Enabling Privacy-Preserving Data Sharing with Bilateral Access Control for Cloud

: Cloud computing plays an essential role in various ﬁelds. However, the existing cloud services face a severe challenge, which is how to share the data among a large scale of devices securely. In this paper


Introduction
Recently, cloud services [1] have been rapidly promoted by the development of the internet technique.As a widely used paradigm of outsourcing service, the cloud has been accepted by the market (e.g., iCloud, Dropbox, and Microsoft Cloud), providing a convenient and low-cost method for data storage and data sharing [2].As shown in Figure 1, cloud services play an important role in our daily life, such as smart healthcare, smart agriculture, smart cities, and smart transport [3][4][5][6].According to the report released by Gartner in 2021, more than 45% of IT spending will be on building infrastructure, applications, and business process outsourcing, shifting from traditional solutions to the cloud by 2024.Despite the proliferation of the cloud, data security and privacy preservation arise as long-term concerns from the user side, since they lose physical control of their data.Therefore, cloud service providers (CSPs) are commonly treated as honest-but-curious (HBC) entities.On the other hand, different cloud services should prevent data breaches on the cloud to enhance CSPs' reliability [7].Therefore, it is crucial to design a secure and privacy-preserving data sharing scheme for cloud services.
The General Data Protection Regulation (GDPR) sets strict privacy requirements for CSPs.Specifically, three principles must be satisfied: (1) Receiver access control.From the data collection limitation principle, the data should only be sent to receivers that meet the data sender's access policies.(2) Sender access control.From the data quality principle, the data sender should be identified to ensure data accuracy.(3) Data privacy.From the data privacy principle, sensitive data (e.g., access policies and shared data) should not be disclosed.Thereby, the access control in the data sharing scheme should be designed by both the sender and receiver.Moreover, the cloud-based data sharing scheme should guarantee data privacy when devices share data and store it on the cloud.Inherently, several significant challenges arise when applying existing data sharing schemes to cloud services [8][9][10][11][12][13][14], which are not only caused by data breaches but also by the users' strict privacy requirements.Taking the smart transport system as an example, end devices (e.g., distance sensors, speed sensors, and temperature sensors) collect information from vehicles [15].By analyzing the relevant information, the smart transport system is able to perform more precise and effective traffic management.Due to the restricted computational resources and storage capability of end devices, vehicles primarily outsource the data collection to the cloud server.As is shown in Figure 1, vehicles are willing to share their data for the purpose of avoiding traffic jams and planning optimal travel paths.The data collections are transmitted from end devices to the cloud server.Then, the required data will be sent to target vehicles by the cloud server.Commonly, the collected data might contain sensitive information such as individuals' daily action trajectories and real-time locations.If this information stored on the cloud server is accessible to anyone, it will directly threaten users' data security.Therefore, it is necessary to ensure that sensitive information cannot be snooped on by the cloud server and prevent unauthorized entities from illegal access.
However, most current access control schemes only support one-side access control (i.e., sender/receiver access control).The one-side access control schemes cannot satisfy the practical privacy requirements, but result in vast communication overhead for transmitting information in the system.By applying bilateral access control, the access policy can be designed both by senders and receivers.Specifically, vehicles expect to grant access privileges to their information to the designated end devices.The end devices can also decide to get the information from the specified vehicles or other devices simultaneously.Intuitively, attribute-based encryption (ABE) seems to be a possible solution to address access control among multiple users [16].The standard ABE approaches cannot support bilateral access control.To tailor the ABE technique for bilateral access control, ABE with a keyword search (ABKS) enables receivers to seek suitable senders using keywords [10].Their scheme, however, requires additional interactions between the users and the cloud server, introducing extra communication overheads to users.Later, Ateniese et al. [17] presented an encryption primitive on CRYPTO'19, named Matchmaking Encryption (ME), to achieve bilateral access control without revealing any privacy for both senders and receivers.When the matching fails, nothing (i.e., the access policies and data) will be disclosed.However, the matching process brings heavy computation and communication overhead to end devices.To further improve efficiency, it is desirable to delegate the matching process to the cloud without revealing any users' private information.To summarize, the practical secure data sharing for cloud services should be with privacy preservation and bilateral access control in order to facilitate the blossom of cloud services.
In this paper, we introduce a cloud-based privacy-preserving data sharing scheme with bilateral access control.By analyzing the practical security requirements, we formalize the crucial challenges in the state-of-the-art.Specifically, to provide bilateral access control, we construct our scheme based on identity-based matchmaking encryption (IB-ME) for realizing both sides designing the match policies simultaneously.To achieve high efficiency, we delegate the matching process to the cloud server while protecting the user's private information and data by designing a signature-based match tag.The contributions of our work are summarized as follows:

•
We suggest a data-sharing scheme for cloud services, derived from identity-based matchmaking encryption, named IBME-DS.The access policies in IBME-DS are specified by both the sender and receiver to achieve bilateral access control.

