FACOS: Enabling Privacy Protection Through Fine-Grained Access Control with On-chain and Off-chain System

TL;DR

FACOS is a blockchain-based system that provides fine-grained, privacy-preserving access control for sensitive data across sectors, enhancing security, scalability, and auditability through innovative on-chain and off-chain solutions.

Contribution

The paper introduces FACOS, a novel permissioned blockchain system that integrates TEE and Byzantine fault tolerance to improve off-chain data security and access control.

Findings

Enhanced off-chain data security with Byzantine fault tolerance

Improved client verification using TEE-based solutions

Better scalability and practicality than existing systems

Abstract

Data-driven landscape across finance, government, and healthcare, the continuous generation of information demands robust solutions for secure storage, efficient dissemination, and fine-grained access control. Blockchain technology emerges as a significant tool, offering decentralized storage while upholding the tenets of data security and accessibility. However, on-chain and off-chain strategies are still confronted with issues such as untrusted off-chain data storage, absence of data ownership, limited access control policy for clients, and a deficiency in data privacy and auditability. To solve these challenges, we propose a permissioned blockchain-based privacy-preserving fine-grained access control on-chain and off-chain system, namely FACOS. We applied three fine-grained access control solutions and comprehensively analyzed them in different aspects, which provides an intuitive perspective for system designers and clients to choose the appropriate access control method for their systems. Compared to similar work that only stores encrypted data in centralized or non-fault-tolerant IPFS systems, we enhanced off-chain data storage security and robustness by utilizing a highly efficient and secure asynchronous Byzantine fault tolerance (BFT) protocol in the off-chain environment. As each of the clients needs to be verified and authorized before accessing the data, we involved the Trusted Execution Environment (TEE)-based solution to verify the credentials of clients. Additionally, our evaluation results demonstrated that our system offers better scalability and practicality than other state-of-the-art designs.