A Blockchain-Based CP-ABE Scheme with Partially Hidden Access Structures

Data sharing has become a key technology to break down data silos in the big data era. Ciphertext-policy attribute-based encryption (CP-ABE) is widely used in secure data-sharing schemes to realize ﬂexible and ﬁne-grained access control. However, in traditional CP-ABE schemes, the access structure is directly shared along with the ciphertext, potentially leading to users’ private information leakage. Outsourcing data to a centralized third party can easily result in privacy leakage and single-point bottlenecks, and the lack of transparency in data storage and sharing casts doubts whether users’ data are safe. To address these issues, we propose a blockchain-based CP-ABE scheme with partially hidden access structures (BCP-ABE-PHAS) to achieve ﬁne-grained access control while ensuring user privacy. First, we propose an eﬃcient CP-ABE scheme with partially hidden access structures, where the ciphertext size is constant. To assist data decryption, we design a garbled Bloom ﬁlter to help users quickly locate the position of wildcards in the access structure. Then, to improve storage eﬃciency and system scalability, we propose a data storage scheme that combines blockchain technology and the interplanetary ﬁle system, ensuring data integrity. Finally, we employ smart contracts for a transparent data storage and sharing process without third-party participation. Security analysis and performance evaluation show that the proposed BCP-ABE-PHAS scheme can preserve policy privacy with eﬃcient storage and low computational overhead.


Introduction
Cloud computing promotes the aggregation of storage and computational resources and has a tremendous market value. However, when data owners outsource data to cloud services, they lose control of their data, and their private information is at risk of leakage [1]. Recently, data security incidents have occurred frequently, and such events undermine users' confidence in data security and raise concerns regarding cloud storage.
In 2005, Sahai and Waters [2] proposed attribute-based encryption (ABE) to achieve fine-grained access control. e ABE scheme is mainly categorized into ciphertext-policy ABE (CP-ABE) [3] and key-policy ABE (KP-ABE) [4]. In the KP-ABE scheme, the secret key and ciphertext are associated with the access structure (or access policy) and attribute set, respectively. In this case, the ciphertext can only be decrypted when the attribute set satisfies the access policy. Contrarily, in the CP-ABE scheme, the ciphertext and secret key are associated with the access policy and attribute set, respectively. e CP-ABE scheme features fine-grained access control and one-to-many secure data sharing. However, in the traditional CP-ABE scheme, the access policy is directly shared along with the ciphertext. Consequently, anyone can get this access policy while obtaining the ciphertext; however, the access policy may contain the user's sensitive information.
Consider a scenario in which a patient with a social security number (SSN) 123-456-789 wants to outsource his (or her) health data to the cloud and establish an access policy, as shown in Figure 1(a).
is patient designs an access policy based on which only this patient or the psychologist at the city hospital can access the data. If the patient uses the traditional CP-ABE scheme to send the encrypted data and access policy to the cloud, anyone with access to this cloud can obtain the patient's access policy. us, the data security of this patient, who is suffering from psychological problems, is undoubtedly threatened. e most effective way to protect a user's access policy information is to hide the attribute information. Policy hiding involves fully and partially hiding. In the CP-ABE scheme, fully hidden access policies imply that no attribute information in the access policy is revealed, and partially hidden access policies imply that only sensitive attribute values are hidden. As shown in Figure 1(b), the partially hidden access policy is expressed as (SSN: * OR (Affiliation: * AND Occupation: * )), where the attribute values that may expose a user's information are hidden. A tradeoff is obtained between the efficiency of the CP-ABE scheme and the fully hidden access structure using a partially hidden access structure embedded in the CP-ABE scheme to reduce computational costs [5]. Additionally, centralized storage architectures are vulnerable to various network attacks such as single point of attack, man-in-the-middle attack, and distributed denial-ofservice attack [6,7]. Owing to such attacks, data owners may lose control of their data. Because blockchain technology is transparent, decentralized, and unforgeable, blockchainbased data storage and sharing schemes have been proposed to resist such attacks. Blockchain is an append-only distributed database, so large-scale data can quickly bloat the blockchain and make it expensive and inefficient to scale. To alleviate the storage pressure of the blockchain, we propose a storage scheme that combines blockchain technology and the interplanetary file system (IPFS) [8].
erefore, we propose a blockchain-based CP-ABE scheme with a partially hidden access structure (BCP-ABE-PHAS) to realize secure data storage and sharing. Our main contributions are summarized as follows: (1) We propose a CP-ABE scheme with partially hidden access structures to achieve fine-grained access control and ensure user privacy. Moreover, to assist data decryption, we design a garbled Bloom filter (GBF) to locate the position of wildcards in the access policy. (2) To ensure data integrity and improve system scalability, we adopt a storage scheme that combines blockchain technology and the IPFS, in which the real ciphertext is stored in the IPFS, and meanwhile, the access policy is stored on the blockchain. (3) We employ smart contracts to achieve automated and trusted access control, where the entire data storage and sharing process is transparent without third-party participation. (4) Security analysis and performance evaluation show that the proposed scheme can achieve effective privacy preservation without incurring considerable overhead. e remainder of this paper is organized as follows. In Section 2, we introduce the related work. In Section 3, preliminaries are described. We then present the system architecture and security model in Section 4, followed by the detailed construction of the proposed scheme in Section 5. e security analysis and the performance evaluation are performed in Section 6, and the conclusions are presented in Section 7.

