Blockchain-assisted data sharing supports deduplication for cloud storage

Abstract

Offloading data to cloud storage has changed the way people live and work, which reduces data management costs and increases productivity. People can use their devices to download data from cloud storage regardless of location and time. It means that data can be shared across domains through cloud storage. However, offloading data to cloud storage brings convenience as well as various challenges, such as how to solve the performance bottleneck of cloud storage and how to achieve secure data sharing in cloud storage. Blockchain has played an important role in secure data sharing based on its tamper-evident nature. In this paper, a blockchain-assisted data sharing scheme is proposed which implements the detection of deduplicated data and completes the ciphertext combination after deduplication. In order to verify the legitimacy of the ciphertext, blockchain is used to assist in verifying the ciphertext based on its tamper-evident nature. Furthermore, partial ciphertext parameters are calculated at free time to improve server operation efficiency. Finally, we simulated all algorithm of the proposed scheme on the PBC library and the results show that it achieves a balance between usability and performance.

Keywords:

• Data sharing
• cloud storage
• blockchain-assisted
• deduplication

1. Introduction

With deeper exploration of cloud storage, the ways in which files are stored have changed dramatically. Storing data on an external server makes life and work easier, allowing access to the data in the server using electronic devices. Date is interacting in the cloud server every minute. It not only facilitates life and work but also brings challenges. Cloud server is a third-party entity which wants to collect more information to derive profit. Achieving secure data sharing is an urgent issue at present, which concerns the profit of each user. Attribute-based encryption (ABE) (Sahai & Waters, 2005) is widely used for data interaction. Each user can be described by attributes (e.g. “student”, “18 years old”). Users can set who can correctly recover files when they are encrypted. When the ciphertext is downloaded, only legitimate users (i.e.the attributes are satisfied) can decrypt it correctly. Furthermore, the server malicious insiders also cannot access information about the file. There have been many studies on ABE, but with the development of smart devices (C. Wang et al., 2023), traditional ABE calculations are expensive and not suitable for easily portable devices. Portable devices have low computational power and small storage space, so it is necessary to design an efficient and secure data sharing.

On one hand, the data in the server is increasing exponentially compared to previous years. Huge amounts of files are being outsourced and stored in the server, putting enormous pressure on memory management. A large number of invalid files and duplicate data consume server resources, which is not conducive to sustainable development of cloud storage. However, it is difficult for the server to determine which is the duplicate data. Since ABE is used to encrypt files, the files are difficult to distinguish for the server. In order to overcome the performance bottleneck of cloud storage, resource rationalisation is a critical issue to be addressed today. It is a challenge for the server to be able to identify duplicate data without compromising data privacy. On the other hand, incorrect files being sent to users will bring huge losses due to carelessness or laziness of the server. Once a mismatched file is sent to the user in a traditional ABE scheme, the user cannot determine the legitimacy of the file. It will not only cause the user to make a wrong decision, but also reduce the credit rating of the server provider.

At the same time, blockchain as a decentralised database technology, many researches (H. Yang et al., 2021; Z. Zheng et al., 2018) have been proposed. Information is stored in blocks, which are connected by creation time. Blockchain (X. Li et al., 2020) is used in a variety of scenarios based on its unforgeable and untamperable properties. Although blockchain storage has stronger security compared to traditional cloud storage, the storage is lower in efficiency in blockchain systems. If distributed storage is combined with traditional centralised storage (Deebak et al., 2022), security and utility will be balanced.

Designing an efficient data sharing scheme can effectively drive industrial development. On the one hand, when data can be circulated in an orderly manner and fully shared, it can flow to the place where it can generate the greatest value, and then push the multiplier effect on the economy and society to the maximum. On the other hand, data sharing can drive industry towards digital transformation. It will better meet the digital collaboration of industry in different businesses such as R&D and production to optimise industry as a whole.

1.1. Contributions

This paper is an expanded version of the conference paper (T. Zhang, Wang, et al., 2022). The ciphertext combination algorithm has been improved by using a method where some of the ciphertext parameters are generated by the offline phase to improve the efficiency of the server operation. In addition, the security and performance analysis in this paper is expanded, selective CPA security is confirmed and a comparison of related work is done.

A data sharing scheme using ABE cryptographic primitive is proposed which supports deduplication. After the deduplication, a combined ciphertext is formed to ensure that all legitimate users can decrypt it correctly. What's more, based on its tamper-evident nature, the blockchain is used to assist users in verifying the legitimacy of files. The proposed scheme not only reduces the storage cost but also improves the decryption efficiency of users. The decryption complexity of the data user is $O(1)$. The contributions are shown below.

1. A data sharing scheme using ABE cryptographic primitives is proposed which supports deduplication. In the proposed scheme, files are encrypted and uploaded to cloud server. A server deduplication algorithm is designed and run when multiple ciphertexts are received by the server. Particularly, key blinding is used to offload the expensive computational operations of traditional ABE. The decryption computation complexity is $O(1)$.

2. The combined deduplication method is designed so that legitimate users in the deduplication access policy can access the file. In order to reduce the waste of storage space, a data combination algorithm is designed for the server. What's more, considering the data processing latency of cloud servers, re-randomisation techniques are employed to improve the efficiency of server operation.

