A Blockchain-Enabled Multi-Authority Secure IoT Data-Sharing Scheme with Attribute-Based Searchable Encryption for Intelligent Systems

Abstract

With the advancement of technologies such as 5G, digital twins, and edge computing, the Internet of Things (IoT) as a critical component of intelligent systems is profoundly driving the transformation of various industries toward digitalization and intelligence. However, the exponential growth of network connection nodes has expanded the attack exposure surface of IoT devices. The IoT devices with limited storage and computing resources struggle to cope with new types of attacks, and IoT devices lack mature authorization and authentication mechanisms. It is difficult for traditional data-sharing solutions to meet the security requirements of cloud-based shared data. Therefore, this paper proposes a blockchain-based multi-authority IoT data-sharing scheme with attribute-based searchable encryption for intelligent system (BM-ABSE), aiming to address the security, efficiency, and verifiability issues of data sharing in an IoT environment. Our scheme decentralizes management responsibilities through a multi-authority mechanism to avoid the risk of single-point failure. By utilizing the immutability and smart contract function of blockchain, this scheme can ensure data integrity and the reliability of search results. Meanwhile, some decryption computing tasks are outsourced to the cloud to reduce the computing burden on IoT devices. Our scheme meets the static security and IND-CKA security requirements of the standard model, as demonstrated by theoretical analysis, which effectively defends against the stealing or tampering of ciphertexts and keywords by attackers. Experimental simulation results indicate that the scheme has excellent computational efficiency on resource-constrained IoT devices, with core algorithm execution time maintained in milliseconds, and as the number of attributes increases, it has a controllable performance overhead.

1. Introduction

With the deep integration and rapid development of technologies such as artificial intelligence, big data, and cloud computing, intelligent systems have become the core driving force for the new round of technological revolution and industrial transformation. By simulating human cognition and decision-making processes, intelligent systems achieve perception, analysis, learning, and autonomous responses to complex environments, and they are widely applied in intelligent manufacturing, smart healthcare, intelligent transportation, and other fields. As the “senses” and “nerve endings” of intelligent systems, the Internet of Things (IoT) undertakes the key functions of real-time data collection, device interconnection, and edge control, serving as the fundamental infrastructure for the deep integration of the physical world and the information space. The evolution of IoT technology has greatly enhanced the perception capabilities and coverage of intelligent systems. As a vast and complex ecosystem, the IoT encompasses multiple dimensions, ranging from hardware devices to software platforms, and from data collection to intelligent analysis. With its remarkable convenience, powerful integration, and flexible scalability, the IoT demonstrates unique advantages [1]. With the acceleration of digital transformation, the IoT has been extensively implemented in various sectors, including telemedicine, smart communities, and the Internet of Vehicles (IoV). It not only significantly improves the operational efficiency and service quality of various industries but also accelerates the digital technological transformation of society to a certain extent [2].

According to the GSMA, the global scale of IoT connections will surpass the 6.3 billion recorded in 2017, reaching a staggering 25.2 billion [3]. The exponential growth of network connection nodes has expanded the attack exposure of IoT devices, and security issues at the device end need to be urgently addressed. To reduce costs and power consumption, IoT terminal devices are typically equipped with weak computing capabilities and low levels of intelligence, making it difficult for them to perform complex data encryption operations. Meanwhile, IoT devices have a long life cycle, and many of them have stopped updating, leaving limited room for upgrades. In this scenario, complex security policies are challenging to implement on a significant number of low-power devices due to their limited computing and storage capabilities and lack of the ability to deal with new types of attacks. A report shows that 98% of IoT endpoints transmit data without encryption, and 83% of medical imaging devices in the United States have discontinued security updates. In addition, many IoT devices transmit data in plain text and lack mature authorization and authentication mechanisms, which can easily lead to data leakage and unauthorized access. However, assigning complex computing tasks to edge computing devices can also trigger data security risks and threaten user privacy. Without compromising control over data, the cloud server must store and process the vast distributed data collected from the sensors involved in the intelligent system, and it is difficult for traditional data-sharing solutions to meet its security requirements [4].

Attribute-based encryption (ABE) technology ensures data confidentiality while also enabling data owners to formulate flexible access control policies. However, relying on a single attribute authority may encounter performance limitations and the risk associated with having a single point of failure. Therefore, we design a multi-authority attribute-based encryption method to enhance the system’s reliability and flexibility. In addition, considering that cloud computing platforms typically provide computing and storage services to multiple users, the issue of how to quickly retrieve the required data from massive data needs to be addressed. For this reason, we suggest a searchable encryption scheme that is attribute-based to enhance the efficacy of information retrieval. In the current cloud computing environment, IoT data are at risk of tampering and misuse. To safeguard the credibility of search outcomes and the integrity of data, we implement blockchain technology. The immutability and transparency of blockchain provide a strong guarantee for data integrity, while the smart contract function can automatically execute and verify data operations.

In summary, we present a blockchain-based multi-authority IoT data-sharing scheme using attribute-based searchable encryption for intelligent systems (BM-ABSE). In this scheme, individuals with constrained resources can delegate the decryption tasks to a cloud computing platform by using the attribute decryption key, thereby reducing their own computational burden to adapt to the resource-constrained computing environment. The hash values derived from plaintext data will be recorded on the blockchain for easily verifying the computation results of the cloud platform. Moreover, the alignment procedure between search trapdoors and indexes is executed via smart contracts, providing a guarantee for the credibility of search results of ciphertext data. The proposal in the paper aims to achieve a safe, reliable, and efficient data-sharing environment for the IoT, highlighting the following major contributions:

• We propose a multi-authority attribute-based encryption scheme, BM-ABSE, employing LSSS. By decentralizing management responsibilities, it enhances the reliability and flexibility of the system, prevents system paralysis caused by the failure of a single administrator, and strengthens the robustness of the system.
• We adopt blockchain to replace the trusted certificate authority (CA) in traditional CP-ABSE, establishing a trustless collaborative mechanism between blockchain and attribute-based encryption. This approach eliminates reliance on a single center authorization and solves the challenge of rapidly locating required information in massive encrypted data. By automatically executing and verifying data operations through smart data, we effectively guard against malicious behaviors of cloud servers, thereby enhancing the reliability of ciphertext search.
• We conduct a thorough security analysis and formally prove that the proposed scheme achieves static security and indistinguishable under chosen keyword attack (IND-CKA) in the random oracle model. In addition, in the performance evaluation and simulation experiments, we employ three elliptic curves to achieve different security levels, analyzing and confirming the reliability and efficiency of our scheme.

The subsequent sections of this work are organized as follows: Section 2 analyzes the related work. Section 3 presents the theoretical foundations of adopted cryptography and definitions of relevant notations used in this paper. Section 4 presents the system overview, threat model, and security definitions. In Section 5, our proposed scheme is elucidated in depth. A comprehensive security analysis of our methodology is presented in Section 6. Section 7 discusses the performance evaluation and simulation experiments of the system. Ultimately, we conclude the paper in Section 8.

2. Related Work

2.1. ABE-Based Searchable Encryption

In the environment of IoT and cloud computing, a rising volume of enterprise and user data is uploaded to cloud servers. However, these data and associated resources in cloud computing rely on unreliable network communication and semi-trusted cloud storage services [5]. To guarantee the security of information, a current efficient method involves the data owner encrypting the data before uploading it to server, while the data user decrypts it when needed.

Searchable encryption (SE) technology is developed to enable data users to have control over ciphertexts in cloud storage, that is, to search encrypted data without decrypting it. Boneh et al. developed the public key encryption with keyword search (PEKS) scheme [6]. Ref. [7] presented a forward secure searchable symmetric encryption (FSE) scheme using only symmetric cryptography, which supports dynamic file insertion and deletion, guarantees forward privacy protection, achieves sublinear search complexity, and attains partial backward privacy through a space reclamation mechanism after deletion. Li et al. designed a lightweight encrypted phrase search scheme (LPSSE) that can efficiently accomplish the phrase search in encrypted documents in the cloud through only one round of interaction, taking into account both lightweight and non-adaptive security [8]. Caldarola et al. proposed a consensus protocol that balances privacy, fairness, and efficiency, utilizing neural networks, elliptic curve cryptography (ECC), and verifiable cryptographic lotteries (VCLs) to achieve fair node selection and privacy protection [9]. However, fine-grained access control in multi-user settings cannot be realized using traditional public key cryptography and a symmetric cryptosystem.

To realize fine-grained access control and efficient search capabilities while simultaneously guaranteeing data privacy and confidentiality, researchers have introduced attribute-based searchable encryption approaches that integrate the concepts of ABE. Khader systematically defined attribute-based searchable encryption (ABSE) primitive, which integrates the concept of ABE into public-key searchable encryption (PKSE), allowing the sender to control both decryption and search permissions with attribute policies [10]. Zheng et al. initially presented the verifiable attribute-based keyword search (ABKS) method, allowing authorized users to authenticate the accuracy of cloud-returned results after conducting keyword searches on encrypted data stored in the cloud, all without needing to interact with the data owner [11].

