Blockchain-based multi-authority revocable data sharing scheme in smart grid

1.   Introduction

The smart grid is a new type of modern electric grid, which integrates energy technology and grid infrastructure with a high degree of integration of sensing and measurement technology, information and communication technology, analysis and decision-making technology and automatic control technology. In addition, it integrates the computing system and communication network's virtual environment with the physical environment of the power system to form a complex system that enables real-time sensing, dynamic changes and seamless information communication ^[1]. Digital twin is a technology that digitizes physical objects in the real world, models and simulates the various components of the power grid system and helps power grid operators achieve a comprehensive understanding and control of the grid. By combining digital twin technology, the smart grid can achieve more efficient, secure, and reliable power system operations ^[2,3,4]. This system is characterized by its user-friendly interface, high economic efficiency, exceptional reliability, compatibility and timely information updates. Users can use this system to access real-time information about electricity prices, electricity usage and other related information, making it easier to plan their energy usage. At the same time, smart grid terminals can continuously collect information about users' electricity usage and transmit it to the power company in real-time, allowing for real-time pricing and load balancing to ensure the stable operation of the grid system ^[5,6]. However, large-scale data collection undoubtedly raises concerns about user privacy and security. During the data collection process, there is a risk of leakage or tampering of critical information, such as user personal identification information or the power company's business secrets, which could potentially result in immeasurable losses for both the users and the power company ^[7,8,9]. Therefore, in the smart grid, data encryption protection and user access control have become critical for ensuring secure data sharing.

The ciphertext policy attribute-based encryption (CP-ABE) scheme associates user attributes with their encryption keys, allowing data owners to implement access control over their data while encrypting it, making it easier to achieve secure data sharing in the smart grid. Sahai et al. ^[10] first proposed the scheme of CP-ABE. Subsequently, data security sharing schemes based on CP-ABE and suitable for various real-life scenarios have been proposed one after another ^{[11,12,13,14,15,16]}. These schemes improve computational efficiency, security and attribute set size to varying degrees. However, these schemes do not consider user tracking and revocation, resistance to collusion attacks and how to achieve message integrity verification.

In traditional ciphertext policy attribute-based encryption schemes, in addition to storing the ciphertext, the cloud server not only stores the ciphertext but also holds the access policy. Therefore, all users who obtain the ciphertext can also obtain the access policy. However, an adversary can exploit the details in the access policy to deduce and obtain some private data. To prevent private data leakage through access policy, Zhang et al. ^[17] proposed a scheme to protect private data by hiding attribute values in access policy. However, Zhang's scheme is constructed by the composite order group, so its computation is less efficient, which is not suitable for the smart grid environment. Hui et al. ^[18] proposed a scheme for hiding attribute values in prime order groups, which achieves privacy protection for users while reducing computational overhead.

Moreover, some CP-ABE schemes are vulnerable to collusion attacks among users, in which users share their keys to obtain data. Therefore, tracing the malicious user who leaked the keys is also an important issue. Liu et al. ^[19,20] proposed a black-box and white-box tracking scheme to track malicious users. Only user tracking is insufficient for secure data sharing in the smart grid. An efficient user revocation mechanism is also necessary. Shi et al. ^{[21,22,23,24]} proposed different revocable CP-ABE schemes. Liu et al. ^[25] proposed a scheme that combines user tracking with revocation. Han et al. ^[26] further improved the scheme by incorporating privacy protection and enhancing computational efficiency. Then, Li et al. ^[27] proposed a traceable and revocable access control scheme which supports large attribute space, the decryption phase only requires constant-level bilinear pairing operations. Since a single attribute authority is not fully trusted and is not conducive to system expansion, Chase et al. ^[28] proposed a scheme for multiple attribute authorities. Later, De et al. ^[29] proposed a multi-authority CP-ABE scheme with higher encryption efficiency. Xiao et al. ^[30] proposed an access control scheme that incorporated revocation and multi-attribute authorities, but the scheme does not support user tracking. Sethi et al. ^[31] proposed a multi-authority scheme with revocable and traceable users. Datta et al. proposed a multi-authority scheme ^[32] based on asymmetric pairings; the scheme enhances security but is not efficient enough.

Online/offline encryption technology ^[33] preprocesses time-consuming operations such as bilinear pairing offline and completes them at idle time, so that users can simply perform simple operations online to get the data they need. This technology transfers the main computational overhead to the cloud server, greatly reducing the communication overhead and the computational overhead on the user. Hybrid encryption technology is to encrypt the primary data using a symmetric encryption algorithm such as AES and encrypt the key of the symmetric encryption algorithm using attribute encryption. The computational efficiency is further improved because the symmetric encryption algorithm has less overhead.

In real life, the cloud servers that store power grid data are semi-honest and curious, which poses potential risks to users' private data. With the development of blockchain-related technologies, the problem of semi-honest and curious third-party servers can be addressed using blockchain technology. Blockchain is a distributed ledger and database with the advantages of being tamper-proof, open and transparent ^[34]. The "transparency" feature of blockchain can solve the problem of information asymmetry between parties, enabling multiple entities to collaborate and trust and act in unison. The combination of blockchain and attribute-based encryption enhances the usability of encryption schemes.

To realize the secure sharing of grid data within the smart grid, we propose a blockchain-based multi-authority revocable data sharing scheme in the smart grid. The contributions can be summarized as follows:

1) The computational overhead of data owner and data user have been greatly reduced by introducing the online/offline encryption technology. The cloud server stores the conversion key to partially decrypt the ciphertext. Therefore, the data user requires a constant computation to decrypt the partially decrypted ciphertext. In addition, to reduce the communication overhead, we encrypt the grid data with symmetric encryption and encrypt the symmetric key with attribute-based encryption.

2) Data integrity verification. Based on the tamper-proof feature of the blockchain, the data owner can generate message verification credentials and upload them to the blockchain. The data user can download the verification credentials to compare with the received data to verify if the data has been tampered with.