3. Blockchain is adopted to assist users in verifying file integrity, and only legitimate users can successfully verify. Based on the tamper-evident nature of blockchain, blockchain is adopted to assist users in completing cryptographic verification of the centralised server storage.

4. The proposed scheme achieves a balance between security and practicality. The security proof of scheme is given and scheme is simulated in PBC library. The simulation results show that the proposed scheme has a lower computational overhead compared to the related schemes.

1.2. Related works

Since ABE was introduced, it has been widely used for data sharing. It solves one-to-many communication compared to identity-based encryption (IBE). In 2005, ABE was first introduced in Sahai and Waters (2005), which is a derivative of IBE. Then, there is a large amount of research on ABE. In Bethencourt et al. (2007), the construction of CPABE was first proposed. Keys are randomised to achieve resistance against collusion attacks. However, this scheme only proved security under the random oracle model. Then, Cheung and Newport (2007) proposed the first CPABE scheme under the standard model. There has been a lot of related works (Ge et al., 2021a; Jammula et al., 2022; Xiao et al., 2022) about CPABE.

In traditional ABE, full control of the file can be achieved. Users can specify who has access to the files. However, with the development of smart devices, various easy-to-deploy devices have been designed. These devices have characteristics such as easy portability and limited computing power. The computational overhead of traditional ABE is no longer suitable for these devices for data sharing. In Green et al. (2011), a new paradigm is proposed to reduce the computational overhead of the decryption device. But with the changing needs of life, it is not enough to consider the overhead of decryption device. Securely offloading computational overhead to third parties has become a growing focus of research. A novel paradigm (Zhou & Huang, 2012) is proposed to outsource encryption and decryption, which realises a constant level of overhead on the user side. However, access structure is AND gate in Zhou and Huang (2012). To support arbitrary access structures, J. Li et al. (2012) proposed an outsourced encryption using MapReduce. On the other hand, a technique to split the algorithm into two phases is presented. Hohenberger and Waters (2014) proposed the Online/Offline technique to reduce system online overhead. Although, many schemes (Tu et al., 2021; L. Zhang et al., 2021) improve the efficiency of system operation, little work is done to consider that the cloud server will send an error file to the user because of laziness. J. Li et al. (2017) proposed a verifiable ABE which achieves a constant ciphertext size. Ge et al. (2021b) proposed a verifiable and fair ABE which can detect the return ciphertext.

Meanwhile, some works are combining cloud storage with blockchain. Blockchain is a distributed database shared among the nodes of a computer network with features such as decentralisation, traceability, and immutability. Rahulamathavan et al. (2017) proposed a blockchain architecture using ABE for privacy protection. H. Wang and Song (2018) combined ABE and blockchain to construct an electronic medical data system. In H. Zheng et al. (2020), blockchain and sampling are adopted to ensure fairness between users and servers. Liu et al. (2020) proposed a blockchain-assisted ABE scheme which supports efficient revocation. In Liu et al. (2020), the revocation operation is performed by the blockchain. There is no longer a need to update the ciphertext and key compared to traditional revocable ABE. L. Zhang, Zou, et al. (2022) proposed a novel blockchain-based data sharing scheme (BDSS) which can achieve efficient revocation. Cui et al. (2016) offloaded the overhead caused by user revocation to an untrusted server. In this scheme, each user only needs to store a constant size key. In 2015, Qin et al. (2015) presented a ciphertext conversion method to achieve efficient decryption by users. However, the verification overhead in this scheme is expensive for lightweight devices. To reduce the verification overhead of ABE-based schemes, X. Yang and Zhang (2022) proposed a cloud-chain collaborative ABE scheme which enables user verification efficiently. J. Ma et al. (2021) designed an ABE algorithm using blockchain in vehicular networking environment. Vehicles with different attributes will access different information bulletins. Based on the decentralised and tamper-evident nature of blockchain, C. Wang et al. (2020) proposed a blockchain-assisted trustworthiness calculation to reduce the overhead of vehicle authentication. To prevent data tampering, H. Yang et al. (2021) proposed a data transfer protocol using blockchain. W. Wang et al. (2022) integrate the smart contract and mobile devices to establish a secure, interactive, and fair blockchain-based MCS system. Shifting the data evaluation process to the requester side reduces the computational cost of blockchain nodes.

In terms of deduplication, T. Zhang et al. (2023) proposed a multi-server assisted attribute-based encryption scheme which can support deduplication. In this scheme, users can achieve lightweight encryption and support data duplication detection. H. Ma et al. (2019) proposed an attribute-based encryption scheme that supports efficient deduplication and attributes revocation for eHealth systems. Xu et al. (2019) proposed an ABE-based deduplication which can support access policy update. Based on edge computing and blockchain technology, Wu et al. (2022) proposed a secure deduplication framework to achieve one-to-many data sharing. Although many ABE-based deduplication schemes have been proposed, it remains a challenge to achieve efficient verification of outsourced data.

2. Preliminary

2.1. Bilinear map

Definition 2.1

Given two cyclic group $G_1$, $G_2$ with prime oder p, a linear map e: $G_1\times G_1\to G_2$. The bilinear pairing satisfies the following propertie:

1. Bilinearity: for all $W,V\in G_1$ and $\alpha ,\beta \in {\mathbb{Z}}_p$, we have $e(W^{\alpha },V^{\beta })=e(W,V{)}^{\alpha \beta }$.

