DSVN: A Flexible and Secure Data-Sharing Model for VANET Based on Blockchain

Abstract

Vehicular Ad Hoc Network (VANET) is an important part of the modern intelligent transportation system, which can provide vehicle communication at a certain distance. More importantly, VANET can provide route planning and autonomous driving for drivers by analyzing data. However, VANET’s data privacy and security are a huge challenge when serving drivers. In this paper, we propose a VANET data-sharing model (DSVN) that combines ciphertext-based attribute encryption (CP-ABE), blockchain, and InterPlanetary File System (IPFS). DSVN uses an outsourced and revocable ciphertext policy attribute-based encryption (ORCP-ABE) scheme, which is improved based on CP-ABE. ORCP-ABE uses key encryption key (KEK) trees to manage user attribute groups and revoke user-level attributes. It eliminates redundant attributes in the access policy by attribute-weighted access trees. Moreover, DSVN has no single point of failure. We demonstrate the indistinguishability under the chosen-plaintext attack (IND-CPA) security of DSVN by a game based on the computational Diffie–Hellman (CDH) assumption. Experimental results show that DSVN can store and share data with low overhead. Additionally, it can revoke attributes of users safely.

1. Introduction

Vehicle-to-vehicle communication across shorter distances is made possible by the vehicular ad hoc network (VANET), a particular kind of mobile ad hoc networks (MANETs) [1]. VANET can help drivers get status information and real-time road condition information from other vehicles within a certain range [2,3,4]. However, VANET may expose users’ private information, e.g., identities, location information, and trajectories. Once that shared private information is illegally used by malicious attackers, it will lead to terrible information security. Therefore, how to store and share VANET data safely is a research hotspot. Fortunately, the emergence of blockchain technology has addressed the problems above. Blockchain is decentralized, transparent, a consensus mechanism, and tamper-proof. [5,6,7]. It maintains the security of data and punishes malicious attackers for VANET. Currently, there are two types of blockchain-based VANET data-sharing schemes. The first type, the data is completely uploaded to the blockchain [8,9,10], and each node synchronizes the block data in real time. This strategy is not appropriate for large-scale data storage scenarios. The other, the data is kept on a cloud server, but transactions are recorded on the blockchain [11,12]. Such schemes cannot avoid single failure spots. To eliminate this failure, we store metadata on the InterPlanetary File System (IPFS), eliminating the high overhead and low efficiency of data storage resources on the blockchain. IPFS uses distributed storage and allows nodes to retrieve and store data as backups, avoiding single points of failure.

In addition, access control provided by a trusted third party cannot satisfy VANET data on the cloud server. This mechanism limits the flexibility of data sharing and has security concerns. It has become a new challenge to provide fine-grained access control for data-sharing scenarios. The primary method of implementing data access control is encryption. However, conventional encryption schemes cannot satisfy the access control needs in the VANET scenario. For instance, it is challenging to provide decryption keys to the desired data access users when using the Advanced Encryption Standard (AES) [13]. Before encrypting the data using the RSA encryption algorithm, the owner must collect the public key from each user. New users cannot access data that has been encrypted [14]. Attribute-based encryption (ABE), suggested by Sahai et al., allows for precise access control over encrypted data [15]. Depending on the objects connected with the access control policy, ABE is further separated into ciphertext policy attribute-based encryption (CP-ABE) [16] and key policy attribute-based encryption (KP-ABE) [17]. Compared with KP-ABE, CP-ABE is more suitable for dynamic scenes. Therefore, most of the schemes supporting fine-grained access control in VANET are based on CP-ABE. In VANET, the user’s attribute set is dynamic. Various circumstances may cause the user’s attribute set to change. For instance, Mike works as a traffic cop in the supervisory division. He is transferred outside of his department due to a change in position. The “supervisory department” in user Mike’s attribute set needs to be removed. In the traditional CP-ABE approach, the user’s attribute set is immutable. When the user’s attributes need to be modified, CP-ABE can only re-register after deleting the user. This method of processing adds overhead and is not safe during processing. We build a KEK tree based on the user set to manage the rights of different users. When revoking a specific user attribute, the revoked user updates its key while other users are unaffected.

In response to the security issues in VANET data sharing, we design a data-sharing model for VANET (DSVN). First, we build a collaborative network of consortium blockchain and IPFS with RSUs as nodes [18], a distributed storage network. The model ensures the tamper-proof and integrity of shared information through a blockchain consistency mechanism. Second, we implement an efficient encryption scheme ORCP-ABE. Our scheme supports computational outsourcing and user attribute revocation functions. In addition, we propose an attribute-weighted access tree. Data owners can eliminate redundant attributes and improve the efficiency of data encryption by constructing such access trees. Finally, we prove that the scheme is IND-CPA safe in a game model under the CDH assumption and test the scheme’s performance through simulation experiments.

2. Related Work

2.1. VANET

VANET is a mobile network formed using wireless communication technology with moving vehicles and transportation facilities as nodes. VANET is an important part of intelligent transportation system. With the widespread application of VANET, the security of private data between vehicles has become a primary concern [19,20]. To solve this problem, many scholars have proposed solutions [21,22,23,24,25]. Deng et al. propose a secure VANET authentication scheme (PAS), where a software-defined network (SDN) is integrated as a suitable infrastructure to support anonymous authentication and pseudonym management [21]. Chen et al. propose a decentralized VANETs (DVANETs) architecture, where computing tasks are decomposed from centralized cloud services to edge computing (EC) nodes, thereby effectively reducing network communication overhead and congestion delay [22]. Li et al. implement blockchain instead of third-party service providers for user identity management and data storage, and lightweight VANET devices can outsource complex encryption and decryption operations to RSUs [23]. The scheme of Ma et al. records users’ keys, uploads, and access transactions for auditing through blockchain [24]. The scheme of Zhang et al. implements outsourced encryption and revokes malicious users [25].

