A revocable attribute-based encryption EHR sharing scheme with multiple authorities in blockchain

Abstract

With the development of digital healthcare, sharing electronic medical record data has become an indispensable part of improving medical conditions. Aiming at the centralized power caused by the single attribute authority in current CP-ABE schemes and the problem that cloud servers are curious and even malicious, we design a revocable CP-ABE EHR sharing scheme with multiple authorities (MA-RABE) in blockchain. In this solution, a group of authorities complete user attribute distribution, key generation and user management through secret sharing and transactions. Besides, we innovatively implemented a distributed one-way anonymous key agreement so that other participants cannot obtain useful information from the fully hidden policy embedded in the ciphertext. Taking into account the computational overhead of a large number of bilinear operations in the decryption process, the solution also supports the cloud server to pre-decrypt the ciphertext, and the data user only needs to perform exponentiation operation once to obtain the plaintext from the pre-decryption result. Theoretical analysis and performance evaluation show that the scheme has reliable security and lower user revocation and ciphertext update overhead.

Introduction

To better trace the health conditions of patients, Electronic Health Record (EHR) emerged, which greatly improved the level of public healthcare management [1]. Massive studies have shown that analyzing and studying a large amount of timely EHR data can respond to public health emergencies such as the current COVID-19 pandemic [2] and provide a basis for public health decision-making.

When patients go to the hospital, they need to share their health records and medical histories with the doctor. Besides, the patients can contribute their medical data to medical research institutions under their will. Therefore, sharing medical data is an essential step to improve the quality of healthcare providers and make the healthcare system smarter [3]. However, the EHR management systems maintained independently by healthcare providers have led to the lack of interoperability among stakeholders [4], causing a waste of medical resources during hierarchical referrals, sothat patients undoubtedly lose control of their own EHR. Moreover, this EHR management model lacks transparency and is vulnerable to single points of failure, internal leakage and phishing attacks [5].

In addition, the security and privacy of EHR data have also attracted widespread attention and research in academia. Security here mainly refers to confidentiality, because EHR contains a large amount of critical and highly private patient information, including physiological information, medical history and even personal information [6]. Therefore, EHR must not be stored in the third party in plaintext, and only EHR owners and authorized users can access EHR. To achieve privacy protection, even if the EHR is stored in ciphertext, the relevant access policy must not disclose the personal information of participants during the sharing.

Aiming at the security, privacy and interoperability of EHR data, the traditional symmetric encryption technology can protect the confidentiality of EHR data, but it is difficult to meet the requirement for flexibility of EHR data sharing [7]. The novel attribute-based encryption (ABE) technology has better flexibility and fine-graininess and has become a promising solution for sharing EHR [8].

Technically speaking, ABE can be divided into two types: ciphertext policy attribute-based encryption (CP-ABE) and key policy attribute-based encryption (KP-ABE) [9]. KP-ABE embeds the access policy into the decryption key of Data User(DU) and embeds a set of attributes into the ciphertext. In CP-ABE, DU’s decryption key corresponds to a set of attributes, and the ciphertext in the cloud server is associated with an access policy. Only DU, whose attributes satisfy the access structure, can decrypt the ciphertext associated with the access structure. Both ABE schemes implement fine-grained access control through access structure customization and attribute management [10]. However, KP-ABE is more suitable for static access scenarios, such as paid streaming video websites and log encryption management. These scenarios hardly change the attributes associated with ciphertext. In dynamic access scenarios, specially EHR sharing scenarios, the attributes of EHR accessors are generally stable, and the EHR owner needs to change access policies embedded in ciphertext according to the access scenarios. Obviously, CP-ABE can better solve the interoperability problem between stakeholders since it allows Data Owner (DO) to customize a fine-grained access structure for data to decide who can access them. Therefore, CP-ABE is considered to be an ideal solution for securely sharing EHR in the public cloud [11].

However, there are some problems existing in the original CP-ABE [12, 13], the access policy embedded in the ciphertext is publicly accessible. If the data sharing scheme directly utilizes this type of explicit access policy, then the sensitive personal information of DU and DO will be indirectly derived [7]. Moreover, CP-ABE uses massive bilinear calculations in the encryption and decryption process, which consumes expensive time and storage resources and limits the application scenarios of CP-ABE [14, 15].

Besides, in most CP-ABE schemes, a single Attribute Authority (AA) manages the distribution and revocation of all attributes. Such schemes are vulnerable to a single point of failure and further affect the availability of attribute management. Due to the centralized power, the malicious authority even abuses the private key and distributes the attribute key to illegal users, resulting in unauthorized access to data [16, 17]. Although there have been some multi-AA schemes where the attribute universe is divided into multiple management domains, and each AA manages a disjoint attribute set. However, it causes the trust problem between management domains and does not fundamentally solve the single point of failure [18].

Fortunately, the emerging blockchain technology can ensure the integrity and immutability of data, so that operations on the blockchain can be recorded openly and transparently in the form of transactions. Therefore, the blockchain is expected to solve the trust crisis among the stakeholders and effectively improve the interaction and collaboration of the healthcare industry [3]. We can utilize the blockchain to avoid the problem of centralized power in CP-ABE and provide a new paradigm for health information exchange (HIE) [19].

To solve the above challenges faced by CP-ABE, avoid the centralized power caused by single AA, and ensure the reliable authorization of users and the secure sharing of data, we propose a secure Revocable ABE scheme with Multiple Authorities (MA-RABE) in blockchain. Specifically, the main contributions of our proposed scheme MA-RABE are summarized as follows:

1. Decentralized power. To prevent the abuse of private keys and single points of failure caused by a single AA, we deploy the entire scheme in blockchain. A group of attribute authorities (hereinafter referred to as AAs) through secret sharing jointly collaborate to generate global parameters, distribute keys and manage users.

2. Fully Hidden policy. The rows of the share-generating matrix are replaced by implicit bilinear mappings about the attributes. Only the attribute recover key owner can calculate which rows of the matrix the attribute corresponds to through the one-way anonymous key agreement. And AAs complete the secret distribution process of the attribute obfuscation key under the decentralized setting.

3. Efficient user management and key update. The AAs manage the legal users through the user binary tree, and the concrete operations include registration, revocation and rejoining. After the legal user set is changed, the AAs will generate the key update message for the minimum covered node set for the legal user to achieve a low key update overhead. Thus only the user with a node in minimum covered node set on the path to the root node can generate the pre-decryption key.

4. Pre-decryption of ciphertext. CSP can calculate the pre-decryption key against the node key and KU stored in the blockchain, and pre-decrypt the ciphertext to obtain the intermediate ciphertext. The DU only needs to perform one exponentiation on the intermediate ciphertext to obtain the plaintext.

The rest of the paper is organized as follows. We introduce the work related to the EHR sharing scheme in Sect. 2. We explain some preliminaries about encryption primitives and the technologies used in Sect. 3. Next, we describe the program model, scheme definition and security model in Sect. 4. Section 5 talks about the scheme construction in detail. Security analysis and performance evaluation of the scheme are presented in Sects. 6 and 7 respectively. Finally, we summarize the proposed scheme in Sect. 8.

Related work

CP-ABE is a promising data sharing solution. With the increased requirements in data privacy and application scenario variety, CP-ABE has also been improved to extend more functions, such as user revocation and computation outsourcing. The related work is as follows.

Multiple attribute authorities

The construction of the original multi-AA scheme [12] is still based on a trusted central authority (CA) and a global identifier (GID). The CA in the scheme can even decrypt each ciphertext. Chase and Chow [13] delete the trusted CA and achieve privacy protection by preventing CA from collecting information from specific users. Li et al. [17] implemented a multi-AA CP-ABE scheme TMACS for public cloud storage by using (t, n) threshold secret sharing. Any t AAs can generate the secret key for the legitimate user. And as long as less than t AAs are compromised, TMACS can guarantee security. Unfortunately, the scheme did not implement user revocation and outsourcing computation. Zhong et al. [20] proposed a decentralized multi-authority CP-ABE access control scheme. Each AA can independently publish attributes in its management domain. It realizes user revocation by only distributing version keys to legitimate users. The obfuscated access policy is designed in LSSS to protect the policy privacy. But due to each AA still manages disjoint attribute sets independently, it still cannot overcome the single-point bottleneck. Similarly, Sarma et al. [21] proposed a multi-authority scheme MACFI, in which each AA is an independent organization. Each AA manages a set of disjoint attributes, and the AA assigns the corresponding attributes to the user after verifying the user’s role. To reduce the communication overhead on the user side, Qin et al. [22] proposed a blockchain-based access control scheme BMAC, which leverages consortium blockchain to establish trust between multiple AAs. BMAC also introduces Shamir secret sharing to achieve cross-domain management of attribute tokens. Each attribute is jointly managed by multiple authorities, thus avoiding a single point of failure.

Policy privacy

Given the privacy leakage caused by partially hiding the attribute value in the access policy, Ramu [23] proposed a secure cloud framework by combining a modified CP-ABE and attribute bloom filter (ABF), which realizes the attribute hidden entirely. Similarly, Hao et al. [7] designed a fuzzy attribute positioning mechanism based on the garbled bloom filter to prevent unauthorized users from obtaining valuable attribute information. To avoid the abuse of the private key, Wu et al. [24] utilized blockchain technology to ensure the integrity and non-repudiation of the data and proposed an ABF-based and privacy-preserving traceable CP-ABE scheme. Fan et al. [25] realized the anonymization of attributes by adopting the one-way anonymous key agreement [26], where attributes are verifiable and anonymous. Besides, verifiable outsourcing decryption in edge is introduced to reduce the computing overhead on the user side. By exploiting hidden vector encryption, Zhang et al. [27] achieved complete policy hiding, where DU obtains the minimum authorized sets of $(M,\rho )$ instead of the entire $(M,\rho )$. Yang et al. [28] designed an authorization method based on the Private Set Intersection, which can completely hide the policy by calculating the intersection of the user’s attribute set and the policy’s attribute set.