2. Nondegeneracy: for all $W,V\in G_1$, $e(W,V)\ne 1$ whenever $W,V\ne 1_{G_1}$.

3. Computable: for all $W,V\in G_1$, $e(W,V)$ is computable.

2.2. Linear secret-sharing scheme

Definition 2.2

A secret sharing P is called linear if

1. Each party involved can be represented by a vector.

2. The share-generating matrix is ${\mathbb{M}}_{l\times n}$ and each row is labelled by a party $\rho (i)$. Suppose that s, $r_2$,..,$r_n$ are randomly chosen and s is the secret to be shared; then, $\mathbb{M}v$ is the vector of l shares of the secret s according to $\prod$. The share $(\mathbb{M}v{)}_i$ is owned by the party $\rho (i)$.

3. System & security model

3.1. System model

As shown in Figure 1, data storage in cloud computing environment is considered, which includes five entities. The description of each entity is given as follows. First, Du needs to complete the registration. Files are encrypted and uploaded to CS and blockchain by Do. Du downloads data from the cloud when it needs to be used. Du uses private key to recover files and complete verification using the blockchain.

Figure 1. System model.

1. Key Generation Center(KGC): KGC is recognised as a trusted authority. It is responsible for checking user legitimacy and distributing keys for legitimate users. The system is also initialised by KGC.

2. Data Owner(Do): Before uploading the file, Do encrypts it to achieve data privacy protection. At the same time, Do chooses who can access the data. Then, the encrypted file is uploaded to CS to store it.

3. Data User(Du): Du submits a collection $Att=(At{t}_1,At{t}_2,\dots ,At{t}_n)$ to KGC. As a response, the private key is sent to Du. The download request is sent to cloud sever when data needs to be downloaded. Files are recovered using the private key and verified using the blockchain.

4. Cloud Server(CS): CS is a semi-trusted entity. It is responsible for storing the file uploaded by Du. In addition, the ciphertext is transmitted to Du and the legitimate download request is verified.

5. Blockchain: Blockchain is a chained data structure combining blocks of data in a sequentially linked format. Blockchain is unforgeable and untamperable due to its structure and set characteristics. Note that the proposed scheme uploads the tags used for verification into the blockchain to achieve secure verification of decrypted data.

Meanwhile, the system flow is further provided in Figure 2. In the proposed scheme, it can be divided into 9 steps. The first step is for Do to select an access policy $(\mathbb{M},\rho )$ to complete the encryption of the file. The ciphertext $C_{Do}$ and tag Tag generated by the encryption $En{c}_{Do}$ are uploaded to CS and Blockchain respectively. In the cloud server, the ciphertext is successively filtered and combined. Then, $C{C}_{Do}$ is stored in the storage pool. CS completes the ciphertext conversion when a conversion request $B{K}_{Du}$ is received from the user. As a result, $C{C}_{CS}$ is sent to Du. Finally, Du downloads the tag from the blockchain to complete the verification and recover the file.

Figure 2. System flow.

3.2. Formal definition

3.2.1. KGC side

At the KGC side, algorithms are designed to make an initial system and a user registration. SETUP is run to initialise the system and parameters SP and MK are output as a response. KGen is run to help Dus to register and the tuple $(Bk,Rk)$ is output when receiving the set Att where B is the Du's blinded key and Rk is the recover key. Note that SP is public to other entities. The algorithms are defined as follows.

$SETUP(\zeta )\to (SP,MK):$ SETUP is run by KGC. Output SP and MK when ζ is input.

$KGen(Att,MK)\to (Bk,Rk):$ KGen is run by KGC. Output the tuple $(Bk,Rk)$ when the set Att and MK are input.

3.2.2. Owner side

At the owner side, algorithms are designed to help Do complete file F encryption. To protect the security of file, Do needs to complete encryption of the file before uploading to an external server. ABE cryptographic primitives are adopted in the proposed scheme. Thus, the user is able to specify who can access the file. Let $\mathbb{A}$ be an access structure. Particularly, access structure is $(\mathbb{M},\rho )$ in this paper. Enc is run by Do to encrypt F and $C_{Do}$ and a tag is output when receiving F and $\mathbb{A}$. The algorithm is defined as follows.

$En{c}_{Do}(F,\mathbb{A})\to (C_{Do},Tag):$ Enc is run by Do. Output $C_{Do}$ and Tag when the file F and $\mathbb{A}$ are input.

3.2.3. Server side

At the server side, algorithms are designed to complete file filtering and file combination. In particular, InCip is run when the server is free. Filter is run to filter the encrypted files When multiple encrypted files are uploaded. With the designed algorithm, duplicate data will be removed after filtering. Then, Comb is run to combine the encrypted files so that the legitimate user of the filtered file can be accessed. In order to increase the speed of server operation, pre-deployment is used to reduce the computational overhead of the online phase. InCip is run to generate partially encrypted files. After the combination is completed, $C{C}_{Do}$ is sent to storage pool. $C{C}_{Do}$ is converted to $C{C}_{Du}$ when receiving the blinded key sent by a legitimate user. In response, the result of the conversion is sent to Du. The algorithms are defined as follows.

