A Non-Interactive Attribute-Based Access Control Scheme by Blockchain for IoT

: As an important method of protecting data conﬁdentiality in the Internet of Things (IoT), access control has been widely concerned. Because attribute-based access control mechanisms are dynamic, it is not only suitable to solve the dynamic access problem in IoT, but also to deal with the dynamic caused by node movement and access data change. The traditional centralized attribute-based access control mechanism has some problems: due to the large number of devices in IoT, the central trusted entity may become the bottleneck of the whole system. Moreover, when a central trusted entity is under distributed denial-of-service (DDoS) attack, the entire system may crash. Blockchain is a good way to solve the above problems. Therefore, we developed a non-interactive, attribute-based access control scheme that applies blockchain technology in IoT scenarios by using PSI technology. In addition, the attributes of data user and data holder are hidden, which protects the privacy of both parties’ attributes and access policy. Furthermore, the experimental results indicate that our scheme has high efﬁciency.


Introduction
As the evolution of the Internet, the Internet of Things (IoT) [1] has been more and more widely used in people's lives. IoT generates a large amount of data, including personal data. Once these privacies are disclosed, it will bring great losses to users. As one of the important methods of data protection, access control mechanism can guarantee that data is only accessed by users with permission, which has made access control mechanism become an important research content in the security of IoT.
Attribute-based access control mechanism [2,3] is a dynamic access control model that uses attributes as determinants of access control. Compared with the identity-based access control mechanism, the attribute-based access control mechanism makes the attribute set be easily combined with the access structure to achieve fine-grained access control. Attribute sets can also easily represent the identities of certain groups of users, enabling one-to-many communication. Therefore, attribute-based access control can not only solve the dynamic access problem of nodes in the IoT, but also cope well with the dynamics caused by node movement and access data changes.
In traditional access control models, there is a centralized decision-maker to make access decisions based on access control policy and attribute information. Each access request is directed to the same central trusted entity, which holds all the information and makes all decisions based on the stored information. This approach has some drawbacks: when there are many devices in IoT networks, a central trusted entity may become the bottleneck of the entire system. Moreover, when a central trusted entity is under DDoS attacks, the entire system may be disabled.
Blockchain [4] is a good way to solve the above problems. Blockchain is well qualified to become the trusted third party in the access control mechanism in the IoT scenario due to its security, auditability, immutability, anonymity, and other characteristics. In terms of storage capacity, the storage capacity of blockchain is not cheap because it can only add blocks, not delete historical blocks, and as a distributed system, blockchain will keep the same content on every complete node. With the continuous development of blockchain, blockchain has evolved from a ledger database to a secure and trusted platform. The Ethereum-based blockchain has a Turing-complete virtual machine that can execute smart contracts for arbitrarily complex algorithms. Therefore, it is very practical to use smart contracts in the access control mechanism of the IoT.
To sum up, we propose a non-interactive, attribute-based access control scheme by blockchain for IoT. In our work, the data holder stores the data resources in the cloud server. When a user wants to access the data resources, the user first sends their own attribute set confidentially to the blockchain as a transaction. Subsequently, the smart contract of the blockchain will run the private set intersection (PSI) protocol to automatically determine whether the attribute set meets the access structure of the data holder. When the element number of the intersection achieves the threshold set by the data holder, the user is given access to the data holder's cloud data. In our scheme, instead of interacting with data users to verify that a data user is qualified, the data holder deploys their own access policy on the blockchain, and a smart contract automatically determines whether a user is qualified or not. By and large, our work can be summed up in three parts:

1.
We developed a non-interactive, attribute-based access control scheme by blockchain for IoT by using PSI technology. In addition, the attributes of data user and data holder are hidden, which protects the privacy of both parties' attributes and access policy.

2.
We provide complete security proof of our scheme.

3.
We simulated our scheme under the Ethereum Truffle development framework and provide an efficiency analysis.
The rest of our work is shown below. The related work and preliminaries are given in Sections 2 and 3. In Sections 4 and 5, our system model and security model are introduced. In Section 6, we provide our concrete access control scheme. The complete security analysis is presented in Section 7. In Section 8, we present comparisons and performance analysis. In the end, we provide a summary in Section 9.