User revocation

To strengthen the system security and meet the application requirements in resource-constrained scenarios, Wei et al. [29] proposed a revocable hierarchical scheme RS-HABE, which expanded user revocation, secret key delegation and ciphertext update to the original ABE. Xiong et al. [30] designed a traceable CP-ABE scheme that employed outsourcing decryption to minimize the computing overhead on the user side. When encrypting data, the data owner needs to embed the user ID set and access policy into ciphertext. Only DU satisfies both two restrictions, the ciphertext can be decrypted, which yet runs counter to fuzzy encryption. Zheng et al. [31] proposed a cloud-assisted user revocation data sharing scheme to protect IoT data. It maintains effective sharing and user revocation but does not take into account the privacy leakage caused by unprocessed policies. Liu et al. [32] proposed a searchable ABE scheme BC-SABE that supports user revocation and outsourcing decryption, in which the blockchain replaces the centralized server. A group of AAs completes the generation of public parameters, key management and user revocation on the blockchain. However, this solution also has the problem of privacy leakage of unprocessed policies. Besides, Guo et al. [33] designed a user revocation mechanism using the chameleon hash function. To resist the collusion attack between the revoked users and the malicious users, Zhang et al. [34] set a group manager to assign a certificate for each user and embed the certificate into the user’s secret key. While implementing revocable user management, the scheme TR-TABE [35] can achieve white-box traceability without maintaining a user list.

In general, the above solutions cannot take into account full policy hiding, thorough decentralization, and efficient outsourcing of pre-decryption. However, our proposed MA-RABE achieves the above functions perfectly. In addition, MA-RABE can implement a complete user management process, including user revocation and rejoining.

Preliminaries

In this section, we give a review of some preliminaries to better understand the proposed scheme.

Bilinear maps

Definition 1

Let $\mathbb{G}$ and ${\mathbb{G}}_t$ be two multiplicative cyclic groups of prime order p, where g is a generator of $\mathbb{G}$ . Let $\widehat{e}$ be a bilinear map, $\widehat{e}:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_t$. And $\widehat{e}$ has following three properties:

• Bilinearity: $\forall a,b\in Z_p$ and $\forall u,v\in \mathbb{G}$, we have $\widehat{e}(g^a,g^b)=\widehat{e}{(g,g)}^{\mathit{ab}}$.

• Computability: $\forall u,v\in \mathbb{G}$, $\widehat{e}(u,v)$ can be computed in a polynomial time with an efficient algorithm.

• Non-degeneracy: $\widehat{e}(g,g)\ne 1_{{\mathbb{G}}_t}$, where $1_{{\mathbb{G}}_t}$ is the identity of ${\mathbb{G}}_t$.

Besides, the bilinear map $\widehat{e}$ is considered symmetric because it satisfies $\widehat{e}(g^a,g^b)=\widehat{e}{(g,g)}^{\mathit{ab}}=\widehat{e}(g^b,g^a)$.

Access structure

Definition 2

Let $\{A_1,A_2,...,A_n\}$ be the attribute universe. A collection $\mathfrak{A}\subseteq 2^{\{A_1,A_2,...,A_n\}}$ is monotone if for any two attribute sets B and C : if $B\in \mathfrak{A}$ and $B\subseteq C$, then $C\in \mathfrak{A}$. An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) $\mathfrak{A}$ of non-empty subsets of $\{A_1,A_2,...,A_n\}$, i.e. $\mathfrak{A}\subseteq 2^{\{A_1,A_2,...,A_n\}}\backslash \mathrm{\varnothing }$. The sets in $\mathfrak{A}$ are referred as the authorized sets, and the sets not in $\mathfrak{A}$ are called the unauthorized sets.

Linear secret sharing scheme

Let p be a prime. There is a matrix M with l rows and m columns. The linear secret sharing scheme $\mathrm{\Pi }$ over the attribute Universe $\mathcal{A}$ is considered linear if:

• the shares of a secret s composes a vector over ${\mathbb{Z}}_p$.

• For $\mathrm{\Pi }$, there is a function $\rho$ mapping from $\{1,2,...l\}$ to $\mathcal{A}$. Therefore the $i^{\mathit{th}}$ of M will be associated with $\rho (i)$. Given a column vector $\overrightarrow{v}={(s,r_2,...,r_m)}^T$, where $s\in {\mathbb{Z}}_p$ is the secret to be shared and $r_2,r_3,...,r_m$ are randomly selected from ${\mathbb{Z}}_p$. $M\overrightarrow{v}$ are l shares of s based on $\mathrm{\Pi }$ , so the $i^{\mathit{th}}$ share ${\lambda }_i={(M\overrightarrow{v})}_i$ belongs to the attribute $\rho (i)$.

To reconstruct the secret s, the user whose attribute set S satisfy the access policy $(M,\rho )$ can find a set of constants $\{{\omega }_1,{\omega }_2,...{\omega }_l\}$ in a polynomial time so that ${\sum }_{i\in I}{w}_i{M}_i=(1,0,...,0)$, where I denotes the rows which are associated with attributes in S. The the secret s can be recovered by the following formula:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill \sum _{i\in I}{w}_i{\lambda }_i& =\sum _{i\in I}{w}_i{(M\overrightarrow{v})}_i\hfill \\ \hfill & =\sum _{i\in I}(w_i{M}_i)\overrightarrow{v}\hfill \\ \hfill & =(1,0,...,0){(s,r_2,...,r_m)}^T\hfill \\ \hfill & =s\hfill \end{array}\end{array}$$ 1

Pedersen secret sharing scheme

Pedersen secret sharing scheme [36], improved from Shamir’s secret sharing scheme [37], is also a kind of (k, n) threshold secret sharing scheme. Shamir’s secret sharing scheme requires a trusted third party to divide the master secret into n sub-secrets through a $k-1$ degree polynomial and distribute them to n participants $P=\{P_1,P_2,...,P_n\}$. Reconstruction of the master secret requires at least k participants. The advantage of Pedersen’s scheme is that it enables n participants to divide the master secret without relying on a third-party CA. The Pedersen secret sharing scheme algorithm is described as follows:

• master secret generation: For each of the n participants , to generate a $k-1$ degree polynomial $f_i(x)$, $P_i$ independently and randomly select k coefficients $a_{i,c}\in Z_p^{\ast }(c=0,...,k-1)$. Among them, the constant term coefficient $a_{i,0}$ is used as its own sub-secret ${\alpha }_i$. The master secret for the entire scheme is $s={\sum }_{i=1}^n{\alpha }_i$, in which s is implicit.

• master share computation: Then the participant $P_i$ generates n sub-shares $s_{\mathit{ij}}=f_i(j)(j=1,...,n)$ and sends $s_{\mathit{ij}}$ to $P_j$ through a secure channel. After $P_i$ receives $n-1$ sub-shares from $P_j$, $P_i$ calculates its master share $s_i={\sum }_{j=1}^n{s}_{\mathit{ji}}$.

• master secret reconstruction: To recover the master secret, at least k participants are required. Suppose the set of these participants is $P_{\mathit{rec}}(k\le P_{\mathit{rec}}\le n)$, and the master secret s can be reconstructed by using LaGrange interpolation as follow:

  $$\begin{array}{c}\hfill s=\sum _{i\in P_{\mathit{rec}}}{s}_i\prod _{j\in P_{\mathit{rec}},j\ne i}\frac{j}{j-i}\end{array}$$ 2

  For the convenience of subsequent calculations, we set $L(i)={\prod }_{j\in P_{\mathit{rec}},j\ne i}\frac{j}{j-i}$.

Blockchain

Blockchain is a decentralized distributed ledger technology. There are two types of nodes in the blockchain network: full nodes and light nodes. Full nodes (also known as miner nodes) elect one to pack the next block through the consensus protocol. The elected miner node packs transactions into a block and broadcast it to other nodes [38]. After verifying the validity of the newly generated block, the full nodes will append the received block into the chain structure locally. Therefore, full nodes are required to have higher storage and computing capabilities. On the other hand, light nodes do not participate in the generation of blocks, but they can verify the legitimacy of blocks/transactions with a simple calculation.

All nodes that join the blockchain network can access the data in blockchain. Similarly, they can also call the functions in smart contracts deployed in blockchain. With the help of smart contracts, data sharing intermediaries can provide services to stakeholders in the form of DAPPs [39, 40]. Related operations such as attribute distribution and user management will become open and transparent [41].

User binary tree

In some papers, User Binary Tree (BT) [42, 43] is also called KEY Tree, in which each user is assigned a unique leaf node. If we calculate the update keys for each non-revoked user in the form of a list, the complexity is $O(N-R)$, where N is the number of users and R is the number of revoked users. In BT, the update keys only need to be calculated for the minimum covered nodes, the complexity is O(NlogN/R) [32]. The KUNode algorithm is as detailed in Algorithm 1, where $\mathcal{BT}$ is a user binary tree, revl is the user revocation list, rejl is the user rejoin list, and $x_l$ and $x_r$ are the left and right child nodes of the node x respectively. Note that non-revoked users in the scheme refer to users who have never been revoked or users who have been rejoined after revoked. The users who have not been rejoined after revoked are called illegal users.

To further describe the KUNode algorithm in MA-RABE, a user binary tree with a depth of 4 and 8 users marked A-H is shown in Fig. 1. The users crossed out by the red line represent illegal users. At the end of the KUNode algorithm, the nodes in set X are marked orange, and the nodes in set Y are marked green. When all users are non-revoked users, the set Y returned by the KUNode algorithm only contains the root node, so the key update needs to be generated for the root node. When users C, G and H are illegal, the key update needs to be generated for nodes 4, 6 and 11.

Fig. 1.

The nodes need to be generated the key update

The complexity assumption

Let $\mathbb{G}$ and ${\mathbb{G}}_t$ be two multiplicative cyclic groups of prime order p, where g is a generator of $\mathbb{G}$ . Let $\widehat{e}$ be a bilinear map, $\widehat{e}:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_t$. Given four random numbers $a,b,c,z\in Z_p^{\ast }$, three group elements $g^a,g^b,g^c\in \mathbb{G}$ and one random group element $Z\in {\mathbb{G}}_t$. The problem of determining if $Z==\widehat{e}{(g,g)}^{\mathit{abc}}$ or $Z==\widehat{e}{(g,g)}^z$ is called the decisional Bilinear Diffie Hellman(DBDH) problem.

