A Survey of Data Security Sharing

Abstract

In the digital era, secure data sharing has become a core requirement for enabling cross-domain collaboration, cloud computing, and Internet of Things (IoT) applications, as well as a critical measure for safeguarding privacy and defending against malicious attacks. In light of the risks of data leakage and misuse in open environments, achieving efficient, controllable, and privacy-preserving data sharing has emerged as a key research focus. This paper first provides a systematic review of the prevailing secure data sharing technologies, including proxy re-encryption, searchable encryption, key agreement and distribution, and attribute-based encryption, summarizing their design principles and application features. Subsequently, game-theoretic modeling based on incentive theory is introduced to construct a strategic interaction framework between data owners and data users, aiming to analyze and optimize benefit allocation mechanisms. Furthermore, the paper explores the integration of game theory with secure sharing mechanisms to enhance the sustainability and stability of the data sharing ecosystem. Finally, it outlines the critical challenges currently faced in secure data sharing and discusses future research directions, offering theoretical insights and technical references for building a more comprehensive data sharing framework.

1. Introduction

Cybersecurity focuses on safeguarding cyberspace against unauthorized access, malicious disruptions, and interference [1]. As an interdisciplinary research domain, cybersecurity investigations extend beyond developing protective technologies, to encompass the examination of security- and privacy-related incidents, as well as human-centered processes [2,3]. Recent advancements have broadened the data sources for cybersecurity research, incorporating network/application tracing, database and information system activities, along with user behavioral patterns [4]. Notably, government agencies, commercial entities, and nonprofit organizations now systematically aggregate cybersecurity-related information that holds significant potential for research applications [5].

Data play a pivotal role in cybersecurity research. As threats continually evolve with increasing sophistication and detection challenges, researchers require access to more comprehensive datasets, to maintain predictive capabilities against potential risks and devise adaptive solutions within dynamic environments [6,7]. Mitigating emerging forms of malware, ransomware, and phishing attacks necessitates a proactive collaborative cybersecurity paradigm involving real-time knowledge exchange, data sharing, and technological interoperability [8]. However, organizational silos persist in cybersecurity operations, where corporations and research teams frequently operate in isolation, exhibiting reluctance to disclose sensitive information, even for collective security enhancement—a practice that substantially constrains the scope and efficacy of research [9]. Data serve as a multifaceted digital commodity, enabling intra-organizational optimization, enrichment of existing products/services, knowledge acquisition, and commercial monetization. Fundamentally, data sharing entails transferring datasets or granting access rights for algorithmic training purposes, thereby provisioning third parties with resources to achieve specific objectives (e.g., value creation or process optimization) [10,11]. This practice simultaneously facilitates novel inter-organizational collaborative–competitive dynamics through complementary data integration. Nevertheless, persistent concerns regarding privacy vulnerabilities and operational barriers continue to deter organizations and research teams from engaging in data sharing initiatives [12,13].

The imperative for data sharing has reached heightened urgency in the contemporary landscape, where sensor technologies and ubiquitous digitalization continuously generate real-world process data. A European Commission study [14] revealed that 80% of industrial data remain untapped, underscoring a substantial underutilization of digital assets. Complementing this finding, PwC research [15] identified corporate data sharing practices as primarily customer-centric, followed by supplier-oriented and external entity engagements, while predicting the increasing importance of cross-scale data exchanges between large enterprises and SMEs in coming years. Within the European Union, the evolving significance of inter-organizational data governance has crystallized through legislative advancements. Beyond the foundational General Data Protection Regulation (GDPR), emerging frameworks including the Data Governance Act (DGA) and Data Act (DA) systematically supplement legal infrastructure for secure data sharing. These regulatory innovations are projected to stimulate additional GDP growth of up to EUR 270 billion by 2028 through optimized data circulation [14,15,16].

Recently, there have been calls to provide cybersecurity data to broader academic communities, but these calls have not received timely responses. This is partly because, in practical processes, data sharing usually requires the participants to consume a certain amount of resources and involves costs. Under the absence of effective participant incentive mechanisms, it is difficult to balance multi-party interests. Therefore, most companies and research teams are unwilling to proactively share data or forward messages [17]. Thus, to improve data sharing willingness, the key lies in formulating effective incentive mechanisms. Simultaneously, a reward–punishment combination strategy should be adopted. These incentive mechanisms can motivate all participants to contribute high-quality services and effectively reduce the possibilities of data leaks and tampering, while avoiding vicious competition and improper resource consumption [18].

As a novel technology, cloud computing facilitates the integration of storage and computational resources in the era of big data, enabling continuous aggregation of data resources and unleashing immense potential value. With the rapid advancement of Internet technologies, cloud computing has emerged as a mainstream data-sharing paradigm [19], due to its cost-effectiveness, high performance, and rapid accessibility, effectively addressing the issue of ‘data silos’. A viable solution involves constructing secure and efficient data storage and sharing frameworks through cloud computing, where users and organizations frequently delegate their data to cloud servers with superior computational and storage capabilities for storage and sharing [20]. However, while enabling data sharing, cloud servers pose increasing security risks, as outsourced data becomes physically separated from direct user management, rendering it vulnerable to theft and tampering. To protect data privacy and prevent leakage of outsourced data [21,22], users typically encrypt their data prior to cloud uploads [23]. This encryption mechanism ensures that neither cloud servers nor other adversaries can access sensitive information, thereby preserving data confidentiality and user privacy. In recent years, achieving secure data sharing has become a focal point of domestic and international research efforts.

Among various data-intensive domains, the healthcare sector has emerged as a key focus of data sharing research, due to the highly sensitive nature of personal health information involved. Medical data encompass not only structured information such as electronic medical records, imaging data, and prescription histories, but also real-time physiological signals and behavioral traces collected by wearable devices. These data hold significant value for disease prediction, personalized treatment, and public health response.

To enhance the utility of medical data, while preserving patient privacy, recent research has called for the establishment of cross-institutional sharing platforms and collaborative mechanisms. However, in practice, data sharing among hospitals, research institutions, and third-party platforms remains limited. This is primarily due to the absence of effective incentive mechanisms, insufficient security safeguards, and a lack of mutual trust. The high commercial value and legal risks associated with medical data further prompt data holders to adopt conservative management approaches, thereby exacerbating the problem of ‘data silos’. The key terms and their definitions relevant to this study are presented in

Table 1. Glossary of key terms.

Term	Definition
Data Silo	Data are distributed across different systems or organizations and cannot be effectively shared.
Secure Data Sharing	The exchange of data among multiple parties under the premise of ensuring privacy and security.
Game Theory	A mathematical tool for analyzing how rational agents make strategic decisions and allocate benefits during interactions.
Bounded Rationality	Due to limitations in information, cognition, and time, individuals are unable to make fully rational decisions.

.

The motivation for this study stemmed from the pressing challenges of privacy protection and security in data sharing within the digital era. Although existing research has proposed various encryption and sharing schemes—such as searchable encryption, proxy re-encryption, and attribute-based encryption—there remain significant technical and theoretical gaps in effectively balancing security and sharing efficiency in practical applications. The novelty of this paper lies in providing a comprehensive survey of mainstream data security sharing technologies, and in introducing game-theoretic models to address critical issues such as insufficient incentives and privacy leakage. This offers new perspectives and potential solutions for secure and efficient data sharing.

The remainder of this paper is organized as follows: Section 2 provides an overview of the fundamental models and key components of secure data sharing, clarifying the roles and interactions of the various stakeholders involved in the sharing process. Section 3 presents a systematic review of the foundational theories and core technologies closely related to secure sharing, offering theoretical support for the subsequent analysis. Section 4 examines and compares four mainstream secure data sharing approaches from a technical perspective, and further introduces game-theoretic incentive mechanisms to explore strategy evolution and optimal design under bounded rationality. Finally, Section 5 concludes the paper and, in light of current research bottlenecks, outlines potential future research directions. This study conducted a classified and comprehensive review of the key technologies underpinning secure data sharing based on a systematic literature search and screening process.

2. Data Security Sharing Model

2.1. Initial System Model

A data secure sharing system model can be summarized as shown in Figure 1, comprising three entities: cloud servers, data owners, and data users. In the healthcare data sharing ecosystem, the data owner refers to the legitimate holder of medical data, typically the patient, who possesses individual health-related records such as electronic medical records. Encryption methods adopt searchable encryption (SE), proxy re-encryption (PRE), attribute-based encryption (ABE), or key agreement. A cloud server, acting as a third-party data custodian, is responsible for the unified integration, centralized management, and access control of the collected medical data. The data user represents the ultimate recipient of the medical data, such as research institutions, who obtain access to the data through legitimate authorization for the purposes of scientific research or technological development. In this model, the data owner stores the plaintext data and, in order to ensure secure data sharing, encrypts the data before uploading it to the cloud server. The cloud server provides services such as storage and retrieval for secure data sharing. It stores the encrypted data uploaded by the data owner. When a data user requests the encrypted data from the cloud server, the server returns the encrypted data to the user. Once the data user determines which data to download from the data owner, they download the encrypted data from the cloud server, decrypt it, and obtain the plaintext data.

2.2. Threat Model

In the data security sharing system, data move through seven stages from the data owner to the data user: generation, encryption, transmission, storage, sharing, decryption, and destruction. In this process, data security faces multiple threats, including key attacks [24], data leakage [25], identity impersonation [26], data theft [27], data tampering [28], data corruption [29], and data misuse [30]. It is important to emphasize that the term ‘data corruption’ as used in this paper not only refers to the alteration of ciphertext in transit, but also includes the compromising of auxiliary elements such as associated indexes, integrity tags, and re-encryption keys cached on the server side. The destruction of any of these components may render the data undecryptable or cause distorted decryption results, thereby threatening the system’s availability and integrity. To better illustrate the real-world impact of these threats in secure data sharing scenarios, this paper presents the following representative cases:

(1) Key Attacks: In 2023, the U.S.-based password management company LastPass experienced a significant security breach. Attackers exploited vulnerabilities on an employee’s computer and leveraged key leakage to successfully steal encrypted backups containing customers’ sensitive data. This incident revealed weaknesses in key management processes and highlighted the critical importance of key security and protective measures.

(2) Data Tampering and Leakage: In 2022, the Australian telecommunications operator Optus suffered a cyberattack in which hackers infiltrated the company’s database, tampered with and exfiltrated sensitive information from nearly 10 million users, including names, dates of birth, and passport numbers. This breach exposed the serious risks of large-scale data tampering and leakage.

(3) Identity Impersonation and Data Misuse: In early 2023, the South African branch of the global credit reporting agency TransUnion experienced a massive data breach. Hackers impersonated legitimate users to bypass access controls and illegally accessed sensitive data of approximately 54 million South African citizens, including social identity information and credit records. This led to long-term misuse of user data and a heightened risk of financial fraud.

(4) Data Corruption: In 2022, Microsoft’s cloud platform Azure experienced a global storage outage, resulting in data corruption and loss for numerous customers. For some, critical business data were permanently damaged, significantly impacting business operations.

These cases demonstrate that the threats encountered during secure data sharing are not only persistent but also involve increasingly broad and complex data management scenarios. As such, it is imperative to continuously strengthen security measures and risk control mechanisms in the design of data sharing systems. The corresponding threat model is illustrated in Figure 2.