$Filter(C_{D{o}_1},C_{D{o}_2})\to 1/0:$ CS filters the ciphertexts before storing them. CS runs the Filter algorithm to check if $C_{D{o}_1}$ and $C_{D{o}_1}$ are duplicate data. If $C_{D{o}_1}$ and $C_{D{o}_2}$ are duplicate data, output 1; otherwise, output 0.

$IntCip(\psi )\to C_{CS}:$ CS generates pre-deployment ciphertext $C_{CS}$ in offline phase which is prepared for Comb algorithm. Let ψ is the number of assumed attributes.

$Comb(({\mathbb{M}}^{\ast },{\rho }^{\ast }),C_{D{o}_1},C_{CS})\to C{C}_{Do}:$ New access structure $({\mathbb{M}}^{\ast },{\rho }^{\ast })$ combined by CS. The combined ciphertext $C{C}_{Do}$ is generated and stored in CS.

$OutDe(C{C}_{Do},Bk)\to C{C}_{CS}:$ OutDe is run to convert $C{C}_{Do}$ and the result of the conversion is $C{C}_{CS}$. The conversion process is triggered by the receipt of the blinded key Bk from the legitimate user. Then, CS sends $C{C}_{CS}$ to Du.

3.2.4. User side

At the user side, algorithms are designed to help Du to complete the recovery of files and verify them. Du downloads the encrypted file from CS. BK is sent to CS to complete the ciphertext conversion. The file F is recovered using the private key when Du receives $C{C}_{CS}$ from CS. Then, Tag is downloaded from blockchain and V erify is run to verify the legitimacy of the file. The algorithms are defined as follows.

$Dec(C{C}_{CS},R{K}_{Du})\to F:$ Du downloads the $C{C}_{CS}$ from CS. Then, the file F is recovered using the recover key $R{K}_{Du}$. Finally, V erify is run to check the legitimacy of file. If V erify outputs 1, the file is output; otherwise, ⊥ is output.

$Verify(F,Tag)\to 1/0:$ The V erify algorithm is run to verify the validity of F when F is recovered.

3.3. Security model

Suppose that there is an interaction which occurs between an adversary A and the challenger B. The details are summarised as follows.

Init: ${\mathbb{A}}^{\ast }$ is chosen by A and sent to B.

Setup: B generates some system parameters SP and sends it to A.

Query1: A can adaptively initiate a query to B about the private key. B runs KGen when receives a key query with the attribute set Att. Then, the private key will be sent to A. Particularly, the only restriction is $Att\notin {\mathbb{A}}^{\ast }$.

Challenge: A chooses two data $M_0$, $M_1$ with the same bit and sends them to B.

Query2: A can adaptively initiate the same query as $Query1$.

Guess: A guess b is output.

Definition 3.1

The proposed scheme is selective CPA-secure if there is no adversary can win the above game.

Suppose that there is an interaction which occurs between an adversary A and the challenger B. The details are summarised as follows.

Setup: B runs SETUP and sends SP to A.

Challenge: A selects an attribute set $At{t}^{\ast }$ and sends it to B. Then, B runs KGen to obtain $(Bk,Rk)$ and sends it to A.

Output: The tuple $(C{C}_{Do}^{\ast },B{k}^{\ast },R{k}^{\ast },Ta{g}^{\ast },C{C}_{C{S}_1}^{\ast },C{C}_{C{S}_2}^{\ast })$ is output, where $C{C}_{Do}^{\ast }$ is an original ciphertext, $B{k}^{\ast }$ is the blinded key, $R{k}^{\ast }$ is the recover key, $Ta{g}^{\ast }$ is the tag, $C{C}_{C{S}_1}^{\ast }$, $C{C}_{C{S}_2}^{\ast }$ are the converted ciphertexts. A wins the game if

1. $Dec(C{C}_{C{S}_1},R{k}^{\ast })\to F_1$ $\wedge$ $Verify(F_1,Ta{g}^{\ast })\to 1$.

2. $Dec(C{C}_{C{S}_2},R{k}^{\ast })\to F_2$ $\wedge$ $Verify(F_2,Ta{g}^{\ast })\to 1$.

3. $C{C}_{C{S}_1}\ne C{C}_{C{S}_2}$.

Definition 3.2

The proposed scheme is verifiable if there is no adversary can win the above game.