•
To further improve the system efficiency, we design a privacy-preserving matching mechanism to delegate the matching process to the cloud server, which ensures user privacy and data confidentiality during the matching procedure.

•
We formally define the system model, threat model, and security model of IBME-DS.Then, a comprehensive security analysis is to demonstrate that our proposed scheme meets the practical security requirements.• Finally, we evaluate the performance of IBME-DS by conducting extensive experiments on a real-world dataset to show that IBME-DS is more efficient than relevant works.
Organization.The remainder of this paper is structured as follows.Section 2 discusses the preliminary adopted in this paper.In Section 3, we define the system model, threat model and security model of our scheme.Section 4 provides the concrete construction based on bilinear groups.Then, in Section 5, we give rigorous security proof to prove the security of our scheme.Then, Section 6 presents the theoretical analysis and experimental performance.In Section 7, we introduce relevant works on access control and matchmaking encryption.In Section 8, we discuss the advantages of our research and the limitations of it.Finally, we conclude our work in Section 9.

Preliminary
Definition 1 (Bilinear Pairing).Let G 1 , G 2 and G T be multiplicative cyclic groups of order p, with p being a large prime.We call them bilinear groups with such a bilinear map e : G 1 × G 2 → G T , if they hold the properties as follows.

1.
Bilinearity: The map e is bilinear, if e(g a , h b ) = e(g b , h a ) = e(g, h) ab , for ∀g ∈ G 1 , h ∈ G 2 and a, b ∈ Z * p .

2.
Non-degeneracy: There exists e(g, h) = 1 G T , where 1 G T is the identity in G T .
Our scheme is constructed on symmetric pairing that G 1 = G 2 .In the following part of this paper, we denote the bilinear pairing e as e : G × G → G T .

Matchmaking Encryption
In this part, we briefly review the matchmaking encryption [17].In ME, the access control is specified by both sender and receiver.Specifically, ME contains six algorithms:

•
PolGen(kpol, S) → dk S : Given the access policy S, and the master policy key kpol, the algorithm is to generate the decryption key dk S for the access policy S.
• Enc(ek σ , R, m) → c: Given the encryption key ek σ , the access policy R, and the message m, the algorithm is to generate the ciphertext c. • Dec(dk ρ , dk S , c) → m or ⊥: Given the decryption key dk ρ , the decryption key dk S , and the ciphertext c, the algorithm is to output either the message m or ⊥.
If ρ = R and σ = S, the given ciphertext will be correctly decrypted by the receiver.Worthy, it will reveal nothing except the matching does not occur.

Identity-Based Matchmaking Encryption
Additionally, we recap identity-based matchmaking encryption, including five algorithms:

•
SKGen(msk, σ) → ek σ : Given the sender's identity σ, and the master secret key msk, the algorithm will output the encryption key ek σ .• RKGen(msk, ρ) → dk ρ : Given the receiver's identity ρ, and the master secret key msk, the algorithm will output the decryption key dk ρ .• Enc(mpk, ek σ , rcv, m) → c: Given the target receiver's identity rcv, the master public key mpk, the encryption key ek σ , and the message m ∈ {0, 1} n , and the algorithm will output the ciphertext c, associated to both σ and rcv.• Dec(mpk, dk ρ , snd, c) → m or ⊥: Given the target sender's identity snd, the master public key mpk, the decryption key dk ρ , and the ciphertext c, the algorithm will compute and output either the message m or ⊥.The message will be correctly recovered from the decryption algorithm if ρ = rcv and σ = snd.

Definition and System Model
In this section, we formally define the system model of IBME-DS.Furthermore, we describe the potential threats to IBME-DS and formally define the security model and the design goal of our proposed scheme.