Most threat models in existing schemes assume the following:

(1) Cloud servers are considered to be semi-honest in the context of data security sharing. While cloud servers store encrypted data and are capable of honestly performing retrieval operations, they are inherently curious about the encrypted data. This curiosity introduces potential risks, such as data leakage, data tampering, data corruption, and the possibility of attackers impersonating authorized identities.

(2) A maliciously authorized external attacker, leveraging a legitimate identity, may download encrypted data from the cloud server and attempt to decrypt it.

(3) A malicious unauthorized external attacker may eavesdrop on the key exchange process between the data owner and the data user, attempting to exploit key attack techniques to steal the shared encryption key. During the transmission of encrypted data over the network, network attacks may result in data loss or leakage, exposing sensitive information to unauthorized parties. Additionally, an attacker may impersonate a legitimate identity, download encrypted data from the cloud server, and attempt to decrypt the data using stolen or forged credentials.

In the field of information system security design, the STRIDE model proposed by Microsoft’s Security Development Lifecycle (SDL) has become one of the most widely adopted threat modeling frameworks in the industry [31]. STRIDE systematically enumerates potential threats through a checklist of six high-level categories—Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege—to assist researchers in identifying risks at the architectural stage and developing targeted mitigation strategies. For scenarios involving intensive personal data, the LINDDUN framework [32] provides a complementary perspective by focusing on privacy threats. It categorizes risks into Linkability, Identifiability, Non-repudiation, Detectability, Disclosure, Unawareness, and Non-compliance. When combined with Data Flow Diagram (DFD) analysis, LINDDUN enables early detection of issues such as identity linkages, information leakage, and regulatory compliance, offering a quantitative basis for selecting technologies like differential privacy, minimal recognizable sets, and lawful auditing mechanisms. In practice, these two models are often used in combination: STRIDE is first applied to address traditional security concerns, covering CIA+A (Confidentiality, Integrity, Availability, and Auditability), while LINDDUN is then used to delve deeper into privacy-specific risks. This dual-layered checklist—‘security + privacy’—is particularly well suited for cross-domain applications centered around sensitive data, such as secure data sharing.

2.3. Security Requirements

The security requirements for data secure sharing and the cryptographic primitives that ensure these requirements can be summarized as shown in

Table 2. Security requirements and associated cryptographic primitives.

Security Requirement	Functionality	Cryptographic Primitives/Protocols	Typical Application Scenario
Key Confidentiality	The shared key must be stored in an encrypted form during storage to prevent unauthorized access and theft.	Secret Sharing, Quantum Key Distribution	Secure key escrow systems in cloud-based medical record platforms.
Non-Repudiation	Ensure that the key and ciphertext cannot be forged, thus preventing attackers from fabricating keys to decrypt data or creating counterfeit ciphertext to deceive data users.	Signatures, Zero-Knowledge Proofs	Verifying source authenticity in blockchain-based health data transactions.
Data Confidentiality	Ensure that the data remain encrypted during storage, re-encryption, and transmission, thereby preventing unauthorized disclosure. Even if the ciphertext is intercepted, attackers without the decryption key cannot access the plaintext.	Encryption, Key Management	Secure electronic health record (EHR) exchange across institutions.
Data Integrity	Ensure that the exchanged ciphertext corresponds exactly to the original data, preventing errors or tampering. The recipient must be able to verify that the decrypted content matches the original data.	Auditing Protocols	Medical audit logs ensuring clinical data consistency and traceability.
Privacy Protection	Ensure that both the identities of the data owner and recipient, as well as the data privacy, are protected during the proxy re-encryption process, preventing unauthorized exposure of identity information or tampering with the data.	Encryption, Unintentional Storage, Homomorphic Techniques	Privacy-preserving clinical trial data sharing between hospitals and research institutions.

.

In addressing the aforementioned security requirements, cryptographic primitives such as encryption, signatures, authentication, and key exchange play a critical role. For instance, signatures are used to verify the authenticity of transformed keys and ciphertexts, preventing forgery; attribute-based encryption and key management ensure legitimate delegation of transformation rights; encryption techniques safeguard data confidentiality; auditing protocols verify data integrity; and the combined application of multiple cryptographic primitives, such as encryption with unintentional storage and homomorphic techniques, effectively protects privacy.

3. Relevant Knowledge

3.1. Bilinear Mapping

Given that $G_1$ and $G_2$ are cyclic multiplicative groups of order p, where p is a prime, and the bilinear map $e:G_1\times G_1\to G_2$ satisfies the following properties:

(1) bilinear: For any $a,b\in {\mathbb{Z}}_q^{*}$ and $R,S\in G_1$, there exists $e(R^a,S^b)=e{(R,S)}^{ab}$.

(2) non-degenerate: There exist $R,S\in G_1$ such that $e(R,S)\ne 1_{G_2}$, where $1_{G_2}$ denotes the identity element of the group $G_2$.

(3) computable: For any $R,S\in G_1$, there exists a probabilistic polynomial-time algorithm to compute $e(R,S)$.

Let $G_1$ and $G_2$ be cyclic multiplicative groups of prime order p. A bilinear map $e:G_1\times G_1\to G_2$ is said to satisfy the following properties:

(1) Bilinearity: For all $a,b\in {\mathbb{Z}}_q^{*}$ and $R,Q\in G_1$, the mapping satisfies $e(R^a,Q^b)=e{(R,Q)}^{ab}$.

(2) Non-degeneracy: There exist $R,Q\in G_1$ such that $e(R,Q)\ne 1_{G_2}$, where $1_{G_2}$ denotes the identity element of group $G_2$.

(3) Computability: For any $R,Q\in G_1$, there exists a probabilistic polynomial-time algorithm that efficiently computes $e(R,Q)$.

3.2. Shamir Secret Sharing Scheme

Secret sharing schemes are typically based on mathematical principles such as polynomial interpolation, linear algebra, and others. The core idea of these schemes is to divide a secret S into n shares according to a specific rule and distribute these shares among n participants. These shares possess the following properties:

(1) A single share, or a subset of shares, does not reveal any information about the secret S.

(2) When a sufficient number of shares (reaching the threshold) have been collected, the original secret S can be accurately reconstructed through a specific algorithm or computation process.

The Shamir Secret Sharing Scheme is as follows:

(1) Construction Process: Let the secret be denoted by S, with a threshold value k, and let p be a prime number such that $p>maxS,n$. All arithmetic operations—addition, multiplication, and inversion—are performed over the finite field $GF\left(p\right)$. A random polynomial $f\left(x\right)$ of degree $k-1$ over $GF\left(p\right)$ is constructed as

$$f\left(x\right)=a_0+a_{1}x+a_2{x}^2+\cdots +a_{k-1}{x}^{k-1}modp,$$

(1)

where $a_0=S$ is the secret, and the remaining coefficients $a_i$ ($i=1,2,\dots ,k-1$) are randomly selected from $GF\left(p\right)$. For each participant i ($i=1,2,\dots ,n$), their individual share is computed as $s_i=f\left(x_i\right)$, where $x_i\in GF\left(p\right)$ is a unique non-zero value serving as the identifier for participant i. Thus, each participant i holds a secret share represented as the pair $(x_i,s_i)$.

(2) Reconstruction Process: When k participants want to reconstruct the secret, they need to collect their secret shares $(x_i,s_i)$. Using the Lagrange interpolation formula, the original polynomial $f\left(x\right)$ can be constructed as

$$f\left(x\right)={\sum }_{i=1}^k{s}_i{\displaystyle \frac{{\prod }_{j\ne i}(x-x_j)}{{\prod }_{j\ne i}(x_i-x_j)}}modp$$

(2)

By substituting $x=0$ into $f\left(x\right)$, the secret value S is obtained:

$$S=f\left(0\right)=a_0$$

(3)

This scheme ensures that the secret can only be reconstructed when k or more participants collaborate. Fewer than k participants have no information about the secret. To prove the existence of the Lagrange interpolation polynomial, we construct it as follows:

$$f\left(x\right)=\sum _{i=1}^k{s}_i·{\displaystyle \frac{{\prod }_{j\ne i}(x-x_j)}{{\prod }_{j\ne i}(x_i-x_j)}}modp$$

(4)

It is easy to verify that the polynomial $f\left(x\right)$ constructed in this manner satisfies all the given interpolation points $(x_i,s_i)$. Specifically, when $x=x_i$, we have

$$f\left(x_i\right)=\sum _{m=1}^k{s}_m·{\displaystyle \frac{{\prod }_{j\ne m}(x_i-x_j)}{{\prod }_{j\ne m}(x_m-x_j)}}modp$$

(5)

In this expression, for the term where $m=i$, the numerator and denominator are equal, so the fraction equals 1 and the term becomes $s_i·1$. For all $m\ne i$, the numerator contains the factor $(x_i-x_i)=0$, so those terms vanish. Hence,

$$f\left(x_i\right)=s_i·1+\sum _{m\ne i}{s}_m·0=s_i$$

(6)

Therefore, the constructed polynomial satisfies all the interpolation conditions. This proves that the Lagrange interpolation polynomial exists.

3.3. Searchable Encryption Technology

Searchable encryption is a cryptographic mechanism that enables keyword or condition-based searches to be performed directly over encrypted data, without requiring decryption. Only the ciphertexts or results corresponding to matching entries are returned. Throughout the entire process, the cloud server or search engine remains unaware of the underlying plaintext content and the user’s search intent.

3.3.1. Public Key Searchable Encryption

The formal definition of Public Key Searchable Encryption (PKSE) typically involves several key steps: key generation, data encryption, index construction, trapdoor generation, search, and result retrieval. It is defined as a tuple of six probabilistic polynomial-time algorithms:

$$PKSE=(\mathsf{KeyGen},\mathsf{Enc},\mathsf{IndexGen},\mathsf{TrapdoorGen},\mathsf{Search},\mathsf{Dec})$$

(7)

The definitions of these algorithms are as follows:

(1) Key Generation Algorithm $KeyGen\left(\lambda \right)$: Given a security parameter $\lambda$, this algorithm generates a public–private key pair $(PK,SK)$. The public key $PK$ is used to encrypt data and construct searchable indexes, while the secret key $SK$ is securely held by the data owner for decrypting search results and performing related operations.

(2) Data Encryption Algorithm $Enc(PK,M,r)$: Given a public key $PK$, a plaintext message M, and a random value r, the data owner uses this algorithm to produce a ciphertext C encrypting M.

(3) Index Generation Algorithm $IndexGen(PK,W)$: Given the public key $PK$ and a keyword set $W=\{w_1,w_2,\dots ,w_n\}$ extracted from the message M, this algorithm outputs an index set $I=\{I_1,I_2,\dots ,I_n\}$ associated with the ciphertext C. Both I and C are stored on the cloud server.

(4) Trapdoor Generation Algorithm $\mathsf{TrapdoorGen}(SK,W^{\prime })$: Given the secret key $SK$ and a query keyword $W^{\prime }$, the data user uses this algorithm to generate a trapdoor T.

(5) Search Algorithm $\mathsf{Search}(PK,T)$: Given the public key $PK$ and trapdoor T, the cloud server performs a search over the stored index set I. If the keyword matches (i.e., $W=W^{\prime }$), it returns the corresponding ciphertext C; otherwise, the search fails.

(6) Decryption Algorithm $Dec(C,SK)$: Given a ciphertext C and the secret key $SK$, this algorithm outputs the original plaintext message M.

