The key security management scheme of cloud storage based on blockchain and digital twins

As a secure distributed ledger technology, blockchain has attracted widespread attention from academia and industry for its decentralization, immutability, and traceability characteristics. This paper proposes a cloud storage key security management scheme based on blockchain. To resist brute-force attacks launched by adversaries on ciphertexts, the scheme uses an oblivious pseudo-random function (OPRF) to generate randomized convergent keys and improve data confidentiality. Second, the scheme enhances the reliability of concurrent key management through a secret sharing mechanism, where convergent keys are split into key fragments and distributed on blockchain for storage. Even if a certain number of key fragments are lost or damaged, users can still recover complete key information through block transaction records. In addition, the scheme effectively supports file-level and block-level data security deduplication. Security analysis and experimental performance evaluation indicate that this scheme can ensure the security of keys and the confidentiality of data, and it has a low computational overhead for generating file-level encryption keys under this scheme. Even for a 100 MB file, the computational overhead required for generating encryption keys is less than 2 s, which improves computational efficiency.


Introduction
Cloud computing [1] as a new type of computing model and service category, uses technologies such as virtualization, distributed computing, and dynamic scheduling to provide flexible demand allocation, scalable computing services, and elastic resource scheduling for enterprises and users.This effectively addresses issues such as imbalanced resource sharing and low storage efficiency, greatly improving the utilization rate of computing resources [2].In the cloud computing service model, enterprises and users can reasonably configure resources, obtain the corresponding computing and storage resources as needed through cluster functions, distributed systems, and heterogeneous storage devices, and thus reduce their own data management costs.Cloud storage, as an important technology extension of cloud computing development [3], provides remote and efficient data storage services for enterprises and users through network services and collaboration with a large number of heterogeneous storage devices.This not only changes the traditional local data storage mode but also reduces the high data management and maintenance costs for enterprises and users.With advantages such as high efficiency, high scalability, low cost, and low energy consumption, cloud storage has become the mainstream data storage model.
The increasing volume of user data has placed a significant burden on cloud storage service providers.According to a report by the Internet Data Center (IDC) [4], in 2016, the total global data volume reached approximately 16ZB, and by 2025, it is estimated that the global data volume will reach about ten times that of 2016, reaching 163ZB.In the face of such a massive amount of data, cloud storage service providers typically employ data deduplication techniques to detect redundant data and optimize data storage [5,6].To reduce storage costs, deduplication technology has been widely adopted by cloud storage service providers and has become an indispensable data optimization technology on cloud servers [3].However, users will apply secure encryption algorithms to their data to ensure data security.Implementing traditional encryption algorithms will produce randomized ciphertexts, which will cause the deduplication technology to lose effectiveness [7].Converging encryption algorithm has been proposed to solve the compatibility issue between encryption algorithms and deduplication technology.In this algorithm, the keys required for encryption (also known as converging keys) are derived from the data content itself, ensuring the consistency of the data plaintext and ciphertext [8], i.e., the same plaintext data can generate the same ciphertext.Therefore, converging encryption algorithms [9] have been widely used in cloud storage systems.However, securing converging keys in assembling encryption algorithms is always a considerable challenge.If the converging key is stored locally by the User, although it can ensure the security of the key, as the volume of user data increases, the number of converging keys will also present a geometric growth trend, which will be a considerable storage burden for the User.Most cloud storage systems that support vital management will choose to introduce a trusted third party to assist users in managing their keys to share the computation and communication overhead on the user side.However, raising the third-party management server will make the system vulnerable to collusion attacks launched by attackers, resulting in the leakage of the original keys and ciphertexts.As early as 2018, over 50 million user profiles on Facebook were leaked, obtained and utilized by another data analysis company without the users' knowledge.In the same year, the MyFitnessPal platform, owned by the famous American sports brand Under Armour, experienced a data breach affecting 150 million users, including leaked information such as user account passwords and home addresses.In 2021, a large-scale data breach occurred on Twitch, a live streaming platform owned by Amazon, where at least 100 GB of platform data was stolen by hackers.Therefore, how to resist collusion attacks and ensure the confidentiality and security of convergent keys remains a significant research topic in cloud security storage systems [10,11].
In recent years, blockchain technology has attracted widespread attention from the academic community, industry, and government institutions.Its decentralization, immutable data, and traceability characteristics have become the focus of many researchers.In a blockchain network, all participants can complete the processes of generating, transmitting, packaging, and verifying transaction information without relying on trusted third-party authorities or management centers.Once the transaction information is successfully added to the chain, participants cannot tamper with or forge the transaction information on the block.Therefore, blockchain provides users with security guarantees such as immutability, transparency, and traceability for their transaction information, which has led to the widespread application of blockchain technology in various fields, including the education industry, financial sector, industrial manufacturing, supply chain, medical system, and intelligent transportation.Similarly, the decentralization characteristics of blockchain will also provide new solutions and directions for the security issues in the cloud mentioned above storage systems.
In response to the issues mentioned above, this paper proposes a cloud storage key security management scheme based on blockchain, which mainly contributes as follows: • A cloud storage key security management scheme based on blockchain is proposed, which ensures the security of encryption keys without introducing a trusted third-party key management server.In this scheme, the user's critical information is uploaded to the blockchain as block transactions, ensuring the vital information cannot be maliciously tampered with.• A distributed critical management method is constructed using a secret sharing mechanism to improve the reliability of key management.In this scheme, the encryption key is cut into key fragments and distributed to the blockchain for storage.The original key can be recovered only when a pre-set threshold number of critical pieces is obtained.• Different secret factors are introduced in file-level secure storage and block-level secure storage to enhance the secrecy of the convergent encryption algorithm.The adversary cannot obtain the original data through brute-force attacks even if the user data belongs to a predictable dataset.Security analysis shows that this scheme can ensure data confidentiality and critical security.
This article is mainly divided into six parts, conducting in-depth research on the cloud storage key security management scheme.The specific arrangement is as follows: The first section is the introduction, which describes the research background of cloud storage and analyzes the shortcomings and defects of existing cloud storage key schemes.The second section is the framework of the scheme, introducing the blockchain system model, explaining its threat model, and providing the system's security objectives.The third section is the implementation of the system scheme, proposing a blockchain-based cloud storage key security management scheme to achieve key security management without a trusted third party and ensure the security of the encryption keys.The fourth section on security analysis and the fifth section on experimental analysis show that this scheme has a low computational overhead in terms of time.Finally, there is a summary.

