Abstract
Information sharing has become an important application in modern supply chain management systems as business technology develops. Because traditional supply chain information systems suffer from problems such as easy data tampering, low information transparency, and interaction delays, blockchain has been brought into supply chain information sharing research. Furthermore, blockchain technology is expected to provide decentralized supply chain information sharing solutions that enhance security, availability, and transparency. However, with the in-depth study of the application of blockchain technology to supply chain information sharing, it has been found that the data stored publicly in the blockchain are still threatened by privacy leakage. In addition, due to the openness and accessibility of the blockchain, the lack of fine-grained access control is also apparent. In order to improve the security of data, we propose a novel privacy-preserving multiauthority attribute-based access control scheme for secure blockchain-based information sharing in a supply chain. In this scheme, the blockchain stores encrypted supply chain information on distributed nodes. Multiple attribute authorities manage different attributes of users to achieve fine-grained access control and flexible authorization. Even if some attribute authorities fail, the user’s private key will not be leaked. In user secret key generation, we adopt an anonymous key generation protocol to realize the secure distribution of user keys by the attribute authorities. Furthermore, in order to protect communication privacy between blockchain nodes, the properties of policy hiding and identity hiding are considered. Finally, we design experiments to analyze the performance of our scheme, including secret key sizes and the running time of encryption and decryption.
1. Introduction
A supply chain is a huge and complex network that tightly integrates suppliers, carriers, manufacturers, and consumers. In the supply chain, information sharing plays an important role in resource utilization, demand analysis, and production management for upstream suppliers and downstream manufacturers in each industry. In addition, as consumers pay more attention to raw materials, product processing, and logistics, the transparency and traceability of supply chain information has become a research hotspot in the field. However, a supply chain is often characterized by a high level of globalization, a large number of participating corporations, and complex product processing links, which involve the confidential and critical private information of corporations and consumers. Therefore, a traditional centralized supply chain system is vulnerable to a single point of failure, which puts the entire network and the participating organizations in potential danger (e.g., hacking or corruption) [1]. In addition, since centralized organizations introduce third parties for management, there is also a problem of inefficient access and limited control of information. Therefore, finding decentralized solutions to improve the security, availability, and transparency of information sharing in the supply chain is crucial.
Blockchain is a novel decentralized computing model, which is expected to provide decentralized solutions for information sharing in a supply chain system. It was first described in the context of Bitcoin [2], which Satoshi Nakamoto designed. Blockchain integrates distributed data storage, independent peer-to-peer transactions, consensus mechanisms, programmable smart contracts, dynamic encryption algorithms, etc. It enables multiparty transactions in a distributed environment. Its information sources are traceable, and its transaction data are difficult to tamper with [3]. With the development of blockchain technology, it is increasingly applied in many fields such as medical care [4], banking systems [5], and Internet of Things (IoT) applications [6]. In recent years, scholars have paid more attention to the application of blockchain in supply chain information sharing. Abidi et al. [7] constructed a new privacy preservation model in supply chain networks based on blockchain technology, where blockchain plays a promising role in secure information sharing. Venkatesh et al. [8] developed a system architecture that integrates blockchain, IoT, and big data analytics to allow suppliers to efficiently and effectively monitor supply chain social sustainability.
However, with the application of technologies such as deep learning and data mining, the blockchain still faces the threat of network attacks such as DDoS attacks [9], DNS attacks [10], and deanonymization analysis [11], which hinder the availability of services to users and threaten blockchain node security. Therefore, the data in the blockchain system are not completely secure, because data are transferred through address identifiers similar to e-mail addresses, which may cause user privacy issues. Furthermore, although an address identifier is not directly related to the real-world user identity, the blockchain data are completely open and transparent, leading to privacy leaks. So, it is indispensable to optimize the access control scheme of traditional blockchain-based supply chain information sharing systems.
Attribute-based encryption (ABE) [12] was proposed as an encryption system that inherits the advantages of identity-based encryption, in which the secret key of a user and the ciphertext depend on attributes (e.g., phone number or e-mail address). It can provide fine-grained access control for an information sharing system. Due to the excellent performance of ABE in controlling and managing access to data, it has been considered one of the key technologies that can continuously improve the security and privacy of a blockchain system in recent years [13]. In this paper, we propose a blockchain-based supply chain information sharing access control scheme based on privacy-preserving multiauthority ciphertext-policy ABE. This scheme also introduces a user attribute revocation mechanism to enhance flexibility and security.
In our scheme, the main contributions are summarized as follows:
(1) A novel multiauthority attribute-based encryption scheme is proposed to solve the problems of privacy leakage and incomplete anonymity in blockchain-based information sharing systems of the supply chain.
(2) We take the properties of attribute revocation, policy hiding, identity hiding, and anonymous secret key generation into account to improve the security and flexibility of our scheme.
(3) An anonymous key generation protocol is proposed to solve the problem of secure key issuance between users and attribute authorities.
The rest of the article is structured as follows: Section 2 reviews the relevant issues of the research topic. Section 3 introduces the mathematical preliminaries involved in the paper. Section 4 explains the access control system model and security model. Section 5 describes our work in detail. Section 6 analyzes the correctness and security of the scheme we proposed. Section 7 analyzes the security of the anonymous key generation protocol. The results of the comparison and experiments will be shown in Section 8. Finally, Section 9 summarizes the work of this article and looks forward to future work.
2. Related Works
In this section, we review some existing works associated with the blockchain-based access control scheme and the applications of ABE and MA-ABE on it.
2.1. Blockchain-Based Access Control
The leakage of sensitive data in a block can pose a great threat to the security of the blockchain and its applications. Therefore, research on data access control schemes for the blockchain has become a hot topic in blockchain security. Huang et al. [14] created a new type of blockchain system with a credit-based workload consensus mechanism (Proof of Work) and also designed a method for regulating sensor data access. Their data authentication management method realized data privacy protection for the Industrial Internet of Things and improved the efficiency of the blockchain under the Internet of Things. Khan et al. [15] proposed a role-based fine-grained access control model for blockchain resource management. This model can monitor a resource continuously during operation and update the attributes accordingly. Tan et al. [16] presented a general access control framework, which provides a unified and feasible way for users to achieve decentralized, lightweight, and fine-grained access control of the blockchain-based green Internet of Things. However, these studies mainly focused on optimizing the blockchain consensus mechanism and smart contracts, that is, on improvements to the blockchain security technology itself, without taking into account cracking of the encryption algorithm, key leakage, and privacy leaks in the blockchain.
2.2. ABE for Blockchain-Based Access Control
Due to its wide application scenarios, attribute-based encryption has become a very popular research direction in cryptography. The emergence of ABE provides another solution to meet the needs of secure access control in blockchain applications. Xu et al. [17] created a distributed attribute-based keyword search (ABKS) scheme, where ABKS is a keyword search mechanism that introduces public key encryption with keyword search into the context of the attribute cryptosystem. The scheme allows data owners the flexibility to share data content with groups of users that meet access control conditions. Yu et al. [18] provided an update-oriented access control scheme for blockchain-based IoT systems, which is compatible with the ABE technique. In the scheme, historical on-chain data are accessible only to new members and inaccessible to revoked members. Qin et al. [19] proposed an access control scheme with lightweight decryption based on ABE and blockchain technologies, where a user credibility incentive mechanism is designed to calculate the user’s credibility according to the user’s access behavior and to give a reputation score that adjusts the endorsement protocol dynamically. These studies enhance the blockchain’s ability to protect data and user privacy in its applications and enrich the research on ABE-based blockchain information sharing access control schemes. However, in traditional attribute-based cryptography, a trusted entity known as a Key Generation Center (KGC) is responsible for generating users’ private keys, which contradicts the decentralized nature of the blockchain.
2.3. MA-ABE for Blockchain-Based Access Control
The multiauthority ABE was first proposed in [20]. This solution is based on the fact that, in reality, different types of transactions are handled exclusively by different organizations, and it improves on the standard ABE scheme. MA-ABE and its variants have been applied in researching and applying blockchain access control security. Guo et al. [21] constructed a multiauthority attribute-based encryption and signature scheme and introduced pseudorandom functions to achieve data sharing and collision avoidance. Qin et al. [22] proposed a blockchain-based multiauthority access control called BMAC for secure data sharing in the cloud, where the Shamir secret-sharing scheme and a permissioned blockchain were introduced. In this scheme, multiple authorities jointly manage each attribute to avoid a single point of failure. Banerjee et al. [23] offered a new blockchain-envisioned fine-grained user access control scheme for data security and scalability in IIoT environments, which supports multiple attribute authorities and constant-size keys and ciphertexts. Hei et al. [24] designed a novel MA-ABE scheme based on blockchain, which ensures that a relevant user can obtain the final decryption attribute key only after all attribute authorities have publicly issued their keys to the blockchain. Sethi et al. [25] presented a practical decentralized multiauthority traceable and efficiently revocable attribute-based cryptosystem with the advantage of outsourced decryption. Rouhani et al. [26] proposed a distributed attribute-based access control (ABAC) system based on blockchain to provide trusted auditing of access attempts, presenting a level of transparency from which both access requesters and resource owners can benefit. In this paper, we consider four cryptographic properties to improve the security of MA-ABE for the blockchain-based access control scheme.
Furthermore, the current multiauthority attribute-based encryption schemes are mainly based on prime-order and composite-order bilinear groups. Prime-order bilinear groups are better than composite-order bilinear groups in terms of computational efficiency. However, the number of bilinear groups of prime order is relatively small, and their structure is limited, which cannot meet practical application needs. Therefore, we construct a multiauthority attribute-based encryption scheme based on composite-order bilinear groups.
3. Preliminaries
3.1. Composite-Order Bilinear Group
The concept of the composite-order bilinear group was first proposed by Boneh et al. in [27].
Let be distinct primes and and be cyclic groups of order . The map is a bilinear map if it meets the following three properties:
(1) Bilinearity: for and , we have .
(2) Nondegeneracy: such that holds.
(3) Computability: , is efficiently computable.
Let G be a composite-order bilinear group and be the subgroups of order in . Then and , so is the identity element in , as explained in [28]. This orthogonality property of the subgroups is used in dual-system encryption to achieve semifunctionality.
3.2. Assumption
There will be four assumptions illustrated in the proof of the security of our scheme. For assumptions 1–4, we refer to the assumptions 1–4 from Lewko and Waters’s scheme [29], where means randomly selecting in .
3.2.1. Assumption 1
For a given group generator , we define the following distribution:
We define is the advantage of algorithm in breaking Assumption 1. The assumption is true if no algorithm exists that can respectively distinguish and in and in polynomial time.
3.2.2. Assumption 2
For a given group generator , we define the following distribution:
We define is the advantage of algorithm in breaking Assumption 2. The assumption is true if no algorithm exists that can, respectively, distinguish and in and in polynomial time.
3.2.3. Assumption 3
For a given group generator , we define the following distribution:
We define is the advantage of algorithm in breaking Assumption 3. The assumption is true if no algorithm exists that can, respectively, distinguish and in and in polynomial time.
3.2.4. Assumption 4
For a given group generator , we define the following distribution:
We define is the advantage of algorithm in breaking Assumption 4. The assumption is true if no algorithm exists that can respectively distinguish and in polynomial time.
3.3. Access Structure
Let be the collection of participants. A collection is monotone if, for any and with and , holds. An access structure (monotone access structure) is a collection (monotone collection) . The sets in are authorized sets, and the sets not in are unauthorized sets.
3.3.1. Linear Secret-Sharing Scheme (LSSS) [30]
A linear secret-sharing scheme is an effective method to build an access structure. Let be the collection of participants and be a matrix with rows and columns. The map labels each row with a participant. A linear secret-sharing scheme over the set for the access structure consists of the following two polynomial-time algorithms:
(1) Share : the algorithm takes the shared secret as input and randomly chooses a group of elements to generate a column vector . Then, it outputs . We define as the -th row of matrix , so that is the share belonging to participant .
(2) Recover : the algorithm takes a set S of participants as input. Then, we define another set . If , there exists a group of constants which satisfies . So, we can recover the secret. However, if , we cannot recover the right secret.
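As an added example (not part of the original paper), the following Python code builds the LSSS matrix for a monotone Boolean policy with the Lewko-Waters conversion and then runs the Share and Recover algorithms described above over a prime field. The policy mirrors the shape of the Section 4.1 example, read as A1 OR (A2 AND A3) (an assumption, since the paper does not state the operator precedence); the modulus, attribute names, and function names are constructed for illustration, and the paper's scheme itself works in a composite-order group.

```python
# LSSS share/recover for a monotone Boolean access policy (added example).
# M is built with the Lewko-Waters conversion; rho labels each row with an attribute.
import secrets

P = 2**61 - 1  # constructed field modulus (a Mersenne prime)

# Policy in the form of Section 4.1, read as A1 OR (A2 AND A3).
# Attribute names are constructed: "<attribute>@<authority>".
POLICY = ("OR", "Researcher@Authority1",
          ("AND", "Analyst@Authority2", "User@Authority3"))


def policy_to_lsss(policy):
    """Return (M, rho). A node is ("AND", l, r), ("OR", l, r) or an attribute string."""
    rows, rho, counter = [], [], [1]  # counter holds the current label length c

    def walk(node, vec):
        if isinstance(node, str):            # leaf: its label becomes a row of M
            rows.append(vec)
            rho.append(node)
            return
        op, left, right = node
        if op == "OR":                       # both children inherit the label
            walk(left, vec)
            walk(right, vec)
        elif op == "AND":                    # split the label into v|1 and 0..0|-1
            c = counter[0]
            counter[0] += 1
            padded = vec + [0] * (c - len(vec))
            walk(left, padded + [1])
            walk(right, [0] * c + [-1])
        else:
            raise ValueError(f"unknown operator {op!r}")

    walk(policy, [1])
    width = counter[0]
    M = [row + [0] * (width - len(row)) for row in rows]  # pad rows to final width
    return M, rho


def share(M, rho, secret, p=P):
    """Share: v = (s, r2, ..., rn) with random r_i; the share of row i is M_i . v."""
    width = len(M[0])
    v = [secret % p] + [secrets.randbelow(p) for _ in range(width - 1)]
    return {rho[i]: sum(m * x for m, x in zip(M[i], v)) % p for i in range(len(M))}


def solve_mod_p(A, b, p):
    """Solve A x = b over GF(p) by Gaussian elimination; None if inconsistent."""
    n, m = len(A), len(A[0])
    aug = [[a % p for a in row] + [bi % p] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for col in range(m):
        piv = next((i for i in range(r, n) if aug[i][col]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(n):
            if i != r and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append(col)
        r += 1
        if r == n:
            break
    if any(aug[i][m] for i in range(r, n)):   # a row 0 = nonzero: no solution
        return None
    x = [0] * m                               # free variables are set to 0
    for i, col in enumerate(pivots):
        x[col] = aug[i][m]
    return x


def recover(M, rho, shares, p=P):
    """Recover: find omega with sum(omega_i * M_i) = (1, 0, ..., 0) over the rows
    whose attributes are present, then return sum(omega_i * lambda_i).
    Returns None when the attribute set is unauthorized (no such omega exists)."""
    idx = [i for i, attr in enumerate(rho) if attr in shares]
    if not idx:
        return None
    width = len(M[0])
    A = [[M[i][j] for i in idx] for j in range(width)]  # columns are the selected rows
    e1 = [1] + [0] * (width - 1)
    omega = solve_mod_p(A, e1, p)
    if omega is None:
        return None
    return sum(w * shares[rho[i]] for w, i in zip(omega, idx)) % p


def demo(secret=123456789):
    """Authorized sets recover the secret; an unauthorized set gets None."""
    M, rho = policy_to_lsss(POLICY)
    sh = share(M, rho, secret)
    only_a1 = recover(M, rho, {"Researcher@Authority1": sh["Researcher@Authority1"]})
    a2_a3 = recover(M, rho, {a: sh[a] for a in ("Analyst@Authority2", "User@Authority3")})
    only_a2 = recover(M, rho, {"Analyst@Authority2": sh["Analyst@Authority2"]})
    return only_a1 == secret, a2_a3 == secret, only_a2


if __name__ == "__main__":
    print(policy_to_lsss(POLICY))
    print(demo())  # (True, True, None)
```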
3.4. Commitment Scheme
The commitment scheme we use is based on Pedersen [31], which relies on the discrete logarithm assumption. A commitment scheme is composed of the following three algorithms:
(1) Setup : this algorithm takes a security parameter as input and outputs the set of public parameters.
(2) Commit : this algorithm takes the public parameter set and a message as input and outputs a commitment and a decommitment , where can decommit com to .
(3) Decommit : this algorithm takes the public parameter set , a message , a commitment , and a decommitment as input and outputs 1 if can decommit to ; otherwise, the algorithm outputs 0.
A commitment scheme must provide two properties: hiding and binding. The hiding property requires that the message remain hidden until the user releases it. The binding property requires that the commitment can be decommitted only to .
3.5. Zero-Knowledge Proof
The zero-knowledge proof scheme we use is based on [32]. By , we denote a zero-knowledge proof of knowledge of , and , where and are held in the groups and , respectively. Conventionally, the values in parentheses represent the knowledge that needs to be proven, while the remaining values are known to the verifier. There is an extractor that can be used to extract the knowledge from a successful prover by rewinding it.
4. System and Security Model
4.1. System Model
In this paper, we propose a MA-ABE access control scheme for a blockchain-based supply chain information sharing system. The system model is shown in Figure 1. Our system model considers five main participants: supply chain, data owner, blockchain, data users, and attribute authorities. The definition and functions of each participant are as follows:
Supply chain: the supply chain is the source of all data. We assume the source data in a supply chain are correctly uploaded by suppliers, who record the data in materials production, product processing, logistics transportation, warehouse storage, goods purchasing, etc. Furthermore, because of the limited size of blockchain blocks, the supply chain data involved in this article only contain small-capacity data such as transaction records, cargo numbers, and logistics processes. Large-capacity data such as videos and images are not discussed in this paper and are left for future research.
Data Owner: the owner encrypts his/her goods’ supply chain information and sends the encrypted data to the blockchain together with the access policy. An access policy can be defined as follows: (Attribute 1: (Researcher identified by Authority 1)) OR (Attribute 2: (Analyst identified by Authority 2)) AND (Attribute 3: (User identified by Authority 3)), so only users whose attributes satisfy this policy can correctly decrypt the owner’s ciphertext. Furthermore, the owner can update the encrypted data in a new block.
Attribute Authorities: each attribute authority can generate and distribute attribute public keys based on data users’ attributes within the scope of the attributes it manages, such as phone numbers, identities, and affiliation. When data users’ attributes change, the attribute authority has to change the users’ attribute secret keys. In addition, an attribute authority can create a block: it packages the data owner’s encrypted data in the block and adds it to the blockchain.
Blockchain: the blockchain is the distributed environment for storing the data owner’s encrypted data in storage nodes and making it public to users who can connect to the blockchain system.
Data Users: data users get their attribute secret keys from the attribute authorities and decrypt the data owner’s encrypted data. However, only the users with the correct attribute secret keys can decrypt the ciphertext properly.

4.2. Security Model
We let be an adversary and be a challenger; then the game between and is carried out as follows:
GlobalSetup: executes this algorithm and sends the global parameter set to . Then, returns a group of corrupted authorities and gives the challenge access structure , where is the set of all authorities.
AuthoritySetup: challenger obtains the attribute authorities’ public and private keys and then sends the public keys to the adversary.
Key Query Phase 1: adversary queries the secret key by submitting a pair to challenger , where belongs to the good authorities. Then, responds by providing the corresponding secret keys. However, cannot make queries on any attribute set that satisfies the access structure . Besides, the requested cannot belong to the corrupted authorities.
Challenge: adversary transmits two messages of the same length, and , and the access structure to challenger . It is worth noting that the attributes of the corrupted authority set cannot satisfy . randomly selects a bit and returns the encrypted data of message under the access structure to .
Key Query Phase 2: adversary makes more key queries as long as the attribute sets do not satisfy the challenge access structure .
Guess: adversary tries to guess which message the encrypted data corresponds to. If , the advantage of adversary in winning this game is calculated as follows:
5. Our Works
5.1. System Scheme
Our system scheme’s workflow is shown in Figure 2. We divide the system workflow into five stages: Setup, Key Generation, Encrypt, Decrypt, and Revoke and Update. The details are as follows.
(1) Setup: multiple attribute authorities generate the system’s public parameters through the GlobalSetup algorithm and use the consensus algorithm to negotiate and reach an agreement. After that, each attribute authority executes the AuthoritySetup algorithm to create its public key and private key. At the same time, attribute tags are assigned to users according to their attributes, such as phone number, identification, and affiliation.
(2) Key generation: the attribute authority uses the KeyGen algorithm to generate the user’s public and private key according to the user’s attributes.
(3) Encrypt: the data owner uses the Encrypt algorithm to encrypt the access structure and data.
(4) Block generation: when the encrypted data need to be uploaded to the blockchain, the data owner broadcasts the ciphertext to the blockchain network. When the attribute authorities have collected enough ciphertexts, they use a hash function to calculate the hash value of each ciphertext and construct a Merkle tree. Then, the attribute authority puts all ciphertexts into the block body and adds them to the blockchain along with the block. The structure of the block is shown in Figure 3. Finally, storage nodes store the blockchain data. Note that the size of the block depends on the number and size of the ciphertexts stored in the block body.
(5) Decrypt: the data user requests the data owner’s encrypted data from a blockchain node and decrypts it through the Decrypt algorithm.
(6) Revoke and update: the attribute authority can use the KeyUpdate algorithm to update the user key flexibly according to the user’s attribute change. In addition, users can also update the encrypted data using the CTUpdate algorithm and pack it in a new block.


5.2. Algorithm Construction
Like other schemes [33, 34], although our scheme is based on the composite-order bilinear group construction, the whole system is limited to the subgroups . The subgroups and are only used in the security proof to construct the semifunctional keys and the semifunctional ciphertexts. The seven main cryptographic algorithms involved in our scheme are as follows:
GlobalSetup .
(1) Let be an algorithm to generate composite-order bilinear groups. takes the security parameter as input and randomly selects the number as the order of the group , where is a generator of . Then, set , where is randomly chosen. We set and as two strongly collision-resistant hash functions for mapping random numbers to values in and . Let be a bilinear map.
(2) The algorithm generates a user’s unique global identifier in the system and uses the hash function to get . Then, the user public key is represented as .
(3) We define the set of attribute authorities as , where each attribute authority manages its attribute set .
(4) We set .
AuthoritySetup . Each attribute authority runs this algorithm. For each attribute belonging to , chooses two random exponents . Then, randomly selects an exponent for itself and gets its public key and secret key as follows:
Encrypt .
(1) The data owner executes the Encrypt algorithm and selects an LSSS-based access policy , in which, for each attribute involved, the owner sets a random number and replaces with in the LSSS matrix .
(2) The algorithm first chooses a secret as the shared secret. Then, it generates a random column vector with as the first element, where .
(3) We set , where is the -th row of matrix . Then, the algorithm generates another random column vector with 0 as the first element, where . For each row of the matrix , the algorithm randomly selects . Finally, the encrypted data of the message can be defined as follows:
Here, .
KeyGen . Attribute authorities use the anonymous key distribution protocol to generate the attribute secret keys for users.
For each attribute , where is user ’s attribute set verified by the authorities, the user attribute secret keys can be computed as follows:
Here, is used to hide the attribute , and .
Decrypt . Each data user has to query the owner’s encrypted data (ciphertext) from the blockchain and uses the Decrypt algorithm to get the original message . Furthermore, the data user can replace his/her attribute by calculating in the access policy . Then, the user gains a set from . Finally, the user chooses a constant , which satisfies . The Decrypt algorithm is run to decrypt the ciphertext . If the data user has the secret keys of each , he/she decrypts the ciphertext as follows:
KeyUpdate . Assume that is an attribute revoked and updated by the authority . Then, must regenerate a corresponding new user attribute secret key for through the following steps:
(1) Authority regenerates two new attribute random exponents .
(2) For users who have the attribute , calculates .
(3) In the end, user computes
CTUpdate . If the access policy involves the revoked and updated attribute , i.e., , the data owner updates his/her ciphertext stored in a new block in the blockchain. The ciphertext is updated as follows:
5.3. Anonymous Key Generation Protocol
Algorithm 1 shows the anonymous key generation protocol built in this paper. The details of this algorithm are as follows:
(1) The data user randomly selects and calculates . Then, sends to authority .
(2) randomly chooses and returns it to .
(3) computes and sends and to .
(4) verifies and . If they verify correctly, continues. If not, aborts.
(5) computes by two-party secure computation (2PC protocol).
(6) randomly generates . Then, it calculates and sends to .
(7) returns a random number to .
(8) computes and returns .
(9) checks and . If the verifications are correct, obtains his/her user attribute secret keys by calculating and . Otherwise, aborts.
6. Security Analysis
6.1. Correctness
6.1.1. Correctness of Decryption
We assume that
So, we can compute
Also, we can get , in which .
6.2. Correctness of Update
(1) .
(2) .
(3) .
6.3. Security of Our Scheme
In this paper, dual-system encryption [35] is applied to prove the security of our scheme. We refer to the proof method in [29, 36, 37]. In the dual-system encryption technique, secret keys and ciphertexts come in two forms: normal and semifunctional. It is noteworthy that a normal key can decrypt both normal and semifunctional ciphertexts, while a semifunctional key can only decrypt normal ciphertexts and cannot decrypt semifunctional ciphertexts. In addition, the semifunctional keys and ciphertexts exist only in the security proof; they do not appear in the actual system. To describe the semifunctional ciphertext and the semifunctional key more precisely, we select two fixed random values for each attribute ; these two random numbers are the same for the semifunctional ciphertexts and the semifunctional keys, and they do not change between users.
6.3.1. Semifunctional Ciphertext
To generate the semifunctional ciphertext, we randomly choose . Then, we set for each row in the access policy matrix . In addition, we set as the subset of related rows, which is marked by corrupted attribute authorities in , and we set as the subset of rows marked by good attribute authorities in . Three exponents are chosen randomly.
At first, we set the original ciphertext as follows:
For each , if , the semifunctional ciphertext will be computed as follows:
For each , if , the semifunctional ciphertext will be computed as follows:
6.3.2. Semifunctional Key
There are two kinds of semifunctional keys, namely, type-1 and type-2. We set as the value in the subgroup of and select an exponent at random. The type-1 semifunctional key is calculated as follows: The type-2 semifunctional key is calculated as follows: Here, is the normal key.
When we apply a type-1 semifunctional key to decrypt a semifunctional ciphertext, the extra part will prevent the ciphertext from being directly decrypted unless . Similarly, when we apply a type-2 semifunctional key to decrypt a semifunctional ciphertext, the extra part will prevent the ciphertext from being directly decrypted unless .
6.3.3. Attack Games
The games used in this paper are defined as follows:
: this game is the real game, where the ciphertext and user secret keys are normal.
: compared with , the challenge ciphertext is semifunctional.
: compared with , the first keys obtained are type-2 semifunctional keys, the -th key is a type-1 semifunctional key, and the other keys are normal keys. In addition, the challenge ciphertext is semifunctional. If is the number of times the adversary queries for a key, the range of is 1 to .
: compared with , the first keys obtained are type-2 semifunctional keys, while the other keys are normal. Moreover, the challenge ciphertext is semifunctional, and all keys in are type-2 semifunctional keys.
: in this game, all keys are type-2 semifunctional keys, and the ciphertext is a semifunctional ciphertext of a random message. The adversary therefore has no advantage in winning the game.
6.4. Lemma 1 and Its Proof
Lemma 1. If there is a polynomial-time algorithm that can distinguish and at the nonnegligible advantage , another polynomial-time algorithm will be constructed to break Assumption 1 with the advantage .
6.4.1. Proof
GlobalSetup: challenger runs the GlobalSetup algorithm. Simulator receives the global parameters from the challenger and simulates or between the adversary and . specifies a set of corrupted attribute authorities , where represents the set of all attribute authorities in the system. Then, develops an access structure that he/she needs to challenge.
AuthoritySetup: executes the AuthoritySetup algorithm. For the corrupted attribute authorities, sends their public and private keys to ; for the good attribute authorities, only sends their public keys to .
Key Query Phase 1: when queries the key of , runs the KeyGen algorithm to generate the related keys.
Challenge: submits two messages and of the same length to . randomly chooses a bit and sends the encrypted message under the access structure to . selects a random shared number and sets . also selects two random column vectors and . Then, sets , where is the -th row in the matrix .
provides with the random parameters for the attributes contained in the access structure that belong to the corrupted attribute authorities. Here, represents the subset of rows in whose attributes belong to good attribute authorities, while represents the subset of rows whose attributes belong to corrupted attribute authorities. For each in , randomly selects , and correspondingly selects for each in , where . We set the part of as , the part as , and the part as , where are selected randomly.
For , the ciphertexts are computed as follows:
For , the ciphertexts are computed as follows:
A ciphertext is generated in two cases: and . If , it is a normal ciphertext. When , it is a semifunctional ciphertext. Because and are indistinguishable, the games and cannot be distinguished. The proof is as follows:
(1) When , the part of is . For each , , because the first random value of the vector is 0, so the ciphertext is a normal ciphertext. For each , and are normal ciphertexts, because of and . Finally, we get that when , all ciphertexts are normal. When , we know that . If , in the ciphertext . In the semifunctional ciphertext, and , so can be seen as a semifunctional ciphertext. According to the remainder theorem, if , , and are uncorrelated for a random value . We can set the exponents , and . Because and of and are all randomly distributed, and are semifunctional ciphertexts.
(2) In a semifunctional ciphertext, we have and , where and are random vectors. In this game, the first element of is 0, and adversary cannot distinguish whether the value is random or not. When , according to the monotone span program [36], and generate the same secret-sharing value, which means adversary cannot figure out whether the first element is 0 or another . When , is random in . If , the exponent of is represented by . So, the secret-sharing value is hidden, and the shared value is properly distributed from the perspective of adversary . The exponent of is still properly distributed for the same reason. Therefore, when , the ciphertexts are normal and simulator can simulate . When , the ciphertexts are semifunctional and simulator can simulate . can use to break Assumption 1 with advantage .
6.5. Lemma 2 and Its Proof
Lemma 2. If there is a polynomial-time algorithm that can distinguish and at the nonnegligible advantage , then another polynomial-time algorithm B can be constructed to break Assumption 2 with the advantage .
6.5.1. Proof
The proof of Lemma 2 is similar to that of Lemma 1, but challenger needs to send the public parameter to simulator .
GlobalSetup and AuthoritySetup: the same as in Lemma 1. According to the difference of , and will simulate and . For each attribute belonging to a good attribute authority , generates its random parameters and sends the public key to .
Key Query Phase 1: assume that indicates the identity of the -th user queried by adversary , which means performs a key query . Then, needs to perform the following feedback: When , , where is normal. When , , where is semifunctional of type-2, and . When , if , let , then and , where is normal; if , let , then and , where is semifunctional of type-1, and .
Challenge: submits two messages and with the same length to . randomly chooses a bit and sends the confidential message under the access structure to . selects a random shared number and sets ; selects three random column vectors and . Then, sets , where is the -th row in the matrix . The definitions of and are the same as in the proof of Lemma 1.
If , randomly selects for each in . Then, ciphertexts can be computed as follows:
If , randomly selects for each in , where , then the ciphertexts are as follows:
(1) The proof of the first aspect is the same as in Lemma 1. If , , where and are and , so we can set the exponents and of and , and is semifunctional. If , , the exponents of , and will be random, because and are uncorrelated. Therefore, we can set . , where we can set . So, the ciphertexts are semifunctional.
(2) The proof of the second aspect is the same as in Lemma 1 too. In dual-system encryption, both the simulator and the adversary must be unable to determine whether a key is semifunctional. Even though the secret-sharing value of is hidden from , the secret-sharing value needs to be set to 0. By setting the secret-sharing value of to 0, the ciphertext generated by is a nominally semifunctional ciphertext. In this way, if wants to test whether the -th key is semifunctional or normal, it will generate challenge ciphertexts that this key can decrypt. However, these ciphertexts are all nominally semifunctional, and users can successfully decrypt them. In other words, cannot tell whether the -th key is a type-1 semifunctional key or a normal key. Therefore, when , the keys are normal and simulator can simulate . When , the keys are type-1 semifunctional keys and simulator can simulate . can use to break Assumption 2 with advantage .
6.6. Lemma 3 and Its Proof
Lemma 3. If there is a polynomial-time algorithm that can distinguish and at the nonnegligible advantage , another polynomial-time algorithm will be constructed to break Assumption 3 with the advantage .
6.6.1. Proof
The proof of Lemma 3 is similar to that of Lemma 2, but challenger needs to send the public parameter to simulator .
GlobalSetup and AuthoritySetup: the same as in Lemma 2. According to the difference of , and will simulate and . For each attribute belonging to a good attribute authority , generates its random parameters and sends the public key to .
Key Query Phase 1: assume that indicates the identity of the -th user queried by adversary , which means performs a key query . Then, needs to perform the following feedback: When , , where is normal. When , , where is semifunctional of type-2, and . When , if , let , then and , where is the semifunctional key of type-1, where ; if , let , then and , where is semifunctional of type-2, and .
Challenge: submits two messages and with the same length to . randomly chooses a bit and sends the confidential message under the access structure to . selects a random shared number , sets , and chooses three random column vectors and . Then, sets . The definitions of and are the same as in the proof of Lemma 2.
If , will randomly choose . Then, the ciphertexts can be calculated as follows:
If , will randomly choose , where . Then, the ciphertexts can be calculated as follows:
Similar to the proof of Lemma 2, we can set .
(1) If , , the exponents of and will be random, because and are uncorrelated, where . So, the ciphertexts are semifunctional. If , , the exponents of and will be computed as . , and the exponents of and will be computed as . So, the ciphertexts are semifunctional.
(2) When , the key is a semifunctional key. So, whether it is a type-1 or a type-2 semifunctional key, the ciphertexts cannot be decrypted, which means that the key type is indistinguishable.
Therefore, when , the keys are normal and simulator can simulate the . When , keys are semifunctional keys of type-1 and simulator can simulate the . can use to break Assumption 3 with advantage .
6.7. Lemma 4 and Its Proof
Lemma 4. If there is a polynomial-time algorithm that can distinguish and at the nonnegligible advantage , another polynomial-time algorithm will be constructed to break Assumption 4 with the advantage .
6.7.1. Proof
The proof of Lemma 4 is similar to that of Lemma 3, but challenger needs to send the public parameter to simulator .
GlobalSetup and AuthoritySetup: the same as in Lemma 2. According to the difference of , and will simulate and . For each attribute belonging to a good attribute authority , generates its random parameters and sends the public key to . We set and , where .
Key Query Phase 1: when performs a key query , needs to generate the following keys: We can set and , so the keys are type-2 semifunctional keys.
Challenge: submits two messages and with the same length to . randomly chooses a bit and sends the confidential message under the access structure to .
selects a random shared number and sets , where . If , it will be the encryption of message . Otherwise, it will be the encryption of a random message. The definition of and is the same as them in the proof of Lemma 3.
If , will randomly choose two random vectors and , where 1 and 0 are the first elements of them, respectively. According to the nature of the complexity assumption [34], we can find a vector with 1 as the first element, which can be orthogonal to all the rows in .
We set and . For each row , randomly selects and lets .
So, we can get . We define as follows:
randomly generates two vectors and a number , where . We define as follows:
where and are the exponents of , and . randomly chooses . Then, can be computed as follows:
where and are uncorrelated under and . So, we get that , and are random. Therefore, the ciphertexts are semifunctional.
If , will randomly choose , and ciphertexts can be computed as follows:
Because and are uncorrelated, these ciphertexts are normal.
If , ciphertexts will be semifunctional ciphertexts, which are properly distributed. If is the semifunctional encryption of the message , the game will simulate . In addition, if is random, will simulate . Therefore, can use to break Assumption 4 with advantage .
So, in the final attack game of Lemma 4, when the challenger encrypts a random message, the adversary’s attack advantage is negligible. As a result, according to the defined Assumptions 1–4, we can prove that real attack games and the above attack games are indistinguishable. Thus, it proves that the adversary’s advantage in winning the real attack game is negligible.
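The proofs above rest on two facts about the LSSS access structure: a share is the inner product of a matrix row with a vector whose first coordinate is the shared secret (the Challenge phase of Lemma 1), and for every unauthorised set of rows there is a vector with first coordinate 1 that is orthogonal to all of them (used in Lemma 4). The following Python is an added example, not the paper's code; it implements both facts over Z_p with a constructed three-attribute policy, and the prime P, the policy matrix M and the attribute names are assumptions.

```python
# Added example (not the paper's code): LSSS arithmetic over Z_p, as used in the
# proofs above. A policy is (M, rho): row x of M belongs to attribute rho(x);
# share x is lambda_x = <M_x, v> with v[0] = s the secret. An authorised set
# recovers s; an unauthorised set admits w with w[0] = 1 orthogonal to all of
# its rows, so shifting v along w changes s but not the shares that set holds.
import secrets

P = 2**61 - 1  # constructed stand-in for the prime group order


def solve(A, b, n):
    """Gaussian elimination mod P: some x with A x = b (A is m x n), or None."""
    aug = [[a % P for a in row] + [bi % P] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, len(aug)) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], P - 2, P)
        aug[r] = [x * inv % P for x in aug[r]]
        for i in range(len(aug)):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % P for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
    if any(row[n] for row in aug[r:]):  # a zero row with nonzero rhs
        return None
    x = [0] * n  # free variables are set to 0
    for i, c in enumerate(pivots):
        x[c] = aug[i][n]
    return x


def shares_from_vector(M, v):
    return [sum(m * vi for m, vi in zip(row, v)) % P for row in M]


def share(M, secret):
    """Pick v = (secret, r_2, ..., r_n) at random and return (shares, v)."""
    v = [secret % P] + [secrets.randbelow(P) for _ in range(len(M[0]) - 1)]
    return shares_from_vector(M, v), v


def reconstruct(M, rho, shares, attrs):
    """Secret from the shares of rows labelled by attrs, or None if unauthorised."""
    rows = [x for x in range(len(M)) if rho[x] in attrs]
    n = len(M[0])
    # coefficients omega with sum_x omega_x * M_x = (1, 0, ..., 0)
    MT = [[M[x][j] for x in rows] for j in range(n)]
    omega = solve(MT, [1] + [0] * (n - 1), len(rows))
    if omega is None:
        return None
    return sum(o * shares[x] for o, x in zip(omega, rows)) % P


def hiding_vector(M, rho, attrs):
    """w with w[0] = 1 and <M_x, w> = 0 for every row of attrs, or None."""
    rows = [x for x in range(len(M)) if rho[x] in attrs]
    n = len(M[0])
    # solve M_S[:, 1:] w' = -M_S[:, 0] and prepend the fixed first coordinate
    tail = solve([M[x][1:] for x in rows], [-M[x][0] for x in rows], n - 1)
    return None if tail is None else [1] + tail


# Constructed policy "(supplier AND carrier) OR manufacturer" in LSSS form.
M = [[1, 1], [0, -1], [1, 0]]
RHO = ["supplier", "carrier", "manufacturer"]
```

Shifting the sharing vector along the hiding vector of an unauthorised set leaves that set's shares unchanged while moving the secret, which is exactly why an unauthorised key cannot tell a semifunctional ciphertext from a normal one.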
7. Security of the Anonymous Key Generation Protocol
The security proof of the anonymous key generation protocol is divided into two parts, namely, leak-freeness and selective-failure blindness, which are used for legitimate and malicious attribute authorities.
7.1. Leak-freeness
We assume that a malicious user interacts with a legitimate attribute authority and runs this anonymous key generation protocol in a real security game. In an ideal security game, there is a simulator that can execute the KeyGen algorithm with a trusted party. Nevertheless, there is no distinguisher that can distinguish an ideal game from a real one. The interaction between and can be simulated by the simulator , and can perform the following steps.
(1) sends the public keys of to .
(2) sends to , then uses zero-knowledge proof to prove he/she does own .
(3) sends the element to the trusted attribute authority , then generates user attribute secret keys and to .
(4) computes and . Then, returns and to .
If and are correct keys generated from a trusted attribute authority in the ideal game, and will be considered to be the right keys of in the real game. Hence, cannot distinguish whether the game is real or ideal.
7.2. Selective-Failure Blindness
We assume that a malicious attribute authority generates its public key and two global user identifiers and . produces a random bit and then it accesses two oracles in a black-box manner, namely, and , which are adopted to play the role of legitimate users. and execute the anonymous key generation protocol and then can get two kinds of keys and . If there are some errors during the execution of the anonymous key generation protocol, the returned key will be considered meaningless and return .
If and , outputs and , outputs ; and , outputs ; and , outputs .
In the anonymous key generation protocol, provides to and computes . Then, runs the two oracles, which are regarded as computationally indistinguishable. Otherwise, the indistinguishability of the zero-knowledge proof and the hiding property of the commitment scheme would be broken. If can use any computation strategy to output the key of the first oracle , it can predict the key without interacting with the two oracles.
(1) verifies . If the proof is invalid, will output .
(2) generates a pair of different keys for the second oracle and verifies . If the proof is invalid, will output .
(3) If the verification fails, that is, if and , will output . If and , will output , and if and , will output .
(4) If the verification is successful, will execute the anonymous key generation protocol by itself using the inputs and the output .
When is verified like a trusted , the two predictions will have the same distribution. So, can predict the output of the two predictions and has the same advantages in distinguishing and as the same final output. Therefore, the advantage of in distinguishing two predictions comes from the received and authentication . However, because of the witness indistinguishability of zero-knowledge proof and the strategic hiddenness of the commitment mechanism, we can infer that the advantage of in distinguishing between the two predictions is negligible.
8. Performance Analysis
In this section, we have the comparisons between our scheme with other schemes in Qin et al. [22], Liang et al. [37], and Malluhi et al. [38] from the view of property and efficiency to reflect the feasibility as well as the practicality of our work.
8.1. Property Analysis
In Table 1, we can find comparisons in scheme properties, such as attribute revocable, policy hiding, user identity hiding, and anonymous key generation, which reflects the comprehensiveness of our scheme in those compared schemes. Considering the actual application scenarios, more comprehensive features are of greater significance for protecting system data security and user privacy.
8.2. Theoretical Analysis
We compare our scheme with other schemes for blockchain-based access control in terms of attribute authority 's secret key size, user secret key size, ciphertext size, and decryption overhead. We define as the total number of attributes, as the number of attribute authorities, and as the access structure. , , and are the lengths of the elements of the groups , , and in the pairing group. and are the attribute numbers of user and authority . is the cost of performing a bilinear pairing operation, and is the cost of performing an exponentiation. It is worth noting that there is no concept of an attribute authority in [38]; instead, a special key user can generate secret keys for the other users in the whole system. When comparing the schemes in this paper, we treat these special key users as attribute authorities.
As shown in Table 2, the attribute authority secret key of our work is smaller than in the other works. For the size of the user secret key, our work is the same as [37] and [38]. When 2 is smaller than , it will also be smaller than [22]. In terms of ciphertext size, our work is slightly higher than [22, 38]. Because an exponentiation costs much more than a bilinear pairing operation in the pairing group, our work is the most efficient in decryption. In conclusion, our work has advantages in storage, communication, and computation.
8.3. Experiment Analysis
We use a 64-bit Windows 10 laptop with an eight-core 2.40 GHz Intel Core(TM) i5-1135G7 processor and 16 GB of memory for the experiments. Moreover, we implemented the above scheme in Java using IntelliJ IDEA 2019.3. The JPBC (Java Pairing-Based Cryptography) Library [39] and a Type-A1 curve with 160 bits are used, respectively, to perform the pairing computations and to provide the test parameters.
In order to compare the actual running time cost of the Encryption and Decryption phases under different access control structures, we designed two kinds of experiments. In Experiment 1, the number of total attributes increases while the number of access attributes is fixed. It simulates the impact on the running cost of data owners and data users when attribute authorities continuously add new attributes. In Experiment 2, the number of access attributes increases while the number of total attributes is fixed. It simulates the impact on the running cost of data owners and data users when the data owner changes the access structure. In each experiment, we simulate five attribute authorities that manage the same number of different attributes. An access structure specifies that each data user needs a given number of attributes to decrypt the ciphertext properly. We repeated each group of experiments 5 times and computed the average running time of the encryption and decryption phases. Note that each message consists of 124 random integers in these experiments. The running time is shown in Table 3. It should be noted that, according to the actual model of each scheme, we used all attribute keys to encrypt the ciphertext in the encryption process and stored the access structure in the ciphertext. Moreover, we simulated a legal user with only the access attributes to decrypt the ciphertext. Therefore, the encryption algorithm generally involves more attributes, which makes the running time cost of the encryption algorithm much higher.
For a more intuitive comparison, the comparison charts of the running time of encryption, decryption, and the total are shown in Figures 4 and 5. For the running time cost of encryption, our scheme is more efficient than the other schemes in [22, 38] but slightly higher than [37]. Meanwhile, the running time cost of our work has obvious advantages over the other schemes in the decryption phase. Our scheme also has obvious advantages over the schemes in [22, 38] in the total running time comparison. This shows that our scheme is more suitable for application in a supply chain information sharing system where many data users need to access data frequently.
[Figure 4: running time comparison charts, panels (a), (b), (c)]
[Figure 5: running time comparison charts, panels (a), (b), (c)]
In summary, our scheme has its advantages in the aspects of security, storage, and efficiency compared with the schemes in [22, 37] and [38].
9. Conclusion and Future Works
This paper aims to provide an effective access control scheme for a blockchain-based supply chain information sharing system to protect data privacy. Therefore, we propose a new privacy-preserving multiauthority attribute-based access control scheme. Our scheme ensures the confidentiality of blockchain data and provides fine-grained access control for data sharing. Taking into account the actual needs of the system, the scheme also supports user attribute key updates and ciphertext updates to cope with the dynamic change of user attribute authority. Furthermore, the scheme adopts LSSS as the access structure, which improves computational efficiency. In addition, the scheme is proven to be fully secure under the assumption of dual-system encryption. Finally, we prove that our work is feasible and effective through analysis and experimental comparison.
In order to test the security and efficiency of our scheme, we are working on implementing it in a real blockchain-based supply chain information sharing system. In addition, our future research focuses on resistance to quantum attacks and on lightweight encryption algorithms.
Data Availability
The data used to support the findings of this study are included within the article.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
Our work was supported by the National Natural Science Foundation of China, under Grant No. 61972208, and Jiangsu Postgraduate Research and Innovation Plan, under Grant Nos. KYCX20_0761 and KYCX21_0794.