In recent years, driven by the dual imperatives of data security and searchability, the application of ABSE schemes in industrial IoT devices has gained significant momentum. Ali et al. proposed a verifiable online/offline multi-keyword search (VMKS) approach, which enables resource-constrained IIoT nodes to conduct fine-grained, thresholded keyword searches in the cloud and verify results correctness without downloading the entire dataset, thus balancing efficiency and security [12]. For industrial IoT, Zhou et al. designed a device-oriented keyword searchable encryption (Do-KSE) scheme to realize “device-centric” rather than “user-centric” data localization and status monitoring [13]. Yin et al. embedded access policies within encrypted inverted indexes to achieve fine-grained keyword retrieval authority control for ciphertext data in cloud-assisted IIoT scenarios [14]. Nevertheless, the ABSE schemes that are currently in place are dependent on a single authority to issue keys and policies, which leads to risks of single-point failure and cross-domain mutual exclusion and also make it difficult to meet the demand of large-scale data sharing in the IoT. We introduce an IoT data-sharing scheme called BM-ABSE to address this issue, which delivers dynamic access control and a verifiable fine-grained keyword search.

2.2. Multi-Authority Attribute-Based Encryption

In single-authority ABE approaches, the key distribution work is entirely undertaken by a sole CA. When the user scale or attribute dimension expands dramatically, the computing and communication load that CA needs to complete increases exponentially, making it a critical performance bottleneck. Moreover, the system security must be forced to build on the assumption that the CA is unconditionally trustworthy. Once the CA is compromised or malicious, it can arbitrarily forge user keys, tamper with access policies, and even decrypt all the historical ciphertexts offline through the global master key, thereby triggering a disaster of key escrow and a single point of failure. Conversely, in a multi-authority ABE (MA-ABE) system, the attribute space is split into several mutually invisible subsets according to the domain or organizational boundaries. Each attribute authority independently governs its own master key and attribute private key fragments within its domain. The attributes are managed by autonomous attribute authorities, and the collusion of one or more attribute authorities cannot undermine the security of the entire system. In real-world scenarios, different organizations need to apply different strategies to share information; for example, hospitals belong to different legal entities, cloud service providers have separate compliance domains, and equipment vendors maintain independent identity repositories. A single authorization authority cannot satisfy the governance requirements of “each governing its own attributes, policies can be cross-domain”. Consequently, multiple authorization authorities are needed to control the attributes of all users separately, and constructing a secure and reliable MA-ABE system is the key to solving the above problems.

To mitigate the inherent constraints of a singular authority on efficacy and reliability, the development of MA-ABE can be characterized as a progression through four paradigms: centralized, weakly decentralized, fully decentralized, and on-chain governance. The corresponding core contradiction is the degree of decentralization, security, functionality, and governance cost. In 2007, Chase implemented the first MA-ABE scheme, where a central authority is tasked with creating public and private keys for various attribute authorities, while the latter distribute keys and manage attributes [15]. Compared with the single-authority scheme, resisting collusion among users becomes more challenging. Chase introduced a global identity (GID) for each user, binding private keys tightly to GID so that colluding users still cannot decrypt ciphertexts. However, malicious authorities in this scheme can trace users’ GIDs to aggregate their attributes, thus violating users’ privacy. In 2009, Chase et al. presented an MA-ABE scheme without a centralized authorization center, which eliminates the need for a reliable central authority through the use of a distributed pseudo-random function (PRF) [16]. In particular, the user obtain its private key by using an anonymous key distribution protocol, during which the authorities are unable to obtain any relevant information regarding user’s GID, thus resolving the privacy preservation issue. Liu et al. constructed the first MA-ABE model without a central authorization center under the standard model [17]. In their scheme, the system must be initialized by a combination of authorities during the setup phase. In addition, if an attribute needs to be added to the system, multiple authorities must collaborate to reconfigure the system. Lewko et al. developed an MA-ABE approach within the random oracle model using composite-order bilinear groups [18]. This scheme supports monotone span programs but is restricted to the attribute of a small universe, indicating that the quantity of attributes in the system is directly proportional to the magnitude of the public parameters.

At present, MA-ABE has been widely implemented in the realm of cloud and edge computing. Zhou et al. introduced a multi-authority CP-ABE access control framework for multi-cloud storage environments [19]. By introducing an attribute mapping mechanism, it resolves cross-cloud policy conflicts and achieves decentralized and semantically consistent fine-grained data sharing. However, the scheme still relies on a centralized cloud service broker (CSB) as the global root of trust, which fails to completely eliminate the risks of single points of failure and privacy leakage. Huang designed a multi-authority CP-ABE scheme for a large attribute domain environment in edge computing that combines an offline reusable ciphertext pool and online lightweight encryption with outsourced decryption by an edge server, reducing decryption and encryption overhead on the user side to a single exponential operation while preserving static security and high efficiency for resource-constrained IoT devices [20]. Guo et al. demonstrated a multi-authority CP-ABE method without a pairing operation, which leverages the construction of an elliptic curve discrete logarithm and cloud-edge outsourcing to compress terminal encryption and decryption overhead to a constant number of exponential operations, simultaneously achieving fine-grained policy, collusion resistance, and lightweight performance [21].

3. Preliminary

This section provides an overview of the fundamental cryptographic building blocks. The symbols employed in our paper are illustrated in

Table 1. The symbols employed throughout this paper and their corresponding definitions.

Notation	Definition
$PP$	Public parameters
$GID$	Global identifiers
$AID$	Identifiers of attribute authorities
$UID$	Identifiers of data user and data owner
U	Attribute universe
S	Attribute set
$S_{uid,aid}$	Attribute set managed by the attribute authority $aid$ belongs to the data user $uid$
$MP{K}_{\theta },MS{K}_{\theta }$	Master secret key pair of authority $\theta$
$AD{K}_{uid,aid}$	Attribute decryption key for user $uid$ from authority $aid$
$CT$	Ciphertext of the IoT data
$Addr$	Storage address
$I_{dx}$	Data index
$Td$	Search trapdoor generated by data user
$SCT$	Semi-decrypted ciphertext generated by cloud
$(\mathbb{A},\delta )$	The data access policy
$\delta \left(x\right)$	A function that maps a row of matrix $\mathbb{A}$ to an attribute
$\rho \left(x\right)$	A function that maps a row of matrix $\mathbb{A}$ to an attribute authority
$N_u$	The quantity of user attributes
k	The quantity of attributes in the access policy
$d,d^{\prime }$	The quantities of keywords derived from the plaintext and contained in search trapdoor
$E,P$	The exponential operations on groups and bilinear pairing operations
$\left|\mathbb{G}\right|,|{\mathbb{G}}_T|,|{\mathbb{Z}}_p|$	The lengths of elements in group $\mathbb{G}$, ${\mathbb{G}}_T$ and ${\mathbb{Z}}_p$

.

3.1. Bilinear Pairing

The bilinear pairing maps two group elements from an elliptic curve group to an element in a multiplicative group while preserving their isomorphic properties. The scheme in this paper is theoretically based on symmetric bilinear pairings, which are denoted as $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$, where $\mathbb{G}$ and ${\mathbb{G}}_T$ are cyclic groups of prime order p. With the generators $(u,v)$ of $\mathbb{G}$, the bilinear pairing has the following properties:

• Bilinearity: For all $u,v\in \mathbb{G}$ and $a,b\in {\mathbb{Z}}_p$, it holds that $e(u^a,v^b)=e{(u,v)}^{ab}$, where ${\mathbb{Z}}_p=\{0,1,2,\dots ,p-1\}$;
• Non-degeneracy: If $e(u,v)=1$, then either $u=1$ or $v=1$;
• Computability: For any $u,v\in \mathbb{G}$, an efficient algorithm exists to compute $e(u,v)$.

3.2. Access Structure

Let a set of participants be $P=\{p_1,p_2,\dots ,p_n\}$, where each $p_i$ represents a user or entity in the system. A set $\mathbb{C}\subseteq 2^P$ is monotonic when it satisfies the following: for any two sets $\mathbb{X}$ and $\mathbb{Y}$, if $\mathbb{X}\in \mathbb{C}$ and $\mathbb{X}\subseteq \mathbb{Y}$, then $\mathbb{Y}\in \mathbb{C}$.

Definition 1.

A monotone access structure is defined as $\mathbb{C}\subseteq 2^P\setminus \{\varnothing \}$; that is, $\mathbb{C}$ includes all non-empty subsets of P. This guarantees that every set in $\mathbb{C}$ contains at least one participant, thus avoiding the special case of an empty set. The sets in $\mathbb{C}$ are called authorized sets. Otherwise, they are called unauthorized sets.

3.3. Linear Secret Sharing Scheme

Assume that $\mathbb{P}=\{P_1,P_2,\dots ,P_n\}$ is a set of participants. A secret sharing scheme $\mathrm{\Pi }$ on $\mathbb{P}$ is linear if and only if the following two conditions are satisfied:

• The secret shares s held by all participants can form a vector on ${\mathbb{Z}}_p$.
• There exists a secret share generation matrix ${\mathbb{M}}_{l\times n}$; each row ${\mathbb{M}}_i$ of the matrix can be mapped to a participant $p_i$ through a function $\rho \left(i\right)$. Define a vector $\mathbf{v}=(s,v_2,\dots ,v_n)$, where $s\in {\mathbb{Z}}_p$ is the secret value to be shared, and $v_2,\dots ,v_n$ are randomly selected from ${\mathbb{Z}}_p$. The secret share of s on each row of the secret generation matrix can be represented as ${\phi }_i={\mathbb{M}}_i·\mathbf{v}$; that is, the secret share held by each participant $\rho \left(i\right)$ is ${\phi }_i$.

