical data sharing consortium scenario, assuming that the IoT nodes are randomly distributed. This means that the node locations are randomly distributed and are not constrained by a particular mesh rule. In this scenario, the shard initialization algorithm remains applicable since it utilizes the K-means clustering algorithm, which can adapt to various node distribution patterns, including random distributions.

Suppose the system consists of $N$ AA nodes and $H$ terminal users(U). Each AA node, $A A_{i}$ , can be represented by a two-dimensional coordinate $(x_{i}, y_{i})$ . The distance between $A A_{i}$ and $A A_{j}$ is defined as follows: $D (A A_{i}, A A_{j}) = \sqrt{{(x_{i} - x_{j})}^{2} + {(y_{i} - y_{j})}^{2}}$ . The K-Means clustering algorithm divides AA nodes into $K$ shards. Initially, $K$ AA nodes are randomly selected as the initial shard representatives, also known as the shard's authorization center (AC), which provides services to the end users within the shard. The following two steps are then iterated until convergence:

①
Assign each AA node to the nearest shard representative.
②
Set the shard representative (AC) to the average position of all AA nodes in a shard.

Assumptions: The position of the end user $U_{u}$ is represented by the two-dimensional coordinates $(x_{u}, y_{u})$ , and the position of the shard representative $A C_{c}$ is represented by the two-dimensional coordinates $(x_{c}, y_{c})$ . The distance between the end user $U_{u}$ and the shard representative $A C_{c}$ nodes is defined as follows: $D (U_{u}, A C_{c}) = \sqrt{{(x_{u} - x_{c})}^{2} + {(y_{u} - y_{c})}^{2}}$ , where $u = 1,2, . . ., H$ and $c = 1,2, . . ., K$ .

The K-Means clustering algorithm is used to divide users into shards according to the following steps:

a.
Randomly assign $H$ users to $K$ shards.
b.
Compute the distance $D (U_{u}, A C_{c})$ between each user $U_{u}$ and its corresponding shard representative $A C_{c}$ .
c.
Redistribute users: For each user $U_{u}$ , find the nearest shard representative $A C_{c}$ , and redistribute the user $U_{u}$ to the shard represented by $A C_{c}$ .
d.
Iteration: Repeat steps b and c until no shard changes occur for any user or until a predetermined maximum number of iterations is reached.

The algorithm in question, as depicted in the pseudocode provided in Table 2, is described as follows:

(2)
Dynamic Selection of Shard AC

Table 2.

Shard initialization Algorithm.

Open in a new tab

In the shard, a performance measurement function is defined based on the CPU, memory, bandwidth, and other performance indicators of AA nodes:

Equation 6.

(6)

Among them, $ω_{1}, ω_{2}$ and $ω_{3}$ are weight values that can be adjusted according to specific requirements. $C P U (A A_{i}), M e m o r y (A A_{i})$ and $B a n d w i d t h (A A_{i})$ represent the CPU performance, memory size, and bandwidth of node $A A_{i}$ respectively.

Next, the performance score of each AA node is calculated and sorted in descending order. The AA node with the highest performance score is then selected as the shard representative.

The algorithm in question, as depicted in the pseudocode provided in Table 3, is described as follows:

(3)
Distributed Load Balancing

Table 3.

Shard AC Dynamic Election Algorithm.

Open in a new tab

We employ a distributed load balancing strategy, which distributes the load balancing task to individual shards for processing. Load balancing operations are performed based on node load information and utilize a sorted list to enhance lookup efficiency, reducing time complexity to O(log N), making it more suitable for large-scale network environments.

1)
For each shard:
①
Calculate the load of each AA node as follows:

Equation 7.

(7)

Where, $C P U_{u s a g e_{A A_{i}}}$ represents the CPU usage of the AA node, $M e m_{u s a g e_{A A_{i}}}$ represents the memory usage of the AA node, and $N e t_{d e l a y_{A A_{i}}}$ represents the network latency of the AA node. The parameters $α, β, γ$ are weight factors used to adjust the influence of CPU usage, memory usage, and network latency on the load.

②
The average load for each shard $P_{d}$ is calculated as follows: $L_{P_{t}} = (1 / n) \cdot \sum_{i = 1}^{N} L_{A A_{i}}$ , where $n$ is the number of nodes in a shard and $d = 1,2,3 . . ., K$ .
2)
Set the load threshold $T$ based on the system's actual requirements and capabilities. When $L_{P_{t}} > T$ , triggering the load balancing operation:
①
Define a list of loaded nodes, $N o d e L i s t$ , to store the load information of all nodes in the current shard.
②
For each AA node in the shard, the load information $L_{A A_{i}}$ of the node $A A_{i}$ is inserted into NodeList in sorted order.
③
Define a function $F i n d L o w L o a d N o d e s (N o d e L i s t, T)$ to find the list of nodes in the shard with load below $T$ .
④
Define a function $F i n d H i g h L o a d N o d e s (N o d e L i s t, T)$ to find the list of nodes within the shard with loads above $T$ .
⑤
Execute the migration of nodes from $L o w L o a d N o d e s$ to adjacent shards or perform other load balancing operations:

Equation 8.

(8)

Alternatively, nodes can be migrated from HighLoadNodes to newly created shards, or additional load balancing operations can be performed:

Equation 9.

(9)

The algorithm in question, as depicted in the pseudocode provided in Table 4, is described as follows:

(4)
Recovery of Shard AC Failure

Table 4.

Distributed Load Balancing Algorithm.

Open in a new tab

Assume that a shard can be in either a normal state (0) or a failed state (1) at any given time $t$ . The state of a shard can be represented as a binary random variable $S (t), S (t) \in {0,1}$ . If $S (t) = 0$ , it indicates that the shard is in a normal state at time $t$ . If $S (t) = 1$ , it indicates that the shard has failed at time $t$ .

For a failed shard, the failure recovery mechanism should elect the AA node with the best performance in the shard as the new shard representative, i.e., the AC node, to provide services for the users in the shard. Assuming that at time $t$ , the AC node of shard $P_{d}$ fails, the recovery process involves selecting the node with the highest performance score from the queue of AA nodes within the shard to serve as the new AC node.

Assuming that $A A (P_{d}, r a n k)$ represents the $r a n k - t h$ AA node within shard $P_{d}$ , we can define a failover function $R (P_{d}, r a n k, t)$ . When the AC node fail $S (P_{d}, t) = 1, R (P_{d}, r a n k, t) = A C (P_{d}, r a n k + 1)$ , indicating that at time $t$ , the new AC node for shard $P_{d}$ is set to the $(r a n k + 1) - t h$ AA node within the shard.

The algorithm in question, as depicted in the pseudocode provided in Table 5, is described as follows:

Table 5.

Shard AC fault recovery Algorithm.

Open in a new tab

5.3. Sub-algorithm DKG: distributed key generation protocol based on blockchain

Based on the distributed key generation protocol based on Generalized VSS introduced in Zhang et al.'s scheme [55], this paper incorporates blockchain as a trusted third party and presents a distributed key generation protocol based on blockchain. This protocol decentralizes the key management of CP-ABE across multiple participants, and the system public key is generated through consensus in the EBC. The system master key is not explicitly stored in any node, and the user private key can only be calculated when multiple AA nodes collaborate.

The system consists of $n$ participants, denoted as $A A_{1}, A A_{2}, . . ., A A_{n}$ , which form the group $A A =$ ${A A_{1}, A A_{2}, . . ., A A_{n}}$ . The participants have a monotone access structure, meaning that certain subsets of $A A$ can collaborate to recover shared secrets. The base set $Γ_{0} = {A C_{1}, A C_{2}, . . ., A C_{t}}$ represents the minimal set of elements under the inclusion relation in $Γ$ . In the system, each AA possesses a master private key denoted as $κ \in Z_{q}$ , and the corresponding public key to the system is represented as $ψ = g^{κ} (\mod p)$ .