Related Work
Bethencourt et al. [3] proposed the first CP-ABE scheme.
is scheme allows data owners to specify a fine-grained access policy for their data to realize secure data sharing. However, an access policy may contain a user's sensitive information which is attached to the ciphertext as a plaintext, causing privacy leakage [9].
To address this problem, some schemes that hide the access policy have been proposed. For example, Nishide et al. [10] proposed a CP-ABE scheme with hidden access policies. ey proposed two schemes in which only attribute values are hidden using AND gates on multivalued attributes with wildcards. Based on this scheme [10], Li et al. [11] implemented user accountability while hiding the access policy. Phuong et al. [12] proposed two CP-ABE schemes with a hidden access policy. In this case, the access structure employs AND gates on positive and negative attributes with wildcards, and the ciphertext length is constant. Although these schemes are secure and efficient, AND-based access policies are limited in terms of expressiveness. us, to facilitate a more expressive access policy, Lai et al. [13] proposed a partially hidden CP-ABE scheme that supports linear secret-sharing scheme-based access policy. Based on this scheme [13], Zhang et al. [14] proposed a scheme that can support a large attribute universe. However, these schemes are built using composite-order bilinear groups; thus, their efficiency is low. Katz et al. [15] first proposed the inner-product predicate encryption. However, the "superpolynomial blowup" problem makes the CP-ABE schemes that use the attribute-hiding IPE to construct a fully hidden access policy very inefficient [16]. Hur [17] proposed a CP-ABE scheme that can support any monotonous access policy. In this case, the access policy is hidden by attribute remapping, and most decryption operations are delegated to the cloud storage center to considerably reduce the requester's computational overhead.
Because blockchain technology is decentralized, tamperproof, and transparent, it is widely used in secure data sharing and access control schemes. Based on inner-product predicate encryption [15], Gao et al. [18] proposed a trustworthy secure CP-ABE scheme with a fully hidden access policy based on blockchain technology. is scheme combines inner-product encryption and homomorphic encryption to hide access policies and uses smart contracts to store the generated proof on the blockchain permanently. Zhang et al. [19] proposed an access control for the Internet of ings (IoT) based on the smart contract which consists of the judge contract, access control contract, and register contract to achieve intelligent and efficient access control. Additionally, Xu et al. [20] proposed a blockchain-based smart healthcare system for large-scale health data privacy preservation. is system uses digital envelope technology to verify the confidentiality of information; however, it can only support one-to-one secure transmission, which does not satisfy the requirements of users who simultaneously employ multiple third parties to provide services. In the IoT environment, Xu et al. [21] and Novo [22] adopted the blockchain technology to realize secure data sharing and access control; however, these schemes do not satisfy largescale storage and privacy protection requirements.

Preliminaries
In this section, we introduce some basic knowledge associated with our BCP-ABE-PHAS.

