English

Revocation-Ready CP-ABE Key Management for Blockchain-Based IoT Data Sharing

Cryptography and Security 2026-05-07 v1 Distributed, Parallel, and Cluster Computing

Abstract

Blockchain-based IoT data sharing systems increasingly adopt a hybrid architecture in which a permissioned ledger stores tamper-evident metadata while encrypted payloads are placed in content-addressed storage. In such systems, a central security bottleneck is key access control: enforcing dynamic, multi-user authorization for releasing or using bulk-data decryption keys. Existing designs often rely on always-online RBAC or smart-contract gates that return keys to authorized users, reintroducing a trusted online policy enforcement point and weakening auditability. This paper presents a revocation-ready key management layer that replaces online key release with ciphertext key publication: the ledger records metadata of the form (CID, CK, PolicyID, epoch), where CK is a CP-ABE ciphertext encapsulating an AES-GCM key. Users retrieve CK from the ledger and decrypt locally if their attributes satisfy the policy. To support forward revocation and policy evolution without re-encrypting large files, the design introduces an epoch/time-bound attribute and a lightweight CK-rotation protocol that updates only small ciphertext keys and ledger entries. We implement a minimal end-to-end prototype using a local content-addressed store, a hash-chained ledger, and a CP-ABE backend, with the goal of isolating key-management costs rather than benchmarking production blockchain throughput. Experiments on a commodity MacBook show that CP-ABE encryption dominates store latency, with approximately 186 ms for a k=6 mixed-Boolean policy, while ledger and storage operations remain around 1-2 ms. Epoch-based revocation amortizes key update cost under churn, gateway-assisted mode reduces median client-side decryption time by more than 4x under a simulated 4x client slow-down, and ledger growth scales with the number of shared assets rather than the number of readers.

Keywords

Cite

@article{arxiv.2605.04280,
  title  = {Revocation-Ready CP-ABE Key Management for Blockchain-Based IoT Data Sharing},
  author = {Chun Yin Chiu},
  journal= {arXiv preprint arXiv:2605.04280},
  year   = {2026}
}

Comments

14 pages, 7 figures, 4 tables. Accepted by the 2026 8th Blockchain and Internet of Things Conference (BIOTC 2026). Preprint

R2 v1 2026-07-01T12:51:49.598Z