Peng Liu, Qian He, Baokang Zhao, Biao Guo and Zhongyi Zhai
1 School of Computer and Information Security, Guilin University of Electronic Technology, Guilin, 541004, China
2 School of Computer Science, National University of Defense Technology, Changsha, 410073, China
ABSTRACT Cloud storage and edge computing are utilized to address the storage and computational challenges arising from the exponential data growth in IoT. However, data privacy is potentially at risk when data is outsourced to cloud servers or edge services. While data encryption ensures data confidentiality, it can impede data sharing and retrieval. Attribute-based searchable encryption (ABSE) is proposed as an effective technique for enhancing data security and privacy. Nevertheless, ABSE has its limitations, such as single attribute authorization failure, privacy leakage during the search process, and high decryption overhead. This paper presents a novel approach called the blockchain-assisted efficient multi-authority attribute-based searchable encryption scheme (BEM-ABSE) for cloud-edge collaboration scenarios to address these issues. BEM-ABSE leverages a consortium blockchain to replace the central authentication center for global public parameter management. It incorporates smart contracts to facilitate reliable and fair ciphertext keyword search and decryption result verification. To minimize the computing burden on resource-constrained devices, BEM-ABSE adopts an online/offline hybrid mechanism during the encryption process and a verifiable edge-assisted decryption mechanism. This ensures both low computation cost and reliable ciphertext. Security analysis conducted under the random oracle model demonstrates that BEM-ABSE is resistant to indistinguishable chosen keyword attacks (IND-CKA) and indistinguishable chosen plaintext attacks (IND-CPA). Theoretical analysis and simulation results confirm that BEM-ABSE significantly improves computational efficiency compared to existing solutions.
KEYWORDS Attribute-based encryption; search encryption; blockchain; multi-authority; cloud-edge
The widespread use of the Internet of Things (IoT) and 5G has led to a surge in the number of network edge devices, resulting in rapid growth in edge data [1,2]. The centralized data processing approach based on cloud computing faces challenges in efficiently processing the vast amount of data generated by edge devices. Edge computing has emerged as a promising solution to the challenges faced by traditional cloud computing in processing the massive amounts of data generated by IoT devices. The fundamental concept of edge computing is to perform computing tasks close to the data source, which reduces network transmission bandwidth and response delay compared to traditional cloud computing [3]. However, the untrusted or partially trusted nature of cloud service providers (CSP) and edge nodes (ENs) poses a significant risk to the privacy of sensitive data. Tampering with and abuse of data by these entities can leak user privacy information [3–5]. Although symmetric encryption can be used by the data owner (DO) to maintain data confidentiality, encryption prevents plaintext keyword retrieval. This creates challenges for fine-grained access control and data sharing.
To mitigate the potential risks of private data leakage, it is crucial to prioritize both data confidentiality and accessibility for effective access control. While symmetric encryption can provide data confidentiality, it makes information in encrypted data difficult to retrieve. Identity-based encryption (IBE) and attribute-based encryption (ABE) provide distinct access control mechanisms, with IBE offering coarse-grained access control and ABE providing fine-grained access control capabilities [6,7]. It is critical in practice to have both effective keyword search and fine-grained access control over encrypted data. The technique of searchable encryption (SE) enables data users (DUs) to conduct searches on ciphertext data using specific keywords [8]. To provide even more precise access control, the increasingly popular solution in both industrial and academic domains is ciphertext-policy attribute-based searchable encryption (CP-ABSE) with flexible access control policies [9,10]. The high computational and storage requirements of CP-ABSE prevent its deployment on resource-constrained IoT devices, despite its promise as an SE scheme for fine-grained access control. Therefore, a lightweight CP-ABSE scheme is a prerequisite for implementation on resource-constrained terminal devices. Additionally, many existing CP-ABSE schemes [9–13] that employ single-attribute authorization for attribute management and key distribution may encounter challenges in efficiently and securely handling attributes from a vast network of interconnected IoT devices and are prone to single-point failures and central corruption. Furthermore, trust in the CSP is often weakened due to the risk of malicious access to data and tampering with query results. In contrast, blockchain technology provides a safer and more trustworthy option [14]. As a decentralized ledger with multiparty consensus and a chain structure, blockchain offers an unparalleled guarantee of data integrity and trustworthiness compared to centralized systems.
This paper proposes an efficient multi-authority attribute-based searchable encryption scheme with blockchain assistance (BEM-ABSE) for cloud-edge collaboration. The BEM-ABSE scheme aims to provide secure and reliable searching while protecting privacy through blockchain, ciphertext searching, and ABE. To address the efficiency limitations and security vulnerabilities associated with Certificate Authorities (CAs), the BEM-ABSE scheme employs a consortium blockchain, enabling multiple attribute authorities to autonomously manage user attributes and key assignments. Furthermore, this scheme facilitates online/offline hybrid encryption and edge-assisted verifiable decryption, effectively minimizing the computational overhead involved in encryption and decryption operations. The main contributions of the scheme are as follows:
(1) Taking advantage of multi-authority ABE and blockchain, this paper proposes a searchable encryption scheme with fine-grained access control for cloud-edge collaboration. BEM-ABSE supports ciphertext keyword search based on smart contracts, online/offline hybrid encryption, and edge-assisted verifiable outsourcing decryption. This paper also proves that the scheme can resist IND-CPA and IND-CKA under the random oracle model.
(2) A consortium blockchain is designed to replace the trusted CA in the traditional CP-ABSE scheme, allowing for the generation of global public parameters and the execution of ciphertext searches. The dependence on single-centre authorization is broken, and the reliability of ciphertext searches is improved.
(3) An online/offline hybrid encryption mechanism is utilized to reduce the time overhead during the encryption phase by performing pre-encryption computation and generating intermediate ciphertext. The decryption tasks are offloaded to ENs, effectively decreasing the computational burden of decryption for resource-constrained IoT devices.
The remainder of this paper is organized as follows. Section 2 provides a review of the related work. Section 3 presents the background knowledge needed to understand BEM-ABSE. Section 4 formalizes the system and security model. Then, the formal construction of the BEM-ABSE scheme is presented in Section 5. Sections 6 and 7 present separate analyses of security and performance. Finally, the work of this paper is concluded in Section 8.
SE enables search on encrypted data using specified keywords, while ABSE provides detailed permission control for ciphertext retrieval, and significant research has been conducted in this field. Searchable symmetric encryption was first proposed by Song et al. [8] in 2000. However, using a single shared key for encryption and decryption in symmetric cryptography makes it impractical for complex multi-user applications. ABSE provides a flexible way to execute access control policies, ensuring that only users with the required policy attributes can access data. This one-to-many access control model enables secure and convenient data sharing. To reduce the computational overhead during the search process, Zheng et al. [9] proposed an ABSE scheme with verifiable results, which uses verifiable attribute-based encryption, but it also has some drawbacks, such as requiring a secure channel and high costs. Huang et al. [15] introduced a rapid and privacy-preserving attribute-based keyword search system designed for cloud document services. This system exhibits improved stability and efficiency during the search phase, but it does entail additional computational costs in other phases. Zhang et al. [16] designed a distributed and scalable searchable encryption access control scheme that utilizes cloud services to achieve lightweight decryption, resulting in lower computational complexity and improved security against selected keyword attacks and selected plaintext attacks, but it is not suitable for resource-constrained devices due to its high encryption time overhead. Considering the limitations of resource-constrained devices, Miao et al. [17] proposed a constant-sized trapdoor-based online/offline SE for cloud-assisted industrial IoT, where the overall encryption burden on the DO is still heavy, but the cost of generating the DU's trapdoor is reduced through an elegant technique. Zhou et al. [18] proposed a general searchable encryption scheme for cloud-assisted industrial IoT systems, with lightweight generation of both index and query trapdoors. Liu et al. [5] proposed an efficient ABSE scheme for cloud-edge collaborative computing, reducing the computational cost of resource-constrained terminals by allowing the EN to simultaneously perform text-based search and pre-decryption algorithms and save keyword indexes.
However, these schemes risk leaking private data because the CSP and ENs are either untrusted or semi-trusted. The combination of searchable public key encryption with blockchain technology is gaining popularity among scholars as a way to enhance ciphertext security. This approach benefits from blockchain technology's decentralized, transparent, traceable and tamper-proof characteristics. Yang et al. [19] presented a scheme that uploads encrypted files to the cloud while placing the encrypted index on the blockchain. This scheme ensures the tamper resistance, integrity, and traceability of the encrypted index and enables users to obtain accurate search results without needing third-party verification. However, these schemes have limitations, such as scalability difficulties, security and performance bottlenecks, and the potential for excessive permissions, as they rely on a single authorization center. Niu et al. [20] proposed a policy-hiding and verifiable blockchain-assisted ABSE scheme. This scheme stores the index on the blockchain, and searches are performed using smart contracts, which reduces the computational load on the service. With the growth of the Internet of Things and the widespread adoption of 5G wireless networks, the cloud-edge collaborative data-sharing model has become more prevalent, and the number of IoT devices requiring authorization has increased significantly. However, relying on a single authorization center can result in significant losses if it crashes or is compromised.
There are significant security risks in the current ABE schemes, as they rely on one attribute authority to manage attributes and keys. This authority may be able to decrypt any ciphertext within its control. To address this issue, researchers have proposed a variety of multi-authority ABE (MA-ABE) schemes. The MA-ABE scheme was first proposed by Chase [21], but managing attribute authorities requires a trusted certificate authority, which may prove costly and have backward security challenges. Subsequently, Lewko et al. [22] proposed a distributed multi-authority ABE where attribute authorities are solely responsible for creating initial public parameters. The scheme utilizes a linear secret sharing scheme (LSSS) matrix to represent access policies, offering greater expressive capabilities compared to AND gates. However, the scheme lacks post-quantum security assurance. Tu et al. [23] suggested using attribute-group keys for large attribute domains in distributed computing systems using fog computing. To improve user privacy and security, Guo et al. [24] developed an encrypted data access control solution that utilizes smart contracts to define interactions between DOs, users and attribute authorities. However, DOs using symmetric encryption for data encryption can incur heavy key management overhead. Qin et al. [25] utilized a consortium blockchain to establish trust bridges between attribute authorities and designed an MA-ABE based on blockchain. However, the existence of certificate authorities raises concerns about potential single-point failures. According to Xiao et al. [26], their blockchain-based MA-ABE scheme incorporates flexible attribute revocation; it can be applied to data publishing services and payment platforms for DOs. To manage dynamic users and improve search result credibility, Yu et al. [27] proposed an efficient multi-authority SE scheme using blockchain technology for keyword-based search and dynamic user management. Multiple-cloud block storage technology was used by Wu et al. [28] to address the problems with unstable cloud servers and to guard against malicious actions, including the leakage of private information, tampering with ciphertext, and malicious deletion of ciphertext. The security of keyword indexes and the impartiality of search results are guaranteed by the blockchain's immutability. Utilizing online/offline encryption and outsourced decryption processes, Xu et al. [29] suggested a distributed ABSE approach with shared keyword search. Although the key delegation problem is resolved inside a single authority, the approach has a somewhat high total computation cost.
While these schemes address the attribute and key management issue a single authority brings, current multi-authority systems still face some challenges. Some schemes rely on a central authority for management [30], generating complete private keys through the CA to avoid a single point of failure among attribute authorities. However, this approach also involves high trust costs for the CA. Additionally, there is over-reliance on the cloud service when users send encryption requests to the cloud. The CSP usually performs encryption search and pre-decryption processes [31], meaning it can arbitrarily modify the search results or encryption data.
Assume that $G$ and $G_T$ are multiplicative cyclic groups, where the group order is $p$ and the generator is $g$. The properties described below apply to the bilinear group mapping $e: G \times G \to G_T$:
(1) Bilinearity: $e(u^a, v^b) = e(u, v)^{ab}$, $\forall u, v \in G$ and $a, b \in Z_p$;
(2) Nondegeneracy: $e(g, g) \neq 1$;
(3) Computability: an efficient algorithm exists to calculate $e(u, v)$, $\forall u, v \in G$.
Definition 1 (access structure): Given $n$ participants $P = \{P_1, P_2, \cdots, P_n\}$, a collection $\mathbb{A} \subseteq 2^{\{P_1, P_2, \cdots, P_n\}}$ is considered monotonic when the following condition is satisfied: $\forall B, C$: if $B \in \mathbb{A}$ and $B \subseteq C$, then $C \in \mathbb{A}$. A monotonic access structure is defined as a collection $\mathbb{A}$ containing non-empty subsets of $\{P_1, P_2, \cdots, P_n\}$. Authorized collections are those within the collection $\mathbb{A}$, while unauthorized collections refer to the remaining subsets.
Each participant is both a distributor and a participant in the Pedersen $(t, n)$ algorithm [27]. There are $n$ participants $p = (p_1, p_2, \cdots, p_n)$, each of which distributes its respective sub-secret $S_i$ using the Shamir secret-sharing algorithm. The specific design of the algorithm is outlined as follows.
(1) Generating the master secret $S$: Each distributor (participant) $p_i$ randomly selects its respective sub-secret $S_i$. The master secret of the whole scheme is defined as $S=$.
(2) Producing the sub-share value $s_{i,j}$: $p_i$ chooses a $(t-1)$th-degree polynomial $f_i(x)$ satisfying $S_i = f_i(0)$ and calculates $s_{i,j}=$ for each $p_j$. Then, $p_i$ sends the sub-share $s_{i,j}$ to the associated participant $p_j$ and keeps $s_{i,i}$ as part of the main share.
(3) Producing the master share $s_i$: Each $p_i$ calculates its respective $s_i$ with the formula $s_i=$, where $s_{i,j}$ is the share held by participant $p_i$ itself. Note that $p_i$ presents only the master share $s_i$ when reconstructing the secret, as a sub-share of the reconstructed secret.
(4) Recovering the master secret: Since any $t$ participants can recover the master secret, it may be assumed that $p_1, p_2, \cdots, p_t$ rebuild $S$ using the Lagrange interpolation formula, and the specific algorithm is $S=$.
The Pedersen $(t, n)$ algorithm achieves secure sharing of secrets among multiple participants without revealing any information about the secret and without a trust center. Therefore, it is executed by blockchain nodes in the BEM-ABSE scheme to produce global parameters and accomplish ciphertext search.
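The four steps above, as an added example that is not the paper's code. The formulas are missing from this page's text, so the code assumes the standard dealer-free construction: $S$ is the sum of the $S_i$, $s_{i,j} = f_i(j)$, the master share of $p_j$ is the sum of the sub-shares it receives, and recovery is Lagrange interpolation at 0. The modulus `Q` and all function names are constructed for illustration.

```python
"""Dealer-free (t, n) secret sharing in the style of the Pedersen procedure.

Assumptions (not from the paper): arithmetic is over Z_Q with Q = 2**127 - 1,
a stand-in for the scheme's group order p; participant j has index x = j.
"""
import secrets

Q = 2**127 - 1  # Mersenne prime, constructed parameter


def _poly_eval(coeffs, x):
    """Horner evaluation of f(x) = coeffs[0] + coeffs[1]*x + ... (mod Q)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def deal(t, n, sub_secret=None):
    """Steps (1)-(2) for one participant p_i.

    Picks S_i and a random degree t-1 polynomial f_i with f_i(0) = S_i, then
    returns (S_i, {j: s_ij}) where s_ij = f_i(j) is the sub-share for p_j.
    """
    s_i = secrets.randbelow(Q) if sub_secret is None else sub_secret % Q
    coeffs = [s_i] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return s_i, {j: _poly_eval(coeffs, j) for j in range(1, n + 1)}


def run_protocol(t, n, sub_secrets=None):
    """Steps (1)-(3) with all n participants acting as dealers.

    Returns (S, master_shares). S is computed here only so the example can be
    checked; in a real run no single node ever holds it.
    """
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    dealt = [
        deal(t, n, None if sub_secrets is None else sub_secrets[i])
        for i in range(n)
    ]
    master_secret = sum(s_i for s_i, _ in dealt) % Q
    # Step (3): p_j adds up the sub-shares s_1j ... s_nj it received.
    master_shares = {
        j: sum(sub[j] for _, sub in dealt) % Q for j in range(1, n + 1)
    }
    return master_secret, master_shares


def reconstruct(shares):
    """Step (4): Lagrange interpolation at x = 0 over {index: master_share}."""
    secret = 0
    for j, s_j in shares.items():
        num, den = 1, 1
        for k in shares:
            if k != j:
                num = (num * -k) % Q
                den = (den * (j - k)) % Q
        secret = (secret + s_j * num * pow(den, -1, Q)) % Q
    return secret


if __name__ == "__main__":
    S, shares = run_protocol(t=3, n=5)
    quorum = {j: shares[j] for j in (1, 3, 5)}
    too_few = {j: shares[j] for j in (1, 2)}
    print("quorum of 3 recovers S:", reconstruct(quorum) == S)
    print("2 shares recover S:   ", reconstruct(too_few) == S)
```

Because the master shares are points on the sum of the $f_i$, any $t$ of them interpolate to $S$, while fewer than $t$ yield an unrelated field element.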
Definition 2 (Bilinear Diffie-Hellman (BDH) assumption). Let $(G, G_T, g, e)$ be the bilinear mapping parameters and $g^a, g^b, g^c \in G$ be elements, where $a, b, c \in Z_p$ are selected at random. The BDH problem in $(G, G_T, g, e)$ is to compute the bilinear pairing $e(g, g)^{abc} \in G_T$ from $g^a, g^b, g^c$. An algorithm $\mathcal{A}$ has advantage $\varepsilon$ in solving the BDH problem in the group $G$ when the following inequality, Eq. (1), holds. The BDH assumption is true as long as no algorithm $\mathcal{A}$ is able to solve the BDH problem with a non-negligible advantage.
Definition 3 (Decisional q-parallel Bilinear Diffie-Hellman Exponent (BDHE) assumption). Let $(G, G_T, g, e)$ be the bilinear mapping parameters and $a, s, b_1, \cdots, b_q \in Z_p$ be random elements. Given:
Even though the adversary has a tuple $y$, the tuple and a random element $R \in G_T$ can nonetheless be difficult to differentiate from one another.
When the inequality Eq. (3) is satisfied, the algorithm demonstrates an advantage $\varepsilon$ in solving the q-BDHE problem. This implies that it is not possible for any algorithm to successfully solve the decisional q-BDHE problem with non-negligible advantage.
The system architecture of the suggested strategy is displayed in Fig. 1. It comprises five entities: DO, EN, CSP, AAs, DU and BC. The BEM-ABSE scheme system model is depicted in Fig. 1, demonstrating the scheme's fundamental structure.
1) DO. Any IoT device capable of generating data. The DO sets access policies, encrypts files and keyword indexes, and uploads the encrypted data and keyword indexes over a wireless network to the EN.
2) EN. ENs are located at the edge of the network and possess strong computing and storage capabilities. They dutifully store the ciphertext in the CSP and embed the keyword index and ciphertext address into the keyword index storage transaction, which is then submitted to the blockchain. In addition, ENs assist the DU in partially decrypting the ciphertext, but they cannot obtain any information during the decryption process.
3) CSP. The CSP is responsible for providing storage services for the encrypted data uploaded by a legitimate DO through the EN. In addition, it allows the EN to access the ciphertext data associated with search results.
4) AAs. BEM-ABSE has a number of attribute authorities. Each AA manages multiple attributes in an attribute domain and generates user attribute keys based on its user attributes.
5) DU. DUs create search trapdoors using keywords of interest and embed them into search transactions, which are then submitted to the blockchain for subsequent encrypted file searching. After receiving the partially decrypted ciphertext associated with search results from the EN, DUs can fully decrypt the data using their identity private keys.
6) BC. The BC consists of trusted nodes responsible for global parameter generation and user registration. Search smart contracts (SSC) and validation smart contracts (VSC) are deployed on the blockchain. The SSC conducts encrypted file searching on the blockchain through search trapdoors submitted by users, while the VSC verifies the integrity of the data associated with user search results.
Figure 1: System architecture
The EN serves as a crucial link between users and the cloud in BEM-ABSE. The DO encrypts and transmits a large amount of generated data to the cloud through the EN, reducing the cost of local storage management. Moreover, in order to lessen the computing burden of the decryption process, the EN nearest to the DU is in charge of partly decrypting the ciphertext. The CSP is solely responsible for storing a large amount of encrypted data. A permissioned blockchain composed of pre-selected trusted nodes is accountable for storing encrypted indices, conducting ciphertext searches, and verifying decryption results to achieve secure and controllable encrypted retrieval.
The BEM-ABSE scheme includes the following nine algorithms. Assume there are $N$ attribute authorities $\{AA_1, AA_2, \cdots, AA_N\}$ in BEM-ABSE, a global attribute set $S$ has a total of $U$ attributes, and each AA manages a different set of attributes $S_i$, $i \in N$.
(1) Setup
1) GlobalSetup($1^\lambda$) → $GP$. The BC executes the algorithm. It takes a security parameter $\lambda$ as input and outputs the global parameters $GP$.
2) AuthoritySetup($GP$, $S_i$) → ($PK_i$, $SK_i$). Given $GP$ and $S_i$, each $AA_i$ runs the procedure to produce the public and private keys ($PK_i$, $SK_i$). Notice that $SK_i$ is held by the attribute authority.
(2) Key Generation
1) IdKeyGen($GP$, $uid$) → ($usk_{uid}$, $upk_{uid}$). Given the user identification $uid$ and $GP$, the legitimate user runs the algorithm to output its secret key $usk_{uid}$ and public key $upk_{uid}$. Notice that $usk_{uid}$ is held by the user, who sends $upk_{uid}$ to the BC for registration.
2) SKGen($GP$, $uid$, $S_{uid}$, $SK_i$, $PK_i$) → $SK_{i,uid}$. Given $GP$, $uid$, the user attribute set $S_{uid}$, $PK_i$ and $SK_i$, each associated $AA_i$ executes this algorithm to generate the decryption key $SK_{i,uid}$ and sends it to the DU to construct the user transform key $TK_{uid}$.
(3) Encryption
1) Offline.Enc($GP$, $PK_i$) → $IC$. This phase is performed by the DO's more computationally capable devices. It takes $GP$ and $PK_i$ as input and outputs the intermediate ciphertext $IC$. Note that this part of the operation is calculated only once when the set of attributes of the DO remains unchanged.
2) Online.Enc($GP$, $IC$, $PK_i$, ($M_{l \times n}$, $\rho$), $F$, $W$) → ($CT$, $I_w$). Given the access policy ($M_{l \times n}$, $\rho$), original data $F$, keyword set $W$ and $GP$, $IC$, $PK_i$, it generates a set $I_w$ of keyword indexes and the ciphertext $CT$.
(4) Trapdoor Generation
TrapGen($GP$, $w'$) → . Given $GP$ and a keyword of interest $w'$, the DU executes the algorithm to generate the trapdoor related to $w'$.
(5) Search
Search( , $I_w$) → $CT$/⊥. Taking the trapdoor and $I_w$ as inputs, the SSC runs a search algorithm to search for the file whose index $I_w$ matches the trapdoor. Afterward, the address of the ciphertext linked with the search results is sent to the DU by the SSC.
(6) Decryption
1) EN.Dec($CT$, $GP$, $SK_{i,u}$) → $CT'$. On receiving the $CT$ obtained from the CSP using the ciphertext address from the DU, and taking as input $GP$ and the transformation key $TK_{uid}$ of the user $uid$, the EN generates the partially decrypted ciphertext $CT'$ for the DU.
2) User.Dec($CT'$, $usk_{uid}$, $VK_F$) → $F$/⊥. After obtaining $CT'$ from the EN, the DU decrypts $CT'$ using its $usk_{uid}$ to obtain the symmetric key, thus recovering the data file $C_F$.
The security of BEM-ABSE is based on the BDH assumption and the q-BDHE assumption. This paper designs two security games to demonstrate that the BEM-ABSE system is secure in the IND-CKA and IND-CPA models.
(1) IND-CKA mode.
The BEM-ABSE scheme is IND-CKA secure. A pre-selected group of reliable and secure nodes serves as the consensus nodes in a blockchain, although these nodes might be unavailable or infected. As long as the Pedersen $(t, n)$ secret sharing method remains safe, no one node can independently complete the reconstruction of the system's secret parameters, keeping the entire blockchain secure. The IND-CKA security of BEM-ABSE is defined as a game between challenger $\mathcal{C}$ and adversary $\mathcal{A}$.
Setup: The challenger $\mathcal{C}$ invokes the Pedersen algorithm to run GlobalSetup, generates $GP$, and sends $GP$ to $\mathcal{A}$.
Phase 1: In probabilistic polynomial time (PPT), $\mathcal{A}$ provides a keyword collection to $\mathcal{C}$; then $\mathcal{C}$ performs TrapGen to generate the trapdoor associated with each keyword and sends them to the adversary.
Phase 2: $\mathcal{A}$ adaptively repeats the queries of Phase 1, subject to the constraints of the query phase.
Guess: $\mathcal{A}$ outputs its guessed bit $b'$, and if $b = b'$, $\mathcal{A}$ wins the attack game; otherwise, it fails. The advantage of $\mathcal{A}$ winning this game is.
Definition 4: If the bilinear Diffie-Hellman assumption holds, the BEM-ABSE scheme achieves IND-CKA security.
(2) IND-CPA mode.
The BEM-ABSE scheme is IND-CPA secure. Assume that $\mathcal{A}$ can adaptively perform any key query while only statically corrupting the attribute authorities. Let $S_A$ be a set of AAs and $S$ be a set of attributes. The IND-CPA security of BEM-ABSE is defined in a game between $\mathcal{C}$ and $\mathcal{A}$.
Init: The adversary $\mathcal{A}$ pre-selects the corrupted set of attribute authorities, a subset of $S_A$, and chooses an access structure $(M^*, \rho^*)$. After that, $\mathcal{A}$ provides this access structure to $\mathcal{C}$. In addition, $\mathcal{A}$ constructs and initializes a collection D and a table T.
Setup: $\mathcal{C}$ invokes the Pedersen algorithm to run GlobalSetup, generates $GP$, and sends $GP$ to $\mathcal{A}$. At the same time, $\mathcal{C}$ performs AuthoritySetup on the attribute authorities in $S_A$ that are not in the corrupted set to generate the key pair $(PK, SK)$ and returns $PK$ to $\mathcal{A}$. For the attribute authorities in the corrupted set, $\mathcal{A}$ directly performs AuthoritySetup to obtain key pairs.
Phase 2: $\mathcal{A}$ adaptively repeats the queries of Phase 1, subject to the constraints of the query phase.
Guess: $\mathcal{A}$ outputs its guessed bit $b'$, and if $b = b'$, $\mathcal{A}$ wins the attack game; otherwise, it fails. The advantage of $\mathcal{A}$ winning this game is.
Definition 5: The BEM-ABSE scheme achieves IND-CPA security if no PPT adversary has a significant advantage in the security game described above.
(1) Setup
(2) Key Generation
1) IdKeyGen: The DU is assigned a unique identifier $uid$ and a set of attributes $S_{uid}$ when it joins BEM-ABSE, and then the DU randomly selects $z \in$ and calculates $g^{a/z}$ and $g^{1/z}$. After that, the DU sends its public identity key $upk_{uid} = (g^{a/z}, g^{1/z})$ to the BC for registration and keeps the private identity key $usk_{uid} = z$.
(3) Encryption
Leveraging $IC$ on end devices with limited resources, such as sensors and wearables, can help decrease the processing overhead of the encryption process. In addition, the $IC$ can be used multiple times when the attributes owned by the user remain unchanged.
2) Online.Enc: After obtaining the intermediate ciphertext $IC$, the DO first chooses a random number $m \in G_T$ and calculates $K = H_2(m)$ as the symmetric key, and then generates the ciphertext $C_F = \mathrm{Enc}_{sym}(K, F)$ and the verification value $VK_F = H_1(H_2(m) \| C_F)$ of the data file $F$.
(4) Trapdoor Generation
(5) Search
(6) Decryption
2) User.Dec: After receiving the transformed ciphertext from the EN, the DU utilizes its private key $usk_{uid}$ to decrypt and retrieve the random number $m = C/(CT')^z$. Then, the DU generates a validation transaction and embeds $m$ and $address$ in it before submitting it to the BC, which verifies the equality between $H_1(H_2(m) \| C_F)$ and $VK_F$ through the VSC. If they are equal, the DU obtains the complete outsourced decrypted data and decrypts the data file $F = \mathrm{Dec}_{sym}(K, C_F)$ with the symmetric key $K = H_2(m)$. Otherwise, decryption fails and outputs ⊥. It is worth noting that data validation is not mandatory during the decryption process.
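The key derivation and verification steps of Online.Enc and User.Dec, as an added example that is not the paper's implementation. It assumes $H_1$ and $H_2$ are domain-separated SHA-256, $\mathrm{Enc}_{sym}$ is a hash-based keystream stand-in so the block runs on the standard library alone, $m$ is 32 bytes standing in for a serialised $G_T$ element, and the VSC comparison runs locally inside `user_decrypt`; all function names are illustrative.

```python
"""VK_F = H1(H2(m) || C_F): detecting a bad edge-assisted decryption result.

Assumptions (not from the paper): SHA-256 with a prefix models H1 and H2;
enc_sym is a SHA-256 counter-mode keystream XOR used only so the example has
no third-party dependency (use an AEAD such as AES-GCM in a deployment).
"""
import hashlib
import hmac


def H1(data: bytes) -> bytes:
    return hashlib.sha256(b"H1|" + data).digest()


def H2(data: bytes) -> bytes:
    return hashlib.sha256(b"H2|" + data).digest()


def _keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def enc_sym(key: bytes, data: bytes) -> bytes:
    """Stand-in for Enc_sym / Dec_sym (XOR with a keystream is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def online_encrypt(m: bytes, file_bytes: bytes):
    """DO side: K = H2(m), C_F = Enc_sym(K, F), VK_F = H1(H2(m) || C_F)."""
    k = H2(m)
    c_f = enc_sym(k, file_bytes)
    return c_f, H1(k + c_f)


def user_decrypt(m: bytes, c_f: bytes, vk_f: bytes, validate: bool = True):
    """DU side, after m has been recovered from the EN's partial decryption.

    With validate=True the VSC check H1(H2(m) || C_F) == VK_F is enforced and
    None (the scheme's ⊥) is returned on mismatch. validate=False models the
    optional-validation path mentioned in the text.
    """
    k = H2(m)
    if validate and not hmac.compare_digest(H1(k + c_f), vk_f):
        return None
    return enc_sym(k, c_f)


if __name__ == "__main__":
    m = b"\x01" * 32                                   # constructed sample
    F = b"constructed sensor record: temp=21.5C"       # constructed sample
    c_f, vk_f = online_encrypt(m, F)
    tampered = bytes([c_f[0] ^ 1]) + c_f[1:]           # one flipped bit

    print("honest:            ", user_decrypt(m, c_f, vk_f))
    print("tampered C_F:      ", user_decrypt(m, tampered, vk_f))
    print("wrong m from EN:   ", user_decrypt(b"\x02" * 32, c_f, vk_f))
    print("tampered, no check:", user_decrypt(m, tampered, vk_f, validate=False))
```

The last call returns a silently altered plaintext, which is what skipping the optional validation step costs when the EN or CSP is not trusted.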
Theorem 1: If the decisional q-BDHE assumption holds, the BEM-ABSE scheme achieves IND-CPA security.
Proof: Assume there is a game that can be won in PPT by the adversary $\mathcal{A}$ with a non-negligible advantage $\varepsilon$. Then, we construct a simulator $\mathcal{B}$ with a non-negligible advantage $\varepsilon/2$ to solve the decisional q-BDHE problem. The simulation is carried out as follows.
Phase 2: $\mathcal{A}$ adaptively repeats the queries of Phase 1, subject to the constraints of the query phase.
Because of the hardness of the q-BDHE problem, the advantage of the adversary in breaking the BEM-ABSE scheme is negligible.
Theorem 2: If the bilinear Diffie-Hellman assumption holds, the BEM-ABSE scheme achieves IND-CKA security.
Phase 1: $\mathcal{A}$ can adaptively issue the subsequent oracles in PPT.
Phase 2: $\mathcal{A}$ adaptively repeats the queries of Phase 1, subject to the constraints of the query phase.
BEM-ABSE supports multi-authority, LSSS, on/offline encryption, assisted decryption, results verification and blockchain. The functional features are compared in Table 1. Schemes [29,31] and BEM-ABSE are all SE schemes based on multiple authorization centers. The access policy is based on LSSS, which can effectively avoid single-point failures and improve the system's security. However, with the exception of BEM-ABSE, the other systems lack online/offline procedures or edge-assisted decryption in the encryption and decryption stages and therefore place a significant computational cost on the client. Although scheme [29] outsources encryption and decryption to save costs for the client, its overall computing cost is significant, and its impact is poor. Scheme [20] and BEM-ABSE support data integrity verification. Furthermore, BEM-ABSE runs ciphertext search via a smart contract and uploads the ciphertext index to the blockchain, which can better safeguard user privacy and data security.
Table 1: Functional comparison
In theoretical computations, the computational complexity is primarily evaluated by considering the pairing $P$ and the exponentiation $E$ ($E_T$) operations on the group $G$ ($G_T$). Multiplication and hash operations are relatively lighter in comparison and are not given as much emphasis in the computational analysis.
The computational complexity of the selected methods was analyzed, and a detailed study was conducted on the differences in computational costs. The results are compared in Table 2, where $|S|$ is the number of attributes of the user and $l$ is the number of attributes in the access policy. As the number of attributes increases linearly, BEM-ABSE generates keys at a lower computational cost than the other two. Due to the online/offline strategy used in encryption, the computational overhead of DO online encryption is $3E + E_T + P$, while the computational costs for trapdoor creation and search are unaffected. In the decryption phase, due to the use of EN assistance for decryption, the DU's computational cost is $E_T$. Note that in the table, $\Delta$ represents $2l+1$, $\Theta$ represents $2|S|+1$, and "—" represents without consideration.
The storage cost comparison results of these schemes are shown in Table 3, where $|G|$, $|G_T|$ and $|Z_p|$ are used to specify the lengths of elements in $G$, $G_T$, and $Z_p$, respectively. The quantity of attributes influences the size of the user's key and ciphertext. In comparison to methods [20] and [29], BEM-ABSE has less storage overhead during the key generation and ciphertext generation phases. It is worth noting that the storage cost in the trapdoor generation and search phases is constant, which is a significant advantage over the other two schemes.
Table 2: Comparison of computational cost
The experiment simulated the deployment of a Hyperledger Fabric on a server with an Inter?Xeon?E5-2630 CPU@2.3 GHz 16-core and 64 GB RAM.We instantiated an edge node on a laptop with a 2.8 GHz Intel?Core?i7-1165 and 16 GB of RAM and instantiated a resource-constrained device on a Raspberry Pi 3B with a Quad-Core ARMv8 CPU@1.2 GHz 4-core processor and 1 GB of RAM.The Fabric network is made up of three order nodes and four peer nodes that use the Raft consensus mechanism.Note that the experiment used the Pairing-Based Cryptography Library(PBC)to implement cryptographic operations and chose an elliptic curve group with type A:y2=x3+xand the order of the group is 160 bits.When theG(GT)group order is set as 512 bits,we can obtainwith a length of 160 bits and|G|and|GT|with a length of 1024 bits.Moreover,we also setl=|S|∈[0,50].
Fig.2 describes the computation and storage cost of BEM-ABSE.The comparison of computation costs is given in Figs.2a–2d.In Fig.2a,we noticed that the time cost for all three methods has a direct correlation with the number of attributes during the key generation procedure.Notably,when compared to the other two systems,the BEM-ABSE method has reduced computing costs.In Fig.2b,scheme BEM-ABSE adopts an online/offline encryption mechanism.Note that although the BEMABSE scheme’s computational cost during the encryption phase is larger than that of the scheme[20],the BEM-ABSE scheme uses intermediate ciphertexts for online encryption during DO usage in the encryption process rather than performing offline encryption every time during encryption.When we setl=50,the time cost of DO online encryption is 25.52 ms.The computational costs for the trapdoor generation and search are shown in Figs.2c and 2d,respectively.In the BEM-ABSE scheme,the computational costs of trapdoor generation and ciphertext search remain constant.
Figure 2: Algorithm time and storage cost
Next, the comparison of storage costs is given in Figs. 2e and 2h. As illustrated in Fig. 2e, the key generation stage storage costs in scheme [29] and BEM-ABSE are similar. When the number of attributes reaches 50, scheme [20] has a storage cost that is almost double that of BEM-ABSE. In Fig. 2f, it can be observed that in the encryption stage, the storage cost of scheme [29] escalates significantly as the number of attributes increases, surpassing the storage cost of scheme [20] and BEM-ABSE by a significant margin. Figs. 2g and 2h demonstrate that the storage costs of the trapdoor generation and search stages in BEM-ABSE are $2|G| + |G_T|$ (0.38 KB) and $2|G| + 2|G_T|$ (0.5 KB), respectively, and remain unaffected by the number of attributes. However, the storage costs in the same stages for schemes [20] and [29] increase linearly with the number of attributes.
Fig. 3 depicts the decryption time overhead. Both the BEM-ABSE scheme and [29] exhibit a linear increase in decryption time overhead as the number of attributes in the ciphertext policy grows. The BEM-ABSE scheme has a total decryption time of 282 ms when there are 50 attributes, which is much less than the 423 ms of scheme [29]. To further lower the DU's computing expense during the decryption stage, the BEM-ABSE scheme delegates the computationally expensive ciphertext conversion to ENs. The DU then only needs to perform the same fixed operations regardless of the access policy. Using the computational resources of ENs simplifies the decryption process, reduces complexity, and shortens the decryption time. A lightweight decryption procedure of this kind is advantageous for increasing the decryption efficiency of IoT devices with limited resources.
Figure 3: Decryption time cost
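The split of work between EN and DU described above can be sketched without pairings. This added example is not the paper's construction or code: it assumes the common transform-key blinding approach in a toy multiplicative group, with a hash tag standing in for result verification, and all names and parameters are hypothetical.

```python
import hashlib
import secrets
from math import gcd

P = 2**127 - 1      # Mersenne prime; toy group Z_P^*, not the paper's pairing group
G = 3               # fixed base, assumed for this example
ORDER = P - 1       # exponents are reduced modulo the group order

def tag(k: int) -> bytes:
    """Commitment to the session key, published alongside the ciphertext."""
    return hashlib.sha256(k.to_bytes(16, "big")).digest()

def keygen():
    x = secrets.randbelow(ORDER - 2) + 1          # DU's long-term secret
    return x, pow(G, x, P)

def encrypt(pk: int, k: int, l: int):
    """DO side: split the randomness s into l shares, one per policy attribute."""
    shares = [secrets.randbelow(ORDER) for _ in range(l)]
    s = sum(shares) % ORDER
    c_attrs = [pow(G, s_i, P) for s_i in shares]
    c_key = k * pow(pk, s, P) % P                 # session key k masked by G^(x*s)
    return c_attrs, c_key, tag(k)

def blind_key(x: int):
    """DU side, once: transform key tk = x/z goes to the EN, z stays local."""
    while True:
        z = secrets.randbelow(ORDER - 2) + 2
        if gcd(z, ORDER) == 1:
            return x * pow(z, -1, ORDER) % ORDER, z

def edge_transform(tk: int, c_attrs):
    """EN side: one exponentiation per attribute component, so cost grows with l."""
    out = 1
    for c in c_attrs:
        out = out * pow(c, tk, P) % P
    return out                                    # G^(s*x/z); unmasking needs z

def du_decrypt(z: int, partial: int, c_key: int, t: bytes) -> int:
    """DU side: one exponentiation and one inversion, independent of l."""
    mask = pow(partial, z, P)                     # G^(s*x)
    k = c_key * pow(mask, -1, P) % P
    if tag(k) != t:
        raise ValueError("EN returned an invalid partial decryption")
    return k
```

The tag is only meaningful here because `k` is a random session key; a hash of low-entropy plaintext would leak it.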
This paper presents an efficient multi-authority attribute-based searchable encryption scheme with blockchain assistance (BEM-ABSE) for cloud-edge collaborative scenarios. The BEM-ABSE scheme introduces an online/offline hybrid encryption mechanism. It adopts an edge-assisted outsourcing decryption mechanism, significantly improving the efficiency of encryption and decryption and effectively reducing the computation overhead of resource-limited IoT devices. The consortium blockchain serves as a trusted authentication center for global parameter generation and management, and the introduction of smart contracts realizes trusted and fair ciphertext keyword search and decryption result verification. BEM-ABSE has been rigorously analyzed for security and shown to be secure against IND-CPA and IND-CKA attacks. Performance analysis confirms its efficiency and practicality. However, a major limitation of BEM-ABSE is its lack of support for expressive search queries such as fuzzy search and multi-keyword search, and its inability to revoke permissions for malicious users. Future work will focus on designing a flexible indexing and efficient permission revocation scheme, enabling BEM-ABSE to support various controllable search requests.
Acknowledgement: We thank the anonymous reviewers and editors for their very constructive comments.
Funding Statement: This work is supported by the National Natural Science Foundation of China (Nos. 62162018, 61972412), the Natural Science Foundation of Guangxi (No. 2019GXNSFGA245004), the Guilin Science and Technology Project (20210226-1) and the Innovation Project of Guangxi Graduate Education (No. YCSW2022296).
Author Contributions: The authors confirm contribution to the paper as follows: study conception and design: Peng Liu, Qian He; data collection: Peng Liu; analysis and interpretation of results: Peng Liu, Biao Guo; draft manuscript preparation: Peng Liu. All authors reviewed the results and approved the final version of the manuscript.
Availability of Data and Materials: The data used to support the findings of this study are included within the article.
Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.
Computers, Materials & Continua, 2023, Issue 9