(1)
Initialization phase
①
Selection of large prime numbers $p$ and $q$ such that $q | (p - 1)$ .
②
Selecting a finite cyclic group $G_{q}$ based on the discrete logarithm problem, where the order is $q$ , and $g, h$ as generators of $G_{q}$ .
③
Choose a residue class ring modulo $q$ denoted by $Z_{q}$ .
(2)
System master private key generation phase
①
$A A_{i}$ generates a secret value $κ_{i}$ for their access to the shared structure $Γ$ , where $i = 1,2, . . ., n$ . The specific process is as follows:
a.
When $A A_{i}$ wants to share a secret $κ_{i} \in Z_{q}$ , it makes the following commitment: $E_{i 0} = E (κ_{i}, e_{i}) = g^{κ_{i}} h^{e_{i}}$ , where $e_{i}$ is a randomly chosen secret value from $Z_{q}$ .
b.
$A A_{i}$ stochastically selects a polynomial $F_{i} (κ) = κ_{i} + F_{i, 1} κ + . . . + F_{i, n - 1} κ^{n - 1}$ of degree $n - 1$ from the ring $Z_{q} [K]$ , where $κ_{i}$ represents a secret value. Subsequently, $κ_{i k} = F_{i} (k), k = 1,2, . . ., n$ is computed. Afterwards, $A A_{i}$ randomly selects $G_{i 1}, G_{i 2}, . . ., G_{i, n - 1} \in Z_{q}$ and computes the commitment to $F_{i j}$ as $E_{i j} = E (F_{i j}, G_{i j}) = g^{F_{i j}} h^{G_{i j}}, i = 1,2, . . ., n - 1$ , which is then broadcasted to the participants.
c.
Generate $G_{i} (κ) = e_{i} + G_{i 1} x + . . . + G_{i, n - 1} x^{n - 1}$ where $e_{i k} = G_{i} (k), i = 1,2, . . . n$ . For each minimal qualified subset $A C_{j} = {A A_{j 1}, A A_{j 2}, . . ., A A_{j k}}$ , $A A_{i}$ is represented by $k + 1$ points: $((j_{1}, G_{i} (j_{1})), (j_{2}, G_{i} (j_{2})), . . ., (j_{k}, G_{i} (j_{k})), (0, e_{j}))$ . By applying Lagrange interpolation, another $k$ -degree polynomial $G_{i j} (κ)$ is calculated. The values of $F_{i j} (n + 1)$ and $G_{i j} (n + 1)$ are computed and publicly disclosed to all participants, where $j = 1,2, . . ., t$ .
d.
$A A_{i}$ securely transmits the secret share $(x_{i k}, e_{i k})$ to $A A_{k}$ for holding the share of the secret $κ_{i}$ , where $j = 1,2, . . ., t$ .
e.
Upon receiving its allocated share of the secret, $A A_{k}$ validates the integrity of the share by verifying whether $E_{i k} = E (x_{i k}, e_{i k}) = \prod_{j = 0}^{n - 1} E_{i j}^{k^{i}}$ . For each minimum qualified subset $A C_{j} = {A A_{j 1}, A A_{j 2}, . . ., A A_{j k}}$ , all participants have the ability to verify the integrity of the public data $F_{i j} (n + 1)$ and $G_{i j} (n + 1)$ by confirming whether $E (F_{i j} (n + 1), G_{i j} (n + 1)) = \prod_{m = 0}^{k} E_{i j_{m}^{m}}^{b}$ . Here, $b_{0} = \prod_{i = 1}^{k} (n + 1 - j_{i}) / \prod_{i = 1}^{k} (- j_{i})$ and $b_{m} = (n + 1) \sum_{1 \leq i \leq k, i \neq m} (n + 1 - j_{i}) / j_{m} \sum_{1 \leq i \leq k, i \neq m} (j_{m} - j_{i})$ , where $m = 1,2, . . ., k$ .
②
If the validation of $A A_{k}$ fails (i.e., $x_{i k}, e_{i k}$ is invalid), $A A_{k}$ broadcasts the values $x_{i k}, e_{i k}$ and files a complaint against $A A_{i}$ .
③
In the event of a complaint from $A A_{k}$ against $A A_{i}$ , it is incumbent upon $A A_{i}$ to broadcast the valid share it had provided to $A A_{i}$ .
④
If $A A_{i}$ receives complaints from all members of a qualified subset or is complained by some members and the broadcasted share in step③remains invalid, each member's share is reset to 0, i.e., $x_{i k} = 0 = e_{i k}$ . Simultaneously, $A A_{i}$ sets the selected secret value $κ_{i}$ to zero, and both $F_{i} (κ)$ and $G_{i} (κ)$ are treated as zero polynomials.
⑤
Each member $A A_{k}$ performs calculations on their private key share $s_{k} = \sum_{i = 1}^{n} κ_{i k} (\mod q)$ and the sum of their random values $u_{k} = \sum_{i = 1}^{n} e_{i k} (\mod q)$ . When a user needs to utilize the system's master private key, they can compute $κ = \sum_{i = 1}^{n} κ_{i} (\mod q)$ .
(3)
Extraction of the System Public Key Phase
①
Each attribute authorization node $A A_{i}$ calculates its respective shard of the system public key as $ψ_{i} = g^{κ_{i}}$ , where $i = 1,2, . . ., n$ .
②
Each $A A_{i}$ broadcasts its public key shard $ψ_{i}$ to the EBC.
③
After retrieving the public key shard $ψ_{i}$ from the EBC, when a user needs to use the private key, they compute $g^{κ} = \prod_{i = 1}^{n} ψ_{i} = \prod_{i = 1}^{n} g^{κ_{i}}$ . Additionally, because $e {(g, g)}^{κ} = e (g^{κ}, g)$ , the CP-ABE public key system parameter $e {(g, g)}^{κ}$ can be obtained.
(4)
User private key generation phase
①
The user (DU) sends the set of user attributes $S$ it possesses to the attribute authorization center (AC) of its shard. The AC then aggregates the set $S$ and uploads it to the Edge Blockchain (EBC).
②
Each attribute authorization node $A A_{i}$ generates a partial user private key based on the master secret key ( $M S K$ ) fragment and the attribute set $S$ it holds.
a.
For each attribute $x$ in the attribute set $S$ , attribute authorization node $A A_{i}$ randomly selects a value $t_{i} \in Z_{p}$ . Then, it calculates the user's private key parameter as $K_{x_{i}}^{'} = g^{F (x) \cdot t_{i}}$ .
b.
Attribute authorization node $A A_{i}$ utilizes its holdings of the $M S K$ fragment $κ_{i}$ to calculate the user's private key parameters. It calculates $K_{i}^{'} = g^{κ_{i} + a \cdot t_{i}}, L_{i}^{'} = g^{t_{i}}$ .
c.
$A A_{i}$ packages the calculated $K_{i}^{'}$ and $K_{x_{i}}^{'}$ and uploads them to the EBC.
③
Shard AC collects all the calculated $K_{i}^{'}, L_{i}^{'}$ from each member, as well as the corresponding $K_{i}^{'}, L_{i}^{'}$ for each attribute. Using Lagrange interpolation, it calculates $K^{'} = \prod_{i = 1}^{n} K_{i}^{' λ_{i}}$ , $K_{x}^{'} = \prod_{i = 1}^{n} K_{x_{i}}^{' λ_{i}}$ , and $L^{'} = \prod_{i = 1}^{n} L_{i}^{' λ_{i}}$ .
④
Shard AC randomly selects a conversion factor $z \in Z_{p}$ . It sets the converted keys as $T K = {K = {K^{'}}^{1 / z}, L = {L^{'}}^{1 / z}, {K_{x} = {(K_{x}^{'})}^{1 / z}}_{x \in S}}$ .
⑤
AC returns the user's private key $S K = (z, T K)$ to DU.

5.4. Sub-algorithm DME: distributed modular exponentiation outsourcing algorithm based on blockchain

Based on the scheme proposed in literature [51], the DME sub-algorithm enhances the secure outsourcing algorithm for distributed modular exponentiation based on blockchain. The algorithm can be described as follows:

(1)
$S e t u p (u, a, p) \to (E K, V K)$ This step is carried out by the User's User and the OSP. It involves performing a modular exponentiation operation on the base $u$ with the exponent $a$ modulo $p$ . The resulting value $y = u^{a} \mod p$ is the evaluation key $E K$ , and it is accompanied by the verification key $V K$ . The following details explain the process in more depth:
①
The User inputs the prime number $p$ and initiates the Rand subroutine to generate six blinds in the form of $(k_{1}, g^{k_{1}}), (k_{2}, g^{k_{2}}), (k_{3}, g^{k_{3}}), (k_{4}, g^{k_{4}}), (k_{5}, g^{k_{5}}), (k_{6}, g^{k_{6}})$ , where $g \in Z_{p}$ and $b \in Z_{p}$ .
②
The User selects a random number $r$ from the set $Z_{p}$ to perform a logical division of the base $u$ :

Equation 10.

(10)

Among them, the values of $w_{1}, w_{2}, t_{1}, t_{2}$ are calculated as follows: $w_{1} = u / v_{1}, w_{2} = u / v_{2}, t_{1} = (- k_{3} - k_{1} a) / k_{2} \mod q, t_{2} = (- k_{6} - k_{4} r a) / k_{5} \mod q$ .

③
The load balancing smart contract in the EBC, which consists of computing nodes, will initiate the selection of computing nodes for this round. The specific steps are as follows:

Initially, a segmented approach is employed to achieve load balancing among the edge nodes. The load segmentation method is defined as follows: $h_{j} = L / (1 - λ^{j})$ , where $L$ represents the exponent size, $λ = φ / (2 + φ), j \in [1, n]$ ， $φ = M M / M S$ (where $M S$ and $M M$ correspond to the cost of a modular square operation and a modular multiplication operation, respectively). The value $h_{j}$ denotes the segmentation points, with $h_{0} = 0$ being the initial point. The compute nodes are launched, and the number of nodes $n$ is determined as $n = [\log_{λ} 1 / (1 + 2 L (1 - λ)) + 1 / 2]$ .

④
The User partitions the logical indices $a, r a, t_{1}, t_{2}$ into $n$ segments through binary decomposition:

Equation 11.

(11)

⑤Let the verification key be denoted as $V K = {r}$ , and the evaluation key as $E K$ , which can be represented as ${(g^{k_{5}} w_{1} g^{k_{1}}, e_{1 j}, h_{j - 1}), (g^{k_{2}}, e_{2 j}, h_{j - 1})$ , $(g^{k_{6}} w_{2} g^{k_{4}}, e_{3 j}, h_{h - 1}), {(g^{k_{5}} e_{4 j,} h_{j - 1})}}_{j ϵ [1, n]}$
(2) $C o m p u t e (E K) \to {σ_{j}, π_{j}}$ .

This step is carried out by the distributed computing nodes, which compute the results $σ_{j}$ and generate evidence $π_{j}$ . Here are the detailed steps:

①
The compute nodes, denoted as $j, j \in [1, n]$ , perform the following steps sequentially:

Equation 12.

(12)

②The compute node returns the computed result and evidence as $σ_{j} = {d_{1, j}, d_{2, j}}$ and $π_{j} = {d_{3, j}, d_{4, j}}$ , respectively.
(3)
$V e r i f y (V K, σ_{j}, π_{j}) \to {y, ⊥}$ .

This step involves the User verifying the correctness of the result, which is done as follows: The User computes $y = \sum_{j = 1}^{n} (d_{1, j} \cdot d_{2, j}), y^{'} = \sum_{j = 1}^{n} (d_{3, j} \cdot d_{4, j})$ . If $y^{r} = y^{'}$ , then output the final result $y$ ; otherwise, output $⊥$ .

5.5. Main algorithm: blockchain-based CP-ABE with multi-attribute authority center

The main algorithm of this paper's scheme is built upon the approach presented in Ref. [44]. Below, we provide a detailed description of the algorithm.

(1)
$S e t u p (1^{λ}, {0,1}^{*}) \to P P$ .
①
The algorithm takes as input the security parameters $λ$ , the large prime number $q$ , and the system properties from the collection ${0,1}^{*}$ .
②
A prime order $p$ is selected, and $g$ is chosen as a generator element for the double linear group $G_{1}$ . A bilinear mapping $e : G_{1} \times G_{1} \to G_{2}$ is then generated.
③
A hash function $F : {0,1}^{*} \to G_{1}$ is selected. Two collision-resistant hash functions $H : {0,1} * \to Z_{q}^{*}$ and $H_{1} : {0,1}^{*} \to G_{1}$ are chosen.
④
Randomly selecting a parameter $a \in Z_{p}$ , the system parameters $P P = (g, g^{a}, F, H, H_{1})$ can be defined.
(2)
$E n c r y p t (P P, m \in {0,1}^{λ}, (M, ρ)) \to C T$ .

