Journal of King Saud University - Computer and Information Sciences 36 (2024) 101969

Blockchain-based CP-ABE data sharing and privacy-preserving scheme using distributed KMS and zero-knowledge proof

Zhixin Ren, Enhua Yan, Taowei Chen *, Yimin Yu *
School of Information, Yunnan University of Finance and Economics, No. 237 Longquan Road, Wuhua District, Kunming, Yunnan Province 650221, China
Institute of Intelligent Application, Yunnan University of Finance and Economics, No. 237 Longquan Road, Wuhua District, Kunming, Yunnan Province 650221, China

Article info

Keywords: Blockchain; CP-ABE; KMS; Zero-knowledge proof; Incentive mechanism

Abstract

Nowadays, the integration of blockchain technology with Ciphertext-Policy Attribute-Based Encryption (CP-ABE) has drawn researchers' attention because it can provide key security auditing and transaction traceability in the context of data sharing. However, in a majority of existing blockchain-based CP-ABE schemes, private keys are still issued by one central authority, which leads to heavy computation, higher transaction costs, and restricted scalability within the decentralized system. To address these challenges, we present an enhancement approach that utilizes a distributed key management service (KMS) and zero-knowledge paradigms. In our improved blockchain system model, we define two types of blockchain nodes for the CP-ABE scheme through a staking mechanism. Firstly, the proxy re-encryption nodes are introduced to offer secure multi-party management and distribution of the CP-ABE master secret key, eliminating dependence on a central authority and producing proofs of re-encryption correctness. Secondly, the operator nodes collect all transactional information in the blockchain-based CP-ABE scheme and then send Zero-Knowledge Succinct Non-Interactive Argument of Knowledge (zk-SNARK) proofs to verify the batch's integrity via smart contract. Subsequently, we employ a staking economic incentive model with reward determination and slashing in the decentralized blockchain system to ensure network security. Finally, simulation results validate the effectiveness of our proposed scheme in achieving secure and efficient data sharing. Even under the pressure of 100 simultaneous transactions, the average response time for a single node remains at approximately 28 s. Additionally, there is a notable decrease in on-chain gas consumption, with a gas reduction exceeding 61%. Comparative analyses further indicate that our blockchain-based CP-ABE scheme, in conjunction with a decentralized KMS, offers a superior balance between computational efficiency and functional capability.

* Corresponding authors at: Yunnan University of Finance and Economics, No. 237 Longquan Road, Wuhua District, Kunming, Yunnan Province 650221, China.
E-mail addresses: [email protected] (T. Chen), [email protected] (Y. Yu).
https://doi.org/10.1016/j.jksuci.2024.101969
Received 27 October 2023; Received in revised form 11 February 2024; Accepted 11 February 2024
Available online 29 February 2024
1319-1578/© 2024 The Author(s). Published by Elsevier B.V. on behalf of King Saud University. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
Z. Ren et al. Journal of King Saud University - Computer and Information Sciences 36 (2024) 101969

1. Introduction

In the digital era, data sharing has become a technology that makes it possible for data to be easily collaborated on and transferred across different domains. It is widely applicable and is establishing itself as an indispensable component of collaborative research and decision-making across various fields in recent years (Li et al., 2014; Lu and Cheng, 2019). For instance, in a digital healthcare system, sharing patients' electronic health records between different research institutions or hospitals bolsters medical research and epidemiological analysis. Doctors that share data can make better-informed medical decisions and offer better services (CBS., 2019). Data gains its value when we share it, yet data privacy policies and data ownership demands have historically placed a barrier on our ability to elevate this value (NSTIC., 2018; Xu and Wang, 2022; Xie, 2023). The reasons for this include the following:

• Privacy-preserving technologies are diverse and complex. In a particular scenario, it is often necessary to use a combination of one or more cryptographic and other advanced technologies.
• It is difficult to ensure the secure sharing of plaintext data. Moreover, an attack on a centralized platform for data sharing and protection may lead to a data breach.
• Finally, the implementation of privacy protection techniques requires high costs in terms of time and performance, which can be problematic for data-in-motion and real-time analysis and dissemination.

Therefore, blockchain-based CP-ABE (Sahai and Waters, 2005; Goyal et al., 2006; Bethencourt et al., 2007; Waters, 2011) is an emerging hybrid privacy-preserving technology that has gained significant attention from scholars and the industry in the field of data security and sharing (Xue et al., 2019; Sookhak et al., 2017). This is mainly due to:

• The CP-ABE scheme is constructed to achieve multiple privacy levels for data sharing among dynamic groups of users, which supports one-to-many access control on shared data in many practical application scenarios.
• The CP-ABE scheme empowers data owners to establish their own access policies, effectively granting encryption-based access control to their data with granularity refined to the attribute level.
• Blockchain (Nakamoto, 2009), as a decentralized Peer-to-Peer (P2P) distributed ledger and computing paradigm, can provide key auditing and traceability for CP-ABE by establishing a secure data access control mechanism within untrusted environments. Meanwhile, the technology features of blockchain can provide attribute policy management, privacy and accountability enhancement for CP-ABE.

However, the majority of current blockchain-based CP-ABE access control schemes rely on centralized authorization models (Bramm and Mark, 2018; Yan et al., 2020), resulting in risks of single point of failure, low computational efficiency, challenges in key leakage, as well as system scalability. These problems also present potential challenges that researchers need to address in order to achieve a trade-off between decentralization, security, and scalability within a blockchain-based system.

To address the above issues, we utilize blockchain nodes that act as a trusted proxy entity to generate and distribute key fragments, ensuring the traceability of key updates through the immutable ledger of the blockchain. Meanwhile, we introduce zero-knowledge proof technology to enhance system scalability: transactions are bundled off-chain and a short summary of them is posted on the blockchain. The integrity proof of the transaction aggregation is much shorter and more efficient to verify than the original transactions. In addition, in order to build a reliable blockchain system in a trustless network, we analyze economic incentives and punishments by applying a probability model to the different node types of the blockchain-based CP-ABE scheme.

1.1. Our contributions

Building on our previous work (Chen et al., 2023; Zhang et al., 2021), we further introduce the zero-knowledge proof paradigm to enhance and scale the distributed KMS-based CP-ABE scheme in a decentralized blockchain system. The main contributions of this work can be outlined as follows:

(1) To mitigate the dependence on a single authority responsible for issuing master secret keys (MSK) to all users, we present a threshold proxy re-encryption scheme. This scheme leverages a key encapsulation mechanism (KEM) to integrate the key management system into the blockchain infrastructure. Furthermore, we incorporate the Fiat-Shamir heuristic into our non-interactive zero-knowledge (NIZK) proof system to verify the correctness of re-encryptions.

(2) To boost the scalability of the blockchain network and minimize on-chain gas consumption, we designed a transaction aggregation mechanism based on zk-SNARKs. The operator nodes collect transactions generated during the system's operation, perform batch execution and aggregation, and generate the corresponding zk_proofs to verify the validity of account state transitions.

(3) To ensure effective, fair operation, and to motivate participation in the decentralized blockchain system, we explore the benefits of an economic incentive and slashing model. This economic incentive mechanism can enhance node activity and overall network health. Moreover, we briefly show that the decisional q-parallel Bilinear Diffie-Hellman Exponent (BDHE) assumption is generically secure in our CP-ABE scheme.

1.2. Paper organization

The paper is structured as follows: In Section 2, we describe the related research on CP-ABE. Section 3 presents the necessary background knowledge for this study, including parameter definitions and foundational information. Our scheme's system model and incentive mechanism are described in Section 4, which includes the scheme's definition. Section 5 details the specific construction methods of the related algorithms for our scheme. Section 6 introduces the correctness verification of re-encryption and the validation of transaction aggregation. The algorithmic security of our scheme is examined in Section 7, along with the evaluation and analysis of the simulated experiments conducted. Section 8 offers a conclusion to our paper and indicates future directions for research advancement.

2. Related work

CP-ABE, as a novel encryption technology, has seen considerable attention from researchers since its inception. Many have focused on designing and improving CP-ABE algorithms to enhance their flexibility and security while extending their applicability to diverse fields and scenarios. For instance, Guo et al. (Guo et al., 2023) improved the efficiency of information collection in vehicular environments, proposed an application-oriented data sharing scheme for Vehicular Ad-hoc Networks (VANETs) using enhanced CP-ABE, and validated its efficiency and security through performance analysis and simulations. Liang et al. (Liang et al., 2009) proposed the first scheme combining proxy re-encryption with CP-ABE, proven selectively secure without random oracles under chosen-plaintext attacks, ensuring master key security and preventing key collusion between agents and users. Doshi et al. (Doshi, 2022) utilized proxy re-encryption to propose a constant-length CP-ABE scheme resilient to collusion attacks, establishing security under the Decisional Bilinear Diffie-Hellman (DBDH) hardness assumption. Edemacu et al. (Edemacu et al., 2020) based their scheme on the Ordered Binary Decision Diagrams (OBDD) access structure with enhanced expressiveness, introducing instant attribute/user revocation and efficiency, aimed at collaborative e-health systems where secure data sharing must prevent collusion attacks. From these recent studies, existing schemes often struggle to provide access control in untrusted environments because they depend on trusted authorization entities, leading to issues such as single points of failure and low computational efficiency in large-scale settings. Additionally, the lack of uniqueness in user attribute private keys, generated and distributed by trusted authorization entities, raises concerns about potential key misuse. Furthermore, verification of correctness during proxy re-encryption computations is lacking, and challenges persist concerning the tampering of ciphertext during transmission and the authenticity of the ciphertext source.

In recent years, the application of blockchain-based CP-ABE systems has become widespread in a variety of areas. For instance, to address security and privacy challenges in the industrial Internet of Things (IoT), Banerjee et al. (Banerjee et al., 2021) developed a CP-ABE scheme based on blockchains. Their scheme achieved policy hiding and constant-sized keys and ciphertexts, outperforming alternatives in security and computational efficiency in simulation-based comparisons. Sammy et al. (Sammy and Vigila, 2022) presented a distributed CP-ABE scheme that allows secure cloud-based patient health record sharing. They achieved data user attribute revocation using Rivest-Shamir-Adleman (RSA) key pairs and demonstrated security under the d-Decisional Diffie-Hellman (d-DDH) assumption. Gao et al. (Gao et al., 2020) employed homomorphic encryption to hide user attributes. Blockchain acted as an entity for identity proof and verification, granting the main key. Despite enabling distributed key computation and attribute preservation, their main key storage remained centralized, introducing security concerns. Manzoor et al. (Manzoor et al., 2018) and Badsha et al. (Badsha et al., 2020) proposed blockchain-based proxy re-encryption methods. They sought to enhance data sharing security in different

ways, with Badsha using conditional proxy re-encryption based on Attribute-Based Encryption (ABE) and Manzoor using certificate-based proxy re-encryption. According to Zhang et al. (Zhang and Sun, 2020), a data sharing algorithm that utilizes a combination of attribute-based and blockchain re-encryption for keyword retrieval was developed. However, it does not take key management into consideration. Similarly, Zhai et al. (Zhai et al., 2023) have also proposed a similar scheme that securely shares critical on-chain information through proxy re-encryption of attribute-linked data. They also utilize a distributed key generation method specifically designed for blockchain networks to mitigate centralized key management and leakage risks. While both schemes address key management concerns, the algorithm efficiency can still be improved.

Table 1 summarizes the characteristics and limitations of current CP-ABE schemes. From Table 1, it is evident that while the previously mentioned solutions have addressed specific challenges within their respective domains, they often exhibit limitations in their seamless integration with blockchain, leading to a range of issues. These challenges encompass diverse areas such as computational efficiency, gas consumption and inadequate correctness validation mechanisms in certain proxy re-encryption methodologies. Furthermore, the absence of robust incentive and penalty mechanisms undermines the cooperative behavior of participants within blockchain networks, potentially undermining the overall security and operation of such networks.

Table 1
Summary of Characteristics and Limitations of CP-ABE Schemes.

| Architecture | Research Scheme | Research Description | Research Limitations |
|---|---|---|---|
| CP-ABE | Guo et al. (Guo et al., 2023) | A privacy-enhanced VANET data security sharing scheme is proposed. | Centralized storage and generation of keys. |
| | Liang et al. (Liang et al., 2009) | Extended the descriptions of conditions and identities based on proxy re-encryption and attribute encryption. | Centralized storage of keys. Inability to verify the correctness of re-encryption. |
| | Doshi et al. (Doshi, 2022) | Proposed a CP-ABE proxy re-encryption scheme with constant ciphertext length. | Existence of a centralized authority. Inability to verify the correctness of re-encryption. |
| | Edemacu et al. (Edemacu et al., 2020) | Proposed an expressive and collusion-resistant access control scheme with instant attribute/user revocation. | Existence of a trusted authority. Centralized storage of keys. |
| Blockchain-based CP-ABE | Sammy et al. (Sammy and Vigila, 2022) | Implemented user attribute revocation and utilized elliptic curve cryptography to reduce the complexity. | Existence of a centralized authority. |
| | Gao et al. (Gao et al., 2020) | Proposed a hidden policy scheme to ensure the privacy of policies. | Key management issues were not considered. Low participation of nodes. High on-chain gas consumption. |
| | Manzoor et al. (Manzoor et al., 2018) | Implemented information sharing through smart contracts, ensuring data visibility only to authorized individuals through proxy re-encryption. | Existence of a centralized authority. |
| | Badsha et al. (Badsha et al., 2020) | Proposed a blockchain network security information sharing scheme with privacy protection features. | Centralized generation of keys. Key management issues were not considered. Inability to verify the correctness of re-encryption. Low participation of nodes. High on-chain gas consumption. |
| | Zhang et al. (Zhang and Sun, 2020) | Proposed a scheme supporting keyword retrieval and increased node participation through the design of incentive mechanisms. | Key management issues were not considered. Inability to verify the correctness of re-encryption. High on-chain gas consumption. |
| | Zhai et al. (Zhai et al., 2023) | Proposed a data sharing scheme and designed a distributed key generation method compatible with blockchain. | Inability to verify the correctness of re-encryption. Low participation of nodes. High on-chain gas consumption. |

3. Preliminaries

3.1. Notation definition

Table 2 displays the primary notations utilized in the proposed scheme.

3.2. Fiat-Shamir Heuristic (Beimel, 2021; Dima, 2019; Dima, 2019)

The Fiat-Shamir heuristic can be applied to any Sigma protocol to obtain NIZKPs.

Prover P(g, x, h = g^x):
  Select randomly r ∈ Z;
  Compute u = g^r;
  Compute c = H(g, h, u);
  Compute z = c·x + r;
  Output π = (u, c, z).

Verifier V(g, h = g^x, π = (c, u, z)):
  Check c ?= H(g, h, u);
  Check g^z ?= u·h^c.

3.3. Proxy Re-Encryption (Nunez, 2018)

Proxy re-encryption (PRE) serves as an instrument in facilitating decentralized key management functions, given its ability to distribute the re-encryption procedure across various proxy services. Such a method eliminates dependency on a sole service, thereby bolstering the overall system's security and dependability. Let g1 and Q be generators of the group G. Let H_2 : G^2 → Z_q, H_3 : G^3 → Z_q and H_4 : G^3 × Z_q → Z_q be hash functions. γ : G → {0, 1}^η is a key derivation function, where η is generated based on the security parameter φ. Sample a ∈ Z_q uniformly at random, compute g^a and output the keypair (pk, sk) = (g^a, a).

4. Scheme overview

4.1. System description

This scheme leverages a KEM to integrate the key management system into the blockchain infrastructure. The proxy re-encryption node encrypts the MSK with a generated symmetric key and is responsible for securely storing and managing key fragments. Data users can only derive

Table 2
Notations.

| Notation | Description |
|---|---|
| k | System security parameter |
| θ | User identity identifier |
| ρ(i) | Row-specific attribute |
| s | Secret shared key |
| λ | Secret shared key share |
| v | Random vector for encryption algorithm selection |
| M_i | Row i of access matrix M with dimensions l × n |
| x | Attribute |
| N | Number of shards |
| t | Threshold value |
| S | User attribute set |
| SK | User attribute private key |
| U | System attribute set |
| PK | System public key |
| MSK | System master secret key |
| m | Plaintext of shared data |
| CT | Ciphertext of shared data |
| CT_MSK | Ciphertext of MSK |

the symmetric key by obtaining at least threshold t key fragments. Subsequently, they use this symmetric key to decrypt the ciphertext CT_MSK and obtain MSK. With MSK, users generate the user attribute private key SK matching the access policy. Finally, they decrypt the ciphertext CT to obtain the plaintext data m. Additionally, to enhance the scalability of the blockchain and reduce gas consumption, we have developed a transaction aggregation system based on zk-SNARKs. This system relies on the operator node to collect and execute the transactions generated while the model is running. More details can be found in Section 6.2. To further enhance network efficiency and security, we design an economic incentive mechanism to encourage more nodes to participate in management and verification processes. For more details, refer to Section 4.3.

The proposed scheme has six main participants, with the following functionalities:

(1) Data Owner (DO): When the data owner wishes to share data m with a data user, they need to create an access policy based on the Linear Secret Sharing Scheme (LSSS) matrix to grant access to the data user. The data owner then executes the system initialization algorithm Setup to generate global parameters, performs the encryption algorithm Encrypt to generate the ciphertext CT, executes the re-encryption key generation algorithm ReKeyGen to generate the re-encryption key kFrag, and runs the KEMMSK algorithm to encrypt and encapsulate the master secret key MSK, resulting in CT_MSK and capsule. These operations are followed by storing the ciphertext CT and CT_MSK on IPFS and sending the kFrag and capsule to the proxy re-encryption node on the blockchain.

(2) Data User (DU): When a data user intends to access the shared data, they must first request the master secret key MSK from the proxy re-encryption node on the blockchain. Upon receiving the capsule fragment cFrag from the node, the data user decapsulates cFrag and then decrypts the ciphertext CT_MSK to obtain the MSK. Subsequently, by executing the key generation algorithm KeyGen, key computation algorithm CptKey, and key recovery algorithm KeyRes, the data user generates the user attribute private key SK that satisfies the access policy. With the generated SK, the user can then decrypt the ciphertext CT to obtain the plaintext data m.

(3) Proxy Re-Encryption Node (PREN): The blockchain node is initially elected as the proxy re-encryption node through a staking election. Subsequently, it executes the re-encryption algorithm ReEncrypt to re-encapsulate the capsule and obtain a cFrag. To achieve verifiable re-encryption, the node generates a NIZK proof π concerning cFrag. This process is aimed at achieving multi-party secure management and distribution of the system master secret key.

(4) Operator Node (OPN): The blockchain node is initially elected as the operator node through a staking election. Subsequently, the OPN collects transactions generated during the system's operation by executing the Trading smart contract. OPN then performs batch execution and aggregation of the collected transactions by executing the Processing smart contract. After the transaction execution, the local Merkle tree root is transformed from the prev_state_root to the next_state_root, and a request for state update is made. Simultaneously, OPN generates corresponding zk_proofs based on zk-SNARKs to verify the validity of account state transitions.

(5) Inter Planetary File System (IPFS): The IPFS primarily functions to provide distributed storage services for all participants. It stores received ciphertext data CT and CT_MSK, and then sends the data storage address to the blockchain. This allows participants to download ciphertext data based on the storage address published on the blockchain.

(6) Blockchain (BC): On-chain nodes participate in staking within the staking pool to elect suitable nodes for roles such as the proxy re-encryption node, operator node, consensus validation nodes, and computational nodes. On the blockchain, reward settlements and penalties are carried out based on the contributions of each node to enhance network security. While the blockchain records public system parameters and conducts consensus validation operations, it not only achieves traceability and auditability of the scheme's transaction delivery but also realizes multi-party secure management and distribution of the CP-ABE master secret key (see Fig. 1).

Our scheme mainly consists of seven phases: Initialization Phase, Encapsulation Phase, Encryption Phase, Re-encryption Phase, Key Generation Phase, Identity Verification Phase, and Decryption Phase. A detailed description of each phase is provided below:

(1) Initialization Phase
DO.Setup(1^k, U) → (PK, MSK). During the system initialization phase, the data owner Alice inputs the security parameter k and attribute set U. The setup algorithm is executed by the data owner, resulting in the output of the system public key PK and the system master secret key MSK.

(2) Encapsulation Phase
DO.KEMMSK(pk_A, MSK, ε_K) → (CT_MSK, capsule). The data owner Alice initially takes the public key pk_A and the system master secret key MSK as inputs to the encapsulation algorithm KEMMSK. Subsequently, she computes a symmetric key ε_K and uses it to encrypt the MSK. Simultaneously, she encapsulates the symmetric key ε_K in a capsule that facilitates the re-derivation of the symmetric key ε_K. Finally, the encapsulation algorithm outputs (CT_MSK, capsule).

(3) Encryption Phase
DO.Encrypt(PK, A = (M, ρ), m, δ) → CT. The data owner Alice inputs the system public key PK, plaintext data m, access policy A based on LSSS, and identity random key δ. She then runs the encryption algorithm Encrypt, resulting in the output of the ciphertext CT. Subsequently, Alice sends CT to be stored on IPFS.

(4) Re-Encryption Phase
DO.ReKeyGen(sk_A, pk_B, N, t) → KF. The data owner Alice inputs the secret key sk_A and the public key of the intended delegate pk_B, along with the parameters N for the overall number of fragments and t for the threshold; the re-encryption key generation algorithm ReKeyGen then computes N fragments of the re-encryption key, each of them named kFrag, which are then sent to PRENs (see Fig. 2).
PREN.ReEncrypt(capsule, kFrag) → cFrag. The proxy re-encryption node takes as input the re-encryption key fragment kFrag and the capsule. The re-encryption algorithm, ReEncrypt, initially checks the validity of the capsule. Subsequently, the re-encryption algorithm re-encapsulates the capsule to obtain a cFrag, and finally outputs the cFrag.
PREN.CreateNIZKP(capsule, kFrag, cFrag) → π. To achieve verifiable re-encryption, the proxy re-encryption node, upon outputting the re-encrypted ciphertext CT_MSK, capsule, and capsule fragment cFrag, creates a NIZK proof π to demonstrate the correctness of cFrag (see Fig. 3).

(5) Key Generation Phase
BC.VerifyNIZKP(capsule, cFrag, π) → Result. The proxy re-encryption node sends the capsule, capsule fragment cFrag, and the generated NIZK

Fig. 1. System Model.

Fig. 2. Alice's Domain.

Fig. 3. PREN's Domain.

proof π to the blockchain. Consensus validation nodes trigger the verification contract to verify the correctness of the cFrag. The verification contract outputs the verification result.
DU.ReDecrypt(pk_A, sk_B, {cFrag_i, CT_MSK}_{i=1}^t) → MSK. After the correctness verification of cFrag is successfully passed, data user Bob inputs the keys pk_A and sk_B, along with a set of t re-encrypted ciphertexts {cFrag_i, CT_MSK}_{i=1}^t. The re-decryption algorithm ReDecrypt initially decapsulates the cFrag_i to produce the symmetric key ε_K. It then decrypts the ciphertext CT_MSK with the key ε_K, resulting in MSK if the decryption is correct or ⊥ otherwise.
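The proof π that a PREN publishes and the verification contract checks above follows the Sigma protocol of Section 3.2 made non-interactive by Fiat-Shamir. The following is an added illustration, not code from the paper: a prover who knows x with h = g^x, and a verifier that checks the published π. The group (p = 2039, q = 1019, g = 4), the SHA-256 challenge hash and all function names are constructed assumptions for this example; the parameters are a toy size and not secure.

```python
"""Fiat-Shamir NIZK proof of knowledge of x such that h = g^x (Section 3.2 protocol)."""
import hashlib
import secrets

# Constructed toy parameters (assumption, NOT secure): p = 2q + 1 is a safe prime and
# g = 4 generates the subgroup of prime order q in Z_p^*. A deployment would use a
# ~256-bit group; the shape of the arithmetic below is unchanged.
P = 2039
Q = 1019
G = 4


def hash_challenge(g: int, h: int, u: int) -> int:
    """c = H(g, h, u) reduced into Z_q. Binding the statement h into the hash is what
    stops a proof made for one public key from being accepted for another."""
    data = b"|".join(str(v).encode() for v in (g, h, u))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(x: int, g: int = G) -> tuple:
    """Prover P(g, x, h = g^x): return (h, pi) with pi = (u, c, z), no interaction."""
    h = pow(g, x, P)
    r = secrets.randbelow(Q)        # select randomly r in Z_q
    u = pow(g, r, P)                # compute u = g^r
    c = hash_challenge(g, h, u)     # compute c = H(g, h, u)
    z = (c * x + r) % Q             # compute z = c*x + r
    return h, (u, c, z)


def verify(h: int, proof: tuple, g: int = G) -> bool:
    """Verifier V(g, h, pi): check c = H(g, h, u) and g^z = u * h^c (mod p)."""
    u, c, z = proof
    # Reject elements outside the group/field ranges before doing any algebra.
    if not (0 < u < P and 0 < h < P and 0 <= c < Q and 0 <= z < Q):
        return False
    if c != hash_challenge(g, h, u):
        return False
    return pow(g, z, P) == (u * pow(h, c, P)) % P


def demo() -> tuple:
    """Honest proof verifies; the same proof re-targeted to another public key or with a
    modified response is rejected. Returns (honest, wrong_key, tampered)."""
    x = secrets.randbelow(Q)
    h, pi = prove(x)
    honest = verify(h, pi)
    wrong_key = verify(pow(G, (x + 1) % Q, P), pi)   # same pi, different statement
    u, c, z = pi
    tampered = verify(h, (u, c, (z + 1) % Q))          # response altered after hashing
    return honest, wrong_key, tampered


if __name__ == "__main__":
    print(demo())   # expected (True, False, False)
```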

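ReKeyGen issues N fragments with threshold t, and ReDecrypt above succeeds only once t of them are combined, yielding MSK or ⊥. The block below is an added example, not the paper's construction: it shows the t-of-N behaviour with Shamir sharing of the symmetric key ε_K over the prime 2^127 - 1, and a SHA-256/HMAC stand-in for the KDF γ and the symmetric cipher so that a wrong key or tampered CT_MSK produces ⊥ (None) rather than garbage. The paper's capsule/kFrag mechanics (Nunez, 2018) are not reproduced; field, KDF and names are assumptions.

```python
"""t-of-N recovery of the symmetric key eps_K and decryption of CT_MSK (Section 4.1 flow)."""
import hashlib
import hmac
import secrets

# Constructed parameters (assumptions, not the paper's): fragments live in GF(p) for the
# Mersenne prime p = 2^127 - 1, so every field element fits in 16 bytes.
FIELD_P = 2**127 - 1
KEY_BYTES = 16
TAG_BYTES = 32


def split_key(eps_k: int, n: int, t: int) -> list:
    """Shamir t-of-N split: f(0) = eps_k, degree t-1, fragments (i, f(i)) for i = 1..n."""
    if not 1 <= t <= n:
        raise ValueError("threshold t must satisfy 1 <= t <= N")
    coeffs = [eps_k % FIELD_P] + [secrets.randbelow(FIELD_P) for _ in range(t - 1)]

    def f(x: int) -> int:
        acc = 0
        for a in reversed(coeffs):          # Horner evaluation of the polynomial
            acc = (acc * x + a) % FIELD_P
        return acc

    return [(i, f(i)) for i in range(1, n + 1)]


def recover_key(fragments: list) -> int:
    """Lagrange interpolation at x = 0. With fewer than t fragments this still returns a
    field element, but (with overwhelming probability) not eps_k."""
    total = 0
    for i, (xi, yi) in enumerate(fragments):
        num, den = 1, 1
        for j, (xj, _) in enumerate(fragments):
            if i != j:
                num = (num * (-xj)) % FIELD_P
                den = (den * (xi - xj)) % FIELD_P
        total = (total + yi * num * pow(den, -1, FIELD_P)) % FIELD_P
    return total


def kdf(eps_k: int, label: bytes, length: int) -> bytes:
    """Stand-in for the KDF gamma: expand eps_k into `length` bytes under a domain label."""
    out, counter = b"", 0
    seed = eps_k.to_bytes(KEY_BYTES, "big") + label
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_msk(eps_k: int, msk: bytes) -> bytes:
    """CT_MSK = (msk XOR keystream) || HMAC tag, so a wrong eps_k is detected rather than
    silently accepted. Stand-in for a real AEAD; the encrypt-then-MAC shape is the point."""
    body = bytes(a ^ b for a, b in zip(msk, kdf(eps_k, b"enc", len(msk))))
    tag = hmac.new(kdf(eps_k, b"mac", 32), body, hashlib.sha256).digest()
    return body + tag


def decrypt_msk(eps_k: int, ct_msk: bytes):
    """Return MSK, or None (the paper's ⊥) when the key or the ciphertext is wrong."""
    if len(ct_msk) < TAG_BYTES:
        return None
    body, tag = ct_msk[:-TAG_BYTES], ct_msk[-TAG_BYTES:]
    expected = hmac.new(kdf(eps_k, b"mac", 32), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(body, kdf(eps_k, b"enc", len(body))))


def demo(n: int = 5, t: int = 3) -> tuple:
    """Returns (first_t_ok, other_t_ok, below_threshold_is_bottom, tampered_is_bottom)."""
    eps_k = secrets.randbelow(FIELD_P)
    msk = b"constructed-sample-MSK-not-a-real-key"       # constructed sample input
    ct_msk = encrypt_msk(eps_k, msk)
    frags = split_key(eps_k, n, t)
    first_t = decrypt_msk(recover_key(frags[:t]), ct_msk) == msk
    other_t = decrypt_msk(recover_key(frags[n - t:]), ct_msk) == msk   # any t suffice
    below = decrypt_msk(recover_key(frags[:t - 1]), ct_msk) is None     # t-1 give bottom
    flipped = bytes([ct_msk[0] ^ 1]) + ct_msk[1:]
    tampered = decrypt_msk(eps_k, flipped) is None                       # CT_MSK altered
    return first_t, other_t, below, tampered


if __name__ == "__main__":
    print(demo())   # expected (True, True, True, True)
```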
DU.KeyGen(PK, MSK, e, S) → {K, L, {h_x}, E}. The data user Bob inputs the relevant parameters to calculate some elements of the SK triplet. He uses the asymmetric encryption pair (e, d) to protect the random t, i.e. E_i = Encryption(e_i, t), and sends E_i and the hash value h_{x_i} corresponding to the attribute of the DU to the computational node, which then computes the key by executing BC.CptKey(h_x, E, S) → K'_x and sends it to the DU. After obtaining K'_{x_i}, Bob decrypts it using DU.KeyRes(K'_x, d, S) → SK to obtain the correct key K_{x_i}. Bob then combines the computed K_{x_i} values from different nodes to form the attribute key set K_x = {K_{x_1}, K_{x_2}, ..., K_{x_n}}. Bob combines K, L, and K_x previously computed to form the complete private key SK quadruple SK = (S, K, L, K_x) (see Fig. 4).

(6) Identity Verification Phase
The data user sends the identity identifier θ, obtained during user registration, to the data owner. The data owner, based on the specified access policy A, verifies the identity. If the identity information provided by the data user satisfies the access policy, the data user is considered an honest node. The data owner then issues an identity key δ to that data user.

(7) Decryption Phase
DU.Decrypt(SK, CT, δ) → m. Data user Bob, based on the publicly available ciphertext storage address on the blockchain, downloads the ciphertext CT from IPFS. He then uses the identity key δ and private key SK to decrypt the ciphertext CT by executing the decryption algorithm Decrypt, resulting in the plaintext data m.

Fig. 4. Bob's Domain.

4.2. Algorithm security model

The algorithm in this paper is analyzed in the indistinguishability against selective access structure and chosen plaintext attacks (IND-SAS-CPA) game, with the specific interactive process as follows:

(1) Initialization. The challenger initializes the system with Setup(1^k, U) to generate MSK and sends PK to the adversary. The adversary, in turn, sends a new challenge access policy (M*, ρ*) to the challenger.
(2) Queries. The adversary submits an attribute set for a KeyGen query. When the attribute set does not satisfy the access policy, the challenger generates the corresponding secret key for the attribute set and returns it to the adversary.
(3) Challenge plaintext. ① The adversary submits two messages m_0 and m_1 of equal length to the challenger, and the challenger chooses the value of c ∈ {0, 1} at random and encrypts m_c. ② The challenger utilizes the policy (M*, ρ*) and generates a corresponding ciphertext CT*. ③ The resulting CT* is given to the adversary.
(4) Repeat Step (2). The adversary sends the attribute sets S_{n+1}, S_{n+2}, ..., S_{n+m} to the challenger and requests the corresponding private keys, whose attributes do not meet the access structure (M*, ρ*).
(5) Guess. The adversary outputs its guess c′ ∈ {0, 1} and wins the game if c = c′.

Definition 1. If the polynomial-time adversary wins the above security model game with a negligible advantage ε = |Pr[c = c′] − 1/2|, then the proposed scheme is secure.

4.3. Incentive mechanism

Establishing a rational system of incentives and penalties within a trustless environment contributes to achieving fairness among participating nodes and enables verifiable computations. This approach effectively enhances blockchain consensus security, promotes node activity, and mitigates free-rider risks. Hence, we introduce a rewards schedule based on the Proof of Stake (PoS) consensus mechanism, where certain rewards are "mined." Anyone can become a miner, but they must first pledge a certain amount of collateral through a smart contract-based staking pool and lock it, specifying a locking duration. The level of trust allocated to each node is directly proportional to the amount of collateral they stake. By staking collateral and distributing trust among participating nodes, a higher collateral pledge implies greater trust allocation. Consequently, the miner with a higher collateral pledge gains more opportunities.

The reward procured by participating node P is directly proportional to its contribution W_P: the greater the contribution W_P, the higher the system reward R_P. With the integrity of participant nodes expressed as probability Pr(P), and the integrity of malicious behavior expressed as probability Prv(P), the probability of the participant node being dishonest equals Prvc(P) = Prv(P)·(1 − Pr(P)). If the collateral staked by the participant node is S_P, the system reward obtained by the participant node under honesty is: R(Pr(P)) = R_P·(1 − Prvc(P)) − S_P·Prvc(P) − W_P·Pr(P). When Pr(P) = 1, i.e., the participant node is honest, the maximum reward is R(1) = R_P − W_P. When Pr(P) < 0.5, R_P·(1 − Prvc(P)) − S_P·Prvc(P) < 0, and then R(Pr(P)) < 0. Furthermore, the system randomly sends fabricated data to participating nodes to assess their honesty in behavior. If the involved node leaks the forged data provided by the system, this action not only exposes the node's dishonest behavior but also safeguards users' interests, since the fabricated data is not actual user data. Under this mechanism, any node in the network suspecting dishonest behavior by a particular participant can initiate this operation

consists of two parts: CP-ABE and PRE. The overall workflow of the scheme is illustrated in Fig. 5. In Section 5.1, the CP-ABE part begins by introducing the user identity identifier θ and identity key δ, achieving user identity verification through the access policy A. Subsequently, we introduce CptKey and KeyRes, and the asymmetric encryption pair (e, d) is used to protect the SK. In Section 5.2, the PRE part focuses on the implementation of multi-party secure management and distribution of the MSK of CP-ABE, utilizing threshold proxy re-encryption protocols and KEM. Additionally, correctness verification of re-encryption com-
by sending fabricated data to assess the node’s behavior. Upon the putations is achieved through NIZK proofs.
system’s confirmation of the suspected node’s dishonest conduct, the
reporting node can receive an additional reward consisting of the staked 5.1. Construction of Ciphertext-Policy Attribute-Based Encryption
by the cheating node.
It is noteworthy that executing a 51 % attack in PoS requires holding (1)Setup(1k , U)→(PK, MSK). DO inputs the security parameter k, and
51 % of the total stake in the chain. Acquiring stake can only be achieved a tuple (p, g, G0 , G1 , e) is generated based on k. For each attribute x ∈ U,
through purchasing from existing users and is not possible through hx represents the hash value of attribute x. A LSSS access matrix M is
external investment or production. As the total on-chain stake increases, input, and based on M, a random exponent s is distributed from Zp . DO
the cost of launching a 51 % attack against PoS becomes significantly constructs and publishes the PK, constructs the MSK, and transmits MSK
higher than conducting a 51 % attack on Proof of Work (PoW) for one to the PRENs for re-encryption. The output consists of a key pair:
hour. The dynamic nature of fluctuations in the number of honest val­
idators and network latency makes it improbable for attackers to sustain g ∈ G0 , α, β ∈ Zp
precise control over 50 % of the total staking. The substantial costs { e : G0 × G0 →G1 } (1)
PK = g, e(g, g)α , gβ , h1 , h2 , ..., h|u|
associated with such attacks, coupled with the low probability of suc­
MSK = (gα )
cess, act as robust deterrents for rational attackers. Additionally, PoS
incorporates a slashing mechanism, which entails executing a hard fork (2)KeyGen(PK, MSK, e, S)→{K, L, {hx }, E }. DU, based on the PK and
initiated by an honest minority, leading to a substantial devaluation of MSK, obtains a collection of hash values {hx }, selects t ∈ Zp , and calcu­
the attacker’s staked assets. Consequently, attackers incur significant lates K and L. Additionally, DU selects u ∈ Zp and chooses an integer e
costs to their staked assets while launching an attack, thereby reducing that is less than u and coprime with u. DU encrypts t using e, resulting in
the likelihood of 51 % attack occurring. E = t⋅e.

5. Algorithm construction (K, L) = (gα gβt , gt ) (2)

(3)CptKey(hx , E, S)→K′x . The DU transmits E, the hash values hx, and


The specific algorithmic construction of the proposed scheme
the user attribute set S to the computation node for the calculation of K′x .

Fig. 5. The Overall Transaction Workflow of Our Scheme.

7
Z. Ren et al. Journal of King Saud University - Computer and Information Sciences 36 (2024) 101969

$$ K'_x = h_x^{E} \quad (3) $$

(4) KeyRes(K′_x, d, S)→SK. After obtaining the modular multiplicative inverse d of e with respect to p, DU acquires K′_x and, through d, decrypts it to obtain the attribute key SK. DU performs the following key generation process:

$$ K_x = (K'_x)^{d} = h_x^{t}, \qquad SK = (S, K, L, K_x) \quad (4) $$

(5) Encrypt(PK, A = (M, ρ), m, δ)→CT. The PK and the (M, ρ) used for LSSS are used as the access policy A. The random key δ is used as the input for encryption of the plaintext message m, resulting in the ciphertext CT. Here, M is an l × n access matrix, and ρ is a mapping from the set of row indices {1, 2, ..., l} of matrix M to attributes. The specific encryption process is as follows:
① DO randomly selects integers s, y_2, ..., y_n from Z_N, forming a column vector $\vec{v} = (s, y_2, \ldots, y_n)$ in the n-dimensional vector space $Z_N^{n}$ for splitting the secret s, and calculates the original ciphertext components $C = m \cdot e(g,g)^{\alpha s \delta}$ and $C' = g^{s\delta}$.
② For the i-th row of matrix M, DO randomly selects an integer $r_i \in Z_N$ and calculates $C_i = g^{\beta \lambda_i \delta}\, h_{\rho(i)}^{-r_i}$ and $D_i = g^{r_i}$ separately. Here, $\lambda_i = \vec{v} \cdot M_i$ (i = 1, 2, ..., l) represents the i-th share obtained by splitting s, i.e., a share of the secret. Let Ψ = {(C_i, D_i)}. Then, the ciphertext CT = (C, C′, Ψ) generated by DO is given.

(6) Decrypt(SK, CT, δ)→m. Given a DU input attribute set S, the corresponding secret key SK = (S, K, L, K_x) (x ∈ S), the ciphertext CT associated with the access structure, and a random key δ. Assuming that S satisfies the access structure, according to the definition mentioned above, let I = {i : ρ(i) ∈ S} ⊂ {1, 2, ..., l}. Let {ω_i ∈ Z_p | i ∈ I} be such that $\sum_{i \in I} \omega_i \lambda_i = s$ if the λ_i are valid shares corresponding to M (the ω_i are recovery coefficients, which are not unique). The plaintext message m can be recovered from the ciphertext CT = (C, C′, Ψ) using the decryption formula:

$$ m = \frac{C \cdot \prod_{i \in I} \big( e(C_i, L)\, e(D_i, K_{\rho(i)}) \big)^{\omega_i}}{e(C', K)} = \frac{C \cdot \prod_{i \in I} \big( e(g^{\beta\lambda_i\delta} h_{\rho(i)}^{-r_i}, g^{t})\, e(g^{r_i}, h_{\rho(i)}^{t}) \big)^{\omega_i}}{e(g^{s\delta}, g^{\alpha} g^{\beta t})} $$
$$ = \frac{C \cdot \prod_{i \in I} e(g,g)^{t\delta\beta\lambda_i\omega_i}}{e(g,g)^{\alpha s\delta}\, e(g,g)^{\beta s t\delta}} = \frac{C \cdot e(g,g)^{t\delta\beta \sum_{i \in I} \lambda_i \omega_i}}{e(g,g)^{\alpha s\delta}\, e(g,g)^{\beta s t\delta}} = \frac{C \cdot e(g,g)^{t\delta\beta s}}{e(g,g)^{\alpha s\delta}\, e(g,g)^{\beta s t\delta}} = \frac{C}{e(g,g)^{\alpha s\delta}} \quad (5) $$

5.2. Construction of Proxy Re-Encryption

(1) ReKeyGen(sk_A, pk_B, N, t)→KF. The DO Alice inputs sk_A and pk_B along with the parameters N for the overall number of fragments and t for the threshold, then generates N re-encryption key fragments kFrag, which are then sent to the PRENs. The specific process is outlined in Algorithm 1:

Algorithm 1: ReKeyGen
1: Input: sk_A, pk_B, N, t
2: Output: KF
3: Select random ϖ_A, y, id ∈ Z_q;
4: for j = 1, ..., N do
5:   Compute: μ_x = H_ℓ5(id, H_ℓ6(pk_A, pk_B, pk_B^a));
6:   Compute: rk = f(μ_x);
7:   Compute: Q1 = Q^rk;
8:   Compute: S1 = H_ℓ4(g1^y, id, pk_A, pk_B, Q1, g1^ϖ_A);
9:   Compute: S2 = y − a·S1;
10:  Define: kFrag = (id, rk, g1^ϖ_A, Q1, S1, S2);
11:  Compute: KF = KF ∪ {kFrag};
12: return KF;

(2) KEM_MSK(pk_A, MSK, ε_K)→(CT_MSK, capsule). The DO Alice encrypts the MSK into the ciphertext CT_MSK using the generated symmetric key ε_K and outputs the capsule. The specific process is described in Algorithm 2:

Algorithm 2: KEM_MSK
1: Input: MSK, ε_K
2: Output: CT_MSK, capsule
3: Select random τ, u ∈ Z_q;
4: Compute: P = g1^τ, D = g1^u;
5: Compute: ξ = u + τ·H_ℓ2(P, D);
6: Compute: ε_K = γ_K((pk_A)^(τ+u));
7: Compute: capsule = (P, D, ξ);
8: Compute: CT_MSK = ε_K·MSK;
9: return CT_MSK, capsule;

(3) ReEncrypt(capsule, kFrag)→cFrag. The PREN first checks the validity of the capsule and outputs ⊥ if the check fails. Then it utilizes the received valid capsule and the re-encryption key fragment kFrag to compute P1 = P^rk and D1 = D^rk, and outputs the capsule fragment cFrag = (P1, D1, id, g1^ϖ_A). The specific process is described in Algorithm 3:

Algorithm 3: ReEncrypt
1: Input: capsule, kFrag
2: Output: cFrag
3: Check the validity of the capsule = (P, D, ξ);
4: Check: g1^ξ =? D·P^(H_ℓ2(P, D));
5: if the capsule is valid then
6:   Compute: P1 = P^rk;
7:   Compute: D1 = D^rk;
8:   Output: cFrag = (P1, D1, id, g1^ϖ_A);
9: end if
10: return cFrag;

(4) ReDecrypt(pk_A, sk_B, {cFrag_i, CT_MSK}_{i=1}^{t})→MSK. The DU Bob inputs pk_A, sk_B, and a set of t re-encrypted ciphertexts {cFrag_i, CT_MSK}_{i=1}^{t}. First, he aggregates the cFrag_i and calculates the symmetric key ε_K. Before that, he performs correctness verification of the re-encryption results. If the verification passes, he proceeds with the above steps. Then, he uses ε_K to decrypt the MSK from CT_MSK. The specific process is described in Algorithm 4:

Algorithm 4: ReDecrypt
1: Input: pk_A, sk_B, {cFrag_i, CT_MSK}_{i=1}^{t}
2: Output: MSK
3: Let Z1 = {z_{x,i}}_{i=1}^{t} for z_{x,i} = H_ℓ5(id_i, H_ℓ6(pk_A, pk_B, pk_A^b));
4: For all z_{x,i} ∈ Z1, compute: $\chi_{i,Z_1} = \prod_{j=1,\, j \neq i}^{t} \frac{z_{x,j}}{z_{x,j} - z_{x,i}}$;
5: Compute: $P' = \prod_{i=1}^{t} (P_{1,i})^{\chi_{i,Z_1}}$, $D' = \prod_{i=1}^{t} (D_{1,i})^{\chi_{i,Z_1}}$;
6: Compute: ε_K = γ((P′, D′)^(H_ℓ3(g1^(b·ϖ_A), pk_B, g1^ϖ_A)));
7: return MSK;

(5) CreateNIZKP(capsule, kFrag, cFrag)→π. Let the re-encryption key fragment be kFrag = (id, rk, g1^ϖ_A, Q1, S1, S2), the input capsule = (P, D, ξ), and the capsule fragment cFrag = (P1, D1, id, g1^ϖ_A). A correctness proof π for cFrag is generated as in Algorithm 5:

Algorithm 5: CreateNIZKP
1: Input: capsule, kFrag, cFrag
2: Output: π
3: Select a random r ∈ Z_q;
4: Compute: P2 = P^r, D2 = D^r, Q2 = Q^r;
5: Compute: C = H_ℓ(P, P1, P2, D, D1, D2, Q, Q1, Q2);
6: Compute: ρ = r + C·rk;
7: Compute: π = (P2, D2, Q1, Q2, S1, S2, ρ);
8: return π;

(6) VerifyNIZKP(capsule, cFrag, π)→Result. Let the input capsule be the tuple (P, D, ξ). For each cFrag = (P1, D1, id, g1^ϖ_A) and proof π = (P2, D2, Q1, Q2, S1, S2, ρ), the blockchain executes Algorithm 6.

Algorithm 6: VerifyNIZKP
1: Input: capsule, cFrag, π
2: Output: Result

3: Check the signature (S1, S2);
4: if the signature is correct then
5:   Compute: C = H_ℓ(P, P1, P2, D, D1, D2, Q, Q1, Q2);
6:   Check: P^ρ =? P2·P1^C, D^ρ =? D2·D1^C, Q^ρ =? Q2·Q1^C;
7: end if
8: return Result;
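As an added example (not code from the paper), the following Python models the CptKey/KeyRes blinding of Section 5.1 together with the multi-node private-key computation that Section 7.3 measures, and it illustrates the inverse argument of Theorem 3 in Section 7.1. The pairing groups are replaced by the toy multiplicative group Z_P^* with P = 2^127 − 1, the attribute hash h_x is a stand-in derived from a fixed base, and the attribute names are constructed; all of these are this example's assumptions. The unblinding exponent d is the inverse of e modulo the group order, which is what makes (h_x^{t·e})^d = h_x^t hold.

```python
# Added example (not the paper's code): CptKey / KeyRes blinding of Section 5.1
# in a toy multiplicative group, plus the split of the attribute work across
# several computation nodes as measured in Section 7.3.  Group, base and
# attribute hash are assumptions of this example, not the paper's pairing groups.
import math
import secrets

P = 2**127 - 1          # Mersenne prime; the toy group is Z_P^*  (assumption)
ORDER = P - 1           # exponents live modulo the group order (the paper's Z_p)
G = 3                   # fixed base used to derive attribute hashes (assumption)


def attr_hash(attribute: str) -> int:
    """Toy stand-in for h_x: map an attribute name to a group element."""
    h = int.from_bytes(attribute.encode(), "big")
    return pow(G, h, P)


def choose_blinding(order: int = ORDER):
    """DU side of KeyGen: secret t, secret u, and an exponent e < u coprime with u.
    e must also be invertible modulo the group order so that d = e^-1 exists."""
    while True:
        t = secrets.randbelow(order - 1) + 1
        u = secrets.randbelow(order - 1) + 2
        e = secrets.randbelow(u - 1) + 1            # e < u
        if math.gcd(e, u) == 1 and math.gcd(e, order) == 1:
            return t, u, e


def cpt_key(E: int, attributes, hashes):
    """Computation node: CptKey(h_x, E, S) -> K'_x = h_x^E for its share of S.
    The node only ever sees the blinded exponent E."""
    return {x: pow(hashes[x], E, P) for x in attributes}


def key_res(blinded: dict, e: int, order: int = ORDER):
    """DU: KeyRes(K'_x, d, S) -> K_x = (K'_x)^d with d = e^-1 mod order,
    so K_x = h_x^(t*e*d) = h_x^t (Theorem 3's Bezout step)."""
    d = pow(e, -1, order)
    return {x: pow(Kp, d, P) for x, Kp in blinded.items()}


def collaborative_key_material(attributes, n_nodes=3):
    """Split S across n_nodes computation nodes, collect K'_x, unblind.
    Returns (unblinded keys, the h_x^t values a direct computation would give)."""
    t, u, e = choose_blinding()
    E = (t * e) % ORDER                         # E = t*e, reduced mod the group order
    hashes = {x: attr_hash(x) for x in attributes}
    shares = [attributes[i::n_nodes] for i in range(n_nodes)]   # round-robin split
    blinded = {}
    for share in shares:                        # each node handles its own slice of S
        blinded.update(cpt_key(E, share, hashes))
    K = key_res(blinded, e)
    expected = {x: pow(hashes[x], t, P) for x in attributes}
    return K, expected


def demo() -> bool:
    attrs = ["dept:finance", "role:auditor", "clearance:2", "site:kunming"]  # constructed
    K, expected = collaborative_key_material(attrs)
    return K == expected


if __name__ == "__main__":
    print("unblinded keys equal h_x^t:", demo())
```

The nodes never receive t, only E; the DU's unblinding works for whatever subset of attributes each node handled, which is why the attribute set can be partitioned across nodes without changing the result.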
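As an added example (not the paper's implementation), here is the Section 5.2 re-encryption path on secp256k1, the curve the paper uses for its PRE part: ReKeyGen with the re-encryption key Shamir-split so that any t of N fragments reconstruct it (the χ_{i,Z1} coefficients of Algorithm 4), ReEncrypt with the discrete-log-equality proof of Algorithm 5, VerifyNIZKP as in Algorithm 6, and ReDecrypt. Collapsing every H_ℓ into SHA-256, the choice of the public base Q, the kFrag/cFrag field layout and leaving out the (S1, S2) signature on kFrag are assumptions of this example; the curve constants are the standard secp256k1 parameters.

```python
# Added example (not the paper's code): threshold PRE fragments and the
# Chaum-Pedersen style cFrag proof of Algorithms 1, 3, 4, 5 and 6 on secp256k1.
# Hash choices, the base Q and the fragment layout are this example's assumptions.
import hashlib
import secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p, q):                       # affine addition; None is the point at infinity
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0: return None
    if p == q: lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else: lam = (q[1] - p[1]) * pow((q[0] - p[0]) % P, -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def ec_mul(k, p):                       # double-and-add scalar multiplication
    k %= N; r = None
    while k:
        if k & 1: r = ec_add(r, p)
        p = ec_add(p, p); k >>= 1
    return r

def enc(x):                             # canonical bytes for hashing points, scalars, ids
    if x is None: return b"inf"
    if isinstance(x, tuple): return x[0].to_bytes(32, "big") + x[1].to_bytes(32, "big")
    return x.to_bytes(32, "big") if isinstance(x, int) else x

def H(*items):                          # every H_l* of the paper -> SHA-256 into Z_N (assumption)
    return int.from_bytes(hashlib.sha256(b"|".join(map(enc, items))).digest(), "big") % N

Q = ec_mul(H(b"nizk-base-Q"), G)        # public second base for the proof (assumption)
rand = lambda: secrets.randbelow(N - 1) + 1

def keygen():
    a = rand(); return a, ec_mul(a, G)

def encapsulate(A):
    """KEM_MSK shape (Algorithm 2): capsule (P, D, xi) and the key point (tau+u)*pk_A."""
    tau, u = rand(), rand()
    Pp, Dd = ec_mul(tau, G), ec_mul(u, G)
    return (Pp, Dd, (u + tau * H(Pp, Dd)) % N), ec_mul(tau + u, A)

def capsule_valid(capsule):             # Algorithm 3 line 4: g1^xi == D * P^H(P,D)
    Pp, Dd, xi = capsule
    return ec_mul(xi, G) == ec_add(Dd, ec_mul(H(Pp, Dd), Pp))

def rekeygen(a, A, B, n_frags, t):
    """Algorithm 1, with the re-encryption key Shamir-split so any t fragments suffice."""
    w = rand(); X = ec_mul(w, G)                        # varpi_A and g1^varpi_A
    dkey = H(ec_mul(w, B), B, X)                        # H_l3(g1^(b*varpi_A), pk_B, g1^varpi_A)
    coeffs = [a * pow(dkey, -1, N) % N] + [rand() for _ in range(t - 1)]   # f(0) = a / dkey
    shared = H(A, B, ec_mul(a, B))                      # H_l6(pk_A, pk_B, pk_B^a)
    frags = []
    for _ in range(n_frags):
        fid = secrets.token_bytes(16)
        mu = H(fid, shared)                             # mu_x = H_l5(id, ...)
        rk = sum(c * pow(mu, k, N) for k, c in enumerate(coeffs)) % N   # rk = f(mu_x)
        frags.append({"id": fid, "rk": rk, "X": X, "Q1": ec_mul(rk, Q)})
    return frags

def reencrypt(capsule, frag):
    """Algorithms 3 and 5: cFrag plus a proof that P1, D1, Q1 share the exponent rk."""
    if not capsule_valid(capsule): return None
    Pp, Dd, _ = capsule; rk = frag["rk"]
    P1, D1 = ec_mul(rk, Pp), ec_mul(rk, Dd)
    r = rand()
    P2, D2, Q2 = ec_mul(r, Pp), ec_mul(r, Dd), ec_mul(r, Q)
    C = H(Pp, P1, P2, Dd, D1, D2, Q, frag["Q1"], Q2)
    cfrag = {"P1": P1, "D1": D1, "id": frag["id"], "X": frag["X"]}
    return cfrag, {"P2": P2, "D2": D2, "Q1": frag["Q1"], "Q2": Q2, "rho": (r + C * rk) % N}

def verify_nizkp(capsule, cfrag, proof):
    """Algorithm 6: P^rho == P2 * P1^C, D^rho == D2 * D1^C, Q^rho == Q2 * Q1^C."""
    Pp, Dd, _ = capsule
    C = H(Pp, cfrag["P1"], proof["P2"], Dd, cfrag["D1"], proof["D2"], Q, proof["Q1"], proof["Q2"])
    triples = ((Pp, proof["P2"], cfrag["P1"]), (Dd, proof["D2"], cfrag["D1"]), (Q, proof["Q2"], proof["Q1"]))
    return all(ec_mul(proof["rho"], base) == ec_add(com, ec_mul(C, resp)) for base, com, resp in triples)

def redecrypt(capsule, b, A, B, outputs, t):
    """Algorithm 4: keep fragments whose proof verifies, Lagrange-combine t, unwrap the key point."""
    Pp, Dd, _ = capsule
    good = [(c, p) for c, p in outputs if verify_nizkp(capsule, c, p)][:t]
    if len(good) < t: return None
    z = [H(c["id"], H(A, B, ec_mul(b, A))) for c, _ in good]   # z_{x,i}; b*pk_A == a*pk_B
    Pq = Dq = None
    for i, (c, _) in enumerate(good):
        chi = 1                                                   # chi_{i,Z1} = prod z_j/(z_j - z_i)
        for j in range(t):
            if j != i: chi = chi * z[j] * pow((z[j] - z[i]) % N, -1, N) % N
        Pq, Dq = ec_add(Pq, ec_mul(chi, c["P1"])), ec_add(Dq, ec_mul(chi, c["D1"]))
    X = good[0][0]["X"]
    return ec_mul(H(ec_mul(b, X), B, X), ec_add(Pq, Dq))       # (P'*D')^H_l3(...) = (tau+u)*pk_A

def demo(n_frags=5, t=3):
    """Returns (honest fragments rebuild the key point, a tampered cFrag passes VerifyNIZKP)."""
    a, A = keygen(); b, B = keygen()
    capsule, key_point = encapsulate(A)
    outputs = [reencrypt(capsule, f) for f in rekeygen(a, A, B, n_frags, t)]
    recovered = redecrypt(capsule, b, A, B, outputs[1:1 + t], t)   # any t fragments
    bad_cfrag = dict(outputs[0][0], P1=ec_mul(2, outputs[0][0]["P1"]))
    return recovered == key_point, verify_nizkp(capsule, bad_cfrag, outputs[0][1])
```

The verifier in `verify_nizkp` needs nothing secret, which is what allows the adjudicator contract of Section 6.1 to settle a dispute from the cFrag and π alone; `demo()` returns `(True, False)`, the second value showing that a fragment with a substituted P1 fails the check.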
6. Verification of Re-Encryption and Transaction Aggregation based on NIZKP

6.1. Correctness Verification of Re-Encryption

As incorrect re-encryption operations can be detected by data users, they have the option to apply to the Adjudicator Node for confirmation of the PREN's violation, following these steps; the workflow illustrating these steps is presented in Fig. 6:

(1) Upon receiving the kFrag sent by the DO, the PREN first checks its validity to ensure that erroneous re-encryption operations are not executed due to errors from the DO.
(2) Next, the DU requests the master secret key MSK from the PREN, to which the PREN responds with a cFrag and a NIZKP π.
(3) Subsequently, the DU verifies the validity of the cFrag using the NIZKP π. Additionally, the DU confirms that the cFrag was generated using their capsule by verifying that it aligns with the correct public key.
(4) If any of the verifications fail, the DU supplies both the cFrag and the NIZKP π to the Adjudicator Node. The Adjudicator Node, through the execution of the Adjudicator contract, examines the claim made by the DU by checking the validity of the NIZKP π.
(5) If the Adjudicator contract confirms the invalidity of the cFrag, the delivery of the faulty cFrag to the DU is officially deemed a protocol violation. As a consequence, a penalty is calculated, and the owner of the offending PREN has their stake immediately reduced by the penalty amount.

In this process, miners are composed of four types of nodes: Proxy Re-Encryption Nodes (PREN), Computation Nodes (CPN), Consensus Validation Nodes (CVN), and Adjudicator Nodes (ADN). PRENs and CPNs earn rewards through computational tasks, while CVNs earn tokens by performing validation tasks. The ADN is responsible for rewarding and penalizing all nodes. It also takes on the role of arbitration in cases of computational errors or validation failures. If a node is found to be dishonest, the ADN enforces penalties by revoking the rewards obtained through computation or validation tasks and seizing the collateral that the node staked.

Fig. 6. Correctness Verification of Re-Encryption.

6.2. Validation of Transaction Aggregation

To maximize the efficiency of the proposed model, we incorporate a transaction aggregation system based on zk-SNARKs (D1ONYS1US., 2023) to validate the transactions. To handle the account status information of all users off-chain, we employ a Merkle tree and store the root of this tree in the on-chain smart contract. The root value signifies the present state of all accounts within the system. As a user initiates a transaction, the current state is modified, and the transaction is initially dispatched to the transaction pool. The transaction pool stores pending transactions and prioritizes them based on factors such as fees, priority, and timestamp. This ensures that the transactions are processed in a specific order, improving system efficiency and performance. The Operator node is in charge of receiving sorted transactions from the transaction pool and carrying out the processes illustrated in Fig. 7:

Fig. 7. Transaction Aggregation.

(1) Check Balance: Checks the available funds of the sender's account to ensure a sufficient balance for the transaction amount and fees.
(2) Check Nonce: Verifies the correct ordering of the sender's Nonce to prevent duplicate transactions and ensure proper sequencing.
(3) Check Signature: Validates the transaction's signature to confirm the sender's authenticity and detect manipulation of the data.
(4) Build Batch: Constructs a batch by requesting transactions from the transaction pool.
(5) Get Proof: To demonstrate that all transactions in a batch are valid without revealing any underlying information, the proof creation process translates program specifications into circuits through Circom, enabling the compiler to produce the Rank-1 Constraint System (R1CS) that describes a circuit within Snarkjs. Subsequently, a zk-SNARKs proof system based on the Permutation Argument of Linear Knowledge

(PLONK) is established. Utilizing a proving key and the witness, a succinct zk_proof is generated.
(6) Forge Batch: To verify the transaction batch, the generated proof, along with the associated pre_state_root hash and post_state_root hash, is deployed to the blockchain within a Solidity smart contract, ensuring that the verifier can validate the transaction for on-chain confirmation.
(7) Synchronize State: The blockchain verifier, employing the verification_key and a file containing the public signals of the circuit, validates the submitted zk_proof. If accepted, the new state is synchronized to the blockchain, and both the previous state root and the next state root of the Merkle tree are stored on-chain.
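The Operator checks of steps (1) to (7) above, as an added example that is not the paper's code: an in-memory account Merkle tree whose root stands for the account state, a transaction pool ordered by fee, the balance, nonce and signature checks, and the pre_state_root / post_state_root pair a batch receipt carries to the contract. The zk-SNARK proof itself (Circom/Snarkjs, PLONK) is not reproduced; the HMAC used as a stand-in for the real signature scheme, the account names, keys and sample transactions are all constructed for this example.

```python
# Added example (not the paper's code): Operator-side batch validation of
# Section 6.2 on an in-memory account Merkle tree.  The SNARK step is left out;
# the receipt carries the two state roots a proof would be verified against.
# Signature = HMAC stand-in, accounts and transactions = constructed sample data.
import hashlib
import hmac


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def leaf(addr: str, balance: int, nonce: int) -> bytes:
    return sha256(f"{addr}|{balance}|{nonce}".encode())


def merkle_root(state: dict) -> bytes:
    """Root over account leaves in address order; an odd level duplicates its last node."""
    level = [leaf(a, *state[a]) for a in sorted(state)] or [sha256(b"")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def tx_digest(tx: dict) -> bytes:
    return sha256(f"{tx['from']}|{tx['to']}|{tx['amount']}|{tx['fee']}|{tx['nonce']}".encode())


def sign(tx: dict, secret: bytes) -> bytes:
    """HMAC stand-in for the sender's signature (assumption, not a real signature scheme)."""
    return hmac.new(secret, tx_digest(tx), "sha256").digest()


def check_signature(tx: dict, keys: dict) -> bool:
    return hmac.compare_digest(sign(tx, keys[tx["from"]]), tx["sig"])


def check_tx(tx: dict, state: dict, keys: dict):
    """Steps (1)-(3): None when the transaction is acceptable, else the rejection reason."""
    balance, nonce = state.get(tx["from"], (0, 0))
    if balance < tx["amount"] + tx["fee"]:
        return "insufficient balance"
    if tx["nonce"] != nonce:                       # replayed or out-of-order transaction
        return "bad nonce (replay or out of order)"
    if tx["from"] not in keys or not check_signature(tx, keys):
        return "bad signature"
    return None


def build_batch(state: dict, pool: list, keys: dict, max_size: int) -> dict:
    """Steps (4)-(7) without the SNARK: apply valid txs in fee order, return the receipt."""
    pre_root = merkle_root(state)
    accepted, rejected = [], []
    for tx in sorted(pool, key=lambda t: -t["fee"]):       # pool ordering by fee
        if len(accepted) >= max_size:
            break
        reason = check_tx(tx, state, keys)
        if reason:
            rejected.append((tx, reason))
            continue
        bal, nonce = state.get(tx["from"], (0, 0))
        state[tx["from"]] = (bal - tx["amount"] - tx["fee"], nonce + 1)
        to_bal, to_nonce = state.get(tx["to"], (0, 0))
        state[tx["to"]] = (to_bal + tx["amount"], to_nonce)
        accepted.append(tx)
    return {"pre_state_root": pre_root.hex(), "post_state_root": merkle_root(state).hex(),
            "accepted": accepted, "rejected": rejected}


def demo() -> dict:
    keys = {"alice": b"alice-secret", "bob": b"bob-secret"}     # constructed signing keys
    state = {"alice": (100, 0), "bob": (5, 0)}                  # constructed account state

    def mk(frm, to, amount, fee, nonce):
        tx = {"from": frm, "to": to, "amount": amount, "fee": fee, "nonce": nonce}
        tx["sig"] = sign(tx, keys[frm])
        return tx

    t1 = mk("alice", "bob", 40, 1, 0)
    replay = dict(t1)                               # the same signed tx submitted again
    overdraft = mk("bob", "alice", 50, 1, 0)        # more than bob holds
    forged = mk("alice", "bob", 10, 1, 1)
    forged["amount"] = 20                           # amount altered after signing
    return build_batch(state, [t1, replay, overdraft, forged], keys, max_size=10)
```

Running `demo()` accepts only `t1`; the replay is rejected on the nonce, the overdraft on balance and the altered transaction on its signature, and the receipt's two roots differ, which is the state transition the on-chain verifier would check a proof for.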
We aggregate a large number of transactions generated during the operation of the model, including key computation, publication, and verification, off-chain. Complex computations and proof generation are performed off-chain, while on-chain, only the verification and storage of essential transaction data are carried out. This approach eliminates the need for individual verification of each transaction in the on-chain contract, as the validity of the submitted zk_proof is checked instead. Moreover, the size and verification time of the generated proofs do not increase with the number of transactions, making it possible to effectively reduce on-chain gas consumption while ensuring privacy protection. Furthermore, through the storage of a subset of the necessary transaction data, data availability is guaranteed, enabling the reconstruction of the overall account state using the essential transaction data retained within the blockchain. This eliminates the security risks associated with data availability and allows this solution to achieve decentralization and security. Additionally, through efficient coordination between on-chain and off-chain computations, this approach can significantly increase the transactions per second (TPS) of the blockchain and achieve scalability.

7. Implementation and analysis

7.1. Algorithm security analysis

Theorem 1. (If the decisional q-parallel BDHE assumption holds, then no polynomial-time adversary can break the proposed scheme by selecting a challenge access structure (M*, ρ*).) Proof: We briefly show that the decisional q-parallel BDHE assumption is generically secure using the generic proof template provided by Boneh, Boyen, and Goh (Boneh et al., 2005). Our proof follows a similar path as presented by Waters (Waters, 2011). Due to space constraints and the similarity to (Waters, 2011), we omit the proof details in the main text and provide the proof process in the appendix.

Theorem 2. (If the data attribute-based encryption scheme satisfies IND-SAS-CPA, the scheme has privacy protection.) Proof: Firstly, the identity information of the transaction parties cannot be separated from their identity information because the attributes of the transaction parties are Hash(u), which protects the privacy of the users by virtue of the collision-resistant property of the hash mapping. Secondly, according to the IND-SAS-CPA security of the improved algorithm, even if the ciphertext CT is harvested in polynomial time, no effective information about the plaintext can be obtained from it. As a result, this scheme ensures the confidentiality of transactions. In conclusion, this data sharing strategy provides robust privacy safeguards for both identification and transactional data.

Theorem 3. (If the key computation algorithm CptKey ensures that the values of e and u are coprime, and e is less than u, then the key generation algorithm KeyGen exhibits correctness and security, thereby demonstrating resistance against node collusion attacks.) Proof: If e and u are coprime, then gcd(e, u) = 1, so by Bezout's identity we know that ∃d, b : e·d + b·u = 1 ⇒ e·d = 1 in Z_p, i.e., d is the inverse of e. When other nodes in the blockchain network calculate the key, they obtain K′_i after encrypting it with e, and return the key to the DU, who decrypts it using the key d to obtain the correct K_i. Since the delegated computing node can only obtain the public e during computation and the randomly generated u is kept secret by the DU, it cannot compute d in polynomial time, i.e., it cannot compute the correct SK. Furthermore, within each attribute-related key fragment, hashing is applied to both the attribute and the user identity. This approach serves to prevent collusion attacks among multiple users, as sharing attributes or using another user's SK for decryption is rendered infeasible. In summary, the key generation algorithm maintains correctness and security, effectively resisting node collusion attacks.

7.2. Comparative study

We conducted a comprehensive comparison between the features of our proposed solution and those of existing relevant schemes, covering eight aspects. Our comparison includes the CP-ABE schemes introduced in Waters (Waters, 2011), Liang (Liang et al., 2009), Doshi (Doshi, 2022), Zhang (Zhang and Sun, 2020) and Zhai (Zhai et al., 2023), and the summarized outcomes are presented in Table 3. Our selection of references is deliberate, encompassing historically significant contributions such as Waters (Waters, 2011) and Liang (Liang et al., 2009), which established foundational concepts. In Waters (Waters, 2011), the authors provided a formal security proof for the standard model of CP-ABE, introducing a CP-ABE scheme built on LSSS. Additionally, Liang (Liang et al., 2009) proposed the first CP-ABE-PRE scheme, fusing CP-ABE with proxy re-encryption techniques. Doshi (Doshi, 2022), Zhang (Zhang and Sun, 2020) and Zhai (Zhai et al., 2023) were chosen due to their thematic relevance to our proposed scheme.

Liang (Liang et al., 2009) and Doshi (Doshi, 2022) both employed AND gates as the access structure in their CP-ABE schemes. The
distinction lies in Liang (Liang et al., 2009) adopting the ADBDH (Augmented Decisional Bilinear Diffie-Hellman) hardness problem, while Doshi (Doshi, 2022) opted for the DBDH hardness problem. Zhang (Zhang and Sun, 2020), Zhai (Zhai et al., 2023), and our proposed solution all utilize LSSS as the access structure and employ the q-parallel BDHE hardness problem. It is noteworthy that, except for Waters (Waters, 2011), all schemes incorporate re-encryption algorithms. However, only our proposed solution implements verifiable re-encryption based on zero-knowledge proofs. Zhang (Zhang and Sun, 2020) introduced a blockchain-based ciphertext cloud storage sharing scheme using attribute-based proxy re-encryption. In this scheme, nodes within the system receive corresponding credit coins as a reward for successfully recording a transaction. However, the incentive mechanism designed in this scheme does not effectively enhance the correctness of re-encryption; it merely increases node participation. In contrast, the incentive mechanism in our proposed solution aims to improve the correctness of node-executed re-encryption tasks through economic incentives. Both Zhai (Zhai et al., 2023) and our solution addressed the centralized key management issue. However, the former only established a distributed key generation method for the SK, while our solution further achieved multi-party secure management and distribution of the MSK. Additionally, our solution is the only one addressing the inefficiency and poor scalability of blockchain networks. To reduce on-chain gas consumption, we designed a transaction aggregation mechanism and provided corresponding zero-knowledge proofs to validate the effectiveness of account state transitions.

Table 3
Feature Comparison of CP-ABE Schemes.

Schemes | Feature1 | Feature2 | Feature3 | Feature4 | Feature5 | Feature6 | Feature7 | Feature8
Waters et al. (Waters, 2011) | LSSS | DPBDHE | × | × | × | × | × | ×
Liang et al. (Liang et al., 2009) | AND gate | ADBDH | √ | × | × | × | × | ×
Doshi et al. (Doshi, 2022) | AND gate | DBDH | √ | × | × | × | × | ×
Zhang et al. (Zhang and Sun, 2020) | LSSS | q-parallel BDHE | √ | × | × | √ | × | √
Zhai et al. (Zhai et al., 2023) | LSSS | q-parallel BDHE | √ | × | √ | × | × | √
Our Scheme | LSSS | q-parallel BDHE | √ | √ | √ | √ | √ | √

Note: √ means that the scheme satisfies this feature, while × means that it does not. Feature1: Type of access structure; Feature2: Type of hardness problem; Feature3: Whether re-encryption is supported; Feature4: Whether verifiable re-encryption is supported; Feature5: Whether the design supports distributed KMS; Feature6: Whether the incentive mechanism is designed; Feature7: Whether the transaction aggregation is designed; Feature8: Whether it is based on blockchain.

Table 4 provides a comparison of the computational and storage cost of Doshi (Doshi, 2022), Zhang (Zhang and Sun, 2020), Zhai (Zhai et al., 2023), and the proposed scheme. As indicated in Table 4, our scheme and Zhang's scheme (Zhang and Sun, 2020) share the same length for PK, both being (n + 3)|G0| + |G1|, growing with the number of attributes. The length of SK for our scheme is (2n + 3)|G0|, slightly higher in growth rate compared to the other three schemes. On the other hand, the CT length for our scheme is (2n + 1)|G0|, with a growth rate slightly lower than the other three schemes. This indicates that our proposed scheme exhibits stronger key attack resistance but comes with slightly higher storage costs. Additionally, the computational overhead generated during the encryption, re-encryption, and decryption processes for our scheme is (2n + 1)TE + TP, 7TE, and (2n + 6)TE + 4TP, respectively. Compared with the other three schemes, our scheme demonstrates similar computational overhead during the encryption and decryption stages as Doshi (Doshi, 2022) and Zhai (Zhai et al., 2023). However, in the re-encryption stage, our scheme achieves lower computational overhead by increasing the number of multiplication operations while reducing the number of bilinear pairing operations. Since the resources and time required for a single bilinear pairing operation are generally higher than those for a single exponentiation operation, our scheme incurs less computational overhead during the re-encryption stage compared to the other three schemes. In summary, compared to other relevant schemes, our proposed scheme provides a better balance between computational and storage overhead, as well as security and functional features.

Table 4
Computation and Storage Comparison of CP-ABE Schemes.

Doshi et al. (Doshi, 2022): |PK| = (n + 3)|G0|; |MSK| = |ZP|; |SK| = |G0|; |CT| = (2n + 3)|G0|; Encryption = (2n + 3)TE + TP; Re-Encryption = (3n + 6)TE + 4TP; Decryption = (2n + 6)TE + 6TP.
Zhang et al. (Zhang and Sun, 2020): |PK| = (n + 3)|G0| + |G1|; |MSK| = |G0| + |ZP|; |SK| = (2n + 2)|G0|; |CT| = (2n + 2)|G0| + |G1|; Encryption = (3n + 2)TE + 2TP; Re-Encryption = (3n + 1)TE + 5TP; Decryption = (3n + 2)TE + 3TP.
Zhai et al. (Zhai et al., 2023): |PK| = |G0|; |MSK| = 3|ZP|; |SK| = (n + 2)|G0|; |CT| = (2n + 2)|G0|; Encryption = (2n + 4)TE + TP; Re-Encryption = (2n + 2)TE + 5TP; Decryption = (2n + 4)TE + 5TP.
Our Scheme: |PK| = (n + 3)|G0| + |G1|; |MSK| = |G0|; |SK| = (2n + 3)|G0|; |CT| = (2n + 1)|G0|; Encryption = (2n + 1)TE + TP; Re-Encryption = 7TE; Decryption = (2n + 6)TE + 4TP.

Note: n represents the number of attributes; |G0| and |G1| denote the bit lengths of elements in groups G0 and G1, respectively. TE represents the time taken for a single exponentiation operation, while TP represents the time taken for a single bilinear pairing operation.

7.3. Experimental analysis

To thoroughly assess how well the solution in this paper works in practice, a series of simulation and testing experiments were conducted. Firstly, tests were performed on the time costs of operations such as the key generation algorithm and the multi-node collaborative computation of the private key. Secondly, performance tests on blockchain key source queries were conducted. Finally, the gas consumption of the smart contracts for on-chain signature verification and re-encryption result correctness verification was tested, and the reduction of on-chain gas consumption through the transaction aggregation system was also validated.

All experiments in this paper were carried out on a machine running the Ubuntu 22.10 operating system. The specific hardware configuration includes an AMD Ryzen 7 6800H CPU with a clock frequency of 3.20 GHz and 16.0 GB RAM. Circom (Iden3., 2023) and Snarkjs (Iden3., 2023) for creating zk-SNARK circuits, and Ganache (Truffle, 2023) for building a blockchain virtual network were all used in this article. In our current setting, distinct elliptic curves are employed for the PRE and CP-ABE parts. Specifically, the elliptic curve utilized in the PRE part aligns with the one commonly employed in blockchain systems: we have opted for the secp256k1 elliptic curve, widely used in blockchain, with a security parameter size of 256 bits. Meanwhile, for the CP-ABE part, we employ a Type A prime order elliptic curve from the PBC library (Ben, 2013), with rBits = 160 and qBits = 512. For each experiment, 50 independent trials were conducted under identical experimental conditions, and the experiment's outcome was determined as the average value.

In this paper, our proposed solution leverages blockchain technology to achieve complete decentralization, allowing all network nodes to participate in key computations. As depicted in Fig. 10(a), we observe

that as the number of attributes increases, the solution converges towards the Waters scheme (Waters, 2011) when only one computing node is involved. However, when three computing nodes participate, our solution exhibits approximately one-third of the computation time compared to the Waters scheme (Waters, 2011). This showcases the efficiency of our key generation algorithm while meeting the requirements of secure data sharing.

Fig. 10. Simulation Results.

Fig. 10(b) and (c) illustrate that when the number of nodes is one, the decryption computation time doubles as the number of attributes increases, indicating a linear growth pattern. Nevertheless, encryption and key generation times remain unaffected by the number of policy attributes. Hence, in practical scenarios with a large access policy attribute set, modifying the access control policy cannot save key generation time. However, our proposed approach, which involves multi-node collaborative computing of private keys, offers distinct advantages.

Fig. 10(d)–(f) depict experimental tests involving the encryption, re-encryption, and decryption processes, with the number of user attributes as the independent variable. We observe that the time costs for these processes increase linearly with the number of user attributes. Notably, our solution, compared to Zhang's scheme (Zhang and Sun, 2020) and Zhai's scheme (Zhai et al., 2023), reduces computational costs and minimizes time overhead by replacing some bilinear pairings with multiplication operations.

To fully simulate the entire process of data sharing, we used Ganache to set up 4 nodes and simulated the data flow operation using default consensus algorithms and Solidity smart contracts. In addition, this paper performed concurrent stress testing on the model using Python multi-threading, as depicted in Fig. 10(g). The test objects were randomly selected from one node in Ganache, and the test content was to query the source of the keys in the system under concurrency levels of 20, 50, and 100. Under 100 concurrent requests, the average response time of a single node remained within 31 s. Each node in the system can have a fast response speed and can provide high-performance query services.

In addition, when executing the signature verification contract on a single node, the transaction cost amounts to roughly 1,089,287 gas, accompanied by an execution expense of approximately 964,982 gas. Likewise, the contract for confirming the correctness of re-encrypted data results in a transaction cost of around 3,600,134 gas, with an execution overhead of approximately 3,299,517 gas. As depicted in Fig. 10(h), it is evident that gas consumption escalates with the increasing number of participating validation nodes.

Finally, we also evaluated gas consumption using transaction aggregation, as detailed in Table 5. With an increase in the number of chunks within each block (30, 80, 180, and 400), a consistent reduction in overall gas consumption became evident. Implementing transaction aggregation led to a noteworthy decrease of over 61 % in our overall gas

Table 5
Costs of the Transaction Aggregation.

Chunks Per Block | Deposit/Gas | Withdraw/Gas | Transfer/Gas | Total/Gas
30 | 238,526 | 237,201 | 54,301 | 530,028
80 | 130,984 | 128,813 | 18,167 | 277,964
180 | 100,385 | 98,106 | 7,921 | 206,412
400 | 88,210 | 85,853 | 3,825 | 177,888

authenticity of transaction aggregation. However, some potential performance challenges arise when introducing zero-knowledge proofs in blockchain system environments. Addressing these challenges requires optimized algorithms, lightweight proof systems, and efficient implementation strategies to make zero-knowledge proofs feasible in such environments. On the other hand, the blockchain-based CP-ABE scheme involves an incentive mechanism and an algorithmic security proof. Firstly, we analyze the economic rewards and penalties among different types of nodes through a probabilistic model. Both the PRE nodes and the Operator nodes obtain incentive compatibility according to their contribution, which originates from their correct behaviors. Meanwhile, they have liveness only if each party is incentivized to earn the quantity of reward with probability. Secondly, our CP-ABE construction aims to be IND-SAS-CPA secure under the q-Decisional Parallel Bilinear Diffie-Hellman Exponent assumption on prime order bilinear groups, which means showing that if there were an adversary capable of breaking the IND-SAS-CPA property of the scheme, this adversary could solve the q-DPBDHE problem. In addition, the proposed CP-ABE system adheres to a static security assumption, which ensures protection against predefined attack scenarios; this follows from the use of the generic proof template of the Boneh, Boyen, and Goh framework, which shows that it is generically secure (Boneh et al., 2005).

8. Conclusion and future work

In this paper, we discussed the challenges in the current blockchain-driven attribute-based encryption schemes, such as centralized management of keys by authorized institutions, inefficient key management and distribution, lack of key correctness verification, and issues related to poor scalability and high on-chain costs in blockchain networks. Subsequently, we proposed a novel blockchain-based CP-ABE scheme using distributed KMS and zero-knowledge proof. Firstly, we conducted a detailed blockchain security analysis and algorithm security analysis for the proposed scheme. The comprehensive security analysis demonstrates that the proposed scheme offers high security and privacy protection. Secondly, we conducted in-depth comparisons between the proposed scheme and other relevant existing schemes in terms of functional features, computational cost, and storage cost. Finally, we also
consumption. Furthermore, when accounting for the concurrent reduc­ performed a series of simulation experiments to test the practical per­
tion in the system’s operational demands due to this method, its impact formance of the proposed scheme. In conclusion, compared to other
became even more pronounced. schemes, our proposed solution provides a better balance between
computational and storage overhead, as well as security and functional
7.4. Discussion features. It offers effective solutions and methods to address the existing
issues in current blockchain-driven attribute-based encryption schemes.
In this section, we discuss privacy-oriented distributed key man­ For future research endeavors, this paper proposes deploying the
agement system for blockchain-based CP-ABE and its zero-knowledge decentralized CP-ABE scheme as a tool for data sharing and exchange in
proof scheme. Recent studies indicate that central authority will be specific scenarios such as government resource information sharing, IoT
unlikely to provide satisfactory services to key management in diversi­ data sharing, or cross-border trade document data sharing. Furthermore,
fied scenarios because we utilize too much trust in key generation center there is a need to enhance the blockchain ciphertext access control al­
(KGC), especially in a blockchain system. These centers do not meet the gorithm. This could involve the introduction of features such as attribute
requirements of user privacy protection, decentralization and scalability revocation mechanisms, OBDD access structures, etc., to improve the
of blockchain technology. In our proposed scheme, we leverage a applicability and robustness of the solution in specific scenarios.
threshold proxy re-encryption protocol and integrate the key- Availability of data and materials
encapsulation mechanism into the blockchain system. Furthermore, in The data used to support the findings of this study are available from
order to reduce on-chain transaction costs and enhance scalability of the corresponding author upon request.
decentralized system, we incorporate the Fiat-Shamir Heuristic protocol
and zk-SNARKs to verify the correctness of re-encryption and

CRediT authorship contribution statement

Zhixin Ren: Conceptualization, Funding acquisition, Writing – original draft, Writing – review & editing, Visualization, Investigation, Methodology. Enhua Yan: Writing – review & editing, Validation, Formal analysis, Funding acquisition. Taowei Chen: Conceptualization, Funding acquisition, Methodology. Yimin Yu: Conceptualization, Funding acquisition.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgement

We sincerely express our gratitude to the editors and reviewers of this article. Their professional reviews and constructive suggestions have significantly contributed to the enhancement of the paper's quality.

Funding

This work is supported by the National Natural Science Foundation of China (grant numbers 61961042, 71964037), Yunnan Key Laboratory of Blockchain Application Technology (grant numbers 202105AG070005, YNB202108), Yunnan International Joint Research and Development Center for Cross-border Trade and Financial Blockchain (grant number 202203AP140010), Kunming International (Foreign-oriented) Science and Technology Research and Development Center for Blockchain Technology in South Asia and Southeast Asia (grant number GHJD-2022006), Research on Key Technologies of Cross-Border Trade Blockchain for RCEP (grant number 202202AD080011), and Scientific Research Foundation of Yunnan Education Department (grant numbers 2023Y0657, 2023Y0675, 2024Y540).

Appendix

Theorem 1. If the decisional q-parallel BDHE assumption holds, then no polynomial-time adversary can break the proposed scheme in the selective model with a challenge access structure $(M^*, \rho^*)$.

Proof. In the selective security model, if there exists a polynomial-time adversary $\mathcal{A}$ with advantage $\varepsilon$ against the proposed scheme, then there exists an algorithm $\mathcal{B}$ with advantage $\varepsilon/2$ in solving the decisional q-parallel BDHE problem.

The challenger sets up as follows: select two cyclic groups $G_0$ and $G_1$ of prime order $p$ with a generator $g \in G_0$ and a bilinear map $e : G_0 \times G_0 \to G_1$, randomly choose $\beta, s, b_1, \ldots, b_q \in \mathbb{Z}_p$, and publish

$$\vec{y} = \{\, g,\ g^{s},\ g^{\beta}, \ldots, g^{\beta^{q}},\ g^{\beta^{q+2}}, \ldots, g^{\beta^{2q}},$$
$$\forall\, 1 \le j \le q:\ g^{s \cdot b_j},\ g^{\beta/b_j}, \ldots, g^{\beta^{q}/b_j},\ g^{\beta^{q+2}/b_j}, \ldots, g^{\beta^{2q}/b_j},$$
$$\forall\, 1 \le j, k \le q,\ k \ne j:\ g^{\beta \cdot s \cdot b_k/b_j}, \ldots, g^{\beta^{q} \cdot s \cdot b_k/b_j} \,\}$$ (6)

Randomly select $\theta \in \{0, 1\}$. If $\theta = 0$, set $Z = e(g, g)^{\beta^{q+1} s}$; if $\theta = 1$, choose $Z$ uniformly at random in $G_1$. In both cases $T = (\vec{y}, Z)$. On receiving the tuple $T$, $\mathcal{B}$ plays the following game with $\mathcal{A}$ to decide whether $T \in P_{q\text{-parallel BDHE}}$ or $T \in R_{q\text{-parallel BDHE}}$. Before the game begins, $\mathcal{B}$ obtains the access structure $(M^*, \rho^*)$ that $\mathcal{A}$ intends to challenge, where $M^*$ has $n^*$ columns.

(1) Initialization. $\mathcal{B}$ selects a random $\alpha' \in \mathbb{Z}_p$ and computes $e(g, g)^{\alpha} = e(g^{\beta}, g^{\beta^{q}}) \cdot e(g, g)^{\alpha'}$, which implicitly sets $\alpha = \alpha' + \beta^{q+1}$. It then arranges the group elements $h_1, h_2, \ldots, h_{|U|}$ as follows. For each $x$ ($1 \le x \le |U|$), choose a random $z_x$ and let $X$ denote the set of indices $i$ with $\rho^*(i) = x$. Compute

$$h_x = g^{z_x} \prod_{i \in X} g^{\beta M^*_{i,1}/b_i} \cdot g^{\beta^{2} M^*_{i,2}/b_i} \cdots g^{\beta^{n^*} M^*_{i,n^*}/b_i}$$ (7)

Because $g^{z_x}$ is random, $h_x$ is randomly distributed. If $X = \emptyset$, then $h_x = g^{z_x}$.

(2) Phase 1. $\mathcal{A}$ issues key extraction queries for attribute sets $S$ that do not satisfy $M^*$. $\mathcal{B}$ chooses a random $r \in \mathbb{Z}_p$ and finds a vector $\vec{\omega} = (\omega_1, \omega_2, \ldots, \omega_{n^*}) \in \mathbb{Z}_p^{n^*}$ with $\omega_1 = -1$ and $\vec{\omega} \cdot M^*_i = 0$ for every $i$ with $\rho^*(i) \in S$. By the definition of an LSSS such a vector must exist; otherwise $(1, 0, \ldots, 0)$ would lie in the span of the rows of $M^*$ labelled by $S$, i.e. $S$ would satisfy $M^*$. $\mathcal{B}$ computes

$$L = g^{r} \prod_{i=1}^{n^*} \left( g^{\beta^{q+1-i}} \right)^{\omega_i}$$ (8)

This implicitly defines $t = r + \omega_1 \beta^{q} + \omega_2 \beta^{q-1} + \cdots + \omega_{n^*} \beta^{q-n^*+1}$, so that $g^{t} = L$. Since $\omega_1 = -1$, $g^{\beta t}$ contains the term $g^{-\beta^{q+1}}$, which cancels the unknown term $g^{\beta^{q+1}}$ in $g^{\alpha}$. $\mathcal{B}$ therefore computes

$$K = g^{\alpha'} g^{\beta r} \prod_{i=2}^{n^*} \left( g^{\beta^{q+2-i}} \right)^{\omega_i}$$ (9)
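A worked check of the cancellation that Eq. (9) relies on, added here as an illustration rather than as part of the original proof; it uses only the quantities defined above together with the standard requirement $n^* \le q$ of the reduction.

$$K = g^{\alpha} g^{\beta t} = g^{\alpha' + \beta^{q+1}} \cdot g^{\beta r} \cdot g^{\beta \left( \omega_1 \beta^{q} + \omega_2 \beta^{q-1} + \cdots + \omega_{n^*} \beta^{q-n^*+1} \right)}$$
$$= g^{\alpha'} g^{\beta r} \, g^{\beta^{q+1}} \prod_{i=1}^{n^*} g^{\omega_i \beta^{q+2-i}} = g^{\alpha'} g^{\beta r} \, g^{\beta^{q+1}} g^{-\beta^{q+1}} \prod_{i=2}^{n^*} \left( g^{\beta^{q+2-i}} \right)^{\omega_i},$$

because $\omega_1 = -1$ turns the $i = 1$ factor into $g^{-\beta^{q+1}}$. The remaining exponents $\beta^{q+2-i}$ for $2 \le i \le n^*$ lie in $\{\beta^{2}, \ldots, \beta^{q}\}$, all of which appear in $\vec{y}$, so $\mathcal{B}$ evaluates Eq. (9) without ever knowing $g^{\beta^{q+1}}$. That element is deliberately missing from the instance: paired with $g^{s}$ it would give $Z = e(g, g)^{\beta^{q+1} s}$, exactly the value $\mathcal{B}$ is trying to distinguish from random.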

$K_x$ is computed for every $x \in S$. If there is no $i$ with $\rho^*(i) = x$, let $K_x = L^{z_x}$. If there are (possibly several) $i$ with $\rho^*(i) = x$, then $M^*_i \cdot \vec{\omega} = 0$ lets $\mathcal{B}$ cancel the unknown terms $g^{\beta^{q+1}/b_i}$ in $K_x$. Let $X$ again denote the set of indices $i$ with $\rho^*(i) = x$; $\mathcal{B}$ constructs

$$K_x = L^{z_x} \prod_{i \in X} \prod_{j=1}^{n^*} \left( g^{(\beta^{j}/b_i)\, r} \prod_{\substack{k = 1, \ldots, n^* \\ k \ne j}} \left( g^{\beta^{q+1+j-k}/b_i} \right)^{\omega_k} \right)^{M^*_{i,j}}$$ (10)

(3) Challenge. $\mathcal{A}$ submits two equal-length messages $m_0$ and $m_1$. $\mathcal{B}$ chooses a random bit $c \in \{0, 1\}$ and computes the ciphertext components of $m_c$ as $C = m_c \cdot Z \cdot e(g^{s}, g^{\alpha'})$ and $C' = g^{s}$. $\mathcal{B}$ then selects random $y'_2, \ldots, y'_{n^*}$ and shares $s$ using the vector

$$\vec{v} = \left( s,\ s\beta + y'_2,\ s\beta^{2} + y'_3,\ \ldots,\ s\beta^{n^*-1} + y'_{n^*} \right) \in \mathbb{Z}_p^{n^*}$$ (11)

Random $r'_1, r'_2, \ldots, r'_l$ are chosen. For $i = 1, \ldots, l$, let $R_i$ be the set of all $k \ne i$ with $\rho^*(k) = \rho^*(i)$, i.e. the row indices that share the attribute of the $i$-th row. The challenge ciphertext components $(C_i, D_i)$ are generated as

$$C_i = h_{\rho^*(i)}^{r'_i} \left( \prod_{j=2}^{n^*} \left( g^{\beta} \right)^{M^*_{i,j} y'_j} \right) \left( g^{b_i \cdot s} \right)^{-z_{\rho^*(i)}} \left( \prod_{k \in R_i} \prod_{j=1}^{n^*} \left( g^{\beta^{j} \cdot s \cdot (b_i/b_k)} \right)^{M^*_{k,j}} \right),$$
$$D_i = g^{r'_i} \, g^{-s b_i}$$ (12)

(4) Phase 2. Same as Phase 1.

(5) Guess. $\mathcal{A}$ outputs a guess $c'$ of $c$. If $c' = c$, $\mathcal{B}$ outputs $\theta = 0$, indicating $T \in P_{q\text{-parallel BDHE}}$; otherwise it outputs $\theta = 1$. When $\theta = 0$ the simulation is perfect and $\Pr[c = c' \mid \theta = 0] = \tfrac{1}{2} + \varepsilon$. When $\theta = 1$, $Z$ is uniformly random, $T \in R_{q\text{-parallel BDHE}}$, the challenge ciphertext carries no information about $c$, and $\Pr[c = c' \mid \theta = 1] = \tfrac{1}{2}$. The advantage of $\mathcal{B}$ against the decisional q-parallel BDHE assumption is therefore

$$\tfrac{1}{2} \Pr[c = c' \mid \theta = 0] + \tfrac{1}{2} \Pr[c = c' \mid \theta = 1] - \tfrac{1}{2} = \tfrac{\varepsilon}{2}$$ (13)

Hence, if the assumption holds, the advantage of any polynomial-time adversary in winning the IND-SAS-CPA game is negligible. □
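The Fiat-Shamir-based check of re-encryption correctness mentioned in Section 7.4 can be made concrete with a Chaum-Pedersen (DLEQ) proof, the same kind of sigma-protocol proof that threshold PRE schemes such as Umbral (Nunez, 2018) attach to re-encryption fragments. The following is an added example written for this page; it is not code from the paper or its authors. It assumes a PRE node holding a key fragment k with public commitment V = g^k, a capsule element E supplied by the data owner, and a toy prime-order subgroup of Z_p^* generated at start-up; the names, the group and the parameters are all assumptions, and the paper's zk-SNARK path (Circom/snarkjs) is not shown.

```python
"""Added example (not from the paper): Fiat-Shamir DLEQ proof that a
re-encryption E' = E^k was computed with the committed fragment V = g^k,
i.e. log_g(V) == log_E(E'), without revealing k.  Group: order-q subgroup
of Z_p^* with p = 2q + 1 a safe prime (toy size, for illustration only).
"""
import hashlib
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    p: int   # safe prime, p = 2q + 1
    q: int   # prime order of the subgroup
    g: int   # generator of the order-q subgroup


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; enough for demo parameter generation."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_group(bits: int = 128, seed: int = 1) -> Group:
    """Seeded (reproducible) search for a safe prime p = 2q + 1 of the given size."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            # 4 = 2^2 is a quadratic residue, hence has order q in Z_p^*.
            return Group(2 * q + 1, q, 4)


def in_subgroup(grp: Group, x: int) -> bool:
    """Reject elements outside the order-q subgroup (small-subgroup inputs)."""
    return 1 <= x < grp.p and pow(x, grp.q, grp.p) == 1


def fs_challenge(grp: Group, *elems: int) -> int:
    """Fiat-Shamir challenge: hash of the whole transcript, reduced mod q."""
    width = (grp.p.bit_length() + 7) // 8
    h = hashlib.sha256(b"DLEQ-v1")          # domain separation tag (assumed)
    for e in elems:
        h.update(e.to_bytes(width, "big"))
    return int.from_bytes(h.digest(), "big") % grp.q


def dleq_prove(grp: Group, k: int, E: int, rng: random.Random):
    """Prover (PRE node): returns (V, E', (c, z)) with V = g^k and E' = E^k."""
    V, Ep = pow(grp.g, k, grp.p), pow(E, k, grp.p)
    w = rng.randrange(1, grp.q)                         # fresh nonce, never reused
    t1, t2 = pow(grp.g, w, grp.p), pow(E, w, grp.p)     # commitments
    c = fs_challenge(grp, grp.g, E, V, Ep, t1, t2)
    return V, Ep, (c, (w + c * k) % grp.q)


def dleq_verify(grp: Group, E: int, V: int, Ep: int, proof) -> bool:
    """Verifier: rebuild the commitments from (c, z) and re-derive the challenge."""
    c, z = proof
    if not all(in_subgroup(grp, x) for x in (E, V, Ep)):
        return False
    if not (0 <= c < grp.q and 0 <= z < grp.q):
        return False
    t1 = pow(grp.g, z, grp.p) * pow(V, -c, grp.p) % grp.p   # g^z / V^c
    t2 = pow(E, z, grp.p) * pow(Ep, -c, grp.p) % grp.p      # E^z / E'^c
    return c == fs_challenge(grp, grp.g, E, V, Ep, t1, t2)


def demo(seed: int = 7):
    """(honest, wrong-fragment, tampered-proof) verification outcomes."""
    grp = gen_group(128, seed)
    rng = random.Random(seed)
    k = rng.randrange(1, grp.q)                          # node's key fragment
    E = pow(grp.g, rng.randrange(1, grp.q), grp.p)       # capsule element (constructed)
    V, Ep, proof = dleq_prove(grp, k, E, rng)
    honest = dleq_verify(grp, E, V, Ep, proof)
    wrong = dleq_verify(grp, E, V, pow(E, (k + 1) % grp.q, grp.p), proof)
    tampered = dleq_verify(grp, E, V, Ep, (proof[0], (proof[1] + 1) % grp.q))
    return honest, wrong, tampered


if __name__ == "__main__":
    print(demo())
```

The verifier rejects any element outside the order-q subgroup before using it, the transcript hash binds g, E, V and E' so a proof cannot be replayed against a different capsule or commitment, and the cost of verification is four exponentiations and one hash, which is what makes this cheap to run on-chain compared with the zk-SNARK route. In deployment the seeded toy group would be replaced by an elliptic-curve group and the nonce w drawn from a CSPRNG.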

References

Badsha, S., Vakilinia, I., Sengupta, S., 2020. BloCyNfo-Share: Blockchain based Cybersecurity Information Sharing with Fine Grained Access Control. In: 2020 10th Annual Computing and Communication Workshop and Conference. Las Vegas, pp. 317–323.
Banerjee, S., Bera, B., Das, A.K., 2021. Private blockchain-envisioned multi-authority CP-ABE-based user access control scheme in IIoT. Comput. Commun. 169, 99–113.
Beimel, A., 2021. Secure schemes for secret sharing and key distribution. International Conference on Security and Cryptography, pp. 130–150.
Bethencourt, J., Sahai, A., Waters, B., 2007. Ciphertext-policy attribute-based encryption. IEEE Symposium on Security and Privacy (S&P'07). Oakland, California, pp. 321–334.
Boneh, D., Boyen, X., Goh, E.J., 2005. Hierarchical Identity Based Encryption with Constant Size Ciphertext. Advances in Cryptology – EUROCRYPT 2005. Berlin, Heidelberg. 3494, 440–456.
Bramm, G.G., Mark, S., 2018. BDABE – Blockchain-based Distributed Attribute based Encryption. International Conference on Security and Cryptography, pp. 99–110.
CBS, 2019. Hundreds of Millions of Facebook User Records Were Exposed on Amazon Cloud Server. https://www.cbsnews.com/news/millions-facebook-user-records-exposed-amazon-cloud-server/ (accessed 4 April 2019).
Chen, T.W., Ren, Z.X., Yu, Y.M., 2023. Lattices-Inspired CP-ABE from LWE Scheme for Data Access and Sharing Based on Blockchain. Appl. Sci. 13 (13), 7765.
D1ONYS1US, 2023. Zero-Knowledge Rollups. https://ethereum.org/en/developers/docs/scaling/zk-rollups/ (accessed 5 May 2023).
Doshi, N., 2022. An enhanced approach for CP-ABE with proxy re-encryption in IoT paradigm. Jordanian J. Comput. Informat. Technol. 8 (3), 232–241.
Edemacu, K., Jang, B., Kim, J.W., 2020. Collaborative ehealth privacy and security: An access control with attribute revocation based on OBDD access structure. IEEE J. Biomed. Health Inform. 24 (10), 2960–2972.
Gao, S., Piao, G., Zhu, J., 2020. TrustAccess: A trustworthy secure ciphertext-policy and attribute hiding access control scheme based on blockchain. IEEE Trans. Veh. Technol. 69 (6), 5784–5798.
Goyal, V., Pandey, O., Sahai, A., Waters, B., 2006. Attribute-based encryption for fine grained access control of encrypted data. Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS'06). Alexandria, pp. 89–98.
Guo, N., Hu, J., Deng, X., 2023. A privacy preserving CP-ABE-based access control on data sharing in VANETs. Int. J. Web Grid Serv. 19 (2), 211–232.
Iden3, 2023. Snarkjs. https://github.com/iden3/snarkjs (accessed 12 September 2023).
Iden3, 2023. Circom. https://github.com/iden3/circom (accessed 6 July 2023).
Kogan, D., 2019. Lecture 5: Proofs of Knowledge. Schnorr's protocol, NIZK. https://crypto.stanford.edu/cs355/19sp/lec5.pdf (accessed 15 April 2019).
Kogan, D., 2019. Lecture 6: Sigma Protocols, Secret Sharing. https://crypto.stanford.edu/cs355/19sp/lec6.pdf (accessed 17 April 2019).
Li, Y., Wu, C., Guo, L., 2014. Wiki-health: A big data platform for health sensor data management. Cloud Computing Appl. Quality Health Care Deliv., pp. 59–77.
Liang, X.H., Cao, Z.F., Lin, H., 2009. Attribute based proxy re-encryption with delegating capabilities. Proceedings of the 4th International Symposium on Information, Computer, and Communications Security. Sydney, Australia, pp. 276–286.
Lu, X., Cheng, X., 2019. A secure and lightweight data sharing scheme for internet of medical things. IEEE Access 8, 5022–5030.
Lynn, B., 2013. PBC Library. https://crypto.stanford.edu/pbc/ (accessed 14 June 2013).
Manzoor, A., Liyanage, M., Braeken, A., 2018. Blockchain based proxy re-encryption scheme for secure IoT data sharing. https://arxiv.org/abs/1811.02276 (accessed 6 November 2018).
Nakamoto, S., 2009. Bitcoin: a peer-to-peer electronic cash system. https://bitcoin.org/bitcoin.pdf (accessed 1 November 2018).
NSTIC, 2018. National Scientific Data Resource Development Report. Scientific and Technology Documentation Press, p. 34.
Nunez, D., 2018. Umbral: a threshold proxy re-encryption scheme. University of Malaga, Spain, NuCypher Inc and NICS Lab, pp. 1–8.
Sahai, A., Waters, B., 2005. Fuzzy identity-based encryption. Annual International Conference on the Theory and Applications of Cryptographic Techniques – Advances in Cryptology (EUROCRYPT'05). Aarhus, Denmark, pp. 457–473.
Sammy, F., Vigila, S., 2022. An Efficient Blockchain Based Data Access with Modified Hierarchical Attribute Access Structure with CP-ABE Using ECC Scheme for Patient Health Record. Security Commun. Networks 2022, 1–11.
Sookhak, M., Yu, F.R., Khan, M.K., 2017. Attribute-based data access control in mobile cloud computing: Taxonomy and open issues. Futur. Gener. Comput. Syst. 72, 273–287.
Truffle Suite, 2023. Ganache. https://github.com/trufflesuite/ganache/ (accessed 26 April 2023).
Waters, B., 2011. Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization. International Workshop on Public Key Cryptography. Berlin, Heidelberg, pp. 53–70.
Xie, D., 2023. Research on big data security and privacy protection. Electron. Commun. Comput. Sci. 5 (3), 158–160.
Xu, J., Wang, Y., 2022. Privacy Protection and Data Sharing in the Digital Economy: Perspectives on Privacy Concerns and Personal Information Falsification. Statistical Res. 39 (2), 48–63.
Xue, Y., Xue, K., Gai, N., 2019. An attribute-based controlled collaborative access control scheme for public cloud storage. IEEE Trans. Inf. Forensics Secur. 14 (11), 2927–2942.
Yan, X.X., Yuan, X.H., Tang, Y.L., 2020. A blockchain-based and verifiable attribute-based searchable encryption scheme. J. Commun. 41, 187–198.
Zhai, S.P., Tong, T., Bai, X.F., 2023. Blockchain-Based Attribute Proxy Re-Encryption Data Sharing Scheme. Comput. Eng. Appl. 59 (8), 270–279.
Zhang, X.D., Chen, T.W., Feng, Y., 2021. A Data Sharing Scheme Based on Blockchain System and Attribute-Based Encryption. ICBCT '21: 2021 The 3rd International Conference on Blockchain Technology 3, 195–202.
Zhang, X.H., Sun, L.L., 2020. Attribute proxy re-encryption for ciphertext storage sharing scheme on blockchain. J. System Simulat. 32 (6), 1009–1020.

Zhixin Ren is a master's student in the School of Information of Yunnan University of Finance and Economics. He was awarded the Scientific Research Fund of Yunnan Provincial Education Department in 2023. His research interests include Computer Architecture, Blockchain Technology and Security, Cryptography, Internet of Things, etc.

Enhua Yan is a master's student in the School of Information of Yunnan University of Finance and Economics. Her research interests include Computer Architecture, Blockchain Technology and Security, Digital Identity Authentication, etc.

Taowei Chen received the M.S. degree in computer application from Kunming University of Science and Technology in 2003, and the Ph.D. degree in computer application from Southwest Jiaotong University in 2010. He is now a Professor in the School of Information at Yunnan University of Finance and Economics. His research interests include Cryptography, Blockchain Technology and Security, Internet-of-Things, etc.

Yimin Yu received the Ph.D. degree in computer application from the University of Electronic Science and Technology of China in 2010. He is now a Professor and Dean in the School of Information at Yunnan University of Finance and Economics. His research interests include Blockchain, Cross-border information sharing and security, E-government, etc.