Bilinear Map.
Let G and G T be multiplicative cyclic groups of prime order q. A bilinear mapping is a function e: G × G ⟶ G T which has the following properties: (1) Bilinearity: ∀u, v ∈ G and ∀a, b ∈ Z * q , there exists e(u a , v b ) � e(u, v) ab (2) Nondegeneracy: there exists g ∈ G such that e(g, g) ≠ 1 (3) Computability: ∀u, v ∈ G, e(u, v) can be effectively computed

Blockchain.
Blockchain is an append-only data structure in a peer-to-peer network environment, where data blocks are connected chronologically in a chain and the data in a blockchain are assured to be tamperproof, unforgeable, and traceable using cryptography [23]. As shown in Figure 2, a block comprises the block header and block body. e block header consists of four components: (1) PreBkHash, which is the digest of the previous block; (2) TS, which is the timestamp of the block creation; (3) nonce, which is the consensus proof computed by miners and guarantees the consensus of the block; (4) Merkle root, which is the root hash of the Merkle hash tree. e block body stores transaction details. e concept of smart contracts was first proposed by Szabo [24]. A smart contract is a program that contains code (its function) and data (its state). Smart contracts are used in Ethereum blockchain [25]. e contract address is usually given when a contract is deployed to the blockchain. Contract address is the address to a collection of codes on the blockchain that executes functions. ese functions of a contract address are executed when a transaction is made to the contract address. Once a smart contract is deployed in the network, it can run as programmed without human intervention.

Bloom Filter.
e Bloom filter is a space-efficient probabilistic data structure used to determine whether an element is contained in a specific set [26]. e Bloom filter is an m-bit array that can represent a set S of maximum n elements. e Bloom filter has k independent hash functions H � (h 1 , . . . , h k ), where h i : 0, 1 { } * ↦[1, m] and 1 ≤ i ≤ k indicates that the value generated by the hash function is uniformly distributed in [1, m]. Herein, a Bloom filter with parameters (m, n, k, H) is represented as (m, n, k, H)0BF, a Bloom filter encoding the set S is represented as BF S , and the value at index i in BF S is represented as First, all bits in the Bloom filter are set to 0. As shown in Figure 3, when we add the element x in the set S � x, y to the Bloom filter, we set BF S [h i (x)] � 1 for 1 ≤ i ≤ 3. When we verify the existence of an element y in set S, if BF S [h i (y)] � 0 exists for 1 ≤ i ≤ 3, this proves that y ∉ S; otherwise, y ∈ S with a high probability. e Bloom filter yields false positives; in other words, it yields an element that does not belong to the set S, but the corresponding position values are all 1. As shown in Figure 3, the element z does not belong to the set x, y ; however, BF S [h i (z)] � 1 for 1 ≤ i ≤ 3. According to Bose et al. [27], the false positive probability is negligible if we select the optimal k and m values.

Secret Sharing.
Secret sharing technology is an important aspect of cryptography research. For example, Shamir [28] proposed a (k, n)-threshold secret-sharing scheme. e Security and Communication Networks basic concept of this scheme is that the secret s to be shared is divided and distributed to n participants. e secret can be recovered in the case of minimum k participants; otherwise, the secret cannot be recovered. When k � n, secret sharing can be obtained using the ⊕ (XOR) operation. Randomly generate n − 1 bit strings r 1 , . . . , r n−1 with the same length as the secret s, and calculate r n � r 1 ⊕ . . . ⊕ r n−1 ⊕ s; each of r i is a part of the secret s. Finally, the secret s can be obtained by computing r 1 ⊕ . . . ⊕ r n . Figure 4, we define two attribute vectors

Attribute Vector. As shown in
e decryption algorithm discussed in this paper employs the following polynomial identity, where w i is the attribute value at position i in the attribute vector.
We use Viète's formulas [29] to construct the polynomial j∈J (i − j) � x n + a n−1 x n− 1 + · · · + a 0 in equation (1), and the coefficients are calculated as follows: where n � |J|. Here, if J is clear, we can calculate the polynomial coefficients a i . For example, when and calculate the coefficients: 3.6. Decision Linear Assumption. Let G be a bilinear group of prime order q with a generator g. For any probabilistic polynomial-time (PPT) adversary A, its advantage Adv A (λ) in solving the decision linear (DLIN) problem [30] in G is where the probability is taken over all possible choices of a, b, c, d, r ∈ Z * q . We say that the DLIN assumption holds in G if there exists a negligible function ε(λ) such that Adv A (λ) < ϵ for any PPT algorithm A.