The algorithm randomly selects $r \in G_{2}$ , computes $s = H (r, m)$ , and $R = H_{1} (r)$ . Then it invokes the child algorithm DKG to compute the public key to the system as $P K = {(g, e (g, g)}^{α}, g^{a}, F, H, H_{1})$ . Given a plaintext $m$ , DO calculates $C = R \cdot e {(g, g)}^{α s}, C^{'} = g^{s}, C^{″} = m \oplus R$ .

In this algorithm, $M$ represents a matrix with dimensions $l \times n$ , and $ρ$ denotes an injective function that associates each row of matrix $M$ with its corresponding attribute. The encryption process can be outlined as follows:

①
Randomly select a vector $\vec{v} = {(s, x_{2}, . . ., x_{n})}^{T} \in Z_{p}$ to be used for sharing the encrypted exponent $s$ .
②
For each row of the matrix $M$ , denoted as $M_{i}$ , calculate the inner product $λ_{i} = M_{i} \cdot \vec{v}$ , where $i$ ranges from 1 to $l$ and $M_{i}$ represents the $i$ -th row of matrix $M$ .
③
Randomly select $r_{1}, r_{2}, . . ., r_{l}$ from $Z_{p}$ , and invoke the sub-algorithm DME. The User and OSP work together to compute the intermediate ciphertext $C T_{m} = {C_{i} = g^{a λ_{i}} g^{F (ρ (i)) (- r_{i})}, D_{i} = g^{r_{i}}}$ .

The detailed process of the first sub-algorithm DME with ${(g^{a})}^{λ_{i}}$ is as follows:

a.
Execute the system initialization algorithm $S e t u p (g^{a}, λ_{i}, p)$ within the DME sub-algorithm. This process yields the verification key $V K$ as ${r}$ , and the evaluation key $E K$ as ${(g^{k_{5}} w_{1} g^{k_{1}}, e_{1 j}, h_{j - 1}), (g^{k_{2}}, e_{2 j}, h_{j - 1})$ , $(g^{k_{6}} w_{2} g^{k_{4}}, e_{3 j}, h_{h - 1}), {(g^{k_{5}} e_{4 j,} h_{j - 1})}}_{j ϵ [1, n]}$ .
b.
The distributed computing nodes on the OSP are deployed to execute the $C o m p u t e (E K)$ algorithm in a decentralized manner, resulting in the computed values $σ_{j} = {d_{1, j}, d_{2, j}}$ and the corresponding evidence $π_{j} = {d_{3, j}, d_{4, j}}$ .
c.
Execute the $V e r i f y (V K, σ_{j}, π_{j})$ algorithm to validate the calculated results obtained from outsourcing, and output the verification outcome.

In a similar manner, calculate $g^{F (ρ (i)) (- r_{i})}$ and $g^{r_{i}}$ using the DME algorithm.

⑤
Upon successful execution of the computation by the OSP, the DO can generate the complete ciphertext $C T = {C, C^{'}, C^{″}, C_{i}, D_{i}}$ , where $C, C^{'}, C^{″}$ are computed by the DO, and $C_{i}, D_{i}$ are computed by the OSP and subsequently verified by the DO.
(3)
$K e y G e n (P P, S) \to S K$ .

DU initiates the process by submitting its attribute set $S$ to the respective shard AC node. The AC node then invokes the sub-algorithm DKG to generate the user's private key $S K = (z, T K)$ .

(4)
$T r a n s f o r m (T K, C T) \to C T^{'}$ .

After obtaining the successful grant of $S K$ , DU downloads the ciphertext $C T$ from the Cloud and verifies its integrity by comparing the ciphertext hash stored in EBC. DU then combines the decryption key $T K$ with the ciphertext $C T$ and sends them to OSP for further processing. OSP invokes the child algorithm DME to unlock a portion of the ciphertext, resulting in the transformed ciphertext $C T^{'} = {C, C^{″}, C T_{t r a n s f o r m}}$ .

①
Let $I \subset {1,2, . . ., l}$ be defined as $I = {i : ρ (i) \in S}$ , where $I$ represents a subset of attributes from the system's complete attribute set.
②
When the user attribute set $S$ satisfies the access policy $(M, ρ)$ , and there exists a valid set of secret shares ${λ_{i}}$ for the secret $s$ with respect to the access matrix $M$ , it is possible to compute a constant set ${w_{i} \in Z_{p}}_{i \in I}$ in polynomial time, such that the linear combination $\sum_{i \in I} w_{i} λ_{i} = s$ is achieved.
③
The transformed ciphertext $C T_{t r a n s f o r m}$ is computed according to the following procedure:

Equation 13.

(13)

(5)
$D e s c r y p t (S K, C T^{'}) \to m$ .
①
After receiving the partially decrypted ciphertext $C T^{'}$ , DU performs the following computations: $r = C / {(C T_{t r a n s f o r m})}^{z}, m = C \oplus H_{1} (r)$ and $s = H (r, m)$ .
②
If the calculated values of $C = r \cdot e {(g, g)}^{α s}$ and $C T_{t r a n s f o r m} = e {(g, g)}^{s α / z}$ validate the correctness of the OSP's computation, the decrypted plaintext $m$ is produced as the output.

6. Proof of correctness and security

6.1. Proof of correctness

This section will provide a proof of correctness for the proposed BTDS system. The fundamental CP-ABE algorithm used in BTDS is based on the classic paper by GREEN et al. [56], so there is no need to reprove its correctness. This section will mainly focus on demonstrating the correctness of BTDS architecture, particularly in the context of the improved distributed key generation and distributed modular exponentiation outsourcing as discussed in Ref. [56].

Theorem 1

Correctness of Algorithm DKG,if EBC performs this algorithm correctly, it can guarantee that the output key is always correct.

Proof: According to the description of the sub-algorithm DKG, the master private key parameter $κ$ of the system is shared by all participants.

a)
$A A_{i}$ commits to a key $κ_{i}$ : During the initialization phase, each $A A_{i}$ publicly reveals a commitment $E (κ_{i}, e_{i}) = g^{κ_{i}} h^{e_{i}}$ , where $κ_{i}$ is their chosen secret value, and $e_{i}$ is a randomly chosen secret value. This commitment ensures the relationship between $κ_{i}$ and $e_{i}$ .

b)
Polynomial Interpolation Calculation: In step (2)c, participants calculate a polynomial $G_{ij} (κ)$ concerning the secret value $κ_{i}$ through polynomial interpolation. This ensures that each participant has a portion of the polynomial $G_{ij} (κ)$ , where $j$ denotes different minimum qualified subsets. Thus, each participant shares information about the secret value $κ_{i}$ .

c)
Secret Share Distribution and Verification: Participants send their secret shares $(x_{ik}, e_{ik})$ to other participants. These shares include information about the secret value $κ_{i}$ . Receivers verify the validity of these shares, ensuring that they satisfy the commitment relationship. This ensures that each participant holds valid secret shares.

d)
Computation of the System Master Private Key Parameter $κ$ :Each member $A A_{k}$ calculates their share concerning the system's master private key parameter $κ$ , represented as $s_{k} = \sum_{i = 1}^{n} κ_{ik} (\mod q)$ . This is achieved by adding up the secret shares, which are part of the information about each participant's secret value $κ_{i}$ . Finally, by summing all shares, the system's master private key parameter $κ$ is correctly reconstructed.

Thus, based on the above proof, Algorithm DKG guarantees the correctness of the system's master private key parameter $κ$ . This also implies that, in theory, the correctness of the BTDS architecture is guaranteed only if the sub-algorithm DKG is executed exactly. It forms the basis for ensuring the correctness of the BTDS architecture.

Theorem 2

Correctness of Algorithm DME. Under the assumption of correct execution by OSP, Algorithm DME ensures the integrity and accuracy of the outsourced computation results.

Proof: For Algorithm DME, given the input $u^{a} \mod p$ , where $u$ and $a$ are variables, the correct computation can be performed by following these steps:

①
Correctness of blind segmentation: The base exponent can be accurately reconstructed after blind segmentation.

$Equation 14.$ (14)

②
The accuracy of edge node computation: The sub-algorithm DME ensures the detection and resolution of potential errors in computation results provided by the edge nodes. This guarantee is established through a rigorous proof by contradiction. Suppose there is a scenario where a compute node deviates from the protocol during the execution of the sub-algorithm DME and produces incorrect computation results. In such a case, when DU performs the verification algorithm, a contradiction arises. Specifically, if $y^{r} = \sum_{j = 1}^{n} (d_{1, j} \cdot d_{2, j})$ does not equal $\sum_{j = 1}^{n} (d_{3, j} \cdot d_{4, j}) = y^{'}$ , the program outputs $⊥$ and triggers the monitoring mechanism. OSP takes appropriate measures to penalize the erroneous node and initiates a new round of computation with a different compute node. This process is repeated until DU's verification equation holds, ensuring the output of the correct computation result $y$ .

Inference 1: Based on Theorem 1 and Theorem 2, it can be inferred that the correctness of BTDS is guaranteed. If the CP-ABE main algorithm based on blockchain and multi-attribute authorization center, as described in this paper, is executed correctly, then it ensures that the BTDS architecture will consistently share data correctly.

6.2. Security proof

Theorem 3

If there exists a probabilistic polynomial-time attacker $A$ such that $Ad v_{B}^{Zero - Knowledge} (PP, ZK, λ) \geq ε (λ)$ , then $A$ can devise an algorithm $F$ to violate the zero-knowledge property of both DME and DKG.

Proof: To begin, it is necessary to construct an Challenger $B$ to challenge the zero-knowledge properties of DME and DKG. The objective is to prove that $Ad v_{B}^{Zero - Knowledge} (PP, ZK, λ)$ is negligible, meaning that Challenger $B$ cannot break the zero-knowledge properties within an ignorable amount.

$Init$ :Attacker $A$ selects an attribute set ${0,1}^{*}$ to challenge and sends it to the challenger $B$ .

$Setup$ :Challenger $B$ runs the $Setup$ algorithm and sends the generated public parameters $PP$ to attacker $A$ . During this phase, attacker $A$ cannot interfere with or influence the generation of system parameters since this is part of the zero-knowledge property.

$Phase 1 & 2$ :(1) Attacker $A$ sends a decryption key $SK$ query to Challenger $B$ , and the challenger executes the key generation algorithm $KeyGen$ to generate the key $(SK, TK)$ , which is then sent to attacker $A$ .