System Model
To clarify the system architecture of IBME-DS, we describe the system model in this section.There are four entities involved in our scheme, including key generation center (KGC), cloud server (CS), sender and receiver, as shown in Figure 2. The CS is responsible for storing and managing the data, sent from users (i.e., sender and receiver), who are registered in KGC.Once the senders and receivers have been registered in KGC, both of them will be distributed a pair of keys for the further communications.
• Key Generation Center: KGC is defined as the fully trusted party in the system, to initialize system parameters and generate master public/secret keys for users.By taking the identity from users as input, it secretly outputs the encryption key and decryption key to senders and receivers via the secure channel.

•
Cloud Server: CS receives the information from users and performs matching.Then, it returns the successful matching results to the receiver.

•
Sender: The sender has his/her own unique identity σ.Through the identity σ, the sender can be uniquely designated.In particular, the sender can specify the target receiver in the ciphertext.The sender's identity will not be revealed even if the match fails.

•
Receiver: The receiver also has his/her own unique identity ρ.Similarly, the receiver can also specify the target sender.

•
SKGen(msk, σ) → ek σ : Given the sender's identity σ and the master secret key msk, the probabilistic algorithm will output the encryption key ek σ .
• RKGen(msk, ρ) → dk ρ : Given the receiver's identity ρ and the master secret key msk, the probabilistic algorithm will output the decryption key dk ρ .• Enc(mpk, ek σ , ρ r , m) → C: Given the target receiver's identity ρ r , the master public key mpk, the encryption key ek σ , and the message m ∈ {0, 1} n , the probabilistic algorithm will output the ciphertext C.

•
MatchTag(mpk, σ s ) → Tag: Given the target sender's identity σ s , the master public key mpk, the probabilistic algorithm will output the match tag Tag.

•
Match(mpk, C, Tag) → "accepted" or "failed": Given the master public key mpk, the ciphertext C, and the match tag Tag, the deterministic algorithm will output "accepted", if the match occurs.Otherwise, "failed".

Threat Model
KGC is fully trusted and is responsible for generating master public/secret keys and secretly distributing encryption/decryption keys via the secure channel.In our system, CS is considered to be HBC as a semi-trusted party.CS will return correct results to users, but keep curious about users' data.Moreover, both senders and receivers are considered to be untrusted.The sender may pretend to be another sender to generate the ciphertext.The receiver may try to access the unauthorized data.Specifically, we summarize the threat model of IBME-DS as follows: Type I Adversary: The Type I adversary is the HBC cloud server, which receives the ciphertext message from the sender and the match tag from the receiver.Then, it completes the matching operation based on the received information.In this process, the Type I adversary will launch the ciphertext-only attack to spy on the user's data, designing an access policy.
Type II Adversary: The Type II adversary is the malicious user (sender and receiver), who possesses the encryption key.The malicious users initiate the chosen ciphertext attack to get others' data and the access policy.

Security Model
Definition 2. Our proposed IBME-DS is said to be IND-CPA secure if it can resist the probabilistic polynomial-time (PPT) adversary by a game, as follows: • Setup: The system is established with the input security parameter.Then, the challenger sets the master public/secret key {mpk, msk}.
• Hash Query: The adversary requests the hash oracle to get the corresponding hash values for polynomial times.• KeyGen Query: The adversary requests the key generation oracle O SKGen (msk, •) and O RKGen (msk, •) for polynomial times to obtain the corresponding ek i , dk j , respectively.• Challenge: The adversary claims m 0 , m 1 to be challenged, and provides two instances I 0 = (m 0 , ρ r,0 , σ 0 ) and I 1 = (m 1 , ρ r,1 , σ 1 ).Then, the challenger chooses b ∈ {0, 1} randomly.By running Enc algorithm, the challenger can compute C * = Enc(ek σ b , ρ r,b , m b ).Finally, C * will be sent to the adversary.• Guess: After receiving C * from the challenger, the adversary outputs a guess b on b.
If the adversary can give a correct guess on b, that b = b, we say the adversary can break our proposed IBME-DS.We define the advantage of the adversary breaking the security of IBME-DS as Equation ( 1): Definition 3. Our proposed IBME-DS holds authenticity if it can resist the PPT adversary by a game, as follows.
• Setup: The system is established with the input security parameter.Then, the challenger sets the master public/secret key {mpk, msk}.

