FADB: A Fine-Grained Access Control Scheme for VANET Data Based on Blockchain

Vehicular Ad Hoc Network (VANET) is an important foundation of intelligent transportation system and is widely used in trafﬁc management, automatic driving, and road optimization. With the gradual popularization and further development of VANET, a large amount of VANET data has been produced. However, it poses huge challenges to the security and privacy when using VANET data provides services for users. In this paper, combining the technologies of blockchain and ciphertext-based attribute encryption (CP-ABE), we propose a ﬁne-grained access control scheme for VANET data based on blockchain (FADB). In FADB, we employ the blockchain to replace the third-party service providers for user identity management and data storage. And different VANET data access rights can be established according to user attribute. By improving the CP-ABE, the lightweight VANET devices can outsource complex encryption and decryption operations to powerful RSUs and further improve the efﬁciency of data access. Final, we carry out a series of simulation tests and security analysis, proving that the FADB can provide effective data security and low performance overhead.

made it possible to replace third-parties. Blockchain is a distributed database for data storage and retrieval [5]. It has strong non-destructive modification. In recent years, blockchain has been applied to different fields, such as financial service, resource sharing, trade management, and Internet of Things [6]. By using blockchain to store and share VANET data, the security of VANET data is effectively guaranteed [7]. This promotes the further circulation and sharing of VANET data, and generates greater value for VANET [8]. In this paper, by using blockchain technology, we implement the access control for VANET data. To protect the security and privacy of VANET data, the access control mechanism can prevent unauthorized entities from accessing data and ensure data confidentiality.
In addition, to meet the fine-grained access control for VANET data on cloud servers, the access control mechanism needs to implement data access control that can only be accessed and decrypted by particular users. However, traditional encryption schemes cannot satisfy the access control requirements. For example, the Advanced Encryption Standard (AES) [9] is difficult to send decryption key to the intended data access user. While the asymmetric encryption based RSA encryption algorithm requires data to encrypt file [10]. In RSA, the owner obtains the public key of each user before encrypting data. Any new user cannot access the data after encrypting data. This is a great limitation for multi-users access of data. Thus, driven by the need for fine-grained access control of data, the attribute based encryption (ABE) is proposed [11]. The ABE encryption scheme is designed for one-to-many encryption, maintaining fine-grained access control of data and data confidentiality. It is divided into two categories, the key policy attribute based encryption (KP-ABE) [12] and the ciphertext policy attribute based encryption (CP-ABE) [13]. The KP-ABE has an access policy attached to user key, while the CP-ABE has an access policy attached to ciphertext. CP-ABE is a data owner that can encrypt its data under a specified access policy through a set of attributes. It decrypts data when the attributes of data visitor meet the policy requirements. The CP-ABE does not require knowledge of who will access the data. It can provide greater flexibility and control during the encryption of data.
Thus, the CP-ABE is more suitable for storage solutions than KP-ABE.
In this article, we focus on the secure storage of VANET data and fine-grained access control. By utilizing the blockchain technology and CP-ABE algorithm, we propose a Fine-Grained Access Control Scheme for VANET Data based on Blockchain (FADB), which satisfies the distributed storage of VANET data. The contributions of this article are as follows: 1) We have proposed an access control scheme called FADB. By combining the CP-ABE encryption technology, Ethereum blockchain and IPFS [14], the FADB realizes distributed storage and fine-grained access for VANET data. 2) Based on the CP-ABE algorithm, we propose an enhanced security mechanism, called HECP-ABE. It combines blockchain technology to achieve stepby-step encryption and decryption operations, providing support for lightweight devices in VANET. 3) We test the credibility of our FADB through abundant simulation experiments. We have modified the Ethereum client to test the extra storage footprint and time spent by the entire data sharing process in the real deployment scenario.
The rest of the paper is organized as follows: In part II, we introduce the related work of this paper. The part III reviews the knowledge of CP-ABE encryption and blockchain. In part IV, we elaborate on the components of FADB and the interaction process between them. We elaborate the HECP-ABE algorithm and the detailed design of smart contract in part V. The part VI discusses the performance of FADB. Finally, we give the conclusion of this paper and the future research directions.