(2)
In this phase, there may be communication and interaction between attacker $A$ and challenger $B$ , but attacker $A$ cannot obtain the key $SK$ or any other private information. If attacker $A$ can successfully challenge the zero-knowledge property of DME, it means that attacker $A$ c annot distinguish whether the key $SK$ generated by challenger $B$ is real or not because attacker $A$ cannot access the detailed information of $SK$ .

$Challenge$ :Attacker $A$ sends two equally long plaintext messages ${m_{0}, m_{1}}$ to challenger $B$ ,and $B$ randomly selects one plaintext message $m_{b \in {0,1}}$ and performs the encryption algorithm $Encrypt$ to generate a ciphertext.

$Guess$ :Attacker $A$ outputs a value $b^{'} \in 0,1$ as the guess for $b$ , and if $b^{'} = b$ ,then attacker $A$ wins the game.

If attacker $A$ can successfully challenge the zero-knowledge property of DME, it means that attacker $A$ cannot gain access to private information $SK$ or other sensitive information. Therefore, attacker $A$ also cannot break the zero-knowledge properties of DME and DKG. Thus, DME and DKG satisfy zero-knowledge properties.

Theorem 4

If there exists a probabilistic polynomial-time attacker $A$ such that the advantage $Ad v_{B}^{Verifiability} (DME, λ) \geq ε (λ)$ , then $A$ is capable of constructing an algorithm $F$ that undermines the $α$ -Verifiability property of the outsourced results of DME.

Proof: To begin, it is necessary to construct a Challenger $B$ to challenge the verifiability properties of DME. The objective is to prove that $Ad v_{B}^{Verifiability} (DME, λ)$ is negligible, meaning that Challenger $B$ cannot break the verifiability properties within an ignorable amount.

$Init$ : Attacker $A$ selects a verification key secrecy experiment to challenge, denoted as DME,and sends it to the Challenger $B$ .

$Setup$ : Challenger $B$ randomly generates the public parameters $PP$ for DME and DKG and sends them to attacker $A$ .

$Phase 1 & 2$ : Attacker $A$ executes the simulator $A_{0}$ to simulate the verification key secrecy experiment and generates a simulated verification key $VK$ . Challenger $B$ randomly selects a bit $b \overset{R}{\leftarrow} {0,1}$ .

$Challenge$ : Challenger $B$ performs the outsourced computation and generates a computation result $Out$ .

$Guess$ : Attacker $A$ executes the simulator $A_{1}$ to estimate whether the computation result generated by the challenger is correct, i.e., $\hat{b} = A_{1} (ε VK, Out)$ .

For any $λ \in N$ , $Ad v_{A}^{Verifiability} (DME, λ) = | \Pr [Ex p_{A}^{Verifiability} (DME, λ) = 1] - \frac{1}{2} | \leq negl (λ)$ , demonstrating that the DME scheme achieves the verifiability properties of the outsourced computation.

Theorem 5

Given the decidable $q - BDHE$ hypothesis in the groups $G$ and $G_{T}$ , it can be concluded that the proposed BTDS scheme achieves IND-CPA security within the random oracle model.

Proof: Suppose there exists a polynomial-time attacker $A$ that breaks the BTDS scheme with a non-negligible advantage $ε$ . In this case, we can construct a challenger algorithm $B$ that can solve the $q - BDHE$ hard problem with a non-negligible advantage.

In the specific interactive game, a group $G$ is selected with a generator $g$ , and a bilinear mapping $e : G \times G \to G_{T}$ is established. The challenger $B$ is provided with a hardness input $(g, g^{s}, g^{s^{2}}, . . ., g^{s^{q}}, ζ)$ , where $α, s \in Z_{p}$ . Without possessing the knowledge of $s$ and $α$ , the challenger $B$ engages in an interactive game with the attacker $A$ and computes $ζ = e {(g, g)}^{α s^{q + 1}}$ .

$Init$ : The attacker $A$ selects an access strategy to challenge $T^{*} = (M^{*}, ρ^{*})$ and sends it to the challenger $B$ .

$Setup$ : The challenger $B$ randomly selects $a \in Z_{p}$ , and computes the public parameters $PP = < G, G_{T}, g, g^{a}, e >$ . These parameters are then sent to the attacker $A$ .

$Phase 1 & 2$ : The challenger $B$ initializes empty tables $T_{1}, T_{2}, T_{3}$ , an empty set $D$ , and an integer $j = 0$ . The attacker $A$ is allowed to perform multiple queries on attribute sets according to the following rules.

(1)
$Random Oracle Hash H_{1} (R, m)$ : If the entry $(R, m, s)$ exists in the table $T_{1}$ , it returns $s$ ; Otherwise, it randomly selects a value $s \in Z_{p}$ , records the entry $(R, m, s)$ in table $T_{1}$ , and returns $s$ .

(2)
$Random Oracle Hash H_{2} (R)$ : If the entry $(R, t)$ exists in the table $T_{2}$ , it returns $t$ ; otherwise, it randomly selects a value $t \in {0,1}^{λ}$ , records the entry $(R, t)$ in table $T_{2}$ , and returns $t$ .

(3)
$Creat (S)$ : The attacker $A$ submits an attribute set $S$ to the challenger $B$ for private key inquiries. The challenger $B$ increments $j$ by 1. The challenger $B$ randomly selects a value $z \in Z_{p}$ and runs the $KeyGen$ algorithm. It sets the conversion key as $TK = {K = {K^{'}}^{1 / z}, L = {L^{'}}^{1 / z}, {K_{x} = {(K_{x}^{'})}^{1 / z}}_{x \in S}}$ and the private key as $SK = (z, TK)$ . Finally, the entry $(j, S, SK, TK)$ is stored in the table $T_{3}$ and returned to the attacker $A$ .

(4)
$Corrupt (i)$ : The challenger $B$ verifies whether there exists an entry $(i, S, SK, TK)$ in the table $T_{3}$ corresponding to the index $i$ . If such an entry is found, the challenger $B$ returns the private key $SK$ to the attacker $A$ . Otherwise, the output is $⊥$ . $Challenge$ : The attacker $A$ submits two plaintext messages of equal length, $m_{0}$ and $m_{1}$ , to the challenger $B$ . The challenger $B$ randomly selects one of the plaintext messages, denoted as $m_{b \in {0,1}}$ , and encrypts it using the encryption algorithm $Encrypt$ . The resulting ciphertext $CT = {C, C^{'}, C^{″}, C_{i}, D_{i}}$ is then transmitted to the attacker $A$ .

Guess: The attacker $A$ provides a value $b^{'} \in 0,1$ as their conjecture for $b$ . If $b^{'} = b$ , the challenger $B$ outputs 0, indicating that the conjecture for $ζ = e {(g, g)}^{α s^{q + 1}}$ is correct. Otherwise, the challenger outputs 1, indicating that the conjecture for $ζ$ is a random element in the group $G_{T}$ . When $ζ = e {(g, g)}^{α s^{q + 1}}$ , the challenger $B$ can provide a valid simulation, which leads to the following expression: $\Pr [B {(g, g^{s}, g^{s^{2}}, . . ., g^{s^{q}}, ζ = e (g, g)}^{α s^{q + 1}}) = 0] = Ad v_{A} + 1 / 2$ . When $ζ$ is a random element, the value of $m_{b}$ is completely random to the attacker $A$ , thus we have: $\Pr [B (g, g^{s}, g^{s^{2}}, . . ., g^{s^{q}}, ζ) = 0] = 1 / 2$ .

In summary, the challenger $B$ can successfully challenge and break the decidability of the $q - BDHE$ hypothesis with a non-negligible advantage.

7. Simulation experiment and performance analysis

7.1. Comparison of schemes

Table 6 and 7 focus on the functional analysis and computational complexity analysis of the BTDS architecture. To facilitate quantitative comparison of the schemes, we denote by $E$ the exponentiation operation, $M$ the modular exponentiation operation, $P$ the bilinear pairing operation, $n$ the number of attributes used in the access strategy, and $l$ the number of rows in the access structure matrix based on LSSS.

Table 6.

Functional analysis.

Scheme	Multi-authority	Encryption Outsourcing	Decryption Outsourcing	Key Generation Outsourcing	Verification Probability	Distributed Outsourcing	Blockchain
[56]	Single	×	✓	×	✓	×	×
[43]	Single	✓	✓	×	✓	×	×
[57]	Single	✓	✓	✓	✓	×	×
[58]	Multi	×	✓	×	✓	×	×
BTDS	Multi	✓	✓	✓	✓	✓	✓

Open in a new tab

Table 7.

Computational complexity analysis.

Scheme	DO		DU		OSP
Scheme	Data Owner Encryption	Data Owner Verification	Data User Verification	Data User Decryption	Encryption outsourcing	Decryption outsourcing
[56]	$(4 + 3 n) E + 1 M$	–	$2 E + 1 M$	$1 M$	–	$2 M + (2 n + 1) P$
[43]	$2 E$	$2 E + 1 M$	$5 E + 4 M + 1 P$	$1 M$	–	–
[57]	$3 E + 1 M$	–	–	$3 M$	$(2 l + 1) M$	$s M + (2 s + 4) P$
[58]	$5 E + 1 M$	–	–	$1 E + 1 M$	–	$1 E + 2 M + 3 n P$
BTDS	$2 E + (2 M)$	$3 M$	$2 E + 1 M$	$1 E + 1 M$	$1 E + 2 l M$	$2 M + n l P$

Open in a new tab

Green et al. [56] proposed the first ABE scheme with outsourced decryption. This scheme involves semi-trusted servers performing (2n + 1) bilinear pairing operations and 2n modular exponentiations to generate partially decrypted ciphertext. The user can then retrieve the original message with a single exponential operation. During the encryption process, the data owner requires (4 + 3n) exponentiation operations and one modular exponentiation.

Li et al. [43] outsourced both encryption and decryption operations to cloud servers, significantly reducing the computational load on user terminals. They not only support outsourced encryption and decryption operations, but also introduce two types of secure outsourced exponentiation algorithms for exponentiation operations in outsourced encryption. These algorithms use mathematical partitioning and blinding operations to hide the bases and exponents contained in the ciphertext components, thus ensuring data privacy. However, the correctness verification probabilities for multiple-base modular exponentiation secure outsourcing algorithms and single-base modular exponentiation secure outsourcing algorithms were only 2/5 and 1/2, respectively. In the [43] scheme, data owners were involved in only 2 exponentiation operations during the encryption computation phase, requiring 2 exponentiation operations and 1 modular multiplication operation in the encryption verification phase. Data users, on the other hand, require only one modular multiplication operation during the decryption computation, but five exponential operations and one bilinear pairing operation during the decryption verification phase. Bilinear pairing computations are significantly more expensive than modular multiplication computations.