The linear secret sharing scheme (LSSS) features linear reconfiguration. Suppose that an LSSS $\mathrm{\Pi }$ represents an access structure, let $\mathbb{S}\subseteq \mathbb{P}$ represent an authorized attribute set, and the index set $I\subset \{1,\dots ,l\}$ is defined as $I=\{i:\rho (i)\in \mathbb{S}\}$. Based on linear reconstruction properties, there exists a collection of constants ${\{{\omega }_i\in {\mathbb{Z}}_p\}}_{i\in I}$, such that $s={\sum }_{i\in I}{\omega }_i{\phi }_i$. Moreover, these constants can be determined in polynomial time. For each unlawful set, it is infeasible to identify a set of constants that fulfill the criterion.

4. System Overview and Security Requirements

4.1. System Model

The BM-ABSE consists of several roles: the central trusted authority, a set of attribute authorities, the data user, the data owner, and the cloud computing platform. The central trusted authority is a completely trusted entity that is responsible for the system initialization and the establishment of public parameters, while attribute authorities oversee separate sets of attributes and create corresponding attribute-related keys. The system model is depicted in Figure 1.

4.2. Threat Model

Our threat model assumes the reliability of attribute authorities and distributes attribute decryption keys to authenticated individuals through secure channels. IoT data users might be interested in the ciphertexts stored on the chain and may collude with unauthorized parties to obtain plaintext information. To evaluate the security of the proposed approach, we describe two categories of attackers:

• The initial kind seeks to cooperate by employing their secret keys to decode material that they are unable to decrypt independently.
• The second kind of adversary concentrates on differentiating among various ciphertexts.

4.3. Security Requirements

4.3.1. Static Security

The static security model is utilized to demonstrate the security of the scheme that supports the setting of a multi-attribute authority. Even if attackers can select and corrupt a certain number of attribute authorities after obtaining the public parameters, the encrypted data will not provide them with any further information regarding the plaintext. In this model, the attacker is permitted to corrupt a certain quantity of attribute authorities following the acquisition of the public parameters, and the chosen authorities remain unchanged until the end of the security game. The attacker’s queries are forwarded to the challenger right after receiving the public parameters. Under the static security model, if the advantage of any probabilistic polynomial-time (PPT) attacker $\mathcal{A}$ in the following security game with challenger $\mathcal{C}$ is negligible, then the BM-ABSE scheme is considered static secure.

• Init: The challenger $\mathcal{C}$ runs the $Initialization$ to create public parameters $PP$ and translates them to $\mathcal{A}$.
• Query: First, a group of compromised attribute authorities is specified by $\mathcal{A}$, which is denoted as $C_{AAs}\subseteq AID$. Afterward, the following queries are executed by $\mathcal{A}$:

  (a)

  $\mathcal{A}$ specifies a set of uncompromised attribute authorities, denoted as $N_{AAs}$, and queries the public keys $MP{K}_{\theta }$ of this authorities, where $C_{AAs}\cap N_{AAs}=\varnothing$.

  (b)

  $\mathcal{A}$ submits an attribute set $\{uid,S_{uid}\}$ to $\mathcal{C}$, in which it is required that this set must not be under the control of the compromised attribute authorities. Then, $\mathcal{A}$ queries the attribute decryption key $AD{K}_{uid,aid}$ of $S_{uid}$.

  (c)

  $\mathcal{A}$ presents two plaintexts $m_0,m_1\in {\mathbb{G}}_T$ of the same length along with an access structure $({\mathbb{A}}^{\ast },{\delta }^{\ast })$ to $\mathcal{C}$.

• Response: $\mathcal{C}$ selects a random plaintext $m_b,b\in \{0,1\}$, and replies to $\mathcal{A}$’s queries according to the following process:

  (a)

  $\mathcal{C}$ executes the $AuthSetup$ to return the public key $MP{K}_{\theta }$ of an uncompromised attribute authority.

  (b)

  $\mathcal{C}$ executes the $ADKGen$ to return the attribute decryption key $AD{K}_{uid,aid}$ corresponding to the attribute set $\{uid,S_{uid}\}$.

  (c)

  $\mathcal{C}$ executes $DataEncrypt$ to return the ciphertext $C{T}^{\ast }$ of $m_b$.

• Guess: $\mathcal{A}$ produces its guess $b^{\prime }\in \{0,1\}$. The probability advantage of $\mathcal{A}$ to guess correctly is defined as

  $$Ad{v}_{\mathcal{A}}^{static}\left(1^{\theta }\right)=|2Pr[b^{\prime }=b]-1|.$$

  (1)

4.3.2. IND-CKA Security

This security model is used to evaluate whether an attacker can distinguish different ciphertexts under a chosen keyword attack. Even if attackers can select specific keywords and obtain the corresponding ciphertext, they are unable to acquire any supplementary information regarding the keywords from it. Under the IND-CKA security model, the BM-ABSE scheme is deemed IND-CKA secure if the advantage of any probabilistic polynomial-time (PPT) adversary $\mathcal{A}$ in the subsequent security game with challenger $\mathcal{C}$ is insignificant.

• Init: The $Initialization$ is executed by the challenger $\mathcal{C}$ to produce public parameters $PP$, which are then transmitted to $\mathcal{A}$.
• Phase 1: $\mathcal{A}$ submits a set of keywords and issues a search trapdoor query to $\mathcal{C}$. $\mathcal{C}$ executes the $TrapGen$ to output the search trapdoor $Td$ and transmits it to $\mathcal{A}$.
• Challenge: $\mathcal{A}$ randomly selects two keywords of the same length $k{w}_0,k{w}_1$ and submits them to $\mathcal{C}$. In Challenge, keywords that were submitted in Phase 1 are not permitted. The $KeywordEncrypt$ function is executed by $\mathcal{C}$ to arbitrarily encrypt one of the keywords $k{w}_b,b\in \{0,1\}$, and it sends the data index $I_{dx}$ back to A.
• Phase 2: $\mathcal{A}$ can issue any of the queries from Phase 1; the keywords that were submitted in the Challenge are not eligible for submission.
• Guess: $\mathcal{A}$ generates its estimate of $b^{\prime }\in \{0,1\}$. The ability of $\mathcal{A}$ to accurately predict is defined as

  $$Ad{v}_{\mathcal{A}}^{IND-CKA}\left(1^{\theta }\right)=|2Pr[b^{\prime }=b]-1|.$$

  (2)

5. Details of Our Proposed Scheme

5.1. System Initialization

• $Initialization\left(1^{\lambda }\right)\to PP$: The central trusted authority selects two cyclic groups $\mathbb{G}$ and ${\mathbb{G}}_T$ of prime order p with $g\in \mathbb{G}$ as a generator of group $\mathbb{G}$. Then, it creates a bilinear map $\widehat{e}:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$ and chooses three hash functions $H:{\{0,1\}}^{\ast }\to {\mathbb{Z}}_p^{\ast }$, $H_0:GID\to \mathbb{G}$, and $H_1:U\to \mathbb{G}$. Randomly select an element $\gamma \in {\mathbb{Z}}_p^{\ast }$ and establish $PP=\{\widehat{e},\mathbb{G},{\mathbb{G}}_T,g,g^{\gamma },p,H,H_0,H_1\}$.
• $AuthSetup(PP,\theta )\to (MP{K}_{\theta },MS{K}_{\theta })$: Each attribute authority with a unique identifier $\theta$ manages a disjoint set of attributes. It randomly selects two exponents ${\alpha }_{\theta },{\beta }_{\theta }\in {\mathbb{Z}}_p^{\ast }$ and generates the master secret key pair:

  $$MP{K}_{\theta }=\{\widehat{e}{(g,g)}^{{\alpha }_{\theta }},g^{{\alpha }_{\theta }},g^{{\beta }_{\theta }}\},MS{K}_{\theta }=\{{\alpha }_{\theta },{\beta }_{\theta }\}.$$

  (3)
• $IdKeyGen\left(PP\right)\to (P{K}_{\ast },S{K}_{\ast })$: Every data user with a unique identifier $uid$ or data owner with $oid$ executes this process to generate a pair of keys. The algorithm randomly selects $z_{\ast }\in {\mathbb{Z}}_p^{\ast }$ and computes $g^{z_{\ast }}$ where ∗ stands for $uid$ or $oid$. Then, we output the key pair for the data owner or data user:

  $$P{K}_{\ast }=g^{z_{\ast }},S{K}_{\ast }=z_{\ast }.$$

  (4)
  Using the data user’s public key $P{K}_{uid}$ and identifier $uid$, the central trusted authority assigns an attribute set $S_{uid}$ and issues a blockchain transaction $T{x}_{reg}=\{uid,S_{uid},Timestamp\}$.
• $ADKGen(PP,MS{K}_{\theta },P{K}_{uid},S_{uid,aid})\to AD{K}_{uid,aid}$: After the data user is successfully registered, each attribute authority runs this process to produce attribute decryption key $AD{K}_{uid,aid}$ for the attributes it manages. For each attribute $at{t}_i\in S_{uid,aid}$, the attribute authority randomly selects $t\in {\mathbb{Z}}_p^{\ast }$ and calculates

  $$\left\{\begin{array}{c}{K}_{uid,at{t}_i}=g^{z_{uid}{\alpha }_{\theta }}{H}_0{\left(uid\right)}^{{\beta }_{\theta }}{H}_1{\left(at{t}_i\right)}^t,\hfill \\ L_{uid,at{t}_i}=g^t.\hfill \end{array}\right.$$

  (5)
  The technique ultimately produces the attribute decryption key associated with the attribute set $S_{uid,aid}$ and sends it to the data user for constructing a partially decrypted ciphertext:

  $$AD{K}_{uid,aid}={\{K_{uid,at{t}_i},L_{uid,at{t}_i}\}}_{at{t}_i\in S_{uid,aid}}.$$

  (6)