System Architecture.
e system architecture of the proposed scheme is shown in Figure 5. As illustrated, the system architecture involves five entities, i.e., attribute authority (AA), IPFS, data owner (DO), data user (DU), and blockchain.
AA: the AA manages all attributes in the system and assigns attributes to users. It is also responsible for generating public parameters and issuing secret keys based on the users' attributes. In this paper, the AA is fully trusted. IPFS: the IPFS is a distributed file storage system based on content addressing. Note that there is no central server node in the IPFS; thus, it can avoid the risk of a single point of failure. e IPFS uses an encryption algorithm to calculate the hash value hashipfs of a file, and this hashipfs is used as the file's address. is approach reduces the repeated storage of files and ensures the integrity of files.   (ω 1 Figure 4: Attribute vector.
DO: the DO selects the file to be shared and creates a corresponding access policy. First, the DO encrypts the file using the symmetric key aeskey and stores the ciphertext encfile in the IPFS. en, the proposed CP-ABE scheme is used to encrypt aeskey and generate the ciphertext CT. Finally, hashipfs and CT are stored on the blockchain using a smart contract. DU: the DU sends a request to the AA, and the AA generates a secret key based on the attribute set of the DU. e DU obtains CT stored on the blockchain using the smart contract and decrypts CT based on its secret key. Here, if the attribute set satisfies the access structure set by the DO, then the DU can obtain the file from the IPFS using aeskey and hashipfs. Blockchain: the blockchain is an append-only distributed database, where data are stored permanently and are tamperproof. To ensure secure data sharing and fine-grained access control, the DO only stores hashipfs and CT on the blockchain using smart contracts.

e Definition of the BCP-ABE-PHAS Scheme.
Here, we present the definition of our scheme. is scheme mainly involves the following four algorithms: the Setup algorithm is executed by the AA. is algorithm takes security parameter 1 λ as the input and outputs the public parameters PK and master secret key MSK.
for some negligible function ϵ(λ). Based on [29], the security game Exp A (λ) is described as follows: Security and Communication Networks 5 Init: A selects two different challenge attribute vectors W 0 , W 1 ∈ Σ L * , for at least one w i ≠ * . Setup: the challenger B runs Setup(1 λ ) algorithm, which outputs PK and MSK. It sends PK to A and keeps MSK to itself. Query phase 1: A adaptively issues key queries for the attribute vector W ∈ Σ L , under the restriction that w i ≠ w 0i and w i ≠ w 1i . B runs KeyGen(PK, MSK, W) algorithm to obtain SK W and sends SK W to A. Challenge: A submits two messages M 0 , M 1 (|M 0 | � |M 1 |) and sends them to B. Given W 0 and W 1 , B randomly selects β ∈ 0, 1 { } and encrypts M β under W β . Finally, B sends CT β to A. Query phase 2: query phase 2 is the same as query phase 1. Guess: finally, A outputs its guess β ′ ∈ 0, 1 { } for β. If β ′ � β, then return 1; else, return 0.

Setup Phase.
In this paper, we use U � att 1 , . . . , att L to represent the attribute universe in the system. Here, V i � v i,1 , . . . , v i,n i is the set of possible values of the i th category attribute, where n i � |V i |. us, the user's attribute vector is we use W⊨W to denote that the user's attribute vector W satisfies the access policy W; otherwise, we use W⊭W to denote that the user's attribute vector W does not satisfy the access policy W. Here, the wildcard * in the access structure means "do not care." e upper bound of the wildcard in the access structure is defined as N, where N ≪ L.
e setup phase is run by the AA. Here, G and G T are the multiplicative cyclic groups of a large prime order q, g is a generator of G, and e: G × G ⟶ G T is a bilinear map. e AA randomly chooses α, t 1 , t 2 , (x 1 , . . . , x N ) ∈ Z q and V 0 , U 1 , . . . , U L ∈ G and sets Ω 1 � e(g, V 0 ) αt 1 and erefore, the public parameters are expressed as follows: Additionally, the master secret key is expressed as follows:

Data Encryption Phase.
e encryption phase is executed by the DO and involves three main parts, which are described in the following section.

IPFS Storage.
e DO selects the file to be shared, generates the symmetric key aeskey using the Advanced Encryption Standard (AES), and encrypts the file using aeskey to generate the ciphertext encfile.
To relieve the pressure on blockchain storage, the proposed scheme stores encfile in the IPFS using the ipfs add encfile command, and the IPFS returns unique hash value ipfshash to retrieve encfile. Note that anyone can obtain the ciphertext encfile stored in the IPFS using the ipfs get ipfshash command.