II. RELATED WORK A. BLOCKCHAIN
Blockchain technology originated from the Bitcoin system [15]. As the economic value inherent in Bitcoin has gradually increased, more and more crypto currencies have emerged (Ethereum [16], Ripple [17], EOSIO [18]). This has greatly promoted the development of blockchain technology. At present, blockchain has been widely used in financial field [19] and some other fields. For example, in reference [20], blockchain was used to construct a new digital content distribution system, and the distributed copyright authentication mechanism was realized. The reference [21] constructed an anonymous data collection platform based on blockchain, which did not require a centralized trusted third party. In [22], the blockchain built a distributed shared platform for managing medical data.
A blockchain service framework for IoT data integrity was proposed in [23]. The framework provided more reliable data integrity verification for all data owners and users, and it did not rely on any trusted third-party auditing agency. In order to solve the security and privacy problems caused by VOLUME 8, 2020 third-party storage of sensitive data, the authors [24] proposed a block-based data usage auditing architecture based on the layered identity-based encryption mechanism. It effectively protected users' privacy and ensured that data was shared confidentially with multiple service providers. In [25], a distributed cloud data architecture based on blockchain was proposed. This enabled tamper resistance to data sources, user privacy protection and reliable storage of data.
From the above researches, we can get that the blockchain-based distributed storage system can provide security and reliability far beyond the traditional storage method. It can avoid data loss and privacy leakage caused by third-party service providers. Therefore, by introducing the blockchain into VANET, we can effectively guarantee the secure storage of data and provide a durable and efficient data access service in this paper.

B. CP-ABE
In [26], the Hierarchical Identity Based Encryption System (HIBE) and CP-ABE were combined to help enterprises effectively share confidential data on cloud servers. In order to solve the problem of some users' attributes affecting other users, an ABE scheme for avoiding user collusion was proposed in [27]. It effectively solved the attribute revocation problem by using the concept of attribute group. When the user revoked the attribute, the group manager would automatically update the keys of other users. In [28], a multi-authority cloud storage data access control scheme was proposed, which had efficient decryption and attribute revocation functions. It could achieve forward security and backward security. In [29], for the field of mobile cloud computing, an attribute-based encryption scheme for privacy-protected password policies was proposed. It enabled lightweight devices to outsource complex encryption and decryption operations to cloud service providers without revealing the content of the data. In [30], an efficient and revocable data access control scheme of multi-privileged cloud storage systems was designed as the basic technology of data access control scheme.In [31], it proposed an efficient revocable CP-ABE scheme for big data access control in cloud using proxy-based updates. The proxy server performed the ciphertext and secret key updates instead of data owner and data user respectively during revocation. In [32], the secure homomorphic encryption algorithm was combined with CP-ABE algorithm to construct a searchable CP-ABE access control scheme. The scheme not only ensured the security of data access, but also realized the retrieval of ciphertext and shortened query time.

C. DATA SECURITY
In [23], it proposed a blockchain-based framework for data integrity service. Under such framework, a more reliable data integrity verification could be provided for both the data owners and data consumers without relying on any Third Party Auditor (TPA). This ensured the security of the data and provided a global authentication service. However, the blockchain-based framework cannot provide users with fine-grained access control services. It restricts the efficiency and flexibility of data access.
In [27], it proposed an ABE scheme for cloud storage system with effective attribute revocation function to avoid user collusion ciphertext strategy. The problem of attribute revocation could be effectively solved by using the concept of attribute group. After revoking attributes from a user, the group administrator would update the keys of other users. However, this scheme does not adopt additional measures to ensure data security, which may cause some problems.
So, we combine the advantages of blockchain and CP-ABE. Through the blockchain to ensure data storage security and user identity authentication, use CP-ABE to achieve authorized access control of data to ensure efficient and flexible access. this paper designs HECP-ABE in FADB. It is possible to provide powerful distributed fine-grained data access services for VANET, which can greatly promote VANET data sharing.

III. PRELIMINARIES
In this section, we mainly introduce the relevant background and preliminary knowledge designed in this paper. Tab. 1 shows some symbols and abbreviations involved in this article. A. ATTRIBUTE-BASED ENCRYPTION 1) BILINEAR MAP Assume that there exist two cyclic multip-licative groups with big prime order, G 0 and G T . We set the g is a generator of G 0 . Then we can get a bilinear map e : G 0 × G 0 → G T [13].

2) ACCESS STRUCTURE
Let L = {a 1 , a 2 , . . . , a n } be the set of all attributes in the system. Then we call L is the system attribute set. The a i represents an attribute in the system. In this paper, the user attribute set is represented by S, (S should be a non-empty subset of L). Thus, we can construct the access structure A ⊆ 2 {a 1 ,a 2 ,...,a n } [13]. The characteristic of A is monotone.
If ∀B, C : B ∈ A and B ⊆ C, we can get C ∈ A.

3) ACCESS TREE
Let T represent the access tree for an access structure A, and x be a node of T . Thus, T x is represented the sub-tree of T rooted at the node of x. We set the R as the root node of T . Then, if x = R, T x can be seen as T R . For each non-leaf node of T x , it is described by its children node number num x and threshold gate k x , where k x ∈ [1, num x ]. When k x = 1, the threshold gate k x is an OR gate. When k x = num x , the threshold gate k x is an AND gate. For each leaf node of T x , it is stated by user attribute set S and threshold k x . If user attribute set S satisfies T x , we donate T x (S) = 1. T x (S) can be computed recursively. If x is a non-leaf node, we compute all children nodes denoted by x . If the number of T x (S) is more than k x , T x (S) outputs 1. If x is a leaf node, and att(x) ∈ S (att(x) denotes the attribute related to the leaf node x ), T x (S) outputs 1.
In this paper, we define some functions to work with the access tree: parent (x) denotes the parent node of x in T ; att (x) denotes the related attributes of x; num (x) denotes the number of children nodes of x; index (x) denotes the index of each children node of x.