4. Specific construction

4.1. The construction of the proposed scheme

4.1.1. KGC side

$SETUP(\zeta )\to (SP,MK)$: When the system starts, the security parameter ζ is inputted. Then, the security bilinear mapping $D=(p,G_1,G_2,e)$ is chosen according to ζ. KGC chooses five random elements g, u, h, w, v from $G_1$ and a random number η. The system parameters SP and the master key MK are shown as follows, where H is a hash function chosen by KGC. Note that SP is public and MK is secret. (1) $SP=(D,g,h,w,v,u,e(g,g{)}^{\eta },H)MK=\eta$(1) $KGen(Att,MK)\to s{k}_{Du}:$ Du completes registration using the attribute set Att. First, KGC randomly chooses numbers r and $r_j$ in $Z_p^{\ast }$, where j is from 1 to n. Then, KGC computes $s{k}_{D{u}_0}$ and $s{k}_{D{u}_1}$. (2) $s{k}_{D{u}_0}=g^{\eta }{w}^{r}s{k}_{D{u}_1}=g^r$(2) Second, $s{k}_{D{u}_{j,2}}$ and $s{k}_{D{u}_{j,3}}$ are computed for each $At{t}_j$. (3) $s{k}_{D{u}_{j,2}}=g^{r_j}s{k}_{D{u}_{j,3}}=(u^{At{t}_j}h{)}^{r_j}{v}^{-r}$(3) Finally, KGC chooses $\varrho \in Z_p^{\ast }$ as the recover key and computes $Bk=(B{k}_0=s{k}_{D{u}_0}^{1/\varrho },B{k}_1=s{k}_{D{u}_1}^{1/\varrho },\{B{k}_{j,2}=s{k}_{D{u}_{j,2}}^{1/\varrho },B{k}_{j,3}=s{k}_{D{u}_{j,2}}^{1/\varrho }{\}}_{[1,n]}).$ As a response, Bk and $Rk=\varrho$ are returned to Du.

4.1.2. Owner side

$Enc(F,\mathbb{A})\to (C_{Do},Tag):$ The file F is encrypted by Do to protect file privacy. First, $Tag=H(F)$ is computed and uploaded to blockchain. Then, Do chooses who can access F and uses it to encrypt the file. A secret value s and n−1 random numbers $x_2,x_3,\dots ,x_n$ are chosen by Do. Then a vector $\overrightarrow{x}=(s,x_2,x_3,\dots ,x_n)$ can be obtained and ${\lambda }_i=M\overrightarrow{x}$. Second, Do computes T, $C_{-1}$, $C_0$ and $C_1$ as follows. (4) $T=g^{sH(F)}{C}_{-1}=F\cdot e(g,g{)}^{\eta s}{C}_0=g^s{C}_1=w^s$(4) In addition, $C_{i,1}$, $C_{i,2}$ and $C_{i,3}$ are computed for each row in the matrix M. The details of these parameters are shown as follows. (5) $C_{i,1}=w^{{\lambda }_i}{v}^{t_i}{C}_{i,2}=(u^{\rho (i)}h{)}^{-t_i}{C}_{i,3}=g^{t_i}$(5) Finally, $C_{Do}$ is uploaded to CS, where $C_{Do}=((\mathbb{M},\rho ),T,C_{-1},C_0,C_1,\{C_{i,1},C_{i,2},C_{i,3}{\}}_{[1,l]})$.

4.1.3. Server side

$Filter(C_{D{o}_1},C_{D{o}_2})\to 1/0$: The Filter algorithm is run by CS to filter duplicate file before storing file. CS runs the Filter algorithm when multiple files are taken as input. Suppose the input is $C_{D{O}_1}$ and $C_{D{O}_2}$. The details of the construction are given as follows. $\begin{array}{rl}{C}_{D{o}_1}& =(({\mathbb{M}}_1,{\rho }_1),T^{\prime },C_{-1}^{\prime },C_0^{\prime },{C_1}^{\prime },\{C_{i,1}^{\prime },C_{i,2}^{\prime },C_{i,3}^{\prime }{\}}_{[1,l]})\\ C_{D{o}_2}& =(({\mathbb{M}}_2,{\rho }_2),T^{″},C_{-1}^{″},C_0^{″},C_1^{″},\{C_{i,1}^{″},C_{i,2}^{″},C_{i,3}^{″}{\}}_{[1,l]})\end{array}$ CS computes $e(T^{\prime },C_0^{″})$ and $e(T^{″},C_0^{\prime })$. (6) $e(T^{\prime },C_0^{″})=e(T^{″},C_0^{\prime })$(6) If (6(6) $e(T^{\prime },C_0^{″})=e(T^{″},C_0^{\prime })$(6) ) holds, $C_{D{o}_2}$ is filtered and $C_{D{o}_1}$ is input to the Comb algorithm.

$IntCip(\psi )\to C_{CS}$: To improve the efficiency of server operation, CS generates some pre-deployed ciphertext $C_{CS}$. First, a secret value $s^{\prime }$ and $\psi -1$ random numbers $x_1^{\prime },x_2^{\prime },\dots ,x_{\psi }^{\prime }$ are chosen, where ψ is the number of assumed attributes. Then, the vector ${\overrightarrow{x}}^{\prime }=(s^{\prime },x_2^{\prime },x_3^{\prime },\dots ,x_n^{\prime })$ can be obtained. CS randomly chooses $t_i^{\prime }$ and computes $C_{c{s}_{-1}}$ and $C_{c{s}_0}$. (7) $C_{c{s}_{-1}}=e(g,g{)}^{\eta s^{\prime }}{C}_{c{s}_0}=g^{s^{\prime }}$(7) For each assumed attribute, CS computes $C_{c{s}_{i,1}}$, $C_{c{s}_{i,2}}$ and $C_{c{s}_{i,3}}$. (8) $C_{c{s}_{i,1}}=v^{t_i^{\prime }}{C}_{c{s}_{i,2}}=h^{-t_i^{\prime }}{C}_{c{s}_{i,3}}=g^{t_i^{\prime }}$(8) Finally, the pre-deployed ciphertext is $C_{CS}=({\overrightarrow{x}}^{\prime },t_i^{\prime },C_{c{s}_{-1}},C_{c{s}_0},\{C_{c{s}_{i,1}},C_{c{s}_{i,2}},C_{c{s}_{i,3}}{\}}_{[1,\psi ]})$.