Related Work
Traditional centralized attribute-based access control mechanisms have emerged one after another. For example, Yuan et al. [5], in order to deal with the issues around the fact that the access control models at that time were mostly static and coarse-grained, and thus were not suitable for the dynamic and temporary network service-oriented environment of information access, they proposed an attribute-based access control model, which was depended on the attributes of subjects, environments, and so on. To protect data access in the IoT, Hemdi et al. [6] developed an attribute-based access control mechanism. Their system is able to apply policies to find unauthorized users. Ouechtati et al. [7] proposed an access control system for IoT named Trust ABAC to deal with problems such as the limited storage capacity of mobile devices in the IoT.
However, this type of centralized attribute-based access control mechanism has some drawbacks: firstly, when there are many devices in IoT networks, a central trusted entity may become the bottleneck of the entire system. Moreover, when a central trusted entity is under DDoS attacks, the entire system may be disabled. To solve these problems, blockchain technology has been extensively studied by many scholars and applied to access control mechanisms [8][9][10][11][12].
Blockchain has the ability to technically force all participants to comply with the integrity under the assumption that none of the participants are trustworthy, and it has immutability and privacy protection. Thus, blockchain can become a trusted third platform in the access control for IoT. Some researchers focus on the reliable storage capacity of blockchain. They make use of the characteristics of blockchain, such as immutability and auditability, to provide a secure storage space. Dorri et al. [13] came up with an access control scheme in which the access policies are stored on blockchain and the immutable property of blockchain is used to generate a chronological and immutable transaction history. Alansari et al. [14] used blockchain as a platform to store access policies and users' attributes. The computation-intensive part is executed in Intel SGX, which is a secure hardware external to the chain. Blockchain is only used as a trusted platform to prevent data tampering.
In terms of storage capacity, since blockchain can only add blocks, it cannot delete historical blocks. In addition, as a distributed system, blockchain stores the same content on every full node, and thus the storage capacity of blockchain is not cheap. Therefore, some scholars do not store data on blockchain, the blockchain only stores hashes pointing to the data, and the blockchain is treated as a trusted platform for executable smart contracts. For example, a blockchain-based data access control protocol was provided by Rifi et al. [15] to address the issue of private personal data and sensitive medical data being collected. They took advantage of the computing power of blockchain to maintain authentication and communication between different nodes through three different types of smart contracts, and the transaction data are kept in another database. Cruz et al. [16] proposed a platform called RBAC-SC that leverages Ethereum's smart contract technology for the cross-organizational utilization of users. Zhang et al. [17] developed an access control scheme using smart contract to implement access control in IoT scenarios. An attribute-based access control scheme called TrustAccess was provided by Gao et al. [18] to prevent access policy and attributes leakage.
Blockchain has now evolved from a ledger database to a secure and trusted platform. The trusted computing power provided by blockchain is more valuable than the expensive storage capacity. Therefore, when using blockchain storage, users should store access control data, not data generated by IoT devices. In our proposed scheme, the blockchain stores access policies and users' attributes. The smart contract is applied to determine whether an attribute of a data user meets the access structure of the data holder.

Private Set Intersection (PSI)
Private Set Intersection protocol [19][20][21][22] can compute the intersection of two parties' sets secretly, and the two parties know only the cardinality or elements of the intersection and no other information.

Threshold Secret Sharing Scheme
In (S, T)-threshold secret sharing structure [23], let secret A be divided into T pieces, each of which is held by one party, such that A can be reconstructed from pieces held by at least S parties. In addition, these parties cannot obtain any information from pieces less than S.