B. BLOCKCHAIN TECHNOLOGY 1) BLOCKCHAIN
The blockchain originated from a paper entitled ''Bitcoin: A Peer-to-Peer Electro-nic Cash System'', which was published by a scholar named Nakamoto Satoshi [15]. It proposed a de-trusted cryptocurrency called Bitcoin, which was officially released and had been running smoothly for ten years. The success of Bitcoin has led to the rapid prosperity of cryptocurrencies, and further contributes to the rapid development of the underlying blockchain technology. Currently, blockchain technology has been widely applied in the field of financial services, and gradually expanded to asset registration, social credit investigation, resource sharing and other industries. Blockchain technology has the following characteristics: • Decentralized control: All transactions in blockchain are voted by all nodes, which avoids the centralization of the blockchain.
• Unalterable: Each node stores the same copy, and the copies can be verified between nodes. This makes it necessary to change 51% of copies to change the records of the entire system.
• Irreversibility: Transactions recorded on the blockchain cannot be deleted or changed after a certain number of confirmations.

FIGURE 2. Blockchain struct.
Blockchain is a distributed database that backs up all transactions to each node. It consists of a series of block links. As shown in Figure 2, each block contains a hunk and a series of transactions. The hunk contains the timestamp, version number, hash of the previous block, and transaction information for the Merkle root tree. The old blocks are locked when a new block is created by referencing the hash value of the previous block. By creating new blocks in this way, a growing chain structure is formed. Block generation is the consensus result of the whole blockchain network. This mechanism guarantees the inelastic modification of blockchain.

2) ETHEREUM
Ethereum is seen as a blockchain 2.0 platform that supports reliable cryptocurrency transactions and smart contracts [33]. Compared to Bitcoin, Ethereum has a built-in Turing-complete programming language. This allows users to programmatically create, compile, deploy, and run a variety of standardized, scalable, and fully featured smart contracts. Once the smart contract is deployed, the smart contract can be invoked to complete the corresponding transaction.

a: ETHEREUM ACCOUNT
In Ethereum system, the user state consists three parts: account object state, the transfer state of value, and the state of information transition. In general, Ethereum has two types of accounts: external accounts (EOAs, controlled by private key) and contract accounts (controlled by contract code). The EOAs is controlled by user through a personal private key, which is sent by creating and signing a transaction. When the contract account receives messages, it activates the internal code and reads/writes the internal storage.

b: SMART CONTRACT
A smart contract is a computer trading agreement that runs on the terms of an implementation contract in Ethereum [34]. It is located at a specific location in Ethereum blockchain and is stored in Ethereum specific binary format (EVM bytecode).

VOLUME 8, 2020
The smart contract is called by the Ethereum Virtual Machine (EVM). Once a smart contract is deployed to the EVM, it can be automated and self-verified without manual intervention. It interacts with smart contracts through contract addresses and application interfaces. Smart contracts guarantee the stability and efficient operation of the system in the environment where there is no trusted third party.
Therefore, by introducing Ethereum into VANET, an equally decentralized trust system is constructed. The problems of centralization in the original data sharing scheme are solved, such as the data loss caused by third party, privacy disclosure, key abuse and other security risks.

3) IPFS
Inter Planetary File System (IPFS) is a global, peer-to-peer distributed version of the file system. The goal of IPFS is to connect all computing devices with a unified file system. IPFS can be seen as a complement and improvement to the Hypertext Transfer Protocol (HTTP). But it also act as a standalone BitTorrent cluster. By combining distributed hash tables (DHT), block exchange incentives, and self-certified namespaces, IPFS has no single point of failure and no mutual trust between nodes. In addition, IPFS provides a high-throughput content-addressable block storage model with content-addressed hyperlinks. After the file is uploaded to IPFS, it generates a hash string, which is used to retrieve the file. IPFS implements content-based addressing in this way. File distribution uses a BitTorrent-based protocol that enables files to be transferred, stored, and accessed in a distributed manner. This can conducive to saving bandwidth and preventing the DDoS attacks of HTTP protocol.
IPFS is a new generation of distributed data storage solution. It supports large-scale persistent storage of data and provides version control to facilitate management of data at different stages. Therefore, applying the IPS to VANET can effectively improve the security of data and provide support for large-scale data sharing in VANET.

IV. SYSTEM MODEL
The proposed FADB describes a new type of distributed VANET data storage and access control system by combining Ethereum, CP-ABE, IPFS and other technologies. Figure 3 describes FADB's system model in detail including the system components and interactions.
DO is the data producer. It is a group of vehicles or devices that need to share data in VANET. Due to its performance limitations, DO does not have high computing performance and large data storage space. Thus, DO does not have the conditions for large-scale storage and sharing of data in this paper. DO can upload data to the IPFS through the RSU . Due to the performance limitations of DO and its own dynamic nature, the blockchain network in FADB does not contain DO. In the blockchain network, we use RSU as proxy node to process transactions that related to data upload.