System model
As shown in Fig. 1, we will introduce the system model of the proposed scheme, which mainly includes the User, cloud storage provider (CSP), and blockchain (BC).
• User entity.Due to limited storage space, users choose to outsource their data to cloud storage service providers to save local storage space.To ensure data security, users need to perform secure encryption on the data and generate ciphertext, and finally, entrust the cloud storage service provider to store the ciphertext on the cloud server [12].
• Cloud storage provider.Cloud storage service providers can offer users sufficient storage space.In a cloud storage system that supports data deduplication optimization, cloud service providers must perform duplicate detection on user data and then allocate appropriate storage space to eliminate redundant data [13].• Blockchain.Blockchain is a distributed, innovative database technology that has garnered widespread public attention since its proposal in 2008.Bitcoin and Ethereum, applications designed with blockchain as the underlying technology, have thrived and gained increasing recognition and importance among researchers.The development of blockchain has gone through three stages so far: blockchain 1.0, blockchain 2.0, and blockchain 3.0, with each stage seeing a broader scope of applications compared to the previous one.The security issues inherent in blockchain systems have also become a focus of many researchers.Malicious attackers can still exploit blockchain protocols to devise targeted attacks, such as Sybil attacks [14][15][16], dust attacks, double-spend attacks [17,18], DDoS attacks [19], and mining attacks [20][21][22][23], among others.These can disrupt blockchain systems, preventing them from functioning normally, or even causing them to collapse altogether.The foundational architecture of blockchain generally consists of a six-layer model, from top to bottom: the application layer, the contract layer, the incentive layer, the consensus layer, the network layer, and the data layer.Each layer is responsible for specific functions, with the layers working together to construct a decentralized, distributed ledger system.such as cryptography, distributed network architecture, and consensus algorithm [24], which can provide highsecurity guarantees for users' transaction information [25].In the proposed solution of this paper, we will use the Ethereum blockchain to achieve secure and reliable convergence key management, and design a cloud storage key security management scheme.

