A dynamic policy-aware conditional proxy re-encryption system for fine-grained access control in IoT pub/sub systems

Why smarter locks for connected devices matter

Billions of sensors in homes, hospitals, factories and cities now send data through cloud services using a “publish and subscribe” model. Keeping that data private is hard, especially when many different people and apps need access at different times and places. This paper shows how to lock and unlock Internet of Things (IoT) data in a far more flexible way, so that encrypted messages can still flow smoothly while access rules change with real-world conditions.

The challenge of sharing data without giving it away

Modern IoT systems rely on message brokers that relay information from devices to subscribers. Today, transport security mainly protects the route between each device and the broker, but the broker itself often sees the raw data. Earlier work used a tool called conditional proxy re-encryption, which lets the broker convert one user’s encrypted message into another user’s encrypted message without learning the contents. However, that earlier design had serious limits: it could only handle a single simple condition, it could not easily adapt to changes in time or location, and it leaked parts of the rule used for access control. Revoking a user was also clumsy, forcing publishers to refresh keys for many remaining users.

Adding real-world context to access rules

The authors introduce a new system that lets access rules reflect the messy reality of IoT deployments. Instead of a single condition, policies can now combine several dimensions: when a request is made, where it comes from, what role the requester has, and what the device status is. Policies are written in a familiar JSON format, so they can capture logic such as “only during office hours,” “only inside the hospital,” or “only if this sensor reports normal operation.” A dedicated policy management engine stores and updates these rules, distributes them to devices and the message broker, and ensures they stay consistent as circumstances change.

Keeping the rules themselves secret

An important innovation is that the broker can enforce these rich policies without seeing their exact details. The system hides sensitive parts of a rule using a cryptographic technique known as a commitment, which works like a sealed envelope that can later be checked for honesty but not read in advance. Devices encrypt outgoing data together with a hidden version of the policy, and the policy engine prepares matching keys for each subscriber. When the broker receives a message, it checks in a privacy-preserving way whether the subscriber’s attributes satisfy the hidden policy. Only if both the cryptographic link and the logical rule match will the broker transform the ciphertext so the subscriber can decrypt it.

Architecture, security, and performance in practice

The proposed design fits into existing publish and subscribe systems built on the MQTT protocol by extending a popular broker called HiveMQ. The architecture separates four roles: constrained IoT devices that encrypt data with bound policies, a central policy engine that defines and commits to policies, a broker that performs re-encryption, and subscribers that finally decrypt the data. The authors carefully model attackers who might try to learn data at the broker, collude as misbehaving subscribers, or infer business secrets from the shape of policies. They prove, under standard mathematical assumptions, that their scheme keeps messages confidential, hides policies, and resists chosen-ciphertext attacks, even when adversaries can query decryption and re-encryption oracles.

How well the system performs under load

To test whether this added flexibility is practical, the team built a full prototype using Go libraries, a modified HiveMQ broker, simulated IoT devices, and a web dashboard for managing policies. Experiments on server hardware and Raspberry Pi clients measured the added cost of the new features. Encrypting with policies took about 7% longer than a simpler baseline, mainly due to computing policy commitments, while re-encryption and decryption times remained close to those of traditional schemes. Policy creation and updates completed in a couple of milliseconds, and matching a subscriber against as many as 10,000 stored policies took only fractions of a microsecond. Under high concurrency, the system scaled well, achieving thousands of operations per second and supporting up to 10,000 subscribers with stable throughput and manageable latency.

What this means for future connected systems

In everyday terms, this work shows that it is possible to keep IoT data encrypted from end to end while still applying rich, changing rules about who may see what, when, and from where, and without exposing those rules to curious intermediaries. The scheme adds modest overhead compared with simpler approaches but delivers far more control and privacy. As IoT deployments grow in size and sensitivity, such dynamic, policy-aware encryption could help organizations share data safely across devices, users, and domains while keeping both the messages and the rules that guard them out of sight.

Citation: Lin, S., Ke, N., Jun Ru, H. et al. A dynamic policy-aware conditional proxy re-encryption system for fine-grained access control in IoT pub/sub systems. Sci Rep 16, 15832 (2026). https://doi.org/10.1038/s41598-026-46939-3

Keywords: Internet of Things security, publish subscribe, access control, proxy re-encryption, data privacy