5.2. Data Processing

• $DataEncrypt(PP,MP{K}_{\theta },F,(\mathbb{A},\delta ))\to CT$: The data owner formulates a data access policy $(\mathbb{A},\delta )$, where $\mathbb{A}\in {\mathbb{Z}}_p^{l\times n}$ is a $l\times n$ matrix. The data owner chooses a collection of random numbers $s,x_2,\dots ,x_n,y_2,\dots ,y_n\in {\mathbb{Z}}_p^{\ast }$ and then constructs two vectors $\mathbf{x}=(s,x_2,\dots ,x_n)$ and $\mathbf{y}=(0,y_2,\dots ,y_n)$. For each row ${\mathbb{A}}_i$ of matrix $\mathbb{A}$, the algorithm calculates ${\lambda }_i={\mathbb{A}}_i·\mathbf{x}$ and $w_i={\mathbb{A}}_i·\mathbf{y}$, respectively, where ${\lambda }_i$ denotes a secret share of the i-th row of matrix $\mathbb{A}$ and $w_i$ represents a share of 0 in the i-th row of matrix $\mathbb{A}$. Furthermore, we define two functions $\delta \left(i\right)$ and $\rho \left(i\right)$, where $\delta \left(i\right)$ maps a row of matrix $\mathbb{A}$ to an attribute and $\rho \left(i\right)$ maps a row of matrix $\mathbb{A}$ to an attribute authority. The data owner chooses a random element $t_i\in {\mathbb{Z}}_p^{\ast }$ and computes the components of the ciphertext of the IoT data F as follows:

  $$\left\{\begin{array}{c}{C}_0=F·\widehat{e}{(g,g)}^s,\hfill \\ C_{1,i}=g^{{\lambda }_i}{g}^{{\alpha }_{\rho \left(i\right)}{t}_i},\hfill \\ C_{2,i}=g^{{\beta }_{\rho \left(i\right)}{t}_i}{g}^{w_i},\hfill \\ C_{3,i}=g^{-t_i},\hfill \\ C_{4,i}=H_1{\left(\delta \left(i\right)\right)}^{t_i}.\hfill \end{array}\right.$$

  (7)
  The data owner outputs the IoT data ciphertext $CT$ and subsequently uploads the ciphertext to the cloud computing platform for storage. The upload is in the form of $\left\{Hash\right(CT),CT\}$, and a successful upload will return a storage address $Addr$.

  $$CT=(C_0,{\{C_{1,i},C_{2,i},C_{3,i},C_{4,i}\}}_{i\in [1,l]}).$$

  (8)
• $KeywordEncrypt(PP,P{K}_{oid},KW)\to I_{dx}$: The data owner extracts a collection of keywords $KW=\{k{w}_1,\dots ,k{w}_d\}$ from the IoT data F and then encrypts these keywords. The data owner selects random numbers $\xi ,{\xi }_1\in {\mathbb{Z}}_p^{\ast }$ and calculates the components of the data index $I_{dx}$ as follows:

  $$\left\{\begin{array}{c}{W}_1=g^{z_{oid}\xi },\hfill \\ W_2=g^{\gamma {\xi }_1},\hfill \\ W_3=g^{{\xi }_1},\hfill \\ W_i=g^{\gamma H\left(k{w}_i\right)\xi }.\hfill \end{array}\right.$$

  (9)
  The data owner outputs the multi-keyword index:

  $$I_{dx}=(W_1,W_2,W_3,{\left\{W_i\right\}}_{i\in [1,d]}),$$

  (10)
  Finally, the data owner submits the data index $I_{dx}$ and storage address $Addr$ to the blockchain in the form of $\{Hash\left(CT\right),I_{dx},Addr\}$.

5.3. Data Searching

• $TrapGen(PP,S{K}_{uid},K{W}^{\prime })\to Td$: The data user generates a search trapdoor using the keywords of interest $K{W}^{\prime }=\{k{w}_1^{\prime },\dots ,k{w}_{d^{\prime }}^{\prime }\}$. The algorithm randomly chooses $\eta \in {\mathbb{Z}}_p^{\ast }$ and computes the components of the search trapdoor as below:

  $$\left\{\begin{array}{c}{T}_1=g^{\eta z_{uid}},\hfill \\ T_2=g^{\gamma \eta z_{uid}},\hfill \\ T_3=\prod _{i=1}^{d^{\prime }}{g}^{\gamma H\left(k{w}_i^{\prime }\right)}.\hfill \end{array}\right.$$

  (11)
  The data user outputs the multi-keyword search trapdoor:

  $$Td=(T_1,T_2,T_3).$$

  (12)
• $SearchMatch(I_{dx},Td)\to 0/1$: This progress is implemented by a smart contract, taking the data index $I_{dx}$ and search trapdoor $Td$ as inputs. The consensus node executes the smart contract to validate the subsequent equation after receiving a search mechanism from the data user:

  $$\widehat{e}(T_3,W_1)\widehat{e}(T_2,W_3)=\widehat{e}(T_1,W_2)\widehat{e}(P{K}_{oid},\prod _{i=1}^{d^{\prime }}{W}_i)$$

  (13)
  Upon equation satisfaction, the process transmits the storage address $Addr$ of the ciphertext to the data user and returns 1. Conversely, the equation produces 0 if it is not valid to indicate a failed search.

5.4. Data Decryption

• $SemiDecrypt(PP,P{K}_{uid},AD{K}_{uid,aid},CT)\to SCT$: The cloud computing platform runs this algorithm to perform complex decryption operations representing the data user. The algorithm will terminate if the attributes of the data user do not match the access policy. Otherwise, the attribute set satisfying the data access structure $(\mathbb{A},\delta )$ is $I={\{i:\delta \left(i\right)\in S_{uid}\}}_{i\in [1,l]}$. For each element $i\in I$, the cloud computing center calculates as follows:

  $$\left\{\begin{array}{c}{V}_{1,i}=\widehat{e}(P{K}_{uid},C_{1,i}),\hfill \\ V_{2,i}=\widehat{e}(K_{uid,at{t}_i},C_{3,i}),\hfill \\ V_{3,i}=\widehat{e}(H_0\left(uid\right),C_{2,i}),\hfill \\ V_{4,i}=\widehat{e}(L_{uid,at{t}_i},C_{4,i}).\hfill \end{array}\right.$$

  (14)

  $$\begin{array}{cc}\hfill tc{t}_i& =V_{1,i}·V_{2,i}·V_{3,i}·V_{4,i}\hfill \\ \hfill & =\widehat{e}{(g,g)}^{z_{uid}{\lambda }_i}\widehat{e}{(H_0\left(uid\right),g)}^{w_i}\hfill \end{array}$$

  (15)
  The cloud computing center calculates a set of constants ${\{c_i\in {\mathbb{Z}}_p^{\ast }\}}_{i\in I}$, such that ${\sum }_{i\in I}{c}_i{\lambda }_i=s$ and ${\sum }_{i\in I}{c}_i{w}_i=0$. Combining the constants ${\{c_i\in {\mathbb{Z}}_p^{\ast }\}}_{i\in I}$, the cloud computing center performs the following calculation:

  $$\begin{array}{cc}\hfill tct& =\prod _{i\in I}{\left(tc{t}_i\right)}^{c_i}\hfill \\ \hfill & =\widehat{e}{(g,g)}^{z_{uid}s}.\hfill \end{array}$$

  (16)
  Then, we output the partially decrypted ciphertext:

  $$SCT=\{C_0,tct\}.$$

  (17)
  Finally, the cloud computing platform sends $SCT$ to the data user.
• $DataDecrypt(SCT,S{K}_{uid})\to F$: This algorithm is implemented by the data user, utilizing its private key $P{K}_{uid}$ and partially decrypted ciphertext $SCT$ as inputs. The algorithm decrypts plaintext data through the following computation:

  $$F={\displaystyle \frac{C_0}{tc{t}^{\frac{1}{S{K}_{uid}}}}}.$$

  (18)

6. Security Analysis

6.1. Correctness

6.1.1. Search Matching Algorithm

By verifying whether equation holds, the matching of the data index $I_{dx}$ and the search trapdoor $Td$ is achieved.

The expansion of the left-hand side of Equation (13) is as follows:

$$\begin{array}{cc}\hfill \mathrm{LHS}& =\widehat{e}(T_3,W_1)\widehat{e}(T_2,W_3)\hfill \\ \hfill & =\widehat{e}(\prod _{i=1}^{d^{\prime }}{g}^{rH\left(k{w}_i^{\prime }\right)},g^{z_{oid}\xi })\widehat{e}(g^{\gamma \eta z_{uid}},g^{{\xi }_1})\hfill \\ \hfill & =\widehat{e}(g^{z_{oid}\xi },\prod _{i=1}^{d^{\prime }}{g}^{rH\left(k{w}_i^{\prime }\right)})\widehat{e}(g^{\eta z_{uid}},g^{r_{{\xi }_1}}).\hfill \end{array}$$

(19)

The expansion of the right-hand side of Equation (13) is as follows:

$$\begin{array}{cc}\hfill \mathrm{RHS}& =\widehat{e}(T_1,W_2)\widehat{e}(P{K}_{oid},\prod _{i=1}^{d^{\prime }}{W}_i)\hfill \\ \hfill & =\widehat{e}(g^{\eta z_{uid}},g^{r_{{\xi }_1}})\widehat{e}(g^{z_{oid}},\prod _{i=1}^{d^{\prime }}{g}^{rH\left(k{w}_i\right)\xi })\hfill \\ \hfill & =\widehat{e}(g^{\eta z_{uid}},g^{r_{{\xi }_1}})\widehat{e}(g^{z_{oid}\xi },\prod _{i=1}^{d^{\prime }}{g}^{rH\left(k{w}_i\right)}).\hfill \end{array}$$

(20)

When the search keywords are successfully matched, the left and right sides of the equation are equal.