•
Hash Query: The adversary requests the hash oracle to get the corresponding hash values for polynomial times.

•
SKGen Query: The adversary requests the SKGen oracle by inputting σ i , the challenger returns the sender's encryption key.

•
RKGen Query: The adversary requests the RKGen oracle by inputting φ i , the challenger returns the receiver's decryption key.

•
Forgery: The adversary sends the tuple (C, ρ, σ ) to the challenger, in which σ has never been input to the SKGen oracle.The challenger generates dk ρ by executing the RKGen algorithm.Then, the challenger computes the message m from the ciphertext C by executing the Dec algorithm.
If the above game holds, i.e., the message m belongs to the message space M, we say that the adversary can break the authenticity of our proposed IBME-DS.Specifically, the adversary can forge the valid ciphertext even if it is not authorized.We define the advantage of the adversary breaking the authenticity of IBME-DS as Equation ( 2 (2)

Design Goal
According to the system model, threat model and security definition defined for our proposed IB-ME-based data sharing scheme, we summarize the design goals to clarify the vital features of our proposed scheme.

•
Security.The security is to ensure the system is with semantic security under the attack launched by any PPT adversary.The security is the basic demand of the data-sharing scheme in cloud services, which ensures the message m is unknown to others.

•
Privacy.The privacy is aimed at preventing the stored data and access policy from being revealed to the cloud, even in the matching phase.

•
Authenticity.The authenticity means that a valid ciphertext under identity σ can only be generated by a valid encryption key ek σ from KGC.In other words, it guarantees that if a sender with the proper identity can produce a ciphertext, the ciphertext can be decrypted correctly.

•
Bilateral Access Control.The bilateral access control ensures that the access policy is designed by both the sender and receiver.Compared to the existing access control scheme, of which the policy is only designed by one side, bilateral access control is a practical requirement for data sharing to cloud services.

Concrete Construction
We will describe our proposed IBME-DS, derived from IB-ME.The notations used in IBME-DS are listed in Table 1.Then, we will give a workflow of our proposed IBME-DS, and a concrete construction based on bilinear groups.IBME-DS can provide a privacy-preserving data-sharing solution for end devices.The workflow of our scheme includes four phases: system initialization, data updating, user matching and data downloading, as shown in Figure 3.
System Initialization: By running Setup, KGC is to generate system parameters.Also, KGC generates encryption/decryption keys for users through SKGen and RKGen.
Data Upload: The sender runs Enc to generate the ciphertext.After that, the sender uploads the ciphertext to CS.
User Matching: Firstly, the receiver will generate the match tag by running MatchTag to specify the target sender.The match tag will be sent to CS.After that, CS runs Match to find the matched ciphertext, then sends the matched ciphertext to the receiver.During the matching process, CS will get nothing except whether the match occurs.
Data Download: If the matching occurs, the receiver runs Dec to decrypt the ciphertext.

IB-ME-Based Data-Sharing Scheme
The detailed construction of our proposed IBME-DS is described as the following Algorithms 1-6.
• Enc(mpk, ek σ , ρ r , m): The sender runs this probabilistic algorithm.Taking in the target receiver's identity ρ r , the master public key mpk, the sender's encryption key ek σ , and the message m ∈ {0, 1} n , the sender conducts as the following steps: 3. Compute T = g x 1 t .4. Compute Equation ( 4) Algorithm 3 Enc(mpk, ek σ , ρ r , m) Input: the target receiver's identity ρ r , the master public key mpk, the sender's encryption key ek σ , and the message m.
• MatchTag(mpk, σ s ): The receiver runs this probabilistic algorithm.Taking in the target sender's identity σ s , the master public key mpk, the receiver computes the auxiliary information as the match tag when the matching is delegated to the CS.The receiver chooses randomly x 2 ← Z p .It computes Equation ( 5) as follows: ID r = (ID r,1 , ID r,2 , ID r,3 ), The detailed computations on ID r are as Equation ( 6): The receiver sends Tag = (ID r , σ s ) to the CS.
Output: the match tag Tag.
Choose randomly . return the match tag Tag ← (ID r , σ s ).
If the equation holds, CS outputs "accepted", to indicate the match occurs.Otherwise, "failed".

Algorithm 5 Match(mpk, C, Tag)
Input: the master public key mpk, the ciphertext C, and the match tag Tag.
Output: the judgment result.