System Model
In this section, as shown in Figure 1, our system model is given. The model consists of four parties, which are blockchain, cloud server, data user, and data holder.
(1) A data holder stores data in a cloud server.
(2) The data holder uploads access policy to blockchain as a transaction.
(3) If a user wants to obtain the data holder's data, the user first sends their attributes set and public key to blockchain as a transaction.
(4) The smart contract of blockchain runs PSI protocol to obtain cardinality of the intersection. When the element number of the intersection reaches the threshold set by the data holder, the user is allowed to access the data holder's data.
Electronics 2021, 10, 1855 4 of 11 (5) The data holder uses the public key that belongs to the selected data user to encrypt the data address or access token. (6) The data holder sends the ciphertext to the data user.
(3) If a user wants to obtain the data holder's data, the user first sends their attributes set and public key to blockchain as a transaction.
(4) The smart contract of blockchain runs PSI protocol to obtain cardinality of the intersection. When the element number of the intersection reaches the threshold set by the data holder, the user is allowed to access the data holder's data. (5) The data holder uses the public key that belongs to the selected data user to encrypt the data address or access token. (6) The data holder sends the ciphertext to the data user.

Security Model
We only assume that adversaries are semi-honest rather than malicious in our security model. This is because if a data holder is malicious in our scenario, they may lie about having some important data to attract users to access. Users will no longer trust the data holder if they find that they have been cheated. The data holder will lose the opportunity to service data users and earn service fees. If a data user is malicious in our scenario, they may fake their own attributes to accommodate the data holder's access structure. Since the PSI protocol is used in our scheme, neither the data user nor the data holder knows which attributes the other has.
In the security model, the adversary corrupts one of the parties. This party abides the protocol directives but may learn more information than allowed after getting transcript of messages. Security of a two-party computing protocol means that both parties do not disclose their input, i.e., security is confidentiality.
R p q and 2 ( , ) R p q are the first element and the second element of ( , ) R p q , respectively. Let TPP be a twoparty protocol that computes R .

Security Model
We only assume that adversaries are semi-honest rather than malicious in our security model. This is because if a data holder is malicious in our scenario, they may lie about having some important data to attract users to access. Users will no longer trust the data holder if they find that they have been cheated. The data holder will lose the opportunity to service data users and earn service fees. If a data user is malicious in our scenario, they may fake their own attributes to accommodate the data holder's access structure. Since the PSI protocol is used in our scheme, neither the data user nor the data holder knows which attributes the other has.
In the security model, the adversary corrupts one of the parties. This party abides the protocol directives but may learn more information than allowed after getting transcript of messages. Security of a two-party computing protocol means that both parties do not disclose their input, i.e., security is confidentiality. Let and R 2 (p, q) are the first element and the second element of R(p, q), respectively. Let TPP be a two-party protocol that computes R. V IEW TPP 1 (p, q) = p, d 1 , n 1 1 , · · ·, n t 1 represents the view of the data holder, where d 1 is the random number generated by the data holder during the execution of the protocol, and n i 1 (i = 1, · · ·, t) represents the i message received by the data holder. Similarly, V IEW TPP 2 (p, q) = q, d 2 , n 1 2 , · · ·, n t 2 represents the view of the data user. Let OUTPUT TPP 1 (p, q) and OUTPUT TPP 2 (p, q) be the outputs of the two respective parties.
We say that TPP computes R securely if there exist probabilistic polynomial time algorithms Sim 1 and Sim 2 such that where |p|=|q|, Sim 1 and Sim 2 are simulators. The symbol c ≡ represents computationally indistinguishable.

Our Proposed Scheme
Let algorithms 1 Sim and 2 Sim such that Sim and 2 Sim are simulators. The symbol c ≡ represents computationally indistinguishable.

Our Proposed Scheme
Let  be a group of prime order q , g and h be generators of  , and : e × →    be a bilinear map. Let (1) A data holder creates a polynomial The data holder selects (2) For each y Y ∈ , a data user chooses s randomly from * q  . Then, they compute and send to blockchain. Sim p R p q R p q VIEW Sim and 2 Sim are computationally indistinguishable.