3.3.2. Symmetric Searchable Encryption

Unlike Public Key Searchable Encryption, Symmetric Searchable Encryption (SSE) utilizes symmetric keys to encrypt data and construct indexes, enabling efficient search operations over ciphertexts, while ensuring data confidentiality. The SSE scheme comprises five primary steps, defined as a tuple of five probabilistic polynomial-time algorithms:

$$SSE=(\mathsf{KeyGen},\mathsf{Enc},\mathsf{TrapdoorGen},\mathsf{Search},\mathsf{Dec})$$

(8)

The definitions of these algorithms are as follows:

(1) Key Generation Algorithm $KeyGen\left(\lambda \right)$: Given a security parameter $\lambda$, this algorithm generates a symmetric key K. The key K is used for encrypting data, generating verifiable indexes, and decrypting data.

(2) Encryption Algorithm $Enc(K,M)$: Given the symmetric key K and plaintext data M, the data owner uses this algorithm to produce a ciphertext C and a corresponding searchable index I.

(3) Trapdoor Generation Algorithm $TrapdoorGen(K,W^{\prime })$: Given the symmetric key K and a search keyword $W^{\prime }$, this algorithm outputs a trapdoor T.

(4) Search Algorithm $Search(I,T)$: Given the searchable index I and trapdoor T, the cloud server performs a search operation over the stored index collection. If the keyword matches (i.e., $W=W^{\prime }$), the corresponding ciphertext C is returned; otherwise, the search fails.

(5) Decryption Algorithm $Dec(C,K)$: Given the symmetric key K and ciphertext C, this algorithm returns the original plaintext message M.

3.4. Proxy Re-Encryption

Proxy Re-Encryption (PRE) is a public key cryptographic technique that enables a proxy server to convert a ciphertext encrypted under User A’s public key into a ciphertext under User B’s public key without learning the underlying plaintext. This mechanism allows secure data sharing between User A and User B without requiring either party to reveal their private keys. The algorithm for secure data sharing from User A to User B proceeds as follows:

(1) Key Generation Algorithm $KeyGen\left(\lambda \right)$: Given a security parameter $\lambda$, this algorithm generates a key pair $(p{k}_i,s{k}_i)$ for each user. Let $(p{k}_A,s{k}_A)$ denote User A’s public and private keys, and $(p{k}_B,s{k}_B)$ denote User B’s public and private keys.

(2) Re-Encryption Key Generation Algorithm $Re\_KeyGen(s{k}_A,p{k}_B)$: User A inputs their private key $s{k}_A$ and User B’s public key $p{k}_B$, and this algorithm outputs a re-encryption key $r{k}_{A\to B}$.

(3) Encryption Algorithm $Enc(p{k}_A,M)$: Given User A’s public key $p{k}_A$ and the plaintext message M, the algorithm outputs a ciphertext C encrypted under $p{k}_A$. User A then sends the ciphertext C and the re-encryption key $r{k}_{A\to B}$ to the proxy server.

(4) Re-Encryption Algorithm $Re\_Enc(r{k}_{A\to B},C)$: The proxy server takes the re-encryption key $r{k}_{A\to B}$ and the ciphertext C as inputs and outputs a re-encrypted ciphertext $C^{\prime }$ under User B’s public key $p{k}_B$.

(5) Decryption Algorithm $Dec(C^{\prime },s{k}_B)$: User B inputs their private key $s{k}_B$ and the re-encrypted ciphertext $C^{\prime }$, and the algorithm outputs the original plaintext M.

4. Data Security Sharing Schemes

At present, numerous researchers both domestically and internationally have conducted in-depth studies on various data security sharing schemes, achieving a series of notable results. From a technical perspective, these results have mainly focused on four key areas: proxy re-encryption, searchable encryption, key agreement and distribution, and attribute-based encryption. In addition, leveraging the decentralized, tamper-resistant, and transparent nature of blockchain technology, many existing solutions have integrated blockchain to enhance the security and trustworthiness of the data sharing process.

A well-designed incentive mechanism not only effectively motivates data owners to provide high-quality data services but also serves as a driving force in building a secure and sustainable data sharing ecosystem. To further explore the synergistic mechanisms between data security sharing technologies and incentive mechanisms, this study systematically reviews and summarizes recent representative cases in this field.

Blockchain-based data sharing features decentralization, tamper resistance, and strong auditability, which significantly enhance the transparency and trustworthiness of data transmission. This makes it particularly suitable for multi-party collaboration scenarios lacking a strong trust foundation. Additionally, smart contracts enable automated incentive distribution and access control. However, such systems also face challenges, including high system complexity, substantial on-chain storage and computation costs, and relatively high processing latency. In contrast, non-blockchain data sharing models rely on centralized platforms, such as cloud servers, for data hosting and access management. These approaches offer advantages such as simplified deployment, fast response times, and lower computational overhead. Nonetheless, they are more vulnerable to issues such as centralized trust dependency, difficulty in tracing data tampering, and heightened risks of privacy breaches. As a result, a trade-off exists between security and efficiency, and the appropriate technological choice should be made based on the specific requirements of the application scenario.

In the context of healthcare data sharing, a regional medical consortium adopted a blockchain-plus-Attribute-Based Encryption (ABE) scheme to enable cross-institutional sharing of patients’ electronic medical records (EMRs). In this system, patients—as data owners—define access policies, and medical institutions obtain data access only after permission verification via the blockchain. However, during deployment, issues such as policy abuse, metadata leakage on the blockchain, and insufficient revocation mechanisms in ABE emerged. These problems prompted deeper reflection on the design of privacy-preserving mechanisms. This case highlights the practical challenges that theoretical solutions may encounter and suggests that future research should focus on revocation mechanisms, encrypted metadata, and dynamic authorization strategies.

4.1. Searchable Encryption and Secure Data Sharing

The application of Searchable Encryption (SE) technology in secure data sharing models is illustrated in Figure 3, aiming to enable encrypted data to be searched without requiring decryption on the cloud server side. This model involves four key entities: a Trusted third party, Data owner, Data user, and Cloud server. First, the trusted third party is responsible for generating and securely distributing the cryptographic keys required for the search, ensuring confidentiality and integrity during key transmission. The data owner uses the system’s keys to encrypt the original data, producing ciphertexts, and simultaneously constructs secure searchable indexes (also encrypted). Both the ciphertext and the encrypted index are uploaded to the cloud server for storage. When a data user wishes to retrieve specific information, they use the keys obtained from the trusted third party to convert a keyword into an encrypted form known as a search trapdoor. This trapdoor is submitted to the cloud server, which then locally performs a matching operation against the encrypted index, without decrypting the underlying data. Once matching entries have been identified, the server returns the corresponding ciphertexts to the data user, who then decrypts them using their own private key to recover the original information. This model effectively balances data confidentiality and search efficiency, making it well suited for cloud-based data sharing environments with stringent privacy requirements. A comparison of related studies is shown in

Table 3. Comparison table of searchable encryption techniques.

Searchable Encryption Technique	References	Main Security Goals	Blockchain Usage
Searchable Encryption with Key Aggregation	[33,34,35]	Simplified search process, protection of user operation privacy, reduced computational burden on cloud servers, decentralized access control	No blockchain
Optimized Basic Searchable Encryption Schemes	[36,37,38]	Enhanced retrieval efficiency, data privacy protection, dynamic updates, secure search process	No blockchain
Access Control in Multi-user Scenarios	[39,40,41]	Support for independent searches by multiple users, effective access control, prevention of unauthorized access, improved multi-user data security	No blockchain
Searchable Encryption Combined with Blockchain	[42,43]	Key security, data privacy, data auditing, integrity verification, query accuracy	Public blockchain
Blockchain-enhanced Key Management	[28,44,45]	Efficient key distribution, dynamic key management, resistance to key leakage and attacks	Consortium or public blockchain
Blockchain-enhanced Index Structure	[29,46,47]	Keyword search security, fine-grained access control, retrieval accuracy, cross-organizational access management	Consortium or public blockchain
Trapdoor Authorization-based Blockchain Scheme	[48]	Secure data access control, multi-keyword search privacy	Public blockchain

.

(1) Without Blockchain Integration

In research on searchable encryption (SE), early work by D. Song, D. Wagner, and A. Perrig [36] first proposed an efficient searchable encryption scheme based on symmetric encryption. This allowed keyword searches of encrypted data without the need for decryption, offering a balance between privacy protection and practicality in data sharing scenarios. It enabled users to securely store encrypted data with third parties (e.g., cloud servers), while still supporting controlled query operations, laying the foundation for secure data sharing and fostering further developments in SE technology. Cui et al. [33] combined SE with key aggregation, allowing users to search across multiple documents using a single key. However, their solution did not address cloud server load issues and relied on a trusted third party (TTP) to generate system parameters. Zhou et al. [49] supported cross-domain search by multiple data owners, enabling users to access data from different owners using a single aggregated key. Nevertheless, it lacked computational efficiency, as all search requests had to be handled by the cloud server. Oh et al. [34] extended traditional Key-Aggregate Searchable Encryption (KASE), enabling users to generate keyword trapdoors using a single aggregate key to retrieve only target data rather than all documents. They introduced fog nodes to pre-verify keywords, reducing cloud server workload (traditional KASE relies entirely on the cloud for verification). Data owners could generate aggregated keys directly without TTP involvement, realizing fully decentralized access control. Li et al. [50] supported enterprise-level data sharing and monitoring via hierarchical keyword search, suitable for multi-user scenarios. However, the computational overhead increased with user numbers, and the single-key exposure issue remained unresolved. Curtmola et al. [37] proposed the first sub-linear SSE scheme, enhancing medical data retrieval efficiency, but lacking dynamic update capabilities. Stefanov et al. [38] introduced dynamic SSE with support for incremental data updates, but required significant client storage. Zhang et al. [51] conducted a systematic classification and technical comparison of SE for medical cloud data sharing, highlighting dynamic updates, verification mechanisms, and complex queries as core directions for future optimization. Popa and Zeldovich [39] introduced Multi-Key SSE (MKSE), allowing users to search shared documents using individual keys. However, their solution did not support revocation and had a weak security model vulnerable to insider attacks. Patel et al. [40] proposed a dynamic document sharing and revocation scheme, addressing the inefficiency of traditional multi-user SSE in revoking access. They introduced a cross-user leakage graph to quantify leakage via graph component analysis, offering a novel approach to privacy evaluation in multi-user scenarios. Curtimola et al. [37] extended SE to multi-user settings, but only supported single-owner authorization for multiple users and failed to handle bidirectional authorization where users act as both data owners and searchers. Tang [41] proposed a multi-party SE scheme featuring both worst-case and average-case security models to address scenarios involving server–user collusion and partial user trust, respectively. By separating searchable content between data owners and authorized users within indexes, this avoided the search pattern leakage seen in Popa-Zeldovich’s model. A Follow algorithm was introduced to allow users to distribute tokens via public channels, enabling search permission delegation without interaction, solving the key distribution scalability issue present in the Popa-Zeldovich scheme. Niu et al. [52,53] combined PRE and SE to enable multi-keyword search, but their proposal lacked dynamic revocation, preventing patients from withdrawing previously granted access. Costa et al. [54] constructed encrypted indexes, allowing healthcare professionals to perform private keyword searches over patient data without decrypting it. Shao et al. [55] were the first to integrate Proxy Re-Encryption (PRE) with SE, enabling keyword-searchable ciphertext conversion, though their approach relied on a centralized cloud server, lacked access control, and was vulnerable to single-point failure. Ateniese et al. [56] designed a unidirectional PRE scheme resistant to collusion attacks but that did not support keyword search, thus failing to enable ciphertext retrieval. Li et al. [25] combined blockchain with SE, using B+ tree indexes and dynamic access control to enhance the security, efficiency, and flexibility of data sharing. Their solution used a consortium blockchain and IPFS for cloud-chain cooperation, balancing storage and security, while optimizing retrieval efficiency through B+ trees. The scheme of Trivedi et al. [26] used attribute tokens for multi-user authentication, but only supported single-keyword search and incurred high computational overhead. Li et al. [57] combined KP-ABE and CP-ABE for access control, though key management complexity increased significantly with the number of users. Lee et al. [35] improved decentralization and reduced reliance on TTP: KASE keys were generated directly by data owners, removing the need for TTP, and supporting efficient key management, enabling a single key to decrypt multiple files and mitigating the key explosion problem.

