A blockchain-based multi-authority hierarchical attribute encrypted data sharing scheme in the Internet of Medical Things
PLOS ONE
CC BY
Abstract
With the rapid development of the Internet of Medical Things (IoMT), the secure and efficient sharing of massive amounts of sensitive medical data has become a core challenge. Addressing the limitations of existing Ciphertext-Policy Attribute-Based Encryption (CP-ABE) schemes, such as the lack of data source authentication, computational redundancy, and single-point-of-failure risks when handling hierarchical data, this paper proposes a blockchain-based multi-authority hierarchical attribute-based encryption scheme. First, the scheme integrates a Distributed Key Generation (DKG) protocol and combines threshold BLS signature technology to establish a collaborative authentication mechanism, thereby enhancing the verification of data source authenticity. Additionally, a dynamic update mechanism ensures the long-term security of collaborative key management. Second, the scheme optimizes the encryption logic for structured data by constructing a hierarchical access tree, and introduces a multi-authority collaboration mechanism and proxy re-encryption (PRE) technology to mitigate single-point-of-failure risks and enable efficient user permission revocation. Security analysis demonstrates that the scheme is resistant to chosen-plaintext attacks (IND-CPA) and collusion attacks by authorities under standard models. Meanwhile, the DKG protocol has been proven to satisfy validity, robustness, confidentiality, and resistance to Sybil attacks. Performance evaluation indicates that the CP-ABE algorithm in this scheme outperforms existing solutions in terms of computational and storage overhead. In large-scale testing on a 100-node Hyperledger Fabric environment, the system achieved a consensus latency of approximately 280 ms and a key update propagation delay of 1.52 s, validating the feasibility of deploying this solution in real-world IoMT environments with limited resources and certain real-time requirements.
Citation: Yuan H, Dong G, Zhao L (2026) A blockchain-based multi-authority hierarchical attribute encrypted data sharing scheme in the Internet of Medical Things. PLoS One 21(5): e0349767. https://doi.org/10.1371/journal.pone.0349767
Editor: Asadullah Shaikh, Najran University College of Computer Science and Information Systems, SAUDI ARABIA
Received: July 19, 2025; Accepted: May 5, 2026; Published: May 27, 2026
Copyright: © 2026 Yuan et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Data Availability: All relevant data are within the manuscript and its Supporting information files.
Funding: The author(s) received no specific funding for this work.
Competing interests: The authors have declared that no competing interests exist.
1. Introduction
With the exponential growth of the IoMT, massive numbers of wearable sensors and remote monitoring devices are driving the transformation of healthcare services toward real-time, intelligent capabilities. While this trend enhances personalized medical care, it also poses significant challenges for the secure sharing and granular governance of medical data [1]. Given the highly sensitive nature of medical data and the need to comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR), Attribute-Based Encryption (ABE) is regarded as a key cryptographic solution for achieving fine-grained data authorization [2]. This technology primarily comprises two branches: Key-Policy Attribute-Based Encryption (KP-ABE) [3] and CP-ABE [4]. In comparison, CP-ABE allows data owners to autonomously define access policies and embed them within the ciphertext, aligning more closely with patients’ stringent privacy controls in healthcare settings. As a result, CP-ABE is widely recognized as the core tool for safeguarding the privacy of IoMT data [5–8]. However, in practical IoMT applications, existing CP-ABE schemes still face the following critical technical bottlenecks when deployed in distributed environments and resource-constrained devices (as illustrated in Fig 1).
Firstly, data sources lack lightweight mechanisms for verifying authenticity. As shown in the upper half of Fig 1, IoMT terminals are typically deployed in uncontrolled physical environments. Attackers can easily hijack or tamper with terminal devices to replace genuine physiological data M1 with fabricated data . Traditional CP-ABE schemes often focus solely on confidentiality protection during static storage, neglecting the legitimacy of the encryption initiator’s identity. If falsified data bypass verification and enter the system directly, they will mislead subsequent clinical decision support. Therefore, integrating a lightweight decentralized traceability mechanism into the encryption process constitutes the first line of defense for securing IoMT systems.
Secondly, traditional CP-ABE encryption schemes struggle to accommodate the hierarchical structure of medical data, leading to severe efficiency bottlenecks. In IoMT scenarios, data inherently exhibits logical interconnections. As shown in the lower half of Fig 1, the detailed surgical records M1 and the routine vital sign monitoring data M2 for the same patient correspond to the access policies p1 and p2, respectively. Existing solutions typically require separate encryption processes for each data file, resulting in substantial redundant ciphertext. For IoMT devices constrained by computational power and storage capacity, this non-hierarchical approach not only causes severe storage waste but also significantly increases data processing latency. Leveraging hierarchical data relationships to achieve single encryption with multi-level authorization is key to enhancing IoMT sharing efficiency.
Finally, trust models based on a single centralized authorization face single-point-of-failure risks. In complex IoMT management architectures, if key generation and distribution rely entirely on a single authority, an attack or failure at this core node would collapse the entire system’s trust boundary. Furthermore, as healthcare personnel roles dynamically change, achieving low-overhead attribute revocation and key rotation in distributed scenarios involving multiple authorities remains a major challenge for existing solutions, particularly in terms of system scalability and robustness.
To address these challenges, we propose BMHADS, a blockchain-based multi-authority hierarchical CP-ABE framework. To balance security and efficiency in IoMT environments, the scheme is instantiated on Type-3 pairing-friendly curves (e.g., BLS12-381). Compared to traditional Type-1 pairings, Type-3 curves yield shorter ciphertexts and superior computational efficiency at the same security level, making them ideal for resource-constrained devices. Our main contributions are as follows:
- (1) A collaborative authentication mechanism that integrates blockchain-based DKG with BLS threshold signatures has been proposed. This mechanism uses auxiliary nodes for collaborative verification, transforming centralized authentication into a distributed consensus process that ensures data authenticity and decentralized fault tolerance. Furthermore, the mechanism incorporates Proactive Secret Sharing (PSS) technology to support periodic key updates, enhancing the long-term security of system credentials without altering public keys.
- (2) This paper proposes a hierarchical multi-authority CP-ABE scheme optimized using Type-3 curves. The scheme utilizes a hierarchical access tree to encrypt multiple associated files in a single operation, thereby eliminating computational redundancy. At the same time, by having multiple authorities independently issue key fragments and aggregate them to generate the user’s private key, the scheme fundamentally alleviates the key escrow problem. Thanks to the compact representation of group elements in Type-3 curves, the scheme reduces storage and computational overhead, thereby ensuring its feasibility for deployment on resource-constrained IoMT sensors.
- (3) This paper proposes a periodic revocation mechanism based on PRE to address the efficiency bottleneck associated with user revocation in dynamic environments. By strategically offloading computationally intensive key update and ciphertext re-encryption tasks to healthcare cloud service providers, this mechanism enhances system scalability and reduces local overhead.
- (4) Security analysis demonstrates that the proposed BMHADS scheme achieves IND-CPA security and effectively resists collusion attacks. Furthermore, the validity, robustness, confidentiality, and resistance to Sybil attacks of the DKG protocol have been further verified, providing a trusted environment for the sharing of sensitive medical data. Experimental results indicate that the proposed BMHADS scheme outperforms existing schemes in terms of storage and computational overhead. Furthermore, implementation and testing were conducted on a Hyperledger Fabric platform comprising 100 nodes. The system maintained acceptable blockchain storage overhead and low consensus latency, validating the feasibility of deploying this scheme in real-world IoMT scenarios.
Organization of the Paper. The organizational structure of the BMHADS proposal is as follows: First, Sections 2 and 3 provide a review of the current state of research and introduce the necessary theoretical background. Subsequently, Section 4 defines the proposal’s system architecture and security model. Building on this foundation, Section 5 details the specific design aspects of the BMHADS proposal. The security validation and performance evaluation of the proposal are discussed in Sections 6 and 7, respectively. Finally, Section 8 summarizes the entire work and provides a look ahead to future research.
2. Related work
To circumvent the inherent risks of single points of failure and key custody in traditional CP-ABE architectures, multi-authority collaboration mechanisms have become a key focus in academic research. Chase et al. [9] pioneered a multi-authority framework that leverages global identity identifiers to achieve cross-institutional anti-collusion properties. However, this approach remains highly dependent on central authorities and faces risks of user privacy leakage. Building upon this foundation, functional optimizations tailored for specific scenarios have subsequently emerged. Duan et al. [10] combined PRE to enable efficient authorization delegation across chains, empowering data owners to update access policies dynamically. Zhao et al. [11] focused on enhancing terminal performance by proposing an online/offline multi-authority scheme supporting Linear Secret Sharing Scheme (LSSS) policy hiding, effectively reducing computational overhead on mobile devices. However, while multi-authority architectures ensure flexibility, they pose stringent challenges to the security and overhead of dynamic revocation mechanisms. To address this, Liu et al. [12] designed a multi-authority framework that enables instant revocation by removing central authorities and incorporating server-side key deletion. However, its security heavily relies on cloud integrity. Subsequently, Varri et al. [13] introduced a dual-authority collaborative architecture that supports identity tracing and achieves indirect revocation through evolutionary key generation. However, its substantial communication overhead severely limits scalability when handling large numbers of terminals.
Beyond functional and revocation management, researchers have also focused on deepening the theoretical boundaries of decentralization through mathematical frameworks. A landmark contribution in cryptography was achieved by Lewko et al. [14], who proposed the first fully decentralized multi-authority scheme requiring no global coordination. Building on this foundation, Liang et al. [15] introduced an anonymous distribution protocol that provides dual privacy concealment for both user identities and access policies. Subsequently, Qian et al. [16] proposed a multi-authority key-generation scheme in which authorities use shared random seeds to collaboratively generate key components. Combined with PRE techniques, this approach achieved a favorable trade-off between security and revocation efficiency. To address the complex hierarchical structure of medical records, hierarchical encryption techniques were introduced to enhance efficiency further. Bobba et al. [17] employed recursive set construction to form hierarchical properties. Wang et al. [18] and Xiao et al. [19] achieved ciphertext component reuse by integrating multi-level access frameworks, significantly reducing redundancy overhead. In the field of electronic health record and personal health record sharing, Guo et al. [20] and Roy et al. [21] implemented a layered scheme combining one-time encryption with multi-level authorization. Unlike layered schemes based on Type-1 symmetric pairings [20,21], this study employs Type-3 asymmetric pairings. This choice reflects a core design trade-off: although fine-grained parameter partitioning across heterogeneous groups increases implementation complexity, it fundamentally resolves the parameter bloat issue at high security levels.
Compared to the 3,072-bit characteristic width required by Type-1 curves to achieve a 128-bit security level, Type-3 curves require only 381 bits to withstand attacks of the same severity, making them better suited to the resource constraints of IoMT endpoints. Furthermore, most of these layered methods focus on post-storage static confidentiality while neglecting data source authentication at the perception layer, leaving the system highly vulnerable to data injection attacks at the source stage.
Ensuring data reliability throughout its entire lifecycle is another core requirement in IoMT scenarios. Traditional auditing solutions [22–24] heavily rely on third-party intermediaries, posing risks of single points of failure. To address this, Liang et al. [25] and Tian et al. [26] attempted to build decentralized auditing mechanisms using blockchain technology. However, existing blockchain-assisted solutions still fall short in terms of security depth. While Yu et al.’s [27] approach enhanced management capabilities, it lacked integrity auditing. Lee et al.’s [28] solution reinstated auditing functionality but neglected upstream authenticity verification. Addressing this gap in data source validation, researchers pioneered a technical pathway from identity matching to collaborative authentication. Ateniese et al. [29] pioneered the secret handshake protocol. Subsequently, Xu et al. [30] and the latest Yao et al. [31] proposals ensured participant authenticity through bidirectional attribute matching. However, such passive authentication models struggle to resist false data injection after terminal physical hijacking. Although Qi et al. [32] and Zhang et al. [33] attempted to address the aforementioned shortcomings by using aggregated signatures, their models typically follow a collect-then-compress logic, combining signatures from multiple sources for verification. This approach makes the system highly vulnerable to single points of failure when the credentials of a specific device are compromised. To address this issue, the collaborative authentication mechanism proposed in this paper achieves substantial improvement over aggregate signature methods by integrating DKG-based threshold signatures. Unlike traditional signature aggregation, this mechanism ensures that a valid data-source signature can be generated only when at least t assistant nodes reach consensus. 
This design provides decentralized fault tolerance and guarantees that the authenticity of the medical data stream remains unforgeable even if up to t − 1 assistant nodes are compromised—a security feature not present in the literature [32,33].
In this study, although the hierarchical access tree mechanism and the attribute revocation mechanism are borrowed from schemes [20,21] and scheme [16], respectively, the proposed BMHADS scheme achieves a fundamental evolution in its underlying mathematical framework. By adopting Type-3 asymmetric pairing, this scheme eliminates the parameter redundancy issue present in traditional Type-1 schemes from an algebraic perspective, thereby making it more suitable for resource-constrained IoMT scenarios. Furthermore, building upon the aggregated signature approach in [32,33], we introduce a threshold signature mechanism based on the DKG protocol. This improvement facilitates a shift from simple signature aggregation to decentralized consensus verification, thereby enabling robust data-source verification for hierarchical CP-ABE schemes in IoMT environments.
3. Preliminaries
3.1. Bilinear mapping
A cryptographic bilinear map operates over cyclic groups , and of prime order r, defined as a function satisfying:
- (1) Bilinearity: For any , and .
- (2) Non-degeneracy: if g1 and g2 are generators.
- (3) Computability: Effective algorithms exist to compute .
The proposed BMHADS scheme is instantiated using Type-3 pairings, where security is underpinned by the Elliptic Curve Discrete Logarithm Problem (ECDLP) within and , as well as the Finite Field Discrete Logarithm Problem (FFDLP) in the target group . Due to the absence of efficient computable isomorphisms between and in Type-3 structures, security degradation associated with group homomorphisms is effectively eliminated. This structural advantage provides a more robust mathematical foundation for implementing multi-authority hierarchical CP-ABE and DKG-based collaborative authentication.
3.2. Decisional Bilinear Diffie-Hellman (DBDH) assumption
Given a valid Type-3 pairing defined over a parameter set , the DBDH assumption is said to hold if there is no probabilistic polynomial-time (PPT) algorithm capable of distinguishing, with non-negligible advantage, a DBDH tuple from a random tuple . Here, , , , and are uniformly randomly selected.
3.3. Hierarchical access tree
As shown in Fig 2, denotes a hierarchical access structure that integrates diverse access policies and security levels into a unified framework. This structure is partitioned into l distinct access levels, with the root node designated as R. To facilitate the formal analysis of this hierarchical framework, the following nomenclature and characteristics are introduced:
Non-leaf nodes: These represent threshold gates (e.g., AND, OR, or n-of-m gates, where 1 ≤ n ≤ m). For instance, nodes A and B in Fig 2 are non-leaf nodes.
Leaf nodes: These represent specific attributes, such as nodes C and G.
: Denotes the number of child nodes of node (x,y). For example, numR = 2 and numB = 3.
: The access tree is hierarchically organized into l levels. Let (xm, ym) denote the coordinates of a node situated at the m-th level, where 1 ≤ m ≤ l. Specifically, the root node R resides at level m = 1 and is represented as (x1, y1). As m increases, the depth of the node within the tree increases accordingly.
: The threshold value associated with node (x,y), where . It defines the logical behavior of non-leaf nodes: it functions as an OR gate if th(x,y) = 1, and as an AND gate if .
Transmission node: A node (x,y) is classified as a transmission node if at least one of its children is a non-leaf node (threshold gate). As illustrated in Fig 2, node A serves as a transmission node.
: The ensemble of threshold gates among the offspring of the transmission node (x,y) within , i.e., , for instance, .
: Denotes a subtree of , with node (x,y) its apex. determines if attribute set S conforms to access tree . Additionally, is computed recursively: For a leaf node (x,y), precisely when . For non-leaf nodes (x,y), if and only if at least th(x,y) child nodes satisfy the condition.
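The recursive satisfaction rule and the transmission-node definition above can be exercised with the following added Python example, which is not code from the paper. The tree is constructed to match only what the text states about Fig 2 (R has two children, B has three, A is a transmission node, C and G are leaves); the attribute names and all function names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Node:
    name: str
    attribute: Optional[str] = None            # set on leaf nodes only
    threshold: int = 0                         # th(x,y); used by non-leaf nodes
    children: List["Node"] = field(default_factory=list)

    @property
    def is_leaf(self) -> bool:
        return self.attribute is not None


def leaf(name: str, attribute: str) -> Node:
    return Node(name=name, attribute=attribute)


def gate(name: str, threshold: int, *children: Node) -> Node:
    # A threshold gate needs 1 <= th <= num, where num is its child count.
    if not 1 <= threshold <= len(children):
        raise ValueError(f"{name}: threshold {threshold} not in 1..{len(children)}")
    return Node(name=name, threshold=threshold, children=list(children))


def satisfies(node: Node, attrs: Set[str]) -> bool:
    """Recursive check: leaf -> attribute held; gate -> at least th children hold."""
    if node.is_leaf:
        return node.attribute in attrs
    return sum(satisfies(c, attrs) for c in node.children) >= node.threshold


def is_transmission(node: Node) -> bool:
    """A transmission node has at least one child that is itself a threshold gate."""
    return any(not c.is_leaf for c in node.children)


def threshold_children(node: Node) -> List[str]:
    """Names of the threshold gates among a node's children."""
    return [c.name for c in node.children if not c.is_leaf]


def satisfied_gates(root: Node, attrs: Set[str]) -> Dict[str, int]:
    """Map every gate whose subtree `attrs` satisfies to its level (root = 1)."""
    found: Dict[str, int] = {}

    def walk(node: Node, level: int) -> None:
        if node.is_leaf:
            return
        if satisfies(node, attrs):
            found[node.name] = level
        for child in node.children:
            walk(child, level + 1)

    walk(root, 1)
    return found


# Constructed tree (not the paper's Fig 2), shaped to match what the text states:
# R has 2 children, B has 3 children, A is a transmission node, C and G are leaves.
B = gate("B", 2, leaf("E", "head_nurse"), leaf("F", "ward_3"), leaf("G", "researcher"))
A = gate("A", 1, B, leaf("D", "chief_physician"))    # th = 1: OR gate
ROOT = gate("R", 2, A, leaf("C", "cardiology"))      # 2-of-2: behaves as AND

if __name__ == "__main__":
    for attrs in ({"cardiology", "chief_physician"},
                  {"head_nurse", "ward_3"},
                  {"researcher"}):
        print(sorted(attrs), satisfies(ROOT, attrs), satisfied_gates(ROOT, attrs))
```

The second attribute set fails the root policy but still satisfies the subtrees rooted at A and B, which is the case a hierarchical tree is meant to serve: one structure, different levels of access.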
4. System framework
This section provides a detailed discussion of the system model, system threat model and assumptions, security model, and related considerations for the proposed BMHADS approach.
4.1. System model
Fig 3 displays the system model of the BMHADS method in the IoMT. The model contains the following entities: Internet of Medical Things Device (IoMTD), Data Owner (DO), Healthcare Cloud Service Provider (H-CSP), Assistant Nodes (ANs), Attribute Authorities (AAs), Data User (DU), Blockchain (BC), and Central Authority (CA).
The block labeled “DKG Protocol” encapsulates the phases of initialization, commitment and share distribution, complaint, and key reconstruction. For a detailed illustration of the protocol interactions, refer to Fig 4.
IoMTD: IoMTD includes implantable sensors, everyday wearables, etc., which can collect a variety of medical data, sign the collected medical data using their BLS private key, and securely send it to an assistant periodically.
ANs: ANs are the core computational entities of this protocol, each with a unique identity and sufficient computing resources. They obtain participation qualifications by registering blockchain addresses and encrypted public keys, and by staking funds. They collaboratively build a decentralized trust infrastructure and execute distributed cryptographic protocols to achieve reliable data source verification.
DO: The DO is the owner of the IoMTD, can manage one or more IoMTDs, and is responsible for collecting threshold signatures from assistants. The DO packages the transactions to the blockchain, defines the corresponding access policies for the raw data, and encrypts and transfers them to the H-CSP.
H-CSP: In our scheme, the H-CSP serves as a semi-trusted third party responsible for storing medical data collected via IoMTD and is curious about sensitive data.
AAs: Multi-authority AAs are responsible for managing user attribute sets, issuing attribute keys and data owner public keys, communicating with users using anonymous key exchange protocols, and switching to a standalone mode of operation after configuring pseudo-random functions (PRFs) through interactions among AAs during the initialization phase.
DU: The DU first uses blockchain credentials to verify the authenticity of the data source. Upon success, the DU requests, downloads, and decrypts the data from the H-CSP. If the DU’s attribute set satisfies the access structure for part or all of the encrypted data, the corresponding private key allows decryption of the ciphertext to obtain the medical data.
CA: The CA produces the system’s public parameters and does not carry any keys or perform key-generation algorithms for other entities.
BC: The foundation of this protocol is a permissioned consortium blockchain with Byzantine Fault Tolerance (BFT) consensus operated by ANs; the on-chain smart contracts (SC) serve as a trustless arbitrator, responsible for node identity management, stake escrow, and enforcement of penalty rules.
4.2. Threat model and assumptions
To ensure the reliability of data sharing and the resistance against Sybil attacks, we establish the following assumptions regarding the blockchain environment and the adversary’s economic behavior:
4.2.1. Blockchain and smart contract trust assumptions.
- Consistency of the state tree: BFT consensus ensures the global state tree (which records all nodes’ registration addresses, public keys, stake amounts, penalty records, etc.) is immutable and consistent across honest nodes, preventing any adversary from forging historical data or identity records through local ledger tampering.
- Honest arbitrator: The SC deployed on the blockchain is regarded as an honest arbitrator. Its execution logic, including identity activation, stake escrow, and penalty enforcement, is strictly enforced by the decentralized consensus protocol. An adversary cannot bypass the contract logic to activate unauthorized identities unless they satisfy the necessary conditions, such as submitting a valid stake or completing identity verification.
4.2.2. Adversary financial capability.
- Financial rationality: The adversary is assumed to be financially rational, meaning its primary objective is to maximize illicit profit. An attack will only be initiated if the potential gain (e.g., unauthorized access to sensitive medical data) exceeds the total cost of the attack (e.g., hardware costs and forfeited stakes).
- Bounded resources and economic stake: The financial resources of are bounded. To prevent Sybil attacks where an attacker creates multiple identities to gain control over the DKG process, the system enforces a minimum stake threshold during node registration:
where f denotes the maximum number of Byzantine nodes the system can tolerate, and represents the preset non-negative minimum stake per node. To ensure economic security, must be significantly higher than the potential illegal gains from accessing medical data, thereby making a large-scale Sybil attack economically unfeasible.
4.3. Security model
We define the security of our BMHADS scheme against IND-CPA under the selective security model based on the DBDH assumption. The security game takes place between a PPT adversary and a challenger , consisting of the following stages:
System Setup: determines and submits to the challenge access structure that it intends to attack. This structure is embedded in the ciphertext in plaintext form, meaning the scheme does not provide a policy-hiding feature. A collection of corrupt authorities that it wishes to control is defined as , and this collection must satisfy , meaning at least two authorities are honest and not controlled by . will acquire the private keys of all authorities in the collection in subsequent stages. In response, executes the system setup algorithm, generates the public parameters, and sends them to .
Authority Setup: For each corrupt authority , also provides its corresponding public-private key pair to . For honest authorities, only provides the corresponding public key PKk.
Query Phase 1: adaptively submits a series of attribute sets to request user key generation. For each attribute set S, runs the KeyGen algorithm, but only returns the corresponding private key if S does not satisfy the challenge access structure .
Challenge: submits two messages, M0 and M1, of equal length. randomly flips a coin , encrypts using the algorithm under the challenge structure, and returns the resulting challenge ciphertext CT* to .
Query Phase 2: can continue to adaptively query more sets of attributes for the key, with the restriction that these sets must not satisfy .
Guess: outputs a guess value for . If , then the adversary wins the game. The advantage of the adversary in this secure game is defined as .
Definition 1: If the system has at least two honest authorities and the advantage of any polynomial-time adversary in the above security game is negligible, then the BMHADS scheme is secure against IND-CPA and is resistant to collusion among authorities in the selective model.
During the execution phase of the DKG protocol, a computationally bounded adaptive adversary exists that can control at most f nodes. These controlled nodes can exhibit arbitrary Byzantine behaviour, including, but not limited to, sending incorrect messages, refusing to respond to protocol requests, or engaging in other collusive actions. To ensure the protocol’s availability, honest nodes must constitute an absolute majority. Assume there are a total of P assistant nodes in the system, with f being the number of malicious nodes and H = P − f being the number of honest nodes. According to the requirements of Byzantine fault-tolerant consensus mechanisms, the total number of nodes must satisfy ; thus, the number of honest nodes . In the key reconstruction phase, the protocol sets a threshold t = 2f + 1, meaning that collecting only t valid shares is sufficient to reconstruct the system’s master private key. In addition to satisfying IND-CPA security and resistance to collusion by authorities, the BMHADS scheme proposed in this paper should also achieve the following security properties:
- Validity: ensures the successful execution of the DKG process through three key requirements. Firstly, any t honest nodes can cooperatively reconstruct the master private key and aggregate a valid signature. Secondly, all honest participants must maintain a single, consistent protocol public key PKgroup. Finally, the local private key share skv of each honest node must remain valid and usable for generating threshold signatures that are verifiable by the global public key PKgroup.
- Robustness: Even if there are f malicious nodes, as long as the total number of nodes P in the system satisfies , all honest nodes can output valid group public keys PKgroup and their respective valid private key shares skv, thereby enabling participation in subsequent threshold signature operations.
- Confidentiality: ensures that attackers gain no computational advantage in obtaining the master private key SKgroup, thereby maintaining static secrecy against any colluding group and providing forward secrecy by preventing expired key shares obtained after time T from compromising historical data.
- Sybil attack resistance: ensures that the cost of identity acquisition increases superlinearly with the number of nodes P, rendering large-scale attacks economically unfeasible as established in the threat model (Section 4.2).
4.4. Discussion on security models
The proposed BMHADS scheme is shown to be selectively secure under the DBDH hardness assumption. The following discussion addresses the selection and application of security models:
- Feasibility of full security: The full adaptive security model allows an adversary to dynamically choose their challenge access structure after observing the public parameters and performing multiple secret-key queries, providing a more realistic simulation of high-intensity attack environments. However, in the field of ABE, particularly in complex scenarios involving multi-authority and hierarchical verification, achieving adaptive security often requires Dual System Encryption techniques. Such techniques often lead to a significant increase in the number of ciphertext components and require more complex bilinear pairing operations. Given the stringent requirements for real-time processing and low computational overhead in IoMT and PHR systems, our scheme adopts the selective security model to strike an optimal balance between functional integrity and computational efficiency.
- Practical limitations and justification: The primary limitation of the selective security model is the requirement that the adversary commit to the target access structure before system initialization, which limits the adversary’s ability to adjust attack strategies dynamically. However, in practical distributed medical scenarios, user attribute permissions (e.g., chief physicians, researchers, or head nurses) and the system’s access policies are usually determined by a stable organizational hierarchy. These structures are relatively static and do not undergo fundamental changes within milliseconds. Therefore, the selective security model sufficiently covers the vast majority of threat scenarios in real-world healthcare applications.
5. BMHADS scheme
Before presenting the specific details of the proposed BMHADS scheme, Table 1 summarizes the key symbols used in the scheme’s development.
5.1. Blockchain-based DKG protocol
As shown in Fig 4, the proposed DKG protocol consists of seven phases, namely registration, initialization, commitment and share distribution, complaint, key reconstruction, signature, and key update. The detailed construction process of each phase is as follows.
The step numbers correspond to the descriptions in the text.
1. Registration
This protocol allows P assistant nodes to jointly generate a global public key PKgroup and the corresponding private key share in the presence of up to f Byzantine nodes. The protocol is built on an asynchronous network model and satisfies the honest-majority condition , a prerequisite for achieving BFT. The agreement process is as follows:
Device self-registration: A medical terminal device independently generates a private key locally and calculates the corresponding identity public key . The device then uploads its public key, pkd, and identity identifier, IDd, to the blockchain smart contract for anchoring.
Node registration: Before the protocol initialization, all ANs intending to join the collaborative network must complete identity registration on the blockchain. Given the public and transparent nature of the blockchain ledger, each assistant node ANu must submit its unique identifier IDu and on-chain address to the smart contract, where . Additionally, the smart contract incorporates an economic penalty mechanism for malicious nodes; therefore, assistant nodes must also deposit a security deposit of Stakeu into the contract during registration. Upon completing registration, the node’s status is activated, allowing it to participate formally in the DKG protocol. Furthermore, to ensure the security of subsequent distributed communications, each node ANu publishes an encryption key pair and a signing key pair to secure private share transmission and message authentication.
2. Initialization
First, define the set of assistant nodes as and set the system security threshold to t. According to BFT requirements, the total number of nodes must satisfy , where f is the maximum number of malicious nodes the system can tolerate. At this stage, each assistant node ANu independently selects a set of random coefficients locally and uses them to construct a random polynomial of order t − 1 as shown below, where .
(2)
3. Commitment and share distribution
Each assistant node ANu generates a commitment for every coefficient of the polynomial, where . These commitment coefficients are subsequently broadcast to all other assistant nodes to ensure data consistency across the network. After a successful distribution, the nodes submit the commitment set to the smart contract for on-chain anchoring.
To ensure the confidentiality and reliability of the source of the private key component during distribution, sender ANu performs the following operations: First, ANu computes the private key fragment , where , and encrypts component using the public key of recipient ANv, resulting in . Next, to prevent third parties from forging or tampering with the message, ANu uses its private signing key to sign the ciphertext, generating the proof . Finally, ANu sends the tuple to ANv via the peer-to-peer (P2P) network.
To prevent malicious nodes from forging shards or executing replay attacks, upon receiving the data shard packet sent by sender ANu, recipient ANv performs the following steps.
ANv first retrieves sender ANu’s identity public key via a blockchain smart contract and executes verification logic on the signature . If the signature verification fails, the message is deemed untrustworthy and discarded.
Assuming the source is authentic, ANv decrypts Cu,v using its locally held encryption private key to recover the secret share .
To ensure that the distributor ANu has honestly executed the polynomial distribution protocol, ANv uses the decrypted in combination with the publicly available commitment on the smart contract to verify whether the following equation holds:
(3)
4. Complaint
If the verification fails, ANv files a complaint against ANu with the smart contract. The specific complaint process is as follows.
ANv does not simply discard the data. Instead, it immediately constructs a publicly verifiable evidence package. This evidence package includes the on-chain address of the accused node ANu, the private key share , the corresponding ciphertext of the encrypted share Cu,v, the original signature , and the relevant coefficient commitment , all published on-chain. Subsequently, ANv uses its local private key to sign this evidence package, obtaining digitally, and broadcasts it to other nodes.
Upon receiving the message, all honest nodes collectively execute the Byzantine Fault-Tolerant consensus protocol. First, they use to verify whether the signature validates the accusation initiated by ANv; if so, they proceed to vote according to the protocol.
If it is confirmed that ANu sent an erroneous share, the contract will automatically deduct the collateral staked by ANu, remove ANu from the list of qualified nodes, and invalidate ANu’s registration information and public commitment. Then, the smart contract broadcasts the latest blocklist, . The remaining assistant nodes update their local set of qualified participants based on the consensus conclusion, remove the cheating node’s weight, and renegotiate the system’s public key.
5. Key reconstruction
After the validation and consensus phases are complete, each honest assistant node ANu will reconstruct the global public key and its local private key share. The global public key PKgroup is established by aggregating the initial commitments of all participants, calculated as follows:
(4)
Each assistant node ANv obtains its local private key share skv by aggregating the valid fragments received from all P nodes.
(5)
Subsequently, each honest assistant node ANv calculates its encrypted share and the corresponding hash value , and submits them to the blockchain as tamper-proof on-chain evidence. According to the protocol design, although the global master private key SKgroup is theoretically computable, the full key cannot be reconstructed unless the predefined collusion threshold t is exceeded.
(6)
6. Signature
After the DKG protocol completes the initialization of distributed trust anchors, the system enters the real-time data authentication phase. This phase aims to establish a dual-verification defense mechanism against unauthorized data injection through local pre-authentication on IoMT terminals and distributed threshold signatures on assistant nodes. The specific formalized process is as follows:
Each IoMT terminal device collects raw medical data Md. The device uses the private key , which it generated autonomously during the registration phase, to execute the BLS lightweight signature algorithm. To ensure the uniqueness of the data packet and defend against replay attacks, the device constructs a data packet containing the current timestamp TS and a random number , and calculates the signature value as follows:
(7)
Subsequently, the device broadcasts the data packet to its associated assistant node pool.
Upon receiving the packet , the assistant node ANv first verifies the timeliness of the data by checking the timestamp offset . Subsequently, the assistant node retrieves the device’s anchored public key, pkd, from the blockchain and verifies the legitimacy of the device’s signature through a bilinear pairing operation, as shown below:
(8)
If the equation holds, the process proceeds to the next step. Otherwise, the data is discarded, and an error log is recorded.
In high-frequency data transmission scenarios, such as real-time IoMT monitoring, this scheme introduces a batch verification mechanism to further reduce the computational overhead on assistant nodes. Suppose assistant node ANv receives Np consecutive data packets and their corresponding signatures from the same device Devd, where the device’s unique identifier is IDd, the anchored public key is pkd, and p is the packet index sequence for the current batch task. The node uses the additive homomorphism of the bilinear mapping over to accumulate the Np signature components and their corresponding message hash map values in the group space. The message hash map values are computed from the original data Md,p, the timestamp TSp, and the random number . The specific verification equation is shown in the following formula.
(9)
After verifying the authenticity of the IoMT terminal data source through single-point or batch verification, each assistant node ANv invokes the local private key share skv obtained during the DKG phase to generate a local signature for the current medical data. Here, .
(10)
When any node receives at least t valid signature fragments , it uses the Lagrange interpolation coefficient to aggregate and generate a system-level threshold signature .
(11)
After the DO collects the threshold signature , it verifies its validity using the system-wide public key PKgroup as follows.
(12)
After successful verification, DO generates a public-private key pair in a secure environment, selects the current transaction timestamp ts1, and concatenates the verified threshold signature , the original message hash , and the personal public key pkdo to construct the final notarized digest , which is then packaged and uploaded to the BC.
(13)
7. Key update
To counter attacks from mobile adversaries and ensure the system’s forward security, the proposed scheme introduces a share update mechanism based on active secret sharing. This mechanism allows assistant nodes to periodically evolve their private key shares without changing the global public key PKgroup.
When the system enters the preset update cycle T + 1, each eligible assistant node ANu initiates a local update algorithm. ANu randomly selects a random polynomial of degree t − 1 , with its constant term set to 0, i.e., . Simultaneously, ANu computes and broadcasts the increment commitment coefficient to other assistant nodes ANv.
(14)
ANu calculates the share increment for other nodes ANv, encrypts this increment using ANv’s public key , and sends it to ANv.
Upon receiving , ANv decrypts using their private key to obtain , and performs verifiability checks using the public increment commitment as follows:
(15)
where . If the verification fails, the aforementioned challenge process is triggered.
After confirming that all received increment shards are valid, ANv computes the private key share for the new round.
(16)
Once the above updates are complete, ANv recalculates the new local share ciphertext and its hash value , uploads them to the blockchain, and overwrites the old hash value .
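The share check, complaint, key reconstruction and key update phases above can be traced in a small simulation. This is an added example, not the paper's implementation: it assumes Feldman-style commitments of the form g^a over a toy prime-order group, leaves out share encryption, signatures, staking and the smart contract, and every function name in it is hypothetical.

```python
import secrets

# Toy Schnorr group, constructed for this example and far too small for real use:
# P_MOD = 2*Q + 1, and G generates the subgroup of prime order Q.
P_MOD, Q, G = 2039, 1019, 4


def poly_eval(coeffs, x):
    """Evaluate a polynomial over Z_Q at x (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def verify_share(share, v, commitments):
    """Assumed Feldman check: G^share == prod_k C_k^(v^k) for receiver index v."""
    rhs = 1
    for k, c in enumerate(commitments):
        rhs = rhs * pow(c, pow(v, k, Q), P_MOD) % P_MOD
    return pow(G, share, P_MOD) == rhs


def deal_round(nodes, t, const=None, cheaters=()):
    """Every node deals a degree t-1 polynomial; receivers check and complain."""
    commitments, shares = {}, {}
    for u in nodes:
        coeffs = [secrets.randbelow(Q) for _ in range(t)]
        if const is not None:
            coeffs[0] = const                  # key update uses constant term 0
        commitments[u] = [pow(G, c, P_MOD) for c in coeffs]  # anchored on-chain
        for v in nodes:
            s = poly_eval(coeffs, v)
            if u in cheaters and v != u:
                s = (s + 1) % Q                # share off the committed polynomial
            shares[(u, v)] = s
    # A receiver v whose check fails files a complaint (accuser, accused).
    complaints = [(v, u) for (u, v), s in shares.items()
                  if not verify_share(s, v, commitments[u])]
    accused = {u for _, u in complaints}
    qualified = [u for u in nodes if u not in accused]
    return qualified, commitments, shares, complaints


def combine(qualified, commitments, shares, base_sk=None, base_agg=None):
    """Sum qualified dealers' shares per receiver; multiply their commitments."""
    t = len(commitments[qualified[0]])
    agg = list(base_agg) if base_agg else [1] * t
    for u in qualified:
        agg = [a * c % P_MOD for a, c in zip(agg, commitments[u])]
    sk = {v: ((base_sk[v] if base_sk else 0)
              + sum(shares[(u, v)] for u in qualified)) % Q for v in qualified}
    return sk, agg                             # agg[0] is the group public key


def demo():
    nodes, t = [1, 2, 3, 4], 3                 # P = 3f + 1, t = 2f + 1 with f = 1
    qualified, com, sh, complaints = deal_round(nodes, t, cheaters={4})
    sk, agg = combine(qualified, com, sh)
    # Key update among the qualified nodes: zero-constant polynomials.
    q2, dcom, dsh, _ = deal_round(qualified, t, const=0)
    new_sk, new_agg = combine(q2, dcom, dsh, base_sk=sk, base_agg=agg)
    return qualified, complaints, sk, agg, new_sk, new_agg


if __name__ == "__main__":
    qualified, complaints, sk, agg, new_sk, new_agg = demo()
    print("complaints (accuser, accused):", complaints)
    print("qualified dealers:", qualified)
    print("PK unchanged by update:", agg[0] == new_agg[0])
    print("updated shares verify:",
          all(verify_share(new_sk[v], v, new_agg) for v in qualified))
```

Because every update polynomial has constant term 0, its first commitment is the group identity, which is why the aggregated public key survives the update while each share changes.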
5.2. Data sharing phase
Fig 5 depicts the complete interaction process for data sharing, with key steps as follows.
1. System Setup
. CA first takes the security parameter as input and sets three groups , , and , each of prime order r. A bilinear map exists. Let g1 be a generator of , and g2, h2 be generators of . Define four hash functions: , , . For each global identity GID, compute . The system public parameter is .
2. Authority Setup
. Each attribute authority AAk chooses a random exponent as its master secret key component and computes the public key component . For each attribute under its jurisdiction, a random value is selected to compute the corresponding public key component . To facilitate anonymous exchange, any two authorities Ak and Aj choose secret values and establish a shared seed via a secured channel, which remains confidential between them. The pseudo-random function is thus defined as . Additionally, each authority initializes a cycle identifier epoch = 1, which is embedded into the keys. The master secret key MSKk and the public key PKk are defined as follows:
(17)
(18)
3. Key generation
. When a user requests a secret key using their global identifier GID, the attribute authority AAk computes and chooses a random value . For each user attribute (where ), AAk calculates the attribute key component . Regarding the anonymous exchange protocol, the intermediate component Dkj is computed based on the indices k and j: If k > j, ; If k < j, . Finally, the user aggregates these components to obtain the complete secret key , where DU is defined in the following formula.
(19)
4. Encryption
(4). Given a dataset with l access levels, DO constructs a hierarchical access tree and performs the following encryption:
First, DO selects a random content key ckm for each level and computes the level ciphertext components . Next, DO selects a polynomial q(x,y) of degree for each node (x,y) in . For nodes (xm, ym) representing a level, set the value of their polynomial at the origin to satisfy , where is the random secret value for each level. For other nodes (x,y) in the access tree, the value of their polynomial is determined by the parent node, i.e., . Thus, DO uses the level secret to construct the CP-ABE ciphertext components and corresponding to the level message as follows:
(20)
After establishing the hierarchical tree structure of the hierarchical access tree , DO further constructs fine-grained ciphertext components for different types of nodes in . Specifically, for each leaf node (x, y), the associated attribute value is set to . DO performs a blinding operation using the value q(x, y)(0) of the node’s polynomial at the origin, thereby constructing the attribute-related ciphertext components and . Furthermore, if node (x, y) is a transport node, the set of its subordinate sub-threshold nodes is defined as . Based on this, DO further computes and generates the transport node ciphertext . The detailed construction equations for the relevant attribute ciphertext components and transport node components are shown below:
(21)
Finally, DO outputs the ciphertext .
5. Verification
. After successfully downloading the ciphertext, the data user must first retrieve and verify the tuple from the blockchain. The overall verification process consists of the following two core stages. Specifically, the tuple is defined as .
The first stage verifies the validity of the threshold signature. This step ensures that the participating working nodes have reached mathematical consensus and that the data source is trustworthy. The specific verification equation is as follows:
(22)
The second stage involves verifying the secondary signature executed by the data owner. This operation further enhances the data’s non-repudiation, and its verification equation is as follows:
(23)
If both of the above verification equations hold, the algorithm outputs 1 and formally initiates the hierarchical CP-ABE decryption process. If either equation fails verification, the data user will deem the data packet untrustworthy and immediately terminate the current operation. To demonstrate the rigor and completeness of the above verification logic, this section provides the relevant correctness proof below.
Correctness. The validity of the threshold signature verification is demonstrated through the following derivation.
(24)
Similarly, the correctness of the secondary signature generated by the DO is verified as follows:
(25)
6. Decryption
. DU executes this algorithm to recover the message content key ckm at a specific level using the set of multi-authority attribute private keys it holds. The core of the decryption process lies in processing the hierarchical access tree in the ciphertext by calling the recursive algorithm . The detailed execution logic of this algorithm is as follows:
If node (x, y) is a leaf node of the hierarchical access tree, the execution logic of the recursive function is as follows: If its associated attribute is , then since the attribute does not satisfy the access policy, is returned. Conversely, if its associated attribute is , the computation process for is as shown below:
(26)
If node (x, y) is a non-leaf node, the algorithm employs a bottom-up recursive reconstruction strategy. First, for each child node Z of node (x, y), is computed recursively, and S(x,y) is defined as the set of all child nodes for which the return result is not empty. The algorithm then performs a threshold check: if the cardinality of the set |S(x,y)| is less than the threshold value th(x,y), it indicates that the subtree branch cannot satisfy the access policy, and the function returns the empty value . Conversely, if the condition is satisfied, select any th(x,y) child nodes from S to form a subset , where . The specific reconstruction equation is as follows:
(27)
Thereafter, the decryption algorithm is executed to retrieve the content key ckm. Provided that the attribute set of the DU satisfies the hierarchical access tree either partially or fully, the intermediate components are derived via the recursive operations described previously, where and . Specifically, for each level node (xm, ym), the target bilinear pairing value is reconstructed as follows:
(28)
Assuming satisfies all underlying nodes, the ciphertext element enables the recursive reconstruction of hierarchical values. Consequently, the sequence is retrieved in succession.
(29)
As demonstrated in the derivation below, for each hierarchy level where the access policy is satisfied, the DU can precisely recover the corresponding level content key ckm through algebraic cancellation:
(30)
Upon acquiring the hierarchical key ckm, the user invokes the corresponding symmetric decryption algorithm to decrypt the hierarchical ciphertext , thereby recovering the plaintext message Mm for each level .
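The top-down share assignment from the Encryption step and the bottom-up recursion with its threshold check can be seen on a small tree. This is an added example, not the paper's code: it works on the polynomial values q(x,y)(0) directly in a prime field instead of on pairing values, assumes a non-root level node takes its level secret from its parent's polynomial, does not model transport-node components, and uses hypothetical names and a constructed policy.

```python
import secrets

R = 2**127 - 1        # prime modulus standing in for the group order r (constructed)


class Node:
    def __init__(self, threshold=1, children=(), attr=None, level=None):
        self.threshold = threshold        # th(x,y) of a gate node
        self.children = list(children)
        self.attr = attr                  # attribute name if this is a leaf
        self.level = level                # m if this node is the level-m node
        self.share = None                 # q_(x,y)(0), set by share_tree


def share_tree(node, secret):
    """Top-down: q_node(0) = secret, each child gets q_node(index(child))."""
    node.share = secret
    if node.attr is not None:
        return
    coeffs = [secret] + [secrets.randbelow(R) for _ in range(node.threshold - 1)]
    for idx, child in enumerate(node.children, start=1):
        share_tree(child, sum(c * pow(idx, k, R) for k, c in enumerate(coeffs)) % R)


def lagrange_at_zero(points):
    """Interpolate q(0) from (index, value) pairs over Z_R."""
    total = 0
    for i, y in points:
        lam = 1
        for j, _ in points:
            if j != i:
                lam = lam * j * pow(j - i, -1, R) % R
        total = (total + y * lam) % R
    return total


def decrypt_node(node, attrs, recovered):
    """Bottom-up recursion; None plays the role of the empty value."""
    if node.attr is not None:
        # Leaf: usable only if the user holds a key for this attribute.
        value = node.share if node.attr in attrs else None
    else:
        got = []
        for idx, child in enumerate(node.children, start=1):
            v = decrypt_node(child, attrs, recovered)
            if v is not None:
                got.append((idx, v))
        # Threshold check, then interpolate from any th(x,y) satisfied children.
        value = (lagrange_at_zero(got[:node.threshold])
                 if len(got) >= node.threshold else None)
    if value is not None and node.level is not None:
        recovered[node.level] = value     # level secret that unlocks ck_m
    return value


def build_policy():
    """Constructed policy: level 1 = chief_physician AND the level-2 subtree;
    level 2 = any 2 of {cardiology, researcher, head_nurse}."""
    level2 = Node(2, [Node(attr="cardiology"), Node(attr="researcher"),
                      Node(attr="head_nurse")], level=2)
    root = Node(2, [Node(attr="chief_physician"), level2], level=1)
    share_tree(root, secrets.randbelow(R))
    return root, level2


def levels_for(root, attrs):
    """Return {level: recovered secret} for the levels this attribute set opens."""
    recovered = {}
    decrypt_node(root, set(attrs), recovered)
    return recovered
```

A user holding only `researcher` and `head_nurse` recovers the level-2 secret and nothing above it, which is the partial-satisfaction case the text describes.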
7. Revocation
When revoking a specific attribute set , the relevant attribute authority Ak performs this operation for each attribute to be updated. The authority selects a new parameter , calculates a new public key component , and re-encrypts the key . Subsequently, the authority transitions the system into a new security epoch and outputs the local re-encryption key . The values from all authorities collectively form the global re-encryption key .
The medical cloud server executes the algorithm. First, it verifies the epoch identifier of the ciphertext CT against the re-encryption key . If the version is not the latest, the server calculates a new ciphertext component for all attributes in the hierarchical access structure using the re-encryption key chain . Finally, the server outputs the new ciphertext with the epoch identifier refreshed.
For non-revoked users, their keys need to be updated to decrypt new-cycle ciphertexts. Like ciphertext re-encryption, the server checks the epoch of the user key SKU. For each attribute owned by the user, the server computes the updated key component . Finally, it outputs the new key with synchronized epoch updates.
When policies update, DO does not need to download and re-encrypt entire files. The algorithm only regenerates the ciphertext component for attributes that change the access structure. Specifically, for newly added or modified attribute nodes (x, y), DO computes based on their new polynomial share value q(x,y)(0). Finally, the algorithm outputs an updated ciphertext containing most of the original components alongside the newly generated component.
6. Security analysis
This section describes the security analysis of the proposed BMHADS scheme.
Theorem 1 (IND-CPA security). Assuming that the DBDH assumption holds, it is computationally infeasible for any probabilistic polynomial-time adversary to break the proposed BMHADS scheme under chosen-plaintext attacks. Therefore, the BMHADS scheme effectively achieves IND-CPA security.
Assume an adversary with polynomial-time computational capability can exploit the benefits of to compromise this system. Subsequently, we construct a simulator to refute the hypothesis, which will break the DBDH hypothesis with , where nk denotes the total count of attributes under the control of authority Ak.
Proof: selects three cyclic groups , , of prime order r, along with corresponding generators and . It randomly chooses and then uniformly samples a random bit :
If , sends the real tuple to .
If , sends the random tuple to , where is a uniformly random element of .
System Setup: At the start of the experiment, selects a challenging hierarchical access tree structure to be attacked and sends a set of corrupt authorities under its control to simulator , where satisfies the collusion constraint . Subsequently, randomly selects and computes . Through this construction, implicitly embeds the DBDH challenge a into the system parameter h2. Due to the randomness of , the generated h2 is statistically indistinguishable from the true parameter, thereby ensuring the soundness of the secure reduction.
Authority Setup: randomly selects an authority Ak from the set of honest authorities as the target authority for the challenge and implicitly embeds the DBDH puzzle instance into that authority’s parameter configuration.
Case 1: For corrupted authorities . Since the simulator possesses the complete secret parameters of all corrupted authorities, it randomly selects and computes according to the scheme’s algorithm. For each attribute , randomly chooses and . In this context, the PRF seed is shared between two corrupted authorities Ak and Aj. Subsequently, transmits and to the adversary , where .
Case 2: For honest authorities . selects . Regarding the hierarchical access tree , if attribute , computes . Otherwise, if , utilizes the component from the DBDH instance to compute . For the component , if , computes . If , embeds the challenge term ab into the public parameters by constructing as follows:
(31)
Finally, selects random seeds for honest authorities Ak and Aj to simulate the shared secrets, ensuring the transparency of PRF seed interactions to the adversary . Subsequently, transmits the public components , which incorporate the embedded DBDH challenge terms, to . This procedure achieves a statistically perfect simulation of the public parameter distribution in the real system.
QueryPhase 1: Under this security model, can issue a sequence of private key queries for attribute sets . According to the security game definition, none of the queried attribute sets satisfy the challenge access structure pre-selected by .
Case 1: For corrupted authorities . Since has already disclosed the complete secret parameters of these authorities to during the authority setup phase, directly invokes the actual algorithms defined in the scheme to generate the corresponding attribute secret keys.
Case 2: For honest authorities . constructs the key component depending on whether the attribute is involved in the challenge access structure:
- If attribute , randomly chooses and computes .
- If attribute , computes .
Regarding the interactive key component Dkj, employs an algebraic cancellation technique to simulate the key structure containing the unknown term , categorized into two scenarios:
When authority Ak is not the target authority (), possesses the auxiliary secret bvk and constructs:
- If k > j, .
- If k < j, .
When authority Ak is the target authority (), the simulator is unaware of the product ab from the DBDH instance. To construct a valid key without this knowledge, utilizes as follows:
- If k > j, .
- If k < j, .
Based on the analysis above, the distribution of Dkj is statistically correct. Due to the mirror symmetry between k > j and k < j, we focus on k > j for brevity. In the following, we prove that Dkj is mathematically consistent with the real scheme through algebraic equivalence derivation.
To demonstrate that the interactive key Dkj constructed by the simulator is mathematically consistent with the real scheme, we first provide its algebraic equivalence derivation. In this derivation, expands the terms by directly utilizing the random exponent selected during the simulation process along with other known parameters:
(32)
As illustrated in the derivation above, the core logic relies on expanding and consolidating exponential terms to achieve algebraic substitution. Specifically, achieves algebraic cancellation by leveraging the pre-configured cancellation term and the public parameter h2 to neutralize the term derived from the mapping involving the challenge component b. This step ensures that can successfully retain the challenge term (representing the master secret key) within the final key structure without requiring explicit knowledge of the secret ab from the difficulty problem instance. By defining an implicit random mask , the interactive key Dkj finally satisfies the following equation:
(33)
Challenge: submits two equal-length messages M0 and M1 to the simulator . In response, tosses a random coin and implicitly sets the secret value s = c. Utilizing the components from the DBDH instance, constructs the challenge ciphertext , where , and . The aforementioned construction establishes a rigorous connection between the scheme’s security and the DBDH hardness assumption. If , it follows that . At this point, since c is uniformly and randomly distributed in , the simulated challenge ciphertext CT* is statistically indistinguishable from a valid ciphertext produced by the real encryption algorithm. Furthermore, by aggregating the public components of all authorities, the structural consistency of the simulated challenge ciphertext for can be proved via the following derivation:
(34)
When , algebraic cancellation of the public components from each authority causes the decryption term to coincide exactly with the challenge term . Hence, can construct a challenge ciphertext CT* that is statistically indistinguishable from a real-system ciphertext, thereby ensuring the rigor of the security reduction.
QueryPhase 2: This phase proceeds identically to QueryPhase 1.
Guess: The adversary submits its guess for the challenge bit . Based on this, outputs its decision for the DBDH instance. If , outputs (judging as a valid tuple); otherwise, it outputs (judging as a random element).
To evaluate the advantage of , we consider the following two cases:
When , the challenge term is a random element in the target group . In this case, the challenge ciphertext CT* contains no effective information regarding for , meaning that is information-theoretically hidden. Thus, obtains no advantage, and . Accordingly, the probability that outputs is .
When , the challenge term . Based on the previous analysis, provides an attack environment that is statistically indistinguishable from the real scheme. If breaks the scheme with a non-negligible advantage , then . Based on the decision logic, the probability of making a correct decision is .
Assuming the challenger chooses uniformly at random and the simulation does not abort, the overall probability that makes a correct decision is as follows:
(35)
Thus, the advantage of achieves a DBDH advantage of .
To complete the security reduction, must ensure that the simulation does not abort due to the inability to respond to the private-key queries issued by the adversary . Specifically, a simulation collapse occurs if the attribute combination requested by allows to extract secret components unknown to via linear combinations. Following the combinatorial analysis in [16], let Ni denote the number of combinations that can yield valid private keys when requests i private keys. In the worst-case scenario, where possesses nk − 1 private keys controlled by authority Ak, the upper bound of the abort probability for a single authority Ak is estimated as:
(36)
where r is the prime order of the cyclic group. Given that the number of attributes nk managed by each authority satisfies , this abort probability is negligible in polynomial time.
Since the initialization processes of all authorities are mutually independent, the lower bound for the probability that does not abort during the entire game is . By combining the decision advantage derived previously, the final global advantage lower bound for to break the DBDH hardness assumption satisfies:
(37)
Since the advantage of is non-negligible and , the overall success probability of the simulation remains non-negligible, establishing a valid reduction: any polynomial-time adversary with non-negligible advantage against the proposed scheme can solve the DBDH problem with non-negligible advantage, completing the proof.
Collusion and key escrow mitigation: The security of the BMHADS scheme is built upon a decentralized key construction logic. First, any two authorities, Ak and Aj, collaborate to generate a PRF seed , which remains strictly confidential between them. As established in our IND-CPA security proof (Theorem 1), even if corrupts N − 2 authorities, it remains unaware of the PRF seeds shared by the remaining two honest authorities, ensuring that the challenge ciphertext cannot be distinguished without solving the DBDH problem.
Furthermore, the user’s secret key is constructed by incorporating the master private keys of all authorities. This cumulative structure implies that even if N − 1 authorities exhibit malicious behavior or collude, the adversary remains unable to derive a valid, functional secret key because of the missing component provided by the single honest authority. Consequently, the scheme is designed to withstand attacks by up to N − 1 corrupted authorities.
This architecture effectively mitigates the key escrow problem. Since complete decryption capability can be achieved only through the product of components from all N independent authorities (as shown in Eq. (19)), no single authority, including the CA, possesses sufficient information to reconstruct a user’s private key independently. Additionally, the anonymous key-issuing mechanism ensures that authorities do not learn the user’s GID, preventing the feasible collection of user attributes through tracing. In summary, BMHADS eliminates single-point key escrow risks while safeguarding user privacy in multi-authority IoMT environments.
Theorem 2 (Validity). A proposed DKG protocol is valid if, under the honest majority assumption (), it effectively resists attacks from a PPT adversary and satisfies the following three conditions:
- (1) All honest assistant nodes obtain an identical global public key PKgroup.
- (2) Each honest node’s local private key share sku is valid and verifiable against public commitments.
- (3) The global threshold signature , aggregated from valid partial signatures, is verifiable by PKgroup via bilinear pairing.
Proof: Consider a PPT adversary that adaptively controls up to f Byzantine nodes to disrupt the protocol by submitting forged shares, broadcasting inconsistent commitments, or initiating malicious complaints. Firstly, when a malicious node acts as a dealer, it might attempt to induce divergence in the global public key by providing inconsistent coefficient commitments to different honest nodes. However, our protocol mandates that all commitments be directly anchored on the blockchain. Leveraging the inherent consensus and immutability of the distributed ledger, honest nodes accept only the singular version of commitments ratified by the underlying BFT consensus. Consequently, for any honest node ANv, the set of qualified nodes and their corresponding commitments remain globally consistent, ensuring the uniqueness and integrity of the global public key . Secondly, may attempt to disseminate forged shares that deviate from the intended polynomial distribution to undermine the algebraic integrity of subsequent signatures. Upon receiving , an honest node ANv executes a Verifiable Secret Sharing (VSS) check against the commitments publicly anchored on-chain. If distributes erroneous shares, the VSS verification equation will fail. In such an event, ANv immediately invokes a challenge mechanism on the blockchain, providing the non-compliant share and its cryptographic signature as evidence. Since on-chain commitments are immutable, the system identifies and disqualifies the malicious actor via the BFT consensus. Furthermore, the economic penalty mechanism ensures that the malicious node’s deposit Stakeu is forfeited, thereby significantly increasing the cost of such adversarial behavior. Finally, may attempt to forge a valid threshold signature using its f compromised private key fragments. According to the Lagrange interpolation principle, reconstructing the complete threshold signature necessitates at least t = 2f + 1 valid partial signatures. 
Given that the number of nodes controlled by satisfies f < t, and assuming the computational hardness of the DLP, is incapable of deriving the missing t − f secret shares from the known fragments. Therefore, as long as honest nodes generate partial signatures in accordance with the protocol, the aggregated signature will satisfy the bilinear pairing verification. remains powerless to forge valid authentication credentials without reaching the requisite threshold of authorized shares.
Theorem 3 (Robustness). Under the honest majority assumption , the proposed DKG protocol and threshold signature scheme are robust. Specifically, in the presence of controlling at most f nodes, the honest nodes can still output a valid global public key PKgroup and collaboratively complete threshold-signature tasks.
Proof: Suppose controls up to f Byzantine nodes to initiate conflicts, send invalid shares during the key exchange phase, or launch silence attacks during the signature phase. To counter these threats, the protocol incorporates a BFT design requiring assistant nodes. To ensure liveness and safety, the number of honest nodes must be at least 2f + 1, i.e., . Even if compromises f nodes, it cannot achieve majority control or break the threshold t, as H ≥ t is consistently satisfied. If a node fails to respond or submits erroneous shares, an accusation protocol is triggered. Once malicious behavior is evidenced, the smart contract disqualifies the offender from the candidate set . Consequently, the protocol remains resilient and will not stall due to f faulty nodes.
Theorem 4 (Confidentiality). cannot obtain the system master key SKgroup during or after protocol execution.
Proof: The primary private key SKgroup is the sum of the polynomial constant terms from each assistant node. Since we use a threshold of t = 2f + 1 in our Byzantine-tolerant DKG protocol, an adversary controlling at most f malicious nodes can obtain at most f partial shares . However, reconstructing the polynomial requires at least t = 2f + 1 shares. Even if colludes all f malicious nodes, they still lack f + 1 additional shares from honest nodes to reach the threshold. Furthermore, the shares are encrypted using the recipient’s public key , and only authorized nodes can decrypt them. cannot eavesdrop on or decrypt shares belonging to honest nodes. Finally, during the key update phase, a new polynomial with constant term zero is generated, updating the share to . Old shares become invalid, and cannot infer the new share. Thus, the scheme satisfies static secrecy and forward secrecy.
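The share check and complaint step (Theorem 2), the H ≥ t argument (Theorem 3) and the zero-constant key update (Theorem 4) can be exercised end to end with a small joint-Feldman DKG. This is an added example, not the authors' MIRACL implementation: it assumes Feldman-style coefficient commitments, replaces BLS12-381 with a constructed toy group (p = 2039, q = 1019, g = 4), and every function name is hypothetical.

```python
import secrets

# Constructed toy Schnorr group (far too small to be secure): p = 2q + 1,
# and g = 4 generates the subgroup of prime order q.
P_MOD, Q, G = 2039, 1019, 4

def rand_poly(t, const=None):
    """Random degree-(t-1) polynomial over Z_q; `const` pins the constant term."""
    coeffs = [secrets.randbelow(Q) for _ in range(t)]
    if const is not None:
        coeffs[0] = const
    return coeffs

def evaluate(coeffs, x):
    """f(x) mod q for the coefficient list [a_0, ..., a_(t-1)]."""
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q

def vss_check(share, v, commitments):
    """Node v accepts a share iff g^share == prod_k C_k^(v^k) mod p."""
    rhs = 1
    for k, c in enumerate(commitments):
        rhs = rhs * pow(c, pow(v, k, Q), P_MOD) % P_MOD
    return pow(G, share, P_MOD) == rhs

def deal_round(polys, nodes, cheaters=()):
    """One sharing round; each dealer in `cheaters` sends one share that is off
    its committed polynomial. Returns (ledger, qualified dealers, summed shares)."""
    ledger = {u: [pow(G, a, P_MOD) for a in poly] for u, poly in polys.items()}
    inbox = {v: {} for v in nodes}
    for u, poly in polys.items():
        victim = min(n for n in nodes if n != u)
        for v in nodes:
            forged = u in cheaters and v == victim   # True adds 1 to the share
            inbox[v][u] = (evaluate(poly, v) + forged) % Q
    # Complaint phase: a failed check against the ledger disqualifies the dealer.
    accused = {u for v in nodes for u, s in inbox[v].items()
               if not vss_check(s, v, ledger[u])}
    qualified = sorted(set(polys) - accused)
    shares = {v: sum(inbox[v][u] for u in qualified) % Q for v in nodes}
    return ledger, qualified, shares

def aggregate_commitments(ledger, qualified, t):
    """A_k = prod_u C_(u,k). A_0 is the group public key; vss_check against the
    whole vector verifies any node's final share."""
    agg = [1] * t
    for u in qualified:
        agg = [a * c % P_MOD for a, c in zip(agg, ledger[u])]
    return agg

def reconstruct(shares, t):
    """Lagrange interpolation at x = 0 from t shares; refuses fewer."""
    if len(shares) < t:
        raise ValueError("below threshold")
    pts = sorted(shares.items())[:t]
    secret = 0
    for xi, yi in pts:
        num = den = 1
        for xj, _ in pts:
            if xj != xi:
                num = num * -xj % Q
                den = den * (xi - xj) % Q
        secret = (secret + yi * num * pow(den, -1, Q)) % Q
    return secret

def refresh(shares, agg, dealers, nodes, t):
    """Key update: every dealer deals a zero-constant polynomial, so the group
    secret is unchanged while the shares are re-randomised."""
    polys = {u: rand_poly(t, const=0) for u in dealers}
    ledger, qualified, deltas = deal_round(polys, nodes)
    if any(ledger[u][0] != 1 for u in qualified):   # C_0 must equal g^0 = 1
        raise ValueError("refresh polynomial has a non-zero constant term")
    delta_agg = aggregate_commitments(ledger, qualified, t)
    new_shares = {v: (shares[v] + deltas[v]) % Q for v in nodes}
    return new_shares, [a * d % P_MOD for a, d in zip(agg, delta_agg)]

def run_demo(f=2):
    """P = 3f + 1 nodes, threshold t = 2f + 1; the first f dealers cheat."""
    n, t = 3 * f + 1, 2 * f + 1
    nodes = list(range(1, n + 1))
    polys = {u: rand_poly(t) for u in nodes}
    ledger, qual, shares = deal_round(polys, nodes, cheaters=set(nodes[:f]))
    agg = aggregate_commitments(ledger, qual, t)
    new_shares, new_agg = refresh(shares, agg, qual, nodes, t)
    honest = nodes[f:]                      # exactly 2f + 1 = t honest nodes
    return {
        "qualified": qual,
        "secret": sum(polys[u][0] for u in qual) % Q,   # demo-only ground truth
        "recovered": reconstruct({v: shares[v] for v in honest}, t),
        "recovered_after_refresh": reconstruct({v: new_shares[v] for v in honest}, t),
        "group_pk": agg[0],
        "group_pk_after_refresh": new_agg[0],
        "shares_verify": all(vss_check(shares[v], v, agg) for v in nodes),
        "new_shares_verify": all(vss_check(new_shares[v], v, new_agg) for v in nodes),
    }

if __name__ == "__main__":
    print(run_demo())
```

The `secret` entry exists only so the demo can check itself; in the protocol no party ever computes it, and the `ValueError` in `reconstruct` is an API guard, not the source of the confidentiality guarantee.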
Theorem 5 (Sybil attack resistance). cannot create multiple fake identities to increase control, disrupt consensus, or compromise key generation.
Proof: As established in the threat model (Section 4.3), each assistant node ANu must deposit a mandatory stake during the registration phase. To pose a substantive threat to the DKG process or BFT consensus, must control at least f + 1 nodes. Consequently, the minimum financial cost incurred by is . Under the assumption of a financially rational adversary, will only initiate an attack if the illicit gain from compromising medical data exceeds . By setting such that , the protocol renders large-scale Sybil attacks economically unfeasible. Furthermore, the blockchain ensures a unique one-to-one mapping between a node’s identity and its on-chain address. If utilizes its Sybil nodes to transmit inconsistent coefficient commitments or forged shares, honest nodes will generate accusation messages containing cryptographic evidence . Upon verifying the breach via BFT consensus, the smart contract automatically executes the penalty mechanism. This results in the irreversible forfeiture of the total stake and the immediate invalidation of all associated public keys.
7. Scheme analysis
In this section, we provide the theoretical and experimental analyses of the BMHADS scheme. Table 2 lists the notations employed.
7.1. Theoretical analysis
7.1.1. Functional comparison.
To evaluate the comprehensive performance of the proposed BMHADS scheme, we compare it with several state-of-the-art schemes [18,16,15,21,33,32] in Table 3.
Regarding functional completeness, while schemes [18] and [21] support hierarchical access, they lack blockchain-based security guarantees. Schemes [15,16,21] implement multi-authority authorization, yet fall short in data source authentication and verification, which are critical in IoMT scenarios. In terms of security and traceability, only schemes [33], [32], and our proposed framework integrate blockchain technology. However, [33] and [32] fail to support complex hierarchical data sharing and multi-authority collaboration simultaneously. Notably, most existing schemes still rely on Type-1 symmetric pairings. According to modern cryptographic standards, Type-1 curves exhibit significant parameter redundancy at a 128-bit security level. In contrast, our scheme is the only one to adopt Type-3 asymmetric pairing curves while achieving all the listed security features. This choice not only enhances computational efficiency but also significantly reduces the storage overhead for resource-constrained IoMT devices. In summary, the proposed scheme outperforms existing solutions in both functional coverage and technical architecture, making it better suited to complex medical data-sharing environments.
7.1.2. Storage overhead.
Table 4 provides a theoretical comparison of the storage overhead across various schemes, utilizing the notations defined therein to evaluate key parameters: the authority’s public key (PKk), the master secret key (MSKk), the user’s private key (SKU), and the ciphertext (CT). A detailed analysis of the storage expressions reveals that most existing schemes [13,15,16,26,27] rely on symmetric pairings (), where the storage cost is determined by the element sizes of the finite field , and the groups and . However, these schemes, notably [27], often employ traditional Type-1 curves that offer only 80–100 bits of security—a level insufficient for the stringent security requirements of modern IoMT environments.
In contrast, the proposed scheme utilizes asymmetric pairings (), delivering a standard 128-bit security level that aligns with contemporary cryptographic benchmarks. Examination of the storage expressions shows that while the overhead in [13,15,16,26,27] is primarily linearly correlated with the number of attributes (ngl, ndu) and the size of elements, the total overhead of our scheme, expressed as , maintains linear growth across all terms, achieved despite the distinction between and . In practical deployments using BLS12-381 curves, elements are notably compact, even though elements are larger. Given that medical data-sharing access policies often involve a large number of attributes, the ciphertext is predominantly composed of group elements. Although the inclusion of introduces some overhead, it remains well within acceptable limits for most IoMT scenarios. Ultimately, the proposed scheme provides a superior security-to-overhead trade-off, making it highly suitable for resource-constrained yet security-sensitive IoMT applications.
7.1.3. Computational overhead.
Tables 5 and 6 present a comparative analysis of the computational overhead of existing schemes and the proposed BMHADS framework, focusing on key generation, user revocation, user joining, policy updates, and encryption/decryption. The evaluation focuses exclusively on the execution time of exponentiation operations across groups , , , , and , as well as the bilinear pairing operations and .
As illustrated in Table 5, the key generation cost in schemes [10,11,12] correlates primarily with the number of user attributes. In contrast, our proposed scheme exhibits a linear relationship with both the number of authorities and the attributes possessed by a user. Regarding user revocation in scheme [12], the algorithm involves the cloud server removing corresponding user entries from a key list; since this primarily entails storage deletion, its computational overhead for user departure is negligible (zero). However, the proposed scheme incurs a computational cost of for user revocation, where the complexity scales linearly with the number of revoked users (nre) to maintain decentralized security. For user joining, the computational cost of scheme [12] is , whereas our scheme requires . This overhead arises because users must interact with multiple authorities via anonymous protocols to ensure decentralized trust. Furthermore, while the compared schemes do not address policy updates, our framework minimizes this cost by only updating modified attributes, resulting in an efficient overhead of .
As shown in Table 6, in schemes such as [13,15,16,26,27], data owners must generate independent access policies and perform separate encryption operations for each of the l files. Consequently, the encryption complexity is determined by the cumulative set of attributes across all files, denoted as . Similarly, during decryption, users must simultaneously satisfy l distinct access policies, making the complexity proportional to the set of smallest internal nodes across all structures. This results in a computational burden that scales linearly with the file count l. In contrast, the proposed approach introduces an integrated hierarchical access structure. By unifying access control for multiple files into a single policy, our design significantly reduces redundant computations. This one-time encryption for multi-level files eliminates the need for repetitive policy processing, thereby substantially lowering overall computational overhead and enhancing system efficiency.
7.1.4. Complexity of the DKG Protocol.
The formal communication complexity of the DKG protocol is modeled by analyzing the efficiency of its interactions across its entire lifecycle. In the registration phase, each assistant node broadcasts its identity IDu and dual public key pairs (), incurring a linear communication overhead of O(P). During the commitment phase, the blockchain BFT consensus acts as a reliable broadcast channel for nodes to upload commitment vectors , resulting in a complexity of O(P² + Pt) derived from consensus interactions and payload weight. The share exchange phase involves P(P − 1) point-to-point transmissions of encrypted fragments Cu,v, yielding O(P²) complexity, while the complaint phase (if triggered) similarly requires O(P²) for evidence synchronization via BFT consensus. Furthermore, the collaborative authentication phase entails collecting P partial signatures (O(P)) and broadcasting a constant-size aggregate signature (O(1)). Finally, the key update phase generates O(P²) traffic by distributing encrypted share increments . Consequently, the overall communication complexity of the protocol is formally defined as O(P²).
On-chain storage overhead analysis. Let P denote the number of assistant nodes, t the secret sharing threshold, and f the maximum number of tolerable malicious nodes satisfying . The on-chain storage overhead of the proposed BMHADS scheme consists of four primary components.
First is the node registration phase, where each assistant node persists its unique identifier of bytes, blockchain address of Laddr bytes, encryption public key of bytes, signing public key of bytes, and security deposit of Lstake bytes on the ledger. This results in a constant per-node registration storage cost and a cumulative network load of .
Subsequently, during the commitment phase, each node broadcasts a commitment vector of length t in group to facilitate VSS, generating a core storage load of bytes.
Additionally, the complaint and arbitration phase generates on-demand overhead, as a single evidence package comprises the accused node’s address, invalid share ciphertexts, local signatures, accuser signatures, and corresponding commitments. The storage cost for a single complaint is defined as , leading to a total worst-case overhead of , though the impact of such rare events on long-term ledger expansion remains limited.
Finally, in the key update and authentication phase, the system persists the hash evidence of new shares of bytes along with a constant-size system-level aggregate signature of bytes.
Consequently, the expression for the total on-chain storage overhead is , where represents the auxiliary system metadata overhead required by the blockchain infrastructure, including transaction headers, timestamps, and block index information.
7.2. Experimental analysis
The proposed BMHADS scheme is implemented in C/C++ using the MIRACL cryptographic library within the Visual Studio Code environment. To provide a comprehensive evaluation, we implement both Type-1 symmetric pairings (based on a supersingular curve) and Type-3 asymmetric pairings (based on the BLS12-381 curve) to achieve 128-bit security. Additionally, the blockchain infrastructure is deployed on the Hyperledger Fabric 2.4 consortium platform with a BFT consensus mechanism, ensuring consistent synchronization of DKG commitments and decentralized evidence storage for collaborative authentication. The specific hardware configurations, blockchain parameters, and detailed cryptographic parameter settings used in our experiments are summarized in Table 7.
In the experimental configuration, the number of AAs is fixed at N = 10 to simulate a large-scale decentralized healthcare network. For the access structure, hybrid threshold gates are employed to evaluate system performance under complex policies, while the transmission node scales nT and their corresponding subnodes are kept within a small range. Two main testing scenarios are implemented. First, the file hierarchy depth is fixed at l = 5, and the number of attributes in the set Att(x,y) is varied across {10, 20, 30, 40, 50}. Second, the attribute count is fixed at 20, and the number of files l is varied across {4, 6, 8, 10, 12} to assess the efficiency of hierarchical processing.
Fig 6(a) compares the ciphertext storage overhead of different CP-ABE schemes under varying numbers of attributes. The storage cost of all schemes increases with the number of attributes. Among them, the scheme in [15] shows the fastest growth, followed by the schemes in [26,27], while the schemes in [13,16] exhibit lower growth. For attribute counts ranging from 10 to 50, the ciphertext storage overhead of the proposed scheme remains lower than that of all comparison schemes. Existing schemes require embedding the entire access policy into the ciphertext, resulting in significant redundancy, whereas the proposed scheme effectively reduces ciphertext storage overhead by leveraging a hierarchical structure.
Fig 6 panels: (a) Ciphertext size, (b) Key generation, (c) Encryption files, (d) Decryption files, (e) Encryption attributes, (f) Decryption attributes, (g) User revocation, (h) User joining, (i) Policy update.
Fig 6(b) compares the key generation time of different CP-ABE schemes under varying numbers of attributes. As shown, the computational cost of key generation increases linearly with the number of attributes. In the proposed BMHADS scheme, the number of attribute authorities is fixed at N = 10. When the number of attributes is less than 20, the key generation time of our scheme is slightly higher than that of scheme [10]. When the attribute count ranges from 10 to 12, our scheme also exhibits slightly higher key generation time than schemes [11,12]. However, when the attribute count exceeds 20, the key generation time of our scheme is lower than that of schemes [10,11,12], demonstrating superior performance.
Fig 6(c) compares the computational overhead of different CP-ABE schemes in terms of encryption time as the number of files increases. The encryption overhead increases linearly with the number of attributes. The encryption overhead of scheme [15] is significantly higher than that of the other schemes. The three schemes [13,26,27] are comparable. Scheme [16] has lower overhead than these, but higher than that of the proposed scheme. The proposed scheme has the lowest overhead and the slowest growth rate due to the reduction in redundant attribute encryption achieved by its hierarchical structure.
Fig 6(d) compares the computational cost of decryption as the number of files increases. The decryption overhead for each scheme increases linearly with the number of attributes. Scheme [15] has the highest cost, while [27] and [13] are similar and rank second, and [26] and [16] are similar and lower. The proposed scheme consistently has the lowest cost when decrypting 4–12 nested files.
Fig 6(e) compares the computational overhead of encryption time as the number of attributes increases. The overhead of all schemes increases linearly. The schemes in [15,26,27] increase more rapidly, while those in [13,16] increase more slowly. The computational cost of the proposed scheme is lower than that of [13,16]. Therefore, for a fixed number of files, the proposed scheme always has the lowest encryption cost.
As shown in Fig 6(f), the decryption time for all schemes increases with the number of attributes. Scheme [15] has the highest overhead. When the number of attributes is less than 20, scheme [13] has a higher overhead than scheme [27]. When the number of attributes is approximately 25, scheme [13] has lower overhead than scheme [27]. Schemes [26] and [16] have lower decryption times, with scheme [26] performing slightly better than scheme [16]. The proposed scheme, BMHADS, maintains the lowest decryption cost across all attribute counts.
Fig 6(g) shows that the computational overhead of user revocation in the proposed scheme increases linearly with the number of attributes, due to the proposed scheme’s use of a proxy-based re-encryption key-update mechanism, which requires re-encrypting only the affected ciphertext components.
Fig 6(h) compares the cost of user enrollment when the number of authorities is fixed at 10. When the number of attributes is less than 60, the cost of scheme [12] is lower than that of BMHADS, because BMHADS incurs a fixed overhead due to the execution of the anonymous exchange protocol. When the number of attributes exceeds 60, the cost of BMHADS is lower than that of scheme [12].
Fig 6(i) shows that the policy update overhead increases linearly with the number of attributes. The proposed BMHADS scheme updates only the portions of the attribute ciphertext that have changed, leaving the rest unchanged, thereby reducing policy update costs.
Blockchain Experiment: To simulate realistic IoMT scenarios and evaluate the system’s performance at scale, the number of assistant nodes is fixed at P = 100, and the corresponding threshold is set to . Table 8 provides a comprehensive decomposition of the computational time, communication overhead, and blockchain interaction costs under this configuration.
As illustrated in Fig 7(a), we evaluated the evolution of storage overhead as the number of nodes (P) scaled from 10 to 100. Experimental results demonstrate that the storage load increases from 16.97 KB at P = 10 to 1293.8 KB (1.27 MB) at P = 100. Although the growth follows a quadratic trend, the overhead remains well below the single-block capacity limit, verifying the system’s scalability in large-scale healthcare collaborative environments.
Fig 7 panels: (a) Blockchain overhead, (b) Signature overhead, (c) Latency & throughput.
Fig 7(b) illustrates that the aggregate threshold signature maintains a fixed length of 96 bytes and constant space complexity. Traditional ECDSA-based schemes, by contrast, exhibit linear overhead growth relative to the number of participating nodes. Substantial storage optimization curtails the on-chain footprint and eases the communication load during blockchain consensus. Empirical measurements confirm that 100 assistant nodes complete the end-to-end key update activation within 1.52 s. Rapid state transitions ensure scalable deployment across large-scale IoMT networks involving resource-limited devices.
Based on the consensus latency trends illustrated in Fig 7(c), the sub-second delay exhibited by the system has a negligible impact on the real-time availability of medical data. The BMHADS framework achieves deep decoupling between the control plane and the data plane, with the encryption and transmission of real-time physiological indicators treated as data-plane operations that bypass the blockchain consensus process. The availability of these high-frequency data streams is primarily determined by local computational efficiency and network bandwidth, with the measured encryption time increasing from 36.5 ms (for 10 attributes) to 126.1 ms (for 50 attributes), demonstrating linear scalability with respect to the attribute set size. In contrast, the blockchain serves solely as the control plane for low-frequency security tasks, such as DKG commitment synchronization and key updates. This architectural paradigm ensures that the 280 ms consensus latency introduces minimal authorization delay and does not obstruct the continuous ingestion or authorized retrieval of critical clinical monitoring flows. Consequently, the results confirm that the proposed scheme fulfills the stringent responsiveness requirements of emergency medical scenarios while maintaining strong consistency in security governance.
BFT Experiment: As illustrated in Fig 8(a), we analyzed the impact of varying malicious node ratios f on the source authentication success rate. The results demonstrate that the system maintains a 100% authentication success rate provided that f remains below the theoretical BFT threshold f < 33%, whereas the success rate drops abruptly to zero once f exceeds this limit. These findings underscore the critical role of BFT in safeguarding the authenticity of medical data. In multi-authority collaborative healthcare environments, BFT consensus ensures that honest nodes reach a consistent, correct agreement even if a fraction of ANs are compromised by attackers attempting to inject fraudulent physiological data. Such resilience effectively mitigates the risk of clinical misdiagnosis arising from data tampering, providing a trustworthy and high-fidelity foundation for patient diagnostics.
Fig 8 panels: (a) Authentication success rate, (b) Performance comparison.
Fig 8(b) further quantifies the additional performance overhead caused by Byzantine attacks: experimental results show that for every 5% increase in the proportion of malicious nodes, consensus latency increases by approximately 15–25 ms. In an extreme attack scenario where malicious nodes account for 30% of the network, system consensus latency rises to 250 ms due to message retransmissions and multi-round broadcast verification. Analysis indicates that, even under such hostile network conditions, a 250 ms delay remains well below the widely accepted 1-second real-time response threshold required for clinical medical monitoring. Furthermore, thanks to the architecture’s decoupling of the control plane from the data plane, high-frequency, real-time physiological data is transmitted via an ultra-fast off-chain algorithm that performs data anonymization in only 36.5–126.1 ms, with availability completely independent of the on-chain consensus process. This design ensures that performance fluctuations in the consensus layer affect only low-frequency management operations, such as permission synchronization, and never block the core real-time monitoring stream. It strongly demonstrates the feasibility of deploying this solution and its ability to ensure business continuity in real-world IoMT environments where resource-constrained endpoints coexist with complex network threats.
The computational offloading model validates the practical deployment feasibility of BMHADS on resource-constrained IoMT hardware. By delegating intensive tasks, including BFT consensus interactions and DKG maintenance, to capable assistant nodes, terminal endpoints, such as wearable sensors, can execute millisecond-level local operations, such as BLS signing, in approximately 0.27 ms while maintaining a minimal local storage footprint. This architecture prioritizes battery longevity and storage efficiency while ensuring that resource-limited devices maintain seamless business continuity even under complex network threats.
8. Conclusion
This study proposes a BMHADS framework for the IoMT. The framework implements fine-grained access control through a hierarchical CP-ABE and utilizes blockchain-based distributed threshold signatures to enhance system integrity and traceability. The proposed DKG protocol satisfies validity, robustness, confidentiality, and Sybil attack resistance. A key update mechanism based on PRE supports efficient user revocation. Security analysis demonstrates that the system can resist collusion among multiple authorizing entities and chosen-plaintext attacks; experimental results validate its superior computational and storage efficiency compared to existing solutions. Future work will incorporate an edge computing architecture to offload computationally intensive tasks, such as the hierarchical CP-ABE algorithm, to edge nodes. It will also investigate lightweight consensus mechanisms and distributed caching strategies to further enhance the system’s real-time performance and applicability.
Supporting information
S1 Appendix. Source code.
All code used in this study is available in the following public GitHub repositories.
- MIRACL Main Repository: https://github.com/mirac1/MIRACL
- MIRACL Core Library: https://github.com/mirac1/core
https://doi.org/10.1371/journal.pone.0349767.s001
(PDF)
S1 File. Minimal dataset.
This file contains the minimal anonymized dataset underlying the findings presented in this study.
https://doi.org/10.1371/journal.pone.0349767.s002
(XLSX)
References
- 1. Timko D, Sharko M, Li Y. Security analysis of wearable smart health devices and their companion apps. In: 2024 IEEE Security and Privacy Workshops (SPW). IEEE; 2024. pp. 274–280. Available from: https://doi.org/10.1109/SPW63631.2024.00033
- 2. Tao Y, Zhu Y, Ge C, Zhou L, Zhou S, Zhang Y, et al. ORR-CP-ABE: A secure and efficient outsourced attribute-based encryption scheme with decryption results reuse. Future Gener Comput Syst. 2024;161:559–71.
- 3. Shen C, Lu Y, Li J. Expressive public-key encryption with keyword search: generic construction from KP-ABE and an efficient scheme over prime-order groups. IEEE Access. 2020;8:93–103.
- 4. Zhang L, Xie S, Wu Q, Rezaeibagha F. Enhanced secure attribute-based dynamic data sharing scheme with efficient access policy hiding and policy updating for IoMT. IEEE Internet Things J. 2024;11(16):27435–47.
- 5. Acheampong EM, Zhou S, Liao Y, Antwi-Boasiako E, Obiri IA. Smart health records sharing scheme based on partially policy-hidden CP-ABE with leakage resilience. In: 2022 IEEE 24th Int Conf on High Performance Computing & Communications; 8th Int Conf on Data Science & Systems; 20th Int Conf on Smart City; 8th Int Conf on Dependability in Sensor, Cloud & Big Data Systems & Application (HPCC/DSS/SmartCity/DependSys). IEEE; 2022. pp. 1408–15. Available from: https://doi.org/10.1109/HPCC-DSS-SmartCity-DependSys57074.2022.00218
- 6. Hu G, Zhang L, Mu Y, Gao X. An Expressive “Test-Decrypt-Verify” attribute-based encryption scheme with hidden policy for smart medical cloud. IEEE Syst J. 2021;15(1):365–76.
- 7. Li C, Dong M, Xin X, Li J, Chen X-B, Ota K. Efficient privacy preserving in IoMT with blockchain and lightweight secret sharing. IEEE Internet Things J. 2023;10(24):22051–64.
- 8. Bao Y, Qiu W, Tang P, Cheng X. Efficient, revocable, and privacy-preserving fine-grained data sharing with keyword search for the cloud-assisted medical IoT system. IEEE J Biomed Health Inform. 2022;26(5):2041–51. pmid:34329173
- 9. Chase M. Multi-authority attribute based encryption. Theory of Cryptography. Springer; 2007. pp. 515–34. https://doi.org/10.1007/978-3-540-70936-7_28
- 10. Duan P, Ma Z, Gao H, Tian T, Zhang Y. Multi-authority attribute-based encryption scheme with access delegation for cross blockchain data sharing. IEEE Trans Inform Forensic Secur. 2025;20:323–37.
- 11. Zhao C, Xu L, Li J, Fang H, Zhang Y. Toward secure and privacy-preserving cloud data sharing: online/offline multiauthority CP-ABE with hidden policy. IEEE Syst J. 2022;16(3):4804–15.
- 12. Liu J, Tang H, Li C, Sun R, Du X, Guizani M. vFAC: Fine-grained access control with versatility for cloud storage. In: 2018 IEEE Global Communications Conference (GLOBECOM). IEEE; 2018. pp. 1–6. Available from: https://doi.org/10.1109/GLOCOM.2018.8647169
- 13. Varri US, Pasupuleti SK, K.V. K. Traceable and revocable multi-authority attribute-based keyword search for cloud storage. J Syst Arch. 2022;132:102745.
- 14. Lewko A, Waters B. Decentralizing attribute-based encryption. In: Paterson KG, editor. Advances in Cryptology – EUROCRYPT 2011. Springer; 2011. pp. 568–88. Available from: https://doi.org/10.1007/978-3-642-20465-4_31
- 15. Liang P, Zhang L, Kang L, Ren J. Privacy-preserving decentralized ABE for secure sharing of personal health records in cloud storage. J Inf Secur Appl. 2019;47:258–66.
- 16. Qian H, Li J, Zhang Y, Han J. Privacy-preserving personal health record using multi-authority attribute-based encryption with revocation. Int J Inf Secur. 2015;14(6):487–97.
- 17. Bobba R, Khurana H, Prabhakaran M. Attribute-sets: a practically motivated enhancement to attribute-based encryption. In: Backes M, Ning P, editors. Computer Security – ESORICS 2009. Springer; 2009. pp. 587–604. Available from: https://doi.org/10.1007/978-3-642-04444-1_36
- 18. Wang S, Zhou J, Liu JK, Yu J, Chen J, Xie W. An efficient file hierarchy attribute-based encryption scheme in cloud computing. IEEE Trans Inform Forensic Secur. 2016;11(6):1265–77.
- 19. Xiao M, Li H, Huang Q, Yu S, Susilo W. Attribute-based hierarchical access control with extendable policy. IEEE Trans Inform Forensic Secur. 2022;17:1868–83.
- 20. Guo R, Li X, Zheng D, Zhang Y. An attribute-based encryption scheme with multiple authorities on hierarchical personal health record in cloud. J Supercomput. 2020;76(7):4884–903.
- 21. Roy S, Agrawal J, Kumar A, Rao UP. Mh-abe: multi-authority and hierarchical attribute based encryption scheme for secure electronic health record sharing. Cluster Comput. 2024;27(5):6013–38.
- 22. Sun J, Ren L, Wang S, Yao X. Multi-keyword searchable and data verifiable attribute-based encryption scheme for cloud storage. IEEE Access. 2019;7:66655–67.
- 23. Ning J, Cao Z, Dong X, Liang K, Ma H, Wei L. Auditable sigma-time outsourced attribute-based encryption for access control in cloud computing. IEEE Trans Inform Forensic Secur. 2018;13(1):94–105.
- 24. Miao Y, Ma J, Jiang Q, Li X, Sangaiah AK. Verifiable keyword search over encrypted cloud data in smart city. Comput Electric Eng. 2018;65:90–101.
- 25. Liang W, Yang Y, Yang C, Hu Y, Xie S, Li K-C, et al. PDPChain: a consortium blockchain-based privacy protection scheme for personal data. IEEE Trans Rel. 2023;72(2):586–98.
- 26. Tian T, Shen Y, Gao H, Ma Z, Guo Z, Duan P. Attribute-based heterogeneous data privacy sharing in blockchain-assisted industrial IoT. IEEE Internet Things J. 2025;12(8):10404–19.
- 27. Yu J, Liu S, Xu M, Guo H, Zhong F, Cheng W. An efficient revocable and searchable MA-ABE scheme with blockchain assistance for C-IoT. IEEE Internet Things J. 2023;10(3):2754–66.
- 28. Lee J, Oh J, Kwon D, Kim M, Kim K, Park Y. Blockchain-enabled key aggregate searchable encryption scheme for personal health record sharing with multidelegation. IEEE Internet Things J. 2024;11(10):17482–94.
- 29. Ateniese G, Francati D, Nuñez D, Venturi D. Match Me if You Can: matchmaking encryption and its applications. J Cryptol. 2021;34(3).
- 30. Xu S, Ning J, Li Y, Zhang Y, Xu G, Huang X, et al. Match in My Way: fine-grained bilateral access control for secure cloud-fog computing. IEEE Trans Dependable Secure Comput. 2020;:1–1. https://doi.org/10.1109/tdsc.2020.3001557
- 31. Yao M, Huang J, Weng J, Liu J-N, Liu H, Weng J, et al. Efficient and verifiable bilateral fine-grained access control for cloud–edge iot healthcare. IEEE Internet Things J. 2025;12(20):43181–94.
- 32. Qi S, Lu Y, Zheng Y, Li Y, Chen X. Cpds: enabling compressed and private data sharing for industrial internet of things over blockchain. IEEE Trans Ind Inf. 2021;17(4):2376–87.
- 33. Zhang J, Yang Y, Liu X, Ma J. An efficient blockchain-based hierarchical data sharing for healthcare internet of things. IEEE Trans Ind Inf. 2022;18(10):7139–50.