Threat model
Based on the above system model, we will elaborate on the existing threat model.For the blockchain system model, we will provide a detailed explanation of the threat model, mainly for the following reasons: Ensuring security: By analyzing the threat model, we can better understand and predict the various factors that may pose threats to the blockchain system, thus taking corresponding security measures to prevent these threats and ensure the security of the system.Preventing potential attacks: The threat model can help us identify potential security vulnerabilities and weaknesses in the blockchain system, so that we can take measures to repair and strengthen them before attackers exploit these vulnerabilities, preventing potential security attacks.Improving system robustness: The analysis of the threat model can help us enhance the robustness of the blockchain system, enabling it to better cope with and resist various attacks when facing external and internal adversaries, and maintain stable system operation.Guiding security strategy formulation: By analyzing the threat model, we can better understand the security risks faced by the blockchain system, thus providing strong support for formulating targeted security strategies and measures el, which mainly includes two kinds of adversaries: external adversaries and internal adversaries.
This model mainly involves two types of adversaries: external adversaries and internal adversaries.
• External adversaries.External adversaries can be considered unauthorized users, lacking legitimate identity or permission information, and cannot directly interact with the system.External adversaries will attempt to collude with entities within the system, such as cloud storage service providers, to obtain information about user data, which will pose a considerable threat to the proposed approach.• Internal antagonists.Internal adversaries can be considered as entities within the system who have honest and curious characteristics; on the one hand, they will honestly follow the agreements stipulated by the system; on the other hand, they will try to obtain information about user data and expose as much user data information as possible to external adversaries for profit.Generally speaking, internal adversaries have a greater opportunity to access user data than external adversaries, and their threat to user data security is higher.

Security objectives
Based on the above security threats, this article will propose a cloud storage key security management scheme based on blockchain, which needs to meet the following security objectives: • Data confidentiality.The proposed scheme must ensure that external adversaries cannot obtain any information about user data, even if the user data belongs to a predictable data dictionary.In addition, the proposed scheme must consider a more practical issue: external adversaries collude with each other to steal user data, with the most common case being cloud storage service providers colluding with external adversaries and exposing the stored data on the cloud server to external adversaries.Therefore, the proposed scheme must ensure the confidentiality of data on the cloud storage server.• Security of encryption keys.In the proposed scheme, blockchain technology provides secure and reliable key management, where critical information is integrated into a block transaction and uploaded to the blockchain via NBM(Node Business Management).However, the transaction information on the blockchain is publicly transparent, and adversaries may obtain essential details directly.Therefore, the proposed scheme must ensure that only valid users can access the transaction information on the blockchain.In addition, the proposed method still needs to address the single point of failure issue existing in key management.

Basic notations
The symbols in this paper are defined as shown in Table 1 below.

System settings
• Set the ID of the user U to ID U and file ID to ID F .The ID of CSP is ID S .The corresponding Ethereum account is EA U .The identity identifier of CSP is ID CSP , and its corresponding Ethereum account is EA U .• Take safety parameter 1 λ as input parameter and P as output system parameter.In addition H, H 1 and H 2 as three safe hash functions, to calculate the parameters N, d, in this formula, e is RSA index (N < e), and modulus N is the product of two different prime numbers.In this case, the public key is pk = (N , e) , and the private key is sk = (N , e). • In traditional cloud storage systems, when user data is successfully stored on cloud servers, users need to pay storage fees to CSP.In addition, when user data is lost or damaged, CSP needs to compensate users for a certain loss.Specifically, we represent storage fees and compensation fees as Pay stor and Pay comp .