(2) With Blockchain Integration

Hu et al. [58] implemented decentralized privacy-preserving search on Ethereum, using smart contracts to manage keyword indexes. Yang [45] introduced DCC-SE, which utilized a consensus committee for more efficient key distribution and dynamic management, avoiding the high latency of smart contracts. Ali et al. [59] stored encrypted indexes on the blockchain and verified access rights, but their approach relied on Attribute-Based Encryption (ABE) and a trust value model, limiting patients’ control over their data. Iqbal et al. [60] used the BGV fully homomorphic encryption scheme to protect audio medical data and integrated blockchain for audit tracing, but their solution did not support multi-keyword search. Wang et al. [46] proposed a consortium blockchain-based medical data sharing scheme, combining Conditional Proxy Re-Encryption (CPRE) with Searchable Encryption (SE). They used keywords as re-encryption conditions to support keyword search and access control, but the scheme failed to address retrieval efficiency for large-scale data, due to the use of a globally ordered index, which led to high complexity. Feng et al. [47] designed a binary-search-based index structure, but in the face of massive data, the size of the balanced binary tree caused high search overhead. The scheme only supported static access control, though it enabled fine-grained permission management. Zhang et al. [42] combined Ciphertext-Policy Attribute-Based Keyword Search (CP-ABKS) with blockchain to support data auditing and integrity verification. However, it only supported single-keyword search and did not address key management efficiency. Li et al. [43] implemented symmetric searchable encryption on the blockchain, but the search results were imprecise and inefficient. Zhang et al. [61] leveraged blockchain to enable verifiability of the search process, but did not address access control in multi-institution data sharing scenarios. Niu et al. [29] optimized the index structure using polynomial equations to improve search efficiency and supported attribute-based access control. By integrating ABE with blockchain, they enabled cross-institution fine-grained access management and proposed a complete architecture combining ‘blockchain-based index storage + cloud-based ciphertext storage’, which reduced on-chain storage pressure.

Liu et al. [44] employed the KASE-CQ scheme, which leverages the DCDH (Decisional Co-Diffie-Hellman) assumption to demonstrate resistance against Inside Trapdoor Attacks (ITA). The core of this scheme lies in the trapdoor structure, which ensures that an adversary cannot recover $g^s$ from T2, thereby preventing derivation of the aggregate key. To enhance multi-keyword search efficiency, users submit a single aggregate trapdoor Tr = {T1,T2,T3}, where T3 denotes the set of keyword fields. The server directly evaluates the conjunctive expression without generating multiple trapdoors. The trapdoor size—comprising two group elements plus keyword field indices—and the search time are both independent of the number of keywords. Only one bilinear pairing computation is required during the testing phase, significantly improving efficiency. In the healthcare domain, data sharing is essential for delivering high-quality medical services. However, the sensitivity of medical data demands strong security and privacy protection. Blockchain-based searchable encryption technologies offer a promising solution to this challenge. For instance, Niu et al. [28] proposed a blockchain-based key aggregate searchable encryption scheme that is resilient to key leakage. This scheme stores key update records and ciphertext metadata on the blockchain to prevent unauthorized decryption in the event of key compromise. Moreover, it employs smart contracts to enable dynamic key management, thereby enhancing the security and efficiency of data sharing. Another example is the scheme developed by Costa et al. [54], who constructed an encrypted index that allows healthcare practitioners to perform private searches of patient data using encrypted keywords. This approach preserves patient privacy, while ensuring the accessibility of medical data. These pilot studies and implementation cases demonstrate the practical applicability of combining blockchain and searchable encryption technologies in healthcare data sharing. However, several challenges remain, including the computational overhead, storage requirements, and protection of user privacy. These issues call for further optimization and resolution in future research. Zhang et al. [48] proposed a searchable encryption scheme with an enhanced access control mechanism. The protocol unfolds through the following stages: (1) A trusted authorization authority initializes the system by generating and distributing public and private keys to both data owners and data users. (2) The data owner encrypts the data and outsources the ciphertext to the cloud server for secure storage. (3) When a data user intends to search for specific content, they generate a search token based on the query keywords and send a data access request, along with the token, to the cloud server. (4) Upon receiving the request, the data owner performs a trust evaluation of the requesting user. If the user is deemed trustworthy, the data owner generates a corresponding authorization trapdoor and forwards it to the cloud server. (5) The cloud server then executes the search over the encrypted index using the trapdoor and returns the matching results to the data user. To further enhance security, the scheme incorporates an Authorized Label Private Set Intersection (AL-PSI) protocol, which reduces leakage from Keyword Pattern Reveal Property (KPRP) to the more restrictive Whole Result Pattern (WRP); i.e., only the number of matched documents is revealed. The use of authorization trapdoors enforces owner-enforced access control, ensuring that only authorized users can generate valid search tokens. For multi-keyword search optimization, the protocol shifts the application of PSI from the initial stage of the search (as in LSE) to a later stage, thereby preserving the combined query capability of OXT. In this setting, the data owner encrypts the index entries (xtag) using the public key, and the data user generates a corresponding search token (XTAG). The AL-PSI protocol is then used to compute the intersection between the encrypted index and the search token, avoiding the need for per-keyword verification and significantly improving efficiency. These pilot studies and implementation cases demonstrate the practical applicability of combining blockchain and searchable encryption technologies in healthcare data sharing. However, several challenges remain, including computational overhead, storage requirements, and the protection of user privacy. These issues call for further optimization and resolution in future research.

4.2. Proxy Re-Encryption and Secure Data Sharing

Proxy re-encryption (PRE) plays a pivotal role in secure data sharing models. A typical architecture, as illustrated in Figure 4, involves four key entities: the Trusted third party, Data owner, Proxy server, and Data user. The Trusted third party acts as the trust anchor of the system, responsible for generating and securely distributing key pairs. It provides public keys to both data owners and data users, while securely managing the associated private keys. The Data owner uses their public key to encrypt sensitive data, producing an initial ciphertext that is then uploaded to the Proxy Server. Based on predefined access control policies, the Proxy server performs a proxy re-encryption operation on the ciphertext, transforming it into a re-encrypted ciphertext that is decryptable by the intended Data user. Finally, the Data user applies their private key to decrypt the re-encrypted ciphertext and securely access the original data. This approach enables efficient and fine-grained data sharing, while preserving security and control over access. A comparison of various proxy re-encryption schemes is presented in

Table 4. Comparison of proxy re-encryption (PRE) schemes and blockchain integration.

Type	References	Security Properties	Blockchain Usage
Identity-Based Proxy Re-Encryption (IBPRE)	[62,63]	1. Identity privacy protection, 2. Resistance to key escrow attacks, 3. Unidirectionality, 4. Chosen-identity security	No blockchain
Certificateless Proxy Re-Encryption (CLPKC)	[64,65]	1. Certificateless binding, 2. Resistance to public key replacement attacks, 3. Type-I/II security, 4. Collusion resistance	[65]: Consortium blockchain with PBFT consensus
Attribute-Based Proxy Re-Encryption (ABPRE)	[66,67]	1. Fine-grained access control, 2. Policy hiding, 3. Adaptive security, 4. Forward security for attribute revocation	[67]: Original chain—Hyperledger Fabric (Raft); Relay chain—FISCO BCOS (PBFT)
Key-Aggregate Proxy Re-Encryption (KAPRE)	[24,30]	1. Key aggregation, 2. Resistance to key abuse, 3. High efficiency, 4. Fine-grained revocation	No blockchain
Broadcast Proxy Re-Encryption (BPRE)	[68,69]	1. Receiver anonymity, 2. Collusion-resistance scalability, 3. Dynamic membership management, 4. One-way broadcast security	No blockchain

.

(1) Identity-Based Proxy Re-Encryption (IBPRE)

Identity-Based Encryption (IBE) derives cryptographic keys directly from users’ identities. In 2007, Green and Ateniese [70] introduced the concept of identity-based proxy re-encryption. Since then, various PRE schemes with distinct security properties have been proposed for different application scenarios.

Wei et al. [27] proposed a Revocable-Storage IBE (RS-IBE) scheme that supports both forward and backward secrecy. The ciphertext update process in their design relies solely on public information, and the additional computational and storage overhead introduced by forward secrecy is upper bounded. However, Lee [71] identified correctness issues in Wei et al.’s RS-IBE scheme and presented corresponding improvements. To address fuzzy user data sharing in cloud computing environments, Meshram et al. [72] introduced a subtree-based forward-secure IBE scheme, achieving forward security for data contributors with relatively low computational costs.

In the domain of electronic healthcare, Sudarsono [73] proposed a secure data sharing scheme that integrates identity-based encryption (IBE) and digital signatures within electronic medical systems. The scheme adopts a hybrid security architecture combining IBE, BLS short signatures, and AES symmetric encryption. In this framework, the sender uses the receiver’s unique identity to perform IBE encryption on a temporary symmetric key $k_{AES}$, resulting in the encrypted key component $C_k$. The health data M are then encrypted using $k_{AES}$ to generate the ciphertext $C_M$, and a BLS signature is applied to produce the authentication tag $\sigma$. The receiver (e.g., a physician) authenticates their identity with the electronic medical server to obtain the corresponding private key $d_{ID}$. After verifying the signature $\sigma$, the receiver decrypts $C_k$ to recover $k_{AES}$, and finally decrypts $C_M$ to retrieve the original medical data. This scheme ensures data confidentiality, integrity, and authenticity, and is particularly well suited for secure and fine-grained access control in privacy-sensitive healthcare data sharing scenarios. The scheme was verified to be computationally efficient across different devices, making it suitable for embedded and mobile platforms. Zhang et al. [62] developed an IBE-based authorized searchable encryption scheme for mobile cloud-assisted electronic health information systems. This scheme supports keyword search of encrypted data and delegated upload functionality. By using signature-based authorization certificates generated by doctors, a trusted assistant handles the uploading of encrypted data, ensuring secure sharing of diagnostic data, while alleviating the processing burden on medical professionals. In the context of the Internet of Things (IoT), Sun et al. [63] proposed a practical and efficient Revocable IBE (RIBE) scheme based on SM9 cryptography, tailored for IoT applications. Their scheme offers reduced storage and bandwidth overhead. Unal et al. [74] presented a secure and efficient IoT cloud encryption scheme based on Identity-Based Cryptography (IBC), named the Secure Cloud Storage System (SCSS). Aimed at ensuring data security in cloud storage and supporting forensic investigations, the SCSS employs Type-3 pairings in its SAKKE-IBE construction, achieving significant improvements in both security and efficiency compared to traditional Type-1 pairing-based IBE schemes.