3) User tracking and revocation. We introduce user binary tree and revocation list to manage users. The attribute authority can track a malicious user by the user's secret key, and then an attribute authority can add the user to the revocation list and update the ciphertext.

4) Privacy protection. Based on the scheme proposed in ^[26], user identity privacy is protected by combining it with policy hiding mechanism. By hiding the attribute values in the access policy, the adversary cannot infer user information from the access policy.

2.   Preliminaries

2.1.   Bilinear pairing

Let $\mathit{\boldsymbol{G}}$ and ${\mathit{\boldsymbol{G}}_T}$ be two multiplicative cyclic groups of prime order $p$, and $g$ be a generator of $\mathit{\boldsymbol{G}}$. ${\mathit{\boldsymbol{G}}_T}$ has an efficient bilinear map $e:\mathit{\boldsymbol{G}} \times \mathit{\boldsymbol{G}} \to {\mathit{\boldsymbol{G}}_T}$ that satisfies the following three features:

1) Non-degeneracy: $e(g, g) \ne 1$.

2) Computability: For any element $M, N \in \mathit{\boldsymbol{G}}$, $e(M, N)$ could be efficiently computed by a polynomial-time algorithm.

3) Bilinearity: For any element $M, N \in \mathit{\boldsymbol{G}}$ and $a, b \in {Z_p}$, we can obtain $e({M^a}, {N^b}) = e{(M, N)^{ab}}$.

2.2.   Access structure

Let $P = \{ {P_1}, {P_2}, ..., {P_n}\}$ denote the set of $n$ users. The collection $\widehat A$ is monotone for $\forall B, C$: if $B \in \widehat A$ and $B \subseteq C$, then $C \in \widehat A$. Let $\widehat A$ be a monotone nonempty subset of $P$, i.e., $\widehat A \subseteq {2^{\{ {P_1}, {P_2}, ..., {P_n}\} }}\backslash \{ \emptyset \}$, and then call $\widehat A$ a monotone access structure. The sets in $\widehat A$ are called authorized sets, and the rest of the sets are called the unauthorized sets.

2.3.   User binary tree

Let $U$ be the set of all users, $RE$ be the revocation list and ${T_y}$ be the user binary tree. ${T_y}$ has the following features:

1) Every leaf node is related to a user $u$. Consider that $|U|$ denotes the number of users, and then there are $2|U| - 1$ nodes in the ${T_y}$. Number these nodes by breadth-first traversal as $0\sim 2|U| - 2$.

2) $path(\zeta)$ denotes the set of nodes on the path from the root node to the node $\zeta$.

3) $cover(RE)$ denotes the minimal set of nodes for the users who are not included in the revocation list $RE$.

According to the above features of user binary tree, if a user is not in the revocation list $RE$, then there exists a unique node satisfying ${\zeta _i}{\text{ = }}path({\zeta _u}) \cap cover(RE)$.

Figure 1 is a simple example of user binary tree. If the revocation list $RE$ is set to $RE = \{ {u_5}, {u_7}\} = \{ 11, 13\}$, then $cover(RE) = \{ 1, 12, 14\}$. The path of ${u_3}$ is $path({u_3}) = \{ 0, 1, 4, 9\}$. Therefore, the unique node ${\zeta _i} = cover(RE) \cap path({u_3}) = \{ 1\}$.

2.4.   Linear secret sharing scheme

Let ${A^*} = \{ A_1^*, A_2^*, ..., A_n^*\}$ be the set of all attribute names, and each attribute name $A_i^* \in {A^*}$ corresponds to a set of attribute values $A_i^* = \{ va{l_{i, 1}}, va{l_{i, 2}}, ..., va{l_{i, {n_i}}}\}$, where ${n_i}$ is the order of $A_i^*$. The access policy is denoted as $T = (M, \rho, V)$ in a linear secret sharing scheme (LSSS), where $M$ is a matrix that has $l$ row size and $n$ column size. $\rho$ is a function that maps every row of $M$ into an attribute name in ${A^*}$. $V = {\{ {v_{\rho (i)}}\} _{i \in [1, l]}}$ is the set of attribute values associated with $(M, \rho)$. A LSSS includes the following two algorithms:

1) Distribute: For secret value $s \in {Z_p}$, randomly select a vector $f = {(s, {f_2}, ..., {f_n})^{\text{T}}}$, where ${f_2}, ..., {f_n} \in {Z_p}$. Calculate ${\lambda _i} = {M_i} \cdot f$, where ${M_i}$ is the ${i^{th}}$ row of matrix $M$. ${\lambda _i}$ is a share of $s$ that corresponds to $\rho (i)$.

2) Reconstruct: Let $S \in {A^*}$ be any authorized set, and $I = \{ i:\rho (i) \in S\} \subseteq \{ 1, 2, ..., l\}$. Then, there exists a set of constants $\{ {\omega _i} \in {Z_p}\}$ satisfying $\sum\limits_{i \in I} {{\omega _i}{M_i}} = (1, 0, ..., 0)$. We could reconstruct the secret $s$ by calculating $\sum\limits_{i \in I} {{\omega _i}{\lambda _i}} = s$.

Let ${\text{S}} = \{ {I_u}, S\}$ be the set of user attributes and $\overline T = (M, \rho)$ be the access policy that hides the set of attribute values. ${I_u} \subseteq {A^*}$ is the set of user attribute names. $S = {\{ {s_i}\} _{i \in {I_u}}}$ is the set of the user attribute values. For $\forall i \in I$, where $I = \{ i:\rho (i) \in S\} \subseteq \{ 1, 2, ..., l\}$, if $i$ satisfies $(M, \rho)$ and ${s_{\rho (i)}} = {v_{\rho (i)}}$, then we say that ${\text{S}}$ matches $T$.