$Comb(({\mathbb{M}}^{\prime },{\rho }^{\prime }),C_{D{o}_1},C{C}_{CS})\to C{C}_{Do}$: CS runs the Comb algorithm to combine the encrypted files so that the legitimate user of the filtered file can be accessed. $({\mathbb{M}}^{\prime },{\rho }^{\prime })$ is assumed to be the combined access structure. CS computes $C{C}_{-1}$ and $C{C}_0$ as follows. (9) $\begin{array}{rl}C{C}_{-1}& =C_{-1}\cdot C_{c{s}_{-1}}=F\cdot e(g,g{)}^{\eta s}\cdot e(g,g{)}^{\eta s^{\prime }}=F\cdot e(g,g{)}^{\eta (s+s^{\prime })}\end{array}$(9) (10) $\begin{array}{rl}C{C}_0& =C_0\cdot C_{c{s}_0}=g^{s+s^{\prime }}\end{array}$(10) For each row of ${\mathbb{M}}^{\prime }$, CS computes $C{C}_{i,1}$, $C{C}_{i,2}$, $C{C}_{i,3}$, and $C{C}_{i,4}$. (11) $\begin{array}{rl}C{C}_{i,1}& =w^{{\lambda }^{\prime }}\cdot C_{c{s}_{i,1}}=w^{{\lambda }^{\prime }}{v}^{t_i^{\prime }}\end{array}$(11) (12) $\begin{array}{rl}C{C}_{i,2}& =u^{-\rho (i{)}^{\prime }{t}_i^{\prime }}\cdot C_{c{s}_{i,2}}=u^{-\rho (i{)}^{\prime }{t}_i^{\prime }}{h}^{-t_i^{\prime }}\end{array}$(12) (13) $\begin{array}{rl}C{C}_{i,3}& =C_{c{s}_{i,3}}=g^{t_i^{\prime }}C{C}_{i,4}=C_1^{{\mathbb{M}}_{i,1}^{\prime }}=w^{s{\mathbb{M}}_{i,1}^{\prime }}\end{array}$(13) Finally, the combined ciphertext $C{C}_{Do}$ is stored into the storage pool. $C{C}_{Do}=(({\mathbb{M}}^{\prime },{\rho }^{\prime }),C{C}_{-1},C{C}_0,\{C{C}_{i,1},C{C}_{i,2},C{C}_{i,3},C{C}_{i,4}\})$ $OutDe(C{C}_{Do},Bk)\to C_{CS}$: When BK is received from a legitimate user, CS computes $ke{y}^{\ast }=\frac{e(C{C}_0,B{k}_0)}{\prod _{i\in I}(e(C{C}_{i,1},B{k}_1)e(C{C}_{i,2},B{k}_{j,2})e(C{C}_{i,3},B{k}_{j,3})e(C{C}_{i,4},B{k}_1{)}^{{\omega }_i}}.$ Finally, the converted ciphertext $C_{CS}=(C{C}_{-1},ke{y}^{\ast })$ is sent to Du.

4.1.4. User side

$Decrypt(C{C}_{CS},Rk)\to F$: When $C{C}_{CS}$ is received from CS, Du computes key and recovers the file F. (14) $key=ke{y}^{\ast \varrho }=e(g,g{)}^{\eta s}F=C{C}_{-1}/key$(14) Then, V erify is run to verify the legitimacy of F. If V erify output 1, F is legal and output; otherwise, ⊥ is output.

$Verify(F,Tag)\to 1/0$: File legitimacy is verified by determining whether the equation $Tag=H(F)$ holds, where Tag is downloaded from blockchain. If it holds, output 1; Otherwise, output 0.

5. Security analysis

5.1. Correctness

Here, the correctness of the server-side conversion process is shown as follows. $\begin{array}{rl}ke{y}^{\ast }& =\frac{e(C{C}_0,B{k}_0)}{\prod _{i\in I}(e(C{C}_{i,1},B{k}_1)e(C{C}_{i,2},B{k}_{j,2})e(C{C}_{i,3},B{k}_{j,3})e(C{C}_{i,4},B{k}_1{)}^{{\omega }_i}}\\ & =\frac{e(g^{s+s^{\prime }},g^{\eta /\varrho }{w}^{r/\varrho })}{\prod _{i\in I}(e(w^{{\lambda }_i^{\prime }}{v}^{t_i^{\prime }},g^{r/\varrho })e((u^{\rho (i{)}^{\prime }}h{)}^{-t_i^{\prime }},g^{r_j/\varrho })e(g^{t_i^{\prime }},(u^{At{t}_j}h{)}^{r_j/\varrho }{v}^{-r/\varrho })e(C_1^{M_{i,1}^{\prime }},g^{r/\varrho }){)}^{{\omega }_i}}\\ & =\frac{e(g^{s+s^{\prime }},g^{\eta /\varrho })e(g^{s+s^{\prime }},w^{r/\varrho })}{e(w^{s+s^{\prime }},g^{r/\varrho })e(g^{s^{\prime }},g^{r/\varrho })}\\ & =e(g,g{)}^{\eta s/\varrho }\end{array}$

5.2. Security proof

Theorem 5.1

The proposed scheme is selectively CPA-secure under the assumption that ACM2013 (Rouselakis & Waters, 2013) is a selectively CPA-secure CPABE scheme.