(2) Certificateless Proxy Re-Encryption (CLPRE)

Sur et al. [75] extended proxy re-encryption (PRE) into the domain of certificateless public key cryptography (CLPKC) and introduced the concept of certificateless proxy re-encryption (CLPRE). In their model, each user constructs a private key by combining a self-selected secret value. Following Sur’s work, a variety of CLPRE schemes have emerged. Liu et al. [76] proposed a CLPRE scheme that is secure under the IND-CCA2 model, benefiting from the simplified certificate management inherent to certificateless public key encryption. Despite its advantages, the application of CLPRE has remained limited to public cloud environments. To address this, Eltayieb et al. [77] proposed a CLPRE scheme equipped with an encrypted reverse firewall. This added component resists data exfiltration attacks, prevents information leakage by trusted third parties, and protects against ciphertext forgery, thereby enhancing overall data security.

Hundera et al. [64] introduced a novel approach that integrates certificateless cryptography (CLC) with identity-based cryptography (IBC) to create a heterogeneous secure communication environment for vehicular networks. Their scheme enables vehicular nodes in a CLC setting, to avoid certificate and key escrow management issues, while allowing authorized users in the IBC setting to circumvent public key certificate management problems. The proposed solution demonstrates significant advantages in computational overhead, communication cost, and ciphertext size, making it particularly suitable for cloud-assisted vehicular network environments. Feng et al. [65] proposed a certificateless threshold proxy re-encryption scheme supporting keyword search for industrial data sharing, based on a multi-cloud and multi-chain collaborative storage model. The scheme builds a cooperative data storage and sharing architecture that combines the concept of digital envelopes: industrial data ciphertext is stored in private enterprise clouds, while ciphertext metadata are categorized and stored across different blockchains, achieving effective data isolation. Their innovative certificateless threshold PRE scheme addresses the challenges of ciphertext retrieval and enhances system efficiency and correctness.

In practical applications, NuCypher, a decentralized key management system, launched its public testnet in 2019 and released the test results at the 2020 World Blockchain Conference. More than 2000 nodes participated in the testnet, with over 350,000 ETH staked, spanning regions across North America, Europe, and Asia. Its core technology, the Umbral protocol, enables ciphertext transformation through proxy re-encryption, supporting use cases such as medical data sharing and access control for IoT devices. For instance, in healthcare scenarios, patients can dynamically authorize doctors to access encrypted medical records via smart contracts, while token-based incentives (NKMS) ensure compliant node behavior. Test reports indicated that the network achieved a throughput of up to 200 transactions per second with latency kept under 500 ms, meeting the requirements of real-time applications [78].

(3) Attribute-Based Proxy Re-Encryption (ABPRE)

Attribute-based encryption (ABE) is a critical technique for enhancing the security of data sharing. Attribute-based proxy re-encryption (ABPRE) enables data owners to encrypt data under a set of attributes, ensuring that only users possessing the corresponding attributes can decrypt the content. This mechanism provides fine-grained access control and robust data protection. To secure cloud-stored data, Liang et al. [79] combined Key-Policy ABE (KP-ABE) with proxy re-encryption. However, due to the use of a lazy re-encryption strategy, their protocol exhibited certain security vulnerabilities. To address privacy and energy efficiency concerns in mobile social networks, He et al. [80] proposed an efficient and privacy-preserving content sharing scheme. While the scheme supports secure and fine-grained data sharing, it lacks mechanisms for secure data propagation.

In the context of cloud computing, Ge et al. [66] introduced a Verifiable and Fair Attribute-Based Proxy Re-Encryption (VF-ABPRE) scheme, and formally defined the VF-ABPRE model. This model considers both the verifiability and fairness of attribute-based encrypted data sharing in cloud environments. In this scheme, data recipients can verify the correctness of re-encrypted ciphertexts, while servers are protected from malicious accusations. For cross-blockchain data sharing, Duan et al. [67] proposed a multi-authority attribute-based proxy re-encryption scheme. This approach allows data owners to flexibly update cross-chain access policies without re-encrypting data multiple times, thereby improving the efficiency and flexibility of data sharing. By leveraging relay-chain technology, the scheme constructs a trusted and decentralized sharing environment. The use of smart contracts ensures fair profit distribution, while hybrid encryption and decentralized storage platforms significantly alleviate the storage burden on blockchains.

(4) Key-Aggregate Proxy Re-Encryption (KAPRE)

In their seminal work [81], Chen et al. were the first to integrate key-aggregate methods into proxy re-encryption schemes, thereby formulating the concept of Key-Aggregate Proxy Re-Encryption (KAPRE). To address the issues of high computational overhead, complex key management, and vulnerability to trapdoor attacks in existing searchable encryption schemes, Wang et al. [24] proposed an Efficient and Verifiable Keyword-Aggregate Searchable Encryption (EVKAKSE) scheme. In this design, the data owner first generates a public key $pk=g^{\alpha }$ and a master secret key $msk=\alpha$, and constructs a secure index $re{q}_{index}=(I_1,\dots ,I_n)$. During file encryption, a symmetric key $K_s={\displaystyle \frac{e{(g,h)}^{\tau }}{e{(g,g)}^{\tau }}}$ and a keyword ciphertext $C_w={\displaystyle \frac{e{(g,h)}^{\tau }}{e{(g,g)}^{\tau H_0\left(\omega \right)}}}$ are generated for each file, while a verification tag $ta{g}_{\omega }$ is stored on an auxiliary server. To allow access to a file set S, the data owner assigns the user a single aggregate key $K_{agg}=(g^{-1/(a-{\prod }_{i\in S}{I}_i)},h^{1/(a-{\prod }_{i\in S}{I}_i)})$. The user then generates a single trapdoor $Tr=k{\displaystyle \frac{H_0\left(w\right)}{agg,0}}{k}_{agg,1}$ and submits it to the cloud. The cloud, assisted by an auxiliary server that provides parameters such as $pu{b}_i={\prod }_{j\in S\setminus i}{I}_j$, verifies the correctness of the keyword ciphertext via the pairing equation $c_w?=e\left(c_0{c}_1^{pubi},Tr\right)$, and returns the encrypted files. Finally, the user computes $k_s=e\left(c_{pu{b}_i},K_{agg}\right)$ to decrypt the files and compares the received verification tag $ta{g}_w^{\prime }$ with the stored $ta{g}_w$ to ensure data integrity. This scheme effectively improves the efficiency and security of searchable encryption, while enabling verifiable access control in encrypted cloud data sharing. Subsequently, Pareek et al. [30] also employed key-aggregate proxy re-encryption for secure cloud data sharing. In their scheme, data owners encrypt data using public keys and generate fixed-size re-encryption keys, allowing for the re-encryption of multiple ciphertexts for a single user. This approach significantly reduces the storage and communication overheads associated with re-encryption keys.

Although the KAPRE framework demonstrates significant advantages in enhancing data confidentiality and computational efficiency in cloud environments, it faces several limitations that constrain its practicality and security. Firstly, the re-encryption process demands a larger number of keys. Secondly, KAPRE is inherently non-interactive, as re-encryption keys are generated solely by the delegator, without requiring any involvement from the delegatee. Lastly, most existing KAPRE schemes exhibit limited resistance to collusion attacks, posing further security concerns.

(5) Broadcast Proxy Re-Encryption (BPRE)

Broadcast Proxy Re-Encryption (BPRE) is one of the most effective approaches for ensuring secure data sharing, and its conceptual foundation was inspired by broadcast encryption, originally introduced by Fiat and Naor in [82]. In a BPRE framework, a data owner can perform a single encryption operation to encrypt data and disseminate it to multiple recipients. Subsequently, a proxy can re-encrypt the data for each recipient individually, without having to know the identities of the recipients.

In the context of cloud-based email systems, Xu et al. [68] introduced the concept of Conditional Identity-Based Broadcast Proxy Re-Encryption (CIBPRE) and proposed a corresponding scheme. Compared to traditional methods, their solution demonstrates advantages in communication efficiency and user experience. However, its applicability is limited to the domain of cloud email systems, restricting its broader deployment.

To address data-sharing scenarios more broadly, Sun et al. [69] proposed the concept of Proxy Broadcast Re-Encryption (PBRE) and developed a corresponding scheme. They proved its CCA security under the decisional n-BDHE assumption in the random oracle model. Notably, this scheme exhibits collusion resistance, enabling the proxy to transform the delegator’s ciphertext into ciphertexts for a group of recipients. Experimental results indicated that the re-encryption time cost of their scheme outperformed several existing methods.

4.3. Attribute-Based Encryption and Secure Data Sharing

Attribute-Based Encryption (ABE) is a form of public key encryption that enables decryption rights to be defined through sets of attributes or access policies. ABE-based data sharing schemes associate data access permissions with user attributes, offering a flexible and efficient solution for secure data distribution. The two main security models include Ciphertext-Policy ABE (CP-ABE) and Key-Policy ABE (KP-ABE). These models play significant roles across various application domains, ensuring both data security and privacy preservation in shared environments. The fundamental difference between Ciphertext-Policy Attribute-Based Encryption (CP-ABE) and Key-Policy Attribute-Based Encryption (KP-ABE) lies in the embedding position of the access policy, the authority over access control, and the directionality of the operational logic. In CP-ABE, the access policy, which may include complex logical expressions such as (Doctor AND Cardiology) OR Director, is embedded directly into the ciphertext by the data owner, who thus retains full control over the definition and enforcement of access rules. The user’s private key is associated with a set of attributes, and decryption is only possible if these attributes satisfy the policy specified in the ciphertext. This data-centric model enables fine-grained and dynamic access control, making it suitable for use cases like governmental hierarchical document sharing. However, it poses the risk of semantic leakage, as access policies in plaintext may reveal sensitive business logic (e.g., indicating that ‘directors can access this data’). Moreover, the computational burden of policy evaluation is shifted to the user side, potentially leading to higher decryption latency on resource-constrained devices such as mobile terminals. In contrast, KP-ABE embeds the access policy directly into the private key, such as (Position = Manager AND Department = R&D) OR Clearance ≥ 5, which is managed by a central authority. The ciphertext in this case only contains a lightweight set of attributes (e.g., {Department: R&D, Classification: High}). Successful decryption requires that the attributes in the ciphertext satisfy the policy hardcoded into the key. This authority-centric approach is particularly suitable for role-based access control in enterprise environments, where permissions are predefined and centrally distributed (e.g., a policy that ‘all R&D managers can access highly classified files’). KP-ABE supports efficient key management, but its flexibility is limited: once a policy has been embedded in the private key, the addition of new attributes or roles typically requires re-issuing keys or reconfiguring system-wide strategies. In summary, both CP-ABE and KP-ABE offer fine-grained access control, but with distinct trade-offs. CP-ABE favors dynamic, data owner-driven policy specification, at the cost of higher user-end computation and possible policy exposure, while KP-ABE prioritizes centralized policy enforcement and efficiency but lacks policy adaptability. The choice between the two should be informed by the rate of evolution of access requirements and the computational constraints of user devices in the target application scenario. A summary of attribute-based encryption techniques is presented in

Table 5. Table of attribute-based encryption (ABE) techniques.