2.5.   Complex assumption

Definition 1. (q-BDHE assumption)

Let $\mathit{\boldsymbol{G}}$ and ${\mathit{\boldsymbol{G}}_T}$ be two multiplicative cyclic groups of prime order $p$ and $g$ be a generator of $\mathit{\boldsymbol{G}}$. ${\mathit{\boldsymbol{G}}_T}$ has an efficient bilinear map $e:\mathit{\boldsymbol{G}} \times \mathit{\boldsymbol{G}} \to {\mathit{\boldsymbol{G}}_T}$. Randomly select $t, f \in {Z_p}$ and compute vector $J = (g, {g^t}, {g^f}, {g^{{f^2}}}, ..., {g^{{f^q}}}, {g^{{f^{q + 2}}}}, ..., {g^{{f^{2q}}}})$. Then, the $q - {\text{BDHE}}$ assumption is defined as follows: There is no polynomial-time algorithm that can distinguish between $e{(g, g)^{{f^{q + 1}}t}} \in {\mathit{\boldsymbol{G}}_T}$ and $B \in {\mathit{\boldsymbol{G}}_T}$ by a non-negligible advantage $\varepsilon$.

3.   System and secure models

3.1.   System model

The system model consists of the following five entities:

1) Data Owner (DO): DO collects grid data from users' houses and specifies an access policy to encrypt grid data, then generates verification credential and uploads it to the blockchain.

2) Cloud Server (CS): CS stores the ciphertext and the verification credentials while generating the transformed ciphertext for DU. CS is semi-honest.

3) Data User (DU): DU obtains ciphertext from CS. DU can decrypt ciphertext only if DU's attributes satisfy the access policy. There may be malicious users in DU.

4) Attribute Authority (AA): AA generates public parameters and private keys. AA cannot access user secret keys or user identity information alone.

5) Blockchain: Blockchain stores and transmits public parameters and verification credentials, preventing them from being tampered with.

The system model is shown in Figure 2.

3.2.   Formal definition

The proposed scheme consists of nine algorithms, and we describe each algorithm as follows:

1) Setup: AA generates public parameter $PP$ and master key $MSK$, and then AA publishes public parameter $PP$ to other entities.

2) KeyGen: AA runs the algorithm and inputs user's attribute set ${\text{S}} = \{ {I_u}, S\}$; AA outputs user's secret key $SK$.

3) CKeyGen: DU runs the algorithm. DU randomly chooses recover key $H{K_u}$ and then generates conversion key $C{K_u}$ according to $H{K_u}$.

4) Enc.offline: DO executes the algorithm. DO outputs intermediate ciphertext $IT$ according to the public parameter $PP$.

5) Enc.online: DO executes the algorithm. DO inputs grid data $MSG$, revocation list $RE$, public parameter $PP$ and outputs ciphertext $CT$.

6) Conversion: CS executes the algorithm. DU inputs ciphertext $CT$, conversion key $C{K_u}$, public parameter $PP$. Then, CS outputs conversion ciphertext $\widehat {CT}$.

7) Decrypt: DU executes the algorithm. DU inputs conversion ciphertext $\widehat {CT}$, secret key $SK$, recover key $H{K_u}$, public parameter $PP$ and outputs the decrypted and verified grid data $MS{G^{'}}$.

8) Track: AA runs the algorithm. First, check if the secret key $SK$ satisfies the required conditions for tracking. If $SK$ is satisfied, the user identity is calculated based on the public parameter $PP$, the conversion ciphertext $\widehat {CT}$ and the secret key $SK$. Eventually, AA gets the tracked user $u$ and the updated revocation list $R{E^{'}}$.

9) Update: AA and CS run this algorithm. AA inputs the updated revocation list $R{E^{'}}$, and CS outputs the updated ciphertext $C{T^{'}}$.

The system flow chart is shown in Figure 3.

3.3.   Security model

The indistinguishability under chosen-plaintext attack (IND-CPA) of the proposed scheme can be described as a security game between a challenger ${\text{C}}$ and an adversary ${\text{A}}$. The procedures are as follows:

Setup: ${\text{A}}$ selects and submits an access policy ${T^*} = \{ {M^*}, {\rho ^*}, V\}$ and a user revocation list $R{E^*}$ to ${\text{C}}$, where $M$ is a matrix that has $l$ row size and $n$ column size. $\rho$ is a function that maps every row of $M$ into an attribute name in ${A^*}$. ${\text{C}}$ runs Setup algorithm in Section 3.2 and generates public parameter, then sends public parameter to ${\text{A}}$.

Phase 1: ${\text{A}}$ asks ${\text{C}}$ for the decryption key of attribute sets $({u_1}, {{\text{S}}_1})({u_2}, {{\text{S}}_2})...({u_q}, {{\text{S}}_q})$, where $q$ means the number of users.

If ${{\text{S}}_i} \in {T^*}$ and ${u_i} \notin R{E^*}$, which indicates the user's attribute sets satisfy the access policy, and the user is not listed in the revocation list, then abort.

If ${{\text{S}}_i} \notin {T^*}$ or ${u_i} \in R{E^*}$, which indicates the user's attribute sets do not satisfy the access policy, or the user is listed in the revocation list, then ${\text{C}}$ generates a decryption key and sends it to ${\text{A}}$.

Challenge: ${\text{A}}$ submits two messages ${m_0}$ and $m{}_1$ of the same length. Next, ${\text{C}}$ randomly chooses $\varpi \in \{ 0, 1\}$, then encrypts message ${m_\varpi }$ under access policy ${T^*} = \{ {M^*}, {\rho ^*}, V\}$ and revocation list $R{E^*}$. Eventually, ${\text{C}}$ sends ciphertext $C{T^*}$ as a challenge to ${\text{A}}$.

Phase 2: Phase 2 remains the same as the operation of Phase 1.

