Non-Repudiation Storage and Access Control Scheme of Insurance Data Based on Blockchain in IPFS

The insurance business plays a significant role in people's lives, but in the process of claim settlement there are still various frauds, such as insurance companies' refusal to compensate or customers' malicious fraud to obtain compensation. Therefore, it is very important to ensure fair and just claims. In this paper, by combining blockchain technology and the ciphertext-policy attribute-based encryption system, we build a scheme for secure storage and update of insurance records under the InterPlanetary File System (IPFS) storage environment in the insurance system. In this scheme, we use the fog node to outsource encryption of insurance records to improve the efficiency of the staff. We also store encrypted insurance records on IPFS to ensure the security of the storage platform and avoid the single point of failure of a centralized mechanism. In addition, we use the immutability of the blockchain to achieve non-repudiation for both the insurance company and the client. The security proof shows that the proposed scheme can achieve selective security against selected keyword attacks. Our scheme is efficient and feasible under performance analysis and real data set experiments.


I. INTRODUCTION
With the improvement of people's quality of life, various kinds of insurance have emerged at the historic moment. However, in the process of participating in insurance, there are always various unfair events. On the one hand, the insurance company maliciously deceives the client or refuses to compensate, damaging the rights of the client; on the other hand, the client maliciously scams the insurance company for compensation. Therefore, how to achieve a fair and just insurance business between the insurance company and the client is particularly important. The immutability and traceability of blockchain technology can solve this problem well.
Blockchain is a decentralized, immutable and trusted distributed ledger, which provides a secure, stable, transparent, auditable and effective way to record transactions and data information interactions. Therefore, storing the information of insurance records on the blockchain can not only ensure the originality of the data, but also solve the security problem of the central authorization mechanism. In this way, a fair and just insurance business can be achieved between the insurance company and the client. However, to ensure the client's privacy, the insurance staff need to encrypt the insurance records before storage. The heavy computing operations will reduce the efficiency of the staff. To improve the staff's efficiency and reduce the client's computing burden, it is a good choice to outsource the encryption and decryption of insurance records to fog nodes.
The associate editor coordinating the review of this manuscript and approving it for publication was Gautam Srivastava.
In 2014, Cisco proposed the definition of fog computing [1]. The fog node is located on the layer between the cloud and the end user. Compared with the cloud, it is closer to the end user. Therefore, the fog node can provide a large amount of computing for resource-constrained devices and reduce the computing burden of resource-constrained devices, so it is very suitable as an outsourcing agent.
Therefore, we outsource the great majority of computing operations to fog nodes for processing. However, fog nodes are not fully trusted and are vulnerable to attack, which will seriously threaten the security of insurance records. An effective solution is to encrypt the insurance records before outsourcing encryption. Attribute-based encryption (ABE) [2] is a one-to-many encryption technology; it has an access control mechanism that allows access control of encrypted data using access policies and attributes. In particular, in ciphertext-policy attribute-based encryption (CP-ABE) the data owner defines the access strategy, and only users who meet the access policy can decrypt, so it can ensure data security and fine-grained access control. However, the existing ciphertext-policy attribute-based encryption schemes still cannot solve the problem of non-repudiation in the insurance system. Therefore, we propose a storage and access control scheme based on blockchain in the insurance system. In this scheme, we first store the insurance record on IPFS to ensure the security of the storage platform. Secondly, the hash of the insurance record is recorded on the blockchain, and it can take effect only after the client issues a confirmation transaction. This effectively prevents repudiation between the insurance company and the client. In addition, we also outsource a large amount of encryption and decryption computation to the fog node, improving the computational efficiency of the staff. Finally, we update the insurance records with each claim to prevent the insurance company and the client from infringing on each other's rights.
VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Our contribution: In our scheme, we use the tamper-resistance of blockchain technology to achieve non-repudiation between the insurance company and the client. Our scheme has the following advantages:
Secure content storage: We store insurance records on the InterPlanetary File System (IPFS). IPFS is a content-addressable distributed storage protocol; it not only ensures the security of the stored content, but also generates a unique hash value for each stored file to avoid duplicate storage of the file.
Client confirmation: The staff of the insurance company first records the hash of the insurance information on the blockchain, and then the client verifies whether the hash value is consistent with the hash of the insurance records. If they are consistent, a confirmation transaction is issued on the blockchain by the client, and at this time, the insurance policy is officially effective.
Outsourcing encryption: We outsource a large amount of computations in the encryption and decryption process to the fog node, which not only reduces the computation amount of the staff and the client but also improves work efficiency.
Update of ciphertext: After each claim, we update the content of the claim to our insurance record to ensure fair transactions between the insurance company and the client.
The rest of this paper is organized as follows: in Section II, we analyze the existing schemes; in Section III, we list the preliminaries used in the scheme; in Section IV, we give an overview of the system model of our scheme; the algorithms in our scheme are described in detail in Section V; the security of our scheme is proved in Section VI; the performance of our scheme is analyzed in Section VII; and finally, Section VIII summarizes our scheme.

II. RELATED WORK
In Table 1, we give a brief overview of the outsourced computing, searchability and ciphertext update of existing schemes. Zhang et al. [3] proposed an access control scheme that supports fog computing outsourcing and attribute updating. The heavy calculation operations of encryption and decryption are outsourced to the fog nodes; therefore, the calculation in the encryption and decryption process is independent of the number of attributes. However, this scheme cannot provide keyword search, so the saved data cannot be retrieved in real time. Huang et al. [4] proposed a fine-grained access control scheme with ciphertext update and computing outsourcing for fog computing in the Internet of Things. It first encrypts data based on attributes and then outsources it to cloud storage. Therefore, only the users who meet the access policy can decrypt the stored data. However, this scheme only focuses on the data encryption, decryption and update processes, and the data is not searchable, so it cannot be applied to various practical scenarios. Green et al. [5] proposed a new paradigm for ABE which largely eliminates the defect that the time required for decryption increases with the complexity of the access formula. However, in this scheme, the stored data cannot be searched and there is no ciphertext update function. Asim et al. [6] proposed a new scheme for attribute-based encryption based on ciphertext policy, which allows outsourcing of computationally intensive encryption and decryption operations. In this scheme, the agent cannot learn any information about the ciphertext from the partially encrypted text. The user can decrypt the stored ciphertext only if he has the secret key associated with a set of attributes that satisfy the associated policy. However, although this scheme reduces the decryption operation for users with limited resources, the stored data cannot be retrieved and updated at any time, so it is not suitable for practical scenarios. Zuo et al. [7] first proposed a CCA security model for ABE with outsourced decryption, and then proposed a specific CCA-secure ABE solution with outsourced decryption. However, in this scheme, data encrypted based on attributes cannot be efficiently retrieved, and the ciphertext cannot be updated. Zhang et al. [8] proposed a CP-ABE scheme with a fixed amount of calculation and ciphertext length. Because the access policy of this scheme is an AND gate with multiple attribute values, it is a good choice for data sharing in the cloud. However, effective retrieval cannot be performed in the shared data, and the shared content cannot be updated. Zhang et al. [9] proposed a technique to add a matching stage before the decryption stage. This ciphertext is used to test whether the attribute key matches the access policy in the ciphertext. This scheme generates a special key component during the decryption process, which can be quickly decrypted by pairing. Although the decryption speed of this scheme is very fast, the data in this scheme does not have search capabilities. Zheng et al. [10] proposed a verifiable attribute-based keyword search (VABKS) scheme. The scheme outsources cumbersome search operations to the cloud, and can verify that the cloud honestly performed the search operations. In addition, users whose attributes meet the access control policy specified by the data owner can search outsourced data. However, this scheme does not have the ciphertext update function, so it cannot be used in medical, logistics, insurance and other practical scenarios. Zhao et al. [11] proposed a novel data sharing protocol by combining attribute-based encryption (ABE) and attribute-based signature (ABS). In this protocol, the data owner outsources heavy encryption and decryption computations to the fog node, and outsourced data retrieval and ciphertext update are supported. However, the user cannot verify the source of the data.
Chen et al. [12] first introduced rational lazy and partially dishonest workers in the outsourcing computing model. In addition, the scheme proposes a new fair conditional payment scheme based only on traditional electronic cash systems for outsourcing calculations. The proposed construction uses semi-trusted third parties to achieve fairness and efficiency; however, they participate in the protocol only in exceptional cases (i.e., in case of dispute). In addition, since neither the secret sharing / split scheme nor the cut selection protocol is used to generate or verify payment tokens, this scheme has certain advantages in terms of efficiency. However, the protocol in this scheme does not have search capabilities. Zhang et al. [13] introduced a reliable keyword search scheme for encrypted data without any trusted or untrusted third parties. In this scheme, the digital signature-based encrypted data index allows users to search outsourced encrypted data and check whether the search results returned by the cloud meet predetermined search requirements. In particular, the scheme achieves server-side verifiability for the first time, which protects honest cloud servers from malicious data owners during the data storage phase. In addition, even if the user or cloud is malicious, the blockchain technology and hash function can be used to achieve the fairness of the payment of search fees without introducing any third party. However, this solution focuses on the search of outsourced data and fair payment, without considering the update of outsourced data. In most of the literature, after encryption and decryption operations are outsourced to fog nodes, the outsourced data does not have search capabilities, and in general, the outsourced data will not be updated. Li et al. [14] proposed a ciphertext-policy scheme, based on attribute encryption, that can realize fine-grained access control of encrypted IoT data on the cloud and can ensure user privacy. However, this solution does not involve outsourcing of encryption and decryption operations, so it places a huge computational and storage burden on the cloud, nor does it support keyword search. Li et al. [15] proposed a verifiable ABE scheme for outsourcing decryption, which not only provides authorized and unauthorized users with outsourcing decryption services, but also verifies the correctness of outsourcing decryption. However, in this scheme, keyword search and ciphertext update are not involved. Li et al. [16] proposed an attribute-based encryption scheme with outsourced key issuing and outsourced encryption and decryption, which supports keyword search. However, this solution does not have the ciphertext update function. Miao et al. [17] proposed an attribute-based keyword search scheme that hides the access strategy in the shared multi-owner setting and demonstrates improvements to it. However, this scheme does not outsource heavy encryption and decryption calculations to fog nodes, so it places a higher computational and storage burden on the cloud than our scheme.
Therefore, we propose a secure storage and ciphertext update scheme in the insurance system. In this scheme, we outsource the encryption and decryption operations to the fog node for processing, and the outsourced data can be searched and updated at any time. In addition, the scheme can achieve client-side verification, which makes our scheme more suitable for various practical scenarios.

III. PRELIMINARIES
A. BILINEAR MAP
Definition 1 (Bilinear Map) [18]: Let $G_1$ and $G_2$ be two multiplicative cyclic groups of prime order $p$, let $g$ be the generator of $G_1$, and let $e: G_1 \times G_1 \to G_2$ be the bilinear map, which has several properties: can be effectively calculated.

Definition 2 (Decision Bilinear Diffie-Hellman (DBDH) Assumption) [19]: Given the bilinear map parameters $(G_1, G_2, p, g, e)$ and elements $a, b, c, Z \in Z_p^*$, the DBDH assumption states that no probabilistic polynomial-time adversary A can distinguish the tuple $(g, g^a, g^b, g^c, e(g, g)^{abc})$ from the tuple $(g, g^a, g^b, g^c, e(g, g)^Z)$ with a non-negligible advantage, where the advantage of adversary A is defined as

monotone. An access structure (or monotone access structure) A is a non-empty subset of $\{P_1, P_2, \cdots, P_n\}$; the sets in A are authorized sets, and the sets not in A are called unauthorized sets.

Definition 4 (Access Tree): As in literature [21], let $T$ be an access tree. We first define some functions to simplify the use of $T$: $x$ is a node in $T$, $num_x$ is the number of children of node $x$, $I_x$ represents the threshold, where $I_x \in [1, num_x]$, $att(y)$ represents the attribute related to a leaf node $y$, $parent(x)$ represents the parent node of node $x$ in the tree, and $index(x)$ returns the label associated with node $x$; these index values are uniquely assigned to the nodes in the access tree in an arbitrary manner. Each non-leaf node of $T$ represents a threshold gate, which can be described by its number of child nodes $num_x$ and a threshold $I_x$; each leaf node represents an attribute, and the threshold value of each leaf node is $I_x = 1$. When $I_x = 1$, the gate is an OR gate, and when $I_x = num_x$, it is an AND gate.

IV. OVERVIEW OF OUR SYSTEM
A. SYSTEM MODEL
The model includes five entities, namely, blockchain, IPFS, fog nodes, insurance company system and clients.
When a client needs to purchase insurance, he first registers in the insurance company system and generates his own public-private key pair based on the system's private key. For the generated insurance record, the staff stores the insurance record for future claims. Because the insurance record involves the privacy of the client, it should be encrypted before saving.
In our system, the client and the insurance company staff first generate the insurance record through negotiation, as shown in step 1. The staff first signs the insurance record, then extracts the keywords and generates an index for the file, and finally saves it to the insurance company system. For efficiency, we outsource the insurance record to the fog node for encryption. However, the insurance record involves the privacy of the client, so the insurance record needs to be encrypted before outsourcing, and then the encrypted insurance record is outsourced to the fog node. The fog node returns the encrypted insurance record to the staff, as shown in steps 2 and 3. The staff then signs the insurance record returned by the fog node and uploads it to IPFS for storage, and IPFS returns a hash address for it, as shown in steps 4 and 5. Then, the staff broadcasts the hash value of the insurance record and the hash address returned by IPFS to the blockchain in a transaction, and obtains the block ID, as shown in steps 6 and 7. In order to facilitate client verification, the staff sends the ID to the client, as shown in step 8. After the client obtains the transaction ID, he checks whether the staff has correctly saved the insurance record according to the transaction ID. If the hash is correct, a confirmation transaction is issued by the client on the blockchain, as shown in step 9. At this point, the data storage phase is complete. When a claim is needed, the client first sends a claim request to the insurance company.
After the system smart device of the insurance company matches the index, the system smart device sends a token containing a hash address for it, as shown in steps 10 and 11. The client downloads the corresponding insurance record from IPFS according to the hash address, as shown in steps 12 and 13. The client sends the insurance record to the fog node for decryption, as shown in steps 14 and 15. Then, the client negotiates the details of the claim with the staff and updates the insurance record, as shown in step 16. After updating, the insurance policy is stored in encrypted form, and steps 2-7 are repeated.
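The storage and confirmation steps above (steps 4 to 9), sketched as an added example that is not part of the paper or its implementation. ContentStore and Ledger are hypothetical in-memory stand-ins for IPFS and the blockchain, the record and ciphertext bytes are constructed, and transaction signatures are assumed to be enforced by the chain and are reduced to a "sender" label.

```python
"""Record-and-confirm flow over a content-addressed store and an append-only ledger.

Added illustration, not the paper's implementation. ContentStore stands in for
IPFS and Ledger for the blockchain; transaction signatures are assumed to be
enforced by the chain and are reduced to a "sender" label here.
"""
import hashlib
import json

GENESIS = "0" * 64

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class ContentStore:
    """IPFS stand-in: the address of a blob is the SHA-256 of its bytes."""
    def __init__(self):
        self._blobs = {}

    def add(self, data: bytes) -> str:
        addr = sha256_hex(data)
        self._blobs[addr] = data          # identical content is stored once
        return addr

    def get(self, addr: str) -> bytes:
        data = self._blobs[addr]
        if sha256_hex(data) != addr:      # self-verifying retrieval
            raise ValueError("stored content does not match its address")
        return data

class Ledger:
    """Blockchain stand-in: each block commits to its transaction and predecessor."""
    def __init__(self):
        self.blocks = []

    @staticmethod
    def _digest(prev: str, tx: dict) -> str:
        body = json.dumps({"prev": prev, "tx": tx}, sort_keys=True)
        return sha256_hex(body.encode())

    def append(self, tx: dict) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        self.blocks.append({"prev": prev, "tx": tx, "hash": self._digest(prev, tx)})
        return len(self.blocks) - 1       # block ID handed to the other party

    def verify_chain(self) -> bool:
        prev = GENESIS
        for block in self.blocks:
            if block["prev"] != prev or block["hash"] != self._digest(prev, block["tx"]):
                return False
            prev = block["hash"]
        return True

def staff_store(store, ledger, record: bytes, ciphertext: bytes) -> int:
    """Steps 4-7: upload CT, then broadcast (H, h) and return the block ID."""
    H = store.add(ciphertext)             # hash address returned by the store
    h = sha256_hex(record)                # h = SHA256(M)
    return ledger.append({"type": "record", "sender": "staff", "H": H, "h": h})

def client_confirm(ledger, block_id: int, my_copy: bytes):
    """Step 9: confirm only if the on-chain hash matches the client's own copy."""
    tx = ledger.blocks[block_id]["tx"]
    if tx["type"] != "record" or tx["h"] != sha256_hex(my_copy):
        return None                       # mismatch: no confirmation is issued
    return ledger.append({"type": "confirm", "sender": "client", "ref": block_id})

def policy_effective(ledger, block_id: int) -> bool:
    """A record takes effect only with an intact chain and a client confirmation."""
    if not ledger.verify_chain():
        return False
    return any(b["tx"].get("type") == "confirm"
               and b["tx"].get("sender") == "client"
               and b["tx"].get("ref") == block_id
               for b in ledger.blocks)

def run_demo() -> dict:
    record = b"policy=P-0001;holder=client-1;cover=vehicle;limit=50000"  # constructed
    ciphertext = b"\x00constructed ciphertext bytes\x00"                 # placeholder CT
    store, ledger = ContentStore(), Ledger()
    bid = staff_store(store, ledger, record, ciphertext)
    out = {"before_confirm": policy_effective(ledger, bid)}
    altered = record.replace(b"50000", b"5000")
    out["confirm_on_altered"] = client_confirm(ledger, bid, altered)
    out["confirm_id"] = client_confirm(ledger, bid, record)
    out["after_confirm"] = policy_effective(ledger, bid)
    out["ct_roundtrip"] = store.get(ledger.blocks[bid]["tx"]["H"]) == ciphertext
    ledger.blocks[bid]["tx"]["h"] = sha256_hex(altered)   # later rewrite attempt
    out["after_tamper"] = policy_effective(ledger, bid)
    return out

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The record only takes effect once both parties have a transaction on the chain, and a later rewrite of the recorded hash breaks the chain check instead of silently replacing the agreed value.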

B. SECURITY MODEL
Now, we define the chosen-plaintext security of our scheme. The probabilistic polynomial-time (PPT) adversary specifies an access structure $T^*$ at the beginning of the security game.
• Init: The PPT adversary A specifies an access structure $T^*$ and sends it to the challenger C.
• Setup: The challenger C gets the public key pk by calling the Setup algorithm and sends it to the adversary A.
• Phase 1: The adversary A can submit any attribute set $S$ to the challenger C and query the private key for $S$. The only limitation is that none of the queried attribute sets satisfies $T^*$. For the attribute set $S$, the challenger C calls the KeyGen algorithm and sends the corresponding secret key sk to the adversary A.
• Challenge: The adversary A submits two messages of equal length, $m_0$ and $m_1$, to the challenger C. After receiving the messages, the challenger C first selects $\theta \in \{0, 1\}$ at random, then calls the DO-Encrypt and Fog-Encrypt algorithms to encrypt $m_0$, and generates the ciphertext $CT^*$. Finally, the challenger C sends the challenge ciphertext $CT^*$ to the adversary A.
• Phase 2: The adversary A can query more secret keys of other attribute sets. The only limitation is that the secret key cannot decrypt the challenge ciphertext $CT^*$.
• Guess: The adversary A outputs a guess $\theta^*$. In this security model, the adversary A's advantage is $\mathrm{Adv}(A) = |\Pr(\theta^* = \theta) - \frac{1}{2}|$.
During the search process, the adversary is allowed to submit the search token during the challenge phase, but he cannot learn anything about the keywords from the search token. We formalize the security model by the selective chosen-keyword game and the keyword secrecy game.
• Setup: The challenger C inputs the security parameter $k$ and calls the KeyGen algorithm to get the secret key sk. At this time, the adversary A only knows the public key pk, and mk is known only to the challenger C.
• Phase 1: The adversary A queries the Trap oracle for a series of keyword sets $(w_1, \cdots, w_\tau)$, as follows:
- Trap(sk, w): The challenger C generates the trapdoor $T_w$ by calling the Trap(sk, w) algorithm, and then sends it to the adversary A.
• Challenge: The adversary A first chooses two keyword sets $w_0, w_1$ and sends them to the challenger C; then the challenger C selects a bit $\theta \in \{0, 1\}$ at random. It is required that $w_0$ and $w_1$ have not been issued to the Trap oracle. Finally the challenger C sets $I_b = \mathrm{Enc}\{pk, w_b, W\}$ and sends it to the adversary A.
• Phase 2: The adversary A queries the Trap oracle for the keyword sets $\{w_{i+1}, \cdots, w_\tau\}$ as follows:
- Trap$\{sk, w_i \neq w_0, w_1\}$: The challenger C first calls the Trap$\{sk, w_i \neq w_0, w_1\}$ algorithm to generate the trapdoor $T_{w_i}$, and then sends it to the adversary A.
• Guess: The adversary A outputs a guess $\theta' \in \{0, 1\}$; it wins the game if $\theta' = \theta$. In this game, the advantage of the adversary A in breaking our scheme is defined as $\mathrm{Adv}(1^k) = |\Pr(\theta' = \theta) - \frac{1}{2}|$.
In order to ensure keyword security, our scheme must ensure that a malicious adversary will not get any content from encrypted keywords and search tokens. Specifically, if no probabilistic polynomial-time adversary A can obtain any content related to the keyword from the index and search token, keyword security is ensured. The keyword secrecy game is as follows:
• Setup: The challenger C inputs a security parameter $k$, and then calls the setup$(k, U)$ algorithm to get the public-master key pair (pk, mk).
• Phase 1: The adversary A queries the following oracles many times.
- KeyGen: The challenger C sends the corresponding secret key sk to the adversary A and then adds the queried keyword set to the list $I_{KeyGen}$.
- Trap: The challenger C inputs the secret key sk and the keyword set $w$, and then calls the Trapdoor algorithm to get $T_w$; finally, he sends it to the adversary A.
• Challenge: The adversary A first selects a challenge secret key sk and sends it to the challenger C; then the challenger C selects a keyword set $w$ in the keyword space and calls the Encrypt algorithm to get the index $I$, and finally sends it to the adversary A.
• Guess: After querying $\tau$ different keyword sets, the adversary A outputs a keyword set $w'$; if $w' = w$, the adversary A wins the keyword secrecy game.

V. OUR SCHEME CONCRETE
In Table 2, we describe the symbols used in our scheme.
• Setup: The system takes two multiplicative cyclic groups $G_1, G_2$ of order $p$; $g \in G_1$ is a generator of $G_1$ and $e: G_1 \times G_1 \to G_2$ is a bilinear map. Two collision-resistant hash functions are named $H_1: \{0, 1\}^* \to Z_p^*$ and $H_2: \{0, 1\}^* \to G_1$. The system randomly selects $a, b \in Z_p^*$ and $h \in G_1$, and for each attribute $j \in S$, the system selects $u_j \in Z_p^*$ at random. Finally, the system outputs the public key $mpk = \{G_1, G_2, p, g, H_1, H_2, e, h\}$ and the master private key $msk = \{a, b, \{u_j \mid 1 \le j \le m\}\}$.
• KeyGen: According to the system private key msk, the client and staff generate their public-private key pairs separately. The system first computes Y = e(g, g)
The staff randomly selects $\alpha, \beta, \gamma \in Z_p^*$, computes $A = g^\alpha$, $B = g^\beta$, $Z = g^\gamma$ and gets their public and private key pair
The client selects $t \in Z_p^*$ at random and computes $\lambda = g^{(\alpha\gamma - t)/\beta}$; for each attribute $j$, he randomly selects $t_j \in Z_p^*$ and computes $\delta_j = g^t H_2(j)^{t_j}$, $\xi_j = g^{t_j}$. He first selects a unique secret $r$, then also selects $\sigma \in Z_p^*$, and computes $D = g^{\beta + \alpha r}$, $D_1 = g^{\alpha r} h^\sigma$, $D_2 = g^\sigma$, D j = g
• Encrypt: The staff defines an access tree $T$ and sends it to the fog node, and then the staff and the fog node run the Encrypt algorithm to encrypt ck. The Encrypt algorithm includes two sub-algorithms, namely DO-Encrypt and fog-Encrypt.
fog-Encrypt: For each node $x$ in the access tree $T$, the fog node first selects a polynomial $q_x$; the polynomials are selected in a top-down manner, starting with the root node $R$. For each node $x$ in $T$, the degree $d_x$ of $q_x$ is one less than its threshold value $k_x$, that is, $k_x = d_x + 1$.
Starting from the root node $R$, the fog node randomly selects $s_1 \in Z_p^*$ and sets $q_R(0) = s_1$, and randomly selects other points to completely define the polynomial $q_R$. For each other node $x$, it sets $q_x(0) = q_{parent(x)}(index(x))$ and randomly chooses $d_x$ other points of $q_x$ to fully define it. In the tree $T$, let $X$ be the set of attributes related to leaf nodes. The fog node computes $C_1 = g^{s_1}$
Finally, the fog node sends the ciphertext $CT_1 = \{T, C_1, C_2, \{C_j \mid \forall j = att(x) \in X\}\}$ to the staff.
DO-Encrypt: The staff randomly selects $s_2 \in Z_p^*$ and computes $C = ck \cdot e(g, g)^{\beta s_2}$, $C_1 = g^{s_2}$, $C_1 = C_1 \cdot g^{s_2}$,
The staff first stores the ciphertext CT on IPFS and gets a hash address $H$ returned by IPFS. Second, the staff uses the SHA-256 algorithm to hash the file $M$ and gets $h = \mathrm{SHA256}(M)$; then he broadcasts $H, h$ to the blockchain, gets the block ID, and sends the block ID to the client. The client verifies the hash of $M$ according to the block ID. If the verification passes, the client issues a confirmation transaction. At this point, the data storage phase is complete.
• Index: The staff first picks the keyword set w = {w I 1 w I 2 , · · · , w I m } out from the records, and he randomly selects $r_1, r_2 \in Z_p^*$. When $I_j = 1$, it represents the keyword of length $j$ in $w$; otherwise, it means that the file does not include the keyword. Then he sets $\phi_i = A^{r_1 H_2(w_i)}$, where $i \in \{1, \cdots, m\}$, $E_0 = A^{r_2}$, $E_1 = B^{r_2}$, $E_2 = Z^{r_1}$, $\phi_y = g^{q_y(0)}$, $\theta_y = H_1(att(y))^{q_y(0)}$; finally, he gets the index I =
• Trapdoor: When applying for a claim, in order to search the keyword set $w = (w_1, w_2, \cdots, w_t)$, the client first selects $\tau \in Z_p^*$ at random and computes $T_1 = \prod_{i=1}^{t} g^{\tau \alpha h_1(w_i)}$, $T_2 = g^{\tau\gamma}$, $T_3 = \lambda^\tau$, and then he computes
Finally he gets the trapdoor $Trap = \{S, T_1, T_2, T_3, \{\delta_j, \xi_j\} \mid j \in S\}$ and sends the Trap to the staff of the insurance company.
• Search: The staff verifies that the user satisfies the access structure.
2) If $x$ is a non-leaf node, for all the child nodes $x'$ of $x$, let $\omega_x$ be a set of any size of the child nodes such that $D_{x'} \neq \perp$. If there is no such set, then let $D_x = \perp$, otherwise he sets
3) The staff verification 1): if it is true, then the relevant hash value is sent to the client; otherwise, it returns $\perp$.
• Decrypt: If the client's attributes satisfy the access policy W , the client can decrypt the file using the Decrypt algorithm. The Decrypt algorithm consists of two parts: fog-Decrypt and user-Decrypt.
The user sends part of the key sk to the fog node, where $sk = \{D_1, D_2, \{D_j \mid \forall j \in S\}\}$. The Decrypt algorithm is a recursive algorithm:
1) If $x$ is a leaf node, he sets $j = att(x)$; if $j \in S$, he computes $e(D_j, C_j) = e(g^{\alpha r / u_j}, g^{u_j q_x(0)}) = e(g, g)^{\alpha r q_x(0)}$, and if $j \notin S$, it returns $\perp$.
2) If $x$ is a non-leaf node, the recursive algorithm is defined as: for all the child nodes $x'$ of $x$, let $\omega_x$ be a set of any size of the child nodes, it returns F z = ⊥, otherwise, F z can be ∈ ω x }, then the Decrypt algorithm can be defined by calling the root node $R$ in $W$. If $S$ satisfies $W$, the fog node can get $F_R = e(g, g)^{\alpha r q_R(0)} = e(g, g)^{\alpha r s_1}$. The fog node can compute $K = \frac{e(D_1, C_1)}{e(D_2, C_2)} = \frac{e(g^{\alpha r} h^\sigma, g^{s_1} g^{s_2})}{e(g^\sigma, h^{s_1} h^{s_2})} = e(g, g)^{\alpha r (s_1 + s_2)}$ and $H = \frac{K}{F_R} = e(g, g)^{\alpha r s_2}$. Finally the fog node sends $G = \{E_{ck}(M, sig_M), C, C, H\}$ to the client. Upon receiving $G$ from the fog node, the client can run the following sub-algorithms to obtain the symmetric key ck.
• Update: The client sends an update request to the staff, and the staff first generates a global key $GK = \{K_x = g^{q_x(0)}\}$, where $x \in X$ and $X$ is the set of leaf nodes in the tree $T$. For each attribute $j \in X$, the client randomly selects $t_j \in Z_p^*$ and computes: . Then the client randomly selects $\lambda \in Z_p^*$ and outputs the signature $ST = \{P, S_1, S_2, S_3\}$, where $S_1 = H_2(P)^\lambda \cdot D$, $S_2 = g^\lambda$, S 3 = S j S j |j ∈ X . Finally the client sends ST to the staff; the staff signs the file, selects $\mu \in Z_p^*$ at random, and computes $S_1 = S_1 \cdot H_2(P)^\mu \cdot D$, $S_2 = S_2 \cdot g^\mu$; finally, the staff outputs the signature $ST = (P, S_1, S_2)$ and sends it to the fog node to verify.
1) If $x$ is a leaf node, then the fog node sets $j = att(x)$, and if j ∈ S X , then:
2) If $x$ is a non-leaf node, for all child nodes $x'$ of the node $x$, the fog node lets $\omega_x$ be a set of any size of the child nodes $x'$ such that $S_{x'} \neq \perp$; if there is no such set, it returns $\perp$, otherwise, lets
If the attribute set $S$ satisfies the update policy $W$, we set the overall evaluation result of the update tree to I = e(g, g) γβ r q x (0) = e(g, g) γβ . Finally, the staff will check whether the equation holds: e(g,S 1 ) e(H 2 (P),S 2 )·I = e(g,H 2 (P) λ+µ ·g (α+λ)β ) e(H 2 (P),g λλ+µ )·e(g,g) γβ = e(g, g) αβ
If this equation holds, it means that the staff accepts the signature, allowing the user to update the ciphertext.
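The access tree of Definition 4, the top-down share assignment of fog-Encrypt and the recursive recombination used by Decrypt, as an added example that is not the paper's code. The scheme keeps each leaf share in an exponent and recombines through pairings; this sketch does the same polynomial arithmetic directly in $Z_p$, and the modulus P, the attribute names and the sample policy are constructed assumptions.

```python
"""Access-tree secret sharing and recombination over Z_p.

Added illustration, not the paper's code. The scheme keeps each leaf share in an
exponent and recombines through pairings; here the same polynomial arithmetic is
done directly in Z_p. P is a constructed stand-in for the group order p.
"""
import secrets

P = 2**127 - 1  # a Mersenne prime, used as the field modulus

class Node:
    def __init__(self, threshold=1, children=(), attr=None):
        self.threshold = threshold        # k_x (1 = OR gate, num_x = AND gate)
        self.children = list(children)    # index(child) is its 1-based position
        self.attr = attr                  # att(x), set only on leaf nodes

def leaf(attr):
    return Node(attr=attr)

def gate(k, *children):
    if not 1 <= k <= len(children):
        raise ValueError("threshold must lie in [1, num_x]")
    return Node(threshold=k, children=children)

def poly_eval(coeffs, x):
    """Evaluate q(x) = coeffs[0] + coeffs[1]*x + ... (Horner, mod P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def share(node, secret, path=(), out=None):
    """Top-down sharing: q_x(0) = secret, deg q_x = k_x - 1, and each child
    receives q_x(index(child)). Returns {leaf path: share}."""
    out = {} if out is None else out
    if node.attr is not None:
        out[path] = secret
        return out
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(node.threshold - 1)]
    for i, child in enumerate(node.children, start=1):
        share(child, poly_eval(coeffs, i), path + (i,), out)
    return out

def lagrange_at_zero(i, indices):
    """Lagrange coefficient of index i over `indices`, evaluated at x = 0."""
    num, den = 1, 1
    for j in indices:
        if j != i:
            num = num * (-j) % P
            den = den * (i - j) % P
    return num * pow(den, -1, P) % P

def recover(node, shares, attrs, path=()):
    """Bottom-up recombination: returns q_x(0), or None (the paper's ⊥)."""
    if node.attr is not None:
        return shares[path] if node.attr in attrs else None
    got = {}
    for i, child in enumerate(node.children, start=1):
        value = recover(child, shares, attrs, path + (i,))
        if value is not None:
            got[i] = value
        if len(got) == node.threshold:    # k_x satisfied children suffice
            break
    if len(got) < node.threshold:
        return None
    return sum(v * lagrange_at_zero(i, got) for i, v in got.items()) % P

# Constructed policy: policyholder OR (2 of {claims_dept, adjuster, auditor})
POLICY = gate(1, leaf("policyholder"),
              gate(2, leaf("claims_dept"), leaf("adjuster"), leaf("auditor")))

def demo(secret=123456789):
    shares = share(POLICY, secret)
    return {
        "holder": recover(POLICY, shares, {"policyholder"}),
        "two_staff": recover(POLICY, shares, {"adjuster", "auditor"}),
        "one_staff": recover(POLICY, shares, {"auditor"}),
        "nobody": recover(POLICY, shares, set()),
    }

if __name__ == "__main__":
    print(demo())
```

An attribute set that satisfies the tree recovers the root secret $q_R(0)$, and any other set ends in ⊥ at the first gate whose threshold is not met.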

VI. SECURITY PROOF
A. SECURITY OF THE ENCRYPT PROCESS
Theorem 1: If there is a PPT adversary A who can win the security game of the proposed solution with a non-negligible advantage $\varepsilon$ ($\varepsilon > 0$), then there is a PPT simulator B that can distinguish DBDH tuples from random tuples with advantage $\frac{\varepsilon}{2}$.

Proof: Let $G_1, G_2$ be bilinear groups of order $p$, let $g$ be the generator of $G_1$, and let $e: G_1 \times G_1 \to G_2$ be an efficiently computable bilinear map. Firstly, the challenger randomly selects $\alpha, \beta, \gamma \in Z_p^*$ and $b \in \{0, 1\}$, as well as a random element $T \in G_2$. We let $T = e(g, g)^{\alpha\beta\gamma}$, and if $b = 0$, then $T$ is a random element; otherwise, the challenger sends $\{g, A, B, S, T\} = \{g, g^\alpha, g^\beta, g^\gamma, T\}$ to the simulator B. Now, the simulator B plays the role of the challenger in the following game.
Init: The adversary A specifies a challenge access policy W * and sends it to the simulator B.
Setup: In order to provide the adversary with a public key mpk, the simulator B selects $b' \in Z_p^*$ at random and computes $b = b' + \alpha\beta$; then he sets $\mu = e(g, g)^b = e(g, g)^{b'} \cdot e(g, g)^{\alpha\beta}$, $\upsilon = g^a = g^\alpha = A$, $h = g^x$. For each attribute $j \in S$, the simulator B randomly chooses $t_j$; if $j \in W^*$, he computes $pk_j = g^{\alpha t_j^{-1}}$, otherwise, he computes $mpk_j = g^{t_j} = g^{v_j}$ where $t_j = v_j$ where . Finally, the simulator B sends the public key $\{G_1, G_2, p, g, H_1, H_2, e, h\}$ to the adversary A.
Phase 1: At this stage, the simulator B responds to the adversary A's attribute key queries, and the adversary A can selectively submit any attribute set $L \in S$ to the simulator B. First, the simulator B randomly selects $\eta' \in Z_p^*$ and computes $\eta = \eta' - \beta$, then he sets
Finally, the simulator B sends the key to the adversary A. If the attribute $j$ needs to be updated into the attribute list, and the new attribute set does not satisfy $W^*$, then the simulator B lets the update key be
Challenge: The adversary A submits two messages $M_0, M_1$. After receiving the messages, the simulator B first sends $W^*$ to the fog node; then the fog node randomly selects $u_1 \in Z_p^*$ and, for all related attributes $j$, applies the linear secret sharing scheme to construct the shares $\omega_i$ of $u_1$. Then, for each attribute $j$, the fog node generates the challenge ciphertext by computing $g^{u_1}$, $h^{u_1}$ and $C_i = g^{v_i \omega_i}$, and sends the challenge ciphertext $CT^* = \{g^{u_1}, h^{u_1}, \{C_i \mid \forall j \in W^*\}\}$ to the simulator B. Then the simulator B randomly selects $u \in Z_p$ and generates the partial ciphertext $CT_2^*$ as: = S x gxu 1 , finally the simulator B returns the challenge ciphertext $CT = \{W^*, C, C_1, C_2, C_j \mid \forall j \in W^*\}$ to the adversary A.
Phase 2: Same as Phase 1.
Guess: The adversary A outputs a guess $\theta'$. If $\theta' = \theta$, the simulator B outputs 0, which means that $T = R$; otherwise, the simulator B outputs 1 and guesses that $T = e(g, g)^{\alpha\beta\gamma}$. If $T = e(g, g)^{\alpha\beta\gamma}$, then $CT^*$ is a valid ciphertext. In this case, the advantage of the adversary A is 2 , then: Pr[B(g, g α , g β , g γ , T = e(g, g) αβγ ) = 0] = 1 2 + . If $T = R$, from the perspective of the adversary A, $CT^*$ is completely random, so $\Pr[B(g, g^\alpha, g^\beta, g^\gamma, T = R)] = \frac{1}{2}$.

B. SECURITY OF THE SEARCH PROCESS
Theorem 2: In the general bilinear group model, our scheme is selectively secure against selective keyword attacks, where the hash function $H_1$ is modeled as a random oracle and $H_2$ is a one-way function.

Proof: We prove that our scheme is secure against selective chosen keyword attacks (SCKA) in the random oracle model. In the SCKA game, the adversary A tries to distinguish $A^{rH_2(w(0))}$ from $A^{rH_2(w(1))}$. For an arbitrary element $s \in Z_p^*$, the probability of distinguishing $A^{rH_2(w(0))}$ and $g^{s}$ is the same as the probability of distinguishing $A^{rH_2(w(0))}$ and $A^{rH_2(w(1))}$, where $A = g^{\alpha}$. The SCKA game is as follows:

Setup: The challenger first selects $a, b, c \in Z_p^*$ at random and generates the public parameters $(e, g, q, g^{a}, g^{b}, g^{c})$ for the adversary A. Then the adversary A selects an access policy $W$ and sends it to the challenger. $H(j)$ can be simulated as follows: if the attribute $j$ has been asked before, the challenger randomly selects $t_j$, adds $(j, t_j)$ to $O_{H_1}$, and returns $g^{t_j}$; otherwise, the challenger retrieves $t_j$ from and returns $g^{t_j}$.
Phase 1: The adversary A queries $O_{keyGen}$ and $O_{Trap}$ as follows:
− $O_{keyGen}(S, msk, W)$: The challenger first selects $t \in Z_p^*$ and computes $\lambda = g^{(ac-t)/b}$. Then, for each attribute $j$, the challenger randomly selects $t_j \in Z_p^*$ and computes $\delta_j = g^{t} H_1(j)^{t_j}$, $\xi_j = g^{t_j}$. Finally, the challenger returns the tuple $\{S, \lambda, \{\delta_j, \xi_j \mid j \in S\}\}$.
− $O_{Trap}$: The challenger issues an oracle query $O_{keyGen}(sk_S, S)$ to get the attribute key $sk_S = \{S, \lambda, \{\delta_j, \xi_j \mid j \in S\}\}$. Then the challenger selects a random element $r \in Z_p^*$ and computes $T_1 = \prod_{i=1}^{t} g^{raH_2(w_i)}$, $T_2 = g^{rc}$, $T_3 = \lambda^{r}$. If the attribute set $S$ satisfies the access policy, the challenger adds $w^*$ to the keyword set list $L_w$.

Challenge: Given two keyword sets $w_0$ and $w_1$, neither of which is in the keyword set list $L_w$, the challenger randomly selects $s_1, s_2 \in Z_p^*$ and computes the secret of $s_2$ in the tree $T$. Then, the challenger outputs a random number $\theta \in \{0, 1\}$. If $\theta = 0$, he outputs $\phi_i = g^{r_1 H_2(w)}$ where $i \in \{1, \cdots, m\}$, $E_0 = A^{s_2}$, $E_1 = B^{r_2}$, $E_2 = Z^{r_2}$, $\phi_y = g^{q_x(0)}$, $\theta_y = H_1(att(y))^{a_y(0)}$; otherwise, the challenger

Phase 2: Same as Phase 1.

Theorem 3: Our scheme can ensure the privacy of keywords in a random oracle model, and $H_2$ is a one-way hash function.
Proof: We first construct a challenger to execute the following keyword privacy game.
Setup: The challenger first selects $a, b, c \in Z_p^*$, $h \in G_1$ and then selects a hash function $H_2 : \{0, 1\}^* \to Z_p^*$. Finally, the challenger gets the public key $PK = (e, g, g^{a}, g^{b}, g^{c}, h)$ and private key $SK = \{a, b, c\}$. The challenger simulates the random oracle $O_{H_1}(j)$ as follows: if the attribute $j$ has not been queried before, the challenger selects $t_j \in Z_p^*$ at random, adds $(j, t_j)$ to $O_{H_1}$, and computes $g^{t_j}$; otherwise, the challenger retrieves $t_j$ from $O_{H_1}$ and outputs $g^{t_j}$.
Phase 1: The adversary A publishes two random prediction models, as follows:

Challenge: The adversary A first selects an attribute set $S$ and the challenger specifies an access policy $W$, then he applies the KeyGen algorithm to compute $SK$. Given the attribute set $S$ and private key $SK$, the adversary A selects a keyword set $w$ and computes $C_1$ and $W$, where $S$ must satisfy the requirements specified in the keyword security game.

Guess: The adversary A first outputs a keyword $w$ and sends it to the challenger. The challenger applies the Encrypt algorithm to compute $C_2$; if $(W, I) = 1$, then the adversary A wins the game.
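Both proofs above rely on the challenger answering $H_1$ queries from a table of $(j, t_j)$ pairs and building $O_{keyGen}$ replies from its secrets $a, b, c$. The following added example (not code from the paper) implements that bookkeeping over a constructed toy group and checks a reply using only exponent arithmetic, since no pairing is available here. The class and method names, the group parameters and the attribute strings are assumptions.

```python
import secrets

# Constructed toy group: order-Q subgroup of Z_P^*, P = 2Q + 1. Far too small for real use.
P, Q, G = 2039, 1019, 4

def rand_exp():
    """Uniform nonzero exponent in Z_Q^*."""
    return secrets.randbelow(Q - 1) + 1

class Challenger:
    def __init__(self):
        self.a, self.b, self.c = rand_exp(), rand_exp(), rand_exp()
        self.public = tuple(pow(G, x, P) for x in (self.a, self.b, self.c))
        self.h1_table = {}  # the list O_H1 of (j, t_j) pairs

    def h1(self, attr):
        """Random oracle H1: sample t_j on the first query, replay it afterwards."""
        if attr not in self.h1_table:
            self.h1_table[attr] = rand_exp()
        return pow(G, self.h1_table[attr], P)

    def keygen(self, attrs):
        """O_keyGen reply; t is returned only so the check below can run."""
        t = rand_exp()
        lam = pow(G, (self.a * self.c - t) * pow(self.b, -1, Q) % Q, P)
        parts = {}
        for j in attrs:
            r_j = rand_exp()  # fresh key randomness (the proof reuses the name t_j)
            delta = pow(G, t, P) * pow(self.h1(j), r_j, P) % P
            parts[j] = (delta, pow(G, r_j, P))  # (delta_j, xi_j)
        return lam, parts, t

    def well_formed(self, lam, parts, t):
        """Challenger-side check: lam^b * g^t = g^{ac} and delta_j = g^t * xi_j^{t_j}."""
        g_t = pow(G, t, P)
        if pow(lam, self.b, P) * g_t % P != pow(G, self.a * self.c % Q, P):
            return False
        return all(delta == g_t * pow(xi, self.h1_table[j], P) % P
                   for j, (delta, xi) in parts.items())

if __name__ == "__main__":
    ch = Challenger()
    key = ch.keygen(["dept:claims", "role:adjuster"])  # constructed attribute names
    print("oracle entries:", len(ch.h1_table), "key well formed:", ch.well_formed(*key))
```
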

VII. PERFORMANCE ANALYSIS
We analyze the performance of our scheme from three aspects, namely storage cost, computation cost and experimental simulation, separately.
We first analyze the storage cost of our scheme by comparing it with the VABKS scheme [11], VKSE scheme [22], and EVPKE scheme [23]. Before comparing, we first define some symbols: $|G|$ represents the bit length of an element in $G$; $|G_i|$ represents the bit length of an element in $G_i$; $|Z_p|$ represents the bit length of an element in $Z_p$; $S$ is the user's attribute set. In Table 3, we give the storage costs of the four schemes.
As shown in Table 3, the storage cost of our scheme is higher than that of the VABKS scheme, VKSE scheme, and EVPKE scheme only in the KeyGen algorithm. In the other algorithms, the storage cost of our scheme is lower than that of the other three schemes. This is because we outsource the insurance records to fog nodes for partial encryption and decryption operations, and this storage cost is still within acceptable limits.
Next, we analyze the computational cost of our scheme by comparing it with the VABKS scheme, VKSE scheme, and EVPKE scheme. We first need to define some time-consuming operations, as follows: $O_p$ is the bilinear pairing operation and $O_E$ is the exponential operation. In Table 4, we give the computation cost of the four schemes.
As shown in Table 4, the computational cost of our scheme is higher than that of the VABKS scheme, VKSE scheme, and EVPKE scheme only in the KeyGen algorithm. In the other algorithms, the computational cost of our scheme is lower than that of the other three schemes. This is because the KeyGen algorithm not only generates the client's key but also generates a public-private key pair for the fog node, which reduces the computational cost of the client and staff when encrypting and decrypting files, and improves staff efficiency.
Finally, we analyze the actual performance of our scheme through experimental simulations. We used a real data set to perform an experimental simulation on an Ubuntu server 15.4 with a Core i5 processor, which was performed in a pairing-based cryptography (PBC) laboratory. In this experiment, $|Z_p| = 160$ bits and $|G| = 1024$ bits. Since all four schemes are affected by attributes, we set $S$ as the impact factor and let $S \in [0, 50]$.
Since we outsource a large amount of encryption and decryption computations to the fog node, the storage cost and computation cost of our scheme in the KeyGen algorithm are higher than those of the VABKS scheme, VKSE scheme, and EVPKE scheme, but they are still within the acceptable range, as shown in Figure 2 (a) and (d). In the trapdoor algorithm, our scheme has the same performance as the VABKS and VAKE schemes, as shown in Figure 2 (b) and (e). However, our scheme has obvious advantages in the search algorithm, as shown in Figure 2 (c) and (f).

VIII. CONCLUSION
In the insurance system, it is a very important issue to ensure the fairness and justice of the insurance business. Therefore, we build a secure storage and update scheme for insurance records under the IPFS storage environment in the insurance system by combining the blockchain technology and the ciphertext-policy attribute-based encryption system. The scheme realizes non-repudiation for both insurance companies and customers, and uses distributed IPFS as a storage platform to ensure the secure storage of insurance records. In addition, the stored insurance records are easy to retrieve. However, our scheme is still not perfect. The storage of expired user attributes and their keys requires a certain amount of storage space. Therefore, in future work, we will consider leveraging smart contracts to deploy our scheme on the blockchain for implementation.

JIN SUN received the B.S. degree from Shaanxi Normal University, in 2000, the M.S. degree from the Xi'an University of Technology, in 2005, and the Ph.D. degree from Xidian University, in 2012. She is currently an Associate Professor with the Xi'an University of Technology. Her main research interests include cryptography, information security, network security, and blockchain.
XIAOMIN YAO received the B.Sc. degree from Tianshui Normal University, in 2018. She is currently pursuing the master's degree with the Xi'an University of Technology. She mainly studies cryptography, data security, and blockchain.
SHANGPING WANG received the B.S. degree from the Xi'an University of Technology, in 1982, the M.S. degree from Xi'an Jiaotong University, in 1989, and the Ph.D. degree from Xidian University, in 2003. He is currently a Professor with the Xi'an University of Technology. His main research areas include cryptography, information security, blockchain, and the Internet of Things.
YING WU received the B.Sc. degree from Qufu Normal University, in 2019. She is currently pursuing the master's degree with the Xi'an University of Technology. She mainly studies cryptography, data security, and blockchain. VOLUME 8, 2020