Definition 3

It is said that DBDH assumption holds on bilinear group $(\mathbb{G},{\mathbb{G}}_t,\widehat{e},p)$ if there does not exist a probabilistic polynomial time (PPT) adversary $\mathcal{A}$ who can solve the above the DBDH problem with a non-negligible advantage $P{r}_{\mathcal{A},DBDH}$.

System overview

This section provides an overview of the proposed model and the security requirements to satisfy. Besides, we introduce the main functions in the scheme and define the security model.

System model

As shown in Fig. 2, there are four kinds of entities in MA-RABE:

Fig. 2.

System model

Data Owner (DO)

The DO has a large amount of EHR data. The DO encrypts the EHR by customizing the LSSS policy, then outsources the ciphertext with the corresponding access policy to the CSP.

Data User (DU)

The DU refers to the research institution and the medical provider, who needs to register its key and attributes in AAs. To access data of DO, DU can initiate a pre-decryption request to CSP, then obtain the symmetric key by performing one exponentiation on the returned pre-decryption result.

Attribute Authority (AA)

AAs manage all users based on a global $\mathcal{BT}$, revl and rejl. AAs are responsible for distributing Attribute Recovery KEY (ARK), Node Key (NK) and Update Key (UK) for non-revoked DU through PSSS.

Cloud Service Provider (CSP)

The CSP is responsible for storing the ciphertext uploaded by the DO and providing pre-decryption services to all DUs. Note that we assume that CSP is semi-trusted, that is, CSP is honest but curious. Therefore, CSP will actively leak the privacy of the policy embedded in the ciphertext, but it will execute the protocol honestly.

Besides, due to the trust problem of multiple parties involved in a distributed environment, the blockchain is used as the underlying architecture of the solution. The blockchain contains the system smart contract of this solution (hereinafter referred to as the contract). The contract provides AAs with the registration function, the revocation function and the rejoining function. The contract provides interfaces for AAs to call the PSSS protocol, which are used to negotiate and generate keys. The contract also contains a user binary tree and two lists revl and rejl that can store N tuples.

Security requirements

Robustness

The system can tolerate some malicious attribute authorities, and these malicious attribute authorities will not affect the normal operation of the system and will not control the system.

Decentralization

The operation of the system is not under the control of a central entity. Especially in terms of user management and key distribution. In addition, the solution should not be threatened by a single point of failure.

Collusion resistance

Even if the attribute set of colluders satisfies the access policy, they can not decrypt the symmetric key encrypted by LSSS, so they will not get the plaintext further.

Policy privacy

Only the policy constitutors and the attribute owners can reconstruct the mappings from attributes to the rows in the share-generating matrix. In addition, after receiving the pre-decryption request information from the DU, the CSP cannot deduce which attributes the DU has.

Scheme definition

In this section, we provide the formal definition of the scheme MA-RABE.

• $Setup(\lambda ,N)\to (GP,\mathcal{BT},revl,rejl)$. AAs execute this function, which takes one random security parameter $\lambda$ and the maximum number of users N as input. Then the function outputs the global parameter GP, the initialized DU binary tree $\mathcal{BT}$ and two empty lists revl and rejl, which store the user’s revocation and rejoining time respectively.

• $NKGen(GP,uid,S_{\mathit{uid}},\mathcal{BT})\to N{K}_{\mathit{uid}}$. This function takes the public parameters GP, user identifier uid, user’s attribute set $S_{\mathit{uid}}$ and $\mathcal{BT}$ as input and outputs the user’s node key $N{K}_{\mathit{uid}}$. The node key is a set of calculations of the user public key and attributes in cyclic group, so it can be regarded as the issuance for user attributes.

• $UKGen(GP,revl,rejl,\mathcal{BT},t)\to U{K}_t$. The function takes the public parameters GP, the revocation list revl, rejoins the list rejl, $\mathcal{BT}$ and time t as input, and calculates the update key $U{K}_t$ for the non-revoked user at the time t.

• $PDKGen(GP,\mathcal{BT},N{K}_{\mathit{uid}},U{K}_t)\to PD{K}_{\theta ,uid}$. The function takes public parameters GP, user node key $N{K}_{\mathit{uid}}$, update key $U{K}_t$ and $\mathcal{BT}$ as input. Take the intersection node $\theta$ to compute and output the user’s pre-decryption key $PD{K}_{\theta ,uid}$, and return False if there is no intersection node.

• $Encrypt(MSG,(M,\rho ),GP,t)\to CT$. The function takes plaintext MSG, a monotonic access structure $(M,\rho )$, public parameters GP and time t as input. Then it outputs ciphertext CT.

• $PreDec(CT,PD{K}_{\theta ,uid},N{K}_{\mathit{uid}},U{K}_t)\to C{T}^{\prime }$. This function inputs the ciphertext CT, the user’s Pre-Decryption Key $PD{K}_{\theta ,uid}$, node key $N{K}_{\mathit{uid}}$ and update key $U{K}_t$, then outputs the pre-decryption result $C{T}^{\prime }$.

• $UserDec(C{T}^{\prime },s{k}_{\mathit{uid}})\to MSG$. This function inputs the pre-decryption result $C{T}^{\prime }$ and the user private key $s{k}_{\mathit{uid}}$, and outputs the plaintext MSG.

Security model

The Indistinguishability security under Chosen-Plaintext Attacks (IND-CPA security) of the MA-RABE is defined by the following game between a PPT adversary $\mathcal{A}$ and the challenger $\mathcal{C}$. Assuming that $\mathbb{A}$ is the set of AAs with the size of n and the scheme satisfys the security of (k, n) PSSS, that is, there are at most $k-1$ compromised AAs in $\mathbb{A}$.

Setup

The adversary $\mathcal{A}$ specifies a corrupted authority set ${\mathbb{A}}^{\prime }$ with the size of $n^{\prime }\le k-1$. The challenger $\mathcal{C}$ runs the Setup() to generate the global parameters GP, and the binary tree $\mathcal{BT}$, as well as two lists revl and rejl that storage user’s revocation and rejoining time respectively.

Query phase 1

The adversary $\mathcal{A}$ adaptively queries the following oracles:

The user register oracle ${\mathcal{O}}_{\mathit{Reg}}(·,·)$ takes the user identity uid along with its public key $p{k}_{\mathit{uid}}$, then assigns a leaf node of $\mathcal{BT}$ to store $(uid,p{k}_{\mathit{uid}})$ if uid has not been queried in this oracle and returns $\mathcal{BT}$ to $\mathcal{A}$.

The node key generation oracle ${\mathcal{O}}_{\mathit{NK}}(·,·)$ takes the identity identifier uid and the attribute set $S_{\mathit{uid}}^{\ast }$ as input, and then runs the algorithm $NKGen(GP,uid,S_{\mathit{uid}}^{\ast },\mathcal{BT})$ and returns the running result $N{K}_{\mathit{uid}}$ to $\mathcal{A}$.

The update key generation oracle ${\mathcal{O}}_{\mathit{UK}}(·)$ takes the time t as input, then runs the algorithm $UKGen(GP,revl,rejl,\mathcal{BT},t)$ and returns $U{K}_t$ to $\mathcal{A}$.

The user revocation oracle ${\mathcal{O}}_{\mathit{Rev}}(·,·)$ takes the time t and the identity uid as input, then runs UserRev(revl, uid, t) and returns the updated revocation list revj to $\mathcal{A}$.

Challenge

The adversary $\mathcal{A}$ submits a challenge access matrix $(M^{\ast },{\rho }^{\ast })$, the time $t^{\ast }$ and two symmetric keys $KE{Y}_0$ and $KE{Y}_1$ with the same length to the challenger $\mathcal{C}$. Among them, the challenge access matrix and$(M^{\ast },{\rho }^{\ast })$ time $t^{\ast }$ need to satisfy the following constraints:

1. For any query ${\mathcal{O}}_{\mathit{NK}}(uid,S_{\mathit{uid}}^{\ast })$ such that the attribute set $S_{\mathit{uid}}^{\ast }$ satisfies the challenge matrix, Then uid must have been queried in ${\mathcal{O}}_{\mathit{Rev}}(uid,t)$, where $t\le t^{\ast }$.

2. For any non-revoked user uid, if its attribute set $S_{\mathit{uid}}^{\ast }$ satisfies the challenge matrix, then uid must be in ${\mathcal{O}}_{\mathit{NK}}(·,·)$ has not been queried.

Then $\mathcal{C}$ tosses a coin to determine the value of $\gamma \in \{0,1\}$ , then executes $Encrypt(KE{Y}_{\gamma },(M^{\ast },{\rho }^{\ast }),GP,t^{\ast })\to C{T}^{\ast }$ and returns the challenge ciphertext $C{T}^{\ast }$ to $\mathcal{A}$.

Query phase 2

After receiving the challenge ciphertext $C{T}^{\ast }$, $\mathcal{A}$ continues to query the oracles according to Query Phase 1 adaptively.

Guess

$\mathcal{A}$ outputs a guess bit ${\gamma }^{\prime }\in \{0,1\}$ for $\gamma$. The winning advantage for the adversary is $\mathcal{A}$ defined as $Ad{v}_{\mathcal{A}}=Pr[\gamma ={\gamma }^{\prime }]-\frac{1}{2}$.

Definition 4

A Revocable Attribute-Based Encryption EHR Sharing Scheme With Multiple Authorities(MA-RABE) in blockchain is selective IND-CPA secure, if the advantages of all (k, n) probabilistic polynomial time adversaries in the above game are negligible.

Construction

System initialization

AAs select the security parameter $\lambda$ and the maximum number of users N as input, and execute the algorithm $Setup(\lambda ,N)$. The algorithm generates two cyclic groups $\mathbb{G}$ and ${\mathbb{G}}_t$ with a prime p order, where g is the generator of $\mathbb{G}$. It also generates bilinear mapping $\widehat{e}:\widehat{e}(\mathbb{G},\mathbb{G})\to {\mathbb{G}}_t$, an anti-collision function $H:{\{0,1\}}^{\ast }\to \mathbb{G}$ and two random group elements h and $d\in \mathbb{G}$.