Our Proposed Scheme
Let  be a group of prime order : (1) A data holder creates a polynomial The data holder selects {( ( , ( , )), ( , Sim p R p q R p q Sim computationally indistingui

Our Proposed Scheme
Let  be a group of prime order q , g and h be generators of  (1) A data holder creates a polynomial The data holder selects (2) For each y Y ∈ , a data user chooses s randomly from * q  . Then, they compute and send to blockchain.
and makes T 0 = g t 0 , t 1 , · · ·, S m = hg qm tm are sent to the smart contract of blockchain by the data holder.
(2) For each y ∈ Y, a data user chooses s randomly from We say that   (1) A data holder creates a polynomial The data holder selects to blockchain.
If and only if y ∈ X, Q(y) = 0, E = e(F, h), then the smart contract outputs 1, which means the y uploaded by the data user is in the data holder's attributes set. Otherwise, the smart contract outputs 0. In the above process, the smart contract only knows the number of y that is in the data holder's attributes set. Therefore, in our scheme, the privacy of the access policy and the privacy of the attributes of both parties are protected.

• The function of h:
If there is no h in our scheme, S 0 = g q 0 t 0 , S 1 = g q 1 t 1 , · · ·, S m = g qm tm . In this case, anyone Since ∑ m i=0 t i y i is a random polynomial, e(g, g) Q(y) is hidden by e(g, h) ∑ m i=0 t i y i .

• The function of s:
If there is no s, then for any y, anyone can figure out T

Security Analysis
(1) A data user is a semi-honest adversary: The simulator Sim 1 , which simulates the data holder, is created as follows: X, |X ∩ Y|, and |Y| are taken as inputs, which means that the simulator Sim 1 can obtain nothing except the data holder's input X and |X ∩ Y| and |Y| obtained after the end of the protocol.
Moreover, Sim 1 obtains public parameters T 0 = g t 0 , T 1 = g t 1 , · · ·, T m = g t m , and S 0 = 2 , · · ·, T sy m m ) = (g st 0 y 0 , g st 1 y 1 , g st 2 y 2 , · · ·, g st m y m ) sent by the data user to blockchain can be simulated by Sim 1 . The following procedure is performed |Y| times (X 0 is initially set to be empty): • If the smart contract outputs 1,

Security Analysis
(1) A data user is a semi-honest adversary: The simulator 1 Sim , which simulates the data holder, is created as follows: X , | | X Y  , and | | Y are taken as inputs, which means that the simulator Sim . The following procedure is performed | | Y times ( 0 X is initially set to be empty): • If the smart contract outputs 1, The data holder can obtain X , | | X Y  , and | | Y . Anything else the data holder sees can be simulated by 1 Sim . Thus, the data holder cannot obtain any other useful information about the protocol.

computes and outputs
(2) A data holder is a semi-honest adversary: , x ← R X\X 0 , computes and outputs h). Moreover, due to the randomness of s, the tuple T sx 0 0 , T sx 1 1 , · · ·, T sx m m is indistinguishable from the tuple of the data user sent to blockchain in the real experiment.
• If the smart contract outputs 0, x ∈ G\X, compute T sx 0 0 , T sx 1 1 , · · ·, T sx m m so that E = e(F, h) is not true, unless Q(x) = 0. However, the probability of this event is negligible.
The data holder can obtain X, |X ∩ Y|, and |Y|. Anything else the data holder sees can be simulated by Sim 1 . Thus, the data holder cannot obtain any other useful information about the protocol.
(2) A data holder is a semi-honest adversary: The simulator Sim 2 , which simulates the data user, is constructed as follows: Y, |X ∩ Y|, and |X|= m are taken as inputs, and |X ∩ Y| elements are picked in Y. Moreover, m−|X ∩ Y| elements are picked in G\Y to form set X. Then, construct polynomial