6.1.2. Data Decryption Algorithm

The correctness of this algorithm ensures that the data user whose attributes are satisfied with $(\mathbb{A},\delta )$ can obtain partial decrypted ciphertext $tct$ through the cloud computing platform and decrypt it to obtain the IoT data F. In particular, calculate Equation (15) first:

$$\begin{array}{cc}\hfill tc{t}_i& =V_{1,i}·V_{2,i}·V_{3,i}·V_{4,i}\hfill \\ \hfill & =\widehat{e}(P{K}_{uid},C_{1,i})·\widehat{e}(K_{uid,at{t}_i},C_{3,i})·\widehat{e}(H_0\left(uid\right),C_{2,i})·\widehat{e}(L_{uid,at{t}_i},C_{4,i})\hfill \\ \hfill & =\widehat{e}(g^{z_{uid}},g^{{\lambda }_i}{g}^{{\alpha }_{\rho \left(i\right)}{t}_i})·\widehat{e}(g^{z_{uid}{\alpha }_{\theta }}{H}_0{\left(uid\right)}^{{\beta }_{\theta }}{H}_1{\left(at{t}_i\right)}^t,g^{-t_i})·\hfill \\ \hfill & \widehat{e}(H_0\left(uid\right),g^{{\beta }_{\rho \left(i\right)}{t}_i}{g}^{w_i})·\widehat{e}(g^t,H_1{\left(\delta \left(i\right)\right)}^{t_i})\hfill \\ \hfill & =\widehat{e}(g^{z_{uid}},g^{{\lambda }_i})\widehat{e}(g^{z_{uid}},g^{{\alpha }_{\rho \left(i\right)}{t}_i})·\widehat{e}(g^{z_{uid}{\alpha }_{\theta }},g^{-t_i})\widehat{e}(H_0{\left(uid\right)}^{{\beta }_{\theta }}{H}_1{\left(at{t}_i\right)}^t,g^{-t_i})·\hfill \\ \hfill & \widehat{e}(H_0\left(uid\right),g^{{\beta }_{\rho \left(i\right)}{t}_i})\widehat{e}(H_0\left(uid\right),g^{w_i})·\widehat{e}(g^t,H_1{\left(\delta \left(i\right)\right)}^{t_i})\hfill \\ \hfill & =\widehat{e}{(g,g)}^{z_{uid}{\lambda }_i}\widehat{e}{(g,g)}^{z_{uid}{\alpha }_{\rho \left(i\right)}{t}_i}·\widehat{e}{(g,g)}^{-z_{uid}{\alpha }_{\theta }{t}_i}\widehat{e}(H_0{\left(uid\right)}^{{\beta }_{\theta }},g^{-t_i})\widehat{e}(H_1{\left(at{t}_i\right)}^t,g^{-t_i})·\hfill \\ \hfill & \widehat{e}(H_0\left(uid\right),g^{{\beta }_{\rho \left(i\right)}{t}_i})\widehat{e}{(H_0\left(uid\right),g)}^{w_i}·\widehat{e}(H_1{\left(\delta \left(i\right)\right)}^{t_i},g^t)\hfill \\ \hfill & =\widehat{e}{(g,g)}^{z_{uid}{\lambda }_i}\widehat{e}{(H_0\left(uid\right),g)}^{w_i}·\left(\widehat{e}{(g,g)}^{z_{uid}{\alpha }_{\rho \left(i\right)}{t}_i}·\widehat{e}{(g,g)}^{-z_{uid}{\alpha }_{\rho \left(i\right)}{t}_i}\right)·\hfill \\ \hfill & \left(\widehat{e}{(H_0\left(uid\right),g)}^{-t_i{\beta }_{\rho \left(i\right)}}·\widehat{e}(H_0\left(uid\right),g^{{\beta }_{\rho \left(i\right)}{t}_i})\right)\left(\widehat{e}{(H_1\left(\delta \left(i\right)\right),g)}^{-t_{i}t}·\widehat{e}(H_1{\left(\delta \left(i\right)\right)}^{t_{i}t},g)\right)\hfill \\ \hfill & =\widehat{e}{(g,g)}^{z_{uid}{\lambda }_i}\widehat{e}{(H_0\left(uid\right),g)}^{w_i}.\hfill \end{array}$$

(21)

Then, Equation (16) is calculated as

$$\begin{array}{cc}\hfill tct& =\prod _{i\in I}{\left(tc{t}_i\right)}^{c_i}\hfill \\ \hfill & =\prod _{i\in I}{\left(\widehat{e}{(g,g)}^{z_{uid}{\lambda }_i}\widehat{e}{(H_0\left(uid\right),g)}^{w_i}\right)}^{c_i}\hfill \\ \hfill & =\prod _{i\in I}\left(\widehat{e}{(g,g)}^{z_{uid}{\lambda }_i{c}_i}·\widehat{e}{(H_0\left(uid\right),g)}^{w_i{c}_i}\right)\hfill \\ \hfill & =\widehat{e}{(g,g)}^{z_{uid}s}.\hfill \end{array}$$

(22)

Finally, the calculation process of Equation (18) is ${\displaystyle \frac{C_0}{tc{t}^{\frac{1}{S{K}_{uid}}}}}={\displaystyle \frac{F·\widehat{e}{(g,g)}^s}{{\widehat{e}{(g,g)}^{z_{uid}s}}^{\frac{1}{z_{uid}}}}}=F$.

6.2. Static Security

Theorem 1. 

In the event that the q-DPBDHE2 problem is difficult, an adversary without probabilistic polynomial-time (PPT) can defeat the BM-ABSE scheme by statically corrupting a collection of attribute authorities.

Lemma 1. 

Let $\mathbb{A}$ be the access matrix constructed using LSSS. The rows of the matrix controlled by the corrupt attribute authorities are denoted as $C\subseteq \left[l\right]$. The corrupted rows can span a subspace of dimension c. According to the secret shares divided by $\mathbb{A}$, they are the same as those divided by ${\mathbb{A}}^{\prime }$, where $A_{x,j}^{\prime }=0,\forall (x,j)\in C\times [n-c]$. This lemma enables the adversary to isolate the matrix rows related to the corrupted attribute authorities. $\mathbb{A}=\left[\begin{array}{cccc}{A}_{1,1}& A_{1,2}& \cdots & A_{1,n}\\ A_{2,1}& A_{2,2}& \cdots & A_{2,n}\\ A_{3,1}& A_{3,2}& \cdots & A_{3,n}\\ ⋮& ⋮& \ddots & ⋮\\ A_{\ell ,1}& A_{\ell ,2}& \cdots & A_{\ell ,n}\end{array}\right]⇝{\mathbb{A}}^{\prime }=\left[\begin{array}{c}\begin{array}{cccccc}0& \cdots & 0& A_{1,n-c+1}^{\prime }& \cdots & A_{1,n}^{\prime }\\ A_{2,1}^{\prime }& \cdots & A_{2,n-c}^{\prime }& A_{2,n-c+1}^{\prime }& \cdots & A_{2,n}^{\prime }\\ 0& \cdots & 0& A_{3,n-c+1}^{\prime }& \cdots & A_{3,n}^{\prime }\\ ⋮& \ddots & ⋮& ⋮& \ddots & ⋮\\ A_{\ell ,1}^{\prime }& \cdots & A_{\ell ,n-c}^{\prime }& A_{\ell ,n-c+1}^{\prime }& \cdots & A_{\ell ,n}^{\prime }\end{array}\end{array}\right]$

Proof. 

Suppose there exists an adversary $\mathcal{A}$ that can break the BM-ABSE scheme with advantage $\epsilon$ in the static security model. The q-DPBDHE2 problem can be resolved by constructing a simulator $\mathcal{B}$ that is based on $\mathcal{A}$.

• Init: $\mathcal{B}$ generates public parameters $PP$ using the $(D,T)$ of q-DPBDHE2 problem challenger and sends them to $\mathcal{A}$.
• Query–Attacker: $\mathcal{A}$ specifies a collection of compromised attribute authorities denoted as $C_{AAs}$, uncorrupted attribute authorities denoted as $N_{AAs}$, already queried attribute sets $Q_a={\{ui{d}_i,Sui{d}_i\}}_{i=1}^m$, two plaintexts of the same length $m_0,m_1\in {\mathbb{G}}_T$, and the access policy $({\mathbb{A}}^{\ast },{\delta }^{\ast })$ to be challenged. $H_0$ and $H_1$ are represented as random oracles, and $\mathcal{A}$ specifies the identity set $Q_{H_0}$ for querying $H_0$ and the attribute set $Q_{H_1}$ for querying $H_1$.
• Query–Public Key of Attribute Authorities: $\mathcal{B}$ converts $\mathbb{A}$ to ${\mathbb{A}}^{\prime }$, where $n^{\prime }=n-c$, and responds to $\mathcal{A}$’s query for the public key of the attribute authorities as follows:
  • If the queried attribute authority is not in the access policy $({\mathbb{A}}^{\ast },{\delta }^{\ast })$, that is, $aid\notin \rho [\ell ]$, then $\mathcal{B}$ sends $MP{K}_{aid}=\{g^{{\alpha }_{aid}},g^{{\beta }_{aid}}\}$ to $\mathcal{A}$, where ${\alpha }_{aid},{\beta }_{aid}\in {\mathbb{Z}}_p^{\ast }$.
  • If the queried attribute authority is in the access policy $({\mathbb{A}}^{\ast },{\delta }^{\ast })$ and its managed matrix rows are denoted as $I=\{i\in [\ell \left]\right\}$, then $\mathcal{B}$ randomly selects ${\alpha }_{aid}^{\prime },{\beta }_{aid}^{\prime }\in {\mathbb{Z}}_p^{\ast }$ and sets

    $$\left\{\begin{array}{c}{a}_{aid}={\alpha }_{aid}^{\prime }+\sum _{i\in I}{b}_i{a}^{q+1}{A}_{i,1}^{\prime },\hfill \\ b_{aid}={\beta }_{aid}^{\prime }+\sum _{i\in I}\sum _{j=2}^{n^{\prime }}{b}_i{a}^{q+2-j}{A}_{i,j}^{\prime }.\hfill \end{array}\right.$$