2) DATA USER (DU)
DU is the data consumer. And DU needs to request data through the proxy RSU in VANET. Sometimes, DO and DU may be the same entity at the physical level. For example, a vehicle may request and share data at the same time. In this paper, both DOs and DU s are the users in our system model.

3) RSU
RSU is a communication unit distributed along a certain distance on both sides of road, and each RSU is equipped with an improved Ethereum client, sufficient processing performance, storage space and good network connection. In FADB, we build the entire blockchain network with RSU s as the nodes. The RSU proxies the data upload and access operations of DOs and DU s within its coverage, while leveraging its high performance to perform most of the work in data encryption and decryption. This alleviates the performance requirements of DOs and DU s, enabling data sharing more efficient.

4) IDENTITY CHAIN (IC)
In FADB, IC manages user's identity registration and changes. Each transaction stored in IC corresponds to user's identity information. Transactions are encrypted by smart contracts. Only through smart contracts can they access user's identity information. This effectively prevents user's privacy from being leaked and misused. Each user is registered on IC when it enters FADB system. The registration method is to authenticate user through RSU . After the authentication is passed, the RSU calls the smart contract belonging to IC to generate a private key for user. The smart contract constructs a transaction and records it on IC, the transaction containing the authenticated identity information of user.
The main fields in the transaction of IC are the following: • Device ID: This field is user's unique identifier. When user makes a property change, Device ID is used to confirm whether it is the same user. 85194 VOLUME 8, 2020 • Attribute set: This field is stored in S. When user's attributes are changed, the type of data that the user can access in FADB also changed.
• Private key: This field stores user's private key. The ability to access data through a private key is a representation of user rights.

5) SMART CONTRACT OF IDENTITY CHAIN (SC ic )
A set of operating methods for IC are defined in SC ic . SC ic is responsible for the generation of MSK and PK . After the SC ic completes the generation of MSK , RSU can write user's registration information to IC by calling SC ic . When DU accesses the data, the SC ic needs to perform preliminary verification to confirm whether the DU is a registered user in FADB.

6) DATA CHAIN (DC)
With respect to IC, DC is another blockchain in FADB. The data stored in DC is a metadata that the user uploads to IPFS. The transaction in DC includes the following fields: • hash: This field is used to ensure the correctness of data. It is to avoid problems such as incomplete files caused by network transmission errors.
• kws: This filed means the keyword digest of data. It is represented by kws. In this paper, the kws is public, and is used to match data by matching the keyword.
• CT : The decryption key of data is encrypted and stored in this field. This field CT can only be accessed by smart contract.
• F address : This field means the address of data file in IPFS. It is represented by F address . By using F address , the encrypted data file stored in IPFS can be accessed.

7) SMART CONTRACT OF DATA CHAIN (SC dc )
SC dc has the DC operating rights for reading, writing, and retrieving. When data is uploaded to IPFS, a transaction is generated by SC dc and the transaction is written to DC. The flag of successful data upload is that the data can be retrieved and accessed by DC. First, DU calls the SC dc through RSU . Then, the SC dc calls the SC ic to verify the DU identity on IC.
Final, SC dc sends DC to RSU after the verification is passed.

B. SYSTEM INTERACTION
In FADB, the interactions between components mainly include the following stages: user registration, data upload, and authorized access. Here, we introduce them separately.

1) SYSTEM INITIALIZATION
The FADB system is initialized, as shown in Figure 4.
When SC ic is deployed to FADB system, it executes the Setup(1 λ , L) → (PK , MSK ) algorithm, and generates the MSK and PK . The input parameters of the Setup algorithm are the system security parameter λ and system attribute set L. λ is a constant that guarantees the security of the system. And it specifies the length of key generation. After completing the above steps, SC ic constructs a transaction to write PK and MSK to the IC. The MSK is encrypted by SC ic and only SC ic can access it. The PK is cached in each RSU , ensuring that any node can access it. After system initialization, users can access the system by registering.

2) USER REGISTRATION
When user enjoys our FADB system, he/she sends a registration request to RSU. In FADB system, user connects to the RSU through a wireless access technology based on the IEEE 802.11p protocol. The registration request contains the device ID and user attribute set S. The RSU verifies the authenticity and validity of registration message. After verification is passed, the RSU forwards the registration message to the SC ic . The user registration algorithm, Register(MSK , S) → SK , is executed to generate the SK by registration algorithm.
The SK is bound to S. When users accesses the data, SK can be used to verify whether users satisfies the access requirements. After the transaction is constructed, SC ic writes the transaction to IC and finally gets the serial number UID :< XX , YY > of the transaction in IC. For example, in Figure 4, OK < SK , 168 : 07 > means OK < SK , XX : YY >. XX represents the block number of the transaction, and YY is the transaction number in the block. Through the serial number, XX can directly locate the block where the transaction is located, and YY can directly determine where the transaction is stored in the block. This reduces the complexity of the query to a constant level. Thus, we can quickly retrieve user's identity information on the chain by XX and YY . Finally, SC ic returns UID and SK to RSU . After receiving the message of successful registration, RSU sends UID and SK to the user, and the registration is completed.