Zhao et al. [57] proposed a fully outsourced ciphertext policy attribute-based encryption scheme that supports verifiable key generation, encryption, decryption computations, and the verification of outsourced computation results. During the encryption process, the data owner needs three exponentiation operations and one modular exponentiation operation. In the decryption phase, the data user needs only one exponentiation operation and one modular exponentiation operation.

The aforementioned works [43,56,57] are based on single-authority CP-ABE outsourcing schemes. Sana Belguith et al. [58] introduced a policy-hiding outsourced ABE scheme called PHOABE, based on multi-authority CP-ABE, which delegates the computationally expensive part of the decryption process to a semi-trusted cloud server. During the encryption phase, the data owner needs to perform five exponential operations and one modular exponential operation. Data users outsourced computationally expensive operations, including 3n bilinear pairing operations, 2 modular exponentiation operations, and 1 exponentiation operation, to semi-trusted cloud servers. As a result, the data user only needs to perform 1 exponentiation operation and 1 modular exponentiation operation during the decryption phase.

In this work, we replace the modular exponentiation outsourcing algorithm with a distributed modular exponentiation outsourcing algorithm more suitable for edge computing scenarios, based on the PHOABE scheme. In addition, we use a distributed key generation algorithm in conjunction with EBC to ensure key security while generating user private keys. Unlike the scheme in Ref. [43], our scheme requires data owners to perform 2 additional modular exponentiation operations when using the system public key for encryption operations for the first time. However, it only requires 3 modular exponentiation operations during the encryption verification phase. Data users require one additional modular exponentiation operation during decryption computations but perform fewer operations, including 3 exponentiation operations, 3 modular exponentiations, and 1 bilinear pairing operation, during the verification phase compared to the scheme in Ref. [43].

In addition, the communication overhead of outsourced computations in the BTDS architecture is another significant performance factor. A comprehensive analysis of the communication overhead of the DME algorithm reveals that the user needs to send $4 n * L e n p + 4 n * L e n p = (24 * 1024 + 160 * 4) / 8 * 1024 \approx 3 K B$ of data to n edge computing nodes and all edge computing nodes together need to send $4 n * L e n p = 4 n * 1024 / 8 * 1024 = 3 K B$ of data to the user [51]. Thus, the communication cost can be considered negligible compared to the computational time cost within a reasonable healthcare scenario distance.

Finally, the implementation cost of EBC should not be neglected. The storage of ciphertext data copies in the blockchain has a negligible impact on the time cost of the system, since the BTDS architecture is an incremental improvement over the original healthcare cloud storage-based system. All operations take place in the background of the system and do not alter the user experience. Therefore, the primary consideration for the implementation cost of EBC lies in the key generation process when performing the CP-ABE algorithm. The DKG sub-algorithm is a distributed secure key generation protocol implemented on top of EBC, and it guarantees the ‘useable but invisible’ property of the entire CP-ABE algorithm execution. This means that no AA at risk of key leakage can have the system's master private key independently, yet they can still collaborate to generate the user's private key. During this process, the sharing of the system's public key and uploading to the blockchain consensus are performed offline during the system initialization phase, so the real-time cost of this part can be considered negligible. In the user private key generation process, each $A A_{i}$ generates user private key parameters $K_{i}^{'} K_{x_{i}}^{'}, L_{i}^{i}$ , which include the random selection of $t_{i}$ , computation of exponentiations $(g^{F (x) t_{i}}, g^{κ_{i} + α t_{i}}, g^{t_{i}})$ , and uploading of these parameters to EBC. The computational cost of each $A A_{i}$ depends on the required exponentiation and data transfer. However, since each AA node is responsible for generating a portion of the private key, the computational cost of a single AA is limited and this cost can also be considered negligible to some extent. The main cost in this section is concentrated in the Lagrangian interpolation computation of the AC ensemble and all partial private keys generated by the AAs. The time complexity of Lagrange interpolation in BTDS architecture mainly depends on the number of input points (AA nodes) and the distributed computing environment's setup. If the number of input points for Lagrange interpolation in BTDS is n, then theoretically, the time complexity of Lagrange interpolation is O(n). This is because the cost of computing each Lagrange basis function is O(1), and there are a total of n basis functions. However, BTDS operates in a distributed computing environment, where different nodes may be responsible for processing different input points. In such a scenario, each node can compute the basis functions it is responsible for in parallel, thus reducing the overall interpolation time cost. Taking everything into consideration, the cost of Lagrange interpolation in BTDS can be approximated as O(n), or even further improved through parallel computation.

Overall, when properly utilizing parallel computing to address the cost of Lagrange interpolation in distributed key generation, this paper's scheme, based on the foundation of literature [43], which incorporates distributed modular exponentiation outsourcing algorithms and distributed key generation protocols better suited for edge computing environments, performs better in terms of computational cost compared to the reference scheme. While it involves an additional computational cost for the public key to the system during the initial encryption operation, it guarantees a 100 % verification probability and significantly reduces the computational cost during the encryption verification phase, making the overall computational cost superior to the compared schemes.

7.2. Experimental analysis

Based on the theoretical analysis presented above, the proposed scheme is better suited for data trust sharing scenarios in edge computing environments in terms of functionality and computational cost. To further evaluate the practical performance of this scheme, this section conducts experiments to analyze the computational overhead on terminal devices, including the encryption time for data owners and the decryption time for data users, in comparison to the literature [43,44,57].

Experimental Environment: The experiments were conducted in a controlled environment using a Windows 10 operating system, an Intel(R) Core(TM) i5-8250U CPU @1.60 GHz 1.80 GHz processor, and 8 GB of memory. The code was developed and executed within the IntelliJ IDEA 2022 development environment, utilizing the JPBC-2.0.0 function library for implementation.

Experimental Setup: In the CP-ABE scheme, the encryption time and decryption time are influenced by the number of attributes. As this paper focuses on the application of CP-ABE in the edge computing environment, the encryption time and decryption time were specifically tested when the Data Owner (DO) and Data User (DU) were considered as terminal nodes. During the experiment, the number of attributes was gradually increased with an average increment of 10. The base value was set to 10, and the results were incremented by a factor of 10. The final experimental results were obtained by averaging the results of 10 iterations.

Fig. 3 consists of two sub-figures: sub-figure (a) shows the computational time comparison for DO during the encryption process, while sub-figure (b) presents the computational time comparison for DU during the decryption process. From Fig. 3, it can be observed that the time spent by DO during the encryption phase and DU during the decryption phase in both the literature [43,44,57] schemes and this paper's scheme does not increase with the number of attributes.

In Fig. 3 (a), it is evident that the scheme presented in literature [57] outsources all CP-ABE key generation, encryption, and decryption operations to a cloud server, resulting in significantly lower encryption costs for data owners (DO) compared to the schemes in literature [43,44] and this paper's scheme. Literature [43,44] only outsources the computationally expensive modular exponentiation and bilinear pairing operations in the CP-ABE encryption and decryption phases to a cloud server. To better adapt to edge computing environments, this paper replaces the modular exponentiation outsourcing algorithm used in literature [43,44] with the distributed modular exponentiation outsourcing algorithm proposed in literature [51]. This approach outsources the modular exponentiation and bilinear pairing operations in the CP-ABE encryption and decryption phases to edge nodes for parallel computation. Compared to the DO encryption time in the literature [43] scheme, the literature [44] scheme requires more computational time due to the increased correctness probability. However, due to the reduction in DO verification time through the use of distributed modular exponentiation outsourcing, the encryption time is lower than that of the literature [44] scheme.

From Fig. 3 (b), it is evident that literature [43] requires significantly additional time for DU during the decryption and verification phase due to the need for one computationally expensive bilinear pairing operation. Consequently, the overall decryption time for literature [43] is much higher than that of literature [44,57], and this paper's scheme. The decryption time for this paper's scheme is almost identical to that of the literature [44] scheme and considerably lower than that of literature [57].

In summary, the computational time of DO and DU in the proposed scheme does not increase with the number of attributes or the complexity of the access strategy. In this paper, our scheme achieves critical security for CP-ABE at the edge and increases the verifiability probability of the distributed modular exponentiation outsourcing algorithm to 100 %. While maintaining security, the proposed scheme keeps the efficiency of the CP-ABE algorithm within a reasonable range. Therefore, based on these experiments, it is feasible to apply the proposed scheme for trusted sharing of medical data in an edge computing environment.

8. Conclusion

In this paper, we address the issue of trustworthy medical data sharing in edge computing environments and present a blockchain-based Trustworthy Medical Data Sharing (BTDS) solution. We begin by considering the real-time demands of attribute authorization services in edge computing environments and propose a Distributed Attribute Authorization (DAA) strategy based on blockchain. To mitigate the key security concerns of CP-ABE in edge environments, we introduce a Distributed Key Generation (DKG) protocol built on blockchain. To overcome resource limitations in end-user devices, we enhance a Distributed Modular Exponentiation (DME) outsourcing algorithm and apply it to the encryption and decryption outsourcing computations in CP-ABE.

Lastly, we prove the security of the BTDS architecture under the Random Oracle Model and conduct simulation experiments. The results indicate that the computational time for DO and DU in our solution does not increase with the growth in the number of attributes or the complexity of access policies. Instead, it remains within a reasonable and lower range. In summary, the proposed BTDS architecture aligns with the initial design intent of providing fine-grained data access control for resource-constrained end-user devices in edge computing environments.

However, there are some limitations to our study. For instance, the performance of our scheme in large-scale real-world edge computing environments and how to further optimize our scheme to accommodate more complex real-world edge computing scenarios are issues worth investigating. We hope that future research will contribute more in these areas.

Nevertheless, it is important to acknowledge the limitations of our study and identify potential avenues for future research. Specifically, the performance of our scheme in large-scale edge computing environments and the optimization of our scheme to cater to more intricate edge computing scenarios warrant further investigation. We encourage future researchers to delve deeper into these areas, aiming to make significant advancements and contribute valuable insights.