Blockchain node management
A blockchain node is one of the main components of the blockchain network systems, which can receive, transmit, and verify transaction information in a peer-to-peer network.To facilitate the description of the interaction process between the blockchain system and the proposed system model, we introduce the concept of node business management (NBM) in this scheme, which serves as the execution agent for blockchain nodes.NBM has a specific storage space and computing power, and no one can access the storage space.In addition, NBM can execute smart contracts to perform calculations and output calculation results, and it can assign specific blockchain nodes to each user to assist them in creating and uploading blockchain transactions.

File-level secure storage
This section will elaborate on the data security storage scheme at the file level.To resist violent attacks from adversaries, the proposed method adopts OPRF protocol to generate encryption keys, in which OPRF protocol can be implemented based on RSA blind signature [26,27].
The specific file-uploading process is shown in Fig. 2.
Step-1(file-level repeatability detection): In order to upload file F, user U calculates the label: User U uploads file label T F to the cloud storage server.Then, the cloud storage server will perform file repetition detection according to the file label T F .If the file F has already been stored in the cloud storage server, the server will return the file pointer σ (F ) to the user U, and the server does not need to upload the file F again.If file F has not been stored in the cloud storage server, the user U needs to encrypt file F to ensure data security.The details are in Step 2.
Step 2(File encryption): User U needs to convert the encryption key K F .Specifically, user U computes User U sends h' to NBM.NBM can select a random number r ← Z N , set up a database inside the node, record r and h', and finally send r to user U.
User U calculates blind information x User U sends x to NBM.NBM signs by blind message x.
NBM sends the signature y to U. User U can compute: User U can verify the correctness of the formula: Only if this formula is true, U can calculate the encryption key K F : Finally, U encrypts files through a symmetric encryption algorithm and obtains ciphertext C F : (1) Step-3(MAC generation): To verify the correctness of the encryption key, U can calculate the message authentication code (mac F ) of the encryption key K F : In addition, U performs a deterministic (n, k, r)-RSSS secret sharing scheme and shits MAC through the share algorithm of the partition function, that is: Step 4(Key distribution): U can perform the Share algorithm of the partitioning function to divide the key KF, that is: T K is the current time information.In the end, U uses the public key to encrypt I j and get the ciphertext: E(.) is an asymmetric encryption algorithm.
Step 5(Transaction generation): To generate a valid critical transaction, U calculates: User U sends the Data to the NBM, TX NBM will create a transaction record, including TX has a value that is: TX = From||To||Value||Data||Sig(TX), the value of the parameter From is the account of U, the value parameter To is CSP account, And the value of number value is the cost of the key distribution, the value of the number of references Data is H (ID U ) H(ID F ) H j C j and the Signature is Sig (TX).Eventually, NBM will deal with the TX chain and send the pointer σ(TX) to the User U. The complete transaction information is shown in Fig. 3.
Step 6(File download): In order to download file F, user U needs to reconstruct the recovery key K F and verify the correctness of the critical K F .Specifically, user U can obtain file F through the following steps: • User U gets Data = H(ID U )�H(ID F )�H j �C j from the blockchain via NBM.• User U calculates H (ID U ) H(ID F ) H j C j to parse ciphertext C Ij from Data and uses the private key sk to decrypt the plaintext I j = K fj �mac fj �T K .• User U verifies the correctness of T K .If that is right, I j is resolved from I j = K fj �mac fj �T K 。 • User U can repeat the preceding steps.When k copies of K fj and mac fj are obtained, user U can reconstruct and recover the encryption keys K F and MACmac F, that is:

Block-level secure storage
In this section, we will elaborate on the block-level secure storage scheme.The users must first perform the filelevel secure storage scheme in this scheme.Cloud storage, on the other hand, stores data on cloud servers, providing flexible and scalable storage services.Blocklevel storage involves dividing data into multiple blocks and storing them on different physical devices, which can improve data read and write speeds and storage efficiency.When the repetitive detection result shows that the file is not repeated, the user needs first to perform block technology on the file and then perform the blocklevel secure storage scheme.The specific uploading process of data blocks is shown in Fig. 4.
Step-1(block-level repeatability detection) User U divides file F into n data blocks as: The ID of data block Bi is ID Bi , and user U calculates that the label of data block is: User U uploads the data block tag T Bi to the cloud storage server.The cloud storage server executes file duplication detection based on the data block tag T Bi .If the data block Bi is stored in the cloud storage server, it returns the file pointer σ(Bi) to the user U; If data block Bi is not stored in the cloud storage server, user U will execute Step-2.
Step-2(data block encryption): User U treats the data block Bi as a leaf node and calculates the value of the root node by constructing a Merkle hash tree: User U calculates the data block encryption key: User U uses key K Bi to get ciphertext C Bi : User U uploads the ciphertext C Bi to the CSP: Step-3(MAC generation): User U can calculate the message authentication code mac Bi of the encryption key K Bi : User U executes the deterministic (n, k, r)-RSSS secret sharing scheme and shits MAC through the segmentation function Share algorithm, that is: Sept-6 (Fair Payment): After the data is uploaded to the cloud server, users need to pay for the storage service provided by the CSP.As shown in Fig. 6, user U (26) can submit a smart contract to the blockchain, which will be automatically activated and executed.If formula Γ 1 holds true, it means that the data block {B ij } has been completely stored on the cloud server, and at this time, user U needs to pay the corresponding storage service fees to the CSP.Otherwise, if formula Γ 1 does not hold true, it means that the data block {B ij } has been damaged or lost, and the CSP needs to assume corresponding responsibility and provide certain compensation for the damaged or lost data.
Step-7(File downloads): To restore file F, user U can perform the following steps: • User U sends pointer σ (TX) to NBM and gets K bij mac bij τ is resolved from I j .• Repeat the preceding steps for user U. When k copies of K bij and mac bij are obtained, user U can recover the keys K Bi and MACmac Bi , that is:K Bi = Recover K bij ,mac bi = Recover mac bij .

Security analysis
In this section, we will analyze the proposed scheme's security from data confidentiality and critical security.The specific analysis is as follows.

Confidentiality of data
Theorem 1: Even if Data F does not have a sufficiently sizeable minimum entropy, the proposed scheme can resist the violent attacks launched by the enemy against the ciphertext.Proof: In this scheme, user data must be uploaded and stored on the cloud server through an encryption algorithm.The adversary cannot obtain information about the original plaintext from the ciphertext itself.Thus, an adversary may infer the original plaintext F by bruteforce attacks from the known ciphertext information and the predicted file dictionary.The scheme proposed in this paper can realize data confidentiality protection under different fine-grained de-duplication, in which it is assumed that the enemy is z and the challenger is x.
1) To remove the duplication of the file storage, challenger x establishes a system protocol to encrypt file F. Specifically, OPRF is used to generate random secret information z for challenger x, and the process is as follows: (31) From the above, if the enemy z wants to obtain the original file F by brute force attack, it must first know the variables P and z, in which variable P is the system parameter, and it is assumed that there is no confidentiality in this scheme.According to formulas 31, 32, 33, and 34, it can be seen that enemy z can successfully pass the system challenge established by challenger x, and it needs to guess the value of parameter r.However, since parameter r is generated randomly by challenger x, the probability of enemy z guessing parameter r's value is almost negligible.Enemy z cannot obtain the original file F by brute force attack.
2) To remove the duplication of block-level storage, opponent z successfully passed the system challenge established by challenger x, and it is necessary to guess the variables P and τ. τ is generated by constructing a Merkle hash tree and is used as a secret factor to calculate the data block encryption key K Bi .Therefore, enemy z cannot obtain the original file F by brute force attack if he cannot obtain all the data blocks {Bi}.