2.2. Blockchain

Blockchain is a chained data structure that combines data blocks in a sequentially connected manner in chronological order and is a cryptographically guaranteed, immutable, and unforgeable distributed ledger. Blockchain originated from Bitcoin, which was proposed by Satoshi Nakamoto [26]. Cryptocurrencies have developed rapidly recently, and blockchain has received widespread attention. Blockchain technology has been widely used in finance, healthcare, industry, and other fields [27,28,29].

For data storage security issues, numerous academics have suggested blockchain-based data storage schemes [30,31,32]. A blockchain-based data access architecture for the Internet of Things was put forth by Shafagh et al. [30]. The model achieves secure access control management without needing a centralized, trusted third-party organization by employing blockchain as a distributed access control layer for the storage layer. A VANET security architecture based on blockchain and mobile edge computing was presented by Zhang et al. [31]. With blockchain technology, this architecture guarantees the security of VANET data during horizontal dissemination. A VANET untrustworthy system concept based on blockchain and certificate authority (CA) was presented by Javaid et al. [32]. This model can establish distributed trust management for secure data sharing while protecting privacy. According to the former study, a distributed storage system based on a blockchain can offer security and dependability that are superior to conventional methods. It can prevent third-party-caused data loss and privacy leaks.

2.3. CP-ABE

ABE is the most promising cryptographic primitive supporting fine-grained access. ABE was first proposed by Sahai and Water in Fuzzy Identity Based Encryption (FIBE). [15]. Bethencourt presented the first CP-ABE method based on ABE [17]. This scheme allows the data owner to define an access policy. Only users who satisfy the policy can decrypt the data. Afterwards, many scholars put forward their own schemes based on this [33,34,35]. A scheme to implement access control over system attributes was put up by Water [32] utilizing a linear secret sharing scheme (LSSS) matrix. Green et al. [34] implement an effective and innovative scheme that can be outsourced. A multi-authority attributes-based encryption scheme was put forth by Lewko et al. [35].

The security of existing CP-ABE solutions is still inadequate. Most schemes cannot track down and deal with malicious users who leak their keys. Numerous academics have suggested original solutions to this issue. Praveen Kumar et al. used a dynamic traceable CP-ABE method with revocation [36]. This scheme dynamically tracks the decryptor during the outsourcing decryption process and helps to identify and revoke the malicious user who leaked the key. Kamalakanta et al. [37] suggested a practical encryption scheme with multi-authority and efficient revocation of ciphertext policy attributes. This scheme achieves user revocation by algorithmically updating the key for unrevoked users. However, this approach is only suitable for some scenarios with many users. Based on the traceable revocable ciphertext policy attribute, Yi et al. [38] suggested an equal-length ciphertext key encryption scheme. Based on achieving user revocation, the transmission efficiency is improved by constant-length ciphertext and key. These schemes effectively address the revocation of malicious users but cannot perform flexible revocation of user attributes when a user changes. A multi-permission ciphertext policy attribute and revocable permissions-based encryption scheme were presented by Yang et al. [39]. The scheme allows multiple permission authorities to participate in key distribution and enables at-tribute revocation when the user’s access rights change. A blockchain-based revocable CP-ABE method was suggested by Xin et al. [40]. The scheme supports an expressive access control policy and allows attribute permissions to revoke some user attributes.

3. System Preview

3.1. Architecture

This scheme combines consortium blockchain, attribute-based encryption, and IPFS technology to propose a new distributed VANET data storage and sharing system, as shown in Figure 1.

This system consists of six parts:

• The vehicle data owner (VDO) is the producer and sharer of data in telematics. VDO represents vehicles and corresponding onboard devices, which usually do not have the performance of storing and sharing data on a large scale. In addition, it has dynamic characteristics, so it only connects to CBN through RSU as a user.
• The roadside unit (RSU) is a communication unit distributed along both sides of the road at a certain distance. RSU has strong processing performance, sufficient storage space, and a good network connection. In this system, all RSUs form a consortium chain network as nodes. RSUs perform user data upload and access operations within their coverage area while using their high performance to do most data encryption and decryption work.
• The consortium blockchain network (CBN) is an intermediate party ensuring data sharing security and trustworthiness. In this system, CBN is composed of all RSU nodes together. The information in the system that involves user privacy and data encryption is recorded securely on the blocks of CBN.
• The smart contract (SC) is a complete set of operation methods defined on CBN, automatically performing different operations in different phases. For example, in the system initialization phase, SC is responsible for generating system keys. In the user registration phase, RSU can write user registration information to BN by calling SC.
• The data user (DU) is the user of data. The DU requests data by calling SC through RSU. In the physical layer, DU and VDO may be the same entity, and the vehicle can share its data while requesting data.
• The InterPlanetary File System (IPFS) is the data service provider. All shared source data in the system are stored in IPFS. VDO uploads metadata to IPFS via RSU.

3.2. Definitions

3.2.1. Attribute-Weighted Access Tree

Data users have different identities, and their attribute sets are complex. The attributes of data users may have containment or hierarchical relationships. For example, in the traffic management department, Constable, Superintendent, Inspector, and Superintendent are one class of attributes representing different levels of police officers. There is a clear hierarchical relationship between these attributes. The access range of the high-level attributes includes the access range of the low-level attributes, i.e., constable ⊂ superintendent ⊂ inspector ⊂ superintendent. This makes the access tree have a lot of redundant attributes. The attribute-weighted access tree can solve this problem.