Data availability statement

Data related to this study has not been deposited in a publicly available repository, but will be available upon request.

Ethics declarations

This research study does not require review and/or approval from an ethics committee because it does not involve animal experiments, human subjects, behavioral research, clinical trials, or any form of medical research.

CRediT authorship contribution statement

Gaoyuan Quan: Writing – review & editing, Writing – original draft, Validation, Methodology, Formal analysis, Data curation, Conceptualization. Zhongyuan Yao: Writing – review & editing, Validation, Supervision, Methodology, Funding acquisition, Conceptualization. Longfei Chen: Visualization, Validation, Software, Funding acquisition, Data curation. Yonghao Fang: Visualization, Software, Data curation. Weihua Zhu: Supervision, Project administration, Funding acquisition. Xueming Si: Supervision, Resources, Project administration, Funding acquisition, Conceptualization. Min Li: Writing – review & editing, Investigation.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgements

This research was funded by Major Public Welfare Project of Henan Province, grant number 201300210300; Key Science and Technology Project of Henan Province, grant number 222102210168; Open Fund of Henan Key Laboratory of Network Cryptography Technology, grant number LNCT2022- A12, LNCT2021-A14; Postgraduate Research and Innovation Project of Zhongyuan University of Technology, grant number YKY2023ZK52.

Contributor Information

Gaoyuan Quan, Email: 2021116579@zut.edu.cn.

Zhongyuan Yao, Email: yaozhongyuan@zut.edu.cn.

Longfei Chen, Email: 2021016570@zut.edu.cn.

Yonghao Fang, Email: 2021016569@zut.edu.cn.

Weihua Zhu, Email: 9773@zut.edu.cn.

Xueming Si, Email: 9770@zut.edu.cn.

Min Li, Email: 2021116578@zut.edu.cn.

References

1.Elia Rafaella, et al. A real‐world data collection framework for a fused dataset creation for joint human and remotely operated vehicle monitoring and anomalous command detection. CAAI Transactions on Intelligence Technology. 2022;7(3):432–445. [Google Scholar]
2.Liu Xianchen. Real-world data for the drug development in the digital era. Journal of Artificial Intelligence and Technology. 2022;2(2):42–46. [Google Scholar]
3.Fang Liming, et al. Privacy protection for medical data sharing in smart healthcare. ACM Trans. Multimed Comput. Commun. Appl. 2020;16(3s):1–18. [Google Scholar]
4.Yang Pan, Xiong Naixue, Ren Jingli. Data security and privacy protection for cloud storage: a survey. IEEE Access. 2020;8:131723–131740. [Google Scholar]
5.Newaz AKM Iqtidar, et al. GLOBECOM 2020-2020 IEEE Global Communications Conference. IEEE; 2020. Adversarial attacks to machine learning-based smart healthcare systems. [Google Scholar]
6.Yang Yanjiang, et al. Cloud based data sharing with fine-grained proxy re-encryption. Pervasive Mob. Comput. 2016;28:122–134. [Google Scholar]
7.Wang Mingwei, et al. Review on offloading of vehicle edge computing. J. Artific. Intell. Technol. 2022;2:132–143. [Google Scholar]
8.Li Y., Dong Z., Sha K., Jiang C., Wan J., Wang Y. TMO: time domain outsourcing attribute-based encryption scheme for data acquisition in edge computing. IEEE Access. 2019;7:40240–40257. doi: 10.1109/ACCESS.2019.2907319. [DOI] [Google Scholar]
9.Abdollahi S., Mohajeri J., Salmasizadeh M. Highly efficient and revocable CP-ABE with outsourcing decryption for IoT[C]//2021 18th international ISC conference on information security and cryptology (ISCISC) IEEE. 2021:81–88. [Google Scholar]
10.Waters B. International Workshop on Public Key Cryptography. Springer Berlin Heidelberg; Berlin, Heidelberg: 2011, March. Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization; pp. 53–70. [Google Scholar]
11.Gao H., Ma Z., Luo S., Xu Y., Wu Z. BSSPD: a blockchain-based security sharing scheme for personal data with fine-grained access control. Wireless Commun. Mobile Comput. 2021;2021:1–20. [Google Scholar]
12.Namasudra Suyel, Sharma Pratima Achieving a decentralized and secure cab sharing system using blockchain technology. IEEE Trans. Intell. Transport. Syst. 2022;99:1–10. [Google Scholar]
13.Yan L., Ge L., Wang Z., et al. Access control scheme based on blockchain and attribute-based searchable encryption in cloud environment. J. Cloud Comput. 2023;12:61. doi: 10.1186/s13677-023-00444-4. [DOI] [Google Scholar]
14.Liu Xiaoguang, et al. A blockchain-based medical data sharing and protection scheme. IEEE Access. 2019;7:118943–118953. [Google Scholar]
15.Jaiman Vikas, Urovi Visara. A consent model for blockchain-based health data sharing platforms. IEEE Access. 2020;8:143734–143745. [Google Scholar]
16.Sharma Pratima, et al. EHDHE: enhancing security of healthcare documents in IoT-enabled digital healthcare ecosystems using blockchain. Inf. Sci. 2023;629:703–718. [Google Scholar]
17.Sharma Pratima, et al. Blockchain-based privacy preservation for IoT-enabled healthcare system. ACM Trans. Sens. Netw. 2023;19(3):1–17. [Google Scholar]
18.Zou Renpeng, Lv Xixiang, Zhao Jingsong. SPChain: blockchain-based medical data sharing and privacy-preserving eHealth system. Inf. Process. Manag. 2021;58(4) [Google Scholar]
19.Abdellatif Alaa Awad, et al. Medge-chain: leveraging edge computing and blockchain for efficient medical data exchange. IEEE Internet Things J. 2021;8(21):15762–15775. [Google Scholar]
20.Akkaoui Raifa, Hei Xiaojun, Cheng Wenqing. EdgeMediChain: a hybrid edge blockchain-based framework for health data exchange. IEEE Access. 2020;8:113467–113486. [Google Scholar]
21.Li X., Liu T., Obaidat M.S., Wu F., Vijayakumar P., Kumar N. A lightweight privacy-preserving authentication protocol for VANETs. IEEE Syst. J. 2020;14(3):3547–3557. [Google Scholar]
22.Cao K., Liu Y., Meng G., Sun Q. An overview on edge computing research. IEEE Access. 2020;8:85714–85728. [Google Scholar]
23.Alshehri M., Panda B., Almakdi S., Alazeb A., Halawani H., Al Mudawi N., Khan R.U. A novel blockchain-based encryption model to protect fog nodes from behaviors of malicious nodes. Electronics. 2021;10(24):3135. [Google Scholar]
24.Abdullayeva Fargana J. Internet of Things‐based healthcare system on patient demographic data in Health 4.0. CAAI Transactions on Intelligence Technology. 2022;7(4):644–657. [Google Scholar]
25.Odelu Vanga, et al. Expressive CP-ABE scheme for mobile devices in IoT satisfying constant-size keys and ciphertexts. IEEE Access. 2017;5:3273–3283. [Google Scholar]
26.Jiang Y., Susilo W., Mu Y., Guo F. Ciphertext-policy attribute-based encryption against key-delegation abuse in fog computing. Future Generat. Comput. Syst. 2018;78:720–729. [Google Scholar]
27.Wang H., Zheng Z., Wu L., Wang Y. Adaptively secure outsourcing ciphertext-policy attribute-based encryption. J. Comput. Res. Dev. 2015;52(10):2270–2280. [Google Scholar]
28.Li Q., Ma J.F., Xiong J.B., Liu X.M., Ma J. An adaptively secure multi-authority ciphertext-policy ABE scheme on prime order groups. ACTA ELECTONICA SINICA. 2014;42(4):696. [Google Scholar]
29.Li J., Fan Y., Bian X., Yuan Q. Online/offline MA-CP-ABE with cryptographic reverse firewalls for IoT. Entropy. 2023;25(4):616. doi: 10.3390/e25040616. [DOI] [PMC free article] [PubMed] [Google Scholar]
30.Priya Remamany K., Maheswari K., Ramesh Babu Durai C., Anushkannan N.K., Victoria D.R.S., Ben Othman M.T., Hamdi M., Hamam H. A localized Bloom filter-based CP-ABE in smart healthcare. Appl. Sci. 2022;12(24) [Google Scholar]
31.Cheng F., Ji S., Lai C.F. Efficient CP-ABE scheme resistant to key leakage for secure cloud-fog computing. J. Internet Technol. 2022;23(7):1461–1471. [Google Scholar]
32.Deng Yuli, et al. Problem-Based cybersecurity lab with knowledge graph as guidance. Journal of Artificial Intelligence and Technology. 2021;2:55–61. [Google Scholar]
33.Hooshmand Mohammad Kazim, Hosahalli Doreswamy. Network anomaly detection using deep learning techniques. CAAI Transactions on Intelligence Technology. 2022;7(2):228–243. [Google Scholar]
34.Yang H.K., Feng C.S., Jin Y.X., Wang L., Luo W.P., Deng H.H. ACP-ABE scheme with verifiable outsourced encryption and decryption. ACTA ELECTONICA SINICA. 2020;48(8):1545. [Google Scholar]
35.Sethi Kamalakanta, Pradhan Ankit, Bera Padmalochan. Practical traceable multi-authority CP-ABE with outsourcing decryption and access policy updation. J. Inf. Secur. Appl. 2020;51 [Google Scholar]
36.Zhao K.Q., Kang P., Liu B., Guo Z., Feng C.S., Qing Y. A CP-ABE scheme with cloud proxy Re-encryption. ACTA ELECTONICA SINICA. 2023;51(3):728. [Google Scholar]
37.Premkamal Praveen Kumar, Kumar Pasupuleti Syam, Alphonse P.J.A. Dynamic traceable CP‐ABE with revocation for outsourced big data in cloud storage. Int. J. Commun. Syst. 2021;34(2) [Google Scholar]
38.Jiangtao D.O.N.G., Peiwen Y.A.N., Ruizhong D.U. Verifiable access control scheme based on unpaired CP-ABE in fog computing. J. Commun. 2021;42(8):139–150. [Google Scholar]
39.Zou L.P., Feng C.S., Oin Z.G., Yuan D., Luo W.P., Li M. CP-ABE scheme with fast decryption for public cloud. RuanJian Xue Bao/Journal of Software. 2020;31(6):1817–1828. http://www.jos.org.cn/1000-9825/5704.htm (in Chinese) [Google Scholar]
40.Touati L., Challal Y., Bouabdallah A. IEEE; 2014. C-cp-abe: Cooperative Ciphertext Policy Attribute-Based Encryption for the Internet of things[C]//2014 International Conference on Advanced Networking Distributed Systems and Applications; pp. 64–69. [Google Scholar]
41.Kiraz M.S., Uzunkol O. Efficient and verifiable algorithms for secure outsourcing of cryptographic computations. Int. J. Inf. Secur. 2016;15:519–537. [Google Scholar]
42.Moffat S., Hammoudeh M., Hegarty R. 2017. A Survey on Ciphertext-Policy Attribute-Based Encryption (CP-ABE) Approaches to Data Security on Mobile Devices and its Application to IoT[C]//Proceedings of the International Conference on Future Networks and Distributed Systems. [Google Scholar]
43.Li Z., Li W., Jin Z., Zhang H., Wen Q. An efficient ABE scheme with verifiable outsourced encryption and decryption. IEEE Access. 2019;7:29023–29037. [Google Scholar]
44.Yan X.X., He G.H., Yu J.X. Secure and verifiable outsourced ciphertext policy attribute-based encryption. Journal of Cryptologic Research. 2020;7(5):628–642. doi: 10.13868/j.cnki.jcr.000395. [DOI] [Google Scholar]
45.Huang Haijun, et al. A traceable and verifiable CP-ABE scheme with blockchain in VANET. J. Supercomput. 2023:1–25. [Google Scholar]
46.Liu, Jianwei, et al. “Space-Air-Ground Integrated Network Security 9819911249, 9789819911240.” Ebin.pub, 25 June 406AD, ebin.pub/space-air-ground-integrated-network-security-9819911249-9789819911240.html. Accessed 3 November. 2023.
47.Zhou W., Wang H., Mohiuddin G., Chen D., Ren Y. Consensus mechanism of blockchain based on por with data deduplication. Intelligent Automation & Soft Computing. 2022;34(3):1473–1488. [Google Scholar]
48.Chen L., Yao Z., Si X., Zhang Q. Three-stage cross-chain protocol based on notary group. Electronics. 2023;12:2804. doi: 10.3390/electronics12132804. [DOI] [Google Scholar]
49.Liu Z., Pang H., Li Y., Li S. 2021 International Conference on Computer, Blockchain and Financial Development. CBFD); Nanjing, China: 2021. "Research on distributed energy network transaction model based on blockchain,"; pp. 311–314. [DOI] [Google Scholar]
50.Shao Q.F., Jin C.Q., Zhang Z., et al. Blockchain: architecture and research progress. Chin. J. Comput. 2018;41(5):969–988. [Google Scholar]
51.Li H., Yu J., Zhang H., et al. Privacy-preserving and distributed algorithms for modular exponentiation in IoT with edge computing assistance. IEEE Internet Things J. 2020;7(9):8769–8779. [Google Scholar]
52.Luo Sheng. User privacy protection scheme based on verifiable outsourcing attribute-based encryption. Secur. Commun. Network. 2021;2021 doi: 10.1155/2021/6617669. Article ID 6617669, 11 pages. [DOI] [Google Scholar]
53.Li H., Yu J., Zhang H., Yang M., Wang H. Privacy-Preserving and distributed algorithms for modular exponentiation in IoT with edge computing assistance. IEEE Internet Things J. Sept. 2020;7(9):8769–8779. doi: 10.1109/JIOT.2020.2995677. [DOI] [Google Scholar]
54.Lei X.F., Xie K.Q., Lin F., Xia Z.Y. An efficient clustering algorithm based on local optimality of K-Means. Journal of Software. 2008;19(7):1683–1692. http://www.jos.org.cn/1000-9825/19/1683.htm [Google Scholar]
55.Zhang F., Wang Y. Distributed key generation based on generalized verifiable secret sharing. ACTA ELECTONICA SINICA. 2003;31(4):580. [Google Scholar]
56.Green M., Hohenberger S., Waters B. vol. 11. USENIX Security; 2011. Outsourcing the decryption of {ABE} ciphertexts. (20th USENIX Security Symposium). [Google Scholar]
57.Zhao Z.Y., Wang J.H., Xu K., et al. Fully outsourced attribute-based encryption with verifiability for cloud storage. J. Comput. Res. Dev. 2019;56(2):442–452. [Google Scholar]
58.Belguith Sana, et al. Phoabe: securely outsourcing multi-authority attribute based encryption with policy hidden for cloud assisted iot. Comput. Network. 2018;133:141–156. [Google Scholar]

