Abstract:
As a widely used ciphertext authorization access mechanism in cloud environments, ciphertext-policy attribute-based encryption (CP-ABE) has fine-grained, one-to-many and owner-controlled properties. However, the traditional CP-ABE mechanism is difficult to obtain the identities of authorized users who maliciously abuse their decryption privileges since multiple users may have the same attribute set. Although numerous existing studies achieve the identity tracking for some specific decryption privilege abuses (i.e., white-box attacks and black-box attacks), they are challenging to audit authorized users’ identities for ciphertext access behaviors, which may lead to potential data security and owners’ right-to-be-informed compliance issues. Based on CP-ABE mechanism, to realize identity tracing of ciphertext data access behavior in real application scenarios, this scheme designs a cross-domain ciphertext data sharing method, which generates the access request by binding the traceable decryption key with the authorized user’s access behavior. The integrity of access requests is protected by blockchain. Meanwhile, this scheme introduces an encrypted inverted index structure to address the inefficiency of the identity traceability caused by blockchain traversal. The privacy-preserving of index queries is achieved through the BLS signature and privacy set intersection. Theoretical analysis and experimental results demonstrate that the proposed cross-domain ciphertext sharing scheme with authorized users’ access behaviors audit trail is efficient and practical.