FACOS: Enabling Privacy Protection Through Fine-Grained Access Control with On-chain and Off-chain System
Chao Liu, Cankun Hou, Tianyu Jiang, Jianting Ning, Hui Qiao, Yusen Wu
TL;DR
FACOS tackles privacy-preserving, fine-grained access control for data across on-chain and off-chain storage in a permissioned blockchain. It combines three access-control schemes (ABE, BE, TE) with asynchronous BFT off-chain storage and a TEE-based verifier to secure data and policies while avoiding efficiency pitfalls of smart contracts. The work provides formal privacy and security analyses, details a comprehensive system design, and demonstrates improved scalability and practicality over prior approaches through extensive experiments on a multi-VM deployment with Hyperledger Fabric. The results show FACOS effectively protects message, hash, and policy privacy, supports robust data availability, and offers flexible, client-centric access control suitable for regulated domains like finance, government, and healthcare. The open-source FACOS framework demonstrates practical applicability for secure sharing and governance of sensitive data in real-world, data-driven ecosystems.
Abstract
In the data-driven landscape of finance, government, and healthcare, the continuous generation of information demands robust solutions for secure storage, efficient dissemination, and fine-grained access control. Blockchain technology has emerged as a significant tool, offering decentralized storage while upholding the tenets of data security and accessibility. However, on-chain and off-chain strategies are still confronted with issues such as untrusted off-chain data storage, absence of data ownership, limited access control policies for clients, and a deficiency in data privacy and auditability. To address these challenges, we propose FACOS, a permissioned blockchain-based, privacy-preserving, fine-grained access control system spanning on-chain and off-chain storage. We apply three fine-grained access control solutions and analyze them comprehensively from different aspects, which gives system designers and clients an intuitive basis for choosing the access control method appropriate to their systems. Compared with similar work that only stores encrypted data in centralized or non-fault-tolerant IPFS systems, we strengthen the security and robustness of off-chain data storage by running a highly efficient and secure asynchronous Byzantine fault tolerance (BFT) protocol in the off-chain environment. As every client must be verified and authorized before accessing data, we incorporate a Trusted Execution Environment (TEE)-based component to verify client credentials. Our evaluation results further demonstrate that our system offers better scalability and practicality than other state-of-the-art designs.
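The following Python is an added illustration of the on-chain/off-chain split the abstract describes; it is not FACOS code and not from the paper's authors. Every component is an assumed, in-process stand-in: a dictionary plays the permissioned ledger, a list of dictionaries with quorum voting plays the BFT off-chain replica set, a plain attribute-subset check replaces the paper's ABE/BE/TE policies, a class that holds object keys plays the TEE-based verifier, and an HMAC-SHA256 keystream stands in for a real AEAD such as AES-GCM. It also carries the check a practitioner wants around "hash privacy": anchoring a hash of the plaintext on-chain lets any ledger observer dictionary-attack a low-entropy record, whereas anchoring a hash of the ciphertext does not.

```python
"""Toy on-chain/off-chain model with policy-gated key release (added example, not FACOS)."""
import hashlib
import hmac
import secrets
from collections import Counter
from dataclasses import dataclass


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """PRF stream cipher (assumed stand-in for AES-GCM): block i = HMAC(key, nonce||i)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass(frozen=True)
class OnChainRecord:
    object_id: str
    commitment: str       # sha256 of the *ciphertext* blob, never of the plaintext
    policy: frozenset     # attributes a client must hold (assumed stand-in for ABE/BE/TE)
    owner: str


class Ledger:
    """Assumed stand-in for the permissioned chain: append-only, world-readable."""
    def __init__(self):
        self.records = {}

    def put(self, rec: OnChainRecord):
        if rec.object_id in self.records:
            raise ValueError("ledger records are immutable")
        self.records[rec.object_id] = rec


class OffChainStore:
    """n replicas, up to f Byzantine; a read is accepted when f+1 replicas agree."""
    def __init__(self, n: int = 4, f: int = 1):
        assert n >= 3 * f + 1, "need n >= 3f+1 for a BFT replica set"
        self.f = f
        self.replicas = [dict() for _ in range(n)]

    def write(self, object_id: str, blob: bytes):
        for r in self.replicas:
            r[object_id] = blob

    def corrupt(self, idx: int, object_id: str, blob: bytes):
        self.replicas[idx][object_id] = blob          # simulate a Byzantine replica

    def read(self, object_id: str) -> bytes:
        votes = Counter(r.get(object_id) for r in self.replicas)
        blob, count = votes.most_common(1)[0]
        if blob is None or count < self.f + 1:
            raise RuntimeError("no quorum for object")
        return blob


class Verifier:
    """Assumed stand-in for the TEE: keeps object keys, releases plaintext only after
    the on-chain policy and the on-chain commitment both check out."""
    def __init__(self, ledger: Ledger, store: OffChainStore):
        self.ledger, self.store, self._keys = ledger, store, {}

    def register_key(self, object_id: str, key: bytes):
        self._keys[object_id] = key

    def authorize(self, object_id: str, client_attrs: set):
        rec = self.ledger.records[object_id]
        if not rec.policy <= client_attrs:
            return None                                   # policy not satisfied
        blob = self.store.read(object_id)
        if hashlib.sha256(blob).hexdigest() != rec.commitment:
            raise RuntimeError("off-chain blob does not match on-chain commitment")
        nonce, ct = blob[:16], blob[16:]
        return keystream_xor(self._keys[object_id], nonce, ct)


def publish(ledger, store, verifier, owner, object_id, plaintext, policy) -> bytes:
    """Owner encrypts, replicates the ciphertext off-chain, anchors commitment + policy on-chain."""
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    blob = nonce + keystream_xor(key, nonce, plaintext)
    store.write(object_id, blob)
    ledger.put(OnChainRecord(object_id, hashlib.sha256(blob).hexdigest(), frozenset(policy), owner))
    verifier.register_key(object_id, key)   # assumed: key is provisioned to the TEE, not the ledger
    return blob


def dictionary_attack(target_hex: str, candidates):
    """What a ledger observer can do to a bare hash of a low-entropy record."""
    return next((c for c in candidates if hashlib.sha256(c).hexdigest() == target_hex), None)


def demo() -> dict:
    ledger, store = Ledger(), OffChainStore(n=4, f=1)
    verifier = Verifier(ledger, store)
    pt = b"patient 4711: diagnosis diabetes"                 # constructed sample record
    publish(ledger, store, verifier, "hospital-A", "rec-1", pt, {"role:physician", "org:hospital-A"})
    physician = {"role:physician", "org:hospital-A", "dept:cardiology"}
    nurse = {"role:nurse", "org:hospital-A"}
    ok = verifier.authorize("rec-1", physician)
    denied = verifier.authorize("rec-1", nurse)
    store.corrupt(0, "rec-1", b"garbage")                   # one Byzantine replica, still f+1 honest
    after_fault = verifier.authorize("rec-1", physician)
    guesses = [b"patient 4711: diagnosis flu", pt]             # constructed dictionary
    return {
        "plaintext": pt,
        "physician_gets": ok,
        "nurse_gets": denied,
        "after_fault": after_fault,
        "plain_hash_leaks": dictionary_attack(hashlib.sha256(pt).hexdigest(), guesses),
        "ct_hash_leaks": dictionary_attack(ledger.records["rec-1"].commitment, guesses),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The verifier checks the policy before touching storage, then verifies the blob against the on-chain commitment before decrypting, so a corrupted replica can at worst cause a denial rather than a wrong plaintext; the quorum read covers availability, the commitment covers integrity. The last two fields of `demo()` are the hash-privacy check: a plaintext hash on-chain is reversible for guessable records, a ciphertext hash is not, because the nonce and key make the ciphertext unpredictable to the observer.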