Guess Phase: ${\text{A}}$ outputs a guess ${\varpi ^{'}}$ about $\varpi$ and wins the game if $\varpi = {\varpi ^{'}}$. The advantage of ${\text{A}}$ winning the security game can be described as: $\varepsilon = \left| {\Pr [\varpi = {\varpi ^{'}}] - 1/2} \right|$.

Definition 2: In polynomial time, if the adversary ${\text{A}}$ cannot win the above security game with non-negligible advantage, then the proposed scheme is indistinguishable under chosen-plaintext attacks.

4.   Scheme construction

4.1.   Setup

In this section, the attribute authorities generate the public parameter $PP$ and the master key, then publish the public parameters to other entities.

The scheme contains $N$ attribute authorities $\{ A{A_1}, ..., A{A_N}\}$. Attribute authorities generate public parameter $PP$ as follows:

1) Attribute authority $A{A_1}$ selects two multiplicative cyclic groups $\mathit{\boldsymbol{G}}$ and ${\mathit{\boldsymbol{G}}_T}$ of prime order $p$. ${\mathit{\boldsymbol{G}}_T}$ has an efficient bilinear pairing which can be described as $e:\mathit{\boldsymbol{G}} \times \mathit{\boldsymbol{G}} \to {\mathit{\boldsymbol{G}}_T}$, and $g$ is a generator of $\mathit{\boldsymbol{G}}$. $A{A_1}$ randomly selects $m, n \in G$. ${E_f}$ and ${D_f}$ are symmetric encryption and decryption algorithms.

2) $A{A_1}$ selects collision-resistant hash functions ${H_0}():G \to {\{ 0, 1\} ^*}$, ${H}_{1}():{\{0, 1\}}^{*}\to {\left\{0, 1\right\}}^{{\ell }_{{H}_{1}}}$ and secure key generation function $H$.

3) Each attribute authority randomly chooses ${k_{f, j}} \in G$, then sends it over a secure channel to other attribute authorities ($j \in \{ 1, 2, ..., N\}$). Each attribute authority computes and gets the symmetric key ${k_f} = H(\prod\nolimits_{j = 1}^N {{k_{f, j}}})$ used to encrypt the user's identity.

4) For each node in ${T_y}$, $A{A_1}$ randomly selects ${\delta _i} \in {Z_p}$ to get $\{ {\delta _i}\} _{i = 0}^{2|U| - 2}$ and calculates $\{ {\psi _i} = {g^{{\delta _i}}}\} _{i = 0}^{2|U| - 2}$. $A{A_1}$ sends $\{ {\delta _i}\} _{i = 0}^{2|U| - 2}$ over a secure channel to other attribute authorities. Each leaf node in ${T_y}$ is associated with a user $u$ and assigned a unique value ${v_u} \in {Z_p}$.

5) Each attribute authority randomly chooses ${\alpha _j}, {a_j} \in {Z_p}$ and calculates ${Y_j} = e{(g, g)^{{\alpha _j}}}$, ${g^{{a_j}}}$. Then, it sends ${Y_j}$ and ${g^{{a_j}}}$ to other attribute authorities. After receiving ${Y_j}$ and ${g^{{a_j}}}$ from other attribute authorities, each attribute authority calculates

For ease of presentation, $\widetilde A$ and $A$ are used below to represent $\sum\nolimits_{j = 1}^N {{\alpha _j}}$ and $\sum\nolimits_{j = 1}^N {{a_j}}$.

6) Attribute authorities publicize the system parameter $PP = \{ p, G, {G_T}, e, g, m, n, Y, A, \{ {\psi _i}\} _{i = 0}^{2|U| - 2},$ ${E_f}, {D_f}, {H_0}(), {H_1}(), H()\}$ and upload $PP$ to the blockchain. Each attribute authority saves its secret key $MS{K_j} = \{ {a_j}, {\alpha _j}, \{ {\delta _i}\} _{i = 0}^{2|U| - 2}\}$.

4.2.   KeyGen

In this section, the attribute authorities generate the secret key $SK$ for data users.

${\text{S}} = \{ {I_u}, S\}$ is the set of user attributes, where ${I_u} \in {A^*}$ is the attribute name, and $S = {\{ {s_i}\} _{i \in {I_u}}}$ is the set of attribute values. Attribute authorities generate the secret key $SK$ as follows:

1) Each attribute authority calculates ${E_{id}} = {E_f}({k_f}, {v_u})$.

2) Every attribute authority randomly selects ${r_j} \in {Z_p}$, then calculates ${D_1} = {g^{A{r_j}}}, {D_2} = {g^{{r_j}}},$ ${D_3} = {E_{id}}$, ${K_j}^{'} = {m^{{r_j}}}$ and sends to other attribute authorities.

3) Let ${\zeta _u}$ be the leaf node associated with the user $u$ in the binary tree and the set of leaf nodes be $path({\zeta _u}) = \{ {\zeta _0}, {\zeta _1}..., {\zeta _u}\}$. ${\zeta _0}$ is the root node. Each attribute authority calculates ${D_0} = {g^{{r_j}/{\delta _{{\zeta _u}}}}}$ and sends to other attribute authorities.

After receiving components from other attribute authorities, each attribute authority calculates secret key as follows:

4) The secret key $SK = \{ \widetilde {{D_0}}, \widetilde {{D_1}}, \widetilde {{D_2}}, {D_3}, {\{ {\delta _\zeta }\} _{\zeta \in path({\zeta _u})}}, K, {\{ \widetilde {{D_\theta }}\} _{\theta \in {I_s}}}, {\text{S}}\}$. $R$ is used below to represent $\sum\nolimits_{j = 1}^N {{r_j}}$.

4.3.   CKeyGen

In this section, the data user generates the recover key and the conversion key, then sends these keys to the cloud server.

The data user randomly selects ${x_u} \in {Z_p}$ as recover key $H{K_u}$ and calculates the conversion key $C{K_u}$ as follows:

The conversion key $C{K_u} = \{ {L_1}, {L_2}, {L_3}, {L_4}, {L_\theta }\}$.