Comparisons and Performance Analysis
As can be seen in Table 1, we first compared our scheme with [8][9][10]18] in terms of attribute privacy, access policy privacy, and so on. In terms of no intermediary party involved, Zhang et al. [8] and Chen et al. [10] need an intermediary party to distribute keys. However, in our scheme, no intermediate party is required to distribute keys. In terms of access policy privacy, in our scheme, the smart contract runs the private set , outputs T 0 = g t 0 , T 1 = g t 1 , · · ·, T m = g t m and S 0 = hg q 0 t 0 , S 1 = hg q 1 t 1 , · · ·, S m = hg qm tm . These two tuples make |X ∩ Y| elements in Y satisfy E = e(F, h).
The data user can obtain Y, |X ∩ Y|, and |X|. Anything else the data user sees can be simulated by Sim 2 . Thus, the data user cannot obtain any other useful information about the protocol.
(3) Access policy privacy In our scheme, the smart contract runs the private set intersection protocol to determine whether the attributes set of a data user meets the access structure of the data holder. The data user does not know the specific access policy of the data holder.
(4) Attribute privacy In our scheme, the attributes of the data holder X = {x 1 , x 2 , · · ·, x m } are converted to a polynomial Q(x), and the coefficients of the polynomial q 0 , . . . , q m are then placed on the exponent of S 0 , S 1 , · · ·, S m . Next, S 0 = hg q 0 t 0 , S 1 = hg q 1 t 1 , · · ·, S m = hg qm tm are sent to the smart contract of blockchain by the data holder. Thus, the privacy of data holder's attributes is protected. Moreover, for each y ∈ Y, a data user chooses s randomly from (1) A data holder creates a polynomial The data holder selects (2) For each y Y ∈ , a data user chooses s randomly from  2 , · · ·, T sy m m ) = (g st 0 y 0 , g st 1 y 1 , g st 2 y 2 , · · ·, g st m y m ) to blockchain. The attributes of the data user are hidden in the exponent of g. Therefore, the privacy of data user's attributes is protected.

Comparisons and Performance Analysis
As can be seen in Table 1, we first compared our scheme with [8][9][10]18] in terms of attribute privacy, access policy privacy, and so on. In terms of no intermediary party involved, Zhang et al. [8] and Chen et al. [10] need an intermediary party to distribute keys. However, in our scheme, no intermediate party is required to distribute keys. In terms of access policy privacy, in our scheme, the smart contract runs the private set intersection protocol to determine whether the attributes set of a data user meets the access structure of the data holder. The data user does not know the specific access pol-icy of the data holder. In terms of attribute privacy, in our scheme, the attributes of the data holder X = {x 1 , x 2 , · · ·, x m } are converted to a polynomial Q(x), and the coefficients of the polynomial q 0 , . . . , q m are then placed on the exponent of S 0 , S 1 , · · ·, S m . Then, t 1 , · · ·, S m = hg qm tm are sent to the smart contract of blockchain by the data holder. Thus, the privacy of data holder's attributes is protected. Moreover, for each y ∈ Y, a data user chooses s randomly from computationally indistinguishable.