Reference	Technique	Blockchain Usage
[83]	Access policy hiding	No blockchain
[84]	User accountability mechanism	No blockchain
[85]	Direct revocation mechanism	No blockchain
[86]	Black-box tracing	No blockchain
[87]	Optimization of national standard SM9	No blockchain
[88]	Blockchain + ABE + Searchable encryption	Consortium blockchain
[89]	Revocable ABE + Smart contract defense	Consortium blockchain

.

(1) CP-ABE and Data Sharing

The application of Ciphertext-Policy Attribute-Based Encryption (CP-ABE) in the data security sharing model is illustrated in Figure 5, involving four key entities: the Trusted third party, Data owner, Cloud server, and Data user. Initially, during the system setup phase, the Trusted third party generates and distributes the necessary system parameters to the data owner (used for encryption), and issues private keys bound to attribute sets to authorized data users—these keys and associated parameters must be kept confidential. Subsequently, the data owner defines an access policy (e.g., (A AND B) OR C) and uses the system parameters to encrypt the plaintext data accordingly, embedding the policy directly into the resulting ciphertext. The ciphertext is then outsourced to the cloud server for storage. When a data user requests access to the encrypted data, the system performs policy verification by comparing the user’s embedded attributes (contained in their private key) against the access structure encoded in the ciphertext. If the attribute set satisfies the policy, the user is able to successfully decrypt and access the data. Otherwise, the access attempt is denied. This model enables fine-grained access control and significantly enhances both the security and flexibility of data sharing, especially in environments where sensitive information must be selectively disclosed based on user roles or qualifications.

Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is a type of attribute-based encryption technique initially proposed by Bethencourt et al. in 2007 [90]. In this model, data owners define access policies and embed them into the ciphertext, allowing users to decrypt the ciphertext only if their attributes satisfy the specified policy. Yang et al. [91] proposed an efficient data access control scheme for multi-authority cloud storage systems, constructing a novel multi-authority CP-ABE framework, in which the main decryption operations are outsourced to the server. Distinct from works such as [83,84,92], Liu et al. [93] introduced a new CP-ABE model with partially hidden access structures. This model extends the expressiveness of the access structures, enabling the handling of any Linear Secret Sharing Scheme (LSSS)-representable structures and offering greater flexibility and expressiveness. Zhang et al. [94] effectively addressed data security and user privacy issues in s-health applications by introducing the PASH framework. Leveraging the decentralized nature of blockchain, Wang et al. [95] proposed a secure cloud storage access control framework based on blockchain technology. By incorporating Ethereum smart contracts, they transformed traditional CP-ABE algorithms and established distributed access control between data owner nodes and data user nodes, thereby mitigating the risk of single points of failure. Wei et al. [96] presented a blockchain-based data sharing architecture for the Internet of Things (IoT), building a multi-centric trusted environment that eliminates data silos in IoT systems and facilitates collaboration among heterogeneous IoT platforms. Qin et al. [97] proposed a blockchain-based multi-authority access control scheme, where data access logs are recorded on the blockchain, addressing issues such as single-point failures and high computational and communication costs on the user side. Wang et al. [88] developed a fine-grained electronic health record sharing scheme based on the CP-ABE model, embedding access policies into the blockchain to ensure the integrity of query results during medical service delivery. To prevent Economic Denial of Sustainability (EDoS) attacks, Zhang et al. [89] designed a fine-grained access control mechanism using the CP-ABE model. By validating whether data owners possess legitimate access rights through blockchain verification, the scheme effectively defends against collusion between semi-trusted cloud service providers and malicious users. In the context of the metaverse, Zhang et al. [98] integrated non-interactive zero-knowledge proofs into CP-ABE, achieving fine-grained access control, while ensuring data confidentiality during user information exchanges.

(2) KP-ABE and Data Sharing

The application of Key-Policy Attribute-Based Encryption (KP-ABE) in the data security sharing model is illustrated in Figure 6, involving four critical entities: the Trusted third party, Data owner, Cloud server, and Data user. In this framework, the Trusted third party—often referred to as the Key Generation Center—is responsible for generating the global system parameters and the master secret key. The system parameters are securely distributed to the data owner for data encryption, while the private key issued to each data user is embedded within an access structure, representing the user’s decryption policy. The data owner encrypts plaintext data by associating it with a set of descriptive attributes (e.g., ‘Type: Research Report’, ‘Confidentiality: High’) using the system parameters, and uploads the resulting ciphertext to the cloud server. Notably, the cloud server serves solely as a storage provider, without engaging in access control decisions or key management, thereby maintaining a separation of duties and reducing trust assumptions. When a data user retrieves ciphertext from the cloud, they attempt to decrypt it using their attribute-based private key. Decryption is successful only if the attribute set embedded in the ciphertext satisfies the access structure encoded within the user’s key (e.g., ‘Department = R&D AND Role = Supervisor’). Otherwise, the decryption attempt fails, and access to the data is denied. This model achieves fine-grained and flexible access control by embedding access policies directly into the users’ private keys, thus allowing centralized management of access privileges, while ensuring that sensitive data remain confidential and securely managed within the cloud environment.

In 2006, Goyal et al. [99] introduced KP-ABE (Key-Policy Attribute-Based Encryption), in which the ciphertext is associated with a set of attributes, and the user’s secret key embeds the access policy. A user can decrypt a message only if the attribute set satisfies the access policy. The access policy is typically represented as an access tree, where the leaf nodes are labeled with attributes, and the internal nodes are threshold gates of the form $[m,n]$, meaning that at least m out of n attributes must be satisfied for decryption to succeed. In 2017, Ma et al. [85] proposed a directly revocable and verifiable large-universe KP-ABE scheme, which supports a large attribute universe, without requiring enumeration during the setup phase. In 2020, Ye et al. [86] introduced a traceable unbounded KP-ABE scheme that maintained a fixed ciphertext size, enhancing scalability and accountability. In 2021, Ji et al. [100] presented an efficient construction method for CP-ABE based on the SM9 standard, enabling SM9 to support fine-grained access control and better serve scheduling and control in cloud environments. Building upon this, in 2024, Liu et al. [87] developed two novel KP-ABE schemes based on SM9. The first scheme, SM9-S.ABE, is optimized for small attribute domains, while the second, SM9-L.ABE, targets large attribute domains. Both schemes adopt a secret key and ciphertext structure similar to the original SM9 identity-based encryption algorithm, allowing seamless integration into SM9-based information systems, such as cloud servers and blockchain platforms.

4.4. Key Agreement and Secure Data Sharing

Key agreement refers to the process by which communicating parties (typically two or more) jointly compute and ultimately derive a shared session key through a series of interactive protocols, without relying on any pre-distributed secret keys. Each party uses their own private parameters (such as private keys or random numbers) to participate in this process. In 1976, Diffie and Hellman proposed the first public key agreement protocol [101], which addressed the key distribution problem and enabled two parties to exchange public information over an insecure channel, while establishing a shared secret key. This work laid the foundation for public-key cryptography. However, the original protocol lacked authentication mechanisms, making it vulnerable to man-in-the-middle attacks, and it did not support multi-user scenarios. Subsequently, to enhance the efficiency and security of group key agreement protocols, researchers have developed various schemes based on tree structures, identity-based cryptography, and lattice-based cryptography. In 2004, Amir et al. [102] introduced the Tree-based Group Diffie–Hellman (TGDH) protocol, which was the first to leverage tree structures to optimize communication and computation in group key agreement. Since then, group key agreement protocols have continued to evolve. In 2020, Luo et al. [103] proposed a cross-domain certificate-authenticated group key agreement (GKA) protocol tailored for 5G network slicing, enabling dynamic group membership management. Rawat et al. [104] proposed the GKAP algorithm, which combines tree structures with elliptic curve cryptography. By employing a divide-and-conquer strategy, the group is partitioned into smaller subgroups that form a hierarchical tree structure. The algorithm is resilient against passive attacks, collusion attacks, forward secrecy, backward secrecy, and man-in-the-middle attacks. An example of the group key agreement process is illustrated in Figure 7. In this example, a group of size eight is divided using the divide-and-conquer strategy. Subsequently, the Elliptic Curve Diffie–Hellman (ECDH) protocol is applied to the leaf nodes or participants $N_1,N_2,N_3,N_4,N_5,N_6,N_7$, and $N_8$ of the tree. Participants $N_1,N_3,N_5$, and $N_7$ sequentially share their public keys $P{K}_1={\alpha }_1\times G$, $P{K}_3={\alpha }_3\times G$, $P{K}_5={\alpha }_5\times G$, and $P{K}_7={\alpha }_7\times G$ with $N_2,N_4,N_6$, and $N_8$, respectively. Likewise, participants $N_2,N_4,N_6$, and $N_8$ share their public keys $P{K}_2={\alpha }_2\times G$, $P{K}_4={\alpha }_4\times G$, $P{K}_6={\alpha }_6\times G$, and $P{K}_8={\alpha }_8\times G$ with $N_1,N_3,N_5$, and $N_7$, respectively. Then, the subgroups of size 2 (i.e., tree nodes with level $l=2$), such as $N_1,N_2$, $N_3,N_4$, $N_5,N_6$, and $N_7,N_8$, each compute a shared group key based on their corresponding scalar multiplications: ${\alpha }_1\times {\alpha }_2\times G$, ${\alpha }_3\times {\alpha }_4\times G$, ${\alpha }_5\times {\alpha }_6\times G$, and ${\alpha }_7\times {\alpha }_8\times G$, respectively. These resulting group keys correspond to common generator points represented as $R_1(x_{R1},y_{R1})$, $R_2(x_{R2},y_{R2})$, $R_3(x_{R3},y_{R3})$, and $R_4(x_{R4},y_{R4})$. In 2021, Gan et al. [105] proposed an asymmetric group key agreement protocol based on attribute thresholds. In this scheme, users can participate in mutual authentication and key negotiation with the key generation center by satisfying a sufficient number of attributes, without disclosing personal information. Chen et al. [106] introduced a group authentication and key agreement scheme for medical Internet of Things (IoMT) applications, leveraging extended chaotic maps to address challenges related to energy consumption, privacy, and security. In 2022, Braeken et al. [107] proposed a single-round lightweight elliptic curve-based alternative scheme, where group members achieve self-authentication through QuVanstone certificates. Wang et al. [108] presented a two-round dynamic authenticated group key agreement protocol based on the Learning With Errors (LWE) problem and proved its security under the standard model. In 2023, Zhang et al. [109] proposed a single-round dynamic authenticated asymmetric group key agreement protocol with sender non-repudiation and privacy preservation. The protocol was shown to resist chosen ciphertext attacks (CCA) under the hardness assumptions of the Computational Diffie–Hellman (CDH) and the k-bilinear Diffie–Hellman Exponent (BDHE) problems. In the same year, Zhang et al. [110] also introduced a Threshold Authentication Group Key Agreement (TAGKA) protocol, which effectively addresses the problem of group key recovery after member disconnection. Yang et al. [111] proposed a dynamic contributory group key agreement protocol (GKA-SS) based on short signatures. The protocol utilizes bilinear pairings to support the signing and verification processes, and provides rigorous security proofs ensuring resistance against both active and passive attacks. In 2024, Cui et al. [112] designed a dynamic group authentication and key agreement protocol for C-V2X environments (V2X-GKA), which integrates Elliptic Curve Discrete Logarithm (ECDL) and Decisional Bilinear Diffie–Hellman (DBDH) assumptions. This protocol effectively mitigates the risks of certificate forgery and key compromise, while enabling dynamic member management and secure key updates. Cao et al. [113] proposed a conditionally private and efficient dynamic group key agreement protocol (SC-AGKA) based on a self-certified encryption system, aiming to address security issues in Vehicular Ad Hoc Networks (VANETs).

