Domain-Specific Fine-Grained Access Control for Cloud-Edge Collaborative IoT
IEEE Transactions on Information Forensics and Security (IF 6.3), Pub Date: 6-26-2024, DOI: 10.1109/tifs.2024.3419716
Meiyan Xiao 1, Qiong Huang 1, Wenya Chen 1, Chuan Lyu 1, Willy Susilo 2

Cloud-edge collaborative data sharing that supports data confidentiality can be realized by adopting outsourced Attribute-Based Encryption (ABE) schemes. Yet most existing schemes for such scenarios face challenges such as vulnerable terminal devices that are easy to attack, a lack of flexible authorization management methods for a large number of devices, and a lack of methods to securely specify on-demand data sharing domains. In this paper, we propose a Domain-specific On-demand Access Control scheme with fully Independent Revocation (DOACIR), which not only realizes a three-layer on-demand data sharing framework for cloud-edge collaborative IoT environments but also allows the data uploader to restrict the data sharing domain in a succinct way. The attribute authority and multiple edge servers perform data access authorization collaboratively to improve data sharing efficiency and to avoid the key-abuse and key-leakage problems. Fully independent user revocation is also realized in DOACIR to flexibly manage terminal devices in IoT. Further, we improve the scheme to support cross-domain data sharing, namely Cross-Domain DOACIR (CD-DOACIR), by improving the encryption phase so that the data uploader can specify any number of sharing domains while the size of the ciphertext remains constant. We provide security proofs of DOACIR and CD-DOACIR, and the experimental results demonstrate the effectiveness and efficiency of our solutions in cloud-edge collaborative on-demand data sharing.

Updated: 2024-08-22