A Proxy Re-Encryption Approach To Secure Data Sharing in The Internet of Things Based On Blockchain

1) The document proposes combining proxy re-encryption, identity-based encryption, information-centric networking, and blockchain technology to improve data sharing in the Internet of Things. 2) A proxy server handles intensive computations for resource-constrained IoT devices and uses information-centric networking to efficiently deliver cached content. 3) Data owners can encrypt and outsource data to the cloud using identity-based encryption, while proxy re-encryption allows authorized users to access the encrypted data without revealing the data owner's secret key. 4) The security analysis shows the scheme promises to ensure data confidentiality, integrity, and security when sharing IoT data.


IEEE SYSTEMS JOURNAL, VOL. 16, NO. 1, MARCH 2022, p. 1685

A Proxy Re-Encryption Approach to Secure Data Sharing in the Internet of Things Based on Blockchain

Kwame Opuni-Boachie Obour Agyekum, Qi Xia, Emmanuel Boateng Sifah, Christian Nii Aflah Cobblah, Hu Xia, and Jianbin Gao

Abstract—The evolution of the Internet of Things has seen data sharing as one of its most useful applications in cloud computing. As eye-catching as this technology has been, data security remains one of the obstacles it faces since the wrongful use of data leads to several damages. In this article, we propose a proxy re-encryption approach to secure data sharing in cloud environments. Data owners can outsource their encrypted data to the cloud using identity-based encryption, while proxy re-encryption construction will grant legitimate users access to the data. With the Internet of Things devices being resource-constrained, an edge device acts as a proxy server to handle intensive computations. Also, we make use of the features of information-centric networking to deliver cached content in the proxy effectively, thus improving the quality of service and making good use of the network bandwidth. Further, our system model is based on blockchain, a disruptive technology that enables decentralization in data sharing. It mitigates the bottlenecks in centralized systems and achieves fine-grained access control to data. The security analysis and evaluation of our scheme show the promise of our approach in ensuring data confidentiality, integrity, and security.

Index Terms—Access control, blockchain, data security, identity-based proxy re-encryption, information-centric network (ICN), Internet of Things (IoT).

Manuscript received August 28, 2020; revised December 4, 2020 and April 10, 2021; accepted April 27, 2021. Date of publication May 27, 2021; date of current version March 24, 2022. This work was supported in part by the Program of International Science and Technology Cooperation and Exchange of Sichuan Province under Grant 2019YFH0014 and Grant 2020YFH0030 and in part by the Science and Technology Program of Sichuan Province under Grant 2020YFSY0061. (Corresponding author: Jianbin Gao.)
Kwame Opuni-Boachie Obour Agyekum, Qi Xia, Emmanuel Boateng Sifah, Christian Nii Aflah Cobblah, and Jianbin Gao are with the School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu 610054, China, and also with the UESTC-CDFH Joint Institute of Blockchain, Chengdu Jiaozi Financial Holding Group Co. Ltd., Chengdu 610042, China.
Hu Xia is with the School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu 610054, China.
Digital Object Identifier 10.1109/JSYST.2021.3076759
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/

I. INTRODUCTION

THE Internet of Things (IoT) has emerged as a technology that has great significance to the world nowadays and its utilization has given rise to an expanded growth in network traffic volumes over the years. It is expected that a lot of devices will get connected in the years ahead. Data is a central notion to the IoT paradigm as the data collected serves several purposes in applications such as healthcare, vehicular networks, smart cities, industries, and manufacturing, among others [1]. The sensors measure a host of parameters that are very useful for stakeholders involved. Consequently, as enticing as IoT seems to be, its advancement has introduced new challenges to security and privacy. IoT needs to be secured against attacks that hinder it from providing the required services, in addition to those that pose threats to the confidentiality, integrity, and privacy of data.

A viable solution is to encrypt the data before outsourcing to the cloud servers. Attackers can only see the data in its encrypted form when traditional security measures fail. In data sharing, any information must be encrypted from the source and only decrypted by authorized users in order to preserve its protection. Conventional encryption techniques can be used, where the decryption key is shared among all the data users designated by the data owner. The use of symmetric encryption implies that the same key is shared between the data owner and users, or at least the participants agree on a key. This solution is very inefficient. Furthermore, the data owners do not know in advance who the intended data users are, and, therefore, the encrypted data needs to be decrypted and subsequently encrypted with a key known to both the data owner and the users. This decrypt-and-encrypt solution means the data owner has to be online all the time, which is practically not feasible. The problem becomes increasingly complex when there are multiple pieces of data and diverse data owners and users.

Although simple, the traditional encryption schemes involve complex key management protocols and, hence, are not apt for data sharing. Proxy re-encryption (PRE), a notion first proposed by Blaze et al. [2], allows a proxy to transform a file computed under a delegator's public key into an encryption intended for a delegatee. Let the data owner be the delegator and the data user be the delegatee. In such a scheme, the data owner can send encrypted messages to the user temporarily without revealing his secret key. The data owner or a trusted third party generates the re-encryption key. A proxy runs the re-encryption algorithm with the key and revamps the ciphertext before sending the new ciphertext to the user. An intrinsic trait of a PRE scheme is that the proxy is not fully trusted (it has no idea of the data owner's secret key). This is seen as a prime candidate for delegating access to encrypted data in a secured manner, which is a crucial component in any data-sharing scenario. In addition, PRE allows for encrypted data in the cloud to be shared to authorized users while maintaining its confidentiality from illegitimate parties.
Data disclosures can be minimized through the use of encryption since only users delegated by the data owner can effectively access the outsourced data.

Motivated by this scenario, this article proposes an improvement in IoT data sharing by combining PRE with identity-based encryption (IBE), information-centric networking (ICN), and blockchain technology. Shamir [3] first presented the notion of IBE, in which a sender encrypts a message to a recipient using the identity (email) as the public key. It is a very powerful primitive used to combat numerous key distribution problems and has consented to the development of several cryptographic protocols, including public-key searchable encryption [4], [5], secret handshakes [6], and chosen ciphertext attack (CCA) secure public-key encryption [7]. IBE is preferred over attribute-based encryption (ABE) because ABE involves heavy computations on data encryption, decryption, and key management, and these processes are not convenient for the resource-constrained IoT devices. The strength of this article is increased by borrowing the idea of ICN to cater for the growth in information sharing. The appeal for low-latency applications introduced the notion of ICN [8]–[11], where data owners can distribute and assign unique names to their data which can be replicated and saved in network caches [12], [13]. This ensures that there is an efficient data delivery and utilization of network bandwidth, which is a prerequisite for the IoT ecosystem regardless of the enormous growth in network volumes. On issues of trust, a decentralized, distributed system that can smoothen secure and trusted data sharing was introduced by Nakamoto [14]. This is the blockchain technology, and it has gained much attention due to its ability to preserve data privacy. Although there exist optimization issues when storing vast sizes of data, emerging system applications have used the blockchain for access control in database management. Data confidentiality and user revocation can also be achieved using blockchain.

PRE, together with IBE and the features of ICN and blockchain, will enhance security and privacy in data-sharing systems. PRE and IBE will ensure fine-grained data access control, while the concept of ICN promises a sufficient quality of service in data delivery because the in-network caching provides efficient distribution of data. The blockchain is optimized to prevent storage and data-sharing overheads and also to ensure a trusted system among entities on the network. In our article, the data owner propagates an access control list which is stored on the blockchain. Only the authorized users are able to access the data. The contributions of this article are summarized as follows.
1) We propose a secure access control framework to realize data confidentiality, and fine-grained access to data is achieved. This will also guarantee data owners' complete control over their data.
2) We give a detailed description of our PRE scheme and the actualization of a complete protocol that guarantees security and privacy of data.
3) To improve data delivery and effectively utilize the network bandwidth, edge devices serve as proxy nodes and perform re-encryption on the cached data. The edge devices are assumed to have more computation capabilities than the IoT devices and as such provide high performance networking.
4) The security analysis of our scheme is presented, and we also test and compare its performance with existing schemes.

This article is structured as follows. Section II reviews some literature on PRE, IBE, ICN, and blockchain for data sharing and access control. Security definitions and preliminaries are formally described in Section III. In Section IV, we define a data-sharing problem and present the system model. The implementation of our model is illustrated in Section V and the formal security analysis is outlined in Section VI. Section VII evaluates and discusses our proposed scheme, while Section VIII concludes the article.

II. RELATED WORKS

In this section, we review some of the applications of the technologies used in this article in relation to data sharing and access control in the cloud.

A. PRE Data Sharing

Yu et al. [15] combined key-policy ABE (KP-ABE) and PRE to propose a system for data sharing in the cloud. The data was encrypted using KP-ABE which meant that only an appropriate collection of the attribute secret keys can make decryption possible. Besides the encrypted data, the cloud also managed all attribute secret keys except one special secret key in order to handle revocation of users. When users are revoked, new keys were distributed to the remaining users by the data owner and the encrypted data had to be re-encrypted. Although the scheme was efficient, the re-encryption was performed in a lazy way, and, therefore, the security of the scheme was weakened. Park [16] provided a modification to the scheme in [15], where collusion between the service provider and revoked users is avoided. Their scheme was to basically replace the service provider with a trusted third party, which implies that there should be reliance on stronger trust assumption. Other schemes [17]–[19] have made similar approaches but utilized ciphertext-policy ABE (CP-ABE) rather, in which the access policy is associated with the ciphertext instead of the secret keys. Liu et al. [20] also proposed a time-constrained access control scheme based on PRE and ABE. ABE was used to design time-based access control policies while PRE was used to update the time attributes. Although these schemes have their advantages, they are not suitable in the context of IoT due to the heavy computations on encryption and decryption.

TABLE I. NOTATION

An IBE PRE scheme suitable for data sharing was presented by Han et al. in [21]. The re-encryption keys were not only bound to the users' identities but also to a specific ciphertext. This implied that the data owner had to create a different re-encryption key for each pair of data user and shared file. A similar idea was proposed by Lin et al. [22] where they used a hierarchical PRE instead of an identity-based PRE. These two schemes tend to be inefficient when multiple and complex data pieces are considered. An identity-based broadcast encryption (IBBE) combined with PRE was proposed by Zhou et al. in [23] for data sharing. Their scheme was a hybrid one that allowed the conversion to be done between the two protocols without leaking any sensitive information. Wang et al. [24] also designed an identity-based PRE (IBPRE) scheme for accessing health records. The scheme achieved coarse-grained access control. If a proxy receives the re-encryption key from the data owner, either all the ciphertexts can be re-encrypted and accessible to the intended users or none at all. On that note, Shao et al. [25] proposed an IBE PRE scheme that is based on conditions. In their proposal, the proxy could transform a subset of ciphertexts under an identity to other ciphertexts under another identity. However, decryption rights to a group of users could not be authorized. In addition to the above, PRE has been used to mitigate security problems in IoT [26].
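The delegation flow that PRE provides (the owner encrypts once, the proxy holds only a re-encryption key and transforms ciphertexts without seeing plaintext or the owner's secret key) can be run end to end with the ElGamal-style construction of Blaze et al. [2], used here in key-encapsulation form. This is an added example, not the article's identity-based scheme or the authors' code; the toy group parameters, function names, and sample readings are assumptions made for the illustration, and the stream-XOR body carries no integrity protection.

```python
import hashlib
import secrets

# Toy group, constructed for this example (far too small for real use):
# Q is the Mersenne prime 2^127 - 1, P the first prime of the form 2*k*Q + 1,
# and G generates the order-Q subgroup of Z_P^*.
Q = 2**127 - 1
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases; adequate for picking demo parameters."""
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def find_group():
    k = 1
    while not is_probable_prime(2 * k * Q + 1):
        k += 1
    p = 2 * k * Q + 1
    h = 2
    while pow(h, (p - 1) // Q, p) == 1:
        h += 1
    return p, pow(h, (p - 1) // Q, p)

P, G = find_group()

def keygen():
    sk = secrets.randbelow(Q - 1) + 1           # secret exponent in [1, Q-1]
    return sk, pow(G, sk, P)

def stream_xor(shared, data):
    """XOR data with a SHAKE-256 keystream derived from the shared element."""
    seed = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    pad = hashlib.shake_256(seed).digest(len(data))
    return bytes(x ^ y for x, y in zip(data, pad))

def encrypt(pk, data):
    r = secrets.randbelow(Q - 1) + 1
    # c2 = pk^r = g^(sk*r) hides g^r, which keys the body.
    return pow(pk, r, P), stream_xor(pow(G, r, P), data)

def decrypt(sk, ct):
    c2, body = ct
    shared = pow(c2, pow(sk, -1, Q), P)         # (g^(sk*r))^(1/sk) = g^r
    return stream_xor(shared, body)

def rekey(sk_owner, sk_user):
    # rk = b/a mod Q. This construction needs both secret exponents
    # (interactive), and 1/rk delegates in the opposite direction.
    return sk_user * pow(sk_owner, -1, Q) % Q

def reencrypt(rk, ct):
    # Proxy step: g^(a*r) -> g^(b*r). No plaintext or secret key is involved.
    c2, body = ct
    return pow(c2, rk, P), body

def demo():
    a_sk, a_pk = keygen()                       # data owner (delegator)
    b_sk, b_pk = keygen()                       # data user (delegatee)
    ct1 = encrypt(a_pk, b"temp=21.5C")          # constructed sample readings
    ct2 = encrypt(a_pk, b"hr=64bpm")
    rk = rekey(a_sk, b_sk)
    back = reencrypt(pow(rk, -1, Q), encrypt(b_pk, b"user-private"))
    return {
        "owner_reads": decrypt(a_sk, ct1),
        "user_before": decrypt(b_sk, ct1),      # wrong key: unreadable bytes
        # One rk converts every owner ciphertext (coarse-grained delegation).
        "user_after": [decrypt(b_sk, reencrypt(rk, c)) for c in (ct1, ct2)],
        # Inverting rk turns the user's ciphertexts into the owner's.
        "reverse": decrypt(a_sk, back),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The `reverse` entry shows that this construction is bidirectional and that its re-encryption key requires both parties' secrets, which is the contrast with the unidirectional, noninteractive properties the article cites from Ateniese et al. [43].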

B. Blockchain-Based Access Control and Data Sharing

Zyskind et al. [27] used blockchain to provide distributed personal data management and ensure privacy as well. The blockchain was utilized as an automatic access control manager, and, hence, no third party was required. Only the data address was stored on the blockchain and a distributed hash table was used as the implementation of the data storage. This reduced the risk of data leakage. However, no specific access control model was proposed in their scheme. Maesa et al. [28] proposed a blockchain-based access control scheme where the data owner defines policies on the data and stores them on the blockchain. The policies are then assigned to the users as access rights. Fan et al. [29] designed a similar model to [28] where the encrypted data is uploaded to the cloud and access policies on the data are stored on the blockchain as transactions. Although these two schemes achieve tamper-proof systems and easy auditing, there is a leakage of access policies since the blockchains used are public ones and are thus visible to everyone. Singh and Kim [30] presented a blockchain-based model for sharing data in vehicular networks and also enable secure communication among vehicles. However, the use of a public blockchain does not work well in peer-to-peer (P2P) data sharing among vehicles due to the high cost involved in establishing a public blockchain in resource-constrained vehicles.

C. Access Control Schemes for ICN

In order to control content in ICN frameworks, several centralized and decentralized access control mechanisms have been proposed in literature. Silva and Zorzo [31] presented an access control system for named data networking which relied on an ABE scheme and a proxy server. Before a content is published, the data owner encrypts the content and generates an access policy that binds it. The encrypted data is stored in the immediate routers while the access policy is stored on the server. When a user wants to access content, the user retrieves the content from the router, obtains the access policy from the proxy server, and then decrypts the data. Their scheme enables user revocation; however, it suffers from a single point of failure if a proxy server fails to work because the proxy server takes part in each content access. Li et al. [32] designed a privacy enhancing scheme using ABE for access control in ICN, and a trusted third party is deployed to manage attributes. A content publisher generates an access policy based on the attributes defined by the third party and uses a random symmetric key to encrypt the data. The publisher then hides the random key and the access policy in the content name and only authorized users can gain access to the content. The proposed scheme achieves privacy by hiding the access policy in the content name, but user revocation is not guaranteed.

For decentralized access control systems, Misra et al. [33] proposed a secure content delivery ICN framework using Shamir's threshold secret sharing scheme and broadcast encryption but without the services of a third party. A symmetric key is used to encrypt the content which is broadcast to the network along with the key generation materials. Only authorized users can use these keying materials and decrypt the encrypted data using their individual keys. The scheme provides user revocation services, but an account of each content access or the history of keying materials' update is not kept. This makes auditing difficult. Abdallah et al. [34] made use of the Diffie–Hellman (DH) protocol in the process of content publishing to achieve decentralized access control. The content, its name, and metadata are sent to the ICN, while only the content name is published. After going through the various stages of the DH key exchange protocol, the ICN verifies the metadata and sends the encrypted data together with the shared key. There is no single point of failure in this scheme; however, the cached content in the ICN is in the plaintext form which makes it vulnerable to attacks.

Cloud servers are used to facilitate IoT data sharing and provide seamless, efficient, and robust sharing services in [35]–[37]. However, there are privacy concerns [38], [39]; the cloud is not trusted, and, hence, it is indispensable to enforce data access control over potentially untrusted platforms. Besides these, several schemes [40]–[42] are based on ABE. Although they are efficient, the high computations in key generation and distribution are not opportune for IoT. Inspired by the drawbacks in the applications of the various technologies for access control and data sharing, this article utilizes PRE, IBE, and the features of ICN and blockchain to solve the challenges in data sharing. To the best of our knowledge, this article is the first to combine these mechanisms to establish secure data sharing in the cloud. Ateniese et al. [43] proposed a re-encryption scheme that is unidirectional, noninteractive, of multiuse, and nontransitive. These properties are suitable for our proposed architecture, and, hence, the scheme is adopted in this article. A detailed construction of the security proof is also provided.

III. SECURITY DEFINITIONS

In this section, we outline the security settings and computational problems to be used in this article, after which the PRE scheme is defined. For ease of understanding, Table I shows the
significant mathematical symbols and their notations. However, all other symbols are duly explained.

A. Bilinear Maps

Consider $G_1$ and $G_2$ to be two groups of order $p$ for some large prime $p$. Our scheme utilizes a bilinear map $\hat{e} : G_1 \times G_1 \to G_2$ among these two groups. The following conditions about the map should be satisfied.
- Bilinear: A map $\hat{e} : G_1 \times G_1 \to G_2$ is said to be bilinear if $\hat{e}(uP, vQ) = \hat{e}(P, Q)^{uv}$, $\forall P, Q \in G_1$, $\forall u, v \in \mathbb{Z}$.
- Nondegenerate: The map is nondegenerate (i.e., all pairs in $G_1 \times G_2$ are not sent to the identity in $G_2$). Observe that because $G_1, G_2$ are groups of prime order, whenever $P$ is a generator of $G_1$, $\hat{e}(P, P)$ becomes a generator of $G_2$.
- Computable: There exists an efficient algorithm that computes $\hat{e}(P, Q)$ for any $P, Q \in G_1$.

B. Decisional Bilinear Diffie–Hellman Assumption (DBDH)

The security of our scheme is based on a variant of the computational Diffie–Hellman assumption known as the decisional bilinear Diffie–Hellman assumption (DBDH) in $G_1, G_2$. It is defined as follows: with $\hat{e} : G_1 \times G_1 \to G_2$, let $g$ be a generator of $G_1$. When given a tuple $(g, g^u, g^v, g^w, J) \in G_1^4 \times G_2$, a decision needs to be made as to whether $J$ is just one random element in $G_2$ or $J = e(g, g)^{uvw}$.

Define $\lambda$ to be a security parameter. For all probabilistic polynomial time (p.p.t) algorithms $A$, there exists the condition shown in (1) where $\psi(\cdot)$ is a negligible function. That is, for all polynomial functions $p(\cdot)$, $\psi(\lambda)p(\lambda) < 1$, the DBDH assumption holds in the groups $(G_1, G_2)$ as can be seen from (1):

$$\left| \Pr\left[ u, v, w \xleftarrow{\$} \mathbb{Z}_p^* ;\ 1 \leftarrow A\left(g, g^u, g^v, g^w, e(g, g)^{uvw}\right) \right] - \Pr\left[ u, v, w \xleftarrow{\$} \mathbb{Z}_p^* ;\ J \xleftarrow{\$} G_2 ;\ 1 \leftarrow A\left(g, g^u, g^v, g^w, J\right) \right] \right| \le \psi(\lambda) \tag{1}$$

C. Identity-Based Encryption

Setup, KeyGen, Encrypt, and Decrypt are four algorithms that characterize an IBE scheme, and they are defined below.
1) Setup [$(params, msk) \leftarrow \lambda$]: The setup algorithm takes a security parameter $\lambda$ as the input and outputs a set of public parameters $params$ and a master key $msk$. The public parameters contain a description of the message space $M$ and also a description of the ciphertext $CT$. The public parameters are known while the master key is kept secret.
2) KeyGen [$\alpha \leftarrow (params, msk, ID)$]: The key generation algorithm takes the public parameters, the master key, and an arbitrary $ID \in (0, 1)^*$ as inputs and produces a decryption key $\alpha$, which corresponds to the ID.
3) Encrypt [$CT \leftarrow (params, ID, m \in M)$]: The encryption algorithm returns a ciphertext $CT$ after taking the public parameters, an ID, and a message $m$ as inputs.
4) Decrypt [$m \leftarrow (params, CT, \alpha)$]: The decrypt algorithm takes the public parameters, $CT$, and the decryption key as inputs and returns the message $m$. The constraint in the following equation must be satisfied:

$$\forall m \in M : \mathrm{Decrypt}(params, \mathrm{Encrypt}(params, ID, m), \alpha) = m. \tag{2}$$

D. Identity-Based Proxy Re-Encryption

This scheme is an extended version of the IBE scheme. The difference between IBPRE and IBE schemes is the introduction of two algorithms: a re-encryption key generation algorithm ReKey and a re-encryption algorithm ReEnc. The data owner generates the re-encryption key $RK$ and hands it to the proxy. Then the proxy uses $RK$ to transform ciphertexts. ReKey and ReEnc algorithms are defined below.
1) ReKey: On inputting the public parameters, corresponding secret key, and IDs $(ID_{DO}, ID_{DU}) \in \{0, 1\}^*$, the algorithm returns the re-encryption key $RK$ which is given as $RK_{ID_{DO} \to ID_{DU}} \leftarrow (params, \alpha_{ID_{DO}}, ID_{DO}, ID_{DU})$.
2) ReEnc: When the inputs are the public parameters, re-encryption key, and the original ciphertext under identity $ID_{DO}$, the re-encrypted ciphertext is produced. That is, $CT_{ID_{DU}} \leftarrow (params, RK_{ID_{DO} \to ID_{DU}}, CT_{ID_{DO}})$.

Correctness: To ascertain the correctness of the scheme, an IBPRE scheme is correct when the expected outcome of a properly formulated ciphertext is obtained if the Decrypt algorithm is run. More formally, let $\alpha_{ID_{DO}} \leftarrow \mathrm{KeyGen}(msk, ID_{DO})$, $\alpha_{ID_{DU}} \leftarrow \mathrm{KeyGen}(msk, ID_{DU})$, and $\mathrm{ReKey} \leftarrow (params, \alpha_{ID_{DO}}, ID_{DO}, ID_{DU})$; for this, constraints (3)–(5), given below, must be satisfied.

E. Security Model

For a scheme defined by the tuples as stated earlier, its security is based on the indistinguishability against proxy identity and chosen plaintext attack (CPA), $\mathrm{IND}_{\mathrm{PRID/CPA}}$. There are five stages involved in this security game where the adversary $A$ engages the challenger $C$ in a series of games.
1) Select phase: The attacker selects $\mu \in (0, 1)$ and gives to the challenger.
2) Setup phase: The challenger obtains $params$, $msk$ after running the Setup algorithm and gives $params$ to $A$.
3) Find phase: The adversary makes the following queries. $A$ selects an $id^* \in (0, 1)^*$ and $(m_0, m_1) \in M^2$ at the conclusion of this phase.
   a) $C$ returns $msk = \mathrm{KeyGen}(params, msk, id)$ to $A$ when a query of $(\mathrm{KeyGen}, id)$ is made.
   b) For the situation where $id_{DO} = id_{DU}$, the re-encryption key $ID_{DU}$ is given to $A$ when a query of the form $(\mathrm{ReKey}, id_{DO}, id_{DU})$ is made.
   c) When $A$ queries $(\mathrm{Dec}, id, CT)$, return $\perp$.
   d) When $A$ queries $(\mathrm{ReEnc}, id_{DO}, id_{DU}, CT)$, return $\perp$.
   $A$ is not authorized to choose $id^*$ in such a way that there is a possibility of a trivial decryption using keys generated during this phase.
4) Decision and Challenge phase: $C$ computes and gives $CT^* = \mathrm{Enc}(params, id^*, m_\mu)$ to $A$, when the adversary presents $(choice, id^*, m_0, m_1)$.
5) Guess phase: Just as in the find phase, the adversary continues to make queries until at the end of this stage $A$ yields $\mu^*$, where $\mu^* \in (0, 1)$. The adversary wins the game if $\mu^* = \mu$. With the security in the random oracle, let $(\mathrm{KeyGen}, RK, \mathrm{Dec}, \mathrm{ReEnc})$ and $(\mathrm{KeyGen}', RK', \mathrm{Dec}', \mathrm{ReEnc}')$ be algorithms in the find and guess phases, respectively. The adversary's advantage in the game is defined in (5). The security of the scheme against the attack is achieved if for all p.p.t algorithms $A$, $\mathrm{Adv}_A^{\mathrm{IND}_{\mathrm{PRID/CPA}}} \le \psi(\lambda)$.

$$m \leftarrow \mathrm{Decrypt}\left(params, CT_{ID_{DO}}, \alpha_{ID_{DO}}\right) \tag{3}$$

$$m \leftarrow \mathrm{Decrypt}\left(params, \alpha_{ID_{DU}}, \mathrm{ReEnc}\left(params, RK_{ID_{DO} \to ID_{DU}}, CT_{ID_{DO}}\right)\right) \tag{4}$$

$$\left| \Pr\left[ \mu^* = \mu \;\middle|\; \begin{array}{l} \mu \leftarrow (0, 1);\ \mathrm{Setup}(\lambda) \to (params, msk) \\ A^{[\mathrm{KeyGen}(\cdot), RK(\cdot), \mathrm{Dec}(\cdot), \mathrm{ReEnc}(\cdot)]}(params) \to (id^*, m_0, m_1, j) \\ CT^* \leftarrow \mathrm{Enc}(params, id^*, m_\mu) \\ A^{[\mathrm{KeyGen}'(\cdot), RK'(\cdot), \mathrm{Dec}'(\cdot), \mathrm{ReEnc}'(\cdot)]}(params, CT^*, j) \to \mu^* \end{array} \right] - 1/2 \right| \tag{5}$$

IV. PROBLEM DEFINITION AND SYSTEM OVERVIEW

In this section, we illustrate a simple data-sharing problem and introduce the system model.

A. Problem Definition

IoT data sharing has become prevalent in several applications, ranging from healthcare and vehicular networks to smart homes and energy trading. Whenever an IoT device (sensor, pacemaker, smart phone, etc.) wants to share its data among other users, the data is usually encrypted and outsourced to cloud repositories. Access rights and privileges are bound to this data to preserve privacy, enable an efficient access mechanism, and prevent malicious activities in the network. Fig. 1 epitomizes a data-sharing scenario.

Fig. 1. Simplified data-sharing platform.

In such a system, the data producers are the entities that generate the data. They can participate in data protection from the onset by encrypting the data and outsourcing it to the cloud service providers (CSPs) themselves. Generation does not necessarily translate to ownership and, hence, the distinction between data producers and the data owners. The data owners usually center on who owns the data. The data owner generates a random number which is used to encrypt the data before uploading into the cloud and sharing with prospective users. Access rights on the data are initiated. Data owners can be producers themselves; however, this does not rule out the possibility of separate entities getting involved in data production. It is assumed that the data owners communicate with other entities through an agent/server that runs on a trusted computer.

The data user domain consists of legitimate recipients of the information that is shared by the owners/producers. The users not only comprise people but devices as well. These data users must access the shared data from the CSP which is a semitrusted party that offers storage services to the data. It houses the encrypted data from the owner and the data is received through a secure communication channel. They provide data-sharing services without being able to learn anything about the plaintext. Any information that must be accessed should be encrypted from the source and decrypted by only legitimate users.

Nonetheless, due to its semitrust nature, the CSP may have incentives for trying to read the data. With data sharing comes instances where user2 might want to access a particular data which had been previously shared between the data owner and user1. To improve the quality of service in data delivery and have an efficient use of the bandwidth, there is the need for the cached content in edge nodes to be shared with user2 using its identity or credentials, instead of obtaining that same data from the cloud server and performing another encryption. This prevents overhead and increases the network performance.

B. System Model

Our system model in Fig. 2 introduces a blockchain-based PRE approach to data sharing. The additional entities to the data-sharing model as discussed in Fig. 1 are the edge devices and the blockchain. The edge devices serve as proxy nodes and provide re-encryption services to the authorized user(s). When the data is cached at the edge of the network, the edge devices provide services to users with high availability and performance. They receive the re-encryption key from the data owner, fetch
1690 IEEE SYSTEMS JOURNAL, VOL. 16, NO. 1, MARCH 2022

the ciphertext from the CSP, and transform the ciphertext in the identity of the data user. It is an honest-but-curious entity.

Fig. 2. Data-sharing system model.

The blockchain serves as the trusted authority (TA) that initiates the system parameters. The TA also provides secret keys that are bound to the users’ identities. By utilizing this distributed ledger, authenticity, transparency, and verifiability are achieved in the network, which enhances the security and privacy of data. Data owners are therefore able to manage their data effectively. The blockchain network registers and issues membership keys to the data owner(s) and user(s). When a user requests data access, the owner generates a re-encryption key by using the identity of the user and sends it to the proxy server. Access rights and policies on the use of the data are instantiated and sent to the blockchain network. A data user is verified before access is granted.

The TA runs the Setup algorithm to generate system parameters and a master key in the system initialization phase. Simultaneously, the KeyGen algorithm is used to create keys for the users. The data owner runs the Encrypt algorithm to create a ciphertext $CT$. The ciphertext is then outsourced to the CSP and the metadata is stored on the blockchain.

In our model, incorporating data caches in the forwarding process ensures that content delivery is more robust against packet losses, and this improves the availability of the content. Not only does it support content caching but functionality caching (which is re-encryption in this case) as well. Also, the multipoint delivery system of ICN assures an effective utilization of bandwidth and storage. When the number of users increases, the content will not be unicasted and this will reduce the bandwidth usage.

V. SYSTEM IMPLEMENTATION

In this section, we give concrete details of the workflow of the system and how the blockchain works as well. The re-encryption scheme is also described.

A. System Workflow

Data storage and retrieval on the system are detailed as follows. The hash of the data is calculated using the SHA-256 hashing algorithm to achieve data integrity. The data owner generates a random number which is used to encrypt the data and the resulting ciphertext is uploaded to the CSP. Metadata is created to support search functionality and the data owner produces a digital signature on the data by using his private key to sign the hash.

The data owner generates the re-encryption key based on the identity of the user and gives it to the proxy server. The user is included in an access list which is sent to the proxy server. The proxy verifies the owner’s signature for authenticity. Having stored $CT$ on the CSP, the proxy retrieves a uniform resource locator (URL) to the ciphertext and generates and assigns an ID ($d_{ID}$) to the URL. The server appends its signature on $d_{ID}$ which is then cached in the proxy server. Finally, the metadata, access control policy, signatures of both the data owner and the proxy server, hash, and $d_{ID}$ are uploaded to the blockchain.

When a user places a request for data access, the user queries the metadata on the blockchain. The authenticity of the data is verified by checking the signatures of the data owner and the proxy server. A timestamp is appended if authentication is successful, after which the signed data is sent to the proxy server in a request for the actual data. The related information on the data is fetched from the cache, while the associated ciphertext is also retrieved from the CSP. The proxy server performs ciphertext re-encryption and sends the result to the user. The user can now decrypt the ciphertext with his private key. The blockchain beforehand verifies the authenticity of the user by using his signature. The timestamp is verified and the request is stored on the blockchain for auditing purposes.

B. Blockchain

Blockchain technology is seen as a disruptive technology that can play a major role in securing IoT devices. As a decentralized, distributed paradigm, the blockchain uses a cryptographically linked chain of blocks to validate and store processed data. A consensus algorithm is used by the processing nodes in generating the blocks. Smart contracts, which are programmable scripts that are automatically executed, are used to manipulate the data. A generated block consists of a header and a body. Constituents of a block header include a current version number, the address of the previous block, the target hash value of the current block, a Merkle root, a nonce, and a timestamp. A block body typically consists of transactions, and they differ in application areas. The components of the block header are vital in generating an accurate and reliable header. The previous block’s hash is a 32-b long string that effectively secures the chain by being linked to the previous block or the parent block. A 4-b long nonce is a value used by miners to create different permutations and also create a correct hash in the sequence. The timestamp enables everyone to see the encoded record of a particular event. It usually provides the date and time of block creation, and it is 4-b long. The Merkle root is a 32-b long string that contains all the hashed transactions within a hashed transaction. The version number keeps track of changes and updates while the target difficulty is used to adjust how hard it is for miners to solve the block. Their byte length is 4 each. In all, the header is an 80-b long string. The structure of a block is shown in Fig. 3.

Practical byzantine fault tolerance (PBFT) is a consensus algorithm that is adopted in this article. Processing nodes in the blockchain serve as miners responsible for block creation. Whenever a block is received, the nodes get engaged in a voting process before reaching consensus. The PBFT algorithm verifies the correctness of a block. Each processing node can become a

leader because each has complete access to the transaction. In a consortium blockchain, the leader is chosen until after the consensus process unlike in public blockchains where mining incurs high costs and lengthy delays because there is a cryptographic puzzle to be solved in Proof of Work consensus algorithm.

Digital signatures are used to sign the encrypted transactions to guarantee their authenticity. The signed transactions are then cryptographically linked to form a tamper-proof block. Several such blocks are then chronologically linked by hash pointers to form a chain.

Fig. 3. Block structure.

In dynamic IoT environments, centralized data services result in high bandwidth use and server load and are, therefore, not scalable to meet the growing demands of IoT systems. A consortium blockchain is adopted due to its suitability to access control and privacy preservation. Only authorized users can have access to the data. Data owners can effectively manage their data and audit logs. Consortium blockchains provide a high level of security. IoT security concerns that are addressed by the blockchain network include verifying the identity of the connected users or devices, their account information, and also preventing cached data from being misused.

Because edge devices have enough computing resources and storage, they act as proxy servers to provide re-encryption services and other computations for the resource-constrained IoT devices. It is, therefore, easy to cache data at these edge nodes. Retrieving data via high-speed networks, the user can make requests for data access, thus providing a smooth user experience.

Due to the dynamic nature and mobility of edge networks, it is a requirement that the edge devices and stakeholders in general have unique identities. The ID of all entities on the network is represented by the tuple $(id, k_{pu}, k_{pr}, rl)$. $id$ is the cryptographic hash of the public key $k_{pu}$, i.e., $id = hash(k_{pu})$. $k_{pr}$ denotes the private key and $rl$ is the role of the entity. Apart from the data owner and users serving their roles as their names suggest, the edge devices themselves could also be data users. Before a transaction can be initiated, all identities need to be known and verified. If the verification fails, the connection is terminated. The S/Kademlia static crypto puzzle [44] is used to create the public and private keys to prevent Sybil attack. The public key is used to sign messages (transactions) in order to verify their authenticity.

C. Scheme Construction

The scheme is formally described in this section.

1) System Setup: Let the bilinear map be defined as $\hat{e} : G_1 \times G_1 \rightarrow G_2$, where $G_1 = \langle g \rangle$ and the order of $G_2$ is $p$. $H_1$ and $H_2$ are two hash functions defined by $H_1 : G_1 \leftarrow (0,1)^{*}$, $H_2 : G_1 \leftarrow G_2$. The public parameters are generated as $params = (G_1, H_1, g, g^{\delta})$. $\delta$ is the secret key which is selected from the group $Z_p^{*}$.
2) Key Generation: Given the public parameters, the secret key, and an ID, this algorithm extracts the decryption key for identity $id \in (0,1)^{*}$ and returns the secret key of the data owner, $xk_{ID_{DO}} = H_1(id_{DO})^{\delta}$.
3) Encryption: In order to encrypt $m$ using the identity of the data owner, a random number $r \in Z_p^{*}$ is selected and the output ciphertext is given as $CT_{ID_{DO}} = (CT_1, CT_2)$ where $CT_1 = g^{r}$, $CT_2 = m \cdot e(g^{\delta}, H_1(id_{DO}))^{r}$.
4) Re-encryption Key Generation: $\vartheta$ is selected from $G_2$ and the tuple $\langle \Psi_1, \Psi_2 \rangle = \mathrm{Enc}(params, id_{DU}, \vartheta)$. The resulting re-encryption key is given as $RK_{ID_{DO} \rightarrow ID_{DU}} = \langle \Psi_1, \Psi_2, xk_{ID_{DO}}^{-1} \cdot H_2(\vartheta) \rangle$.
5) Re-encryption: In order to re-encrypt $CT$ from the data owner to the data user, the re-encryption key is written as $RK_{ID_{DO} \rightarrow ID_{DU}} = (\Psi_1, \Psi_2, \Psi_3)$ and the re-encrypted ciphertext is defined as $CT_{ID_{DU}} = \langle CT_1, CT_2 \cdot e(CT_1, \Psi_3), \Psi_1, \Psi_2 \rangle$.
6) Decryption: To obtain the message, $m = CT_2 / e(CT_1, xk_{ID})$. For the re-encrypted ciphertext, $CT_{ID} = \langle CT_3, CT_4 \rangle$, compute $\vartheta_2 = \mathrm{Dec}(xk_{ID}, CT_{ID})$ and retrieve the plaintext via $\vartheta = CT_2 / e(CT_1, H_2(\vartheta_2))$.

Correctness: For a ciphertext produced from the Enc algorithm, $CT_{ID_{DO}} = (g^{r}, m \cdot e(g^{\delta}, H_1(id_{DO}))^{r})$ and $xk_{ID_{DO}} = H_1(id_{DO})^{\delta}$, $m$ can be recovered as follows:

$$m = \frac{CT_2}{e(CT_1, xk_{ID_{DO}})} = \frac{m \cdot e(g^{\delta}, H_1(id_{DO}))^{r}}{e(g^{r}, H_1(id_{DO})^{\delta})} = m.$$

Having $CT_{ID_{DO}} = (g^{r}, CT_2)$ and $RK_{ID_{DO} \rightarrow ID_{DU}} = (\langle \Psi_1, \Psi_2 \rangle = \mathrm{Enc}(params, id_{DU}, \vartheta), \Psi_3)$, the re-encrypted ciphertext can be obtained as $CT_{ID_{DU}} = (g^{r}, CT_2' = CT_2 \cdot e(g^{r}, \Psi_3), \Psi_1, \Psi_2)$ where

$$CT_2' = CT_2 \cdot e(g^{r}, \Psi_3) = m \cdot e(g^{\delta}, H_1(id_{DO}))^{r} \cdot e\left(g^{r}, H_1(id_{DO})^{-\delta} \cdot H_2(\vartheta)\right) = m \cdot e(g, H_2(\vartheta))^{r}.$$

The resulting ciphertext is $CT_{ID_{DU}} = (g^{r}, CT_2', \Psi_1, \Psi_2)$, and when given $xk_{ID_{DU}} = H_1(id_{DU})^{\delta}$, the message can be obtained as follows. Let $CT_{ID_{DU}} = \langle \Psi_1, \Psi_2 \rangle$. This can be decrypted under $xk_{ID_{DU}}$ to obtain $\vartheta = \mathrm{Dec}(params, xk_{ID_{DU}}, CT_{ID_{DU}})$. The message can then be computed as

$$m = \frac{CT_2'}{e(g^{r}, H_2(\vartheta))} = \frac{m \cdot e(g, H_2(\vartheta))^{r}}{e(g^{r}, H_2(\vartheta))} = m.$$

In practice, it is observed that the scheme exhibits unidirectionality since $RK_{DO \rightarrow DU}$ can be used to transform ciphertexts from the data owner to the data user and not vice versa. Also, the

data user is not involved in $RK_{DO \rightarrow DU}$ generation, and, hence, that makes it noninteractive. Moreover, the proxy is not granted the permission to generate a new $RK_{DO \rightarrow DU}$ from existing ones, making the scheme nontransitive. Finally, the scheme exhibits a multiuse property. That is, the proxy can perform re-encryption on an already re-encrypted message multiple times. Realizing that $CT_3$ is just the identity of the data user, the re-encryption protocol can be recursively applied to $CT_3$ by the proxy to allow another data user to recover the original message $m$.

VI. SECURITY PROOF AND ANALYSIS

The security proof and analysis of our scheme are discussed in this section. Furthermore, we outline the attacks that our system can counter.

A. Security Proof

Theorem 6.1. The system is IN DPRID/CPA secure under the DBDH assumption.

Proof: The interaction between the adversary and the challenger is shown in Fig. 4. Consider A to be a p.p.t algorithm with non-negligible advantage  in eIN DPRID/CPA . In order to formulate another algorithm C that has non-negligible advantage in solving the DBDH problem in $G_1, G_2$, A is engaged. C’s input is the tuple $G_1 = \langle g \rangle, g^{u}, g^{v}, g^{w}, J \in G_1^{4} \times G_2$ for which the output will be 1 if $J = e(g, g)^{uvw}$. The interaction between A and C is shown below.

Fig. 4. Structure of IND-CPA security proof.

The random oracle $G_1 \leftarrow H_1 : (0,1)^{*}$ is simulated by C as follows: When an ID query is received, a random number $\theta \rightarrow Z_p^{*}$ is selected and a randomly flipped coin $\eta \rightarrow 1$ with probability $\chi$ is set. Otherwise, $\eta \rightarrow 0$. $h \leftarrow (g^{w})^{\theta}$ when $\eta \rightarrow 0$, else $h \leftarrow g^{\theta}$. The tuple $(ID, h, \theta, \eta)$ is recorded. $h$ is returned as the query result, for which it has a random distribution. C continues to simulate the random oracle $H_2 : G_1 \leftarrow G_2$. It returns random elements in $G_1$.

1) Setup phase: A is given $params = (G_1, H_1, H_2, g, g^{u})$ as generated by C.
2) Find phase: C evaluates $H(ID)$ after A has submitted $(KeyGen, ID)$ to obtain $(ID, h, \theta, \eta)$. A secret key $msk_{ID} = (g^{u})^{\theta}$ belonging to the queried ID is given to A. When A sends the query $(ReKey, ID_{DO}, ID_{DU})$, C selects random numbers $r \xleftarrow{\$} Z_p^{*}$, $x \xleftarrow{\$} G_1$ and $\vartheta \xleftarrow{\$} G_2$ and evaluates $(\eta_1, \theta_1) \leftarrow H_1$ and $(\eta_2, \theta_2) \leftarrow H_2$ for $ID_{DO}$ and $ID_{DU}$, respectively.
a) When $\eta_1 = 0$, A receives $RK_{ID_{DO} \rightarrow ID_{DU}} = ((g^{v})^{r}, J^{r\theta_2} \cdot \vartheta, x)$ from C.
b) When $\eta_1 = 1$, A receives $RK_{ID_{DO} \rightarrow ID_{DU}} = (g^{r}, e(g^{u}, H_1(ID_{DU})^{r}) \cdot \vartheta, (g^{u})^{-\theta_1} \cdot H_2(\vartheta))$ from C.
3) Challenge phase: A outputs $ID^{*}, m_0, m_1$ at the end of the find phase but such that the choice of $ID^{*}$ is not trivial. C selects $\mu \leftarrow (0,1)$ and then recovers $ID^{*}, h, \theta, \eta$ by evaluating $H_1(ID^{*})$. The ciphertext $CT^{*} = \{g^{v}, J^{\theta} \cdot m_{\mu}\}$ is given to A.
4) Guess phase: $(KeyGen, \ldots)$ and $(ReKey, \ldots)$ queries are made by A as in the find phase, except with a restriction on making queries that result in trivial solutions. A outputs its guess $\mu^{*} \in (0,1)$. If any of the following conditions turns out to be false, C terminates the simulation. Else, it outputs 1 if $\mu^{*} = \mu$, or 0 otherwise.
a) The corresponding value of $ID^{*}$, $\eta = 0$.
b) $n_i = 1$, for each $(KeyGen, ID_i)$ query made by A.

For a correctly formed DBDH tuple $\langle g, g^{u}, g^{v}, g^{w}, J \rangle$, the view given by the adversary is identical to the real attack if C does not terminate the simulation. A, therefore, cannot distinguish the simulation since it cannot notice the improperly formed re-encryption keys. The definition of A holds that $|Pb[\mu = \mu^{*}] - \frac{1}{2}| =$  if $CT^{*}$ is a correctly formed ciphertext for the encryption of $m_{\mu}$ under $ID^{*}$ when the DBDH tuple is the input to C. C thus outputs 1 with probability, $|Pb[\mu = \mu^{*}]| =$  $+ \frac{1}{2}$. With a random input to C, $CT^{*}$ is the ciphertext formed for a random element in $G_2$, regardless of C’s choice of $\mu$. The probability becomes $|Pb[\mu = \mu^{*}]| = \frac{1}{2}$. Hence, C has a non-negligible advantage in distinguishing the DBDH tuples.

B. System Security Analysis

In this subsection, we analyze the attacks that our proposed system mitigates.

1) Man-in-the-Middle Attack: Our system is secure against man-in-the-middle (MITM) attacks. MITM attacks get to the certificate authority (CA) to provide the user with forged public keys. This often leads to the decryption of sensitive information. In our system, the blockchain acts as the CA. The public keys of the users are put in published blocks, and the data is distributed over the participating nodes with links to both the previous and following blocks. This makes the public key immutable and it becomes harder for attackers to publish fake keys. Also, there is no single point of failure due to the distribution.

2) Data Tampering: When hackers compromise a system, they inject their own versions of the data into the system. There is no definite way to make sure that the data has not been tampered with if the hash can be compromised and changed. In contrast, our blockchain-based model permits every user to publish a hash associated with a particular data which needs to be protected from tampering. While an attacker might be able to compromise the storage location and tamper with the data, he will not be able to change the hash stored on the blockchain. This will make it known to everyone that the data has been manipulated.

3) Anomaly Attacks: In blockchain-based systems and applications, forks become important with every chance of the evolution of a malicious purpose. Although attacks may happen once within a device, their repetition over time against other devices almost behaves in the same way. In our model, information on previous attacks is collected and blacklisted in order to prevent the attacks on entities that have not been attacked yet.

TABLE II. FUNCTIONAL COMPARISON
TABLE III. COMPUTATION COST COMPARISON

Information collected on forks includes the start time of the fork, detection time of the fork, and the number and type of malicious transactions. These details are propagated in the network to all
the peers.
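The algorithms of Section V-C and their correctness equations can be checked end to end with the following added Python sketch, which is not the authors' jPBC implementation. It assumes a transparent toy bilinear group in which every element is stored as its discrete logarithm, so it is insecure by construction and serves only to verify the algebra; `El`, `rand_zp`, the identities and the message value are constructed for this example.

```python
import hashlib
import secrets
from dataclasses import dataclass

P = 2**61 - 1  # prime order p of G1 and G2 (constructed toy parameter)


@dataclass(frozen=True)
class El:
    """Group element stored as its discrete log: INSECURE, algebra check only."""
    grp: str  # "G1" or "G2"
    x: int    # exponent modulo P

    def __mul__(self, other):
        assert self.grp == other.grp
        return El(self.grp, (self.x + other.x) % P)

    def __truediv__(self, other):
        assert self.grp == other.grp
        return El(self.grp, (self.x - other.x) % P)

    def __pow__(self, k):
        return El(self.grp, (self.x * k) % P)


G = El("G1", 1)  # generator g of G1


def e(a, b):
    """Bilinear map e: G1 x G1 -> G2 with e(g^a, g^b) = e(g, g)^(ab)."""
    assert a.grp == b.grp == "G1"
    return El("G2", (a.x * b.x) % P)


def _hash_to_g1(tag, data):
    digest = hashlib.sha256(tag + data).digest()
    return El("G1", int.from_bytes(digest, "big") % (P - 1) + 1)


def H1(identity):  # H1 maps an identity string into G1
    return _hash_to_g1(b"H1|", identity.encode())


def H2(theta):     # H2 maps an element of G2 into G1
    return _hash_to_g1(b"H2|", theta.x.to_bytes(8, "big"))


def rand_zp():
    return secrets.randbelow(P - 1) + 1  # uniform in Z_p^*


def setup():
    delta = rand_zp()  # master secret delta, held by the TA
    return {"g": G, "g_delta": G ** delta}, delta


def keygen(delta, identity):
    return H1(identity) ** delta  # xk_ID = H1(id)^delta


def enc(params, identity, m):
    r = rand_zp()
    # CT1 = g^r, CT2 = m * e(g^delta, H1(id))^r
    return params["g"] ** r, m * e(params["g_delta"], H1(identity)) ** r


def dec(xk, ct):
    ct1, ct2 = ct
    return ct2 / e(ct1, xk)  # m = CT2 / e(CT1, xk_ID)


def rkgen(params, xk_do, id_du):
    theta = El("G2", rand_zp())
    psi1, psi2 = enc(params, id_du, theta)        # theta encrypted to the data user
    return psi1, psi2, (xk_do ** -1) * H2(theta)  # Psi3 = xk_DO^-1 * H2(theta)


def reenc(rk, ct):
    psi1, psi2, psi3 = rk
    ct1, ct2 = ct
    return ct1, ct2 * e(ct1, psi3), psi1, psi2    # uses only RK and CT


def dec_reenc(xk_du, ct):
    ct1, ct2_new, psi1, psi2 = ct
    theta = dec(xk_du, (psi1, psi2))              # recover theta with xk_DU
    return ct2_new / e(ct1, H2(theta))


def demo():
    params, delta = setup()
    xk_do, xk_du = keygen(delta, "owner@iot"), keygen(delta, "user@iot")
    m = El("G2", 424242)  # constructed message, encoded as a G2 element
    ct = enc(params, "owner@iot", m)
    ct_du = reenc(rkgen(params, xk_do, "user@iot"), ct)
    # owner decrypts, user decrypts after re-encryption, user fails on the original
    return dec(xk_do, ct) == m, dec_reenc(xk_du, ct_du) == m, dec(xk_du, ct) == m


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The third result shows why the proxy step is needed: the data user's key alone does not open a ciphertext encrypted under the owner's identity.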
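The header layout of Section V-B and the check described under Data Tampering, as an added Python example that is not code from the paper. It reads the page's "b" as bytes (as "Their byte length is 4 each" implies), hashes once with SHA-256, and pairs an odd Merkle node with itself; the JSON record format, the `d-001` identifier and the sample ciphertext are constructed assumptions.

```python
import hashlib
import json
import struct

# version(4) | previous block hash(32) | Merkle root(32) | timestamp(4) | target(4) | nonce(4)
HEADER = struct.Struct("<I32s32sIII")
assert HEADER.size == 80
ZERO = b"\x00" * 32


def sha256(data):
    return hashlib.sha256(data).digest()


def merkle_root(leaves):
    """Hash pairs upward to one 32-byte root; an odd node is paired with itself."""
    level = list(leaves) or [ZERO]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def record(d_id, ciphertext):
    """Transaction body: the on-chain hash of a ciphertext stored at the CSP."""
    body = {"dID": d_id, "sha256": sha256(ciphertext).hex()}
    return json.dumps(body, sort_keys=True).encode()


def make_block(prev_header, txs, timestamp, version=1, target=0, nonce=0):
    prev_hash = sha256(prev_header) if prev_header else ZERO
    root = merkle_root([sha256(tx) for tx in txs])
    return HEADER.pack(version, prev_hash, root, timestamp, target, nonce), list(txs)


def first_bad_block(chain):
    """Index of the first block whose hash pointer or Merkle root fails, else -1."""
    prev_header = None
    for i, (header, txs) in enumerate(chain):
        _, prev_hash, root, _, _, _ = HEADER.unpack(header)
        if prev_hash != (sha256(prev_header) if prev_header else ZERO):
            return i
        if root != merkle_root([sha256(tx) for tx in txs]):
            return i
        prev_header = header
    return -1


def ciphertext_matches_chain(chain, d_id, ciphertext):
    """True if the chain is intact and records this ciphertext's hash for d_id."""
    wanted = record(d_id, ciphertext)
    return first_bad_block(chain) == -1 and any(wanted in txs for _, txs in chain)


def build_sample_chain():
    """Three constructed blocks; block 1 records ciphertext b'CT-temperature-log'."""
    bodies = [
        [b"genesis"],
        [record("d-001", b"CT-temperature-log"), b"access-policy"],
        [b"audit-entry"],
    ]
    chain, prev = [], None
    for n, txs in enumerate(bodies):
        block = make_block(prev, txs, timestamp=1_600_000_000 + n)
        chain.append(block)
        prev = block[0]
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print(ciphertext_matches_chain(chain, "d-001", b"CT-temperature-log"))
    print(ciphertext_matches_chain(chain, "d-001", b"CT-temperature-log-TAMPERED"))
```

Changing the ciphertext at the storage location fails the hash comparison, while rewriting the recorded hash breaks that block's Merkle root, and recomputing its header breaks the next block's hash pointer.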

VII. PERFORMANCE EVALUATION


Our performance evaluation is classified into two categories, functional comparison and performance analysis, and they are described in different sections. Our scheme is compared with the schemes in [23]–[25].

In [23], the authors presented a hybrid IBPRE scheme that allowed data that has been encrypted to multiple users to be re-encrypted to one user. It involved two separate techniques: IBBE and IBE. These schemes had different parameters and algorithms but maintained a seamless connection. IBBE was employed for users with powerful computing abilities while IBE was deployed for users with limited computing resources. Nonetheless, both schemes were used to achieve an efficient access control over outsourced data. The authors in [24] discussed the possibility of integrating IBE and IBPRE techniques and a signature scheme into an electronic-health cloud system for efficient data sharing. Basically, the work focused on proposing schemes that would be cost-effective for E-health cloud systems. The novelty of their work was the manner in which they embedded the master secret key in the private key. They analyzed the security of their approach and also showed the performance of their scheme. An ID-based conditional PRE scheme for secure and fine-grained forwarding of encrypted email was proposed by the authors in [25]. In their work, they combined several schemes to achieve chosen ciphertext and identity attack and constructed and proved their model’s security.

A. Functional Comparison

Here, we compare our scheme with the ones in literature in terms of the encrypted data confidentiality, the condition(s) for re-encryption, the achieved security notion and its assumption, and whether the scheme supports decentralization. The results are shown in Table II.

From the table, it is realized that all the schemes use IBE to share encrypted data with (a set of) recipients except [23], which uses IBBE. For the re-encryption technique used, our scheme and the scheme of Shao et al. [25] can achieve re-encryption via a proxy using an access policy and keyword, respectively. However, the schemes presented by Zhou et al. [23] and Wang et al. [24] allow the authorized data user to re-encrypt all the data belonging to the data owner. Our scheme is decentralized in nature due to the use of blockchain, while the other schemes are centralized and rely on only CSPs for data storage and access control. They have the tendency to experience a single point of failure should the computations increase exponentially. From a security point of view, schemes in [23]–[25] are secure against IND-ID-CCA attack, while our scheme is secure against IND-ID-CPA attacks. This is also achieved in [25]. Furthermore, all schemes are based on the DBDH assumption.

B. Performance Analysis

The functional analysis is complemented with an experimental evaluation. Our execution environment was a Windows operating system desktop computer with 3.0 GHz, Intel i7, 16 GB RAM, 1600 MHz DDR3 specifications. We implemented the pairing-based schemes using the jPBC library [45], which is a pairing-based cryptography library for Java. A super-singular curve of the form $y^{2} = x^{3} + 3$ with 3072 b of field size and a group order of 256 b was used. This achieves 128 b of security and is secure against the discrete logarithm problem in $G_1$ and $G_2$. Group-based schemes were also implemented using elliptic curve cryptography over a field of prime order, and the NIST P-256 curve which also provides 128 b of security [46]. We made use of exponentiation and pairing operations for efficiency satisfaction. These are the main operations on which computational costs are based. The results of this analysis are shown in Table III.

Let $T_P$ be the cost of a single pairing operation, $T_E$ be the exponent operation cost, $N$ be the number of users, $T_G$ be the operation in group $G_2$, and $T_M$ be a multiple exponentiation operation cost. Simple multiplication, symmetric encryption and decryption, and hash costs are ignored. Interestingly, there is a great difference in performances of the various schemes. For instance, few exponentiations are needed in our scheme as opposed to the others, which require as much as 4 in [25], 2 in [24], and an infinite number in [23] due to the number of users, $N$. The increase in the exponentiation is due to the fact that there are additional costs incurred in achieving CCA-security.

TABLE IV. EXPERIMENTAL PERFORMANCE IN ms

Fig. 5. Data encryption computation time.
Fig. 6. Data re-encryption computation time.
Fig. 7. Decryption-1 computation time.
Fig. 8. Decryption-2 computation time.

Table IV shows the cost in ms of the operations of the schemes. The figures measured were as a result of the average CPU time of 50 executions for each type of operation. Fig. 5 shows the computation time for data encryption in the various schemes. It can be realized that [23] exhibits a linear growth in its encryption algorithm because it is executed for a group of users using the broadcast encryption method. In contrast, our scheme and those of [24] and [25] show a constant growth because the encryption is meant for an individual user. A similar analysis is given for the re-encryption execution time in Fig. 6. It is worth noting that the high performance of [23] is due to the increasing number of users.

Figs. 7 and 8 reveal the computation times on the user side to decrypt the first- and second-level ciphertexts, respectively. It can be realized that the computation time for the other schemes grows at a faster pace than our scheme. This is reasonable because extra pairing operations are required in both decryption phases for those schemes. Also, CPA schemes have less-sized ciphertexts compared to CCA schemes since the latter involves additional elements such as signature, for the validation of ciphertexts.

In the blockchain simulation, the feasibility of our work was tested on a Hyperledger Fabric blockchain, using Ubuntu 16.04.1 operating system. We utilized Java-based application web3.js in generating transactions in JSON payload to peers. Transaction latency, which is the amount of time it takes for a transaction to be completed and recorded, was simulated. Latency in blockchain networks is a result of the overheads on the flow of messages. In our simulation, the average time it takes for a transaction to be processed by the nodes is the time it takes for the node to receive an order and propagate the transaction through the system components. It was evident that there was a steady, linear increase in the latency as the number of transactions increases. This is shown in Fig. 9. The simulation result provides an insight to system optimizations that can be made to improve the efficiency.

Fig. 9. Transaction latency.

VIII. CONCLUSION

The emergence of the IoT has made data sharing one of its most prominent applications. To guarantee data confidentiality, integrity, and privacy, we propose a secure identity-based PRE data-sharing scheme in a cloud computing environment. Secure data sharing is realized with IBPRE technique, which allows the data owners to store their encrypted data in the cloud and share them with legitimate users efficiently. Due to resource constraints, an edge device serves as the proxy to handle the intensive computations. The scheme also incorporates the features of ICN to proficiently deliver cached content, thereby improving the quality of service and making great use of the network bandwidth. Then, we present a blockchain-based system model that allows for flexible authorization on encrypted data. Fine-grained access control is achieved, and it can help data owners achieve privacy preservation in an adequate way. The analysis and results of the proposed model show how efficient our scheme is, compared to existing schemes.

REFERENCES

[1] A. Al-Fuqaha, M. Guizani, M. Mohammadi, M. Aledhari, and M. Ayyash, “Internet of Things: A survey on enabling technologies, protocols, and applications,” IEEE Commun. Surveys Tut., vol. 17, no. 4, pp. 2347–2376, Oct./Dec. 2015.
[2] M. Blaze, G. Bleumer, and M. Strauss, “Divertible protocols and atomic proxy cryptography,” in Proc. Int. Conf. Theory Appl. Cryptographic Techn., Springer, May 1998, pp. 127–144.
[3] A. Shamir, “Identity-based cryptosystems and signature schemes,” in Proc. Workshop Theory Appl. Cryptographic Techn., Springer, Aug. 1984, pp. 47–53.
[4] D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano, “Public key encryption with keyword search,” in Proc. Int. Conf. Theory Appl. Cryptographic Techn., Springer, May 2004, pp. 506–522.
[5] B. R. Waters, D. Balfanz, G. Durfee, and D. K. Smetters, “Building an encrypted and searchable audit log,” in NDSS, vol. 4. Citeseer, Feb. 2004, pp. 5–6.
[6] D. Balfanz et al., “Secret handshakes from pairing-based key agreements,” in Proc. IEEE, Symp. Secur. Privacy, 2003, pp. 180–196.
[7] R. Canetti, S. Halevi, and J. Katz, “Chosen-ciphertext security from identity-based encryption,” in Proc. Int. Conf. Theory Appl. Cryptographic Techn., Springer, 2004, pp. 207–222.
[8] T. Koponen et al., “A data-oriented (and beyond) network architecture,” in Proc. Conf. Appl., Techn., Architectures, Protoc. Comput. Commun., Aug. 2007, pp. 181–192.
[9] N. Fotiou, P. Nikander, D. Trossen, and G. C. Polyzos, “Developing information networking further: From PSIRP to pursuit,” in Proc. Int. Conf. Broadband Commun., Netw. Syst., Springer, Oct. 2010, pp. 1–13.
[10] C. Dannewitz, J. Golic, B. Ohlman, and B. Ahlgren, “Secure naming for a network of information,” in Proc. INFOCOM IEEE Conf. Comput. Commun. Workshops, 2010, pp. 1–6.
[11] A. Carzaniga, M. J. Rutherford, and A. L. Wolf, “A routing scheme for content-based networking,” in Proc. IEEE INFOCOM 2004, vol. 2, 2004, pp. 918–928.
[12] I. Psaras, W. K. Chai, and G. Pavlou, “Probabilistic in-network caching for information-centric networks,” in Proc. 2nd ed. ICN Workshop Inform.-Centric Netw., Aug. 2012, pp. 55–60.
[13] Y. Sun et al., “Trace-driven analysis of ICN caching algorithms on video-on-demand workloads,” in Proc. 10th ACM Int. Conf. Emerging Netw. Exp. Technol., Dec. 2014, pp. 363–376.
[14] S. Nakamoto, Bitcoin: A Peer-to-Peer Electronic Cash System, vol. 4. Bitcoin.org, 2008. Available: https://bitcoin.org/bitcoin.pdf
[15] S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving secure, scalable, and fine-grained data access control in cloud computing,” in Proc. IEEE INFOCOM, Mar. 2010, pp. 1–9.
[16] N. Park, “Secure data access control scheme using type-based re-encryption in cloud environment,” in Semantic Methods Knowledge Management and Communications. Berlin, Germany: Springer, 2011, pp. 319–327.
[17] G. Wang, Q. Liu, J. Wu, and M. Guo, “Hierarchical attribute-based encryption and scalable user revocation for sharing data in cloud servers,” Comput. Secur., vol. 30, no. 5, pp. 320–331, Jul. 2011.
[18] J. Hur, “Improving security and efficiency in attribute-based data sharing,” IEEE Trans. Knowl. Data Eng., vol. 25, no. 10, pp. 2271–2282, Apr. 2011.
[19] P. K. Tysowski and M. A. Hasan, “Hybrid attribute-and re-encryption-based key management for secure and scalable mobile applications in clouds,” IEEE Trans. Cloud Comput., vol. 1, no. 2, pp. 172–186, Nov. 2013.
[20] Q. Liu, G. Wang, and J. Wu, “Time-based proxy re-encryption scheme for secure data sharing in a cloud environment,” Inform. Sci., vol. 258, pp. 355–370, Feb. 2014.
[21] J. Han, W. Susilo, and Y. Mu, “Identity-based data storage in cloud computing,” Future Gener. Comput. Syst., vol. 29, no. 3, pp. 673–681, Mar. 2013.
[22] H.-Y. Lin, J. Kubiatowicz, and W.-G. Tzeng, “A secure fine-grained access control mechanism for networked storage systems,” in Proc. IEEE 6th Int. Conf. Softw. Secur. Rel., Jun. 2012, pp. 225–234.
[23] Y. Zhou et al., “Identity-based proxy re-encryption version 2: Making mobile access easy in cloud,” Future Gener. Comput. Syst., vol. 62, pp. 128–139, Sep. 2016.
[24] X. A. Wang, J. Ma, F. Xhafa, M. Zhang, and X. Luo, “Cost-effective secure e-health cloud system using identity based cryptographic techniques,” Future Gener. Comput. Syst., vol. 67, pp. 242–254, Feb. 2017.
[25] J. Shao, G. Wei, Y. Ling, and M. Xie, “Identity-based conditional proxy re-encryption,” in Proc. IEEE Int. Conf. Commun., Jun. 2011, pp. 1–5.
[26] K. O. B. Obour Agyekum et al., “A secured proxy-based data sharing module in IoT environments using blockchain,” Sensors, vol. 19, no. 5, Jan. 2019, Art. no. 1235.
[27] G. Zyskind et al., “Decentralizing privacy: Using blockchain to protect personal data,” in Proc. IEEE Secur. Privacy Workshops, May 2015, pp. 180–184.
[28] D. D. F. Maesa, P. Mori, and L. Ricci, “Blockchain based access control,” in Proc. IFIP Int. Conf. Distributed Appl. Interoperable Syst., Springer, Jun. 2017, pp. 206–220.
[29] K. Fan, Y. Ren, Y. Wang, H. Li, and Y. Yang, “Blockchain-based efficient privacy preserving and data sharing scheme of content-centric network in 5G,” IET Commun., vol. 12, no. 5, pp. 527–532, Mar. 2018.
[30] M. Singh and S. Kim, “Branch based blockchain technology in intelligent vehicle,” Comput. Netw., vol. 145, pp. 219–231, Nov. 2018.
[31] R. S. Da Silva and S. D. Zorzo, “An access control mechanism to ensure privacy in named data networking using attribute-based encryption with immediate revocation of privileges,” in Proc. 12th Annu. IEEE Consum. Commun. Netw. Conf., Jan. 2015, pp. 128–133.
[32] B. Li, D. Huang, Z. Wang, and Y. Zhu, “Attribute-based access control for ICN naming scheme,” IEEE Trans. Dependable Secure Comput., vol. 15, no. 2, pp. 194–206, Apr. 2016.
[33] S. Misra et al., “Accconf: An access control framework for leveraging in-network cached data in the ICN-enabled wireless edge,” IEEE Trans. Dependable Secure Comput., vol. 16, no. 1, pp. 5–17, Feb. 2017.
[34] E. G. AbdAllah, M. Zulkernine, and H. S. Hassanein, “DACPI: A decentralized access control protocol for information centric networking,” in Proc. IEEE Int. Conf. Commun., May 2016, pp. 1–6.
[35] Y. Zhang, R. H. Deng, D. Zheng, J. Li, P. Wu, and J. Cao, “Efficient and robust certificateless signature for data crowdsensing in cloud-assisted industrial IoT,” IEEE Trans. Ind. Inform., vol. 15, no. 9, pp. 5099–5108, Jan. 2019.
[36] J.-S. Fu, Y. Liu, H.-C. Chao, B. K. Bhargava, and Z.-J. Zhang, “Secure data storage and searching for industrial IoT by integrating fog computing and cloud computing,” IEEE Trans. Ind. Inform., vol. 14, no. 10, pp. 4519–4528, Jan. 2018.
[37] M. Ma, D. He, N. Kumar, K.-K. R. Choo, and J. Chen, “Certificateless searchable public key encryption scheme for industrial Internet of Things,” IEEE Trans. Ind. Inform., vol. 14, no. 2, pp. 759–767, May 2017.
[38] Z. Wei, J. Li, X. Wang, and C.-Z. Gao, “A lightweight privacy-preserving protocol for VANETs based on secure outsourcing computing,” IEEE Access, vol. 7, pp. 62785–62793, 2019.
[39] Y. Zhang, D. Zheng, and R. H. Deng, “Security and privacy in smart health: Efficient policy-hiding attribute-based access control,” IEEE Internet Things J., vol. 5, no. 3, pp. 2130–2145, Apr. 2018.
[40] L. Zhang, Q. Wu, Y. Mu, and J. Zhang, “Privacy-preserving and secure sharing of PHR in the cloud,” J. Med. Syst., vol. 40, no. 12, pp. 1–13, Dec. 2016.

Emmanuel Boateng Sifah received the B.Sc. degree in telecommunications engineering from Ghana Technology University College, Accra, Ghana, in 2014 and the M.Eng. degree in computer science and technology in 2017, from the School of Computer Science and Engineering, University of Electronic Science and Technology of China (UESTC), Chengdu, China, where he is currently working toward the Ph.D. degree in computer science and technology.
His current research interests include blockchain technology and its application and big data security and privacy.

Christian Nii Aflah Cobblah received the B.Sc. degree in information science from the University of Ghana, Accra, Ghana, in 2014, and the M.Eng. degree in computer science and technology, in 2019 from the University of Electronic Science and Technology of China (UESTC), Chengdu, China, where he is currently working toward the Ph.D. degree in computer science.
His current research includes blockchain technology and applications, named data networking, and IoT security and privacy.

Kwame Opuni-Boachie Obour Agyekum received the B.Sc. degree in telecommunications engineering from Kwame Nkrumah University of Science and Technology, Kumasi, Ghana, in 2014, and the M.Eng. degree in communication and information engineering in 2017, from the University of Electronic Science and Technology of China (UESTC), Chengdu, China, where he is currently working toward the Ph.D. degree in computer science and technology.
His research interests include blockchain technology and its application, data and network security and privacy, and wireless communication.

Hu Xia received the Ph.D. degree from the University of Electronic Science and Technology of China, Chengdu, China, in 2012.
He was a Visiting Scholar with the University of Minnesota, Twin Cities, MN, USA, from 2010 to 2011. He is currently an Associate Research Fellow with University of Electronic Science and Technology of China.

Qi Xia received the B.Sc., M.Sc., and Ph.D. degrees in computer science from the University of Electronic Science and Technology of China (UESTC), Chengdu, China, in 2002, 2006, and 2010, respectively.
She is a Professor with the UESTC. She is currently the Deputy Director of the Cyberspace Security Research Centre, the Executive Director of the Blockchain Research Institute, the Executive Director of the Big Data Sharing and Security Engineering Laboratory of Sichuan province, and a Chief Scientist with YoueData Company Limited. She serves as the Principal Investigator of the National Key Research and Development Program of China in Cyber Security and has overseen the completion of more than 30 high profile projects. She was a Visiting Scholar with the University of Pennsylvania (UPenn), Philadelphia, PA, USA, from 2013 to 2014. She has authored or coauthored more than 40 academic papers. Her research interests include network security technology and its application, big data security, and blockchain technology and its application.
Dr. Xia has won the second place at the National Scientific and Technological Progress Awards in 2012. She is a member of the CCF blockchain committee.

Jianbin Gao received the Ph.D. degree in computer science from the University of Electronic Science and Technology of China (UESTC), Chengdu, China, in 2012.
He was a Visiting Scholar with the University of Pennsylvania, Philadelphia, PA, USA, from 2009 to 2011. He is currently an Associate Professor with UESTC.