As shown in Figure 2, the attribute-weighted access tree has three levels. The root node is a logical “or” the 2nd level non-leaf node is a logical “and”, and the 3rd level leaf node is an attribute expression. The construction method of the access tree for attribute assignment: The system attribute set $U$ will be divided into categories $L=\{L_1,L_2,L_3,\dots ,L_N\}$ based on entities and departments. Then, weights will be assigned to attributes in the same class where there is a continuous containment relationship for access rights. For example, if there is $L_{i,1}\subset L_{i,2}\subset L_{i,3}\cdot \cdot \cdot \subset L_{i,n}$, then the attribute $L_{i,1}$ will be assigned weight $w$ of 1, $L_{i,2}$ weight $w$ of 2, and so on for the rest. Finally, all attributes will be replaced with the corresponding category weight pairs.

3.2.2. The Key Encryption Key Tree

The key encryption key (KEK) tree is a complete binary tree constructed based on the user set [41], as shown in Figure 3. KEK tree can provide a non-revoking user update function to achieve attribute revocation. For example, suppose the system user set is $\mathrm{User}=\{u_1,u_2,\dots ,u_n\}$, and the system attribute set is $U=\{at{t}_1,at{t}_2,\dots ,at{t}_m\}$. Then, the steps for the system to construct a KEK tree are as follows:

• Each user in the user set $\mathrm{User}$ is designated in the leaf node of the binary tree, and each node stores a random value ${\theta }_i$;
• Path node generation algorithm $Path(u_i)$: For any user $u_i$, all nodes passing through the path from its corresponding leaf node to the root node are defined as the path nodes of user $u_i$;
• The minimum coverage set algorithm $Mincs(G_j)$: For the attribute group $G_j$ with the attribute $at{t}_j$, the minimum set of nodes in the KEK tree covering all users of $G_j$ is the minimum coverage set;
• Calculate the intersection of $Path(u_i)$ and $Mincs(G_j)$: If the user has the attribute $at{t}_j$, then the intersection has only one node $V_k$. ${\theta }_k$ is a random value stored in node $V_k$. If the user has no attributes $at{t}_j$, then the intersection set is empty.

3.2.3. Security Definition

• The computational Diffie–Hellman (CDH) assumption: Suppose there are cyclic groups ${\mathbb{G}}_0$ and ${\mathbb{G}}_T$ of the same prime order $p$. $g$ is a generator of ${\mathbb{G}}_0$, and $e:{\mathbb{G}}_0\times {\mathbb{G}}_0\to {\mathbb{G}}_T$ is a bilinear pair. Choose $a$,$b$ randomly from ${\mathbb{Z}}_p$. The computational Diffie–Hellman problem constructs a polynomial adversary $\mathcal{A}$ that takes the tuple $({\mathbb{G}}_0,p,g,g^a,g^b)$ as input and outputting $e{(g,g)}^{ab}\in {\mathbb{G}}_T$, which has the advantage:

  $$Ad{v}_{\mathcal{A}}=\mathrm{Pr}[\mathcal{A}({\mathbb{G}}_0,p,g,g^a,g^b)=e{(g,g)}^{ab}].$$

  (1)

  Definition 1.

  The CDH assumption holds if no probabilistic polynomial-time adversary $\mathcal{A}$ has a nonnegligible advantage in solving the CDH problem.
• Security model: Below, we define the ciphertext indistinguishability under chosen-plaintext attacks.

Setup. The challenger $C$ runs the initialization algorithm, generates the public parameters, and sends them to the adversary $\mathcal{A}$.

Phase 1. The adversary $\mathcal{A}$ is allowed to select a set $S$ of attributes for a key query. The challenger $C$ randomly runs the registration algorithm and returns the result to $\mathcal{A}$.

Challenge. The adversary $\mathcal{A}$ submits challenge access structure $T^{\ast }$ and equal-length messages $M_0$ and $M_1$, which are sent to the challenger. The challenger $C$ chooses $\theta \in \{0,1\}$ randomly, and runs pre-encryption and re-encryption algorithm to encrypt $m_{\theta }$ and generates ciphertext $C{T}^{\prime }$. Then $C$ return $C{T}^{\prime }$ to $\mathcal{A}$.

Phase 2. The adversary $\mathcal{A}$ can make a key query in the same way as in Phase 1, except that the set of attributes $S$ satisfying access structure $T^{\ast }$ related to the challenge ciphertext $C{T}^{\prime }$ cannot be queried in the key query phase.

Guess. The adversary $\mathcal{A}$ outputs a guess ${\theta }^{\ast }$ for $\theta$. If ${\theta }^{\ast }=\theta$, then $\mathcal{A}$ wins the game. The $\mathcal{A}$’s advantage is defined:

$${Adv}_{\mathcal{A}}=|\mathrm{Pr}[{\theta }^{\ast }=\theta ]-\frac{1}{2}|.$$

(2)

Definition 2.

If the adversary $\mathcal{A}$ cannot selectively win by a non-negligible advantage in polynomial time, the scheme is secure against Chosen-Plaintext Attacks.

4. System Design

4.1. System Flow

The description of the symbols and abbreviations appearing in this paper are shown in

Table 1. Description of Symbols.

Symbols	Description
$\lambda$	Safety parameters
$U$,$S$	System attribute set and user attribute set
$PK$, $MSK$	System public key and private key
$DPK$, $DSK$	Data public key and private key
$id$, $S{K}_{id}$	User id and key
$USK$	Global parameters for user access
$kek$	Attribute Encryption Information
$KEK$	User attribute group encryption information
$M$	Data address information
$T$,$T^{\ast }$	Access tree
$CT$	Pre-encrypted ciphertext
$G_x$	The attribute groups of attribute x
$C{T}^{\prime }$, $CT\ast$	Encrypted ciphertext
$Hdr$	Encryption header
$PDCT$	Pre-decrypted ciphertext
$\overline{\mathrm{M}}$	The decrypted data address information

.

