Revocable and Traceable Decentralized ABE for P2P Networks
Dan Gao, Huanhuan Xu, Shuqu Qian

TL;DR
This paper introduces a new decentralized encryption scheme for P2P networks that allows access control, revocation, and accountability while maintaining security and efficiency.
Contribution
The novel R-T-D-ABE scheme introduces threshold key generation, versioned revocation, and identity-key binding for secure and efficient decentralized access control.
Findings
The proposed scheme achieves IND-CPA security under the Generic Group Model.
It provides efficient decentralized encryption and decryption with revocation and accountability.
The system resists collusion attacks and ensures forward/backward security.
Abstract
Ciphertext-Policy Attribute-Based Encryption (CP-ABE) technology provides fine-grained access control capabilities for P2P networks. However, its long-term development has been constrained by three major challenges: the trade-off between computational efficiency and functional completeness, decentralized trust security issues, and the problems of attribute revocation and traceability. This paper proposes a decentralized CP-ABE scheme based on multiple authorities (R-T-D-ABE). By leveraging three core techniques, including threshold distributed key generation, versioned attribute revocation, and identity-key binding verification, the scheme efficiently achieves both revocation and accountability while ensuring resistance against collusion attacks and forward/backward security. Security analysis demonstrates that the proposed scheme satisfies IND-CPA security under the Generic Group Model…
- National Natural Science Foundation of China
- Basic Research Project of Science and Technology Plan of Guizhou Province
- Guizhou Provincial Science and Technology Projects
Taxonomy
Topics: Cryptography and Data Security · Access Control and Trust · Security in Wireless Sensor Networks
1. Introduction
Peer-to-peer (P2P) networks, leveraging their decentralized nature, have demonstrated significant advantages in a wide range of applications, from blockchain systems [1,2,3] to critical infrastructure domains such as smart grids, distributed energy trading, and vehicular networks [4,5,6]. However, they also introduce new security challenges for access control [7,8]. Traditional access control techniques, which employ static permission assignment models [9], struggle to meet the demand for dynamic permission allocation in P2P networks [7,10]. To address this, researchers have introduced Attribute-Based Encryption (ABE), a concept first proposed by Sahai and Waters in 2005 [11]. Building upon this, Bethencourt et al. proposed Ciphertext-Policy Attribute-Based Encryption (CP-ABE) in 2007 [12]. This scheme allows data owners to directly specify access policies during encryption, enabling more flexible and fine-grained access control, and has been widely adopted to protect shared data security in P2P networks [13,14,15]. Despite its advantages, CP-ABE still faces three interrelated core challenges in the decentralized P2P environment, making it difficult for existing schemes to simultaneously achieve attribute revocation and user traceability under decentralization constraints without incurring efficiency bottlenecks.
First, there exists a difficult-to-reconcile contradiction between computational efficiency and functional completeness in ABE scheme design. Attribute matching in CP-ABE relies on bilinear pairing operations. Most current CP-ABE frameworks, including those based on classic schemes such as BSW CP-ABE [16], FAME CP-ABE [17], and ABGW CP-ABE [18], struggle to fundamentally overcome the efficiency bottleneck of large-scale attribute matching. On one hand, pursuing extreme efficiency often comes at the cost of functionality. For instance, optimizing data structures to improve efficiency may sacrifice policy flexibility [19], or relying on online/offline techniques may introduce centralized components [20]. Notably, even the fastest scheme like FABEO [21] does not consider implementing attribute revocation under a multi-authority setting. On the other hand, complex mechanisms introduced to enhance functionality, such as proxy re-encryption [22] or composite-order bilinear groups [23], significantly increase computational overhead, rendering many schemes impractical for deployment in P2P networks.
Second, the decentralized nature of P2P networks conflicts with the traditional centralized trust model of CP-ABE [24]. Multi-Authority CP-ABE (MA-CP-ABE) aims to address this by allowing multiple independent authorities to manage different attributes, thereby mitigating single points of failure [25,26,27,28]. However, existing approaches still face issues: some fail to completely eliminate centralized architecture [26], while others incur high key generation latency or additional computational and trust overhead due to the use of smart contracts [25], proxy nodes [28], or ring signatures [27].
Finally, the attribute revocation and user traceability functions essential for dynamic member management face a contradiction between privacy and efficiency in P2P networks. Efficient attribute revocation requires effective key and ciphertext update mechanisms to prevent replay attacks, but existing techniques are often limited due to coarse-grained revocation [29], reliance on trusted third parties [30], the need for additional delegated nodes [22], or dependency on specific communication protocols [31]. Simultaneously, user traceability is crucial for deterring attacks, yet existing schemes either suffer from high computational complexity when protecting privacy (e.g., requiring linear search [1]) or compromise decentralization for the sake of efficiency (e.g., relying on blockchain for permission table updates [32]), making it challenging to achieve both [33,34].
To address the aforementioned challenges, this paper proposes a Revocable and Traceable Decentralized ABE scheme (R-T-D-ABE) suitable for P2P networks. The core contribution of this work lies in its successful resolution of the efficiency bottleneck that arises from the simultaneous implementation of attribute revocation and user traceability within the highly dynamic and decentralized context of P2P networks. The main contributions are as follows:
- Design of an efficient decentralized key management mechanism for P2P networks. Utilizing distributed authority signatures and Shamir’s secret sharing technology, we achieve key generation and distribution without central coordination, eliminating single points of failure and enabling efficient encryption and decryption.
- Realization of real-time lightweight attribute revocation. Through version number control and coordination among distributed authorities, lightweight dynamic key updates within the P2P network are ensured, achieving attribute-level fine-grained real-time revocation.
- Proposal of a privacy-preserving and non-repudiable user traceability scheme. By binding user identities to their keys, our scheme enables fast and accurate tracing of key leakage sources without exposing user identities, effectively resolving the conflict between privacy and traceability efficiency.
- Provision of provable security guarantees. Through security proofs, our scheme is demonstrated to achieve IND-CPA security, collusion resistance, forward security, and backward security under the Generic Group Model (GGM).
The remainder of this paper is organized as follows. Section 2 reviews the preliminary knowledge. Section 3 elaborates on the detailed construction of the proposed R-T-D-ABE scheme. Security analysis and proofs are presented in Section 4. Section 5 discusses both theoretical and experimental evaluations. Finally, conclusions and future work are outlined in Section 6.
2. Preliminaries
2.1. Bilinear Maps
Let be the security parameter, and , , and be three multiplicative cyclic groups of prime order p. Let and be generators of and , respectively. A bilinear map is a function satisfying:
- Bilinearity: , , , we have .
- Non-degeneracy: .
- Computability: There exists an efficient algorithm to compute within deterministic polynomial time with respect to the security parameter .
2.2. Generic Group Model (GGM)
The Generic Group Model (GGM) [35,36] treats group elements as opaque handles, allowing adversaries to perform group operations only via oracles. Boneh et al. [37] extended it to bilinear groups. In our proof, we analyze security in an extended GGM that incorporates:
- Integration of Random Oracle: The hash function is modeled as a random oracle H.
- Embedding of Scheme-Specific Oracles: The adversary is allowed to access oracles , , and .
- Extended Adversarial Capabilities: Besides basic group operations, the adversary can also compute pairings through an oracle.
These extensions preserve the core limitation of GGM—that adversaries cannot directly manipulate the algebraic representation of group elements—while enabling the model to accurately reflect the security environment of the actual scheme. In Section 4.5, we prove that the scheme achieves IND-CPA security under the extended GGM by constructing a sequence of indistinguishable games ( , , ), with an advantage upper bounded by , where Q denotes the number of adversary queries and p is the group order. The proof also demonstrates that the scheme satisfies forward security, backward security, and collusion resistance.
2.3. Monotone Span Programs (MSP)
Let be an attribute set, and A be a monotone access structure on , meaning A is a collection of non-empty subsets of with the monotonicity property: if an authorized attribute set , then any superset is also authorized.
In this CP-ABE scheme, the access structure A is described by MSP, defined as follows:
- Matrix Representation: Let be a matrix over the finite field , where m is the number of rows and n is the number of columns. The row labeling function associates the i-th row of matrix M with an attribute in , i.e., .
- Authorization Set Determination: For a user’s attribute set S, let denote the set of row indices whose associated attributes belong to S. Let be the submatrix of M consisting of all rows where . Given a target vector , if S is an authorized set ( ), there exists a weight vector such that holds; otherwise, S is unauthorized ( ).
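The authorization test just described can be run as a linear solve over Z_p. The following is an added example, not code from the paper: the target vector (1, 0, ..., 0), the sample policy (A AND B) OR C with its matrix, the prime `P` and all function names are assumptions.

```python
# Added example: MSP authorization test over Z_p (not code from the paper).
P = 2**61 - 1  # assumption: a small prime standing in for the group order p

# Constructed sample policy (A AND B) OR C as a monotone span program.
# Row i of M is labelled with attribute PI[i].
M = [(1, 1), (0, -1), (1, 0)]
PI = ["A", "B", "C"]


def solve_weights(rows, target, p=P):
    """Return w with sum_i w[i] * rows[i] == target (mod p), or None.

    Solves the transposed linear system by Gauss-Jordan elimination over Z_p.
    """
    k, n = len(rows), len(target)  # k unknown weights, n equations (columns)
    aug = [[rows[i][c] % p for i in range(k)] + [target[c] % p]
           for c in range(n)]
    pivots, r = [], 0
    for col in range(k):
        if r == n:
            break
        piv = next((i for i in range(r, n) if aug[i][col]), None)
        if piv is None:
            continue  # free variable: its weight stays 0
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, p)
        aug[r] = [(x * inv) % p for x in aug[r]]
        for i in range(n):
            if i != r and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(a - f * b) % p for a, b in zip(aug[i], aug[r])]
        pivots.append(col)
        r += 1
    if any(aug[i][k] for i in range(r, n)):
        return None  # target lies outside the span of the selected rows
    w = [0] * k
    for row_idx, col in enumerate(pivots):
        w[col] = aug[row_idx][k]
    return w


def authorize(matrix, labels, attrs, p=P):
    """Return {row index: weight} if attrs is authorized, else None."""
    idx = [i for i, attr in enumerate(labels) if attr in attrs]
    target = [1] + [0] * (len(matrix[0]) - 1)  # assumed target (1, 0, ..., 0)
    w = solve_weights([matrix[i] for i in idx], target, p)
    return None if w is None else dict(zip(idx, w))


if __name__ == "__main__":
    for attrs in ({"A", "B"}, {"C"}, {"A"}, {"B"}, {"A", "C"}):
        print(sorted(attrs), authorize(M, PI, attrs))
```

The returned weights are the constants a decryptor would use to recombine the per-row ciphertext components; `None` means no such constants exist for that attribute set.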
2.4. FABEO
In 2022, Riepel and Wee proposed a fast attribute-based encryption (ABE) scheme achieving optimal adaptive IND-CPA security, based on asymmetric (Type-III) bilinear groups. The core idea is to allocate most computations to the group and to optimize the number of bilinear pairing operations during decryption. A brief description of the CP-ABE scheme in FABEO is given below.
Setup: The system master key is . Define a hash function . Let for each attribute , and . The master public key is
KeyGen: For an attribute set , choose a random and generate the secret key
Encrypt: To encrypt a message M under an access structure , where denotes the maximum reuse count of attributes in , choose random vectors and . The ciphertext is constructed as: and
Decrypt: If S satisfies , there exists a set of constants such that . Decryption is performed as follows:
FABEO incorporates the above CP-ABE scheme into the Pair Encoding Scheme ABE (PES-ABE) proof framework and proves that [21]: any PES-ABE scheme satisfying (1,1)-symbolic security automatically satisfies strong symbolic security. Consequently, under the Generic Group Model (GGM) and the Random Oracle Model (ROM), the scheme achieves optimal adaptive multi-ciphertext IND-CPA security.
2.5. PES-ABE
The Pair Encoding Scheme for Attribute-Based Encryption (PES-ABE) is a framework that modularizes security proofs [38,39], primarily comprising the following deterministic algorithms:
- : On input the security parameter , the policy space , and the attribute space , this algorithm outputs , specifying the number of hash attributes in the master secret key, which serves as a global public parameter.
- : Given a user’s attribute set y, it outputs two linear functions and , where m is the length of the key’s random vector, denotes the number of elements in the key, and denotes the number of elements.
- : Given an access structure x (specifically modeled as a Monotone Span Program in this work), it outputs two linear functions and , where w is the length of the ciphertext’s random vector, is the number of elements in the ciphertext, and is the number of elements.
In a concrete ABE scheme, these deterministic algorithms are instantiated over bilinear groups, with computations performed in the exponent to generate the corresponding ciphertexts and keys.
It has been explicitly defined and proven within the FABEO scheme that any scheme satisfying symbolic security under the PES-ABE framework also satisfies strong symbolic security. Consequently, such a scheme achieves adaptive, multi-challenge IND-CPA security under both the Generic Group Model (GGM) and the Random Oracle Model (ROM).
Therefore, in our security proof, we first abstract the proposed R-T-D-ABE scheme into the PES-ABE framework and prove that it satisfies symbolic security. Based on the conclusion from FABEO, this is equivalent to satisfying strong symbolic security. Finally, leveraging this strong symbolic security, we prove that our scheme achieves IND-CPA security, collusion resistance, forward security, and backward security in the GGM.
3. R-T-D-ABE
3.1. System Model
This scheme addresses the requirements for privacy preservation in peer-to-peer (P2P) networks. The proposed R-T-D-ABE scheme aims to achieve fine-grained access control, decentralized trust, dynamic revocation, and leakage traceability. Security is proven in the Generic Group Model (GGM) with the hash function modeled as a Random Oracle (ROM), achieving adaptive IND-CPA security with an optimal security bound.
As illustrated in Figure 1, the proposed architecture comprises four core entities:
- Data Owners (DOs): Entities that encrypt sensitive data and define the access policies.
- Data Users (DUs): Entities that request and access data, with their permissions governed by their attributes.
- Authorization Authority Cluster (AA): A decentralized set of authorities that collectively manage user attributes and are responsible for key generation and updates.
- Cloud Server (CS): A service provider that offers storage and computational resources, hosting the encrypted data.
Its key operational phases are detailed as follows:
Distributed Key Generation: Multiple Authorization Authorities (AAs) collaboratively generate the system master key and user private keys using distributed authority signatures and Shamir’s Secret Sharing technique. This process eliminates single points of failure and establishes a foundation for a decentralized trust framework.
Data Encryption and Upload: Data Owners (DOs) define access policies and encrypt sensitive data accordingly, then upload the resulting ciphertext to the Cloud Server (CS) for storage.
Data Download and Decryption: Data Users (DUs) can successfully decrypt and access the encrypted data if and only if their attribute set and key version number satisfy the access policy and version requirements embedded within the ciphertext.
Dynamic Attribute Revocation:
- Upon receiving a revocation request, the Authorization Authority cluster (AA) cooperatively generates key update information.
- Non-revoked users can subsequently use this information to independently update their credentials without any system downtime.
Leakage Traceability: The scheme incorporates unique identity markers into the cryptographic keys, enabling the multiple AAs to precisely trace the source of any private key leakage, thereby providing non-repudiation support for auditing purposes.
In summary, the proposed scheme exhibits three salient features:
- The elimination of single points of failure through a fully decentralized architecture;
- Support for dynamic, attribute-level privilege management;
- Built-in, efficient leakage traceability that enhances system accountability.
3.2. Scheme Construction
The scheme operates over public parameters , where p is a large prime, are cyclic groups of order p with bilinear map , are generators, is a hash function modeled as a random oracle (ROM), and is the attribute universe.
It provides six core algorithms:
- : Distributed system initialization.
- : Attribute-based key generation.
- : Policy-based encryption.
- : Conditional decryption.
- : Attribute revocation.
- Trace : Leakage tracing.
3.2.1. System Initialization: AASetup(λ)→(mpk,msk)
The initial authority AA0 generates the system parameters using a security parameter :
It then selects random numbers and , and computes:
Subsequently, AA0 publishes the initial authority key:
Upon receiving , each of the other authorities AAi performs an identical operation: it selects random numbers and , then publishes its commitment:
After k authorities have broadcast their commitments, all are revealed. The system verifies the validity of each commitment by checking if the equation holds. If all checks pass, the protocol proceeds; otherwise, it outputs an error.
Given that all commitments are valid, the authority aggregate public key is computed as:
The authorities then collaboratively compute the master key in a decentralized manner using a Joint Shamir RSS scheme:
- Each authority AAk generates a random secret .
- With randomly chosen coefficients , each AAk constructs a polynomial of degree t (where t is the threshold for reconstructing ):
- Each AAi computes and sends the secret share to authority AAj.
- Each AAk receives n such shares from other authorities and computes its master secret share:
- Finally, the master key is reconstructed by any set of k authorities using Lagrange interpolation over their shares :
The revocation value is computed similarly through the same protocol.
Let be a hash function, where denotes the set of global attributes. The system’s master secret key and public key are then defined as:
3.2.2. Authority-Issued User Keys: AAkeyGen(msk,uid)→(sk)
A user submits their to j authorities for attribute registration. Each generates a partial secret key for the user:
Let be a version number. For a user with an attribute set and each attribute , a random number is selected, and the following components are computed:
The complete secret key for each attribute is then constructed as:
3.2.3. Data Owner Encryption: DOEncryption(Enc(Message),mpk,(M,π),ppu)→ct
The Data Owner (DO) constructs an access control structure and conceals the original key k of using the system public key and user public key .
Let random numbers be generated as follows: , , . Given an access structure where M is an matrix and denotes a row index, the DO collaboratively generates the ciphertext with authorities corresponding to the attributes in the access policy:
The complete ciphertext is constructed as:
where:
- In the access control matrix M, represents the maximum allowable number of repetitions for a single attribute.
- The blinding factor is given by .
3.2.4. Data User Decryption: DUDecrypt((M,π),S,ct,sk)→key
If the data user’s attribute set S is an authorized set under the access control structure , then there exists a set of constants such that: .
Furthermore, since the signatures embedded in the user’s secret key coincide with those embedded in the ciphertext by the data owner, the following computation can be performed:
3.2.5. Attribute Revocation: Revoked→(Update)
The revocation protocol executes the following operations periodically:
The Authority (AA) updates the version number and collaboratively generates a new revocation value .
The AA then publishes Update to non-revoked users and refreshes the following components:
Upon receiving the update, non-revoked users can autonomously update their secret keys:
Concurrently, the data owner updates the ciphertext using :
3.2.6. Accountability
If a secret key is compromised, the Attribute Authority (AA) can initiate a tracing procedure using the component .
Given: User identifier and version parameter .
Compute:
Trace: The AA can pinpoint the accountable user by checking if .
4. Security Proofs
4.1. Security Model
We define the security of our revocable attribute-based encryption scheme against chosen-plaintext attacks (R-IND-CPA) via the following security game between a challenger and a probabilistic polynomial-time (PPT) adversary .
Initialization Phase: The challenger runs the setup algorithm , where the master secret key is distributed among multiple authorities. provides the public parameters to the adversary and initializes the version number for each attribute along with a revocation list .
Query Phase 1: The adversary may adaptively issue a polynomial number of queries to :
- Private Key Query : submits an attribute set S and a user identity . runs and returns the secret key to .
- Revocation Query : specifies an attribute . simulates the attribute authorities to execute the revocation algorithm , updates the ciphertext to version , and sends the update information to .
- Corrupted Authority Query : may corrupt up to authorities. returns the internal state (including secret shares) of authority to .
Challenge Phase: submits two equal-length messages and , along with a challenge access policy . None of the attribute sets S queried in Phase 1 can satisfy , and for any revoked attribute in , cannot possess a key with version (the latest version after revocation). randomly selects a bit , runs , and sends the challenge ciphertext to .
Query Phase 2: may continue to issue a polynomial number of , and : queries as in Phase 1, with the restriction that none of the queried attribute sets S satisfy the challenge policy . uses the latest attribute version numbers when generating keys.
Guess Phase: The adversary outputs a guess . The advantage of in this game is defined as:
The scheme is said to be secure if for any PPT adversary , the advantage is negligible in the security parameter .
Security Properties: The security game captures not only IND-CPA security but also the following properties:
- Collusion Resistance: Even if obtains multiple private keys from different users and/or corrupts up to authorities, they cannot decrypt a ciphertext if none of the individual key’s attribute sets satisfies the access policy .
- Forward Security: A secret key for an attribute at version cannot decrypt a ciphertext for the same attribute that has been updated to a newer version via a revocation query.
- Backward Security: A ciphertext for an attribute at version cannot be decrypted by a secret key for the same attribute that has been updated to a newer version .
4.2. Notations and Encoding Definitions
Following the FABEO scheme, our construction can be defined within the following PES-ABE framework.
- System Parameters:
- Master key:
- Revocation key:
- Attribute hash base:
- Hash function for attributes:
- User identity hash:
- Master secret key:
- Secret Key Encoding: For version and user attributes , the secret key is encoded as :
Here, denotes the version number of attribute u at key generation. Notably, our scheme introduces an additional verification component
- Ciphertext Encoding: For an access policy , the ciphertext is encoded as :
Here, denotes the version number of attribute at encryption time.
- Decryption: When the key version matches the ciphertext version and the attribute set S satisfies the access policy, the decryption process symbolically recovers .
4.3. Symbolic Security
If our PES-ABE encoding is symbolically secure, then the system fails to decrypt correctly when either the user’s attributes do not satisfy the access policy, or the user’s attribute version number does not match the current version number.
We prove by contradiction. Specifically, we need to show that for and , if , then:
Here, is the label containing the ciphertext version number; is the label containing the key version number; and are formal variables.
Assume, for contradiction, that there exists a non-zero vector and non-zero coefficient vectors , such that:
If the attribute set S does not satisfy the access structure yet decryption is possible, there must exist a vector such that for all , and .
Let . Then, the polynomial in Equation (38) can be transformed into:
By comparing coefficients:
- For : The term on the left has no corresponding term on the right. Thus, .
- For : The term on the left must equal on the right. Hence, .
- For : Since for , the equation simplifies to:
This polynomial can be factored as , so all coefficients must be zero. In particular, implies , and thus .
This contradicts the assumption that is a non-zero vector. Therefore, no such non-zero vectors , , exist when the attribute set does not satisfy the access policy or the key version mismatches the ciphertext version. Our scheme is symbolically secure under the PES-ABE encoding.
According to the proof in FABEO, if a PES-ABE scheme is symbolically secure, then it also satisfies strong symbolic security. This means the security model can be extended to multiple keys, multiple ciphertexts, and dynamic version queries as defined in . Consequently, our scheme also achieves strong symbolic security.
4.4. Enhanced Security Analysis
4.4.1. Collusion Resistance Formal Proof
Multiple Users Collude
Each user’s secret key contains a unique random value r. Consider two users A and B with .
If they attempt to combine their keys for decryption, they might use components from both users:
where indicates which user’s component is used for each , and indicates which user’s is used.
For successful decryption, the terms must cancel:
This requires , which only holds if all , that means all components come from the same user. Similarly, the terms require .
Therefore, colluding users cannot combine partial key components to decrypt a ciphertext that none could decrypt individually.
Authority Collusion
Consider the scenario where an adversary compromises up to attribute authorities, thereby obtaining their secret shares of the master keys.
With compromised authorities, the adversary obtains shares and , where and are degree- polynomials satisfying and .
By the fundamental property of Shamir secret sharing, any set of at most shares provides zero information about the secret. Formally, for any candidate values , the conditional probability equals the prior probability: , Consequently, even with shares, the adversary cannot reconstruct or , compute or , or generate valid key components or .
To demonstrate security rigorously, suppose an adversary could break IND-CPA security using only authority shares. We could then construct an algorithm that takes shares of an unknown secret s, embeds them into a simulation of our scheme, and uses ’s attack to gain information about s—contradicting the information-theoretic security of Shamir secret sharing. This reduction argument proves that authority collusion cannot compromise the system’s security.
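An added example, not code from the paper: the Joint Shamir steps of Section 3.2.1 and the authority-collusion argument above, run over a plain prime field. The prime `P`, the function names and the convention that a degree-t polynomial needs t+1 shares to reconstruct are assumptions; the scheme's commitments and group elements are left out.

```python
# Added example: joint Shamir secret sharing among n authorities
# (not code from the paper; field-only, no commitments or pairings).
import secrets

P = 2**127 - 1  # assumption: a Mersenne prime standing in for the group order p


def eval_poly(coeffs, x, p=P):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x (Horner's rule, mod p)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def joint_shamir(n, t, p=P):
    """Each authority i picks a random secret and a degree-t polynomial f_i,
    sends f_i(j) to authority j; authority j's share is sum_i f_i(j).

    Returns (shares, secret). The joint secret sum_i f_i(0) is returned only
    so the example can be checked; no authority computes it in the protocol.
    """
    polys = [[secrets.randbelow(p) for _ in range(t + 1)] for _ in range(n)]
    shares = {j: sum(eval_poly(f, j, p) for f in polys) % p
              for j in range(1, n + 1)}
    secret = sum(f[0] for f in polys) % p
    return shares, secret


def interpolate(points, x, p=P):
    """Lagrange-evaluate at x the unique polynomial of degree < len(points)
    passing through points, given as {x_i: y_i}."""
    total = 0
    for xi, yi in points.items():
        num = den = 1
        for xj in points:
            if xj != xi:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def reconstruct(subset, p=P):
    """Recover the joint secret from at least t+1 shares."""
    return interpolate(subset, 0, p)


def share_implied_by(corrupted, candidate, honest_index, p=P):
    """Given t corrupted shares and ANY candidate secret, return the share the
    honest authority would hold if that candidate were the real secret.
    A valid answer exists for every candidate, which is why t shares alone
    do not narrow down the secret."""
    return interpolate({0: candidate, **corrupted}, honest_index, p)


if __name__ == "__main__":
    shares, secret = joint_shamir(n=5, t=2)
    print("t+1 shares reconstruct:",
          reconstruct({j: shares[j] for j in (2, 4, 5)}) == secret)
    corrupted = {1: shares[1], 2: shares[2]}
    for guess in (secret, (secret + 1) % P, 0):
        implied = share_implied_by(corrupted, guess, 3)
        print("candidate consistent:",
              reconstruct({**corrupted, 3: implied}) == guess)
```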
4.4.2. Forward/Backward Security Proof
The version mechanism ensures:
Forward Security: After revocation to , new ciphertexts contain . Old keys have . The mismatch term prevents decryption.
Backward Security: Symmetrically, new keys with cannot decrypt old ciphertexts with .
In our symbolic proof, this corresponds to causing non-cancellation of terms.
4.5. Security Reduction
Under the Generic Group Model (GGM), given a security parameter , we consider an adversary that performs at most Q group operations and oracle queries in the security game . If our scheme satisfies strong symbolic security, then the advantage of in is negligible:
The security proof proceeds via a sequence of security games.
- : The challenger and the adversary interact according to the real scheme in . The challenge ciphertext is computed as .
- : This game is identical to , except that during random oracle queries , if is queried for the first time, the pair is recorded and is returned to , where is chosen uniformly at random.
- : This game is identical to , except that the blinding factor in the challenge ciphertext is replaced. Specifically, , where and is random. Under the GGM and based on the proven strong symbolic security of our scheme, adversary cannot distinguish between and .
Indistinguishability:
- Transition from to : The difference lies in the use of the random oracle model to ensure the randomness of the hash output. The adversary cannot recover from the public parameters to distinguish between and the random . The advantage loss for in this transition is .
- Transition from to : Here, is replaced with a random variable t. By strong symbolic security, and under the constraint of the security game that none of the queried attribute sets satisfies the challenge access policy, the polynomial does not lie in the span of the other polynomials. Therefore, cannot distinguish from a random t. By the standard argument of strong symbolic security within the GGM, the adversary’s advantage in this step is bounded by .
In summary, the advantage of the adversary in is:
This completes the proof.
Therefore, our scheme is IND-CPA secure under the GGM, and also achieves forward security, backward security, and collusion resistance.
5. Performance Evaluation
5.1. Theoretical Analysis
As shown in Table 1, we compare the key size and ciphertext size of each scheme, and as shown in Table 2, we compare their computational overhead. Our R-T-D-ABE scheme demonstrates significant theoretical advantages across all key performance metrics.
For key and ciphertext size, our scheme achieves a key size of , which is comparable to the FABEO scheme’s . Compared to the structurally simplest OO-MA-CPABE-CRF scheme that does not support revocation, our scheme implements fine-grained attribute revocation by introducing only a minimal number of group elements, achieving an excellent balance between storage efficiency and functional richness. This compactness stems from our design strategy of component embedding rather than module appending. The revocation key is integrated into ( ), avoiding separate storage allocation while adding only one element for traceability ( ).
For key generation, the required overhead is , with complexity growing linearly with the number of attributes, m. The additional pairing operation (‘P’) primarily stems from the construction of the non-interactive traceability component , which introduces only one element. Despite supporting multi-authority attribute revocation and accountability—a feature that leads to considerable complexity in MTA-CP-ABE and TR-AP-CPABE—our approach maintains a lower key generation overhead. This efficiency makes it particularly suitable for complex P2P network applications characterized by large attribute sets.
For encryption performance, the required overhead is , where complexity scales with the number of rows l in the access policy matrix. A key factor contributing to this performance is that our scheme, similar to FABEO, shifts the bulk of the computational load to the smaller group. Importantly, the revocation component is multiplied as a common factor into each , adding only constant multiplication overhead without changing the asymptotic complexity. This strategic choice results in significantly faster encryption compared to other schemes, highlighting a clear advantage in encryption performance.
For decryption efficiency, our scheme requires only in computational overhead. This is substantially lower than the demanding pairing operations (up to or ) in other schemes. The minimal 3 pairings result from algebraic cancellation: the factors in and cancel during pairing, while is excluded from normal decryption. This preserves the efficiency of the core CP-ABE structure despite added functionalities. The exceptional decryption efficiency underscores the suitability of our scheme for resource-constrained devices, such as mobile terminals and IoT nodes.
In summary, our scheme demonstrates well-rounded performance across multiple metrics: key/ciphertext size, key generation, encryption, and decryption overhead. It successfully integrates multi-authority attribute revocation and accountability into P2P networks, achieving an effective equilibrium between functionality, efficiency, and security. Consequently, the proposed scheme offers a practical and efficient solution for P2P applications.
5.2. Experimental Analysis
We conducted a comparative evaluation of our scheme against several schemes, including FABEO, MTA-CP-ABE, OO-MA-CP-ABE, and R-CP-ABE-Key-Tree. All implementations were executed on an ASUS TUF Gaming A15 laptop equipped with an AMD Ryzen 9 7940H processor and 16 GB RAM, running Windows 11. The experimental code was developed using the Charm-Crypto library 0.5 and Python 3.7. All tests were conducted under worst-case scenarios, as detailed below:
- For Setup, Key Generation, Encryption, and Decryption Tests: We fixed the number of users to 1, varied the number of attributes from 10 to 500 with a step size of 10, and employed the strictest access policy by connecting all attributes using AND gates only.
- For Ciphertext Update and Key Update Tests: We fixed the number of attributes to 3, set the access policy to , simulated the revocation of attribute 2, and varied the number of users from 10 to 500 with a step size of 10.
- For Accountability Tests: We simulated the worst-case tracing scenario requiring traversal of the entire user list to identify the malicious user, while varying the number of users from 10 to 500 with a step size of 10.
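Why the all-AND policy in the test setup is the worst case can be checked directly on the access policy matrix. The following is an added example, not the paper's benchmark code: it builds the matrix with the standard Lewko-Waters conversion, assumes a constructed prime in place of the pairing group order, and uses hypothetical function names. It shows that an n-attribute AND policy yields l = n rows and that no row can be skipped during reconstruction.

```python
import secrets

P = 2**127 - 1  # constructed prime, standing in for the pairing group order

def and_policy_matrix(n):
    """Lewko-Waters LSSS matrix for attr_1 AND ... AND attr_n (n rows, n columns)."""
    rows = []
    for i in range(n):
        row = [0] * n
        row[i] = 1 if i == 0 else P - 1   # -1 mod P cancels the previous row's mask
        if i + 1 < n:
            row[i + 1] = 1                # mask that the next row cancels
        rows.append(row)
    return rows

def share(secret, matrix):
    """One share per policy row: lambda_i = M_i . (secret, r_2, ..., r_n) mod P."""
    v = [secret] + [secrets.randbelow(P) for _ in matrix[0][1:]]
    return [sum(m * x for m, x in zip(row, v)) % P for row in matrix]

def in_span(rows, target):
    """Gaussian elimination over GF(P): is target a linear combination of rows?"""
    basis = {}  # pivot column -> row scaled to 1 at its pivot

    def reduce(vec):
        for col in range(len(vec)):
            if vec[col] and col in basis:
                f = vec[col]
                vec = [(a - f * b) % P for a, b in zip(vec, basis[col])]
        return vec

    for row in rows:
        r = reduce(row)
        piv = next((c for c, a in enumerate(r) if a), None)
        if piv is not None:
            inv = pow(r[piv], P - 2, P)   # modular inverse via Fermat's little theorem
            basis[piv] = [a * inv % P for a in r]
    return not any(reduce(target))

def worst_case_demo(n):
    """Return (rows l, secret recovered from all shares, rows that could be skipped)."""
    matrix = and_policy_matrix(n)
    secret = secrets.randbelow(P)
    shares = share(secret, matrix)
    target = [1] + [0] * (n - 1)
    recovered = sum(shares) % P           # every reconstruction coefficient is 1
    skippable = [i for i in range(n) if in_span(matrix[:i] + matrix[i + 1:], target)]
    return len(matrix), recovered == secret, skippable
```

Calling `worst_case_demo(10)` returns `(10, True, [])`: ten rows, the secret is recovered only from all ten shares, and the list of skippable rows is empty, so per-row encryption and decryption work scales with the full attribute count.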
Setup Time: As shown in Figure 2, the setup time of our R-T-D-ABE scheme exhibits a curvilinear growth pattern. Notably, in small-to-medium systems with fewer than 370 attributes, our scheme outperforms MTA-CP-ABE, demonstrating good practicality. Considering that system initialization is an infrequent operation in real-world applications, and our scheme achieves excellent performance in subsequent high-frequency operations such as key generation, encryption, and decryption, this initialization overhead is entirely acceptable. More importantly, our scheme supports both attribute revocation and accountability through a single initialization, providing significant advantages in practical deployment.
Key Generation Time: As shown in Figure 3, under the worst-case testing conditions (single user, all-AND policy), our scheme demonstrates exceptional performance in key generation. When the number of attributes reaches 500, R-T-D-ABE requires only approximately 0.6 s to complete key generation, significantly outperforming other schemes, and is only slightly slower than the optimal FABEO scheme (0.3 s). It is noteworthy that our scheme additionally supports revocability and traceability, which are features not offered by FABEO, making the achieved key generation efficiency particularly remarkable.
Encryption Time: As shown in Figure 4, under the worst-case all-AND policy, our scheme maintains encryption performance comparable to the optimal scheme, FABEO. With 500 attributes, our scheme requires 0.9 s for encryption, while FABEO requires 0.7 s. Although slightly slower than FABEO, our scheme still significantly outperforms other comparative schemes. The ability to maintain such high encryption efficiency while simultaneously achieving revocation and traceability functionalities fully demonstrates the superiority of our approach.
Decryption Time: As shown in Figure 5, under the worst-case all-AND policy, the decryption performance curve of our scheme almost completely overlaps with that of FABEO, far surpassing other schemes. This excellent performance confirms the high efficiency of our scheme during decryption, making it particularly suitable for P2P networks where nodes often have limited computational resources or require high responsiveness.
Key Update and Ciphertext Update Time: As shown in Figure 6 and Figure 7, we tested attribute revocation by fixing the access policy and simulating revocation events. The results indicate:
- Key Update: Our scheme demonstrates outstanding performance in key update. As shown in Figure 6, even with 500 users, the key update time remains below 0.003 s, significantly outperforming R-CP-ABE-Key-Tree. This near-real-time key update capability makes our scheme particularly suitable for highly dynamic P2P network environments.
- Ciphertext Update: As illustrated in Figure 7, our scheme requires only 1.4 s for ciphertext update with 500 users. Although this is slightly higher than the R-CP-ABE-Key-Tree scheme, it is better than MTA-CP-ABE. Notably, the R-CP-ABE-Key-Tree scheme requires up to 4 s for key update. Therefore, considering the overall revocation efficiency, our scheme exhibits a clear advantage.
Accountability Time: As shown in Figure 8, we simulated the worst-case accountability scenario (requiring traversal of all users to locate the malicious user). Our scheme requires only 0.95 s for tracing even with 500 users. This result indicates that the traceability feature of our scheme does not introduce significant performance overhead in practical deployment, demonstrating highly efficient tracing capability.
6. Conclusions and Future Work
In this paper, we propose a decentralized, revocable, and accountable CP-ABE scheme for P2P networks. By using a threshold-based distributed protocol for master key generation and a user identity binding mechanism, the scheme addresses key challenges in P2P environments: efficiency, centralized trust reliance, and dynamic user management. Theoretical and experimental results show that our scheme retains encryption/decryption performance close to non-revocable schemes while supporting near-real-time key updates and efficient traceability.
Future work will focus on strengthening the formal security proof and extending the scheme to support cross-domain collaboration and dynamic policies in complex P2P scenarios.
