Novel Searchable Attribute-Based Encryption for the Internet of Things

As the product of the third information technology revolution, the Internet of Things (IoT) has greatly altered our way of life. Cloud storage has gradually become the best choice for data processing due to its scalability and flexibility. However, the cloud is not a completely trusted entity: it may tamper with user data or leak personal information. Therefore, cloud storage usually adopts attribute-based encryption (ABE) schemes to accomplish data confidentiality and fine-grained access control. However, applying the ABE scheme to the Internet of Things still faces many challenges, such as dynamic user revocation, data sharing, and excessive computational burden. In this paper, we propose a novel searchable attribute encryption system that replaces the traditional key generation center with a consortium blockchain to generate and manage partial keys. In addition, our scheme can perform predecryption operations in the cloud, and users only need to spend a small amount of computation to complete decryption. Security analysis proves that our scheme achieves security under both the chosen keyword attack and the chosen plaintext attack. Compared with other schemes, this scheme is more economical in terms of computing and storage.


Introduction
The Internet of Things (IoT) originated in the media field, and it is an important part of the new generation of information technology. It connects all items to the Internet through information sensing devices to achieve positioning, tracking, supervision, and intelligent identification [1]. Simply put, the IoT is the Internet that connects everything. In recent years, the IoT has gradually become digitized in the real world, reduced the dispersion of information, and integrated the digital information between objects. The IoT is widely used in the fields of transportation and logistics, industrial manufacturing, medical care, and smart environments [2][3][4][5][6][7].
Sahai and Waters first proposed the concept of attribute-based encryption (ABE) in 2005 [8]. Because the access structure needs to be more flexible to adapt to more application scenarios, Goyal et al. [9] and Bethencourt et al. [10], respectively, proposed the concepts of key policy ABE (KP-ABE) and ciphertext policy ABE (CP-ABE). In KP-ABE, the ciphertext is associated with a set of attributes, and the access policy is embedded in the key. In contrast, in CP-ABE, the ciphertext is associated with the access policy, and a set of attributes is embedded in the key [11][12][13][14].
Although IoT has now blossomed in various fields, there are still many problems in applying ABE to the IoT. Compared with the traditional Internet, the IoT lacks standardization. In addition, the IoT itself is a complex network system involving many application domains, which is difficult to manage [15]. This makes it challenging to achieve its security and privacy. Therefore, blockchain technology is widely used in IoT for its persistence, anonymity, and auditability [16].
In this article, we present a new blockchain-aided searchable attribute-based encryption (BC-SABE) scheme. This scheme replaces a traditional centralized server with a distributed consortium blockchain consisting of a predefined set of trusted consensus nodes. Our main contributions can be summarized as follows:
(i) We present a novel BC-SABE scheme. Our scheme uses a distributed consortium blockchain containing a set of credible consensus nodes to achieve the function of key generation. The Pedersen secret sharing protocol [17] and the reciprocal protocol [18] are used to generate all secret parameters, which also means that the master key is not needed. Our scheme can also support keyword search under cloud assistance. Users only need to provide user identity information and partial token information to the blockchain, and the cloud server will receive the complete token from the blockchain and search for it. Moreover, the scheme can realize predecryption in the cloud, which can greatly reduce the burden of users
(ii) In our scheme, the Pedersen secret sharing protocol enables the sharing of subsecrets between consensus nodes, and each consensus node can combine the subsecrets as the master secret. The reciprocal protocol ensures that the key information is shared without a trusted party
(iii) In addition, we use blockchain technology to realize the dynamic revocation of users. Because consensus nodes in the blockchain can use time period tags and status tags to update the user revocation list, we can use the blockchain to update the user revocation list to achieve user revocation. Our scheme does not require the user to re-encrypt the ciphertext for user revocation
Our scheme can also be applied in simple medical scenarios. For example, a hospital can register admission information for a patient and store the admission information in the blockchain. Registered patients can enter their data and information into the cloud server. When searching for relevant information, the patient only needs to submit a partial token to the blockchain; the blockchain then produces the complete token and sends it to the cloud server for search operations. In addition, patients can access data information from the cloud, which will first generate a predecryption key for them, and the patient can fully decrypt the data with a simple calculation.
The remainder of this paper is organized as follows. In Section 2, we review some related work, and then we give some preliminaries in Section 3, including the complexity assumptions, binary trees, and blockchain. The system model, system procedure, and security model are given in Section 4, and the detailed structure of the system is given in Section 5. We give the security proof of the scheme in Section 6 and compare the performance of the scheme in Section 7, and finally, we give a brief summary in Section 8.

Related Work
Since the concepts of ABE were introduced, many improved ABE schemes have been proposed, such as traceable ABE [19], anonymous ABE [20,21], and hierarchical ABE [22][23][24][25]. However, the application of ABE to IoT is still an issue that needs to be discussed. The resources of the Internet of Things devices are limited, and most of the ABE algorithm encryption and decryption calculation costs are relatively large, so the outsourcing ABE scheme has been proposed [26][27][28][29]. In addition, IoT systems should be able to revoke malicious users and update legitimate users with new attributes. How to implement dynamic user revocation is also an issue. Liu et al. [30] proposed a direct revocation scheme; however, in this scheme, all data owners are required to maintain the revocation list. Recently, Cui et al. [31] proposed a server-aided revocable ABE scheme. This scheme outsources all the workload to the server at the time of user revocation, and each user stores only a fixed size private key.
However, this single authorization ABE scheme has limited security and cannot carry a large number of IoT devices. Many multiauthorization-based ABE schemes have been proposed by scholars [32][33][34][35]. Chase [32] first presented the concept of multiauthority attribute-based encryption (MA-ABE) in 2007. Recently, Belguith et al. [34] presented a policy-hidden outsourced MA-ABE scheme, which hides the access structure to protect user privacy. In [35], a new MA-CP-ABE scheme was presented by Sethi et al. This system decentralizes authority and can support white box traceability along with outsourcing decryption.
Recently, the widespread application of data sharing has deepened the academic research on searchable encryption schemes, and many searchable attribute-based encryption (SABE) schemes have also been proposed [36][37][38][39][40][41][42][43][44]. In [36], Miao et al. presented a multikeyword SABE scheme, which supports comparable attributes by using 0-encoding and 1-encoding. Xu et al. [37] proposed for the first time a decentralized attribute-based keyword search (ABKS) scheme for multikeyword search in cloud storage. In this scheme, data sharing and data searching can be achieved without a fully trusted central authority. Recently, a seed string searchable ABE (SSS-ABE) solution for sharing and querying encrypted data was proposed by Sun et al. [38]; data users can query the entire ciphertext by substring without presetting keywords.
Blockchain technology originated from Bitcoin; the concept of blockchain was first proposed by Satoshi Nakamoto in [45]. Blockchain is a distributed shared ledger and database. Compared with the previous centralized accounting model, blockchain can achieve decentralization, which means removing the trust intermediary, which also makes the transactions on blockchain more open and transparent. Recently, Wu et al. [46] used blockchain technology to propose a privacy-protected and traceable ABE scheme, using blockchain to achieve data integrity and nonrepudiation. In [47], Pournaghi et al. proposed a scheme to share medical data based on blockchain technology and attribute-based encryption (MedSBA), which utilizes blockchain to share medical data. Recently, Liu et al. [48] presented a blockchain-aided attribute-based searchable encryption scheme, and Zheng et al. [49] proposed a fair outsourcing decryption ABE scheme utilizing blockchain and sampling technology. In [50], Guo et al. used dynamic access control, which implements dynamic access control and can flexibly update the access structure. As of late, blockchain technology has been universally exploited in ABE schemes, because compared to the traditional server structure, blockchain has no central node, so no single institution or member can control the global data, and any node can stop working without affecting the overall operation of the system. In addition, blockchain is also superior to a traditional key management center in ensuring the confidentiality of data. Therefore, we adopt blockchain technology to assure the security and robustness of the system.

Composite Order Bilinear Groups and Complexity Assumptions.
First of all, the concept of bilinear group is reviewed as follows. Let $G$ and $G_1$ be multiplicative groups of order $N = p_1 p_2 p_3$, where $g$ is a generator of $G$ and $p_1, p_2, p_3$ are three different primes. Then, $e : G \times G \to G_1$ is a bilinear map, and it has the following properties:
(1) Bilinearity: For $\forall x, y \in \mathbb{Z}_N$, $e(g^x, g^y) = e(g, g)^{xy}$
(2) Nondegeneracy: $e(g, g) \neq 1_{G_1}$
(3) Computability: There is an algorithm to calculate $e$ efficiently
Now, we show the definition of the composite order bilinear groups. It is similar to bilinear groups except that the order of the group is the product of two or more distinct prime numbers. That is to say, $G$ is a composite order group; $G_{p_1}, G_{p_2}, G_{p_3}$ are its three subgroups of order $p_1, p_2, p_3$. For $\forall x \in G_{p_i}$ and $\forall y \in G_{p_j}$, if $x \neq y$, then $e(x, y) = 1$.
Decisional bilinear Diffie-Hellman problem (DBDH). Given $g^{\alpha}, g^{\beta}, g^{\gamma} \in G$ and $P \in G_1$, it is difficult for any PPT algorithm to distinguish $P = e(g, g)^{\alpha\beta\gamma}$ from $P = e(g, g)^{p}$, where $\alpha, \beta, \gamma, p \in \mathbb{Z}_p^*$.
If for any $P, Q$ satisfying the condition $P \in A$ and $P \subseteq Q$ we have $Q \in A$, then the set $A \subseteq O$ is monotonic. An authorized set is a set in $A$; on the contrary, an unauthorized set is not in $A$.

Definition 2.
In the linear secret sharing matrix formed by the access policy, each row corresponds to an attribute value, that is, row vector and attribute value form a one-to-one mapping relationship. If the following two properties are satisfied, then a secret sharing scheme $\Sigma$ on a set $O = \{attr_1, \cdots, attr_n\}$ is called linear.
(1) The shared secret key for each attribute is a vector formed on $\mathbb{Z}_p$
(2) In scheme $\Sigma$, there is an $n \times m$ secret sharing matrix $A$, whose row label is $b(i)$, $i \in \{1, 2, \cdots, n\}$. Given a secret sharing column vector $u = (\mu, u_2, \cdots, u_m)$, where $\mu \in \mathbb{Z}_p$ is the secret key to be shared and $u_2, \cdots, u_m$ are selected at random, $Au$ represents the vector of $n$ shared secret keys according to $\Sigma$. The share $\gamma_i = (Au)_i$, that is, the inner product $Au$, belongs to the property $b(i)$, where $b$ is a function that maps $i \in \{1, 2, \cdots, n\}$ to $b(i)$
The LSSS matrix has an important feature, that is, linear reconstruction. Suppose $\Sigma$ is an LSSS scheme representing access structure $A$ and $Q \in A$ is an authorized set; then, we can define $T \subset [n]$ as $T = \{i : b(i) \in Q\}$. There are constants $\{\beta_i \in \mathbb{Z}_p\}_{i \in T}$ that can be discovered in polynomial time such that, if $\{\gamma_i\}$ are valid shares of the secret key $\mu$, then $\sum_{i \in T} \beta_i \gamma_i = \mu$. There is no such constant for any unauthorized set.

Binary Tree.
First, there is a brief review of the definition of binary tree. Suppose $UT$ represents a binary tree in which there are $L$ leaves corresponding to $L$ users, and the root node of the tree is $Rt$. $path(\varphi)$ represents the set of all nodes on the path from the root to the leaf node $\varphi$. Note that $\varphi$ and the root node are included here. $\varphi_l, \varphi_r$ represent the left and right children of a nonleaf node $\varphi$. The algorithm KUNodes is used to calculate the minimum set of nodes that need to release key updates, so that only unrevoked users can decrypt the ciphertext within a period of time. That is, nodes in $rl$ corresponding to time periods before or at $t$ do not have any ancestors in the set, and all other leaf nodes have exactly one ancestor in the set. Figure 1 gives the working principle of the KUNodes algorithm, where it first marks all ancestors of the revoked nodes as revoked and then outputs all unrevoked children of the revoked nodes. Algorithm 1 is the formal definition of the KUNodes algorithm.
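The KUNodes procedure described above, as an added Python sketch (this is not the paper's Algorithm 1 listing). It assumes a complete binary tree in heap numbering (root 1, children 2x and 2x+1, leaves L..2L-1) and a revocation list of (leaf, time) pairs; the function names and the sample revocation list are constructed for illustration.

```python
def path(leaf):
    """Nodes on the path from the root to `leaf`, both included."""
    nodes = set()
    while leaf >= 1:
        nodes.add(leaf)
        leaf //= 2          # parent in heap numbering
    return nodes


def ku_nodes(num_leaves, rl, t):
    """Minimal set of nodes that must receive key-update material at time t."""
    if num_leaves < 1 or num_leaves & (num_leaves - 1):
        raise ValueError("num_leaves must be a power of two")
    P, Q = set(), set()     # the two empty sets named in the algorithm's inputs
    for leaf, t_i in rl:
        if not num_leaves <= leaf < 2 * num_leaves:
            raise ValueError(f"{leaf} is not a leaf node")
        if t_i <= t:        # revoked before or at t: mark the whole path
            P |= path(leaf)
    for x in P:
        if x < num_leaves:  # x is a nonleaf node
            for child in (2 * x, 2 * x + 1):
                if child not in P:
                    Q.add(child)   # unrevoked child of a revoked node
    # Nobody revoked yet: the root alone covers every user. Testing P rather
    # than Q keeps the result empty when every leaf has been revoked.
    if not P:
        Q.add(1)
    return Q


def update_node(leaf, rl, t, num_leaves):
    """Node shared by path(leaf) and KUNodes, or None for a revoked user."""
    common = path(leaf) & ku_nodes(num_leaves, rl, t)
    assert len(common) <= 1   # at most one ancestor is ever in the cover
    return common.pop() if common else None


# Constructed sample: 8 users on leaves 8..15; the user on leaf 10 is revoked
# at time 3 and the user on leaf 13 at time 5.
SAMPLE_RL = [(10, 3), (13, 5)]

if __name__ == "__main__":
    for t in (2, 4, 5):
        print(t, sorted(ku_nodes(8, SAMPLE_RL, t)))
    for leaf in range(8, 16):
        print(leaf, update_node(leaf, SAMPLE_RL, 5, 8))
```

An empty intersection for a revoked leaf is the property the scheme relies on: no update material is published for any node on that user's path.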

Shamir Secret Sharing [51].
The Shamir secret sharing scheme is based on Lagrange interpolation polynomials and is described as follows:
(1) A trusted dealer $D$ first randomly chooses a polynomial $g(x) = a_0 + a_1 x + \cdots + a_{l-1} x^{l-1}$ of order $l-1$ such that $a_0 = s$, where $a_1, a_2, \cdots, a_{l-1}$ are in the finite field $F_p = GF(p)$. Then, $D$ computes $s_1 = g(1), \ldots, s_m = g(m)$ and sends $s_i$ to each shareholder $p_i$ secretly
(2) More than $l$ shareholders $p_r \subset p$ ($|p_r| \le l$) working together can reconstruct the secret using the Lagrange interpolating formula

3.5. Pedersen (l, m) Secret Sharing [17].
The Pedersen secret sharing scheme allows each dealer (shareholder) to randomly select a secret as a subsecret and to share the subsecret with the other shareholders. Therefore, each shareholder can merge all the subsecrets as the master secret. The Pedersen secret sharing scheme is described as follows:
(1) Each shareholder $H_i$ ($i \in [1, \cdots, m]$) randomly and independently picks a subsecret $S_i$, and then the master secret can be described as $S = \sum_{i=1}^{m} S_i$
(2) For each subsecret $S_i$, a polynomial $g_i(x)$ of degree $l-1$ is randomly selected by shareholder $H_i$ such that $S_i = g_i(0)$. After that, it calculates $s_{ij} = g_i(x_j)$ $(j = 1, 2, \cdots, m)$ for the other shareholders by using Shamir's secret sharing. Finally, $H_i$ sends each $s_{ij}$ to the other $H_j$ secretly, and each shareholder $H_i$ has $m$ subshares $s_{ij}$
(3) Each shareholder $H_i$ calculates its own master share
More than $l$ shareholders $p_r \subset p$ ($|p_r| \le l$) working together can reconstruct the secret by using the Lagrange interpolating formula

3.6. Reciprocal Protocol [18].
Suppose that shareholders $H_i$ ($i \in [1, \cdots, m]$) share a secret $\mu$ using the Pedersen (l, m) secret sharing protocol. The role of the reciprocal protocol is to obtain shares of $\mu^{-1}$ without disclosing any information about $\mu$ and $\mu^{-1}$. The description of this protocol is as follows:
(1) Shareholders jointly run the Pedersen (l, m) secret sharing scheme to generate an (l, m) sharing of a random element $\alpha \in \mathbb{Z}_q$. Denote all shares $\alpha_1$,
(2) Shareholders jointly run the Pedersen (2l, m) secret sharing scheme to generate and retain a share $\beta_i$ of the value zero
(3) Shareholders need to pass the value $\mu_i \alpha_i + \beta_i$ and interpolate the corresponding $2l$ degree polynomial to reconstruct the value $\eta = \mu\alpha$
(4) Each shareholder sets $\delta_i = \eta^{-1} \alpha_i$ to calculate its share $\delta_i$ of $\mu^{-1}$

3.7. Blockchain.
On January 3, 2009, Satoshi Nakamoto generated the first Bitcoin block. A few days later, a second bitcoin block appeared and connected with the first block to form the chain, marking the birth of the blockchain. Because of its four main features, immutability, irreproducible uniqueness, smart contracts, and decentralized self-organization or community, blockchain is widely used in various fields.
In simple terms, a hash function (SHA-256) is used to form a blockchain. Each block contains a parent block hash, a timestamp, and a Merkle root. The parent block hash stores the hash value of the previous block header and is used to connect to the previous block, the timestamp records the approximate time when the block was created, and the Merkle root is the Merkle tree root hash generated from the transaction list. There are three general types of blockchains: public blockchains, consortium blockchains, and private blockchains. Our system uses a consortium blockchain. Figure 2 illustrates the basic structure of a consortium blockchain.
Algorithm 1: KUNodes. Inputs: a binary tree UT, a revocation list rl, a time period t, two empty sets P, Q.

In our consortium blockchain, consensus nodes perform the consistency protocol to update the blockchain and keep all nodes in the system in a consistent state. The consortium blockchain used in our system is similar to the scheme [48] in that, firstly, the consensus nodes can initialize the system parameters using the Pedersen secret sharing scheme and the reciprocity protocol. Secondly, the consensus nodes manage the associated keys of the users. Updating the user revocation list requires the joint participation of all consensus nodes, which effectively improves the system security. Users can submit searches to the blockchain, and the cloud server is able to perform predecryption operations for the users.
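An added Python illustration (not code from the paper) of the dealerless Pedersen (l, m) sharing of Section 3.5 and the reciprocal protocol of Section 3.6, which the consensus nodes use to initialize the system. It assumes degree l-1 polynomials so that l shares reconstruct, evaluation points x_j = j, a constructed prime modulus 2^127 - 1 standing in for the group order, and m >= 2l so that the masked products can be interpolated.

```python
import secrets

Q = 2**127 - 1   # constructed prime modulus; stands in for the group order


def poly_eval(coeffs, x):
    """Horner evaluation of a_0 + a_1 x + ... over Z_Q."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % Q
    return y


def lagrange_at_zero(points):
    """Interpolate the (x, y) pairs and return the polynomial's value at 0."""
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total


def pedersen_share(l, m, subsecrets=None):
    """Dealerless (l, m) sharing: every holder H_i deals its own subsecret S_i
    with a random degree l-1 polynomial g_i; holder j's master share is the
    sum of the subshares g_i(j). Entry j-1 of the result belongs to holder j."""
    if subsecrets is None:
        subsecrets = [secrets.randbelow(Q) for _ in range(m)]
    master = [0] * m
    for s_i in subsecrets:
        coeffs = [s_i] + [secrets.randbelow(Q) for _ in range(l - 1)]
        for j in range(1, m + 1):
            master[j - 1] = (master[j - 1] + poly_eval(coeffs, j)) % Q
    return master


def reconstruct(shares, holders):
    """Recover the shared value from the master shares of the given holders."""
    return lagrange_at_zero([(j, shares[j - 1]) for j in holders])


def reciprocal_shares(mu_shares, l, m):
    """Turn shares of mu into shares of mu^-1 without reconstructing mu."""
    if m < 2 * l:
        raise ValueError("need m >= 2l holders to interpolate the product")
    alpha = pedersen_share(l, m)                          # step (1): random alpha
    beta = pedersen_share(2 * l, m, subsecrets=[0] * m)   # step (2): shares of 0
    # Step (3): mu_i*alpha_i + beta_i lies on a polynomial of degree at most
    # 2l-1 whose constant term is mu*alpha, so 2l published values give eta.
    masked = [(mu_shares[i] * alpha[i] + beta[i]) % Q for i in range(m)]
    eta = reconstruct(masked, range(1, 2 * l + 1))
    if eta == 0:
        raise ValueError("mu or alpha is zero; rerun with fresh randomness")
    eta_inv = pow(eta, -1, Q)
    # Step (4): eta^-1 * alpha_i is a degree l-1 share of alpha/(mu*alpha).
    return [eta_inv * a % Q for a in alpha]


if __name__ == "__main__":
    l, m = 2, 5
    mu_shares = pedersen_share(l, m)
    delta = reciprocal_shares(mu_shares, l, m)
    mu = reconstruct(mu_shares, [1, 2])   # reconstructed here only to check
    print(mu * reconstruct(delta, [4, 5]) % Q)
```

Only eta = mu * alpha is ever made public; because alpha is uniformly random and never reconstructed, eta reveals nothing about mu.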

System Model.
Our data management system includes the following four participants:
Data owner (DO): The data owner stores the generated index and encrypted data in the cloud, where the index is used for the cloud to perform search operations.
Data user (DU): The data user is able to store the generated partial token in the consortium blockchain and is able to get the predecrypted message from the cloud to fully decrypt it using their private key.
Blockchain (BC): The consortium blockchain in the system consists of a set of credible predefined consensus nodes, a data pool, and a distributed ledger. The blockchain is responsible for initializing the system, storing the users' public identity keys, and generating the users' public decryption keys, key update information, and predecryption keys. In addition, the blockchain is also responsible for generating the complete token and sending it to cloud.
Cloud server (CS): Cloud server can search and predecrypt for users, and putting predecryption operations in the cloud can effectively reduce the burden of users. Figure 3 shows the system procedure.

System Procedure.
Based on [48], the basic process of the scheme is defined as follows:
4.2.1. System Init. All consensus nodes run the $Setup(1^k, \sigma) \to GPK$ algorithm to get the GPK. The Pedersen (l, m) secret sharing protocol and the reciprocal protocol are used by all consensus nodes to jointly determine the master key, and the exact value of the master parameter is unknown.

User Registration and Revocation
(1) The data user runs $IdKG(GPK, Id_U) \to (sk_{Id_U}, pk_{Id_U})$ to get its identity key pair to join the system and sends $pk_{Id_U}$ to BC. Then, the user public decryption key is generated by the consensus nodes using $pk_{Id_U}$. In the meantime, the user's predecryption key is also generated later using the public decryption key
(2) For user revocation, based on a time period $t$, a state mark $sm$, and the revocation list $rl$, a consensus node runs $Rv(Id_U, t, rl, sm) \to rl$ to update $rl$ whenever a user wishes to be revoked
4.2.3. Key Gen. In this step, consensus nodes generate three keys:
(1) Public decryption key generation: In this step, consensus nodes use the user identity $Id_U$ and an access structure $(D, b)$ to run the $PubDecKG(GPK, Id_U, (D, b), sm) \to (PubDK_{Id_U}, sm)$ algorithm to generate the user public decryption key, which is used to verify whether the user has the attributes included in its attribute set
Figure 2: Consortium blockchain. Consensus nodes perform the consistency protocol to renovate the blockchain.

Wireless Communications and Mobile Computing
$U_t) \to PreDK_{Id_U,t}$; it generates the predecryption key for the user
4.2.4. Encryption. First, the data owner selects several keywords related to his/her data to generate a keyword set $\{w\}$, and then he/she uses a symmetric algorithm with the key $k_s$ to encrypt the data. Then, the data owner runs $Enc(GPK, S, t, k_s) \to CT$ to hide the symmetric encryption key and runs $IdxG(GPK, S, \{w\}) \to Idx$ to generate an index set, where the same attribute set $S$ is used. Finally, the data owner sends $CT$ and $Idx$ to the cloud.

Token Gen
(1) Partial token generation: first, the data user runs $PTokG(GPK, sk_{Id_U}, w) \to Tok'$ to generate the partial token. Then, the data user sends $(Tok', H(w))$ to BC
Figure 3: System procedures. The data management system contains four participants, and each participant operates as shown in the figure.
Challenge. $\mathcal{A}$ hands over two symmetric keys of the same length $SK_1^*$ and $SK_2^*$, an attribute set $S^*$, and a time period $t^*$ satisfying the following restrictions:
(i) If an identity $Id_U^*$ has been submitted to the IdKey query, and $S^*$ of $Id_U^*$ satisfies a query on $(Id_U^*, (D^*, b^*))$ issued to the PubDKey query, then the revocation query must be queried on $(Id_U^*, t^*)$ with $t = t^*$ or any $t$ occurring before $t^*$, and the PreDKey query cannot be queried on $(Id_U^*, t^*)$
(ii) If $Id_U^*$, whose access structure $(D^*, b^*)$ can be satisfied by $S^*$, is not revoked before or at $t^*$, then $Id_U^*$ has never been queried by the IdKey query
$\mathcal{B}$ picks a random $\rho \in \{0, 1\}$ and runs $Enc(GPK, S^*, t^*, SK_\rho^*) \to CT^*$ to encrypt $SK_\rho^*$, and then it returns $CT^*$ to $\mathcal{A}$.
Phase 2. $\mathcal{A}$ can adaptively perform the same five queries to $\mathcal{B}$ as in phase 1; the queries sent by $\mathcal{A}$ must also meet the above conditional restrictions.
Guess. $\mathcal{A}$ makes a guess $\rho'$ for $\rho$; if $\rho' = \rho$, it wins. The advantage of the adversary $\mathcal{A}$ in this game is described as $\Pr[\rho = \rho'] - 1/2$.
If the advantages of any (l, m) PPT adversary defined above are negligible, then a BC-SABE scheme is IND-CPA secure.
Challenge. $\mathcal{A}$ submits two keywords $K_1^*$ and $K_2^*$ of the same size. $\mathcal{B}$ picks a random $\rho \in \{0, 1\}$, and then it returns $Ind^*$ to $\mathcal{A}$ by running the $IdxG(GPK, S^*, w_\rho)$ algorithm with the challenge access structure $S^*$.

Index
Phase 2. A can perform IdKey query, token query, and index query to B; the queries sent by A must also meet the above conditional restrictions.
Guess. $\mathcal{A}$ makes a guess $\rho'$ for $\rho$; if $\rho' = \rho$, it wins. The advantage of the adversary $\mathcal{A}$ in this game is described as $\Pr[\rho = \rho'] - 1/2$.
If the advantages of any PPT adversary defined above are negligible, then a BC-SABE scheme is IND-sCKA secure.

Construction
5.1. System Init. $Cu = (Cu_1, Cu_2, \cdots, Cu_m)$ is a consensus node set which has $m$ consensus nodes. First, consensus nodes exploit the Pedersen (l, m) secret sharing protocol [17] and the reciprocal protocol [18] to run $Setup(1^k, \sigma) \to GPK$ to generate the global public key $GPK$, the user revocation list $rl$, and the user tree $UT$, where $\sigma \in \{0, 1\}^{poly(k)}$ is a random public string. Let $G$ be a group of prime order $p$, $g$ a generator of $G$, and $e : G \times G \to G_1$ a bilinear map. Then, it chooses random $u_0, \cdots,$ p be the collision-resisted hash function, and $D = (e, G, G_1, p, g, H)$ be the admissible bilinear group parameters. Then, the $Cu_i$ share two secret parameters $a, r \in G$, using the Pedersen (l, m) secret sharing scheme and the reciprocal protocol to compute shares of $r^{-1}$. Based on its shares $a_i$, $r_i$, and $j_i$, each consensus node $Cu_i$ computes and broadcasts $g^{a_i}$, $g^{r_i}$, and $g^{j_i}$; more than $l$ consensus nodes cooperate to recre- L(i)⋅j i ; and each node spreads $g^{a_i/r}$. The public parameters of the system are also generated in this way:
The IdKG algorithm inputs the $GPK$, the user identity $Id_U$, and $UT$; it picks random $g_3 \in G$ and $b_1, b_2 \in \mathbb{Z}_p$; and then, it calculates g 1 = g . The user runs this algorithm to generate the user public and private key pair $(pk_{Id_U}, sk_{Id_U}) = ((g_1, g_2, g_2), (b_1, b_2))$, and then the user sends $pk_{Id_U}$ to BC. An undefined leaf node $\varphi$ is selected by BC from the $UT$ to store $Id_U$ and $pk_{Id_U}$.

User Revocation.
The revoke algorithm is run by the consensus node to update the user revocation list $rl$ whenever a user wants to be revoked. It inputs the user identity $Id_U$, a state mark $st$, a time period $t$, and $rl$; then, it finds all nodes $y$ associated with the identity $Id_U$, puts $(y, t)$ into the $rl$ list, and outputs the revised $rl$.
For each $y \in path(\varphi)$, it takes $g_y$ and computes $g'_{y,i} = g^{v_{y,i}}/g_y$ and stores $g_y$ in the node $y$. Then, share $\gamma_1, \gamma_2, \{\gamma_{y,j}\}_{j \in Id_U}$ among consensus nodes by exploiting the Pedersen (l, m) secret sharing scheme, and each consensus node computes and spreads $\{g^{\gamma_{y,j,i}}, F(b(i))^{\gamma_{y,j,i}}\}_{j \in Id_U}$ based on its share $\{\gamma_{y,j,i}\}_{j \in Id_U}$. Then, more than $l$ consensus nodes cooperate to compute the public decryption key as follows: . Finally, BC stores $PDK_{Id}$ in the ledger:
5.3.2. Key Update Messages Gen. Consensus nodes run the UpKG algorithm to generate the update information $U_t$; it inputs the $GPK$, the revocation list $rl$, a time period $t$, the user tree $UT$, and a state mark $sm$. Share $s_y$ among consensus nodes by exploiting the Pedersen (l, m) secret sharing scheme, and each consensus node computes and spreads $g^{s_{y,i}}, P(t)^{s_{y,i}}$ based on its share $s_{y,i}$. For all $y \in KUNodes(UT, rl, t)$, it takes $g_y$ from the node $y$. Then, more than $l$ consensus nodes cooperate to compute the update information as follows: s y,i ⋅L(i) = g s y . BC stores $U_t$ in the ledger:

Predecryption Key Gen.
Consensus nodes run the PreDecKG algorithm to generate the update information $PreDK_t$; it inputs the $GPK$, a time period $t$, user identity $Id_U$, an access structure $(D, b)$, the user tree $UT$, a state mark $sm$, the revocation list $rl$, the user public decryption key $PubDK_{Id}$, and the update information $U_t$. Then, let $I = Path(\theta)$ and $J = KUNodes(UT, rl, t)$, so we have $U_t = (\{y, U_{y,1}, U_{y,2}\}_{y \in J})$ and $PDK_{Id} = (\{y, \{D_{y,1,j}, D_{y,2,j}\}_{i \in [l]}\}_{y \in path(\varphi)}, D_3, D_4)$. If $I \cap J = \emptyset$, it returns $\perp$. Then, share $s_y$ and $\{\gamma_{y,j}\}_{j \in Id_U}$ among consensus nodes by exploiting the Pedersen (l, m) secret sharing protocol. Based on its shares $s'_{y,i}$ and $\{\gamma'_{y,j,i}\}_{j \in Id_U}$, each consensus node computes and spreads $\{g^{\gamma'_{y,j,i}}, F(b(i))^{\gamma'_{y,j,i}}\}_{j \in Id_U}$, $g^{s'_{y,i}}$, $P(t)^{s'_{y,i}}$. Then, more than $l$ consensus nodes cooperate to compute the predecryption key.

Index Generation.
Data owners run the IdxG algorithm to generate the $Idx$. It inputs the $GPK$, the same attribute set $S$, and a keyword set $\{w_l\}_{l \in U_w}$, and then it computes $Idx_{1,l} = e(g, g)^{a\mu \cdot H(w_l)}$, $Idx_2 = g^{r\mu}$, $Idx_{3,i} = g^{r v_i}$, and $Idx_{4,i} = F(b(i))^{v_i}$. Finally, it sends the index set $Idx$ along with $CT_{sym}$ and $CT$ to the cloud.
5.5. Token Gen
5.5.1. Partial Token Gen. In this phase, data users run the PTokG algorithm to get the partial token. It inputs the $GPK$, the user private key $sk_{Id_U}$, and a keyword $w$. Then, it randomly selects $q \in \mathbb{Z}_p$ and computes the partial token $Tok' = (g^{a/r})^{(b_1 + b_2 + q)}$ and the hash value $H(w)$. Finally, it sends $Tok'$ and $H(w)$ to BC.

Complete Token Gen.
Blockchain runs the TokG algorithm to get the complete token. It inputs the $GPK$, the user identity $Id_U$, the same access structure $(D, b)$, and the partial token $Tok'$. Share $\{\alpha_j\}_{j \in Id_U}$ among consensus nodes by exploiting the Pedersen (l, m) secret sharing protocol. Based on its share $\{\alpha_{j,i}\}_{j \in Id_U}$, each consensus node computes and spreads $\{g^{r \cdot \alpha_{j,i}}, F(b(i))^{a_{j,i}}\}_{j \in Id_U}$. Then, more than $l$ consensus nodes cooperate to compute the complete token as follows:
If it is satisfied, let $T = \{i \in [n_D] \mid b(i) \in S\}$, and then the algorithm can calculate a set $\{d_i \in \mathbb{Z}_p\}_{i \in T}$ which makes $\sum_{i \in T} d_i D_i = (1, 0, \cdots, 0)_{m_D}$. Then, it verifies whether the equation described is valid.
If the formula holds, the stored address $Addr$ is the output.

Predecryption.
The predecryption operation is performed by the cloud, which runs the PreD algorithm. It inputs the $GPK$, user identity $Id_U$, the predecryption key $PreDK_{Id_U,t}$, a time period $t$, the same set $T = \{i \in [n_D] \mid b(i) \in S\}$, and the ciphertext $CT$. If $\{v_i\}$ are valid shares of any secret $\mu$ from $D$, then the algorithm can compute a set
5.7.2. Decryption. The Dec algorithm inputs the $GPK$, the private user key $sk_{Id_U}$, the predecryption ciphertext $CT'$, and the symmetric decryption algorithm to generate the symmetric decryption key. This algorithm is run by the DU, and it can finish full decryption. The decryption is as follows.
Using $k_s$ to run the symmetric algorithm enables users to get the plaintext, and users will not incur a lot of cost because the previous operations have already been performed in the cloud.
Proof: In contrast to the scheme in [31], a distributed consortium blockchain is used in our scheme, replacing the centralized server in [31]. This allows the security of the whole system to be improved. Suppose that the adversary in our scheme can compromise at most $l-1$ authorities; the reasons are as follows: Our PubDKey Oracle, the UpKey Oracle, and the PreDKey Oracle have excellent performance because more than $l$ authorities are required to execute them together. In addition, during the challenge phase, we defined related restrictions. Therefore, the proof of this scheme can be deduced from the security proof of the scheme [31] under the security of the Pedersen (l, m) secret sharing protocol and the reciprocity protocol.

Theorem 5.
Under the DBDH assumption, the BC-SABE scheme is IND-sCKA secure.
Proof: Assuming that there is a PPT adversary $\mathcal{A}$ who can win the exponential indistinguishability game with an advantage $\varepsilon$ that cannot be ignored, then the challenger $\mathcal{B}$ is constructed to resolve the DBDH problem with an advantage $\varepsilon/2$ that cannot be ignored.
Init. Let $S^*$ be the challenge access structure defined by $\mathcal{A}$.
Setup. $\mathcal{B}$ returns the $GPK$ to $\mathcal{A}$ by running the $Setup(1^k, \sigma)$ algorithm; the difference in $GPK$ is $e(g, g)^a = e(g^\beta, g^\gamma) = e(g, g)^{\beta\gamma}$ and $r \in \mathbb{Z}_p^*$, and other parameters are ignored here.
Phase 1. $\mathcal{A}$ can adaptively execute the following queries:
Challenge. $\mathcal{A}$ submits two keywords $w_1$ and $w_2$ of the same size. $\mathcal{B}$ picks a random $\rho \in \{0, 1\}$, and then it returns $Ind^* = (\{Idx^*_{1,l}\}_{l \in U_w}, Idx^*_2, \{Idx^*_{3,i}, Idx^*_{4,i}\}_{i \in [n_D]}, S^*)$ to $\mathcal{A}$ by running the $IdxG(GPK, S^*, w_\rho)$ algorithm with the challenge access structure $S^*$, where $Idx^*_{1,w_\rho} = Z^{H(w_\rho)}$, $Idx^*_2 = g^{\alpha r}$, $Idx^*_{3,i} = g^{r v_i}$, and $Idx^*_{4,i} = F(b(i))^{v_i}$. Two different situations require attention as follows:
(1) $P = e(g, g)^{\alpha\beta\gamma}$. Let $\mu = \alpha$ and $a = \beta\gamma$; then the index set obtained in this case is the real index: $Idx^*_{1,w_\rho} = e(g, g)^{a\mu \cdot H(w_\rho)}$, $Idx^*_2 = g^{\mu r}$, $Idx^*_{3,i} = g^{r v_i}$, $Idx^*_{4,i} = F(b(i))^{v_i}$
(2) $P = e(g, g)^{p}$. In this case, $\mathcal{A}$ cannot get information about $\rho$ because of the randomness of $p$
Phase 2. $\mathcal{A}$ can perform IdKey query, token query, and index query to $\mathcal{B}$. The queries sent by $\mathcal{A}$ must also meet the above conditional restrictions.
Guess. $\mathcal{A}$ performs a guess $\rho'$ for $\rho$; if $\rho' = \rho$, it wins. If it is case one, $P = e(g, g)^{\alpha\beta\gamma}$, then $\Pr[\rho' = \rho] = \varepsilon + 1/2$; if it is case two, $P = e(g, g)^{p}$, then $\Pr[\rho' = \rho] = 1/2$. Finally, we can get that the probability that $\mathcal{B}$ can resolve the DBDH assumption is (13). $\varepsilon/2$ is negligible due to the difficulty of the DBDH problem; that is, the advantage with which $\mathcal{A}$ can break our scheme is negligible; that is to say, our scheme is secure.
[Figure panel: decrypt cost (ms); series [34], [35], [37], Ours-user, Ours-cloud.]

Performance Comparison
The performance of other related schemes [34][35][36][37] is compared with this scheme in this section. Let $Ep$ and $Ep_T$ denote the exponential operation in $G$ and $G_1$; $Pa$ denotes the pairing operation. For convenience, $N_T$ indicates the number of attributes in the decryption operation and search operation in the system, $N_e$ indicates the number of attributes in the encryption operation in the system, $N_s$ denotes the number of attributes in the token generation in the system, and $N_w$ indicates the number of attributes in the index generation in the system. Let symmetric encryption and decryption operations be expressed as $Sym$.
We use JPBC library version 2.0.0 for related experiments. The experiment was simulated on a Windows system with an Intel(R) Core (TM) i5 CPU 3.20GHz and 8.00GB RAM to approximate the actual operation. We have obtained the measured values of exponentiation and pairing operations. The operating times of $Ep$, $Pa$, and $Ep_T$ are 10.9 ms, 7.8 ms, and 0.15 ms, respectively. Table 1 shows the comparison of our scheme with other schemes in terms of encryption cost, decryption cost, and other aspects. Figure 4 shows the comparison of the cost of encryption and decryption between our scheme and the other three multiauthority attribute-based encryption schemes. It is not difficult to see that the encryption and decryption time has a linear relationship with the number of attributes. Our scheme shifts the decryption process to the cloud server, which effectively reduces the user's computational cost. Figure 5 compares our scheme with the scheme [36]. It is not difficult to see from the figure that our scheme is highly efficient in the index generation, search, and token generation stages. Among them, in the token generation stage, our scheme transfers the work of token generation to the blockchain node, and users only need to generate part of the token.
Figure 5: Other time cost comparison; panel (c) shows search cost (ms) for [36] and ours. It can be seen that our scheme is better in terms of index generation, token generation, and search compared to scheme [36].
Obviously, because most of the calculation and storage work in the scheme is handed over to cloud servers and blockchain nodes, this makes our scheme more efficient in all aspects, especially in user decryption and token generation. Although the performance of some algorithms will be affected by the throughput of the blockchain and other factors, the security of the scheme will not be affected.

Conclusion
In this essay, we have presented a new BC-SABE scheme that replaces the centralized key management server in [31] with a consortium blockchain. The consortium blockchain consists of a trusted set of consensus nodes and is responsible for jointly generating the relevant partial parameters. We can guarantee the confidentiality of data transmission using the Pedersen secret sharing protocol, which enables sharing of subsecrets among consensus nodes, and the reciprocity protocol ensures that key information is shared without a trusted party. The update of the user revocation list is also performed entirely by the blockchain without re-encrypting the ciphertext. In addition, we move the predecryption operations to the cloud, and users are able to fully decrypt with only a small amount of computation. Performance analysis shows that this scheme is more efficient compared to other schemes.

Data Availability
We guarantee the confidentiality of data transmission.

Conflicts of Interest
The authors declare that there is no conflict of interest regarding the publication of this paper.