As shown in Figure 4, the system has the following five main phases:

• System initialization: RSU inputs $\lambda$ and $U$ as parameters and invokes the initialization contract. The contract will execute algorithm 1 to generate $PK$, $MSK$, $DPK$, and $DSK$, and record them in the genesis block of CBN;
• User registration: VDO (or DU) sends the registration request containing the user $id$ and user attribute set $S$ to RSU. Then, RSU verifies the authenticity and validity of the registration information and then invokes the user registration contract. The contract reads the $PK$, $MSK$ and $DPK$ from CBN block and executes algorithm 2 to generate $S{K}_{id}$, $kek$, $USK$ and $KEK$. $id$ and $S$ are written to the block of CBN. Finally, RSU returns $S{K}_{id}$ and $kek$ to VDO as the result of successful registration;
• Data upload: VDO uploads Data to IPFS via RSU. IPFS returns the retrieval code to the RSU. Then RSU generates M corresponding to the retrieval code and returns it to VDO as the result of data upload. VDO receives $M$ and invokes algorithm 3 to generate the attribute-weighted access tree $T^{\ast }$, and then invokes algorithm 4 to generate $CT$. VDO sends $CT$, $G$ to RSU to invoke the data upload contract. The contract executes algorithm 5 to generate $C{T}^{\prime }$, $Hdr$ and writes the relevant information into the block of CBN. Finally, RSU broadcasts $C{T}^{\prime }$ to DUs;
• Data access: data user DU sends $S{K}_{id}$ and $C{T}^{\prime }$ to RSU. RSU invokes the data access contract. If DU satisfies the data access condition, the contract will execute algorithm 6 to calculate and get $PDCT$ and send it to DU. Otherwise, the execution of the contract will be terminated by the execution failure of algorithm 6. Then, DU executes algorithm 7 to calculate $\overline{\mathrm{M}}$ and return it to RSU. After receiving $\overline{\mathrm{M}}$, RSU will read the data retrieval code and connect IPFS to download data. Finally, DU successfully accesses data;
• User attribute revocation: RSU invokes the user attribute revocation contract with revoked user $id$ and $att$ as input. The contract calls algorithm 8 to update DPK, DSK and outputs the updated $KEK$. Then, contract reads the encrypted ciphertext $C{T}^{\prime }$ associated with the user id in the CBN block and calls algorithm 9. The algorithm 9 updates $Hdr$ and $C{T}^{\prime }$, and writes the updated $CT\ast$ on the new block in CBN. Finally, RSU broadcasts the updated $CT\ast$ to DUs.

4.2. ORCP-ABE Algorithm

The ORCP-ABE algorithm consists of the following algorithms.

• Initialization $(\lambda ,U)\to PK,MSK,DPK,DSK$: The algorithm takes security parameters $\lambda$ and system attribute set $U$ as input. Algorithm constructs a bilinear mapping $e:{\mathbb{G}}_0\times {\mathbb{G}}_0\to {\mathbb{G}}_T$. Where ${\mathbb{G}}_0$ and ${\mathbb{G}}_T$ are two bilinear groups of prime of order p. $g$ is the generator of the cyclic group ${\mathbb{G}}_0$. Then algorithm randomly selects the index value $t_i$ for each attribute $at{t}_i\in U$. Finally, algorithm randomly selects two numbers $a$, $\beta$, then calculates system key pair MSK, PK, and data key pair DSK, DPK:

  $$\begin{array}{l}MSK=\left(\beta ,g^{\alpha }\right),PK=\left(g,e{\left(g,g\right)}^{\alpha },h\right)\hfill \\ DSK=\left\{t_i\right|1\le i\le n\},DPK=\left\{T_i=g^{t_i}|1\le i\le n\right\}\hfill \end{array}$$

  (3)

  where $a,\beta ,t_i\in Z_p^{\ast }$, $h=g^{\beta }$, and n is the number of attributes in $U$ (note: The system public key PK and the data public key DPK are publicly accessible);
• Key generation $(id,S,MSK)\to S{K}_{id}$: The algorithm takes user number $id$, attribute set $S$ and system private key MSK as input. Algorithm randomly selects $uid$, $USK$, calculates user private key $S{K}_{id}$ and user attribute encryption information $kek$. For each attribute $at{t}_i\in S$, algorithm calculates node intersection $V_j$ and judges whether $V_j$ is empty. If $V_j=\varnothing$, algorithm stop the calculation, else calculates user attribute group encryption information KEK:

  $$\begin{array}{c}S{K}_{id}=\left(D=g^{\frac{\alpha +uid}{\beta }},D^{\prime }=g^{uid·USK},USK\right),\\ kek={\left\{at{t}_i,ke{k}_i=g^{t_i·uid·USK}\right\}}_{at{t}_i\in S},\\ KEK={\{KE{K}_i={\left(ke{k}_i\right)}^{\frac{1}{{\theta }_j}}=g^{\frac{t_i·uid·USK}{{\theta }_j}}\}}_{at{t}_i\in S}\end{array}$$

  (4)

  where $uid,USK\in Z_p^{\ast }$,$V_j=Path(u_i)\cap Mincs(G_j)$ and ${\theta }_j$ is the value in node $V_j$ (note: The system private key MSK is not visible and is only accessed through calls during the user registration phase);
• Access tree generation $(T,U)\to T^{\ast }$: The algorithm takes access structure $T$ and the system attribute set $U$ as input. First, algorithm classifies $at{t}_i\to L_j$ and assigns weights $w$ for each attribute $at{t}_i\in U$. Then, algorithm replaces each attribute in $T$ with the corresponding category weight pairs $L_j:w$. Finally, algorithm constructs attribute-weighted tree $T^{\ast }$;
• Pre-encryption $(M,T^{\ast })\to CT$: The algorithm takes the message $M$ and attribute-weighted tree $T\ast$ as input. First, algorithm generates a randomly univariate polynomial $Q_{node}(x)[\hspace{0.17em}]$ or each tree node. The secret value of node $node$ is $Q_{node}(0)$. Then, algorithm calculates pre-encrypted ciphertext $CT$:

  $$CT=\left(T^{\ast },\tilde{C}=Me{\left(g,g\right)}^{\alpha s},C=h^s,\forall y\in Y:C_y^{\prime }=g^{Q_y\left(0\right)}\right)$$