3) DATA UPLOAD
In this stage, DO uses RSU as a proxy to upload data to IPFS, as shown in Figure 5. A short-range and high-speed connection is established between DU and RSU through the IEEE802.11P protocol. Before data is uploaded, the file F is encrypted by AES. The input of the encryption algorithm FileEncrypt(F) → (CT f , K , kws) is F, and the output is the encrypted file CT f , file decryption key K , and the file VOLUME 8, 2020

4) AUTHORIZED ACCESS
In this stage, DU can access data through RSU . Figure 6 shows the specific process of authorized access. First, a DU sends a data request < UID, keyword > to RSU . RSU invokes the SC dc and sends this request. SC dc splits the request into two parts. One is to retrieve the data by matching the keyword from the DC. The other is to call the SC ic to verify the UID of DU , and get DU 's partial private key for decryption in RSU . After retrieving the eligible transaction, SC dc reads F address , CT and hash from the transaction. When SC ic received the request from RSU , it obtains the corresponding user identity information from IC according to the UID. If the UID is forged or unregistered by DU , the RSU does not get the correct CT . Thus, it guarantees the security of data. If the UID is correct, the DU identity information can be quickly retrieved based on UID. The SK is intercepted to construct a key SK for RSU decryption. After the SC dc successfully receives replies from both DC and SC ic , it constructs a new message < hash, F address , SK , CT > and sends to RSU . Then the RSU requests CT f from IPFS based on F address in the message < hash, F address , SK , CT >.
When RSU obtains CT f , it checks the correctness of CT f according to the hash. If CT f is corrupted due to transmission, the RSU needs to request CT f again from IPFS. After that, the RSU runs the decryption algorithm RSU .Decrypt(PK , CT , SK ) → CT , and the CT is initially decrypted by PK and SK . If the DU does not satisfy the decryption request of CT , the RSU fails to decrypt. The access failure message is sent back to DU . CT is generated when the RSU decrypts CT successfully. Then, the RSU sends CT and CT f to DU . The DU executes the decryption algorithm DU .Decrypt(CT , SK ) → K , which decrypts the CT based on the original RSU decryption to obtain the encrypted content. The DU only needs one calculation to get K , making the decryption speed much higher. Then, DU needs to use K to perform AES decryption on CT f to access data. After the above steps, DU completes fine-grained access to the shared data.

V. ALGORITHM DESIGN
The FADB is designed on the basis of Ethereum and CP-ABE. In the previous section, we have introduced the entire process of FADB's fine-grained access to data and how smart contracts guarantee data security and privacy.
Below we introduce the algorithms involved in FADB, HECP-ABE and smart contract. By improving the CP-ABE algorithm, we have designed the HECP-ABE algorithm so that it can ignore the difference in hardware performance in VANET and has a good performance improvement. In this section, we detail the implementation principle of HECP-ABE algorithm. In addition, we have improved the Ethereum client so that it can handle two parallel blockchains. Therefore, this section also gives a detailed introduction to the key points and pseudo-code implementation of smart contract.

A. HECP-ABE ALGORITHM
HECP-ABE is a specific attribute encryption algorithm for VANET. It is improved on the basis of CP-ABE. It solves the CP-ABE' problem of demanding too much from VANET devices. In HECP-ABE, most of the encryption and decryption operations are transferred from users to the RSU s.
Thus, the VANET devices can be lightweight without high computing and storage capacity.
Phase 1 (Initialization): Setup 1 λ , L → (PK , MSK ). The setup algorithm chooses two bilinear group G 0 and G T . It randomly chooses three elements α, β ∈ Z p and h ∈ G 0 . For each a i ∈ L, the algorithm chooses a random v i and computes PK i = g v i . Thus, the public key is published as: PK = G 0 , g, h, g α , g β , e (g, g) αβ , PK i = g v i |a i ∈ L And the master key is MSK = {α, β}. The setup algorithm is automatically executed by SC ic when it is deployed to the blockchain network. The blockchain makes sure the proper generation and secure storage of MSK and PK . Phase 2 (User Register): Register (MSK , S) → SK . The register algorithm takes S and MSK as input. It outputs a secret key SK . In user register function of HECP-ABE algorithm, it first selects a random γ ∈ Z p , which is a unique assigned to each of users in FADB. After that, it random chooses ε ∈ Z p for each attribution in S. Finally, it computes the user secret key as:

Register(MSK , S) is executed by SC ic
After the SC ic receives a user registration request from RSU . This registration request contains the user's attribute set S, the MSK is stored in IC and read by SC ic . After finishing the register, the SC ic return the user's private key SK through a secure channel.
Phase3 (Encryption): FileEncrypt (F) → CT f , K , kws . This encryption algorithm computes CT f = Enc AES (F) and sends CT f to RSU , then keeps K for the next encryption algorithm in the iteration of HECP-ABE.
RSU .Encrypt (PK , A) → CT . When the function works, it first selects a polynomial q x for each node x in the access tree T . The polynomial is beginning from the root node of T . In a top-down manner, each node in T is selected a polynomial. Here, The threshold value k x is more than the degree d x of q x , like that, k x = d x + 1. Starting from the root node R, RSU selects a random s 1 ∈ Z p and sets q R (0) = s 1 . After that, it chooses d R other points to define q R completely. For any other node x in T , it sets q R (0) = q parent(x) (index (x)), and selects d x other points randomly to completely define q x .
Then, the intermediate ciphertext CT can be constructed as: The X in CT is the set of attributes associating with the leaf nodes.
DO.Encrypt PK , K , CT → CT . In this algorithm, the DO randomly chooses s ∈ Z p and computes that: Finally, it outputs the ciphertext as: The SK is a part of user's secret key, and The CT is got from the SC dc . The RSU .Decrypt function includes a child function RSU .DecryptNode CT , SK , x , which is defined as a recursive algorithm.
When the RSU .Decrypt function works, it faces two situations: 1) x is a leaf node of T . We let a i = att(x). If a i / ∈ S, we get RSU .DecryptNode CT , SK , x = ⊥. Otherwise, we get: 2) x is a non-leaf node. RSU .DecryptNode CT , SK , x is worked as same that: for all nodes z that are children of x, we call another process RSU .DecryptNode CT , SK , z and let F z as output. If S x is an arbitrary k x − sized set of child nodes z, we get F z = ⊥. If z does not exist, F z = ⊥. Then, we can compute and return the result as: The decryption algorithm on the root node R of T is defined as: can satisfies the access tree T . After that, RSU continually computes: When RSU completes the calculation of B, it can structure the intermediate ciphertext CT = {CT f , C 1 = K × e (g, g) αβS , C = g S , B}. Finally, RSU sends CT to DU and completes the decryption algorithm.
DU .Decrypt CT , SK → K . When DU accepts CT from RSU , it puts SK into the encryption algorithm. The algorithm computes SK and CT as: DU can easily computes K . Because most of the calculation work has been completed by RSU . In this way, DU can quickly access the key K and decrypt the encrypted data.

B. SMART CONTRACT DESIGN
Smart contracts are the core modules of the blockchain network in FADB. It manages user registration, transaction records and data validation in VANET. Programmatically, a variety of different functions can be deployed for smart contracts to provide continuous scalability for FADB system. In this section, we elaborate on the workflow and intrinsic logic of each functional module in smart contract. Our work is based on the Ethereum client. In Ethereum, smart contracts are programmed using the Turing-complete Solidity language, which provides general tool functions for getting block information and transaction data.
The functions and variables covered in this paper exist in the global namespace of the smart contract in a predefined way. Here are some of the main variables for designing smart contracts: tx.origin: we can get the originator of transaction by calling tx.origin. In Ethereum, smart contracts call each other to forms a chain of calls. Final, the tx.origin gets the originator of chain of calls.
msg.sender: we can get the sender address of current message by calling msg.sender. By deploying or invoking smart contracts, the system can get the corresponding user address.

1) USER MANAGEMENT CONTRACT
User management contract is a specific implementation of SC ic . It mainly provides the following functional interfaces to implement user management operations: addUser (ID driver , S): This function is executed when the RSU calls SC ic for user registration. It first verifies that the user identity of the contract is correct, and the RSU is a working blockchain node in the network. After the verification is passed, it searches on the IC based on the serial number of the registered device, verifying that the device has already been registered. After that, it reads the MSK and runs the Register(MSK , S) to generate the user's private key SK . After SK is successfully generated, it constructs a transaction and scatters into the transaction pool Tx.pool. Finally, the SK and UID are passed back to RSU over the secure channel.
getUser (UserID): This function is used to retrieve user's registration information from IC via UID. It is called by SC ic for protecting user information security. There are two ways to retrieve the search method in the function. One is to search by the device number ID driver . This method is suitable for  (MSK , (a 1 , a 2 , . . . , a m )) 8 Tx =< ID driver , MSK , msg.sender, S, TimeStamp> 9 SignTx(msg.sender, type.Tx, IC) 10 while submitTransaction(Tx) do 11 Wait until transaction successfully submitted The other way is to use UID for the search. It is easier than the way of searching by ID driver . User information can be read directly from the IC based on the block number and transaction number recorded in UID.
updateUser (UID, S new ): This function is used to update user information. When the user attribute is changed, the range of data that the user can access will also change accordingly. The input of function is the user's UID and the new attribute set S new . First, it retrieves user information on the IC based on the UID. If the return is empty, the user does not exist. Otherwise we use S new to re-run the registration