Hidden Access Policy.
e blockchain is public, all participants can obtain the data on the blockchain, so we need to hide the attribute information of the access policy. e access policy developed by the DO is W � (w 1 , . . . , w L ). Assume that the access policy W contains n ≤ N wildcards that occur at positions J � j 1 , . . . j n .
When data are decrypted, determining the position of the wildcard symbols is essential; however, directly sending the set J may reveal the user's private information.
us, to solve this problem, we adopt an efficient positioning algorithm based on the GBF. e GBF is a combination of a Bloom filter and secret sharing technology. Differing from traditional Bloom filters that use a bit array, the GBF uses an array of λ bits. e GBF can verify whether an attribute exists in the specified set and locate the position index of the attribute to realize the hidden set J and protect the user's private information. In addition to the probability of hash function collisions, the probability of string matching must be verified. erefore, the false positive probability of the GBF is less than that of the traditional Bloom filter.
When the DO adds an element att j , j ∈ J, to the GBF, the algorithm first uses the (k, k)-secret-sharing scheme to randomly generate k − 1 λ-bit strings r 1,j , . . . , r k−1,j and sets r k,j � r 1,j ⊕ . . . ⊕ r k−1,j ⊕ j. en, it hashes att j with k independent hash functions H � (h 1 , . . . , h k ) and obtains h 1 (att j ), . . . , h k (att j ), where h i (att j ) is uniformly distributed in [1, m]. Finally, generated r i,j is stored in the GBF based on the position index generated by h i (att j ).
When elements are further added to the GBF, if a certain position is already occupied by previously added elements, we reuse the share already stored in the GBF. As shown in Figure 6, when we add j 2 to the GBF, the hash value of h d (att j 2 ) is the same as the hash value of h i (att j 1 ). If we modify r i,j 1 , the previously added element j 1 cannot be restored; thus, we set r d,j 2 � r i,j 1 . e construction of the GBF is presented in Algorithm 1.
e DO constructs a GBF to hide the set J of wildcard positions based on Algorithm 1 and then uses Viète's formulas to compute a i 1 ≤ i ≤ n . Here, m � ( n k�0 x k a k ) − 1 , where x 0 � 1. It randomly chooses r 1 , r 2 ∈ Z * q . e DO then creates CT as where M is aeskey. erefore, the ciphertext is CT � (C 0 , C 1 , C 2 , C 3 , GBF).

Blockchain Storage.
A blockchain is an append-only distributed database that stores data on the blockchain permanently, which ensures that the data can be tamperproof but increases the storage pressure on the blockchain. erefore, in this paper, the ciphertext encfile is stored in the IPFS, and only ipfshash and CT are stored on the blockchain. To achieve secure data sharing and fine-grained access control, we employ smart contracts to ensure that the data storage and sharing process is open and transparent without third-party participation. Here, the public and private keys of the DO in the blockchain are represented by BPK DO and BSK DO , respectively.
Generally, the DO is the creator of the access control contract (ACC) who wants to share data with DUs. e ACC provides application binary interfaces (ABIs) to manage and implement access control. e ABIs of the ACC are presented in Table 1.
e DO creates and deploys the ACC and then obtains the contract address and ABIs. Furthermore, the DO sends a transaction to execute the uploadfile ABI of the ACC to upload the data on the blockchain (Algorithm 2).

Security and Communication Networks
K � g αs , erefore, the secret key of the DU is SK � (K, K 1 , K 1 ′ ).

Data Decryption
Phase. Data decryption is performed by the DU and mainly comprises the following three phases.

Obtain Data on the Blockchain.
e DU sends a transaction to execute the getfile ABI of the ACC to obtain the data stored on the blockchain (Algorithm 3). erefore, the DU obtains ipfshash and CT stored on the blockchain.

QueryGBF.
e DU obtains the data stored on the blockchain, where CT � (C 0 , C 1 , C 2 , C 3 , GBF). As observed from the data encryption phase, obtaining J is the key to decrypting CT. Here, the DU obtains J according to Algorithm 4.
First, we determine whether the hash value of the attribute exists in the GBF. If the corresponding position of the attribute in the GBF is 0, the attribute must not be in J. When all GBF positions corresponding to the k hash values of the attribute are not empty, the DU must calculate the position index of the wildcard in the access policy using ⊕ ; if the calculated value is the same as the position index corresponding to the attribute vector of the DU, the attribute is present in J; otherwise, this attribute is not in J.