  (5)

  where $s$ is the secret value of root node, $y$ is a leaf node of $T^{\ast }$, and $Y$ is leaf node set;
• Encryption $(CT,G)\to C{T}^{\prime },Hdr$: The algorithm takes attribute-weighted tree $T$, pre-encrypted ciphertext $CT$ and access structure attribute set $G$ as input. Algorithm randomly selects $k_y$, and calculates $C{T}^{\prime }$:

  $$\begin{array}{c}C{T}^{\prime }=\left(T^{\ast },\tilde{C}=Me{\left(g,g\right)}^{\alpha s},C=h^s,\forall y\in Y:C_y^{\prime }=g^{Q_y\left(0\right)}·g^{k_y}\right),\\ Hdr={\{v_j,E\left(k_y\right)=g^{k_y·{\theta }_j/t_i}\}}_{v_j\in Mincs\left(G_i\right)}\end{array}$$

  (6)

  where $k_y\in Z_p^{\ast }$, $G_i$ is the set of user attributes containing attribute $at{t}_i$, and ${\theta }_j$ is the value in the leaf node $V_j$ (note: $V_j$ is different from $y$; $V_j$ is a leaf node in the key encryption key tree, where $y$ is a leaf node in the visited tree);
• Pre-decryption $(C{T}^{\prime },S{K}_{id},KEK)\to PDCT$: The algorithm takes ciphertext $C{T}^{\prime }$, access user key $S{K}_{id}$ and user attribute group encryption information KEK. Algorithm preorder traversal attribute-weighted tree $T^{\ast }$. For node $x\in T^{\ast }$, algorithm calculates the decryption value of leaf node DN or the decryption value of non-leaf node $F_x$. If $x$ is leaf node calculate DN:

  $$\begin{array}{ll}DN\left(C{T}^{\prime },S{K}_{id},KEK,x\right)& =\frac{e\left(D^{\prime },C_y^{\prime }\right)}{e\left(KE{K}_i,E\left(k_y\right)\right)},\\ & =e{\left(g,g\right)}^{uid·USK·Q_x\left(0\right)}\end{array}$$

  (7)

  else calculate $F_x$:

  $$\begin{array}{ll}{F}_x& ={\displaystyle \prod _{z\in S_x}}{F}_z^{\Delta i,S_x^{\prime }\left(0\right)}\\ & ={\displaystyle \prod _{z\in S_x}}{\left(e{\left(g,g\right)}^{uid·USK·Q_z\left(0\right)}\right)}^{\Delta i,S_x^{\prime }\left(0\right)}\\ & ={\displaystyle \prod _{z\in S_x}}{\left(e{\left(g,g\right)}^{uid·USK·Q_{parent\left(z\right)}\left(child\left(z\right)\right)}\right)}^{\Delta i,S_x^{\prime }\left(0\right)}\\ & ={\displaystyle \prod _{z\in S_x}}{\left(e{\left(g,g\right)}^{uid·USK·Q_x\left(i\right)}\right)}^{\Delta i,S_x^{\prime }\left(0\right)}\\ & =e{\left(g,g\right)}^{uid·USK·Q_x\left(0\right)}\end{array}$$

  (8)

  where $x$ represents the currently traversed node. $S_x$ denote any set of child nodes of scale $t_x$. For all leaf nodes $z\in S_x$, transfer $DN\left(C{T}^{\prime },S{K}_{id},KEK,z\right)\to F_z$. When user does not satisfy the set of attribute groups $G_x$, $DN\left(C{T}^{\prime },S{K}_{id},KEK,x\right)$ will not be calculated and will be skipped. Finally, algorithm calculates $PDCT$:

  $$PDCT=(F_{root},\tilde{C})=(e{\left(g,g\right)}^{uid·USK·s},Me{\left(g,g\right)}^{as});$$

  (9)
• Decryption algorithm $(PDCT,USK)\to \overline{M}$: The algorithm takes pre-decrypted information $PDCT$ and user data private key $USK$ as input. Algorithm calculates $\overline{M}$:

  $$\overline{M}=\frac{\tilde{C}·A^{\frac{1}{USK}}}{e\left(C,D\right)}=\frac{Me{\left(g,g\right)}^{as}}{\frac{e\left(g^{\beta s},g^{\frac{\alpha +uid}{\beta }}\right)}{e{\left(g,g\right)}^{uid·s}}};$$

  (10)
• Update KEK$(id,at{t}_x)\to KEK$: The algorithm takes user $id$ and revoked attribute $at{t}_x$ as input. Algorithm randomly selects ${\sigma }_x$, and updates data key pair DSK, DPK:

  $$\begin{array}{c}DSK=\left\{t_i\right|1\le i\le n,i\ne x\}\cup \{t_x^{\ast }=t_x·{\sigma }_x\},\\ DPK=\left\{T_i|1\le i\le n,i\ne x\right\}\cup \{T_x{}^{\ast }=T_x^{{\sigma }_x}\}.\end{array}$$

  (11)

  where ${\sigma }_x\in Z_p^{\ast }$.
  For $u_k\in G_x$, the algorithm calculates user attribute group encryption information KEK:

  $$\begin{array}{c}\overline{{\phi }_x}=Path\left(u_k\right)\cap Mincs\left(G_x\right),\\ ke{k}_x={\left(ke{k}_x\right)}^{{\sigma }_x},KE{K}_x={\left(ke{k}_x\right)}^{{\theta }_{j^{\prime }}}.\end{array}$$