    (23)
  Finally, $\mathcal{B}$ sends $MP{K}_{aid}=\{g^{{\alpha }_{aid}},g^{{\beta }_{aid}}\}$ to $\mathcal{A}$.
• Query–$H_0\left(Q_{H_0}\right)$: Depending on the different conditions satisfied by the queried identity identifier and attribute set, $\mathcal{B}$ responds to $\mathcal{A}$’s query in the following situations:
  • If $ui{d}_i\notin Q_a$ and $ui{d}_i\in Q_{H_0}$, $\mathcal{B}$ responds to $\mathcal{A}$’s query with a random element from the group $\mathbb{G}$.
  • If $ui{d}_i\notin Q_a$ and $S_{ui{d}_i}\notin (A^{\ast },{\delta }^{\ast })$, $\mathcal{B}$ randomly selects ${\tilde{h}}_i\in {\mathbb{Z}}_p^{\ast }$ and sets the following:

    $$H_0\left(ui{d}_i\right)=g^{{\tilde{h}}_i}{g}^{{\sum }_{k=2}^{n^{\prime }}{a}^{k-1}}.$$

    (24)
  • If $ui{d}_i\notin Q_a$ and $S_{ui{d}_i}\in (A^{\ast },{\delta }^{\ast })$, there exists a set of matrix rows $I^{\prime }\subseteq [\ell ]$ such that $\delta \left(i^{\prime }\right)\in S_{ui{d}_i}$, and this set of matrix rows can be seen as managed by the corrupted attribute authorities. There exists a vector ${\mathbf{d}}_i\in {\mathbb{Z}}_p^{1\times n}$ with the first element being 0 satisfying $A_x^{\prime }·{\mathbf{d}}_i=0$. In addition, this vector is orthogonal to the corrupted matrix rows. $\mathcal{B}$ chooses a random element ${\tilde{h}}_i\in {\mathbb{Z}}_p^{\ast }$ and sets the following:

    $$H_0\left(ui{d}_i\right)=g^{{\tilde{h}}_i}{g}^{{\sum }_{k=2}^{n^{\prime }}(a^{k-1}·d_{i,k})}.$$

    (25)
  Finally, $\mathcal{B}$ sends $H_0\left(ui{d}_i\right)$ to $\mathcal{A}$.
• Query–$H_1\left(Q_{H_1}\right)$: Let $aid$ be an attribute authority managing an attribute in $Q_{H_1}$. $\mathcal{B}$ responds to $\mathcal{A}$’s query based on the following:
  • If $aid\notin \rho [\ell ]$ or $aid\in C_{AAs}$, $\mathcal{B}$ responds to $\mathcal{A}$’s query with a random element from the group $\mathbb{G}$.
  • If $aid\in \rho [\ell ]$, then the matrix rows controlled by this attribute authority are denoted as $I^{″}=\left\{i\right|\rho \left(i\right)=aid\}\setminus \left\{i\right|\delta \left(i\right)=at{t}_i\}\subseteq [\ell ]$. $\mathcal{B}$ randomly selects ${\tilde{h}}_i\in {\mathbb{Z}}_p^{\ast }$ and sets the following:

    $$H_1\left(at{t}_i\right)=g^{{\tilde{h}}_{at{t}_i}}{g}^{{\sum }_{i\in I^{″}}{\sum }_{j\in \left[n^{\prime }\right]}(b_i{a}^{q+1-j}·A_{i,j}^{\prime })}.$$

    (26)
  Finally, $\mathcal{B}$ sends $H_1\left(at{t}_i\right)$ to $\mathcal{A}$.
• Query–Attribute Decryption Key: $\mathcal{A}$ submits an attribute set $(ui{d}_i,S_{ui{d}_i})$ to $\mathcal{B}$. For an attribute $at{t}_i\in S_{ui{d}_i}$, $\mathcal{B}$ responds to $\mathcal{A}$’s query according to the following situations:

  (a)

  If the attribute authority of attribute $at{t}_i$ is not in the access policy $({\mathbb{A}}^{\ast },{\delta }^{\ast })$, $\mathcal{B}$ randomly selects ${\alpha }_{aid},{\beta }_{aid},t\in {\mathbb{Z}}_p^{\ast }$ and outputs the following:

  $$\left\{\begin{array}{c}{K}_{ui{d}_i,at{t}_i}=g^{z_{ui{d}_i}{\alpha }_{aid}}{H}_0{\left(ui{d}_i\right)}^{{\beta }_{aid}}{H}_1{\left(at{t}_i\right)}^t,\hfill \\ L_{ui{d}_i,at{t}_i}=g^t.\hfill \end{array}\right.$$

  (27)

  (b)

  If the attribute authority of attribute $at{t}_i$ is in the access policy $(A^{\ast },{\delta }^{\ast })$ but $S_{ui{d}_i}\notin ({\mathbb{A}}^{\ast },{\delta }^{\ast })$, the matrix rows controlled by this attribute authority are denoted as $I^{\prime }=\left\{i\right|\rho \left(i\right)=aid\}\subseteq [\ell ]$. $\mathcal{B}$ sets $t=-{\sum }_{k\in \left[n^{\prime }\right]}{a}^k$ and computes the following:

  $$\left\{\begin{array}{c}{K}_{ui{d}_i,at{t}_i}=g^{ui{d}_i}{H}_0{\left(ui{d}_i\right)}^{{\sum }_{i\in I^{\prime }}{\sum }_{j=2}^{n^{\prime }}{b}_i{a}^{q+2-j}{A}_{i,j}^{\prime }}{g}^{{\alpha }_{aid}^{\prime }}·\hfill \\ H_1{\left(at{t}_i\right)}^t{g}^{{\sum }_{i\in I^{\prime }}{b}_i{a}^{q+1}{A}_{i,1}^{\prime }}{H}_0{\left(ui{d}_i\right)}^{{\beta }_{aid}^{\prime }},\hfill \\ L_{ui{d}_i,at{t}_i}=g^{-{\sum }_{k\in \left[n^{\prime }\right]}{a}^k}.\hfill \end{array}\right.$$

  (28)

  (c)

  If the attribute authority of attribute $at{t}_i$ is in the access policy $({\mathbb{A}}^{\ast },{\delta }^{\ast })$ and $S_{ui{d}_i}\in ({\mathbb{A}}^{\ast },{\delta }^{\ast })$, $\mathcal{B}$ sets $t=-{\sum }_{k\in \left[n^{\prime }\right]}{a}^k{d}_{i,k}$ and calculates the following:

  $$\left\{\begin{array}{c}{K}_{ui{d}_i,at{t}_i}=g^{ui{d}_i}{H}_0{\left(ui{d}_i\right)}^{{\sum }_{i\in I^{\prime }}{\sum }_{j=2}^{n^{\prime }}{b}_i{a}^{q+2-j}{A}_{i,j}^{\prime }}{g}^{{\alpha }_{aid}^{\prime }}·\hfill \\ H_1{\left(at{t}_i\right)}^t{g}^{{\sum }_{i\in I^{\prime }}{b}_i{a}^{q+1}{A}_{i,1}^{\prime }}{H}_0{\left(ui{d}_i\right)}^{{\beta }_{aid}^{\prime }},\hfill \\ L_{ui{d}_i,at{t}_i}=g^{-{\sum }_{k\in \left[n^{\prime }\right]}{a}^k{d}_{i,k}}.\hfill \end{array}\right.$$

  (29)

• Query–Ciphertext: $\mathcal{B}$ calculates $C_0=m_b·T,b\in \{0,1\}$; then, it constructs two vectors $\mathbf{v}=(s{a}^{q+1},0,\dots ,0),\overrightarrow{w}=(0,s{a}^q,\dots ,s{a}^{q-n^{\prime }+2},0,\dots ,0)$ and computes the ciphertext components based on the following situations:

  (a)

  For the matrix rows $i^{\ast }$ controlled by the corrupted attribute authority in the access structure $({\mathbb{A}}^{\ast },{\delta }^{\ast })$, there exists ${\lambda }_{i^{\ast }}=0$, $w_{i^{\ast }}=0$. $\mathcal{B}$ computes the corresponding ciphertext components:

  $$\left\{\begin{array}{c}{C}_{1,i^{\ast }}=g^{{\alpha }_{\rho \left(i^{\ast }\right)}{t}_{i^{\ast }}},\hfill \\ C_{2,i^{\ast }}=g^{{\beta }_{\rho \left(i^{\ast }\right)}{t}_{i^{\ast }}},\hfill \\ C_{3,i^{\ast }}=g^{-t_{i^{\ast }}},\hfill \\ C_{4,i^{\ast }}=H_1{\left(\delta \left(i^{\ast }\right)\right)}^{t_{i^{\ast }}}.\hfill \end{array}\right.$$