4.4.   Enc.offline

In this section, the data owner completes time-consuming operations such as bilinear pairing offline to reduce the communication overhead, while generating the symmetric key.

The data owner sets access policy $T = (M, \rho, V)$ and generates intermediate ciphertext as follows:

1) Randomly select ${R_u} \in G$ and secret value $s \in {Z_p}$, and calculate symmetric key ${k_u} = H({R_u})$. Then, calculate $C = {R_u}e{(g, g)^{\widetilde As}}$, ${C_0} = {g^s}$, ${C_0}^{'} = {g^{\widetilde As}}$ and $\{ {\psi _i}^s\} _{i = 0}^{2|U| - 2}$.

2) For ${b^{th}}$ row ${M_b}$ in the matrix $M$, randomly select ${z_b}, {q_b}, {t_b} \in {Z_p}$, where $b = 1, 2, ..., l$. The data owner calculates ${C_{b, 1}} = {m^{{z_b}}}{n^{{q_b}}}$, ${C_{b, 2}} = {g^{ - {q_b}{t_b}}}{g^{{z_b}}}$ and ${C_{b, 3}} = {g^{{q_b}}}$.

3) The intermediate ciphertext $IT = \{ s, C, {C_0}, {C_0}^{'}, {R_u}, {k_u}, \{ {\psi _i}^s\} _{i = 0}^{2|U| - 2}, \{ {z_b}, {q_b}, {t_b}, {C_{b, 1}}, {C_{b, 2}},$ ${C_{b, 3}}{\} _{b = 1, 2, ..., l}}\}$.

4.5.   Enc.online

In this section, the data owner encrypts the grid data using the symmetric key generated in Section 4.4 and then encrypts the symmetric key using the attribute-based encryption algorithm.

The data owner executes the following processes to encrypt symmetry key and grid data:

1) Calculate the verification credential $Token = {H_1}({H_0}({R_u})||MSG)$ and send it to the blockchain. Then use the symmetric key ${k_u}$ to encrypt grid data $MSG$ and obtain grid data ciphertext $C{T_M}$.

2) Randomly select a vector $\kappa = {(s, {f_2}, ..., {f_n})^{\text{T}}}$. For each row ${M_b}$ in the matrix $M$, calculate ${z_b}^{'} = {M_b}\kappa$.

3) Calculate ${C_{b, 4}} = {z_b}^{'} - {z_b}$ and ${C_{b, 5}} = {q_b}({v_{\rho (b)}} - {t_b})$, and then get the minimal set $cover(RE)$ through the binary tree ${T_y}$. Next, select the cipher component ${\{ {F_i} = {\psi _i}^s\} _{i \in cover(RE)}}$ according to $cover(RE)$.

4) The ciphertext $CT = \{ \overline T, RE, C{T_M}, C, {C_0}, {C_0}^{'}, {\{ {C_{b, 1}}, {C_{b, 2}}, {C_{b, 3}}, {C_{b, 4}}, {C_{b, 5}}\} _{b \in 1, 2, ..., l}}, {\{ {F_i}\} _{i \in cover(RE)}}\}$, where $\overline T$ is the access policy of hidden attribute values.

4.6.   Conversion

In this section, the cloud server preprocesses the ciphertext data and sends the conversion ciphertext to the data user.

The cloud server executes the following processes to generate conversion ciphertext $\widehat {CT}$:

1) Check if user $u$ is included in the revocation list $RE$. If the user is included in $RE$, it means the user is illegal, and then terminate the process. Otherwise, according to the attributes set uploaded by the user, get the set of rows ${I_r} = \{ b:\rho (b) \in S\} \subseteq \{ 1, 2, ..., l\}$ and the set of constants ${\{ {\omega _b} \in {Z_p}\} _{b \in {I_r}}}$. When $\{ {z_b}^{'}\}$ is valid, $\sum\limits_{b \in {I_r}} {{\omega _b}{z_b}^{'}} = s$.

2) If the value of attribute ${s_{\rho (b)}}$ in the user's secret key $SK$ satisfies the value ${v_{\rho (b)}}$ in the access policy, calculate as follows:

3) The cloud server sends the conversion ciphertext $\widehat {CT} = \{ RE, {C_t}, C, {\{ {F_i}\} _{i \in cover(RE)}}\}$ to the user.

4.7.   Decrypt

In this section, the data user decrypts the conversion ciphertext and gets the symmetric key. Then the data user uses the symmetric decryption algorithm to get the grid data ciphertext and completes the data integrity verification using the verification credential downloaded from the blockchain.

The data user $u$ executes the algorithm to decrypt ciphertext as follows:

1) If $u$ is not included in the revocation list $RE$, then there exists a unique node ${\zeta _i} = path({\zeta _u}) \cap cover(RE)$, where ${\zeta _u}$ is the leaf node associated with $u$.

2) According to the node ${\zeta _i}$ and user's secret key $\{ \widetilde {{D_0}}, {\{ {\delta _\zeta }\} _{\zeta \in {\text{path}}({\zeta _u})}}\}$, get ${\delta _{{\zeta _u}}}$ and ${\delta _{{\zeta _i}}}$, and then calculate $o = {\delta _{{\zeta _u}}}/{\delta _{{\zeta _i}}}$.

3) Calculate the components as follows:

4) The symmetric key ${k_u}^{'} = {H_0}({R_u}^{'})$. Use ${k_u}^{'}$ to decrypt grid ciphertext, then obtain the grid data $MS{G^{'}} = {D_f}({k_u}^{'}, C{T^{'}})$.

5) Download the verification credential $Token$ from the blockchain, and if the equation $Token = H{}_1({H_0}({R_u}^{'})||MS{G^{'}})$ holds, then the grid data $MS{G^{'}}$ is valid.