Our Proposed Scheme
Let  be a group of prime order q , g and h be generators of  , and : e × →    be a bilinear map. Let (1) A data holder creates a polynomial The data holder selects (2) For each y Y ∈ , a data user chooses s randomly from * q  . Then, they compute and send 2 , · · ·, T sy m m ) = (g st 0 y 0 , g st 1 y 1 , g st 2 y 2 , · · ·, g st m y m ) to blockchain. The attributes of the data user are hidden in the exponent of g. Thus, the privacy of data user's attributes is protected. In terms of fine granularity, since the access control mechanism we have proposed is an attribute-based access control mechanism, we can implement fine-grained access control. In terms of encrypted storage, in our scheme, after selecting a data user, the data holder uses the public key that belongs to the selected data user to encrypt the data address or access token and sends to the data user. In terms of non-interactivity, in our scheme, the data user and the data holder do not need to interact for access control operations. Only our proposed scheme can satisfy the above six properties, which are attribute privacy, access policy privacy, fine granularity, encrypted storage, non-interactive, and no intermediary party involved. In addition, as shown in Figure 2, since the scheme in [18] is interactive and our scheme is non-interactive, the efficiency of our scheme is higher than that in [18].
The scheme in [18] is interactive. Because in their scheme, the data user first generates a proof to prove his attributes set satisfies the access policy of the data owner. Then, the data owner generates the decryption key for the data user by the data user's attributes. In addition, the authors of [18] claim that their scheme protects the privacy of access policies. However, in [18], → x is a part of CT, from which we can know the specific attribute of decrypting a ciphertext. Then, we can derive all the attributes that satisfy the data owner's access policy. That is, the privacy of the access policy is compromised.
Next, we perform an experiment to simulate our proposed scheme. We simulate our proposed scheme on a laptop. The experimental settings are shown in Table 2.
For time measurement, we used Java (11.0.3) as the programming language and Java Pairing-Based Cryptography Library (JPBC Lib-2.0.0) as the Cryptography Library. As shown in Figure 3a-c, we set m = 10, 20, 30, 40, 50 attributes to measure the time cost of data holder, data user, and verification. Moreover, taking the average of five measurements, we found the setup time of our scheme to be 2719 ms. Ours       Only our proposed scheme can satisfy the above six properties, which are attribute privacy, access policy privacy, fine granularity, encrypted storage, non-interactive, and no intermediary party involved. In addition, as shown in Figure 2, since the scheme in [18] is interactive and our scheme is non-interactive, the efficiency of our scheme is higher than that in [18]. The scheme in [18] is interactive. Because in their scheme, the data user first generates a proof to prove his attributes set satisfies the access policy of the data owner. Then, the data owner generates the decryption key for the data user by the data user's attributes. In addition, the authors of [18] claim that their scheme protects the privacy of access policies. However, in [18], x  is a part of CT , from which we can know the specific attribute of decrypting a ciphertext. Then, we can derive all the attributes that satisfy the data owner's access policy. That is, the privacy of the access policy is compromised. Next, we perform an experiment to simulate our proposed scheme. We simulate our proposed scheme on a laptop. The experimental settings are shown in Table 2.   Figure 3a shows the time spent by the data holder in the first step in our scheme to create the polynomial Q(x) = ∏ m i=1 (x − x i ) = q 0 + q 1 x + · · · + q m x m according to the number of its attributes and calculate T 0 = g t 0 , T 1 = g t 1 , · · ·, T m = g t m and S 0 = hg q 0 t 0 , S 1 = hg q 1 t 1 , · · ·, S m = hg qm tm . Figure 3b shows the time spent by the data user in the second step in our scheme to calculate (T sy 0 0 , T sy 1 1 , T sy 2 2 , · · ·, T sy m m ) = (g st 0 y 0 , g st 1 y 1 , g st 2 y 2 , · · ·, g st m y m ). Figure 3c shows the time spent by the smart contract on blockchain to calculate F = ∏ m i=0 T sy i i = g s∑ m i=0 t i y i and E = ∏ m i=0 e(hg q i t i , T sy i i ). The Ethereum transaction price was 1 ETH = USD 339 when this paper was written. Suppose the gas price is 1gas = 1 × 10 9 wei. 1wei = 1 × 10 −18 ETH, so 1gas = 1 × 10 −9 ETH = 3.39 × 10 −7 USD. We measured the smart contract gas consumption of storing attribute elements. As shown in Table 3, we set 10, 20, 30, 40, and 50 attributes to perform gas consumption computations. For time measurement, we used Java (11.0.3) as the programming language and Java Pairing-Based Cryptography Library (JPBC Lib-2.0.0) as the Cryptography Library. As shown in Figure 3a-c, we set m = 10, 20, 30, 40, 50 attributes to measure the time cost of data holder, data user, and verification. Moreover, taking the average of five measurements, we found the setup time of our scheme to be 2719 ms.

Conclusions
We have developed a non-interactive access control scheme by blockchain for IoT by using PSI technology. A data holder uploads data to a cloud server. If a user wants to access the data, the data user first writes attributes to blockchain as a transaction. Next, the PSI protocol is run by a smart contract to determine whether the attributes set meets the threshold structure. If the condition is met, the data user is allowed to access the data holder's data. Then, the data holder uses the selected user's public key to encrypt the data address and sends it to the user. Our scheme is able to protect both the privacy of access policy and the privacy of attributes while ensuring trusted access control. In addition, a complete security proof is given. On the basis of the Ethereum Truffle development framework, we simulated the scheme in the Windows 10 system, and the experimental results indicate that our scheme has high efficiency.

Data Availability Statement:
The experimental data of this paper is true and reliable. The relevant code link in this paper is https://github.com/QiliangYang/An-Access-Control-Scheme-by-Using-Blockchain-in-Cloud-Storage-Environment (accessed on 1 August 2021).