  (30)

  (b)

  For the normal matrix rows $i^{\ast }$ in the access structure $({\mathbb{A}}^{\ast },{\delta }^{\ast })$, there exists ${\lambda }_{i^{\ast }}=s{a}^{q+1}·A_{i^{\ast },1}^{\prime },w_{i^{\ast }}={\sum }_{j=2}^{n^{\prime }}s{a}^{q+2-j}{A}_{i^{\ast },j}^{\prime }$. $\mathcal{B}$ computes the corresponding ciphertext components:

  $$\left\{\begin{array}{c}{C}_{1,i^{\ast }}={\left(g^{{\sum }_{i\in I\setminus \left\{i^{\ast }\right\}}s{b}_i{a}^{q+1}/b_{i^{\ast }}}\right)}^{-A_{i^{\ast },1}^{\prime }},\hfill \\ C_{2,i^{\ast }}={\left(g^{{\sum }_{i\in I\setminus \left\{i^{\ast }\right\}}{\sum }_{j=2}^{n}s{b}_i{a}^{q+2-j}/b_{i^{\ast }}}\right)}^{-A_{i^{\ast },j}^{\prime }},\hfill \\ C_{3,i^{\ast }}=g^{-t_{i^{\ast }}}=g^{s/b_{i^{\ast }}},\hfill \\ C_{4,i^{\ast }}={\left(g^{{\sum }_{i\in I^{\prime \prime }}{\sum }_{j\in \left[n^{\prime }\right]}s{b}_i{a}^{q+1-j}/b_{i^{\ast }}}\right)}^{-A_{i^{\ast },j}^{\prime }}.\hfill \end{array}\right.$$

  (31)

• Guess: $\mathcal{A}$ outputs its guess $b^{\prime }$. If $b^{\prime }=b$, then $\mathcal{B}$ returns $T=\widehat{e}{(g,g)}^{s{a}^{q+1}}$; otherwise, $T=R$. According to the security game rules mentioned above, $\mathcal{A}$ cannot easily compute $\widehat{e}{(g,g)}^{s{a}^{q+1}}$ based on the known information. Although $g^{s{a}^{q+1}{b}_j/b_{j^{\prime }}}$ is known, the q-DPBDHE2 problem remains difficult since $j\ne j^{\prime }$.

□

6.3. IND-CKA Security

Theorem 2. 

Adversaries who lack probabilistic polynomial-time (PPT) are capable of defeating the BM-ABSE scheme through a chosen-keyword attack if the DBDH problem is difficult.

Proof. 

Suppose that the BM-ABSE scheme proposed in the IND-CKA security model can be breached by an adversary $\mathcal{A}$ with an advantage of $\epsilon$. The DBDH problem can be resolved by constructing a simulator $\mathcal{B}$ that is based on $\mathcal{A}$.

• Init: The simulator $\mathcal{B}$ generates public parameters and transmits them to the attacker $\mathcal{A}$.
• Phase 1: The attacker $\mathcal{A}$ performs a trapdoor search query by submitting a collection of keywords $K{W}^{\prime }=\{k{w}_1^{\prime },\dots ,k{w}_d^{\prime }\}$ to the simulator $\mathcal{B}$. The simulator $\mathcal{B}$ selects a random element $\eta \in {\mathbb{Z}}_p^{\ast }$ and runs the $TrapGen$ to create a search trapdoor that is linked to $K{W}^{\prime }$:

  $$Td=(T_1=g^{\eta z_{uid}},T_2=g^{\gamma \eta z_{uid}},T_3=\prod _{i=1}^{d^{\prime }}{g}^{\gamma H\left(k{w}_i^{\prime }\right)}).$$

  (32)
• Challenge: The simulator $\mathcal{B}$ is sent two keyword sets $K{W}_0^{\prime },K{W}_1^{\prime }$ by the attacker $\mathcal{A}$ that are not interrogated in Phase 1. The simulator $\mathcal{B}$ then runs the $KeywordEncrypt$ to arbitrarily encrypt a keyword set in $K{W}_b^{\prime },b\in \{0,1\}$.
• Phase 2: The attacker $\mathcal{A}$ can continue the query in Phase 1, but it is prohibited from querying the search trapdoor of $K{W}_0^{\prime }$ or $K{W}_1^{\prime }$.
• Guess: The attacker $\mathcal{A}$ outputs its conjecture $b^{\prime }$. If $b^{\prime }=b$, the adversary $\mathcal{A}$ prevails in the aforementioned security game. The adversary $\mathcal{A}$ has an advantage of $\epsilon /2$ in differentiating between $g^{\phi }$ and $g^{\gamma H\left(k{w}_0\right)\tau }$ if it can succeed in the IND-CKA security game with an advantage of $\epsilon$, where $\phi \in {\mathbb{Z}}_p^{\ast }$. The advantage of the attacker $\mathcal{A}$ in differentiating between $g^{\gamma H\left(k{w}_0\right)\tau }$ and $g^{\gamma H\left(k{w}_1\right)\tau }$ is tantamount to the benefit of differentiating between $g^{\phi }$ and $g^{\gamma \tau }$. Due to the difficulty of the DBDH problem, the advantage $\epsilon$ can be neglected.

□

7. Performance and Evaluation

7.1. Functionality Comparison

Table 2. Functionality comparison.

	[22]	[24]	[25]	[26]	[27]	[23]	[28]	Ours
Attribute authority	multiple	single	single	single	single	multiple	single	multiple
Access structure	LSSS	Tree	AND	LSSS	LSSS	LSSS	LSSS	LSSS
Multiple keywords	✓	✓	×	×	✓	×	×	✓
Results verification	×	×	×	×	✓	×	✓	✓
Blockchain	×	×	×	×	✓	✓	✓	✓
Data storage	cloud	cloud	cloud	cloud	cloud	cloud	cloud	cloud
Security model	IND-CPA, IND-CKA	IND-CPA, IND-CKA	IND-CP-CKA	ACKSA	IND-CKA	CKA	CKA	static, IND-CKA

presents a functional comparison between the proposed BM-ABSE scheme and existing similar schemes. Similar to references [22,23], our scheme has multi-authority to decentralize management responsibilities and avoid single points of failure. All of these schemes are based on cloud storage, making them suitable for large-scale data scenarios in IoT. In addition, like only a few schemes, we support multi-keyword search to improve query efficiency. By integrating blockchain technology and smart contracts, our scheme ensures the integrity and verifiability of data as well as the credibility of search results. Finally, whereas most schemes guarantee IND-CKA security, we are the only one that formally proves static security.

7.2. Storage Overhead

Table 3. Storage overhead comparison.

	[24]	[26]	[27]	Ours
Attribute decryption key	$(2N_u+4)\left|\mathbb{G}\right|$	$(N_u+3)\left|\mathbb{G}\right|$	$(2N_u+1)\left|\mathbb{G}\right|$	$2N_u\left|\mathbb{G}\right|$
Data index	$\left(2d\right)\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$(2N_u+2)\left|\mathbb{G}\right|$	$(d+3)\left|\mathbb{G}\right|$	$(d+3)\left|\mathbb{G}\right|$
Search trapdoor	$(2d^{\prime }+1)\left|\mathbb{G}\right|$	$(N_u+2)\left|\mathbb{G}\right|$	$3\left|\mathbb{G}\right|$	$3\left|\mathbb{G}\right|$
Partially decrypted ciphertext	$2|{\mathbb{G}}_T|$	-	$2|{\mathbb{G}}_T|$	$2|{\mathbb{G}}_T|$
Ciphertext	$(2k+2d+2)\left|\mathbb{G}\right|+2|{\mathbb{G}}_T|$	$(4k+2)\left|\mathbb{G}\right|+2|{\mathbb{G}}_T|$	$(3k+2)\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$	$4k\left|\mathbb{G}\right|+|{\mathbb{G}}_T|$

illustrates the storage cost analysis of the our scheme. In the BM-ABSE scheme, the attribute decryption key size is $2N_u\left|\mathbb{G}\right|$, aligning with schemes that feature a single attribute authority such as [24,27]. Except for scheme [26], the storage overhead of the data index in the other approaches is linearly related to the number of keywords defined by the data owner. Meanwhile, the data index storage overhead of scheme [27] is the same as our scheme and exceeds the other schemes to achieve the optimum. Scheme [26] integrates access control into the search algorithm, which leads to an increase in its data index storage overhead with the quantity of attributes, and each search procedure is capable of matching only one keyword at a time. Moreover, only our scheme and scheme [27] have a constant storage overhead for search trapdoors. In schemes [24,26], the size of the search trapdoor exhibits a linear relationship with the quantity of keywords or attributes, leading to a substantial increase in storage burden as the number of keywords increases. Every comparison approach has a constant storage overhead for the partially decrypted ciphertext. Specifically, the partially decrypted ciphertext consists of two ciphertext components within the group ${\mathbb{G}}_T$: one computed by the cloud platform and the other derived from the original ciphertext.

7.3. Computational Overhead

This section provides a theoretical analysis of the computational overhead of the BM-ABSE scheme based on

Table 4. Computational overhead comparison.