4.8.   Track

In this section, the attribute authority checks the user's secret key $SK$ and tracks the user with the binary tree. Then, the attribute authority adds the user to the revocation list $RE$ and updates the revocation list.

The attribute authority executes the algorithm to trace users as follows:

1) Check whether the user's secret key $SK$ satisfies the following conditions:

a) ${D_3} \in {Z_p}$, $\widetilde {{D_0}}, \widetilde {{D_1}}, \widetilde {{D_2}}, K, \widetilde {{D_\theta }} \in G$

b) $e(g, {D_1}) = e({g^A}, {D_2}) \ne 1$

c) $e(K, {g^A}{g^{{D_3}}}) = e{(g, g)^{\widetilde A}}e({\widetilde {{D_2}}^{{D_3}}} \cdot \widetilde {{D_1}}, m) \ne 1$

d) $\exists \theta \in {I_s}, s.t.{\text{ }}e(\widetilde {{D_\theta }}, g)e({\widetilde {{D_2}}^{{D_3}}} \cdot \widetilde {{D_1}}, n) = e{(\widetilde {{D_2}}.g)^{{s_\theta }}} \ne 1$

2) If the user secret key $SK$ passes the above check, then calculate ${v_u} = {D_s}({k_f}, {D_3})$. Next, use ${v_u}$ to find the corresponding user $u$ in the binary tree and add $u$ to the revocation list. $R{E^{'}} = RE \cup \{ u\}$ is the updated revocation list.

4.9.   Update

In this section, the attribute authorities and the cloud server complete the ciphertext update after user revocation based on the updated nodes set $cover(R{E^{'}})$.

The attribute authority and the cloud server execute the algorithm as follows together:

1) Each attribute authority randomly selects ${\varphi _j} \notin {Z_p}$ and sends it to other attribute authorities. Then, each attribute authority calculates $\widetilde \varphi = \sum\nolimits_{j = 1}^N {{\varphi _j}}$ and ${\delta ^{'}} = \{ \widetilde \varphi \cdot {\delta _i}\} _{i = 0}^{2|U| - 2}$ and sends $\widetilde \varphi$ and ${\delta ^{'}}$ to the cloud server.

2) The cloud server obtains new nodes set $cover(R{E^{'}})$ from $R{E^{'}}$. For node ${\zeta _{{i^{'}}}} \in cover(R{E^{'}})$, there exist two cases when updating the ciphertext:

a) For the revocation list $RE$ before the update, there exists a node ${\zeta _i} \in cover(RE)$ that makes ${\zeta _{{i^{'}}}} = {\zeta _i}$ hold. Then, set ${F_{{i^{'}}}} = {F_i}$.

b) For the revocation list $RE$ before the update, there exists a node ${\zeta _i} \in cover(RE)$ such that ${\zeta _i}$ is an ancestor of ${\zeta _{{i^{'}}}}$. Suppose that $path({\zeta _{{i^{'}}}}) = path({\zeta _i}) \cup \{ {\zeta _{i + 1}}, ..., {\zeta _{{i^{'}}}}\}$, let ${P_i} = {\psi _i}$ and calculate iteratively as follows, where $k = i + 1, ..., {i^{'}}$:

Next, set ${F_{{i^{'}}}} = {P_{{i^{'}}}}$.

Eventually, the updated ciphertext is $C{T^{'}} = \{ \overline T, R{E^{'}}, C{T_M}, C, {C_0}, {C_0}^{'}, \{ {C_{b, 1}}, {C_{b, 2}}, {C_{b, 3}}, {C_{b, 4}},$${C_{b, 5}}{\} _{b \in 1, 2, ..., l}}, {\{ {F_{{i^{'}}}}\} _{{i^{'}} \in cover(R{E^{'}})}}\}$

5.   Security analysis

5.1.   Collusion Attack Resistance

Theorem 1. The proposed scheme can resist the collusion attack by $N - 1$ attribute authorities if the discrete logarithm hardness assumption (Discrete Logarithm Problem, DLP) holds.

Proof: Each attribute authority randomly selects ${a_j} \in {Z_p}$ and sends ${g^{{a_j}}}$ to other attribute authorities. From the discrete logarithmic difficulty problem, it is difficult for an adversary to infer ${a_j}$ from ${g^{{a_j}}}$. Thus, even if there exist $N - 2$ attribute authorities in collusion with the adversary, there will still be a parameter that cannot be determined, and the adversary cannot guess valid ${g^A}$. Then, the adversary cannot construct a valid master key. Therefore, the proposed scheme can resist the collusion attack by $N - 1$ attribute authorities.

5.2.   Security proof

Theorem 2. The proposed scheme has indistinguishability under chosen-plaintext attack (IND-CPA) if $q - {\text{BDHE}}$ hardness assumption holds, where $q > 2|U| - 2$.

Proof: Assume an adversary ${\text{A}}$ can break the proposed scheme with a non-negligible advantage $\varepsilon$, and then there exists a challenger ${\text{C}}$ that can solve the $q - {\text{BDHE}}$ problem with the advantage $\varepsilon /2$. ${\text{C}}$ executes algorithms as follows:

Let $\mathit{\boldsymbol{G}}$ and ${\mathit{\boldsymbol{G}}_T}$ be two multiplicative cyclic groups of prime order $p$ and $g$ be a generator of $\mathit{\boldsymbol{G}}$. ${\mathit{\boldsymbol{G}}_T}$ has an efficient bilinear map $e:\mathit{\boldsymbol{G}} \times \mathit{\boldsymbol{G}} \to {\mathit{\boldsymbol{G}}_T}$. ${\text{C}}$ randomly selects $\mu \in \{ 0, 1\}$. Give a vector $J = (g, {g}^{t}, {g}^{f}, {g}^{{f}^{2}}, \mathrm{...}, {g}^{{f}^{q}}, {g}^{{f}^{q+2}}, \mathrm{...}, {g}^{{f}^{2q}})$, and if $\mu = 1$, then ${\text{C}}$ calculates $Z = e{(g, g)^{{f^{q + 1}}t}}$. Otherwise, ${\text{C}}$ randomly selects $Z \in {\mathit{\boldsymbol{G}}_T}$.