Security of the key
Theorem 2: The encryption key distribution and recovery process is secure in this scheme.Proof: According to theorem 1, the generation of the key has certain confidentiality, and enemy z cannot obtain the key through brute force attacks to recover the original data.In this scheme, a malicious CSP may act as an internal adversary to collude with an external adversary to obtain the encryption key (CK).To ensure the security of CK, this scheme adopts two methods to resist such collusive attacks. 1) Dividing CK into key fragments by a secret sharing mechanism can avoid single-point failure and provide security and reliability for CK.Even if any r of n key fragments are damaged or replaced by the enemy, the original key CK can be recovered through the remaining key fragments.2) CK information will be integrated into a transaction in this scheme and uploaded to the blockchain.Due to the decentralized characteristics of blockchain, if opponent z does not have more than 51% of the total network computing power, it cannot modify CK.Therefore, CK information stored on the blockchain is secure.In addition, CK information is protected by the private key sk held by the User, which can make CK information on the blockchain to anyone (except the User who has the secret key sk) unordered ciphertext, which will (35) K F = KeyGen(F , P, H I (z) ensure that enemy Z cannot access any CK information from the blockchain.

Security of data
Theorem 3: If H is a collision-resistant hash function, under the assumption of the CDH problem being difficult, the proposed scheme can resist forgery attacks initiated by the adversary X and ensure data integrity.Proof: Assume there exists an adversary X and a challenger €.Furthermore, g is the generator of the group G, v and u are elements in the CDH problem, which v and u satisfy the equation v = g x and u = g y .
Initialization: The challenger € sends the system's public information, such as the generator g of the group G, the public key spk and pk, to the adversary X.
Hash query: The adversary X sends a hash query to the challenger, who obtains the hash function H and returns it to the adversary X.
Signature query: The adversary X forges an invalid aggregate signature L* according to the system protocol and passes the verification of the challenger €.The adversary X can calculate: Therefore, At this point, the adversary X has broken the CDH difficult problem with a negligible advantage, but according to the definition of the CDH difficult problem, this is not feasible computationally.

Experiment and performance analysis 1) Comparison of different schemes.
Regarding cloud storage key security management, Li [28] first proposed Dekey, a cloud storage security deduplication scheme, to achieve secure and reliable control of convergent keys.However, when user data belongs to a predictable data set, the method is vulnerable to brute-force attacks launched by adversaries.Wang [5] proposed a cloud storage security deduplication scheme (36) that supports key sharing to improve the management efficiency of convergent keys.However, this scheme introduces the third-party index server IS to manage the data, which may cause the information of user data to be leaked by the index server [29].Kwon [30] proposed a cloud storage security deduplication scheme, which uses pair-based cryptography technology to achieve scalable and reliable converging key management.However, due to the introduction of the third-party key management server KS [31,32], this scheme is also prone to conspiratorial attacks launched by adversaries.The method proposed in this article realizes secure and reliable key management by using blockchain and secret sharing mechanisms and ensures the security of the key [33].Table 2 provides a security comparison between the scheme proposed in this article and other methods.
Compared with other cloud storage key security management schemes, the method proposed in this article can resist violent attacks and collusion attacks launched by adversaries and has a higher security guarantee [14,34].
(Attack I means violent attack, and attack II means conspiratorial attack).
2) The computing cost of file label generation, key distribution, and key recovery is evaluated.
In Table 3, we provide the symbols used in the proposed scheme and the amount of memory they occupy.In Table 4, we summarize the computational costs of different methods in three phases: file label generation (phase I), key distribution (phase II), and critical recovery (phase III).As seen from Table 4, the calculation cost of the proposed scheme is lower in the three stages, especially in stage I, which is lower than Wang's scheme and Kwon's scheme.
3) Evaluate the amount of storage space required for the key.
Table 5 summarizes the different entities in the different scenarios, such as the User, provider, key management server(KS), index management server (IS), and blockchain (BC) need to allocate storage space for encryption keys.The table shows that the scheme proposed in this article needs to give less storage space for encryption keys.