2) DATA SHARING CONTRACT
Data sharing contract is deployed to handle related matters such as data sharing. Its corresponding operation object is DC. The functions defined in the data sharing contract are responsible for publishing data metadata to the blockchain and providing data retrieval functions to the DU . Below we introduce the functional interfaces provided by data sharing contract. quickly write metadata information to the DC. First, it checks the input. If the input is wrong, it throws the corresponding exception. Otherwise, it constructs a corresponding transaction and signs the transaction. Then, we store the transaction in Tx.pool and wait this transaction to be written into the DC. The transactions of Tx.pool are broadcasted to the whole blockchain network, allowing all RSU s to confirm the legality of transactions. When the blockchain network has accumulated a large of transactions that can be accommodated by a block, the transactions are packaged in bulk and written into a new block. After the new block is successfully backed up by all nodes, it indicates that the metadata is successfully written into the DC.

Algorithm 4 uploadMetadata
uploadMetadata (UID, keyword): This function retrieves data quickly on the DC via kws. After checking the correctness of kws, it checks the validity of user by calling the getUser function. And then it truncates the SK for subsequent CP-ABE decryption. After that, it realizes the address mapping according to kws and gets the addressList. For zero address in addressList, the function queryData returns a null value. For multiple addresses, the function accesses each address and obtains the data metadata stored in the corresponding transaction. Finally, all retrieved metadatas are encapsulated in an array and returned with the key SK to the requested RSU .

VI. EVALUATION
In this section, we simulate FADB under various conditions. Then we analyze and contrast the results obtained by simulation. Because the FADB introduces new components, blockchain and HECP-ABE. They does not exist in current VANET. Thus, it brings unknown performance impact and cost for VANET environment. We need test the blockchain VOLUME 8, 2020 network and the HECP-ABE separately to evaluate the performance of FADB in actual deployment.

A. EXPERIMENT ENVIRONMENT
The simulation is done on an Ubuntu 16.04.4 LTS desktop equipped with an Intel Core i7-8086K @4.0GHz processor and 16G of RAM. We use Docker to virtualize a physical machine into multiple virtual machines, and configure different hardware resources to simulate RSU and OBU devices in FADB. On the basis of the Ethereum ganache-cil, a certain repair is carried out to meet the needs of our simulation. The encryption scheme uses the CP-ABE encryption toolkit and uses the PBC library for algebraic operations which provides four command-line tools for performing various operations. An 80-bit security level is achieved by using a 160-bit elliptic curve group.

B. PERFORMANCE 1) ENCRYPTION CONSUMPTION
In HECP-ABE, the complexity of the calculation is related to the size of the user attribute set. The increase of attributes leads to a complex ciphertext strategy. This affects the time of encryption and decryption and the final ciphertext length. To test how our solution is affected by the size of attribute set, we constructed 100 different size of attribute set. The number of attributes in each set is increased from 1 to 100. Finally we generate a key for each set.  For Figure 7(a), we can get that the resulting ciphertext size is about 47 KB under the ciphertext policy with the attribute set, which contains 100 attributes.
For Figure 7(b), the initialization phase of the HECP-ABE algorithm is not so slow, and it takes about 0.66 seconds to generate the system master key in the case of 100 attributes.
For Figure 7(c), as the number of attributes increases, the RSU time cost increases linearly for executing encryption/decryption algorithm. But the time cost growth rate of the decryption algorithm is smaller than the encryption algorithm. Under the premise of 100 attributes, it takes about 1.33 seconds and 0.45 seconds for encryption and decryption respectively.
For Figure 7(d), compared with RSU in Figure 7(c), user (DO/DU ) time cost is faster in encryption and decryption. DO needs about 0.025 seconds to encrypt the ciphertext policy containing 100 attributes. While DU needs 1.9 milliseconds to decrypt the ciphertext. Because the decryption process of DU is basically unaffected by the number of attributes contained in the ciphertext policy. As expected, our solution splits the encryption and decryption process by transferring most of the encryption and decryption operations to the high-performance RSU . The time on VANET devices in the process of encryption and decryption is greatly reduced. Compared with the uploading and downloading of data, the entire encryption and decryption process does not take up too much time cost. Thus, we can get that our CP-ABE scheme is applicable to FADB.