Suppose n is the total number of AAs, and k is the threshold for PSSS. n AAs generate shares ${\{{\alpha }_i,{\beta }_i\}}_{i\in n}$ about random numbers $\alpha ,\beta$ through PSSS. Then each authority calculates locally and submit $\widehat{e}{(g,g)}^{{\alpha }_i},g^{{\beta }_i}$ to the contract. The contract receives $\widehat{e}{(g,g)}^{{\alpha }_i},g^{{\beta }_i}$ sent by k authorities, and calculates as follows:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill \widehat{e}{(g,g)}^{\alpha }& =\prod _{i=1}^k{(\widehat{e}{(g,g)}^{{\alpha }_i})}^{L(i)}\hfill \\ \hfill & =\widehat{e}{(g,g)}^{{\sum }_{i=1}^k{\alpha }_{i}L(i)}\hfill \end{array}\end{array}$$ 3

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill g^{\beta }& =\prod _{i=1}^k{(g^{{\beta }_i})}^{L(i)}\hfill \\ \hfill & =g^{{\sum }_{i=1}^k{\beta }_{i}L(i)}\hfill \end{array}\end{array}$$ 4

Therefore, the global parameter $GP=\{\widehat{e},\mathbb{G},{\mathbb{G}}_t,h,d,e{(g,g)}^{\alpha },g^{\beta },H\}$. Then contract generates a binary tree $\mathcal{BT}$ for DU, assigns a random number ${\xi }_{\theta }\in \mathbb{G}$ to each node $\theta$ of $\mathcal{BT}$ and initializes two empty lists revl and rejl that can store N tuples.

User management

• Register Each DU generates its own private key $usk\in Z_p^{\ast }$, and calculates $g^{\mathit{usk}}$ as its public key.Then DU calls the registration function in the contract and sends his public key. After the registration function collects at least k AAs’ signatures, it will randomly select a $\mathcal{BT}$ leaf node to store $(uid,g^{\mathit{usk}})$.

• Revocation AAs calls the revocation function in the contract with the parameter (uid, t). After the revocation function collects at least k AAs’ signatures, it sets $(uid,\ast )$ to (uid, t) in the list revl.

• Rejoining AAs calls the rejoining function in the contract with the parameter (uid, t). After the rejoining function collects at least k AAs’ signatures, it sets $(uid,\ast )$ to (uid, t) in the list rejl.

Remark

The input time to perform revocation and rejoining is always later than the time of the latest $U{K}_t$. Otherwise, revocation and rejoining of the user are meaningless. Similarly, when executing the revocation of uid, the input time must be later than the time of uid in rejl. When executing the rejoining of uid, the input time must be later than the time of uid in revl.

Key generation

Attribute recovery key assignment

Attribute recovery key is a part of the one-way anonymous key agreement, used to recover the attributes in the matrix. DU calculates $H{(x)}^{\mathit{usk}}$ for each owned attribute x. Note that the attribute x here contains both the attribute name and the attribute value. Then DU sends $H{(x)}^{\mathit{usk}}$ to each authority through a secure channel. To verify the ownership correctness, each authority needs to check:

$$\begin{array}{c}\hfill \widehat{e}(H(x),p{k}_{\mathit{uid}})==\widehat{e}(H{(x)}^{\mathit{usk}},g)\end{array}$$ 5

After checking that it is correct, each attribute authority calculates the share of attribute recovery key token $H{(x)}^{usk·{\beta }_i}$ and sends it to the contract. The contract collects at least k shares of the attribute recovery key token to recover attribute recovery key token $ARK{T}_{uid,x}$ by interpolation:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill ARK{T}_{uid,x}& =\prod _{i=1}^{k}H{(x)}^{usk·{\beta }_i·L(i)}\hfill \\ \hfill & =H{(x)}^{usk·{\sum }_{i=1}^k{\beta }_{i}L(i)}\hfill \\ \hfill & =H{(x)}^{usk·\beta }\hfill \end{array}\end{array}$$ 6

DU decrypts $ARK{T}_{uid,x}$ with its private key to get the attribute recovery key:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill AR{K}_x& =ARK{T}_{uid,x}^{1/usk}\hfill \\ \hfill & ={(H{(x)}^{usk·\beta })}^{1/usk}\hfill \\ \hfill & =H{(x)}^{\beta }\hfill \end{array}\end{array}$$ 7

Node key generation

AAs generate the node key $N{K}_{\mathit{uid}}$ for uid based on the user attribute set $S_{\mathit{uid}}$ and runs $NKGen(GP,uid,S_{\mathit{uid}},\mathcal{BT})$. The detailed process is as follows:

1. AAs retrieve and parse the leaf node ${\theta }_{\mathit{uid}}$ that stores uid in $\mathcal{BT}$ to get the tuple $(uid,g^{\mathit{usk}})$. For each node $\theta$ in $Path({\theta }_{\mathit{uid}})$, AAs extract the value ${\xi }_{\theta }$.

2. n AAs leverage (k, n) PSSS to generate shares ${\{r_{\theta ,i},v_{\theta ,i},{\{{\omega }_{\theta ,x,i}\}}_{x\in S_{\mathit{uid}}}\}}_{\theta \in Path({\theta }_{\mathit{uid}})}$ of random numbers $r_{\theta },v_{\theta },{\{{\omega }_{\theta ,x}\}}_{x\in S_{\mathit{uid}}}\in \mathbb{G}$ for the user uid.

3. For each node $\theta$ in $Path({\theta }_{\mathit{uid}})$: each authority calculates locally and submits $p{k}_{\mathit{uid}}^{{\alpha }_i}·{\xi }_{\theta }^{r_{\theta ,i}}·d^{v_{\theta ,i}}$, $g^{v_{\theta ,i}}$ and ${\{g^{{\omega }_{\theta ,x,i}},H{(x)}^{{\omega }_{\theta ,x,i}}·h^{v_{\theta ,i}}\}}_{x\in S_{\mathit{uid}}}$ to the contract.

4. The contract receives shares of $N{K}_{\mathit{uid}}$ from at least k authorities, then calculates as follows:

   $$\begin{array}{c}\hfill \begin{array}{cc}\hfill N_{\theta ,1}& =\prod _{i=1}^k{(p{k}_{\mathit{uid}}^{{\alpha }_i}·{\xi }_{\theta }^{r_{\theta ,i}}·d^{v_{\theta ,i}})}^{L(i)}\hfill \\ \hfill & =p{k}_{\mathit{uid}}^{{\sum }_{i=1}^k{\alpha }_{i}L(i)}·{\xi }_{\theta }^{{\sum }_{i=1}^k{r}_{\theta ,i}L(i)}·d^{{\sum }_{i=1}^k{v}_{\theta ,i}L(i)}\hfill \\ \hfill & =p{k}_{\mathit{uid}}^{\alpha }·{\xi }_{\theta }^{r_{\theta }}·d^{v_{\theta }}\hfill \end{array}\end{array}$$ 8

   $$\begin{array}{c}\hfill \begin{array}{cc}\hfill N_{\theta ,2}& =\prod _{i=1}^k{g^{v_{\theta ,i}}}^{L(i)}\hfill \\ \hfill & =g^{{\sum }_{i=1}^k{v}_{\theta ,i}L(i)}\hfill \\ \hfill & =g^{v_{\theta }}\hfill \end{array}\end{array}$$ 9

   For each attribute $x\in S_{\mathit{uid}}$, it caculates:

   $$\begin{array}{c}\hfill \begin{array}{cc}\hfill N_{\theta ,x,1}& =\prod _{i=1}^k{g^{{\omega }_{\theta ,x,i}}}^{L(i)}\hfill \\ \hfill & =g^{{\sum }_{i=1}^k{\omega }_{\theta ,x,i}L(i)}\hfill \\ \hfill & =g^{{\omega }_{\theta ,x}}\hfill \end{array}\end{array}$$ 10

   $$\begin{array}{c}\hfill \begin{array}{cc}\hfill N_{\theta ,x,2}& =\prod _{i=1}^k{(H{(x)}^{{\omega }_{\theta ,x,i}}·h^{v_{\theta ,i}})}^{L(i)}\hfill \\ \hfill & =H{(x)}^{{\sum }_{i=1}^k{\omega }_{\theta ,x,i}L(i)}·h^{{\sum }_{i=1}^k{v}_{\theta ,i}L(i)}\hfill \\ \hfill & =H{(x)}^{{\omega }_{\theta ,x}}·h^{v_{\theta }}\hfill \end{array}\end{array}$$ 11

Therefore, the node key of uid is $N{K}_{\mathit{uid}}={\{N_{\theta ,1},N_{\theta ,2},{\{N_{\theta ,x,1},N_{\theta ,x,2}\}}_{x\in S_{\mathit{uid}})}\}}_{\theta \in Path({\theta }_{\mathit{uid}})}$.

Update key generation

AAs run $UKGen(GP,revl,rejl,\mathcal{BT},t)$ according to the revocation list, rejoin list and the time mark t to generate the update key $U{K}_t$ at t. The process is as follows:

1. AAs calculate the minimum covered node set $KUNode(revl,rejl,\mathcal{BT},t)$ according to the revocation list and the rejoining list.

2. n AAs leverage (k, n) PSSS to generate shares ${\{s_{\theta ,i}\}}_{\theta \in KUNode(revl,rejl,\mathcal{BT},t)}$ of random numbers $s_{\theta }\in \mathbb{G}$ for the user uid.

3. For each node $\theta$ in $KUNode(revl,rejl,\mathcal{BT},t)$: each authority calculates locally and submits $H{(t)}^{s_{\theta ,i}}·{\xi }_{\theta }^{-r_{\theta ,i}}$ and $g^{s_{\theta ,i}}$ to the contract.