Associated Data

This section collects any data citations, data availability statements, or supplementary materials included in this article.

Data Availability Statement

Data related to this study has not been deposited in a publicly available repository, but will be available upon request.

[bib46] 1.Elia Rafaella, et al. A real‐world data collection framework for a fused dataset creation for joint human and remotely operated vehicle monitoring and anomalous command detection. CAAI Transactions on Intelligence Technology. 2022;7(3):432–445. [Google Scholar]

[bib47] 2.Liu Xianchen. Real-world data for the drug development in the digital era. Journal of Artificial Intelligence and Technology. 2022;2(2):42–46. [Google Scholar]

[bib33] 3.Fang Liming, et al. Privacy protection for medical data sharing in smart healthcare. ACM Trans. Multimed Comput. Commun. Appl. 2020;16(3s):1–18. [Google Scholar]

[bib34] 4.Yang Pan, Xiong Naixue, Ren Jingli. Data security and privacy protection for cloud storage: a survey. IEEE Access. 2020;8:131723–131740. [Google Scholar]

[bib35] 5.Newaz AKM Iqtidar, et al. GLOBECOM 2020-2020 IEEE Global Communications Conference. IEEE; 2020. Adversarial attacks to machine learning-based smart healthcare systems. [Google Scholar]

[bib42] 6.Yang Yanjiang, et al. Cloud based data sharing with fine-grained proxy re-encryption. Pervasive Mob. Comput. 2016;28:122–134. [Google Scholar]

[bib45] 7.Wang Mingwei, et al. Review on offloading of vehicle edge computing. J. Artific. Intell. Technol. 2022;2:132–143. [Google Scholar]

[bib57] 8.Li Y., Dong Z., Sha K., Jiang C., Wan J., Wang Y. TMO: time domain outsourcing attribute-based encryption scheme for data acquisition in edge computing. IEEE Access. 2019;7:40240–40257. doi: 10.1109/ACCESS.2019.2907319. [DOI] [Google Scholar]

[bib58] 9.Abdollahi S., Mohajeri J., Salmasizadeh M. Highly efficient and revocable CP-ABE with outsourcing decryption for IoT[C]//2021 18th international ISC conference on information security and cryptology (ISCISC) IEEE. 2021:81–88. [Google Scholar]

[bib1] 10.Waters B. International Workshop on Public Key Cryptography. Springer Berlin Heidelberg; Berlin, Heidelberg: 2011, March. Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization; pp. 53–70. [Google Scholar]

[bib2] 11.Gao H., Ma Z., Luo S., Xu Y., Wu Z. BSSPD: a blockchain-based security sharing scheme for personal data with fine-grained access control. Wireless Commun. Mobile Comput. 2021;2021:1–20. [Google Scholar]

[bib43] 12.Namasudra Suyel, Sharma Pratima Achieving a decentralized and secure cab sharing system using blockchain technology. IEEE Trans. Intell. Transport. Syst. 2022;99:1–10. [Google Scholar]

[bib55] 13.Yan L., Ge L., Wang Z., et al. Access control scheme based on blockchain and attribute-based searchable encryption in cloud environment. J. Cloud Comput. 2023;12:61. doi: 10.1186/s13677-023-00444-4. [DOI] [Google Scholar]

[bib36] 14.Liu Xiaoguang, et al. A blockchain-based medical data sharing and protection scheme. IEEE Access. 2019;7:118943–118953. [Google Scholar]

[bib37] 15.Jaiman Vikas, Urovi Visara. A consent model for blockchain-based health data sharing platforms. IEEE Access. 2020;8:143734–143745. [Google Scholar]

[bib29] 16.Sharma Pratima, et al. EHDHE: enhancing security of healthcare documents in IoT-enabled digital healthcare ecosystems using blockchain. Inf. Sci. 2023;629:703–718. [Google Scholar]

[bib30] 17.Sharma Pratima, et al. Blockchain-based privacy preservation for IoT-enabled healthcare system. ACM Trans. Sens. Netw. 2023;19(3):1–17. [Google Scholar]

[bib38] 18.Zou Renpeng, Lv Xixiang, Zhao Jingsong. SPChain: blockchain-based medical data sharing and privacy-preserving eHealth system. Inf. Process. Manag. 2021;58(4) [Google Scholar]

[bib31] 19.Abdellatif Alaa Awad, et al. Medge-chain: leveraging edge computing and blockchain for efficient medical data exchange. IEEE Internet Things J. 2021;8(21):15762–15775. [Google Scholar]

[bib32] 20.Akkaoui Raifa, Hei Xiaojun, Cheng Wenqing. EdgeMediChain: a hybrid edge blockchain-based framework for health data exchange. IEEE Access. 2020;8:113467–113486. [Google Scholar]

[bib3] 21.Li X., Liu T., Obaidat M.S., Wu F., Vijayakumar P., Kumar N. A lightweight privacy-preserving authentication protocol for VANETs. IEEE Syst. J. 2020;14(3):3547–3557. [Google Scholar]

[bib4] 22.Cao K., Liu Y., Meng G., Sun Q. An overview on edge computing research. IEEE Access. 2020;8:85714–85728. [Google Scholar]

[bib5] 23.Alshehri M., Panda B., Almakdi S., Alazeb A., Halawani H., Al Mudawi N., Khan R.U. A novel blockchain-based encryption model to protect fog nodes from behaviors of malicious nodes. Electronics. 2021;10(24):3135. [Google Scholar]

[bib44] 24.Abdullayeva Fargana J. Internet of Things‐based healthcare system on patient demographic data in Health 4.0. CAAI Transactions on Intelligence Technology. 2022;7(4):644–657. [Google Scholar]

[bib6] 25.Odelu Vanga, et al. Expressive CP-ABE scheme for mobile devices in IoT satisfying constant-size keys and ciphertexts. IEEE Access. 2017;5:3273–3283. [Google Scholar]