•
Dec(mpk, dk ρ , σ s , C): The receiver runs this deterministic algorithm.Taking in the target sender's identity σ s , master public key mpk, the decryption key dk ρ , and the ciphertext C, the receiver conducts the following operations: Correctness.We demonstrate the correctness of IBME-DS from Equations ( 8)-( 10): The above equations clearly show that Then, similarly, we can check To successfully recover the message, Equations ( 9) and (10) should hold.

Security
Otherwise, B sets Q i = g xγ i , and adds (ρ i , Q i , ⊥, 1) to L 1 , where x is unknown to B.
encryption algorithm, and in this paper, the IB-ME scheme is implemented.CFDS20 is an improvement on AFNV19 that implements the matchmaking encryption and MEbased data-sharing scheme using fog computing, which allows bilateral access control.These two schemes are similar to our scheme in terms of construction and implemented functionality.Therefore, we have selected these schemes to compare computational cost and communication overhead.

Theoretical Analysis
We theoretically compare the computational overhead of our proposed IBME-DS with the existing similar schemes, in terms of key generation, encryption and decryption.
Specifically, we compare the computational overhead of our proposed IBME-DS with [17][18][19] intuitively.We choose the main cryptographic operations from algorithms, such as bilinear pairing and multiplication operation, as the important references to measure the computational overhead of similar schemes.Our scheme takes for the SKGen, RKGen, Enc and Dec, respectively.Moreover, only the computational overhead of the encryption and decryption algorithm is slightly higher than that of IB-ME [17].Based on the above analysis, the comparison of computational overhead is as shown in Table 2.
Table 2. Theoretical analysis of computational overhead.

Scheme
Approach SKGen RKGen Enc Dec SKGen: the sender's encryption key generation algorithm; RKGen: the receiver's decryption key generation algorithm; Enc: the encryption algorithm; Dec: the decryption algorithm; E G : the computational cost of an exponential function in G; M G : the computational cost of a multiplication function in G; M G T : the computational cost of a multiplication function in G T ; P: the computational cost of pairing; n s : the number of senders; n r : the number of receivers; n S : the number of the sender's attributes; n R : the number of the receiver's attributes.

Experimental Setting
As is shown in Table 3, the configuration is with a laptop running 64-bit Windows 10 with Intel(R) Core(TM) i5-6200U CPU @ 2.30 GHz and 8 GB RAM.We implement the proposed scheme using JAVA 14.0.2 on the laptop using the JPBC library.Type A elliptic curves are used to implement the experiment, by initializing the system parameters from "a.properties".To make the experimental data more accurate, we average the resulting times after running each algorithm 100 times.To verify the feasibility of the scheme, we simulate a multi-user scenario by setting different numbers of senders.We choose two related schemes based on ME: IB-ME [17] and MABE [18].
Dataset: In our experiments, we combine the real-world dataset and the simulated dataset to evaluate the performance of IBME-DS.Specifically, the real data are obtained from a real-world dataset of OpenITS https://www.openits.cn/openData2/746.jhtml,consisting of the traffic data (including traffic signal control data, section travel time data and intersection lane traffic volume data) collected on 15 December 2016, in Anhui, China.The simulated dataset mainly comprises the vehicle information (consisting of the license plate number, geolocation and speed).These traffic data are used to represent the transmitted messages, and the identity of the user is set by license plate number or road ID.We implement our proposed IBME-DS to simulate data sharing among users based on the above dataset.The total number of users in the experiment will be capped at 30, and the number of attributes will be set to 5. Group Order Size 160 bits