Proof.

We assume that A can break the selectively CPA-secure of the proposed scheme and C is a challenger of ACM2013. Then, a simulator B can be designed to train A. The details of the game are shown as below.

Init: The challenge access structure $({\mathbb{M}}^{\ast },{\rho }^{\ast })$ is sent to B. Then, B sends $({\mathbb{M}}^{\ast },{\rho }^{\ast })$ to C.

Setup: C generates PK and sends it to B. B sends SP to A, where Pk has the same distribution as SP.

Query1: B builds a table table. A can initiate queries adaptively.

$Create(At{t}_i^{\ast }):$ B receives the private key query from A, then passes it to C to obtain SK. B chooses a random number ${\varrho }^{\ast }$ as the recover key and computes $B{k}_o=S{K}^{1/\varrho }$, $B{k}_1=S{K}^{1/\varrho }$, $B{k}_{i,2}=S{K}_{i,2}^{1/\varrho }$, $B{k}_{i,3}=S{K}_{i,3}^{1/\varrho }$. B stores $(At{t}_i^{\ast },SK,Bk)$ in table.

$Corrupt(Bk):$ B checks whether $(At{t}^{\ast },Bk)$ in table. If so, it returns Bk. Otherwise, it returns ⊥.

Challenge. A chooses two data $(F_0,F_1)$ with same bits and sends to B. Then, $(F_1,F_2)$ are sent to C to generate the ciphertext $C_{Do}$. C randomly chooses $F_c$ and computes $C_{-1}=F_{c}e(g,g{)}^{\eta s}$, $C_0=g^s$, where $c\in \{0,1\}$. For each row in ${\mathbb{M}}^{\ast }$, C computes $C_{i,1}=w^{{\lambda }_i}{v}^{t_i}$, $C_{i,2}=(u^{\rho (i)}h{)}^{-t_i}$, $C_{i,3}=g^{t_i}$. B computes $C_1=w^s$ and $C_{Do}=(C_{-1},C_0,C_1,\{C_{i,1},C_{i,2},C_{i,3}\})$ to A. B runs OutDe to obtain $C{C}_{CS}=(C{C}_{-1}=F_{c}e(g,g{)}^{\eta s},ke{y}^{\ast }=C_{-1}/F_c)$.

$Query2$: A outputs a guess c.

We can find that this paper has the same distribution as the ciphertext of ACM2013. The security of ACM is proven under the DBDH assumption. If A can win the above game, then B will successfully use A's method to break the selectively CPA-secure in ACM2013. It means that the DBDH assumption will be broken.

Theorem 5.2

The proposed scheme is verifiable under the assumption that hash function can resist collision.

Proof.

We assume that adversary A can break the verifiability of the proposed scheme. B is a challenger of the proposed scheme. The details of the game are shown as follows.

Setup: B runs SETUP to generate the public parameters SP and the master key MK. $SP=(D,g,h,w,v,u,e(g,g{)}^{\eta },H)MK=\eta$ Challenge: A selects an attribute set $At{t}^{\ast }$ and sends it to B. Then, B runs KGen to obtain $(Bk,Rk)$ and sends it to A.

Output: The tuple $(C{C}_{Do}^{\ast },B{k}^{\ast },R{k}^{\ast },Ta{g}^{\ast },C{C}_{C{S}_1}^{\ast },C{C}_{C{S}_2}^{\ast })$ is output, where $C{C}_{Do}^{\ast }$ is an original ciphertext, $B{k}^{\ast }$ is the blinded key, $R{k}^{\ast }$ is the recover key, $Ta{g}^{\ast }$ is the tag, $C{C}_{C{S}_1}^{\ast }$, $C{C}_{C{S}_2}^{\ast }$ are the converted ciphertexts. Then, the following conditions hold:

1. $Dec(C_{C{S}_1},R{k}^{\ast })\to F_1$ $\wedge$ $Verify(F_1,Ta{g}^{\ast })\to 1$.

2. $Dec(C_{C{S}_2},R{k}^{\ast })\to F_2$ $\wedge$ $Verify(F_2,Ta{g}^{\ast })\to 1$.

3. $C_{C{S}_1}\ne C_{C{S}_2}$.

It can be found that A has $F_1$, $F_2$ by verification. It means that $H(F_1)=Ta{g}^{\ast }$ and $H(F_2)=Ta{g}^{\ast }$, where $F_1\ne F_2$. However, hash functions are known to satisfy the collision resistance property. Therefore, the proposed scheme is verifiable.