Meanwhile, blockchain-based group key agreement protocols have also seen significant advancements. Due to its decentralized nature, immutability, and transparency, blockchain technology has been widely adopted to enhance the security and trustworthiness of key agreement processes. In 2020, Zhang et al. [114] proposed a blockchain-based asymmetric group key agreement protocol that protects user privacy through anonymous authentication and optimizes both computational and communication overheads. In the same year, Xu et al. [115] introduced a blockchain-based identity authentication and dynamic group key agreement scheme, which improves efficiency by simplifying the authentication process. In 2021, Chen et al. [116] introduced a novel entity called the ‘device manager’ and proposed a blockchain-based authenticated group key agreement protocol to bridge IoT devices with blockchain networks. In 2022, Naresh et al. [117] proposed a blockchain-based two-party elliptic curve Diffie–Hellman protocol, while Wang et al. [118] designed a pairing-free authenticated group key agreement scheme based on blockchain, tailored for smart grid environments, with improved computational efficiency and security. In 2023, Xu et al. [119] proposed an anonymous authentication dynamic group key agreement scheme based on blockchain and a token mechanism, significantly reducing computational and transmission costs. In the same year, Chhikara et al. [120] proposed a novel blockchain-based group key agreement protocol that employs roadside units (RSUs) as semi-trusted entities to reduce latency and operational cost. In 2024, Pérez-García et al. [121] introduced a group communication key management protocol designed for IoT environments. This protocol leverages distributed blockchain infrastructure and smart contract technology to ensure anonymity and automated key revocation. During the key agreement phase, the service provider (SP) distributes keying material to group members via the blockchain, enabling each member to locally derive the group key. Initially, each node receives a pseudonym and corresponding certificate generated by the service provider to preserve anonymity within the group. The service provider then records the keying material, including member-specific key shares, onto the blockchain. Upon retrieving this information, each group member can locally compute the group key and verify its validity. A comparison of the relevant literature is presented in

Table 6. Comparison table of group key distribution methods.

References	Method	Main Security Objectives	Blockchain Usage
[101,104]	Tree structure	Confidentiality, forward secrecy	No blockchain
[103,114,115]	Elliptic curve	Identity anonymity, cross-domain authentication	Consortium/private blockchain
[108]	LWE	Post-quantum security, authentication	No blockchain
[119,120]	Bilinear mapping	Timeliness, low latency	Consortium/private blockchain
[121]	Smart contract	Anonymity, automatic key revocation	Distributed blockchain

.

4.5. Key Distribution and Secure Data Sharing

Key distribution refers to the process in communication systems whereby session keys or symmetric keys are securely delivered to communicating parties via one or more trusted entities (such as a Key Distribution Center (KDC) or a Certificate Authority (CA)). In this process, the KDC typically shares a long-term key with each communicating party in advance, which is then used to encrypt, sign, or authenticate the newly distributed session key to ensure that only legitimate entities can obtain and use the key. In 2020, Yıldız et al. [122] proposed a lightweight group authentication and key distribution protocol that integrates Physical Unclonable Functions (PUFs), factorial trees, and the Chinese Remainder Theorem (CRT). The PUFs enable lightweight identity authentication and key distribution for group members, while the factorial tree and CRT effectively reduce node storage overhead and the number of communication messages during key updates. In the same year, Kumar et al. [123] proposed a more efficient centralized group key distribution protocol that significantly reduces the computational burden on the key server during the key update phase and balances the computational cost among member nodes during key recovery. They further extended this work by introducing a cluster-tree-based enhanced CGKD protocol, which effectively addresses the scalability issues caused by dynamic group membership changes. In 2021, Harn et al. [124] introduced a novel group key distribution scheme whose underlying protocol relies solely on logical XOR operations, thereby greatly simplifying the computational complexity of protocol implementation. In 2022, Hougaard et al. [125] were the first to design a balanced-tree group key exchange protocol based on the supersingular isogeny Diffie–Hellman (SIDH) scheme, achieving linear communication and storage complexity. That same year, Taurshia et al. [126] proposed a group key management scheme for resource-constrained IoT devices, utilizing a Software-Defined Networking (SDN)-assisted trusted key management server as the central authority, improving the practicality of group key management in IoT environments. Also in 2022, Harn et al. [127] introduced the first lightweight authenticated group key distribution scheme that involves only logical operations and is compatible with various authenticated pairwise key distribution mechanisms. In parallel, Gebremichael et al. [128] proposed a novel one-way function based on lattice cryptography, leveraging well-designed lattice trapdoors for inversion. By coupling multiple private keys into a single public key for group message encryption, the scheme demonstrates potential quantum resistance. In 2023, Luo et al. [129] proposed an information-theoretically secure (ITS) group authentication scheme that reduces key consumption in quantum key distribution (QKD) networks. Through the collaboration of multiple QKD nodes, group authentication tasks can be completed with significantly reduced key usage. In 2024, Cheng et al. [130] introduced an anonymous identity authentication and group key distribution scheme based on quantum random numbers. In this scheme, vehicles generate anonymous certificates by combining quantum randomness with parameters provided by a trusted authority (TA), and mutual authentication with roadside units (RSUs) is performed via zero-knowledge proofs, preserving vehicle identity privacy. For key distribution, a joint key generation mechanism is employed, in which the TA and RSUs collaboratively generate the group key. Specifically, the TA first generates a parameter $GS{P}_c$ using a quantum random number generator and encrypts it with a pre-distributed quantum key to ensure secure transmission of keying materials. The RSU computes another key parameter $GS{P}_r$ by processing the anonymous credentials of authenticated vehicles. These parameters are then broadcast to group members, who compute the final group session key locally using the received $GS{P}_r$ and the TA-sent $GS{P}_c$. This method enhances key distribution efficiency, reduces computational and communication overheads, and guarantees both forward and backward secrecy during key updates. In the same year, Al-Mohammed et al. [131] addressed the security needs of constrained IoT devices in high-speed train (HST) environments by proposing a quantum key distribution solution tailored for high-speed space transmission systems. Their approach leverages free-space optical (FSO) communication to establish a high-speed, quantum-resistant data channel.

In the field of blockchain-based group key distribution protocols, several advances have been made to address challenges in dynamic and resource-constrained environments. In 2019, Li et al. [132] proposed a blockchain-based mutual recovery group key distribution scheme for unmanned aerial ad hoc networks (UAANETs), aimed at addressing the problem of the group key loss caused by unstable wireless channels and highly dynamic network topologies. The scheme utilizes a private blockchain maintained by the ground control station (GCS) to record and manage group key broadcasts. Through the longest-chain mechanism, nodes can effectively recover lost group keys from neighboring nodes. In 2022, Heo et al. [133] proposed a hierarchical blockchain-based group and subgroup key management scheme for urban computing scenarios. The upper-layer blockchain is used by unmanned aerial vehicles (UAVs) to monitor and record the mobility and density of IoT nodes, while the lower-layer blockchain, maintained by base stations (BSS), is responsible for tracking the mobility information of grouped IoT nodes. In 2023, Shawky et al. [134] introduced a key-based group signature method to meet the security and privacy requirements of vehicular ad hoc networks (VANETs). In the same year, Al-Mohammed et al. [135] implemented an Asynchronous Ratcheting Tree (ART) protocol based on blockchain. This protocol leverages smart contracts for distributed certificate creation and incorporates a reputation mechanism to address the heterogeneity of IoT devices in terms of resource capabilities.

4.6. Incentive Mechanisms and Secure Data Sharing

Figure 8 illustrates data sharing based on a third-party platform (e.g., cloud server). Typically, data users publish their data requests on a cloud server, which then recruits data owners to share their data. The cloud server verifies the data uploaded by data owners and, upon validation, forwards it to the data users. After receiving the data, the data users reward both the cloud server and the data owners accordingly. In data sharing models, the data owner serves as the principal rights holder of the data asset, possessing full ownership over the data. The cloud server acts as an intermediary for data transactions, responsible for collecting, storing, and auditing the data uploaded by the data owner. The data user represents the ultimate consumer of the data, employing technical means to extract the latent value of the data and thereby fully realize its potential worth. From a game-theoretic perspective, all parties may act dishonestly in pursuit of maximizing their own interests.

In constructing a sustainable data sharing ecosystem, the Shapley value, Stackelberg game, auction theory, contract theory, and evolutionary game models provide theoretical support from different perspectives, including fairness, incentive mechanism design, resource allocation efficiency, incentive compatibility, and dynamic adaptability. Specifically, the Shapley value model focuses on fair revenue distribution based on marginal contributions within a cooperative game framework, thereby fostering trust and sustained collaboration among participants. The Stackelberg game, through its leader–follower decision structure, effectively addresses information asymmetry and conflicts of interest, enabling strategic guidance and incentive constraints; it is particularly suitable for platform-driven data sharing mechanism design. Auction theory emphasizes efficient resource allocation and price discovery through bidding mechanisms, enhancing the economic efficiency of the system. Contract theory concerns itself with incentive compatibility and constraint mechanisms to resolve multi-party incentive coordination problems under information asymmetry. Evolutionary game models introduce temporal dynamics and bounded rationality to characterize the adaptive evolution of participants’ strategies in response to environmental feedback, thus better reflecting the behavioral changes of users and the stability of the ecosystem in real-world systems.

Table 7. Game-theoretic models in data sharing.

Reference	Game-Theoretic Method	Blockchain Usage
[136]	Shapley value	No blockchain
[137]	Evolutionary game	No blockchain
[138]	Contract theory	No blockchain
[139,140]	Stackelberg game	No blockchain
[141]	Auction theory	Consortium blockchain
[142]	Shapley value	Consortium blockchain
[143]	Stackelberg game	Consortium blockchain

summarizes the game-theoretic models relevant to data sharing, while

Table 8. Comparison of game-theoretic models in data sharing.

Game Model	Main Characteristics	Advantages	Limitations	Application Scenario Examples
Shapley Value	Cooperative game; payoff allocation based on marginal contribution	Emphasizes fairness; suitable for multi-party collaboration	Ignores strategy evolution and information asymmetry	Multi-party data sharing, joint incentive mechanisms
Evolutionary Game	Non-cooperative; strategies evolve dynamically over time	Models group behavior changes and game dynamics	Difficult to derive analytical solutions; strong parameter dependence	Evolution of user authorization behavior, strategy adaptation
Contract Theory	Designs contracts to incentivize participant behavior	Incentive compatibility; suitable for privacy protection	Often assumes static settings; limited adaptability to real-world contexts	Privacy-preserving mechanisms, data trading contracts
Auction Theory	Competitive bidding among multiple parties for allocation	Efficient resource allocation; includes incentives	Requires mechanism design and stability analysis	Anonymous data trading, access rights pricing
Stackelberg Game	Leader–follower sequential decision-making	Hierarchical structure; suitable for pricing and incentives	Clear role division; may rely on idealized assumptions	Platform pricing, data circulation strategy design

presents a comparative analysis of these models.