4) Test the time cost of encryption key generation.
This scheme includes a file-level encryption key (F-CK) and a block-level encryption key (B-CK).Therefore, this experiment will be divided into two parts for testing.
• The effect of file size on the time overhead of filelevel encryption key generation.
In this scheme, the file-level encryption key is generated mainly through the OPRF protocol construction [35], and its calculation cost primarily depends on the original file's size.As shown in Fig. 7, a set of files is selected for testing in the experiment, whose file sizes (unit: MB) are 20, 40, 60, 80, and 100 as the abscissa variables.The experimental results show that this scheme has low computational cost in file-level encryption key    generation.The encryption key is generated even for 100 MB files, and the calculation cost is only about 2 s.
• The effect of file size on the time overhead of blocklevel encryption key generation.
In this scheme, generating a block-level encryption key includes three stages: file segmentation, Merkel hash tree construction, and hash operation.Therefore, the computational cost of a block-level encryption key primarily depends on the file size and data block size [36].As shown in Fig. 8, a group of files (unit MB) was selected in the experiment with lengths of 10, 20, 30, 40, and 50 and a group of data blocks with sizes of 8 KB and 12 KB, respectively.The experimental results show that the proposed scheme has a low computational cost in terms of block-level encryption key generation, and the larger the data block is, the smaller the time cost of block-level encryption key generation.

Application
In the ever-expanding world of the Internet of Things (IoT), managing security and privacy has become crucial.The number of IoT resources, including smart sensors, is continuously increasing, necessitating a comprehensive approach to ensure access and protect sensitive data.To address these issues, we have introduced a groundbreaking method that integrates the concepts of digital twins and blockchain to revolutionize IoT management.Digital twins are virtual representations of physical or virtual entities that are constantly updated and capable of autonomous communication.They encapsulate data access and view configurations, providing a layer of protection for IoT resources.Stakeholders do not directly access IoT resources but interact with digital twins, ensuring an additional layer of security.This method helps prevent unauthorized access to sensitive data and protects personal privacy.Blockchain technology is the cornerstone of our IoT management solution.It provides decentralization, transparency, and reliability, making it an ideal choice for protecting IoT systems.By validating digital twins and storing their configurations, blockchain ensures the legitimacy and identity of IoT resources.Smart contracts are programmed as trust structures to manage access to digital twins.This prevents third parties from directly accessing IoT resources, enhancing security and protecting privacy.The application of digital twins and blockchain has expanded to various IoT ecosystems, including healthcare, supply chains, and smart agriculture.In smart city scenarios, different stakeholders Fig. 7 The computing overhead of F-CK generation Fig. 8 The computing overhead of B-CK generation need to access data streams from smart sensors for different purposes.Digital twins play a key role in providing views of data streams, enhancing security, and protecting privacy.Our method abstracts the complexity of data access management, making it applicable to a wide range of IoT use cases.

Conclusions
In this paper, firstly, a blockchain-based critical management system model is introduced, and the external and internal threats of attacks faced by this system model are described.Among them, under the assumption of honest and curious external and internal enemies, they will follow the system protocol honestly on the one hand.On the other hand, they will try to peep at the related user data information.To resist the malicious attacks launched by the adversaries, this article proposes a blockchain-based cloud storage key security management scheme to address the security issues faced by traditional critical management systems that rely too much on trusted third-party management servers.The method mainly cuts the converging key into several key fragments through the secret sharing scheme and submits them to achieve the reliable management of the converging key through the blockchain system while ensuring that the key management has a certain degree of fault tolerance and security.Security analysis shows that the proposed scheme has high safety and can resist brute-force attacks and conspiracy attacks launched by adversaries.Experimental and performance evaluation show that the proposed method has low time calculation overhead.
The proposal mentioned in this article aims to construct a secure and reliable cloud data storage system by combining blockchain technology, mainly utilizing the features of smart contracts, block structure, and transaction information in the blockchain system to achieve this goal.However, the blockchain system includes other features like consensus mechanisms, mining and broadcasting protocols, etc.The question of how to apply more characteristics of the blockchain system and digital twins to the cloud storage model and make the blockchain better compatible with existing cloud storage systems is also worth further exploration.

Table 1
Basic notations and parses ciphertext C Iij from Data.• User U uses the private key sk to get the plaintext

Table 2
Comparison with other schemes

Table 3
Notations and descriptions

Table 4
Computation comparison in different stages

Table 5
Storage comparison for key