2) STORAGE COST
Due to the introduction of blockchain in VANET, it is inevitable that blockchain can result in more storage usage. In order to evaluate the additional storage usage caused by maintaining two chains (IC and DC) in FADB, we simulate the block growth in real-world situations by simulating transactions. We build a blockchain network with RSU nodes. The reason for constructing only RSU nodes is to reduce the number of simulation steps and to shorten the simulation time. In the simulation, the RSU node directly constructs the transactions of user registration and data upload. And we simulate real transactions by random functions. Figure 8 shows the storage occupancy of the IC and DC under 1-1,000,000 transactions. It can be seen from the Figure 8 that the overall storage occupancy grows linearly and is positively correlated with the number of transactions. This is because that the size of each transaction in FADB is fixed, which is different from traditional Ethereum. Each transaction in traditional Ethereum has a data field. This field allows for the embedding of external information, which makes the size of each transaction not fixed. However, in our FADB, the transaction is dedicated to user registration and data management. So the size of each transaction is fixed. The growth rate of storage occupancy in DC is smaller than IC. Because the size of the user attribute set is an unknown quantity, and the larger attribute set leads to an increase in the space occupied by the transaction. It causes the IC to take up more storage. Under 1,000,000 transactions, the IC occupies 1172.3MB of storage space. While the DC occupies 810.3MB of storage space. IC and DC together occupy 1982.6MB of storage space. Suppose that the entire blockchain network generates 100 transactions per second in real situation. Then the entire network produces 17129MB of block files a day, which is only a small value relative to the shared VANET data volume. For multiple machines, FADB's storage consumption is much lower than expected. Because the number of DO/DUs is much larger than the RSUs on multiple machines. DO/DUs do not participate in the storage of blocks. Blocks are only stored in RSUs. This significantly reduces storage consumption per machine. And the storage consumption does not increase significantly as the number of machines increases.

3) TRANSMISSION RATE
We test the transmission rate of sharing data files under different file sizes in FADB. We define the files below 10MB as small files. Figure 9 shows the test results for small files. It can be seen that the average transmission rate increases exponentially with the increase in file size. This is because the main factors affecting the overall transmission speed are not the physical bandwidth and the network delay. The main factors of time cost are encryption and decryption of files, the storage of metadata in blockchains, and the retrieval of files. The consumption of this part is fixed and much longer than the consumption of file transfer. So the growth of the front part of the curve is very flat. When the file exceeds a certain size, network delay and physical bandwidth are the main factors, as shown in Figure 10. In the case of large file sharing, the time consuming of the whole process is basically linear with the size of the file. The larger the transmission bandwidth, the faster the transmission speed. But the occasional fluctuations are related to network delay and file retrieval.

VII. CONCLUSION
In this article, we introduce the design and implementation of a new data sharing architecture called FADB. By combining blockchain technology, IPFS distributed storage, and CP-ABE encryption, the FADB provides a data sharing platform that integrates data security, privacy protection, and authorized access. FADB seamlessly accesses VANET to provide users with reliable data storage and sharing services.
The FADB contains a blockchain network consisting of RSUs. Two blockchains (IC and DC) are maintained in FADB. They are responsible for managing the user identity information and shared data. All data on the chains is read/written and maintained through smart contracts. All RSUs have all block backups, which makes user information and metadata recoverable and can effectively resist external attacks. In FADB, IPFS can effectively avoid single points of failure compared to traditional cloud storage solutions. It uses replication proof, erasure coding and incentives to provide better reliability and availability.
We have also implemented a new type of efficient encryption scheme HECP-ABE in FADB. It combines the traditional CP-ABE encryption scheme with the blockchain, which makes our solution can provide a distributed, fine-grained data sharing service. By using HECP-ABE encryption scheme, the DO can restrict access to the data for a specific user by establishing an access policy. Thus, it enables the fine-grained access control. In HECP-ABE, we have split the encryption and decryption steps, by transferring most of the calculation operations to the RSU . It effectively reduces the computational pressure of the lightweight device in VANET.
In future work, we will further optimize the retrieval function of VANET data on blockchain, implement the user attribute revocation function in HECP-ABE scheme. Furthermore, we will consider more data security protection features (e.g. level of anonymity, stateless access, etc.) and strengthen experiments to prove the effectiveness of security protection.
DAN LIAO is currently a Professor with the University of Electronic Science and Technology of China (UESTC). His research interests include next generation networks, and wired and wireless computer communication networks and protocols SONG CHEN received the bachelor's and master's degrees in computer science from the University of Electronic Science and Technology of China. He is currently a Senior Engineer and Expert with the No. 30 Research Institute of China Electronic Technology Corporation (CETC). He presided over many advanced projects in communication and network field, including pre-study and model development ones. His research interests include network switching and routing, software defined networks, and network security.
MING ZHANG is currently a Senior Engineer with the Chengdu Research Institute, University of Electronic Science and Technology of China (UESTC). His research interests include the Internet of Things, blockchain, embedded intelligent control, and high-performance motion control. He has coauthored ten technical publications including articles in refereed journals, conferences, and book chapters.
DU XU is currently a Professor with the University of Electronic Science and Technology of China (UESTC), Chengdu, China. He presided over many advanced research projects, including NSFC, National 863 Plans, and National Key Research and Development Program of China.