Setup: ${\text{A}}$ selects and submits an access policy ${T^*} = \{ {M^*}, {\rho ^*}, V\}$ and a user revocation list $R{E^*}$ to ${\text{C}}$, where $M$ is a matrix that has $l$ row size and $n$ column size. $\rho$ is a function that maps every row of $M$ into an attribute name in ${A^*}$. ${\text{C}}$ randomly selects ${\sigma ^{'}}, a \in {Z_p}$ and sets $e{(g, g)^\alpha } = e{(g, g)^{{\sigma ^{'}}}}e({g^t}, {g^{{t^q}}})$, then calculates ${g^a}$, $m = {g^f}$, $n = {g^{{f^q}}}$, where $\alpha = {\sigma ^{'}} + {t^{q + 1}}$.

For the revocation list $R{E^*}$, ${\text{C}}$ sets ${I_{R{E^*}}} = \{ {\zeta _i} \in path(u)|u \in R{E^*}\}$ and randomly selects ${\{ {d_i} \in {Z_p}\} _{i \in \{ 0, 2|U| - 1\} }}$. If ${\zeta _i} \in {I_{R{E^*}}}$, set ${\psi _i} = {g^{{d_i}}}{g^{{f^i}}}$, and then ${\delta _i} = {d_i} + {f^i}$. Otherwise, set ${\psi _i} = {g^{{d_i}}}{g^{{f^q}}}$, and then ${\delta _i} = {d_i} + {f^q}$.

${\text{C}}$ sends the public parameter $PP = \{ p, \mathit{\boldsymbol{G}}, {\mathit{\boldsymbol{G}}_T}, e, g, m, n, e{(g, g)^\alpha }, {g^a}, \{ {\psi _i}\} _{i = 0}^{2|U| - 2}\}$ to ${\text{A}}$.

Phase 1: ${\text{A}}$ submits user attribute sets $u, {\text{S}} = \{ {I_u}, S\}$ to require corresponding secret keys. ${I_u} \in A$ is user's attribute name. $S = {\{ {s_i}\} _{i \in {I_u}}}$ is user's attribute value set. For every attribute value ${s_j}$ in attribute space and $\forall i \in \{ 1, 2, ..., {l^*}\}$, if ${s_j} = {v_{{\rho ^*}(i)}}$, it means that ${s_j}$ satisfies the attribute value in the access policy, and set ${\tau _j} = {s_j} + \sum\limits_{h = 1}^{{n^*}} {{f^h}M_{j, h}^*}$. Otherwise, set ${\tau _j} = {s_j}$. If $u \notin R{E^*}$, then set ${\delta _i} = {d_{{\zeta _i}}} + {f^q}$. If $u \in R{E^*}$, then for $\forall {\zeta _i} \in path(u)$, there exists ${\zeta _i} \in {I_{R{E^*}}}$, and set ${\delta _i} = {d_{{\zeta _i}}} + {f^{{\zeta _i}}}$. If ${\text{S}} \in {T^*}$, randomly select $\iota \in {Z_p}$ and calculate $t = [{f^{q- 1}}/(a + \iota)] \cdot (M_{i, 1}^*/M_{i, 2}^*) + [- {f^q}/(a + \iota)]$. Otherwise, randomly select vector $\stackrel{\rightharpoonup }{b} = ({b}_{1}, {b}_{2}, \mathrm{...}, {b}_{{n}^{*}})\in {Z}_{p}$, where ${b_1} = - 1$, and all $i$ in ${\rho ^*}(i) \in {I_u}$ satisfy ${M}_{i}{}^{*}\cdot \stackrel{\rightharpoonup }{b} = 0$. Then, randomly select $r, \iota \in {Z_p}$ and calculate $t = (r + {b_1}{f^q} + \cdot \cdot \cdot + {b_{n*}} \cdot {f^{q - {n^*} + 1}})/(a + \iota)$.

Challenge: ${\text{A}}$ submits two messages ${m_0}$ and $m{}_1$ of the same length to ${\text{C}}$. ${\text{C}}$ randomly selects $\varpi \in \{ 0, 1\}$ and computes $C = {m_c}e{(g, g)^{\alpha t}}$, ${C_0} = {g^t}$, ${C_0}^{'} = {g^{\alpha t}}$. Next, ${\text{C}}$ randomly selects ${k_2}, ..., {k_{{n^*}}} \in {Z_p}$ and compute the vector $\stackrel{\rightharpoonup }{h} = (t, tf+{k}_{2}, \mathrm{...}, t{f}^{{n}^{*}-1}+{k}_{{n}^{*}})$. Then ${\text{C}}$ computes as follows:

For $\forall \zeta \in path(u)$, due to $\zeta \notin {I_{R{E^*}}}$, ${\text{C}}$ can obtain ${\psi _i} = {g^{{d_i}}}{g^{{f^q}}}$ and ${\delta _i} = {d_i} + {f^q}$. Finally,

${\text{C}}$ sends the ciphertext $C{T^*} = \{ C, {C_0}, {C_0}^{'}, {\{ {C_{i, 1}}, {C_{i, 2}}, {C_{i, 3}}\} _{i \in [1, {l^*}]}}, {\{ {F_i}\} _{i \in cover(R{E^*})}}\}$ to ${\text{A}}$.

Phase 2: Phase 2 remains the same as the operation of Phase 1.