4. The contract receives shares of $U{K}_t$ from at least k nodes, then calculates as follows:

   $$\begin{array}{c}\hfill \begin{array}{cc}\hfill U_{\theta ,1}& =\prod _{i=1}^k{(H{(t)}^{s_{\theta ,i}}·{\xi }_{\theta }^{-r_{\theta ,i}})}^{L(i)}\hfill \\ \hfill & =H{(t)}^{{\sum }_{i=1}^k{s}_{\theta ,i}L(i)}·{\xi }_{\theta }^{{\sum }_{i=1}^k-r_{\theta ,i}L(i)}\hfill \\ \hfill & =H{(t)}^{s_{\theta }}·{\xi }_{\theta }^{-r_{\theta }}\hfill \end{array}\end{array}$$ 12

   $$\begin{array}{c}\hfill \begin{array}{cc}\hfill U_{\theta ,2}& =\prod _{i=1}^k{g^{s_{\theta ,i}}}^{L(i)}\hfill \\ \hfill & =g^{{\sum }_{i=1}^k{s}_{\theta ,i}L(i)}\hfill \\ \hfill & =g^{s_{\theta }}\hfill \end{array}\end{array}$$ 13

The update key for legal users is $U{K}_t={\{U_{\theta ,1},U_{\theta ,2}\}}_{\theta \in KUNode(revl,rejl,\mathcal{BT},t)}$. Note that the input t for this algorithm is always the current moment, which is always later than any time in revl and rejl.

Pre-decryption key generation

This process is usually completed by the CSP. uid sends a pre-decryption request to the CSP. Then the CSP retrieves the leaf node ${\theta }_{\mathit{uid}}$ corresponding to uid in $\mathcal{BT}$. If $Path({\theta }_{\mathit{uid}})\cap KUNode(revl,rejl,\mathcal{BT},t)=\mathrm{\varnothing }$, then the CSP returns rejection. Otherwise, according to the property of the KUNode algorithm, the non-revoked user’s $Path({\theta }_{\mathit{uid}})$ must have an intersection node $\theta$ with $KUNode(revl,rejl,\mathcal{BT},t)$. The pre-decryption key of uid is calculated as follow:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill PD{K}_{\theta ,uid}& =N_{\theta ,1}·U_{\theta ,1}\hfill \\ \hfill & =p{k}_{\mathit{uid}}^{\alpha }·{\xi }_{\theta }^{r_{\theta }}·d^{v_{\theta }}·H{(t)}^{s_{\theta }}·{\xi }_{\theta }^{-r_{\theta }}\hfill \\ \hfill & =p{k}_{\mathit{uid}}^{\alpha }·d^{v_{\theta }}·H{(t)}^{s_{\theta }}\hfill \end{array}\end{array}$$ 14

Remark

After the $AR{K}_x$ and $N{K}_{\mathit{uid}}$ of the user uid are distributed, the relationships between attribute $x\in S_{\mathit{uid}}$ and related keys can be represented by Fig. 3, in which the solid line represents the public relationship disclosed in the contract, and the dotted line represents the relationship known only to uid and AAs. And due to computational difficulties, others cannot deduce the user’s attribute information through the key information.

Fig. 3.

The relationships between attribute x and related keys

Encryption

As shown in Fig. 4, MA-RABE adopts a combination of symmetric and asymmetric hybrid encryption. The DO encrypts the data to share with the AES symmetric key and then encrypts the symmetric key by LSSS. The workflow of Encryption is shown in Fig. 4. The detailed process is as follows:

Fig. 4.

The workflow of Encryption. There are three entities involved in Encryption, DO means Data Owner, SC means Smart Contract, and DU means Data User

Symmetric encryption

DO generates AES key $KEY\in {\mathbb{G}}_t$ and encrypts data by $AESEncrypt(KEY,data)\to C{T}_{\mathit{KEY}}$.

Asymmetric encryption

DO customizes an access policy AP, where J is the number of attributes in AP. Then DO converts AP into the share-generating matrix $M_{l\times m}$ and the mapping function $\rho$ over the related attributes.

Then DO obfuscates the mapping function to fully hide the related attributes and protect the privacy of the data-sharing parties by the following three steps:

1. DO randomly selects a number $r\in Z_p^{\ast }$ and calculates ${\sigma }_j=\widehat{e}({(g^{\beta })}^r,H(att{r}_j))$ for $\forall j\in [J]$, where $att{r}_j$ is an attribute in the access policy.

2. DO computes the matrix confusion key $g^r$, which is used to recover part of the mapping function $\rho$ for DU later.

3. DO replaces the previous mapping function $\rho (i)$ with ${\rho }^{\prime }(i)=\widehat{e}({(g^{\beta })}^r,H(att{r}_j))$ for $\forall i\in [l]$.

Thus the access policy AP is eventually converted into the LSSS scheme $\mathrm{\Pi }:(M_{l\times m},{\rho }^{\prime })$ on the related attributes.

Next, DO runs $Encrypt(KEY,(M,{\rho }^{\prime }),GP,t)$ to encrypt the AES key KEY as the following steps:

1. DO obtains the time t of the latest $U{K}_t$ from the contract, then computes $\overline{C}=KEY·\widehat{e}{(g,g)}^{\alpha ·s}$ and $C_0=H{(t)}^s$.

2. DO randomly selects $s,r_2,r_3,...,r_m\in Z_p^{\ast }$ to form a vector $\overrightarrow{n}={\{s,r_2,r_3,...,r_m\}}^T$.

3. For $\forall i\in [l]$, DO calculates ${\lambda }_i=M_i·\overrightarrow{n}$, where $M_i$ is the $i^{\mathit{th}}$ row of matrix M.

4. DO randomly selects ${\{u_i\}}_{i\in [l]}\in Z_p^{\ast }$, then compute the ramaining chiphertext as follows for $\forall i\in [l]$:

   $$\begin{array}{c}\hfill \left\{\begin{array}{cc}& C_{i,1}=g^{{\lambda }_i}\hfill \\ \hfill & C_{i,2}=g^{u_i}\hfill \\ \hfill & C_{i,3}=d^{{\lambda }_i}·h^{u_i}\hfill \\ \hfill & C_{i,4}=H{(x)}^{-u_i}\hfill \end{array}\right)\end{array}$$

Finally, DO uploads the outsourced ciphertext $CT=((M,{\rho }^{\prime }),g^r,C{T}_{\mathit{KEY}},\overline{C},C_0,{\{C_{i,1},C_{i,2},C_{i,3}{C}_{i,4}\}}_{\forall i\in [l]})$ to the cloud server CSP.

Pre-decryption

To alleviate the computational pressure caused by bilinear maps, CSP can pre-decrypt for DU without leaking privacy and return the pre-decrypted result $C{T}^{\prime }$. The workflow of Pre-Decryption is shown in Fig. 5. CSP performs pre-decryption by executing the following steps:

1. DU obtains the $(M,{\rho }^{\prime }),g^r$ of CT from CSP, then computes ${\{{\sigma }_j^{\prime }:{\sigma }_j^{\prime }=\widehat{e}(g^r,H{(att{r}_j)}^{\beta })\}}_{\forall j\in [S]}$, where S is the number of the attribute set $S_{\mathit{uid}}$.

2. DU computes the set of rows $I=\{i:{\{{\sigma }_j^{\prime }\}}_{\forall j\in [S]}\cap {\{{\rho }^{\prime }(i)\}}_{\forall i\in [l]}\}$. This means that the DU recovers part of the mapping function $\rho$ and knows which rows in the matrix M correspond to the attributes it has. Then DU sends the set I and the corresponding ${\{H{(\rho (i))}^{usk·\beta }\}}_{\forall i\in I}$ to CSP.

3. If the attribute set of uid satisfies the access policy, then ${\{M_i\}}_{\forall i\in I}$ must be a full-rank matrix. Therefore, the CSP can find a set of constants $c_i\in Z_p^{\ast }$ in a polynomial time such that ${\sum }_{i\in I}{c}_i{M}_i=(1,0,...,0)$.

4. Then CSP runs $PreDec(CT,PD{K}_{\theta ,uid},N{K}_{\mathit{uid}},U{K}_t)$. It trys to compute the pre-decryption key $PD{K}_{\theta ,uid}$ against $N{K}_{\mathit{uid}}$ and $U{K}_t$ stored in blockchain. If the calculation of the pre-decryption key fails, the rejection is returned to DU. Otherwise, the CSP finds ${\{N_{\theta ,\rho (i),1},N_{\theta ,\rho (i),2}\}}_{i\in I}$ that corresponds to ${\{H{(\rho (i))}^{usk·\beta }\}}_{\forall i\in I}$ as shown in Fig. 3 and computes:

   $$\begin{array}{c}\hfill \begin{array}{cc}& \prod _{i\in I}{\left[\frac{\widehat{e}(C_{i,1},PD{K}_{\theta ,uid})·\widehat{e}(N_{\theta ,\rho (i),1},C_{i,4})·\widehat{e}(N_{\theta ,\rho (i),2},C_{i,2})}{\widehat{e}(N_{\theta ,2}·C_{i,3})}\right]}^{c_i}\hfill \\ \hfill & ·\frac{1}{\widehat{e}(C_0,U_{\theta ,2})}=\widehat{e}{(g,g)}^{usk·\alpha ·s}=C{T}^{\prime }\hfill \end{array}\end{array}$$ 15

   and further returns $C{T}^{\prime }$ to DU.

Fig. 5.

The workflow of Pre-Decryption. There are three entities involved in Pre-Decryption, DO means Data Owner, SC means Smart Contract, and DU means Data User

User decryption

DU runs $UserDec(C{T}^{\prime },s{k}_{\mathit{uid}})$ locally after receiving $C{T}^{\prime }$.

1. DU uses its own private key to perform one exponentiation on the received $C{T}^{\prime }$ to obtain the symmetric key KEY:

   $$\begin{array}{c}\hfill KEY=\frac{\overline{C}}{{(C{T}^{\prime })}^{1/usk}}\end{array}$$ 16

2. Then, DU uses KEY to perform AES decryption on $C{T}_{\mathit{KEY}}$ by $AESDecrypt(KEY,C{T}_{\mathit{KEY}})\to data$.