Data Decryption
When the DU successfully decrypts the data, it obtains aeskey. en, the DU obtains encfile stored in the IPFS using ipfshash. Subsequently, aeskey is used to decrypt encfile to obtain the file shared by the DO.

Security Analysis and
Performance Evaluation 6.1. Correctness. In this section, we verify the correctness of the proposed scheme. When we use a decryption key that satisfies the given access policy, the Decrypt algorithm indeed returns the correct message.   (1) J � new set of length n; �� NULL then (7) break; (8) else (9) recovered � recovered ⊕ GBF[j]; (10) end if (11) end for (12) if recovered �� x then (13) J.add(x); (14) end if (15) If the secret key of the DU is valid, then w i � w i , i ∉ j 1 , . . . , j n . us,

Theorem 1. e proposed BCP-ABE-PHAS scheme is semantically secure in the selective model assuming that the DLIN assumption holds in group G.
Proof. Assume there exists a PPTadversary A that can break the selective semantic security. We then build an algorithm B that uses A to solve the DLIN problem in G.
Here, the challenger selects a bilinear group G of prime order q and a generator g ∈ G, as well as the group G T and a bilinear map e: G × G ⟶ G T . en, the challenger randomly chooses five values a, b, c, d, r ∈ Z * q and computes Z 0 � g b(c+d) and Z 1 � g r . e challenger randomly chooses β ∈ 0, 1 { } and sends the tuple (g, g a , g b , g ac , g d , Z β ) to B. Note that the goal of B is to guess β with a probability greater than 1/2. To generate a guess, B interacts with A in the following selective semantic security experiment. chooses v 0 , u 1 , . . . , u L ∈ Z q uniformly at random and sets the following: i ju i for j � 0, . . . , N, Here, B randomly chooses σ 1 , σ 2 , σ 3 ∈ Z q and computes Ω 1 � e(g a , V 0 ) σ 1 − σ 2 and Ω 2 � e(g σ 3 · (g a ) − σ 2 , V 0 ). e public key is expressed as follows: PK � e, G, G T , g, q, Additionally, the master secret key is expressed as follows: Query phase 1: in this phase, B will respond to the key query of A. Each time, A will commit an attribute vector W � (w 1 , . . . , w L ) and set s � σ 2 , s 1 � t 1 + σ 2 , and s 2 � σ 2 + σ 3 /a − σ 2 � σ 3 /a. en, B responds by computing K � g aσ 2 , Finally, B sends SK � (K, K 1 , K 1 ′ ) to A. Challenge: when query phase 1 is over, A sends two messages M 0 , M 1 ∈ G T , (|M 0 | � |M 1 |), to B. en, B randomly chooses and outputs its guess and selects a message M c to encrypt under W c . en, B creates C 0 � M c · e g ac , g bv 0 σ 1 − σ 2 · e g ac , g B sends the challenge ciphertext CT � (C 0 , C 1 , C 2 , C 3 , GBF) to A. Query phase 2: query phase 2 is the same as query phase 1.

Guess: A outputs its guess
Finally, if c ′ � c, B outputs 1; otherwise, B outputs 0.
In the following, we analyze the probability of success for B. Here, if β � 0, then B will behave correctly as a challenger to A. Furthermore, A will have the probability of 1/2 + ϵ of guessing c. If β � 1, A will have the probability of 1/2 of guessing c.
To conclude this proof, we obtain the following: Pr B g, g a , g b , g ac , g d , g b(c+d) � 1 − Pr B g, g a , g b , g ac , g d , g r � 1 which is nonnegligible, thereby contradicting the DLIN assumption.  Figure 7 shows the transmission time required by the two schemes. Note that all experimental results are the average of 30 trials. As shown in Figure 7, the upload and download time of files in the IPFSbased scheme are less than those of the files in the cloudbased scheme. Moreover, the time required for uploading and downloading the files in the cloud-based scheme exhibits a faster growth trend than the IPFS-based scheme when the file size increased. erefore, the IPFS-based scheme can improve storage efficiency and system scalability.