Computational Cost
The first experiment is to obtain the runtime of system initialization.The second experiment is to obtain the runtime of key generation.The third and fourth experiments are to obtain the runtime for encryption and decryption.The fifth experiment is to obtain the runtime for the matching process.
In Figure 4, the experiment shows the running time required for Setup versus the number of senders.The experimental results indicate that the initialization computational cost of our scheme is between the MABE and IB-ME.Compared with IB-ME, our scheme has a slightly higher initialization time cost, for the reason that two additional parameters are set to ensure that the matching process is safely outsourced to the cloud server.Moreover, MABE needs two additional pairing calculations during the system initialization, so the time cost is higher than our scheme.
In Figure 5, the experiment shows the running time required for SKGen and RKGen.The experimental results indicate that our scheme takes about the same amount of time as IB-ME.As the characteristics of the identity-based scheme and the appropriate access control policy settings, our scheme achieves less computation cost than MABE.And as the number of senders increases, the gap becomes more pronounced.
In Figure 6, the experiment shows the running time required for Enc.The experimental results indicate that the MABE takes more time than IB-ME and ours, as directly scaling from an attribute-based setting to an identity would incur high computational cost.Our scheme adds two pairing computations to delegate the matching process to the cloud server.Thus, the computational cost of data encryption in our proposed IBME-DS is slightly higher than in IB-ME.
In Figure 7, the experiment shows the running time required for Dec.The experimental results indicate that we spend less time on decryption than MABE.Compared with IB-ME, the computational cost of data decryption in our scheme is slightly larger than that in IB-ME for a single decryption process.In IB-ME, the receivers require to determine whether the message is sent from the designed senders when they receive each ciphertext.In practical applications, such an operation will cause the waste of huge computation and communication resources on the receiver side.In Table 4, the experiment shows the running time required for Match versus the number of senders.The experimental results indicate that the computational cost of the matching process grows linearly with the number of senders.By delegating the matching process to the cloud server, the computation cost on the local side will be significantly reduced.Note: to verify the practicality of the scheme, we conduct a series of experiments, including Setup, SKGen, RKGen, Enc, Dec and Match.We develop a matching mechanism to outsource the matching process to the cloud server to reduce the computational and communication overhead on the user side.As in the theoretical analysis of the scheme, the experiments show that our algorithm has slightly higher computational overhead in Setup, SKGen, RKGen, Enc and Dec than IB-ME, since we build an outsourced matching mechanism and add E G operations to ensure data privacy.Although we have more time overhead compared to IB-ME, our scheme is capable of meeting practical requirements for cloud services.

Communication Overhead
In Table 5 and Figure 8, the experiment shows the communication overhead on the receiver and the sender side in terms of the encryption key, decryption key and ciphertext.The experimental results indicate that by delegating the matching process to the cloud server, the communication overhead on the receiver side will be significantly reduced than in others, although our scheme has slightly more communication overhead on the ciphertext than IB-ME.

Related Work
We will describe the state-of-the-art works on access control and matchmaking encryption in this section.As is shown in Table 6, we compare the existing schemes with our scheme from different perspectives.[30] first proposed access control technology and introduced the concept of subject and object and autonomous access control.The owner of autonomous access control can independently decide to grant object permissions to other subjects.To realize an access control in the cross-domain network environment, Eric et al. [20] described a dynamic Attribute-Based Access Control (ABAC).ABAC takes attributes as the core and authorization basis, providing fine-grained authorized access and large-scale user dynamic expansion in complex network environments.Specifically, Attribute-Based Encryption (ABE) was first introduced by Sahai and Waters [21] in the fuzzy identity encryption scheme in 2006, which aimed to improve the security of attribute-based access control.Subsequently, Goyal et al. [22] divided ABE into Ciphertext-Policy ABE (CP-ABE) and Key-Policy ABE (KP-ABE).But none of them satisfy the protection of sender privacy.To solve the above problem, Zheng et al. [23] first introduced the Attribute-based Keyword Search (ABKS), allowing the user to search for encrypted data outsourced by the data owner.However, their scheme cannot support multiple rounds to search the messages securely.Damgard et al. [19] proposed Access Control Encryption (ACE) based on security policies for information flow to allow fine-grained access control.In ACE, different authorizations will be given to users for reading and writing.However, to ensure secure data flow, ACE needs to introduce the sanitizer that controls the communication, which is a fully trusted party.In terms of our literature review on conventional access control, the aforementioned schemes have two crucial issues when applied to cloud services.Firstly, most access control schemes only support that one side specifies the access policy (e.g., CP-ABE, KP-ABE).Secondly, even if some access control scheme (e.g., ACE) is equipped with bilateral access control, it has to involve a fully trusted party.The strong trusted requirement will throw threats to the system security.