  (12)

  where, ${\theta }_{j^{\prime }}$ is a value corresponding to the node $\overline{{\phi }_x}$;
• Update ciphertext $(C{T}^{\prime })\to CT\ast$: The algorithm takes ciphertext $C{T}^{\prime }$ as input. Algorithm randomly selects $s^{\prime },k_y^{\prime }$, and updates $CT\ast$:

  $$\begin{array}{c}\tilde{C}=\tilde{C}·e{\left(g,g\right)}^{\alpha s^{\prime }},C=C·h^{s^{\prime }},C_y^{\prime }=g^{Q_y\left(0\right)}·g^{k_y^{\prime }},\\ Hdr=\{\begin{array}{cc}\left\{\overline{v_j^{\prime }},E\left(k_y\right)=g^{k_y^{\prime }·{\theta }_{j^{\prime }}/t_x}\right\}& \overline{v_j^{\prime }}\in Mincs\left(G_x\right)\\ \left\{v_j^{\prime },E\left(k_y\right)=g^{k_y·{\theta }_j/t_i}\right\}& v_j^{\prime }\in Mincs\left(G_i\right),i\ne x\end{array}.\end{array}$$

  (13)

  where $s^{\prime },k_y^{\prime }\in Z_p^{\ast }$.

5. Security Analysis

Theorem 1.

If the CDH assumption holds in Group $\mathbb{G}$, then no CPA attacker can selectively corrupt the scheme in polynomial time with a non-negligible advantage.

Proof. 

Assuming that attacker $\mathcal{A}$ can selectively break the scheme proposed in this paper with a non-negligible advantage $Ad{v}_{\mathcal{A}}=\epsilon$ after executing $q_1$ times Type-1 and $q_2$ times Type-2 key queries, then a challenger $\mathcal{C}$ can be constructed to break the CDH assumption with a non-negligible advantage $Ad{v}_C=\epsilon /\left(q_1·q_2\right)$. This section describes the IND-CPA security model of the scheme, which is a game between a challenger and an attacker. The flow is as follows:

Init: The challenger $\mathcal{C}$ inputs a random CDH challenge $A=g^{Z_1}$ and $B=g^{Z_2}$. The attacker $\mathcal{A}$ selects the access structure $T^{\ast }$ and attribute $at{t}_x^{\ast }$ to be sent to $\mathcal{C}$, where $at{t}_x^{\ast }$ is a required attribute to satisfy $T^{\ast }$.

Setup: The challenger $\mathcal{C}$ generates $PK=\left(g,e{\left(g,g\right)}^{\alpha },h=g^{\beta }\right)$, $MSK=\left(\beta ,g^{\alpha }\right)$, $\overline{DPK}=\left\{T_i|1\le i\le n,i\ne x\right\}\cup \left\{\overline{T_x^{\ast }}\right\}$, and $\overline{DSK}=\left\{t_i|1\le i\le n,i\ne x\right\}\cup \left\{\overline{t_x^{\ast }}\right\}$.

Among them, $\overline{T_x^{\ast }}={\left(T_x^{\ast }\right)}^{z_1}$ is a theoretical value. Then $\mathcal{C}$ sends $PK$ to $\mathcal{A}$.

Phase 1: The attacker $\mathcal{A}$ can request two types of keys. The challenger $\mathcal{C}$ initializes two empty lists $L_1$, $L_2$ to record the requested key.

Type-1: The attributes set $S_1$ of user $u_1$ satisfies the access structure $T^{\ast }$, but the attribute $at{t}_x^{\ast }$ are revoked. The challenger $\mathcal{C}$ calculates $S{K}_{u_1}$, $kek$ and $KEK$, then sends them to $\mathcal{A}$:

$$\begin{array}{c}S{K}_{u_1}=(D,D^{\prime },US{K}_1)=(g^{\frac{\alpha +u_1·Z_2}{\beta }},g^{u_1·Z_2·US{K}_1},US{K}_1),\\ kek=\{\begin{array}{cc}\left\{at{t}_i,ke{k}_i=g^{t_i·u_1·US{K}_1}\right\}& at{t}_i\in S_1,i\ne x\\ \{at{t}_x,ke{k}_x^{\ast }=g^{t_x^{\ast }·u_1·US{K}_1·Z_2}\}& at{t}_x^{\ast }\in S_1\end{array},\\ KE{K}_{S_1}={\left\{KE{K}_i\right\}}_{i\ne x}\cup \{KE{K}_x^{\ast }={\left(ke{k}_x^{\ast }\right)}^{1/{\theta }^{\ast }}=B^{t_x^{\ast }·u_1·USK/{\theta }^{\ast }}\}.\end{array}$$

(14)

Type-2: The attributes set $S_2$ of user $u_2$ has attributes $at{t}_x^{\ast }$, but does not satisfy the access structure $T^{\ast }$. The challenger $\mathcal{C}$ calculates $S{K}_{u_2}$, $kek$ and $KEK$, then sends them to $\mathcal{A}$. The calculation here is like Type-1.

Challenge: The attacker $\mathcal{A}$ submits two messages of equal length, $M_0$ and $M_1$, and randomly selects $b=\left\{0,1\right\}$. The challenger $\mathcal{C}$ will calculate $\tilde{C}=M_{b}e{\left(g,g\right)}^{\alpha s}$, $C=h^s$ and $C_y^{\prime }$ (or $C_x^{\ast }$). For $i\ne x,C_y^{\prime }=g^{Q_y\left(0\right)}·g^{k_y}$. For $at{t}_x^{\ast }$, $C_x^{\ast }=g^{Q_y\left(0\right)}·A^{k_x}$. Then, $\mathcal{C}$ calculates $C{T}_b$ and $Hd{r}^{\ast }$:

$$\begin{array}{c}C{T}_b=\left\{\tilde{C},C,\left\{C_x^{\ast }\right\}\cup {\left\{C_y^{\prime }\right\}}_{i\ne x}\right\},\\ Hd{r}^{\ast }=\{\begin{array}{c}\left\{v_j^{\ast },E\left(k_x^{\ast }\right)=g^{k_x^{\ast }·{\theta }_j^{\ast }/t_x^{\ast }}\right\}{v}_j^{\ast }\in Mincs\left(G_x\right)\\ \left\{v_j,E\left(k_y\right)=g^{k_y·{\theta }_j/t_i}\right\}{v}_j\in Mincs\left(G_i\right),i\ne x\end{array}.\end{array}$$

(15)

Finally, $\mathcal{C}$ sends $C{T}_b$ and $Hd{r}^{\ast }$ to $\mathcal{A}$.