Ciphertext update

When the set of non-revoked users in the system changes (that is, user revocation or rejoining occurs), AAs will generate a key update message $U{K}_{t_{\mathit{latest}}}$ about the latest moment. DO needs to update the $C_0$ in the CT according to the time of $U{K}_{t_{\mathit{latest}}}$, so that users who are non-revoked at $t_{\mathit{latest}}$ can obtain the plaintext.

$$\begin{array}{c}\hfill C_0\leftarrow H{(t_{\mathit{latest}})}^s\end{array}$$ 17

Security Analysis

Correctness

The correctness proof of Eqs. (15) and (16) is presented in Appendix A.

Security proof

Theorem 1

The MA-RABE scheme is IND-CPA secure if the DBDH problem is hard to break and (k, n) PSSS is IND-CPA secure.

Proof

Assume that there is a PPT adversary $\mathcal{A}$ who can break the MA-RABE scheme in selective security model defined in IV.D with a non-negligible advantage $\epsilon$. Given an instance of the DBDH problem $(g,g^a,g^b,g^s,Z)$ where $\mathcal{A}$ needs to decide $Z==\widehat{e}{(g,g)}^{\mathit{abs}}$ or $Z==\widehat{e}{(g,g)}^z$. And z is randomly selected from $Z_p^{\ast }$. There are two types of adversary who will query oracles and return the decision to the challenger $\mathcal{C}$.

• $\mathcal{A}$ is a legal user. $\mathcal{A}$ cannot query the node key about $S^{\ast }$, but $\mathcal{A}$ can obtain the update key of the challenge time $t^{\ast }$.

• $\mathcal{A}$ is a illegal user. $\mathcal{A}$ can query the node key about $S^{\ast }$ and obtain the update key of the challenge of $t^{\ast }$. But all users whose attribute sets satisfy the challenge matrix $(M^{\ast },{\rho }^{\ast })$ are revoked at $t^{\ast }$ or before $t^{\ast }$.

Init

The challenger $\mathcal{C}$ runs the adversary $\mathcal{A}$. $\mathcal{A}$ chooses the challenge matrix $(M^{\ast },{\rho }^{\ast })$ and sends it to $\mathcal{C}$.

Setup

The adversary $\mathcal{A}$ specifies a corrupted authority set ${\mathbb{A}}^{\prime }$ with the size of $n^{\prime }\le k-1$ so that the challenger $\mathcal{C}$ can generate the global parameters $GP=\{\widehat{e},\mathbb{G},{\mathbb{G}}_t,h,d,e{(g,g)}^{\alpha },g^{\beta },H\}$. The hash function H is abstracted into $H(y)=g^{{\tau }_y},{\tau }_y\in Z_p^{\ast }$. Then $\mathcal{C}$ returns GP to $\mathcal{A}$, where $\alpha =ab$ is implicitly defined for $\widehat{e}{(g,g)}^{\alpha }==\widehat{e}(g^a,g^b)$.

Query phase 1

$\mathcal{A}$ queries the following oracles adaptively.

${\mathcal{O}}_{\mathit{Reg}}(uid,p{k}_{\mathit{uid}})$: The adversary $\mathcal{A}$ submits the identity uid along with the corresponding $p{k}_{\mathit{uid}}$. The challenger $\mathcal{C}$ picks an unsigned leaf node ${\theta }_{\mathit{uid}}$ from $\mathcal{BT}$ and stores $(uid,p{k}_{\mathit{uid}})$ in ${\theta }_{\mathit{uid}}$.

${\mathcal{O}}_{\mathit{NK}}(uid,S_{\mathit{uid}}^{\ast })$: The adversary $\mathcal{A}$ submits the identity uid and the attribute set $S_{\mathit{uid}}^{\ast }$. The challenger $\mathcal{C}$ answers the query $(uid,S_{\mathit{uid}}^{\ast })$ as follows:

Case 1

If uid is a non-revoked user, and the attribute set $S_{\mathit{uid}}^{\ast }$ satisfies the challenge matrix $(M^{\ast },{\rho }^{\ast })$, then ${\mathcal{O}}_{\mathit{NK}}(uid,S_{\mathit{uid}}^{\ast })$ cannot be queried.

Case 2

If uid is a revoked user, and the attribute set $S_{\mathit{uid}}^{\ast }$ does not satisfy the challenge matrix $(M^{\ast },{\rho }^{\ast })$, then the challenger $\mathcal{C}$ runs $NKGen(GP,uid,S_{\mathit{uid}}^{\ast },\mathcal{BT})$ and returns the $N{K}_{\mathit{uid}}^{\ast }$ to $\mathcal{A}$.

${\mathcal{O}}_{\mathit{UK}}(t)$: The adversary $\mathcal{A}$ submits the identity uid and a time mark t to query the update key. Then the challenger $\mathcal{C}$ runs $UKGen(GP,revl,rejl,\mathcal{BT},t)$ and returns the $U{K}_t^{\ast }$ to $\mathcal{A}$.

${\mathcal{O}}_{\mathit{Rev}}(uid,t)$: The adversary $\mathcal{A}$ submits a time mark t and the identity uid to revoke uid. Then challenger $\mathcal{C}$ runs revocation function with (uid, t) and returns the updated revl. Note that the input time in this oracle must be later than the time of uid in rejl.

Challenge

$\mathcal{A}$ submits two symmetric keys $KE{Y}_0$ and $KE{Y}_1$ with the same length and the challenge time $t^{\ast }$. Then $\mathcal{C}$ tosses a coin to determine the value of $\gamma \in \{0,1\}$ and computes $\overline{C}=KE{Y}_{\gamma }·\widehat{e}{(g,g)}^{ab·s}$, $C_0={(g^{{\tau }_t})}^s$ and $C^{\prime }=g^s$. For each row $M_i^{\ast }$ of $M^{\ast }$, $\mathcal{C}$ computes

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}& C_{i,1}=g^{{\lambda }_i}\hfill \\ \hfill & C_{i,2}=g^{u_i}\hfill \\ \hfill & C_{i,3}=d^{{\lambda }_i}·h^{u_i}\hfill \\ \hfill & C_{i,4}={(g^{{\tau }_x})}^{-u_i}\hfill \end{array}\right)\end{array}$$

Therefore, $C{T}^{\ast }=((M^{\ast },{\rho }^{\ast }),g^r,C{T}_{\mathit{KEY}},\overline{C},C_0,C^{\prime },\{C_{i,1}$ $,C_{i,2},C_{i,3}{C}_{i,4}{\}}_{\forall i\in [l^{\ast }]})$. Finally, $\mathcal{C}$ returns the challenge ciphertext $C{T}^{\ast }$ to $\mathcal{A}$.

Query phase 2

After receiving the challenge ciphertext $C{T}^{\ast }$, $\mathcal{A}$ continues to query the oracles according to Query Phase 1 adaptively.

Guess

$\mathcal{A}$ outputs ${\gamma }^{\prime }\in \{0,1\}$ to guess the value of $\gamma$. $\mathcal{C}$ returns 1 if $\gamma ={\gamma }^{\prime }$ which denotes $Z==\widehat{e}{(g,g)}^{\mathit{abs}}$. Otherwise, $\mathcal{C}$ returns 0 which denotes Z is a random number $g^z$ in group $\mathbb{G}$. When $Z==\widehat{e}{(g,g)}^{\mathit{abs}}$, the challenge ciphertext $C{T}^{\ast }$ is hard to break, $Pr[\gamma ={\gamma }^{\prime }]=\frac{1}{2}+\epsilon$. When $Z==g^z$, $Pr[\gamma ={\gamma }^{\prime }]=\frac{1}{2}$. Therefore, the probability of $\mathcal{C}$ to solve DBDH problem $P{r}_{\mathcal{C},DBDH}=|\frac{1}{2}Pr[\gamma ={\gamma }^{\prime }|Z==\widehat{e}{(g,g)}^{\mathit{abs}}]+\frac{1}{2}Pr[\gamma ={\gamma }^{\prime }|Z==g^z]|=|\frac{1}{2}(\frac{1}{2}+\epsilon )-\frac{1}{2}·\frac{1}{2}|=\frac{\epsilon }{2}$.

Since the probability for any PPT adversary to break DBDH problem is negligible. The probability of $\mathcal{C}$ to solve DBDH problem $\frac{\epsilon }{2}$ is also negligible. We can derive that the advantage of $\mathcal{A}$ to win the game $\epsilon$ is negligible. So the scheme MA-RABE achieves chosen-plaintext security.

Robustness

Since the scheme MA-RABE uses PSSS (k, n) to distribute user keys and manage users, so its robustness is affected by the threshold k and the total number of AAs n. We assume that the attacker can make some AAs in MA-RABE go down. We suppose the probability that a single AA goes down is d. When the attack further expands, until the number of AAs work is less than k, it will make the system crashed directly. So the probability of system crash satisfies the Bernoulli distribution ${\sum }_{n-k+1}^n\left(\begin{array}{c}i\\ n\end{array}\right)d^i{(1-d)}^{n-i}$. Figure 6a, b show the probability of system crash versus the threshold of PSSS k and the probability of a single AA crash d when n is 5 and 10 respectively.

Fig. 6.

The probability of system crash varies with the probability of a single authority crash

Next, we consider another situation. If the attacker controls at least k AAs in MA-RABE through some means and thus controls the entire system. We assume that the probability of a single AA being controlled is c, then the probability of system being controlled also satisfies the Bernoulli distribution ${\sum }_k^n\left(\begin{array}{c}i\\ n\end{array}\right)c^i{(1-c)}^{n-i}$. Figure 7a, b show the probability of the system being controlled versus the threshold of PSSS k and the probability of a single AA being controlled c when n is 5 and 10 respectively.

Fig. 7.