Matchmaking Encryption
Ateniese et al. [17] proposed the matchmaking encryption (ME) on CRYPTO '19.In their work, an efficient identity-based matchmaking encryption scheme (IB-ME) is given as an instantiation.Both senders and receivers are allowed to specify their access policies simultaneously, which realizes bilateral access control.But none of the schemes proposed in this paper support outsourced matching, which may become a performance bottleneck for devices with limited resources.To support the outsourced matching, Li et al. [27] proposed a bilateral friend-matching scheme by combining ME with ABE.However, the outsourcing center in their scheme can identify which party does not meet the access policy of the others.Chen et al. [26] proposed an efficient certificateless matchmaking encryption (CL-ME) scheme for IoT.In the cloud-fog computing environment, Xu et al. [24] proposed a data-sharing system based on lightweight ME.Subsequently, Xu et al. [18] proposed a data-sharing system specified for cloud-fog devices (CFDS), based on matchmaking attribute-based encryption (MABE).In the field of IIoT, Sun et al. [25] proposed a privacypreserving bilateral access control scheme, which is based on fine-grained access control and ME.In 2022, Wu et al. [29] extended ME to cross-domain scenarios and proposed a cross-domain IB-ME, by which users from different domains can get their secret keys from different authority centers.However, the aforementioned ME-based works are constructed under the attribute-based cryptosystem, with huge computation overhead to the resource-restricted devices.Moreover, Danilo et al. [28] proposed an IB-ME scheme based on standard assumption.The matching is conducted by users while decrypting the ciphertext.Also, the resource-restricted devices are not competent to resolve the complex computation and huge communication overhead.Hence, there is a certain gap in implementing a privacy-preserving data-sharing scheme with bilateral access control, supporting the matching delegation for devices in cloud services.

Discussion
In this section, we focus on discussing the advantages of our research and the limitations of it.The advantages of our proposed scheme are obvious by reviewing the related works as shown in Table 6.Our proposed IBME-DS possesses the semantic security, authenticity and data privacy, where the delegation will not reveal sensitive information (e.g., access policies and shared data) for cloud services.As a new way to protect both receiver and sender access control simultaneously, ME enables bilateral access control [17].We construct our scheme based on IB-ME to fulfill the practical requirements of identity authentication in cloud services.To enhance the security, we design a privacy-preserving matching mechanism to realize the secure outsource match.There is a limitation to be improved, which concerns the communication overhead that needs to be further reduced during large-scale deployment of cloud services.

Conclusions
In this work, we propose a data-sharing scheme with bilateral access control, based on IB-ME.Our scheme can provide effective privacy preservation for both the sender and receiver in cloud services.Due to delegating the matching process to the cloud server, our scheme can provide more efficient data-sharing capabilities, and reduce the computation overhead on end devices without revealing any private information.Additionally, we point out some interesting issues to be resolved in the future.Firstly, we consider protecting forward secrecy by applying the key exposure resistant cryptographic primitives.Secondly, our scheme is designed for devices in cloud services.We will attempt to further enhance the efficiency of our scheme by applying the edge computing technique [31].

Figure 1 .
Figure 1.Data-sharing system for cloud-based services.

•Figure 2 .
Figure 2. System model of data sharing scheme with bilateral access control.

4 .Algorithm 6
Recover the message m by the reversibility of φ(m).Dec(mpk, dk ρ , σ s , C) Input: the target sender's identity σ s , the master public key mpk, the decryption key dk ρ , and the ciphertext C. Output: the message m.Parse
Assume that a PPT adversary A can break IBME-DS, a simulator B can use A to break the underlying IB-ME.Setup: Choose random values α, β, u, t ∈ Z p and set g α = g α , g β = g β , g u = g u , ĝα = g α•u , and g t = g t .The master secret key is msk = (α, β, u, t) and the master public key is the tuple mpk = (p, G, G T , e, g, g α , g β , ĝα , g u , g t , H 1 , H 2 ).Then, the mpk is sent to B. B selects a random value β ∈ Z p .Then, B sends system parameters (p, G, G T , e, g, g α , ĝα , g u , g t , H 1 , H 2 ) to A. And the padding function Φ is under control.
Analysis Theorem 1.If the underlying IB-ME is IND-CPA secure, our proposed IBME-DS is secure.Proof.H 1 Queries: B performs the hash queries on H 1 to construct hash table list L 1 : 1.If query ρ i has been requested before, that the query can be found in

Table 4 .
Running time for match.

Table 5 .
Space cost of different schemes.

Figure 8 .
Communication overhead of different schemes.

Table 6 .
Comprehensive comparison among the state-of-the-art schemes.