[bib7] 26.Jiang Y., Susilo W., Mu Y., Guo F. Ciphertext-policy attribute-based encryption against key-delegation abuse in fog computing. Future Generat. Comput. Syst. 2018;78:720–729. [Google Scholar]

[bib8] 27.Wang H., Zheng Z., Wu L., Wang Y. Adaptively secure outsourcing ciphertext-policy attribute-based encryption. J. Comput. Res. Dev. 2015;52(10):2270–2280. [Google Scholar]

[bib9] 28.Li Q., Ma J.F., Xiong J.B., Liu X.M., Ma J. An adaptively secure multi-authority ciphertext-policy ABE scheme on prime order groups. ACTA ELECTONICA SINICA. 2014;42(4):696. [Google Scholar]

[bib10] 29.Li J., Fan Y., Bian X., Yuan Q. Online/offline MA-CP-ABE with cryptographic reverse firewalls for IoT. Entropy. 2023;25(4):616. doi: 10.3390/e25040616. [DOI] [PMC free article] [PubMed] [Google Scholar]

[bib11] 30.Priya Remamany K., Maheswari K., Ramesh Babu Durai C., Anushkannan N.K., Victoria D.R.S., Ben Othman M.T., Hamdi M., Hamam H. A localized Bloom filter-based CP-ABE in smart healthcare. Appl. Sci. 2022;12(24) [Google Scholar]

[bib12] 31.Cheng F., Ji S., Lai C.F. Efficient CP-ABE scheme resistant to key leakage for secure cloud-fog computing. J. Internet Technol. 2022;23(7):1461–1471. [Google Scholar]

[bib48] 32.Deng Yuli, et al. Problem-Based cybersecurity lab with knowledge graph as guidance. Journal of Artificial Intelligence and Technology. 2021;2:55–61. [Google Scholar]

[bib49] 33.Hooshmand Mohammad Kazim, Hosahalli Doreswamy. Network anomaly detection using deep learning techniques. CAAI Transactions on Intelligence Technology. 2022;7(2):228–243. [Google Scholar]

[bib13] 34.Yang H.K., Feng C.S., Jin Y.X., Wang L., Luo W.P., Deng H.H. ACP-ABE scheme with verifiable outsourced encryption and decryption. ACTA ELECTONICA SINICA. 2020;48(8):1545. [Google Scholar]

[bib14] 35.Sethi Kamalakanta, Pradhan Ankit, Bera Padmalochan. Practical traceable multi-authority CP-ABE with outsourcing decryption and access policy updation. J. Inf. Secur. Appl. 2020;51 [Google Scholar]

[bib15] 36.Zhao K.Q., Kang P., Liu B., Guo Z., Feng C.S., Qing Y. A CP-ABE scheme with cloud proxy Re-encryption. ACTA ELECTONICA SINICA. 2023;51(3):728. [Google Scholar]

[bib16] 37.Premkamal Praveen Kumar, Kumar Pasupuleti Syam, Alphonse P.J.A. Dynamic traceable CP‐ABE with revocation for outsourced big data in cloud storage. Int. J. Commun. Syst. 2021;34(2) [Google Scholar]

[bib17] 38.Jiangtao D.O.N.G., Peiwen Y.A.N., Ruizhong D.U. Verifiable access control scheme based on unpaired CP-ABE in fog computing. J. Commun. 2021;42(8):139–150. [Google Scholar]

[bib18] 39.Zou L.P., Feng C.S., Oin Z.G., Yuan D., Luo W.P., Li M. CP-ABE scheme with fast decryption for public cloud. RuanJian Xue Bao/Journal of Software. 2020;31(6):1817–1828. http://www.jos.org.cn/1000-9825/5704.htm (in Chinese) [Google Scholar]

[bib19] 40.Touati L., Challal Y., Bouabdallah A. IEEE; 2014. C-cp-abe: Cooperative Ciphertext Policy Attribute-Based Encryption for the Internet of things[C]//2014 International Conference on Advanced Networking Distributed Systems and Applications; pp. 64–69. [Google Scholar]

[bib20] 41.Kiraz M.S., Uzunkol O. Efficient and verifiable algorithms for secure outsourcing of cryptographic computations. Int. J. Inf. Secur. 2016;15:519–537. [Google Scholar]

[bib21] 42.Moffat S., Hammoudeh M., Hegarty R. 2017. A Survey on Ciphertext-Policy Attribute-Based Encryption (CP-ABE) Approaches to Data Security on Mobile Devices and its Application to IoT[C]//Proceedings of the International Conference on Future Networks and Distributed Systems. [Google Scholar]

[bib22] 43.Li Z., Li W., Jin Z., Zhang H., Wen Q. An efficient ABE scheme with verifiable outsourced encryption and decryption. IEEE Access. 2019;7:29023–29037. [Google Scholar]

[bib23] 44.Yan X.X., He G.H., Yu J.X. Secure and verifiable outsourced ciphertext policy attribute-based encryption. Journal of Cryptologic Research. 2020;7(5):628–642. doi: 10.13868/j.cnki.jcr.000395. [DOI] [Google Scholar]

[bib24] 45.Huang Haijun, et al. A traceable and verifiable CP-ABE scheme with blockchain in VANET. J. Supercomput. 2023:1–25. [Google Scholar]

[bib53] 46.Liu, Jianwei, et al. “Space-Air-Ground Integrated Network Security 9819911249, 9789819911240.” Ebin.pub, 25 June 406AD, ebin.pub/space-air-ground-integrated-network-security-9819911249-9789819911240.html. Accessed 3 November. 2023.

[bib50] 47.Zhou W., Wang H., Mohiuddin G., Chen D., Ren Y. Consensus mechanism of blockchain based on por with data deduplication. Intelligent Automation & Soft Computing. 2022;34(3):1473–1488. [Google Scholar]

[bib51] 48.Chen L., Yao Z., Si X., Zhang Q. Three-stage cross-chain protocol based on notary group. Electronics. 2023;12:2804. doi: 10.3390/electronics12132804. [DOI] [Google Scholar]

[bib52] 49.Liu Z., Pang H., Li Y., Li S. 2021 International Conference on Computer, Blockchain and Financial Development. CBFD); Nanjing, China: 2021. "Research on distributed energy network transaction model based on blockchain,"; pp. 311–314. [DOI] [Google Scholar]

[bib25] 50.Shao Q.F., Jin C.Q., Zhang Z., et al. Blockchain: architecture and research progress. Chin. J. Comput. 2018;41(5):969–988. [Google Scholar]

[bib26] 51.Li H., Yu J., Zhang H., et al. Privacy-preserving and distributed algorithms for modular exponentiation in IoT with edge computing assistance. IEEE Internet Things J. 2020;7(9):8769–8779. [Google Scholar]

[bib54] 52.Luo Sheng. User privacy protection scheme based on verifiable outsourcing attribute-based encryption. Secur. Commun. Network. 2021;2021 doi: 10.1155/2021/6617669. Article ID 6617669, 11 pages. [DOI] [Google Scholar]

[bib56] 53.Li H., Yu J., Zhang H., Yang M., Wang H. Privacy-Preserving and distributed algorithms for modular exponentiation in IoT with edge computing assistance. IEEE Internet Things J. Sept. 2020;7(9):8769–8779. doi: 10.1109/JIOT.2020.2995677. [DOI] [Google Scholar]

[bib27] 54.Lei X.F., Xie K.Q., Lin F., Xia Z.Y. An efficient clustering algorithm based on local optimality of K-Means. Journal of Software. 2008;19(7):1683–1692. http://www.jos.org.cn/1000-9825/19/1683.htm [Google Scholar]

[bib28] 55.Zhang F., Wang Y. Distributed key generation based on generalized verifiable secret sharing. ACTA ELECTONICA SINICA. 2003;31(4):580. [Google Scholar]

[bib39] 56.Green M., Hohenberger S., Waters B. vol. 11. USENIX Security; 2011. Outsourcing the decryption of {ABE} ciphertexts. (20th USENIX Security Symposium). [Google Scholar]

[bib41] 57.Zhao Z.Y., Wang J.H., Xu K., et al. Fully outsourced attribute-based encryption with verifiability for cloud storage. J. Comput. Res. Dev. 2019;56(2):442–452. [Google Scholar]

[bib40] 58.Belguith Sana, et al. Phoabe: securely outsourcing multi-authority attribute based encryption with policy hidden for cloud assisted iot. Comput. Network. 2018;133:141–156. [Google Scholar]

PERMALINK

A trusted medical data sharing framework for edge computing leveraging blockchain and outsourced computation

Gaoyuan Quan

Zhongyuan Yao

Longfei Chen

Yonghao Fang

Weihua Zhu

Xueming Si

Min Li

Abstract

1. Introduction

2. Related work

2.1. Medical data sharing based on blockchain

2.2. Data sharing in edge computing environments based on CP-ABE

3. Preliminary knowledge

Table 1.

3.1. Bilinear mappings

3.2. LSSS

3.3. Blockchain

3.4. DBDHE

3.5. Edge computing Outsourcing Framework

4. Methodology

4.1. System architecture

Fig. 1.

4.2. Formal definition of main algorithm: CP-ABE

4.3. Security model

5. Concrete scheme

5.1. Medical Institution Alliance Edge Blockchain

Fig. 2.

5.2. Sub-algorithm DAA: distributed attribute authorization strategy

Table 2.

Table 3.

Table 4.

Table 5.

5.3. Sub-algorithm DKG: distributed key generation protocol based on blockchain

5.4. Sub-algorithm DME: distributed modular exponentiation outsourcing algorithm based on blockchain

5.5. Main algorithm: blockchain-based CP-ABE with multi-attribute authority center

6. Proof of correctness and security

6.1. Proof of correctness

Theorem 1

Theorem 2

6.2. Security proof

Theorem 3

Theorem 4

Theorem 5

7. Simulation experiment and performance analysis

7.1. Comparison of schemes

Table 6.

Table 7.

7.2. Experimental analysis

Fig. 3.

8. Conclusion

Data availability statement

Ethics declarations

CRediT authorship contribution statement

Declaration of competing interest

Acknowledgements

Contributor Information

References

Associated Data

Data Availability Statement

ACTIONS

PERMALINK

RESOURCES

Similar articles

Cited by other articles

Links to NCBI Databases