The probability of system being controlled varies with the probability of one single authority being controlled

From the analysis of Figs. 6 and 7, we can see that compared to a system based on a single AA, the MA-RABE has better robustness. The closer that k gets to n in the scheme, the more chance the system crashes, and the probability of the system being compromised gets smaller. On the contrary, the less k is than n, the less chance the system crashes, and the probability of the system being controlled will be higher. On the other hand, when k is larger, the computational overhead of reconstructing the secret will increase. Therefore, choosing appropriate k and n can simultaneously ensure low computational overhead and strong security, such as (3,5), (5,10), (6,10).

Decentralization

The AAs in MA-RABE adopts PSSS protocol to negotiate to generate keys and manage users. This process requires at least k authorities. Any single authority cannot affect the security of the protocol, nor will it affect the security of the system. Therefore, there is no central entity in the application layer of the system. In addition, the user’s status and key information are stored in the smart contract, and the correctness of the operation result of the smart contract is verified by all full nodes of the blockchain. Therefore, there is no central entity in the code layer of the system. In summary, MA-RABE achieves decentralization and effectively resists single points of failure.

Collusion resistance

According to the decryption process in Appendix A, if the colluders want to decrypt the ciphertext with their attributes, they need to specify the private key of the mastercolluder. Therefore, it is necessary to use a PDK containing the mastercolluder’s private key. The $v_{\theta }$ in $N_{\theta ,2}$ is the same as the $v_{\theta }$ in PDK, and it belongs to the same user under the same node. Therefore, this process also needs to fix the mastercolluder’s $N_{\theta ,2}$. In addition, $C_{i,1}$, $C_{i,2}$, $C_{i,3}$, $C_{i,4}$, $C_0$ and $U_{\theta ,2}$ are also need to be fixed.

Recall the generation process of $N_{\theta ,{\rho }^{\prime }(i),2}$. For the same node, the $v_{\theta }$ for different users are different. Therefore, when the colluders share their $N_{\theta ,{\rho }^{\prime }(i),2}$, the $\widehat{e}(h^{v_{\theta }},g^{u_i})$ in the numerator cannot be eliminated by the $\widehat{e}(g^{v_{\theta }},h^{u_i})$ in the denominator.

Policy privacy

In the process of encrypting the AES key, DO uses the one-way anonymous key to replace the explicit mapping function $\rho (i)$ between the rows of the matrix and attributes with $\rho {(i)}^{\prime }$: ${\rho }^{\prime }(i)=\widehat{e}({(g^{\beta })}^r,H(att{r}_j))$. In order to recover the rows of the matrix to attributes, the decryptor has two methods:

1. The decryptor needs to know the value of r. However, the discrete logarithm problem in cyclic groups is difficult to solve. The decryptor cannot derive the value of r from the public $g^r$.

2. According to the bilinearity of Bilinear Maps: $\widehat{e}(g^r,H{(att{r}_j)}^{\beta })=\widehat{e}({(g^{\beta })}^r,H(att{r}_j))$. This process requires $g^r$ and $H{(att{r}_j)}^{\beta }$. The matrix confusion key $g^r$ is part of the ciphertext and is public. $H{(att{r}_j)}^{\beta }$ is the $AR{K}_{att{r}_j}$ of DU. So only the decryptor with the ${\{AR{K}_{att{r}_j}\}}_{j\in [J]}$ can recover the rows of the matrix to attributes.

In addition, recall that the CSP will receive the pre-decryption request information the set of rows I and the corresponding ${\{H{({\rho }^{\prime }(i))}^{usk·\beta }\}}_{\forall iin[l]}$ from DU. Among them, $H{({\rho }^{\prime }(i))}^{usk·\beta }$ is the $ARK{T}_{uid,{\rho }^{\prime }(i)}$ of DU, which is public in the contract and is associated with ${\{N_{\theta ,{\rho }^{\prime }(i),1},N_{\theta ,{\rho }^{\prime }(i),2}\}}_{i\in I}$. CSP cannot derive attribute information.

Therefore, our scheme MA-RABE realizes policy privacy protection.

Performance evaluation

This section compares the proposed scheme MA-RABE with other CP-ABE schemes in terms of function implementation, storage and computational overhead.

Security and functionality comparison

We make a comparison between previous CP-ABE schemes and our scheme in Table 1 in terms of the attribute authority working mechanism, the underlying blockchain architecture, user rejoining, user revocation, hidden policy, and outsourcing decryption. The scheme of [44] has an assumed credible CA and thus has the problem of centralized power. In the scheme of [20], each AA manages one attribute set which is non-intersecting to others, so the breakdown of any AA will affect the availability of attribute management. In other schemes, the attribute Universe is jointly managed by a group of attribute authorities, which can prevent single points of failure and enhance system security. In addition, the proposed scheme MA-RABE has richer user management functions and supports hidden policy and outsourcing pre-decryption, which can greatly reduce the computing overhead on the user side without leaking user privacy.

Table 1.

The Comparison of Functionality

Schemes	Authority working mechanism	Blockchain	User rejoining	User revocation	Hidden policy	Outsourcing Pre-decryption
[44]	Single, Centralization
[17]	Multiple, Jointly collaborating				$\surd$
[20]	Multiple, Exclusive Sets			$\surd$	$\surd$
[32]	Multiple, Jointly collaborating	$\surd$		$\surd$		$\surd$
MA-RABE	Multiple, Jointly collaborating	$\surd$	$\surd$	$\surd$	$\surd$	$\surd$

“Single, Centralization” means that there is only one Central Authority in the scheme

“Multiple, Exclusive Sets” means that there are multiple Attribute Authorities that each manage a disjoint attribute set in the scheme

“Multiple, Jointly collaborating” means that there are multiple Attribute Authorities that jointly manage the Attribute Universe in the scheme

$\surd$ indicates the existence of the functionality in the scheme

The storage overhead

In this section, we compare the proposed MA-RABE with other schemes in terms of the storage overhead. The used notions in comparison are listed in Table 2. N and n respectively denote the number of users and AA in the scheme.

Table 2.

Notations

Symbol	Meaning
$|Z_p^{\ast }|$	size of the element of group $Z_p^{\ast }$
$|\mathbb{G}|$/$|{\mathbb{G}}_t|$	size of the element of group $\mathbb{G}$/${\mathbb{G}}_t$
$|SymCT|$	size of the ciphertext encrypted by AES
$T_a$	number of attributes in scheme
$A_u$	number of attributes owned by DU
$A_E$	number of attributes of LSSS matrix
$A_D$	number of attributes of DU’s minimum authorized set
P	one pairing operation of $\widehat{e}$
E/$E_t$	one exponentiation in $\mathbb{G}$/${\mathbb{G}}_t$
$E_E$	AES Encryption computation
$E_D$	AES Decryption computation

From the Table 3, we can see that the central authority appears in the schemes [44] and [17], where the CA key of [44] is a constant size and the CA key of [44] is positively correlated with the number of AA, the number of users and the number of attributes. The other three schemes [20, 32] and MA-RABE do not involve the central authority, so there is no need to consider the CA storage burden caused by the scheme’s scale and complexity.

Table 3.

The comparison of storage performance

	Key Size of CA	Key Size of DU	Ciphertext Size	Updated Ciphertext Size
Waters [44]	2$|Z_p^{\ast }|$	(2$A_u$+4)$|Z_p^{\ast }|$	$|SymCT|$+(2$A_E$+1)$|\mathbb{G}|$ + $|{\mathbb{G}}_t|$	-
Li et al. [17]	(2$T_a$+2N+n+10)$|Z_p^{\ast }|$	(2$A_u$+5)$|Z_p^{\ast }|$	$|SymCT|$+(2$A_E$+1)$|\mathbb{G}|$ + $|{\mathbb{G}}_t|$	-
Zhong et al. [20]	-	2$A_u|\mathbb{G}|$ + $|Z_p^{\ast }|$	$|SymCT|$+(3$A_E$+1)$|\mathbb{G}|$ + $|{\mathbb{G}}_t|$	$A_E|{\mathbb{G}}_t|$
Liu et al. [32]	-	$|Z_p^{\ast }|$	$|SymCT|$+(3$A_E$+2)$|\mathbb{G}|$ + $|{\mathbb{G}}_t|$	-
MA-RABE	-	$A_u|\mathbb{G}|$ + $|Z_p^{\ast }|$	$|SymCT|$ +(4$A_E$+2)$|\mathbb{G}|$ + $|{\mathbb{G}}_t|$	$|\mathbb{G}|$

In addition, we can see that the scheme [32] has the lowest storage overhead on the DU side. This is because the scheme [32] does not process the LSSS matrix for privacy protection, and the DU only needs to store the user private key used to decrypt the symmetric key with the size of $|Z_p^{\ast }|$. Since the proposed MA-RABE adopts the one-way anonymous key agreement, which requires additional storage of the corresponding attribute recovery key for each attribute. Therefore, the storage overhead on DU sied in this solution is $A_u|\mathbb{G}|$ + $|Z_p^{\ast }|$.

In terms of ciphertext storage overhead, since all schemes use AES symmetric encryption and ABE asymmetric encryption, the symmetrically encrypted ciphertexts in these schemes all require $|SymCT|$-sized space. In addition, the storage overhead of the ciphertext is related to the number of parameters set. It is reasonable that the ciphertext storage overhead of MA-RABE is slightly more than other schemes under the condition of ensuring privacy and realizing ciphertext pre-decryption. Finally, in terms of updating ciphertext, only the scheme [20] and MA-RABE realize the ciphertext update function. When MA-RABE updates the ciphertext, the ciphertext size that CSP needs to update only needs $|\mathbb{G}|$, which is much smaller than scheme [20].

The computaional overhead

In this section, we compare the proposed MA-RABE with other schemes in terms of the computaional overhead. The used notions in comparison are listed in Table 2. We assume that R is the number of revoked users and k is the secret sharing threshold in the multi-AA scheme.

Table 4 compares the computational overhead in detail, focusing on the most time-consuming operations: bilinear pairing operation and exponentiation operation.

Table 4.