Phase 2: The attacker $\mathcal{A}$ is allowed to request keys as in Phase 1.

Guess: The attacker $\mathcal{A}$ outputs $b^{\prime }\in \left\{0,1\right\}$ as the prediction. Assume the attacker’s advantage $Ad{v}_A=\left|P_r\left[b^{\prime }=b\right]-\frac{1}{2}\right|=\epsilon$, and the challenger $\mathcal{C}$ chooses a key from $L_1$ and $L_2$. Exist as follows:

$$\frac{e\left(D^{\prime },C_x^{\ast }\right)}{e\left(KE{K}_x^{\ast },E\left(k_x^{\ast }\right)\right)}=\frac{e\left(g^{u_1·z_2·US{K}_1},g^{Q_y\left(0\right)}·A^{k_x}\right)}{e\left(A^{t_x^{\ast }·u_2·US{K}_2/{\theta }_j^{\ast }},g^{k_x·{\theta }_j^{\ast }/t_x^{\ast }}\right)}$$

(16)

Only if $A^{u_2}=g^{z_1{z}_2{u}_1}$, the calculation is established, then $\mathcal{C}$ calculates $g^{z_1{z}_2}={\left(KE{K}_x^{\ast }\right)}^{{\theta }_j^{\ast }/\left(u_1·t_x^{\ast }\right)}$. If $\mathcal{C}$ does not terminate the game, suppose that after $q_1$ Type-1 and $q_2$ Type-2 key queries, the probability that $\mathcal{C}$ correctly chooses from the two lists is $\frac{1}{q_1·q_2}$. Therefore, the advantage of $\mathcal{C}$ to break the CDH assumption is $\frac{\epsilon }{q_1·q_2}$. Therefore, the $\mathcal{C}$ can break the CDH assumption in polynomial time with a non-negligible advantage. The proof is over. □

6. Experiment and Analysis

6.1. Comparison

This section compares this scheme’s features and computational cost with some schemes [23,24,25]. These schemes are recent schemes in VANET and are all based on CP-ABE.

Table 2. Comparison of features.

Scheme	Access Policy	Outsourcing Calculation	Attribute Assignment	Attribute Revocation
[23]	TREE	Yes	No	No
[24]	TREE	Yes	No	No
[25]	LSSS	Yes	No	No
Ours	TREE	Yes	Yes	Yes

compares the features between our ORCP-ABE scheme and relevant schemes in recent years. The access policy is the implementation of the access policy in each scheme. “Outsourcing Calculation” refers to whether the scheme supports outsourcing part of the computation in the encryption or decryption process to the RSU for completion. “Attribute Assignment” refers to whether the scheme implements the classification and assigns weights to attributes in the access structure based on the attribute relationships. “Attribute Revocation” refers to whether the scheme can provide specific attribute revocation for malicious users. As shown in Table 2, our scheme implements attribute assignment and supports attribute revocation at the user level. Our scheme is flexible in dealing with malicious users by revoking only some of their attributes.

Table 3. Comparison of computational cost.

Scheme	Key Generation	User Encryption	Outsourced Encryption	User Decryption	Outsourcing Decryption	Attribute Revocation
[23]	$\left(4+\left|S\right|\right)E$	$P+4E$	$\left(2+2\left|T\right|\right)E$	$P+2E_T$	$2\left|S\right|P+\left|I\right|E$	/
[24]	$\left(2+3\left|S\right|\right)E$	$P+(4+\left|T\right|)E$	$\left(2+2\left|T\right|\right)E$	$P+2E_T$	$2\left|S\right|P+\left|I\right|E$	/
[25]	$\left(1+6\left|S\right|\right)E$	$\left|L\right|P+E_T+\left(1+6\left|L\right|\right)E$	/	$E_T$	$\left(6+\left|L\right|\right)P+\left|L\right|E$	/
Ours	$\left(4+\left|S\right|\right)E$	$P+E$	$\left(2+3\left|T\right|\right)E$	$P+2E_T$	$2\left|S\right|P+\left|I\right|E$	$\left|R\right|P+\left(4+2\left|R\right|\right)E$

illustrates the comparison of computational cost. The values in Table 3 are calculated by mathematical formulas and codes after reproduction. We use $\left|S\right|$, and $\left|T\right|$ to represent the number of attributes of the user attribute set $S$ and access structure $T$, respectively. $\left|I\right|$ represents the number of attributes satisfying the access structure $T$ and $\left|L\right|$ represents the number of rows of the access matrix. $\left|R\right|$ is the number of ciphertexts involved in the attribute revocation.$E$ and $E_T$ represent exponential operations on $\mathbb{G}$ and ${\mathbb{G}}_T$, respectively, and $P$ represents bilinear pairing operations. As shown in Table 3, our scheme is more efficient than the other three schemes in the encryption phase since we simplify the access structure by attribute assignment.

6.2. Experimental Simulation

6.2.1. Experimental Environment

We implemented our ORCP-ABE scheme in Python, and experiments were run on Ubuntu operating system with Intel core i7 3.00GHz and 8GB 2133MHZ LPDDR3 RAM. We set the size of an element in $\mathbb{G}$ and ${\mathbb{G}}_T$ to 512 bits and established a simulation experiment based on the Charm–Crypto Library V0.50.