GBF Efficiency.
We conduct another experiment to verify the storage and query efficiency of the GBF. Here, we use double hashing technology, and the k hash functions of the GBF are constructed using the 128-bit SpookyHash and MurmurHash. e length of the GBF is set to m � 1024, and λ � 8 in this experiment. Furthermore, the number of attributes in the access policy is 5-35, the number of wildcards is 2-14, and the number of hash functions is k � 6, 8, and 10. Note that all reported experimental results are the average values obtained over 30 trials. As shown in Figure 8, for k � 8, the time required to add 10 wildcards to the GBF is approximately 4.5 ms, and the query time is approximately 3.5 ms. erefore, introducing the GBF does not increase the computational overhead of the system.

Performance Evaluation.
We also analyze the performance of our scheme and five existing CP-ABE schemes with AND gates in terms of the ciphertext size, decryption consumption, whether access policies are hidden, and so on. e results are presented in Table 2, where p represents the pairing operation, e represents the exponentiation operation, l represents the number of attributes in the access structure, m represents the number of possible values for an attribute, and n represents the number of wildcards in the access structure. From Table 2, among all schemes that support wildcards and the hidden access policy, our scheme exhibits the smallest ciphertext size. Furthermore, the ciphertext size of our scheme is constant. Note that the decryption consumption of our scheme is related to the number of wildcards n, where n ≪ l; thus, our scheme has the advantage in terms of decryption consumption.
To evaluate the actual performance of our scheme, we compare it to schemes proposed in [10,31]. Here, we implement our scheme on a desktop PC (3.4 GHz Intel Core i7 CPU with 16 GB RAM) based on Ubuntu 18.04 LTS and Java Pairing-Based Cryptography Library (JPBC) 2.0.0. is implementation uses a 160-bit elliptic curve group based on the supersingular curve y 2 � x 3 + x over a 512-bit finite field. e number of attributes in the access policy is 5-35, and the number of wildcards is 2-14. To ensure accuracy in our experiments, all reported experimental results are the averages obtained over 30 trials. Figure 9(a) shows the size of the public parameters in the setup phase. e size of public parameters in all schemes increases linearly with the increase in the number of attributes. Nishide et al. [10] defined all possible values for each attribute in the public parameter; thus, the size of the public parameters is larger than other schemes. Figure 9(b) presents the execution time of the key generation phase. In our scheme, the key is generated by the AA with high computational power; therefore, although the time required in our scheme is greater than other schemes, it will not affect the efficiency of our scheme. Figure 9(c) presents the execution time of the encryption operation. Here, the number of exponentiation operations in the encryption algorithm is related to the attribute; thus, the required time increases with the increase in the number of attributes. e scheme in [10] exhibits more exponentiation operations in the encryption phase than our scheme and the scheme in [31]; thus, the required time is greater than the other two schemes. Figure 9(d) shows the execution time of the decryption operation. Note that the existing scheme [31] does not hide the access policy; thus, its decryption time is fixed. e decryption time of our scheme is less than that of the scheme in [10].      [10] Prime AND gates on multivalued attributes |G T | + (2ml + 1)|G| (3l + 1)p √ √ [12] Prime AND gates on ± |G T | + (4n + 2)|G| (4n + 2)p √ √ [31] Prime AND gates on multivalued attributes |G T | + 2|G| 2p × × [32] Composite AND gates on multivalued attributes |G T | + (2ml + 2)|G| (l + 1)p √ √ [33] Prime AND gates on ± |G T | + (l + 1)|G| (l + 1)p √ × Ours Prime AND gates on multivalued attributes |G T | + 3|G| 3p + 2ne √ √  In summary, our scheme has advantages in terms of data encryption and decryption when implementing the hidden access policy.

Conclusion
In this paper, we propose a BCP-ABE-PHAS scheme to achieve trustworthy access while ensuring user privacy. Traditional centralized storage architectures are vulnerable to various network attacks, e.g., single point of attack, manin-the-middle attack, and distributed denial-of-service attack.
erefore, we adopt a data storage scheme that combines blockchain technology and the IPFS; this approach relieves the storage pressure on the blockchain and guarantees data integrity. e experimental results demonstrate that our scheme is efficient and maintains a constant ciphertext size. Furthermore, to assist data decryption, we design a GBF to help users quickly locate the position of wildcards in the access policy. e proposed scheme uses smart contracts to guarantee that the entire data storage and sharing process is transparent, dynamic, and automated. e results of security analysis and performance evaluations demonstrate that our scheme is secure and efficient.

Data Availability
As part of the data in the paper is confidential, the code cannot be published for the time being. If data needed, send the corresponding author an email.

Conflicts of Interest
e authors declare that they have no conflicts of interest.