6. Performance analysis

6.1. Theoretical analysis

Function Comparison. The functional comparison of the schemes is shown in Table 1. We can find that the proposed scheme is compared with X. Yang and Zhang (2022), Qin et al. (2015) and Cui et al. (2016) in terms of functionality. The proposed scheme has a rich functionality compared to them. Based on the tamper-evident property of blockchain, the proposed scheme achieves efficient decryption and verification. To reduce invalid data in the cloud server, file filtering and file combination are further supported in the proposed scheme. In X. Yang and Zhang (2022), a blockchain-based ABE scheme is proposed. In Qin et al. (2015), hash function is used to verify the decryption result. In Cui et al. (2016), efficient decryption by users is achieved. However, it does not implement verification of the decryption result. Therefore, the proposed scheme is rich in functionality compared with related schemes.

Table 1. Function comparison.

Schemes	Outsourcing decryption	Verification	File filtering	File combination
X. Yang and Zhang (2022)	$✓$	$✓$	×	×
Qin et al. (2015)	$✓$	$✓$	×	×
Cui et al. (2016)	$✓$	×	×	×
Ours	$✓$	$✓$	$✓$	$✓$

Communication cost comparison: The communication comparison of the schemes is shown in Table 2. Table 2 compares the communication cost of the proposed scheme with X. Yang and Zhang (2022), Qin et al. (2015) and Cui et al. (2016). $|G_1|$ is an element size in $G_1$, $|G_2|$ is an element size in $G_2$, $|Z_p^{\ast }|$ is an element size in $Z_p^{\ast }$ and n is the number of attribute in Att. The size of Bk is $2|G_1|+|Z_p^{\ast }|$ in X. Yang and Zhang (2022) and the size of ours is $(2n+2)|G_1|$. Although the overhead of BK in the proposed scheme is higher than X. Yang and Zhang (2022), our scheme has advantages compared to other schemes. The size of $C_{Do}$ in the proposed scheme is $(3n+3)|G_1|+|G_2|$ and $2G_1$ is used to complete the filtering of files. Compared with Cui2016, the performance of the proposed scheme is similar to that of the scheme. Most of the computational cost of decryption is delegated to an untrusted server, while the data user only needs to perform an exponentiation operation to decrypt a ciphertext. Both Cui et al. (2016) and the proposed scheme can achieve efficient decryption by users and the computational overhead is lightweight. However, based on the characteristics of blockchain, the proposed scheme achieves efficient user verification of the decryption results and ensures the correctness of the file. Therefore, we insist that the proposed solution has good performance.

Table 2. Communication cost comparison.

Schemes	Bk	$C_{Do}$	$C_{CS}$
Yang2022	$2|G_1|+|Z_p^{\ast }|$	$(3n+1)|G_1|+(n+1)|G_2|$	$|G_2|$
Qin2015	$2|G_1|+n|G_2|$	$(2n+1)|G_1|+|G_2|$	$2|G_2|$
Cui2016	$(2n+3)|G_1|$	$(3n+2)|G_1|+|G_2|$	2$|G_2|$
Ours	$(2n+2)|G_1|$	$(3n+3)|G_1|+|G_2|$	2$|G_2|$

6.2. Experimental analysis

To further illustrate the performance of the scheme, the experimental simulations was done on a VMware Workstation. All algorithms of the proposed scheme were simulated based on the PBC library.

As shown in Figure 3, we simulated the computational overhead of KGC. In our simulation, we consider the number of Atts from 0 to 10. The number of Atts is reasonable considering the actual application. We can find that the computational overhead of KGen grows as the number of Atts grows. If the error is ignored, the overhead of KGen grows linearly. KGen runtime is 0.086 seconds when the number of Atts reaches 10. This means that it takes only 0.086 seconds to complete user registration for a user assuming he has ten attributes. The user registration overhead of the proposed scheme is acceptable for a cloud storage system. At the same time, the ciphertext combination Comb algorithm is also simulated and the simulation results are given in Figure 4. We can see that the Comb time overhead is 0.02 seconds when the number of Atts is 10. This means that if the user has ten attributes, it takes only 0.02 seconds for the server to complete the ciphertext combination. The server can complete the combination of data with low latency.

Figure 3. KGen time.

Figure 4. Comb time.

The Enc computation overhead is also simulated and the simulation results are given in Figure 5. In our simulation, we consider the number of Atts from 0 to 10. The number of user attributes is reasonable considering the actual application. We can find that the computational overhead of both X. Yang and Zhang (2022) and ours grows with the number of Atts. As the number of Atts grows, the proposed scheme has a higher computational overhead than X. Yang and Zhang (2022). However, we can find that the difference between X. Yang and Zhang (2022) and ours is only 0.02 seconds when the number of attributes is 10. We think this is acceptable and the proposed scheme has more functionality compared to X. Yang and Zhang (2022).

Figure 5. Enc time.

7. Conclusion

In this paper, a data sharing scheme using ABE cryptographic primitive is proposed, which further supports deduplication. Blockchain technology is applied to achieve quick verification of ciphertext legitimacy by users. To improve memory space, the data is checked if it is a duplicate ciphertext. Moreover, re-randomisation technology is used to improve the efficiency of combining ciphertexts on cloud servers. Finally, we simulate the algorithm of the proposed scheme on the PBC library and the experimental results show that it achieves a balance between usability and performance.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Additional information

Funding

This work was supported by National Natural Science Foundation of China [grant numbers 61922045, U21A20465, 62172292] and Science Foundation of Zhejiang Sci-Tech University (ZSTU) [grant number 22222266-Y].