	[22]	[24]	[26]	[27]	Ours
$ADKGen$	$\left(4N_u\right)E$	$(2N_u+6)E$	$(N_u+3)E$	$(2N_u+4)E$	$\left(4N_u\right)E$
$KeywordEncrypt$	$(2N_u+7)E+(2N_u+1)P$	$\left(2d\right)E$	$(3N_u+2)E$	$(d+3)E$	$(d+3)E$
$TrapGen$	$(N_u+1)E+P$	$(2N_u+d^{\prime })E$	$(N_u+2)E$	$3E$	$3E$
$SearchMatch$	$(2N_u+4)E+3P$	$2E+(N_u·d^{\prime }+1)P$	$(2k+1)P$	$(d^{\prime }+2)P$	$4P$
$DataEncrypt$	-	$(2k+4)E+2P$	$(6k+4)E$	$(4k+3)E+\left(k\right)P$	$(4k+1)E$
$SemiDecrypt$	$\left(4k\right)P$	$(k+2)P$	-	$\left(3k\right)E$	$\left(4k\right)P$
$DataDecrypt$	$2E$	P	$(2k+1)P$	$E+P$	E

. The scheme [22] has the same exponential computational overhead as our scheme in the $ADKGen$ phase. This is attributed to the fact that both schemes employ multiple attribute authorities to oversee the attributes in the system; compared with the single attribute authority scheme, there is a slightly higher computational overhead. However, the setting of multiple attribute authorities is more aligned with practical requirements and avoids performance bottlenecks caused by single points of failure. Scheme [27] has the same exponential computational overhead as the proposed scheme during $KeywordEncrypt$. In particular, scheme [27] requires more hash computations in the stage of $TrapGen$. Since hash operations are less computationally expensive than exponential operations and bilinear pairings, they are not included in the table. The BM-ABSE scheme requires only $(4k+1)E$ exponential operations in the $DataEncrypt$ phase. All comparison schemes delegate the intricate decryption computations to the cloud. The proposed scheme reduces the computational load on the user end to just one exponential operation by outsourcing $\left(4k\right)P$ bilinear pairing computation to the cloud.

7.4. Experimental Analysis

The development and operational stack comprises Go 1.21.6, Python 3.11.5, JDK 17.0.12, MySQL 5.7.26, Solidity 0.8.24, and Docker 27.5.1. To evaluate the performance of the BM-ABSE scheme, this section assesses the efficiency of the main algorithms under three security levels: 70-bit security, 80-bit security, and 90-bit security. The Charm framework utilizes three elliptic curves (MNT159, SS512, and MNT201) to achieve different security levels. Among them, SS512 is used for symmetric bilinear pairing, while MNT159 and MNT201 are used for asymmetric bilinear pairing. The simulation environment is configured as follows:

• OS: Ubuntu 22.04 64-bit (6.8.0-60-generic) (Canonical Ltd., London, UK);
• CPU: Intel(R) Core(TM) i5-12500H @ 2.50 GHz (Intel Corporation, Santa Clara, CA, USA);
• RAM: Samsung DDR4-3200 16 GB (Samsung Electronics Co., Ltd., Suwon, Republic of Korea);
• MB: HONOR GLO-FX6-PCB (M1020)/BIOS 1.13 (Honor Device Co., Ltd., Shenzhen, China);
• HDD: Samsung SSD 980 PRO 1 TB (Samsung Electronics Co., Ltd., Suwon, Republic of Korea).

Table 5. The overhead of basic calculations.

Operation	SS512 (ms)	MNT159 (ms)	MNT201 (ms)
$E\left({\mathbb{G}}_1\right)$	0.85806	0.31256	0.43513
$E\left({\mathbb{G}}_2\right)$	0.86236	2.92539	3.67335
$E\left({\mathbb{G}}_T\right)$	0.08363	0.70905	0.82113
P	0.63634	2.25567	2.70392

summarizes the time cost of some basic cryptographic operations in this configuration. In addition, the execution time of the algorithm at each stage under different security levels is shown in Figure 2. As illustrated in Figure 2a, the computational overhead for generating the attribute decryption key increases linearly with the number of user attributes, which corroborates the theoretical analysis above. The time-consuming computational operations in the $ADKGen$ algorithm are mainly exponential operations. Under the SS512 setting, $ADKGen$ exhibits the fastest computation. Although the execution time is slightly higher than that of SS512 in asymmetric bilinear pairing settings (MNT159 or MNT201), it remains practical for real-world IoT scenarios. The execution duration of the $KeywordEncrypt$ process is illustrated in Figure 2c, and the time overhead is approximately linear with the quantity of keywords collected by the data owner. As the number of keywords increases, the running time increases accordingly. Under the three security levels, the index construction time for 50 keywords remains within 0.2 ms, which indicates that the algorithm is still efficient even in resource-constrained application scenarios.

As observed in Figure 2d,f, the execution time of the $TrapGen$ algorithm and the $DataDecrypt$ algorithm remains almost constant with the increasing quantity of keywords or attributes at different security levels. However, it should be noted that the performance of both algorithms remains influenced by the quantity of keywords or attributes. $TrapGen$ and $DataDecrypt$ encompass multiplication and hash operations, but these contribute negligibly to the overall running time. For different security levels, the average execution time of the $DataDecrypt$ algorithm is less than 1 ms. According to Figure 2b,e, the execution times of the $DataEncrypt$ algorithm and the $SemiDecrypt$ algorithm both increase gradually as the quantity of attributes grows. For $DataEncrypt$, the encryption time for the plaintext is 0.31 s with SS512, 0.62 s with MNT159, and 0.80 s with MNT201 when the quantity of attributes is 50. For each of the three security levels, the time stays below 1 s. For $SemiDecrypt$, the maximum execution time for 50 attributes is 1.2 s, which does not present a computational burden for a powerful cloud server.

The BM-ABSE scheme implements the $SearchMatch$ algorithm using the Solidity smart contract language and deploys it on the blockchain. To further evaluate the efficiency of the chain code, we set up a blockchain network, configured with four peer nodes and two sorting nodes, using Hyperledger Fabricand. In addition, we measure transaction latency and throughput using Hyperledger Caliper, and the results are shown in Figure 3. As shown in Figure 3a, transaction latency increases almost linearly with rising transaction volume. This is a typical phenomenon of distributed consensus systems, as transactions must queue at nodes to await processing and consensus. Figure 3b shows that the actual network throughput increases linearly with the transmission rate and reaches a plateau at nearly 200 TPS, indicating that the network resources are fully utilized. Under the current test of a four-node network configuration, this is the maximum performance limit that our system can handle. These results confirm that the logic of the $SearchMatch$ algorithm is efficient. The dominant performance bottleneck stems from the processing capacity of the underlying Hyperledger Fabric platform under specific configurations. The experiment provides a benchmark for the performance of the system at a defined scale, demonstrating predictable scalability as load increases.

In an extreme massive IoT scenario, tens of thousands of terminals need to be aggregated. If each endpoint triggers one search transaction every five minutes, the transaction throughput could reach thousands of TPS. However, not all IoT terminals require frequent data search operations in practice. Monitoring devices primarily read data, and search requests are usually initiated by upper-layer applications at a frequency far lower than that of data reporting. Consequently, the average load remains at the hundreds-of-TPS level. Moreover, the proposed scheme distributes the most time-consuming search matching computation and result verification to multiple blockchain nodes for parallel execution through smart contracts, eliminating the single-point performance bottleneck of centralized servers, making it fundamentally more scalable. In summary, although the absolute throughput measured in this experiment on a single test network is limited, the architecture and methodology proposed in this paper are applicable to intelligent systems.

8. Conclusions

With the exponential growth of IoT data and the increasing demand for cross-domain collaboration, how to achieve reliable data sharing between resource-constrained terminals and untrusted clouds has become a core challenge in the deeper development of intelligent systems. In this paper, we propose a blockchain-based multi-authority IoT data-sharing scheme with attribute-based searchable encryption for intelligent system (BM-ABSE), aiming to address the issues of security, efficiency, and verifiability of data sharing in the IoT environment. This scheme adopts attribute-based searchable encryption, multi-authority mechanism, and blockchain technology to protect the confidentiality of data, achieve fine-grained access control, and guarantee the efficiency of the search and credibility of the search results. At the same time, by matching search trapdoors and data indexes on the blockchain through smart contracts, it can effectively prevent unauthorized or malicious third parties from returning biased or commercial search results. Given the resource constraints of IoT devices, partially decryption calculations can be directly completed in the cloud without the need for additional computational outsourced keys. Theoretical analysis indicates that BM-ABSE satisfies both static security and IND-CKA security under the standard model and can effectively resist the stealing or tampering of ciphertexts and keywords by attackers. Even if attackers statically corrupt any number of attribute authorities after obtaining public parameters, they still cannot obtain any additional information about plaintexts or keywords from the ciphertexts or indexes. Experimental simulation shows that our scheme has good computational efficiency on IoT devices with limited resources. The running time of the core algorithms maintains in milliseconds, and it has linearly controllable overhead as the number of attributes increases. Under the three security levels, the terminal only needs one exponential operation to complete the final decryption, which significantly alleviates the computation and energy consumption bottlenecks of IoT devices. The overall running time of the core algorithms remains in milliseconds. Among them, the time consumption of $ADKGen$, $DataEncrypt$, and $SemiDecrypt$ algorithms increases linearly with the number of attributes, but it still less than 1 s under the condition of 50 attributes, which makes it scalable for large-scale IoT deployment. In addition, when the transaction volume increases to 350, the throughput of smart contracts on the blockchain increases to nearly 200 TPS, indicating that the system can still maintain a certain degree of scalability when handling a large number of transactions. Finally, introducing revocable and dynamic attribute update mechanisms to support key rotation and permission recovery throughout the entire lifecycle of IoT devices is a future research direction.