Guess Phase: ${\text{A}}$ outputs a guess ${\varpi ^{'}}$ about $\varpi$. If $\varpi = {\varpi ^{'}}$, ${\text{C}}$ outputs the guess ${\mu ^{'}} = 1$ about $\mu$, and then ${\text{A}}$ obtains the normally generated ciphertext. The advantage that ${\text{A}}$ obtains the normally generated ciphertext is $\varepsilon = {\text{Pr[}}\varpi = {\varpi ^{'}}|\mu = 1{\text{]}} - (1/2)$, and it means ${\text{Pr[}}\varpi = {\varpi ^{'}}|\mu = 1] = {\text{Pr[}}\mu = {\mu ^{'}}|\mu = 1]$. Therefore, the probability that ${\text{C}}$ wins the game is ${\text{Pr[}}\mu = {\mu ^{'}}|\mu = 1{\text{] = }}\varepsilon + (1/2)$. Otherwise, ${\text{C}}$ outputs the guess ${\mu ^{'}} = 0$ about $\mu$, ${\text{A}}$ obtains a randomly selected element from ${\mathit{\boldsymbol{G}}_T}$, so that ${\text{A}}$ cannot obtain any information from $\varpi$, ${\text{Pr[}}\varpi = {\varpi ^{'}}|\mu = 1{\text{] = 1/2}}$. Then ${\text{Pr[}}\varpi \ne {\varpi ^{'}}|\mu = 0] = {\text{Pr[}}\mu = {\mu ^{'}}|\mu = 0]$ can be concluded. Thus, the probability that ${\text{C}}$ wins the game is ${\text{Pr[}}\mu = {\mu ^{'}}|\mu = 0{\text{] = }}1/2$.

Eventually, if ${\text{C}}$ can solve the $q - {\text{BDHE}}$ problem, then the advantage of ${\text{C}}$ can be described as follows:

6.   Performance

In this section, we compare several existing schemes ^{[26,27,29,30,31]} with our scheme. Table 1 defines the symbols that appear below.

The hardware and software environments for implementing the experiment are as follows: A laptop equipped with 3.2GHz AMD Ryzen 7 6800H CPU and 8GB RAM was used, and the operating system is 64-bit Windows 11. We used JPBC 2.0.0 library for the experiment. The prime-order bilinear pairing is constructed on the 160-bit elliptic curve group, which is based on the curve ${y^2} = {x^3} + x$. Table 2 lists the runtime of the three cryptographic operations in the above environment. Table 3 compares the proposed scheme with previous ABE schemes in terms of the number of attribute authorities, verification, revocation, policy hiding, ability to encrypt offline, and whether blockchain technology is introduced. Table 4 shows the performance of the proposed scheme versus other schemes in the encryption and other phases. Figures 4 to 7 present the variation of the computation time as the user attribute space grows.

Table 3 presents an analysis of various schemes. Specifically, the scheme ^[26] provides traceability, while the scheme presented in ^[27] adds policy hiding and revocation. However, both schemes rely on a single attribute authority and thus fail to resist collusion attacks from malicious users and attribute authorities. On the other hand, the scheme proposed in ^[29] adopts multiple attribute authorities to resist collusion attacks and employs online/offline encryption to enhance efficiency. While the schemes in ^[30,31] support flexible revocation, they suffer from high computational overhead. However, the above schemes lack support for integrity verification. In contrast, the proposed scheme integrates revocation, hidden policy, multiple attribute authorities and online/offline encryption. Additionally, the proposed scheme incorporates verification and blockchain technology to ensure data integrity.

Table 4 shows the computational overhead of various schemes. From Table 4, we can observe that the encryption time of ^[27,29] and the proposed scheme is much less than other schemes. Furthermore, the proposed scheme attains a constant level of computational overhead in the decryption and update phase. In the tracking phase, both the proposed scheme and the other schemes contain a large number of complex operations, so the computational overhead is approximated.

Figure 4 describes the change in online encryption time as the attribute space grows. We can find that the computation time for encryption grows linearly as the attribute space grows, and the encryption overhead is reduced because the proposed scheme uses online offline encryption to pre-process the data.

Figure 5 illustrates the decryption time variation. The schemes ^[26,27,30] do not consider the case of large attribute space, and the computational overhead of these schemes increases rapidly as the attribute number grows. The scheme ^[29,31] and the proposed scheme outsource the complex calculations such as bilinear pairing to the cloud server. Therefore, the proposed scheme achieves constant-level decryption time.

Figure 6 shows the tracking time of various schemes. Due to more bilinear pairing operations, the scheme ^[31] takes more time than other schemes. Even with the realization of data integrity verification at the same time, the tracking time of the proposed scheme remains at a low growth rate.

Figure 7 shows the ciphertext update time. The ciphertext update times for the proposed scheme and the scheme ^[26] are only related to the number of revoked users. Therefore, the update time is much lower than other schemes. From the indicated results, the proposed scheme is more efficient and suitable for smart grid, while achieving the desired security goals. In summary, the experimental results are consistent with the above theoretical analysis in Table 4.

7.   Conclusions

To address the important issues in the existing CP-ABE schemes, such as the inability to resist collusion attacks, high computation overhead and lack of support for outsourced verification, this paper proposes a blockchain-based multi-authority revocable data sharing scheme. The proposed scheme can resist collusion attacks and realize access control with users' attribute sets. Moreover, the proposed scheme can trace malicious users and then revoke the user by using the binary tree. The proposed scheme introduces online/offline encryption and hybrid encryption, so that the computation overhead of the decryption phase is not affected by user attributes. Thus, the proposed scheme supports large attribute space and is more suitable for secure data sharing in multi-user smart grid. We also presented security proof to demonstrate that the proposed scheme is IND-CPA-secure under the hardness assumptions of $q - {\text{BDHE}}$.

Acknowledgments

The authors appreciate the editors and reviewers for their valuable comments and insightful suggestions. This work was supported by National Natural Science Foundation of China (No. 61662069), the China Postdoctoral Science Foundation (No. 2017M610817).

Conflict of interest

All authors declare there is no conflict of interest.