6.2.2. Computational Cost

We added 50 unique attributes to the system attribute set. During the key generation phase, users with various attribute sets are randomly generated. For each user, we evaluated the cost of key generation. The average results are shown in Figure 5. We use a zip file of size 1MB as encrypted data in the encryption phase. Then, we tested the encryption cost of the access tree with a different number of attributes. The average results are illustrated in Figure 6. In the decryption phase, we test the decryption cost using different users that satisfy the access structure, and the average results are illustrated in Figure 7. In the attribute revocation phase, we tested the overhead of revoking a single attribute to update a different number of ciphertexts and the overhead of revoking multiple attributes to update a single ciphertext. The results are illustrated in Figure 8.

Figure 5 shows that the time overhead of key generation increases as the number of user attributes increases. To know the key generation efficiency of this scheme, we tested the schemes [23,24,25]. When the number of user attributes is 10, the overhead of this scheme is 24 ms, and the overheads of schemes [23,24,25] are 42 ms, 67 ms, and 115 ms, respectively. When the number of user attributes reaches 50, the overhead of the scheme [25] is nearly 500 ms, while the overhead of this scheme is only 99 ms. When the number of user attributes is large, the overhead of this scheme is the smallest.

As shown in Figure 6a, the encryption overhead at the user side of this scheme and scheme [23] is not affected by the number of attributes in the access structure. While the encryption overhead at the user side of the scheme [24] increases with the number of attributes in the access structure. The overhead of this scheme is about 2 ms, and the scheme [23] is about 4.5 ms. As shown in Figure 6b, the encryption overhead at the outer packet side of the three schemes increases with the number of attributes in the access structure. When the number of attributes of the access structure is 5, the overhead of this scheme is 21 ms, and schemes [23,24] are 37 ms and 27 ms, respectively. When the number of attributes of the access structure reaches 50, the overhead of this scheme is 190 ms which is better than schemes [23,24]. There is no outsourcing in the encryption phase of the scheme [25], so it is not compared here.

As shown in Figure 7a, the decryption overhead at the user side of each scheme is not affected by the number of user attributes. The decryption overhead of this scheme is maintained at 1.8 ms, while the overheads of schemes [23,24,25] are 4.3 ms, 1.8 ms, and 2.1 ms, respectively. As shown in Figure 7b, the decryption overhead of each scheme increases with the number of user attributes at the outer packet side. However, the decryption overheads of each scheme are very similar. When the number of user attributes is more than 30, the decryption overhead of this scheme is slightly less than the other schemes.

As shown in Figure 8a, when revoking a single attribute, the revocation overhead increases with the number of updated ciphertexts. As shown in Figure 8b, when the revocation of a single attribute is updated with only one cipher, the overhead revocation increases with the number of attributes. From the above results, attribute revocation is mainly affected by the number of updated ciphertexts. When the number of updated ciphertexts required for an attribute is small, the overhead of revoking a single attribute is less than 100 ms.

6.2.3. Transaction Cost and Transmission Rate

In blockchain simulation phase, we built the FISCO BCOS [42] consortium blockchain using the build_chain.sh scripts and deployed the IPFS command line version on numerous servers with Ubuntu 20.04 system environment. The consortium blockchain uses PBFT consensus. Therefore, we set the initial number of consensus nodes to 4 to satisfy the 3f+1 requirement [43]. We evaluated the performance of processing a single transaction with different numbers of nodes. Furthermore, we evaluated the model’s transactional concurrency capabilities. The file size in the test transaction is 1 MB. The experimental results are shown in Figure 9.

As shown in Figure 9a, there are two types of test transactions: data upload confirmation and data download confirmation. The results show that the latency of the two types of transactions increases linearly with the increase of the number of nodes. The increase in delay is mainly due to the increased communication overhead caused by adding nodes in the blockchain to reach a consensus. In addition, the delay of data upload is about 360 ms higher than that of data download. The data upload delay is mainly the overhead of data encryption and metadata storage, and the data download delay is mainly the overhead of data download and data decryption. The difference in latency is because the metadata storage overhead in IPFS is much greater than the data download overhead. As shown in Figure 9b, the transaction throughput of the model is positively linearly related to nodes. The number of nodes is initially 4, and the throughput of the model is 47 transaction/s. When the number of nodes increases to 34, the throughput is 54 transaction/s. The throughput of the model grows slowly. After the number of nodes reaches 34, the throughput of the model roughly stabilizes between 54–56 transaction/s.

In addition, the experiments tested the performance of data file upload and download. Figure 10 shows the time spent on file transfers of different sizes. The experimental file sizes range from 1 MB to 1024 MB. The experimental results show that the time overhead of transfer increases exponentially with the file size. When the file size is less than 16 MB, the transfer time is less than 5 s for uploading and less than 2 s for downloading. The main factors affecting the transfer time are not the network bandwidth but the data encryption and decryption and the metadata storage. When the file size exceeds 16 MB, the average upload transfer rate is about 12.8 MB/s and the average download transfer rate is about 27.6 MB/s. Therefore, the network bandwidth is the main factor affecting the transfer time.

7. Conclusions

This paper studies a safe and efficient data-sharing model for VANET. This model provides a data-sharing platform with privacy-preserving and authorized access by CP-ABE, blockchain, and IPFS. It has no single point of failure and can undo user-level attributes. Experiments show that our scheme has certain advantages compared with other schemes in data encryption and data decryption at the user end. In the scheme, the revocation overhead of a single attribute of a user is relatively low. The transaction processing delay of the model is short and has certain concurrency capabilities. The model is proved to be IND-CPA safe in the game under the CDH assumption. In future work, we will optimize the on-chain information storage. We are considering adopting an editable blockchain to reduce old blocks with invalid information. In addition, we will increase the concurrency performance of our model by improving the consensus mechanism.