The comparison of computational performance

	Encryption on DO side	Decryption on DU side	Update of Key	Update of Ciphertext
Zhong et al. [20]	(3$A_E$+1)E+2$A_E{E}_t$+$E_E$	$A_D$($E_t$+2P)+$E_D$	($N-R$+1)E+$E_t$ (off-chain)	$A_{E}P$
Liu et al. [32]	(4$A_E$+2)E+$E_t$+$E_E$	$E_t$+$E_D$	k($N-R$)(2$A_u$+4)E (on-chain)	-
MA-RABE	(5$A_E$+2)E+$E_t$+$E_E$	$E_t$+$E_D$	k(RlongN/R)E (on-chain)	E

From Table 4 we can know that when encrypting data on the DO side, the scheme [20] has fewer exponentiation operations in $\mathbb{G}$ and more exponentiation operations in ${\mathbb{G}}_t$ than scheme [32]. While the MA-RABE performs more exponentiation operations in $\mathbb{G}$ are used than scheme [32].

In terms of DU-side decryption, since the scheme [32] and MA-RABE both adopt outsourcing pre-decryption, the decryption overhead of these two schemes is lower than the scheme [20].

In terms of the cost of updating the key, the scheme [20] needs to update the decryption key for each non-revoked user. Besides, the scheme [32] needs to update the attribute key for each non-revoked user, so it has the most computational overhead. In contrast, MA-RABE has the lowest key update overhead, which is unrelated to the number of user attributes.

In terms of the cost of updating ciphertext, the scheme [20] and MA-RABE implement the ciphertext update function, and we can clearly see that MA-RABE has a lower and constant computational cost for updating ciphertext.

To further evaluate the actual performance of the schemes, we performed the simulation on a Ubuntu system with AMD R5 4600H CPU 3.0 GHz and 16 GB RAM. The cyclic group in the experiment adopts the curve group of the PBC library based on Python. The smart contracts are deployed on Hyperledger Fabric. The experimental data are an average of 50 simulation results.

Figure 8a contains the simulation results of encrypting the symmetric key on the DO side. The horizontal axis is the number of attributes in the access policy, i.e., the number of rows of the access matrix; the vertical axis is the time spent on encryption. Since the scheme [20] has more exponentiation operations, encryption takes significantly more time than the other two schemes. However, when encrypting the symmetric key, the scheme [32] performs fewer exponentiation operations in $\mathbb{G}$ by the number of attributes than MA-RABE, so it takes slightly less time than MA-RABE.

Fig. 8.

The simulation results of computational overhead compared with the Zhong et al. [20] and Liu et al. [32]

Figure 8b presents the decryption overhead of the symmetric key on the DU side. The horizontal axis is the number of rows in the access matrix corresponding to the minimum attribute set of the DU that satisfies the access policy; the vertical axis is the decryption time. Assuming that before decryption, DU has calculated the $\widehat{e}(g^r,H{(x)}^{\beta })$ of attributes required for decryption against the matrix confusion key $g^r$. For the same $g^r$, the $\widehat{e}(g^r,H{(x)}^{\beta })$ only needs to be calculated once forever. As shown in Figure 8b, since the pre-decryption in MA-RABE is outsourced to the CSP, DU only needs to perform one exponentiation operation to obtain the symmetric key, which has extremely high decryption efficiency.

Figure 8c shows the calculation results of the ciphertext update on the DO side. The horizontal axis is the number of attributes in the access policy; the vertical axis is the time spent in the calculation. The overhead of the scheme [20] has a linear relationship with the number of attributes. Since MA-RABE only needs to perform an exponentiation operation on updating the ciphertext, it has a constant ciphertext update overhead, which is obviously better than the former.

In general, the scheme has slightly more encryption calculation overhead on the DO side than the scheme [32]. But compared with the schemes [20] and [32], MA-RABE has sufficient advantages in other aspects.

Conclusion

In this article, we propose a secure revocable ABE scheme with multiple authorities MA-RABE based on blockchain. This solution can well solve the problem of privacy leakage and computational burden in the EHR sharing process. First, multiple authorities leverage PSSS (k,n) to manage users and distribute keys to prevent centralized power and achieve strong security robustness. Besides, MA-RABE supports any LSSS policy hiding through the novel decentralized one-way anonymous key agreement, which effectively protects the privacy of data owners and data users. The MA-RABE also achieves key update through the BT with low overhead. Considering that the EHR sharing scenario involves devices with limited computing resources, outsourcing decryption is introduced into MA-RABE. Theoretical analysis and experimental simulation show that the MA-RABE can implement more complex functions and meet the requirements of low storage overhead and low user decryption overhead. The future work for MA-RABE is to implement verifiable outsourcing decryption to prevent the CSP from dishonestly executing the protocol and returning to DU the wrong intermediate decryption ciphertext.

Biographies

Xiaohui Yang

is a Professor at the School of Cyber Security and Computer, Hebei University, China. He received his PhD degree from the University of Science and Technology of China in 2010. He has published several research papers in reputed international journals and conferences. His primary research interests include distributed computing, information security and trusted computing.

Wenjie Li

received his M.S. degree from the School of Cyber Security and Computer, Hebei University of China in 2021. Currently, he is a Ph.D. student at the School of Cyber Engineering, Xidian University, China. He is working on Cryptography and Blockchain technology novel applications, such as blockchain-based systems, decentralized applications, smart contracts programming and security and software development. His major research interests include information security, peer-to-peer networks, cryptocurrencies and blockchains.

Kai Fan

received the B.S., M.S., and Ph.D. degrees in telecommunication engineering, cryptography and telecommunication and information system from Xidian University, Xi’an, China, in 2002, 2005, and 2007, respectively. He is currently an Associate Professor with the State Key Laboratory of Integrated Service Networks, Xidian University. He has authored/co-authored over 70 papers in journals and conferences. He has received nine Chinese patents. He has managed five national research projects. His research interests include IoT security and information security.

Appendix A. The correctness proof of equations

The CSP pre-decrypts the ciphertext for DU as Eq. (15). The correctness proof of the Eq. (15) is presented here.

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill C{T}^{\prime }& =\prod _{i\in I}{\left[\frac{\widehat{e}(C_{i,1},PD{K}_{\theta ,uid})·\widehat{e}(N_{\theta ,\rho (i),1},C_{i,4})·\widehat{e}(N_{\theta ,\rho (i),2},C_{i,2})}{\widehat{e}(N_{\theta ,2}·C_{i,3})}\right]}^{c_i}·\frac{1}{\widehat{e}(C_0,U_{\theta ,2})}\hfill \\ \hfill & =\prod _{i\in I}{\left[\frac{\widehat{e}(g^{{\lambda }_i},p{k}_{\mathit{uid}}^{\alpha }·d^{v_{\theta }}·H{(t)}^{s_{\theta }})·\widehat{e}(g^{{\omega }_{\theta ,\rho (i)}},H{(x)}^{-u_i})·\widehat{e}(H{(x)}^{{\omega }_{\theta ,\rho (i)}}·h^{v_{\theta }},g^{u_i})}{\widehat{e}(g^{v_{\theta }},d^{{\lambda }_i}·h^{u_i})}\right]}^{c_i}\frac{1}{\widehat{e}(H{(t)}^s,g^{s_{\theta }})}\hfill \\ \hfill & =\prod _{i\in I}{\left[\frac{\widehat{e}(g^{{\lambda }_i},p{k}_{\mathit{uid}}^{\alpha }·d^{v_{\theta }}·H{(t)}^{s_{\theta }})·\widehat{e}(g^{{\omega }_{\theta ,\rho (i)}},H{(x)}^{-u_i})·\widehat{e}(H{(x)}^{{\omega }_{\theta ,\rho (i)}},g^{u_i})·\widehat{e}(h^{v_{\theta }},g^{u_i})}{\widehat{e}(g^{v_{\theta }},d^{{\lambda }_i})·\widehat{e}(g^{v_{\theta }},h^{u_i})}\right]}^{c_i}\frac{1}{\widehat{e}(H{(t)}^s,g^{s_{\theta }})}\hfill \\ \hfill & =\prod _{i\in I}{\left[\frac{\widehat{e}(g^{{\lambda }_i},p{k}_{\mathit{uid}}^{\alpha })·\widehat{e}(g^{{\lambda }_i},d^{v_{\theta }})·\widehat{e}(g^{{\lambda }_i},H{(t)}^{s_{\theta }})}{\widehat{e}(g^{v_{\theta }},d^{{\lambda }_i})}\right]}^{c_i}\frac{1}{\widehat{e}(H{(t)}^s,g^{s_{\theta }})}\hfill \\ \hfill & =\frac{{\prod }_{i\in I}{\left[\widehat{e},(g^{{\lambda }_i},p{k}_{\mathit{uid}}^{\alpha }),·,\widehat{e},(g^{{\lambda }_i},H{(t)}^{s_{\theta }})\right]}^{c_i}}{\widehat{e}(H{(t)}^s,g^{s_{\theta }})}\hfill \\ \hfill & =\frac{\widehat{e}(g^s,p{k}_{\mathit{uid}}^{\alpha })·\widehat{e}(g^s,H{(t)}^{s_{\theta }})}{\widehat{e}(H{(t)}^s,g^{s_{\theta }})}\hfill \\ \hfill & =\widehat{e}{(g,g)}^{usk·\alpha ·s}\hfill \end{array}\end{array}$$

The DU decrypts the pre-decryption result locally as Eq. (16). The correctness of Eq. (16) is presented as follows.

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill \mathit{KEY}& =\frac{\overline{C}}{{(C{T}^{\prime })}^{1/usk}}\hfill \\ \hfill & =\frac{KEY·\widehat{e}{(g,g)}^{\alpha ·s}}{{[\widehat{e}{(g,g)}^{usk·\alpha ·s}]}^{1/usk}}\hfill \\ \hfill & =\frac{KEY·\widehat{e}{(g,g)}^{\alpha ·s}}{\widehat{e}{(g,g)}^{\alpha ·s}}\hfill \end{array}\end{array}$$

Funding

This work is supported by the National Key R&D Program of China under Grant 2017YFB0802300 and the Natural Science Foundation of Hebei Province under Grant F2021201052.

Declarations

Conflict of interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.