(1) Without Blockchain Integration

Cai et al. [136] employed the Shapley value in wireless mobile ad hoc networks to promote cooperative behavior and designed an incentive mechanism based on individual contributions to motivate service providers. Ali et al. [144] examined online data sharing in social networks from a game-theoretic standpoint, demonstrating that when blacklisting is used as a trigger strategy, sharing conditions tend to stabilize. Kantarcioglu et al. [145] proposed a game-theoretic mechanism to incentivize truthful data sharing in distributed data mining. Yassine et al. [146] introduced a game-theoretic model to balance the benefits of data utilization and individual privacy in deregulated smart grids. Kamhoua et al. [147] applied a game-theoretic approach (a zero-sum Markov game model) to help online social network (OSN) users determine optimal data sharing strategies. Xiao et al. [148] proposed a game-theoretic method for data sharing in vehicular ad hoc networks (VANETs), where the platform’s payment strategy is guided by reinforcement learning. Tosh et al. [137] developed an evolutionary game-theoretic framework to study the economic implications of cybersecurity information sharing and its incentives, aiming to foster inter-organizational threat intelligence sharing. Lu et al. [138] adopted contract theory to model incentive mechanisms for cooperative spectrum sharing in cognitive IoT networks under OFDM, especially under conditions of incomplete information in real-world scenarios. An et al. [149] combined network Data Envelopment Analysis (DEA) with the Shapley value method to explore resource sharing and revenue allocation in a three-stage system. In [150], two social-aware incentive mechanisms—a one-hop-based social-aware incentive mechanism (OSIM) and a relay-based social-aware incentive mechanism (RSIM)—were proposed to address resource sharing issues in the Industrial Internet of Things (IIoT) that are constrained by social and local factors. Yi et al. [151] analyzed and modeled a novel information diffusion process driven by service incentives, describing the dynamic evolution of device interactions in IIoT. This model aims to address the challenge of information dissemination in industrial IoT applications when diverse service demands require incentive-driven communication. To facilitate data transactions and achieve a fair evaluation of data value, while balancing the interests of multiple stakeholders, Zhu et al. [139] proposed a data trading approach that integrates a data valuation mechanism with a three-stage Stackelberg game. This method aims to guide the strategic choices of all participants and optimize their utilities through game-theoretic modeling. Yu et al. [140] introduced a tripartite incentive mechanism incorporating social relationships, which models the interactions among data requesters, service providers, and mobile users using a three-stage Stackelberg game. The approach comprehensively considers data quality, reputation, and social utility to better align incentives.

(2) Blockchain-Based Approach

Blockchain-based data sharing typically involves data users, data owners, the blockchain network, and smart contracts. Data users publish data requests on the blockchain network, while data owners provide the requested data, which data users can then access. Transaction records are immutably stored on the blockchain. Once the data have been received by the data users, the data owners are rewarded accordingly. The blockchain ensures the security of the model-sharing process, enables the identification of malicious participants, and protects the overall quality of the model. Smart contracts guarantee fair benefit distribution through automatic execution. Chen et al. [141] proposed a quality-driven auction-based incentive mechanism built on a consortium blockchain, to encourage user participation in data collection and sharing. Xuan et al. [152] introduced a blockchain smart-contract-based data sharing incentive model based on evolutionary game theory to address the issue of low user participation during data sharing. The model dynamically adjusts incentives and participation costs to maintain user engagement, although its incentive dimensions are relatively limited. Shen et al. [142] developed a data sharing model integrating blockchain and the Shapley value involving three types of participants, aiming to ensure data sharing is secure, trustworthy, and fairly incentivized. Wang et al. [153] proposed a new blockchain-based federated learning data sharing framework and an incentive mechanism based on reputation scores and the Shapley value to improve the sustainability of the federated learning system and ensure fair incentives for trusted participation and data sharing. Chen et al. [154] introduced a dynamic incentive model for federated learning (DIM-DS) based on smart contracts and evolutionary game theory. The model incorporates both reputation and monetary incentives by introducing a cryptocurrency called ‘Reputation Coin’, and analyzes the stability of user strategies using evolutionary game theory. Smart contracts are used to dynamically adjust user rewards on the blockchain, promoting frequent and stable user participation and improving the accuracy of federated learning models. Liu et al. [155] proposed a data sharing solution that integrates federated learning and blockchain to address endpoint heterogeneity and limited resources. A game-based two-stage incentive mechanism is incorporated to address privacy concerns and encourage broader participation. However, this scheme lacks consideration of complex real-world scenarios, suggesting the need for further refinement of incentive models. Li et al. [143] proposed a novel peer-to-peer electronic medical record (EMR) data management and transaction system based on consortium blockchain technology. To balance the supply and demand of EMR data, a Stackelberg pricing model was developed to evaluate the interaction between EMR data owners and consumers. Zhang et al. [156] constructed a multi-stage game theory model to investigate the interaction between blockchain adoption and information-sharing strategies, demonstrating that blockchain adoption can alleviate the bilateral marginalization effect and conditionally improve product quality. However, the study lacked effective simulation of the analytical process. Gan et al. [157] proposed a healthcare blockchain data sharing method based on asynchronous federated learning. To analyze the conflicts of interest among publishing nodes, committee nodes, and participating nodes, the study introduced a tripartite evolutionary game model, offering a theoretical framework that promotes sustainable data sharing.

5. Conclusions and Outlook

This paper described technical solutions for secure data sharing from four perspectives: proxy re-encryption, searchable encryption, key agreement and distribution, and attribute-based encryption. On the one hand, Attribute-Based Encryption (ABE) faces scalability challenges in large-scale scenarios. Future research may consider integrating ABE with blockchain technology to design decentralized attribute management and authorization mechanisms, thereby reducing reliance on centralized trust and improving the efficiency of key updates. On the other hand, Searchable Encryption (SE) lacks efficient revocation mechanisms in dynamic environments. A promising direction is to combine proxy re-encryption with revocable access control, enabling dynamic updates of ciphertext indexes and synchronized revocation of user permissions.

According to current domestic and international research developments, secure data sharing has attracted widespread attention from scholars around the world. Each of these four technologies has its own characteristics and is suitable for different secure data sharing scenarios, as shown in

Table 9. Comparison of secure data sharing technologies.

Technology	Core Advantages	Main Drawbacks	Application Scenarios	Category	Time Complexity
Proxy Re-Encryption (PRE)	Dynamic delegation, reduced user burden	Trust issues with proxy, high computational overhead	Cross-user sharing in cloud storage, medical data authorization	–	$O\left(n^3\right)$
Searchable Encryption (SE)	Direct ciphertext search, privacy protection	Information leakage risks, low efficiency with multiple keywords	Encrypted database query, EHR sharing	Symmetric/ Asymmetric	$O\left(n\right)$/$O\left(n^3\right)$
Key Agreement and Distribution	Support for dynamic groups, forward/ backward secrecy	High communication cost, synchronization challenges	IoT, IIoT, group communication networks	–	$O\left(n\right)$
Attribute-Based Encryption (ABE)	Fine-grained access control, multi-authority support	High computational complexity, difficult attribute revocation	Hierarchical data sharing, smart contract access control	CP-ABE/ KP-ABE	$O\left(n\right)$/$O\left(n\right)$

. To address the conflicts and contradictions between data privacy protection and data security, this paper also provided a detailed review of related literature based on game theory. By leveraging game-theoretic approaches, all parties can reach an equilibrium state during the process of interaction. This equilibrium ensures that, while each party pursues their own interests, they does not harm those of others, thereby enabling stable and sustainable data sharing.

However, modern encryption and decryption algorithms mainly rely on computational complexity. This high computational complexity ensures that eavesdroppers, without access to the encryption key, cannot feasibly perform the extensive calculations required to break the encryption within a limited timeframe, thus ensuring data security. At the same time, cryptographic keys must be updated regularly. As computational power continues to increase, traditional public–private key encryption methods based on large-number factorization are becoming less viable. In contrast, elliptic curve algorithms based on the discrete logarithm problem offer better computational efficiency. Nevertheless, with the advent of quantum computers, even these conventional encryption methods face significant security challenges.

Quantum Key Distribution (QKD) is based on fundamental principles of quantum mechanics—specifically, Heisenberg’s uncertainty principle and the no-cloning theorem. Unlike traditional encryption methods, QKD does not rely on assumptions about computational complexity and can provide users with unconditionally secure keys. This ensures the secure transmission of private information and effectively resists attacks by quantum computers. In Quantum Key Distribution (QKD), a secure quantum key is shared between the sender (Alice) and the receiver (Bob), following the process illustrated in Figure 9. Alice and Bob transmit quantum states via a quantum channel, while simultaneously using a public classical channel to compare measurement bases and auxiliary information. As a result, both parties securely obtain the same shared key, which is stored in their respective key management devices. If an eavesdropper (Eve) attempts to measure the quantum states using any basis, the original quantum information is necessarily disturbed, resulting in a significantly elevated error rate. To detect any potential eavesdropping, Alice and Bob sacrifice a subset of their key bits for comparison over the classical channel; if the observed error rate exceeds a predefined threshold, they conclude that the quantum channel has been compromised.

Although Quantum Key Distribution (QKD) theoretically provides information-theoretic security, it still faces multiple technical and non-technical limitations in real-world applications. Due to the limited efficiency of single-photon detectors, the key generation rate over long distances remains at the kbps level. For example, the ‘Micius’ satellite achieved a 1200 km satellite-to-ground QKD link, generating a key rate of 1.1 kbps. On fiber links over 1000 km, the key generation rate can be as low as $9.53\times {10}^{-12}$ bits per pulse. The satellite-based quantum decoy-state source transmits 250 million signal photons per second on average and extracts keys in real-time through combined uplink and downlink optical communication. A single orbital pass can generate approximately 250 kbits to 1 Mbit of secure key, with an average key rate of 3 kbps. QKD in fiber faces exponential signal attenuation caused by photon absorption and scattering. Ultra-long-distance commercial systems require intermediate relay nodes, and if such a node is physically compromised, the entire link could collapse. In addition, QKD devices are expensive and may be unaffordable for small and medium-sized organizations. Large-scale deployment of independent QKD systems over existing optical infrastructure incurs high retrofitting and operational costs, and suffers from poor scalability and flexibility.

Quantum keys generated via QKD can be used with classical cryptographic algorithms such as the one-time pad or AES to encrypt and decrypt classical data. QKD-based secure data sharing mainly includes the following two scenarios:

(1) When the data owner and the data user are located at either end of a QKD link, a symmetric quantum key is established via the quantum channel. Encrypted information is transmitted over a classical channel to achieve secure data sharing. However, due to the low key generation rate of QKD, it is difficult to encrypt large-volume data in real time.

(2) Under the scenario described in (1), only short- to medium-range, small-scale data sharing is feasible. To support high-security, high-volume, cross-domain, and multi-party collaborative data sharing with lower costs, a quantum key pool can be used to pre-store keys. Highly random quantum keys can then be distributed via classical means to users without QKD capabilities, enabling secure data sharing across multiple users.

Therefore, it is imperative to integrate quantum key distribution networks with classical communication infrastructure, to provide a secure foundation for scalable data sharing.