Multiauthority Attribute-Based Access Control for Supply Chain Information Sharing in Blockchain



Introduction
A supply chain is a huge and complex network that tightly integrates suppliers, carriers, manufacturers, and consumers. In the supply chain, information sharing plays an important role in resource utilization, demand analysis, and production management for upstream suppliers and downstream manufacturers in each industry. In addition, as consumers pay more attention to raw materials, product processing, and logistics, the transparency and traceability of supply chain information has become a research hotspot in the supply chain field. However, a supply chain is often characterized by a high level of globalization, a large number of participating corporations, and complex product processing links, which involve confidential and critical private information of corporations and consumers. Therefore, a traditional centralized supply chain system is vulnerable to a single point of failure, which exposes the entire network and the organizations involved to potential danger (e.g., hacking or corruption) [1]. In addition, since centralized organizations introduce third parties for management, there is also a problem of inefficient access and limited control of information. Therefore, finding decentralized solutions to improve the security, availability, and transparency of information sharing in the supply chain is crucial.
Blockchain is a novel decentralized computing model, which is expected to provide decentralized solutions for information sharing in a supply chain system. It was first described in the context of Bitcoin [2], which Satoshi Nakamoto designed. Blockchain integrates distributed data storage, independent peering transactions, consensus mechanisms, programmable smart contracts, dynamic encryption algorithms, etc. It enables multiparty transactions in a distributed environment. It also makes information sources traceable and transaction data difficult to tamper with [3]. With the development of blockchain technology, it is increasingly applied in many fields such as medical care [4], banking systems [5], and Internet of Things (IoT) applications [6]. In recent years, scholars have paid more attention to the application of blockchain in supply chain information sharing. Abidi et al. [7] constructed a new privacy preservation model in supply chain networks based on blockchain technology, where blockchain plays a promising role for secure information sharing. Venkatesh et al. [8] developed a system architecture that integrates the use of blockchain, IoT, and big data analytics to allow suppliers to efficiently and effectively monitor supply chain social sustainability.
However, with the application of technologies such as deep learning and data mining, the blockchain still faces the threat of network attacks such as DDoS attacks [9], DNS attacks [10], and deanonymity analysis [11], which hinder the availability of services to users and threaten blockchain node security. Therefore, the data in the blockchain system are not completely secure because it transfers data through address identification similar to e-mail addresses, which may cause user privacy issues. Furthermore, although the address identification is not directly related to the real-world user identity, the blockchain data are completely open and transparent, leading to privacy leaks. So, it is indispensable to optimize the access control scheme for the traditional blockchain-based supply chain information sharing systems.
Attribute-based encryption (ABE) [12] is proposed as an encryption system that inherits the advantages of identity encryption, in which the secret key of a user and the ciphertext are dependent on attributes (e.g., phone number or e-mail address). It can provide fine-grained access control for an information sharing system. Due to the excellent performance of ABE in controlling and managing access to data, it has been considered to be one of the key technologies that can continuously improve the security and privacy performance of a blockchain system in recent years [13]. In this paper, we propose a blockchain-based supply chain information sharing access control scheme based on the privacy-preserving multiauthority ciphertext-policy ABE.
This scheme also introduces the user attribute revocation mechanism to enhance flexibility and security.
In our scheme, the main contributions are summarized as follows: (1) A novel multiauthorities attribute-based encryption scheme has been proposed to solve the problems of privacy leakage and incomplete anonymity in blockchain-based information sharing systems of the supply chain. (2) We take properties of attribute revocable, policy hiding, identity hiding, and secret key anonymous generation into account to improve the security and flexibility of our scheme. (3) An anonymous key generation protocol is proposed to solve the problem of secure key issuance between users and attribute authorities.
The rest of the article is structured as follows: Section 2 reviews the relevant issues of the research topic. Section 3 introduces the mathematical preliminaries involved in the paper. Section 4 explains the access control system model and security model. Section 5 describes our work in detail. Section 6 analyzes the correctness and security of the scheme we proposed. Section 7 analyzes the security of the anonymous key generation protocol. The results of the comparison and experiments will be shown in Section 8. Finally, Section 9 summarizes the work of this article and looks forward to future work.

Related Works
In this section, we review some existing works associated with the blockchain-based access control scheme and the applications of ABE and MA-ABE on it.

Blockchain-Based Access Control.
The leakage of sensitive data in the block can pose a great threat to the security of the blockchain and its applications. Therefore, research on data access control schemes for the blockchain has become a hot topic in blockchain security. Huang et al. [14] created a new type of blockchain system with a credit-based workload consensus mechanism (Proof of Work), and the researchers also designed a method for regulating sensor data access. The data authentication management method realized data privacy protection for the Industrial Internet of Things and improved the efficiency of the blockchain under the Internet of Things. Khan et al. [15] proposed a role-based fine-grained access control model for blockchain resource management. This model can monitor a resource continuously during the operation and update the attributes accordingly. Tan et al. [16] presented a general access control framework, which provided a unified and feasible way for users to achieve decentralized, lightweight, and fine-grained access control of the blockchain-based green Internet of Things. However, these studies mainly focused on optimizing the blockchain consensus mechanism and smart contracts, that is, on improvements to the blockchain security technology itself, without taking into account encryption algorithm cracking, key leakage, and privacy leaks in the blockchain.

ABE for Blockchain-Based Access Control.
Due to its wide application scenarios, attribute-based encryption has become a very popular research direction in cryptography. The emergence of ABE provides another solution to meet the needs of secure access control in blockchain applications. Xu et al. [17] created a distributed attribute-based keyword search (ABKS) scheme, where ABKS is a keyword search mechanism that introduces public key encryption with keyword search into the context of the attribute cryptosystem. The scheme gave data owners the flexibility to share data content with groups of users that meet access control conditions. Yu et al. [18] provided an update-oriented access control scheme for blockchain-based IoT systems, which is compatible with the ABE technique. In the scheme, historical on-chain data can only be accessible to new members and inaccessible to the revoked members. Qin et al. [19] proposed an access control scheme with lightweight decryption based on ABE and blockchain technologies, where a user credibility incentive mechanism is designed to calculate the user's credibility according to the user's access behavior and gives a reputation score to adjust the endorsement protocol dynamically.
These studies enhance the blockchain's ability to protect data and user privacy in its applications and enrich the research on the ABE-based blockchain information sharing access control scheme. However, in traditional attribute-based cryptography, a trusted entity known as a Key Generation Center (KGC) is responsible for generating users' private keys, which contradicts the decentralized blockchain.

MA-ABE for Blockchain-Based Access Control.
The multiauthority ABE was first proposed in [20]. This solution is based on the fact that, in reality, different types of transactions are handled exclusively by different organizations, and it improves on the standard ABE scheme. MA-ABE and its variants have been applied in researching and applying blockchain access control security. Guo et al. [21] constructed a multiauthority attribute-based encryption and signature scheme and introduced pseudorandom functions to achieve data sharing and collision avoidance. Qin et al. [22] proposed a blockchain-based multiauthority access control scheme called BMAC for secure data sharing in the cloud, where the Shamir secret-sharing scheme and a permission blockchain were introduced. In this scheme, multiple authorities jointly managed each attribute to avoid a single point of failure. Banerjee et al. [23] offered a new blockchain-envisioned fine-grained user access control scheme for data security and scalability in the IIoT environment, which supported multiple attribute authorities and constant-size keys and ciphertexts. Hei et al. [24] designed a novel MA-ABE scheme based on blockchain, which ensured that a relevant user could obtain the final decryption attribute key only after all attribute authorities had publicly issued their keys to the blockchain. Sethi et al. [25] presented a practical decentralized multiauthority traceable and efficiently revocable attribute-based cryptosystem with outsourcing decryption advantage. Rouhani et al. [26] proposed a distributed attribute-based access control (ABAC) system based on blockchain to provide trusted auditing of access attempts and presented a level of transparency from which both access requesters and resource owners can benefit. In this paper, we have considered four cryptographic properties to improve the security of MA-ABE for the blockchain-based access control scheme.
Furthermore, the current multiauthority attribute-based encryption schemes are mainly based on prime order and composite-order bilinear groups. Prime order bilinear groups are better than composite-order bilinear groups in terms of computational efficiency. However, the number of bilinear groups satisfying prime order is relatively small, and the structure of bilinear groups is single, which cannot meet the practical application needs. Therefore, we constructed a multiauthority attribute-based encryption scheme based on composite-order bilinear groups.

Composite-Order Bilinear Group.
The concept of the composite-order bilinear group was first proposed by Boneh et al. in [27].
Let $p_1, p_2, p_3$ be distinct primes and $G$ and $G_T$ be cyclic groups of order $N = p_1 p_2 p_3$. The map $e: G \times G \to G_T$ is a bilinear map if it meets the following three properties:
(1) Bilinearity: for $\forall a, b \in Z_N$ and $u, v \in G$, we have $e(u^a, v^b) = e(u, v)^{ab}$.
(2) Nondegeneracy: $\forall g \in G$ such that $e(g, g) \neq 1$ holds.
Let $G$ be a composite-order bilinear group and $G_{p_i}$ be the subgroups of order $p_i$ in $G$. We can get that for $\forall g_i \in G_{p_i}$ and $\forall g_j \in G_{p_j}$, $e(g_i, g_j)$ is an identity element in $G_T$, which has been explained in [28]. The orthogonal property of subgroups will be used in dual-system encryption to achieve semifunctionality.

Assumption.
There will be four assumptions illustrated in the proof of the security of our scheme. For assumptions 1-4, we refer to the assumptions 1-4 from Lewko and Waters's scheme [29], where $g \xleftarrow{R} G$ means randomly selecting $g$ in $G$.

Assumption 1.
For a given group generator G, we define the following distribution:
We define $Adv1_{A,G} = |\Pr[A(D, T_1)] - \Pr[A(D, T_2)]|$ as the advantage of algorithm A in breaking Assumption 1.
The assumption is true if no algorithm exists that can respectively distinguish $T_1$ and $T_2$ in $G$ and $G_{p_1}$ in polynomial time.

Assumption 2.
For a given group generator G, we define the following distribution:
The assumption is true if no algorithm exists that can, respectively, distinguish $T_1$ and $T_2$ in $G_{p_1}$ and $G_{p_2}$ in polynomial time.

Assumption 3.
For a given group generator G, we define the following distribution:
The assumption is true if no algorithm exists that can, respectively, distinguish $T_1$ and $T_2$ in $G_{p_1 p_2}$ and $G_{p_1 p_3}$ in polynomial time.

Assumption 4.
For a given group generator G, we define the following distribution:
The assumption is true if no algorithm exists that can respectively distinguish $T_1$ and $T_2$ in polynomial time.

Access Structure.
Let $P = \{p_1, p_2, \dots, p_n\}$ be the collection of participants. A collection $\mathbb{A} \subseteq 2^P$ is monotone if, for arbitrary $B$ and $C$, $B \in \mathbb{A}$ and $B \subseteq C$ imply that $C \in \mathbb{A}$ holds. An access structure (monotone access structure) is a collection (monotone collection) $\mathbb{A} \subseteq 2^P \setminus \{\emptyset\}$. The sets in $\mathbb{A}$ are authorized sets, and the sets not in $\mathbb{A}$ are unauthorized sets [30].

Linear Secret-Sharing Scheme (LSSS)
A linear secret-sharing scheme is an effective method to build an access structure. Let $P$ be the collection of participants and $A$ be a matrix with $m$ rows and $r$ columns. The map $\rho: \{1, 2, \dots, m\} \to P$ pairs each row with a participant by labeling. $\Pi = (A, \rho)$ is a linear secret-sharing scheme over the set $P$ and $Z_p^*$ for the access structure $\mathbb{A}$ if $\Pi$ provides the following two polynomial-time algorithms:
(1) Share $(A, \rho)$: the algorithm takes the shared secret $s \in Z_p^*$ as input and randomly chooses a group of
(2) Recover $(S)$: the algorithm takes a set $S$ of participants as input. Then, we define another set $I = \{i \mid \rho(i) \in S\}$. If $S \in \mathbb{A}$, there will exist a group of constants $\{\omega_i \mid i \in I\}$, which satisfy $\sum_{i \in I} \omega_i \cdot \lambda_{\rho(i)} = s$. So, we can recover the secret. However, if $S \notin \mathbb{A}$, we cannot recover the right secret.
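The Share and Recover algorithms above, as an added Python example (not code from the paper). The policy matrix, the attribute names, the prime modulus, and the share vector layout $v = (s, r_2, \dots)$ are assumptions made for illustration; the layout follows the standard LSSS construction because the description of Share is cut off on this page.

```python
import secrets

P = 2**61 - 1  # constructed prime modulus standing in for the page's Z_p

# Constructed policy: researcher AND (analyst OR auditor).
# Row x of A is labelled with attribute RHO[x] (the map rho).
A = [[1, 1], [0, -1], [0, -1]]
RHO = ["researcher", "analyst", "auditor"]


def share(secret, matrix=A, p=P):
    """Share: pick v = (s, r_2, ..., r_r) and return lambda_x = A_x . v mod p."""
    v = [secret % p] + [secrets.randbelow(p) for _ in range(len(matrix[0]) - 1)]
    return [sum(a * b for a, b in zip(row, v)) % p for row in matrix]


def solve_mod(rows, target, p):
    """Find w with sum_i w[i] * rows[i] == target (mod p), or None if impossible."""
    n, r = len(rows), len(target)
    # One equation per matrix column, one unknown per selected row.
    M = [[rows[i][c] % p for i in range(n)] + [target[c] % p] for c in range(r)]
    pivots, row = [], 0
    for col in range(n):
        piv = next((k for k in range(row, r) if M[k][col]), None)
        if piv is None:
            continue
        M[row], M[piv] = M[piv], M[row]
        inv = pow(M[row][col], -1, p)
        M[row] = [x * inv % p for x in M[row]]
        for k in range(r):
            if k != row and M[k][col]:
                f = M[k][col]
                M[k] = [(a - f * b) % p for a, b in zip(M[k], M[row])]
        pivots.append(col)
        row += 1
    # A leftover equation 0 = nonzero means (1, 0, ..., 0) is not in the span.
    if any(M[k][n] for k in range(row, r)):
        return None
    w = [0] * n
    for k, col in enumerate(pivots):
        w[col] = M[k][n]
    return w


def recover(shares, attrs, matrix=A, rho=RHO, p=P):
    """Recover: I = {i | rho(i) in S}; return sum_i w_i * lambda_i, or None."""
    I = [i for i, a in enumerate(rho) if a in attrs]
    target = [1] + [0] * (len(matrix[0]) - 1)
    w = solve_mod([matrix[i] for i in I], target, p)
    if w is None:
        return None  # unauthorized set: no reconstruction constants exist
    return sum(wi * shares[i] for wi, i in zip(w, I)) % p


if __name__ == "__main__":
    s = 123456789  # constructed secret
    lam = share(s)
    print(recover(lam, {"researcher", "analyst"}))  # authorized
    print(recover(lam, {"analyst", "auditor"}))     # unauthorized
```
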

Commitment Scheme.
The commitment scheme we used is based on Pedersen [31], which uses the discrete logarithm assumption. A commitment scheme is composed of the three following algorithms: (1) Setup $(1^\lambda) \to params$: this algorithm takes a security parameter $1^\lambda$ as input and outputs the set of public parameters. A commitment scheme must provide the two properties of hiding and binding. The hiding property requires that the message $M$ stays unreleased until the user releases it. The other property only needs the $decom$ to decommit the commitment $com$ to $M$.
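A Pedersen commitment with the hiding and binding properties described above, as an added Python example (not the paper's code). The toy group (p = 2039, q = 1019), the generator g = 4, and the function names are constructed for illustration; `equivocate` shows that binding holds only while nobody knows the discrete logarithm of h to base g.

```python
import secrets

# Constructed toy parameters: safe prime P = 2Q + 1. Far too small for real use.
P, Q = 2039, 1019
G = 4  # 2^2 is a quadratic residue mod P, so it generates the order-Q subgroup


def setup(trapdoor=None):
    """Setup: return (g, h, t) with h = g^t.

    A real setup must derive h so that t is unknown to everyone;
    t is returned here only so the binding failure can be demonstrated.
    """
    t = trapdoor if trapdoor is not None else 1 + secrets.randbelow(Q - 1)
    return G, pow(G, t, P), t


def commit(g, h, m, r=None):
    """Commit: com = g^m * h^r mod P; the randomness r is the decommitment."""
    r = secrets.randbelow(Q) if r is None else r % Q
    return pow(g, m % Q, P) * pow(h, r, P) % P, r


def decommit(g, h, com, m, r):
    """Decommit: accept (m, r) only if it reproduces com."""
    return com == pow(g, m % Q, P) * pow(h, r % Q, P) % P


def equivocate(t, m, r, m_new):
    """With t = log_g(h), compute r_new so that (m_new, r_new) opens the same com.

    g^m h^r = g^(m + t*r), so r_new = r + (m - m_new) / t (mod Q).
    This is also why the scheme is perfectly hiding: every message has
    some randomness that maps it to the same commitment.
    """
    return (r + (m - m_new) * pow(t, -1, Q)) % Q


if __name__ == "__main__":
    g, h, t = setup()
    com, r = commit(g, h, 42)
    print(decommit(g, h, com, 42, r))   # honest opening
    print(decommit(g, h, com, 43, r))   # wrong message, same randomness
    r2 = equivocate(t, 42, r, 777)
    print(decommit(g, h, com, 777, r2))  # opening forged with the trapdoor
```
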

Zero-Knowledge Proof.
The zero-knowledge proof scheme we used is based on [32]. By $PoK\{(a, b, c): y = g^a h^b \wedge y = g^a h^c\}$, we define a zero-knowledge proof of knowledge of $a$, $b$, and $c$, where $y = g^a h^b$ and $y = g^a h^c$ respectively hold by the group $G = \langle g \rangle = \langle h \rangle$ and $G = \langle g \rangle = \langle h \rangle$. Commonly, the values in the parenthesis represent the knowledge that needs to be proven, while the rest of the values are known by the verifier. There is an extractor that can be used to rewind the knowledge from the successful prover.

System Model.
In this paper, we propose an MA-ABE access control scheme for a blockchain-based supply chain information sharing system. The system model is shown in Figure 1. Our system model considers five main participants: supply chain, data owner, blockchain, data users, and attribute authorities. The definition and functions of each participant are as follows:
Supply chain: the supply chain is the source of all data. We assume the source data in a supply chain is correctly uploaded by suppliers, who record the data in materials production, product processing, logistics transportation, warehouse storage, goods purchasing, etc. Furthermore, because of the limited size of blockchain blocks, the supply chain data involved in this article only contains small-capacity data such as transaction records, cargo numbers, and logistics processes. Large-capacity data such as videos and images are not discussed in this paper, but we will do more research on them in the future.
Data Owner: the owner encrypts his/her goods' supply chain information and sends encrypted data to the blockchain with the access policy. An access policy can be defined as follows: (Attribute 1: (Researcher identified by Authority 1)) OR (Attribute 2: (Analyst identified by Authority 2)) AND (Attribute 3: (User identified by Authority 3)), so only the users with Attributes 1 and 2 or the users with Attributes 1 and 2 can correctly decrypt owner's ciphertext. Furthermore, the owner can update the encrypted data in a new block.
Attribute Authorities: each attribute authority can generate and distribute attribute public keys based on data users' attributes within the scope of the attributes it manages, such as phone numbers, identities, and affiliation. When data users' attributes change, the attribute authority has to change user attribute secret keys. In addition, an attribute authority can create a block. It has to package the data owner's encrypted data in the block and add it to the blockchain.
Blockchain: blockchain is the distributed environment for storing the data owner's encrypted data in storage nodes and making it public to users who can connect to the blockchain system.
Data Users: data users get their attribute secret keys from the attribute authorities and decrypt the data owner's encrypted data. However, only the users with the correct attribute secret keys can decrypt the ciphertext properly.

Security Model.
We let A be an adversary and C be a challenger, then the game between A and C will be carried out as follows:
GlobalSetup: C executes this algorithm and sends the global parameter set $gp$ to A. Then, A returns a group of corrupted authorities $AA' \subseteq AA$ and gives the challenge access structure $\mathbb{A}^* = (A^*, \rho^*)$, where $AA$ is the set of all authorities.
$b' = b$, the advantage of adversary A to win this game is calculated as follows:

System Scheme.
Our system scheme's workflow is shown in Figure 2. We divide the system workflow into five stages: Setup, Key Generation, Encrypt, Decrypt, and Revoke and Update. The details are as follows.
(1) Setup: multiple attribute authorities generate the system's public parameters through the GlobalSetup algorithm and use the consensus algorithm to negotiate and reach an agreement. After that, each attribute authority executes the AuthoritySetup algorithm to create its public key and private key. At the same time, attribute tags are assigned to users according to their attributes, such as phone number, identification, and affiliation.
(2) Key generation: the attribute authority uses the KeyGen algorithm to generate the user's public and private key according to the user's attributes.
(3) Encrypt: the data owner uses the Encrypt algorithm to encrypt the access structure and data.
(4) Block generation: when the encrypted data need to be uploaded to the blockchain, the data owner broadcasts ciphertext to the blockchain network. When attribute authorities have collected enough ciphertexts, they use a hash function to calculate the hash value of each ciphertext and construct a Merkle tree structure. Then, the attribute authority puts all ciphertexts into the block body and adds them into the blockchain along with the block. The structure of the block is shown in Figure 3. Finally, storage nodes store the blockchain data. It is noted that the size of the block is related to the number and size of the ciphertexts stored in the block body.
(5) Decrypt: the data user requests the data owner's encrypted data from the blockchain node and decrypts it through the Decrypt algorithm.
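The block-generation step (4), as an added Python example (not the paper's code): each ciphertext is hashed, the hashes are combined into a Merkle tree, and a data user checks a ciphertext fetched from a storage node against the root. SHA-256, the leaf/node prefix bytes, and promoting an unpaired node unchanged are assumptions; the hash function and tree layout are not specified on this page.

```python
import hashlib

# Constructed sample ciphertexts standing in for the ABE ciphertexts in a block body.
SAMPLE_CTS = [b"ct-%d" % i for i in range(5)]


def leaf_hash(ciphertext):
    # Distinct prefixes keep a leaf from being reinterpreted as an inner node.
    return hashlib.sha256(b"\x00" + ciphertext).digest()


def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_levels(ciphertexts):
    """Return all tree levels, leaves first, root level last."""
    if not ciphertexts:
        raise ValueError("a block body needs at least one ciphertext")
    level = [leaf_hash(c) for c in ciphertexts]
    levels = [level]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(node_hash(level[i], level[i + 1]))
            else:
                nxt.append(level[i])  # unpaired node is promoted, not duplicated
        level = nxt
        levels.append(level)
    return levels


def merkle_root(ciphertexts):
    """Value the block creator would place in the block header."""
    return build_levels(ciphertexts)[-1][0]


def inclusion_proof(ciphertexts, index):
    """Sibling hashes from leaf to root as (hash, sibling_is_left) pairs."""
    proof = []
    for level in build_levels(ciphertexts)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_inclusion(ciphertext, proof, root):
    """Check a ciphertext served by a storage node against the header root."""
    h = leaf_hash(ciphertext)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root


if __name__ == "__main__":
    root = merkle_root(SAMPLE_CTS)
    proof = inclusion_proof(SAMPLE_CTS, 2)
    print(verify_inclusion(SAMPLE_CTS[2], proof, root))  # untouched ciphertext
    print(verify_inclusion(b"ct-2-modified", proof, root))  # altered in storage
```
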

Algorithm Construction.
Like other schemes [33,34], although our scheme is based on the composite-order bilinear group construction, the whole system is limited to the subgroup $G_{p_1}$. Subgroups $G_{p_2}$ and $G_{p_3}$ are only used in the security proof process to construct the semifunctional key and the semifunctional ciphertexts. Here, the seven main algorithms of the cryptography involved in our scheme are as follows:
(1) Let $\varphi$ be an algorithm to generate composite-order bilinear groups. $\varphi$ takes the security parameter $1^\lambda$ as input and randomly selects the number $N = p_1 p_2 p_3$ as the order of the group $G$, where $g_1$ is a generator of { } * ⟶ G as two strong collision resistance hash functions for mapping random numbers to values in $Z_N^*$ and $G$. Let $e: G \times G \to G_T$ be a bilinear map.
(2) The algorithm generates a user's unique global indicator $GID$ in the system and uses the hash function $H$ to get $u = H(GID) \in Z_N^*$. Then, the user public key will be represented as $PK_u = g_1^u$.
Each attribute authority $AA_i$ runs this algorithm. For attribute $a_j$ belonging to $AA_i$, $AA_i$ chooses two random exponents $\alpha_j, \beta_j \in Z_N^*$. Then, $AA_i$ randomly selects an exponent $c_i$ for itself and gets its public key $PK_i$ and secret key $SK_i$ as follows:
Data owner executes the Encrypt algorithm and selects an LSSS-based access policy $\mathbb{A} = (A, \rho)$, in which for each attribute $a_j$ involved, the owner sets a random number $t \in Z_N^*$ and replaces $a_j$ as $\theta_j =$
The algorithm first chooses a secret $s \in Z_N$ as the sharing secret. Then, it generates a random column A. Then, the algorithm generates another random column vector $\omega = (0, \omega_2, \omega_3, \dots, \omega_m)^T \in Z_N^m$ with 0 as the first element, where $\omega_x = A_x \omega$. For each row of the matrix $A$, the algorithm randomly selects $r_x \in Z_N$. At last, the encrypted data of the message $M \in Z_N$ can be defined as follows: Here, ct
KeyGen $(gp, PK_i, SP_i, A_u, u, PK_u) \to K_{u,j}$.
Attribute authorities use the anonymous key distribution protocol to generate the attribute secret keys for users. For each attribute $A_u$ is user $u$'s attribute set, which is verified by authorities. Then, the user attribute secret keys $K_{u,j}$ can be computed as follows: Here, $K_3$ is used to hide the attribute $a_j$, and $K_{u,j} = \{K_1, K_2, K_3\}$.
Each data user has to query the owner's encrypted data (ciphertext) from the blockchain and uses the Decrypt algorithm to get the original message $M$. Furthermore, the data user can replace his/her attribute $a_j \in A_u^i$ by calculating $\theta_j = e(K_3, C_1)$ in the access policy $\mathbb{A}$.
Then, the user gains a set $X = \{x : \rho(x)$ from $\mathbb{A}$. Finally, the user chooses constants $c_x \in Z_N$, which meet $\sum_{x \in X} c_x A_x = (1, 0, \dots, 0)$. The Decrypt algorithm is run to decrypt the ciphertext $ct$. If the data user has the secret keys of each $A_x$, he/she will decrypt the ciphertext $ct$ as follows:
KeyUpdate $(gp, a_j, PK_i, SK_i, PK_u) \to K'_{u,j}$. Assume that $a_j$ is an attribute revoked and updated by the authority $AA_i$. Then, $AA_i$ must regenerate a corresponding new user attribute secret key for $a_j$ through the following steps:
(1) Authority $AA_i$ regenerates two new attribute random exponents $\alpha_j', \beta_j' \in Z_N$.
(2) For users who have the attribute $a_j$, $AA_i$ calculates In the end, user $u$ computes
CTUpdate $(ct, \mathbb{A}, UK_{\alpha_j}, UK_{\beta_j}) \to ct'$. If the access policy $(A, \rho)$ involves the revoked and updated attribute $a_j$, i.e., $\rho(x) = j$, the data owner will update his/her ciphertext stored in a new block in the blockchain. The ciphertext can be updated as follows:

Anonymous Key Generation Protocol.
Algorithm 1 shows the anonymous key generation protocol built in this paper. The details of this algorithm are shown as follows:
(1) The data user $u$ selects $\rho, a_1, a_2 \in Z_N^*$ randomly and calculates $P = g$
(2) $AA_i$ chooses $c \in Z_N^*$ randomly and returns it to $u$.
(3) $u$ computes $a_1' = a_1 - c/\rho$, $a_2' = a_2 - cu$, and sends $a_1'$ and $a_2'$ to $AA_i$.
(4) $AA_i$ verifies $P' = P^c g_1^{a_1'}$ and $Q' = Q^c h^{a_2'}$. If they are verified rightly, $AA_i$ will continue. If not, $AA_i$ will abort.
(5) $AA_i$ computes $\eta = (c_i + u)\rho$ by two-party secure computation (2PC Protocol).
If verifications are correct, $u$ will get his/her user attribute secret keys by calculating $K_1 = K_1'$ and $K_2 = K_2'$. Otherwise, $u$ aborts.

Security of Our Scheme.
In this paper, dual-system encryption [35] is applied to prove the security of our scheme. We refer to the proof method in [29,36,37]. In the dual-system encryption technology, secret keys and ciphertexts are divided into two forms: normal and semifunctional. It is noteworthy that a normal key can decrypt normal ciphertexts and semifunctional ciphertexts, while a semifunctional key can only decrypt normal ciphertexts, but it cannot decrypt semifunctional ciphertexts. In addition, the semifunctional key and ciphertext only exist in the security proof, and they will not appear in the actual system application. To more accurately describe the semifunctional ciphertext and the semifunctional key, we select two fixed random values $z_j, t_j \in Z_N$ for each attribute $a_j$. These two random numbers are the same for the semifunctional ciphertexts and the semifunctional keys, and they will not be changed by different users.

Semifunctional Ciphertext.
To generate the semifunctional ciphertext, we randomly choose $g_2 \in G_2$, $g_3 \in G_3$, $u_2 \in Z_N^m$, $u_3 \in Z_N^m$. Then, we set $\delta_x = A_x u_2$, $\sigma_x = A_x u_3$ for each row $A_x$ in the access policy matrix $A$. In addition, we set B as the subset of related rows, which is marked by corrupted attribute authorities in $A$, and we set B as the subset of rows marked by good attribute authorities in $A$.
Three exponents $a_x, b_x, c_x \in Z_N$ are chosen randomly. At first, we set the original ciphertext as follows: For each $x$, if $A_x \in B$, the semifunctional ciphertext will be computed as follows:

For each $x$, if $A_x \in B$, the semifunctional ciphertext will be computed as follows:

Semifunctional Key.
There are two kinds of semifunctional keys, namely, type-1 and type-2. We set $H(u) = h^{1/(u+c_i)}$ as the value in the subgroup $G_{p_1}$ of $G$ and select an exponent $c \in Z_N$ at random. The type-1 semifunctional key is calculated as follows: The type-2 semifunctional key is calculated as follows: Here, $K_1' = g_1^{\alpha_j} h^{\beta_j/(u+c_i)}$ is the normal key. When we apply a type-1 semifunctional key to decrypt a semifunctional ciphertext, the extra part $e(g_2, g_2)^{c\delta_x}$ will prevent the ciphertext from being directly decrypted unless $\delta_x = 0$. Similarly, when we apply a type-2 semifunctional key to decrypt a semifunctional ciphertext, the extra part $e(g_3, g_3)^{c\sigma_x}$ will prevent the ciphertext from being directly decrypted unless $\sigma_x = 0$.

Attack Games.
The games we used in this paper are defined as follows:
$Game_{real}$: this game is a real game, where the ciphertext and user secret key are normal.
$Game_0$: compared with $Game_{real}$, the challenge ciphertext is semifunctional.
$Game_{j,1}$: compared with $Game_0$, the first $j - 1$ keys obtained are type-2 semifunctional keys, while the $j$-th key is the type-1 semifunctional key, and other keys are normal keys. In addition, the challenge ciphertext is the semifunctional ciphertext. If $q$ is the number of times that the adversary A queries for the key, the range of $j$ will be 1 to $q$.
$Game_{j,2}$: compared with $Game_0$, the first $j$ keys obtained are type-2 semifunctional keys, while other keys are normal. Moreover, the challenge ciphertext is the semifunctional ciphertext, and all keys in $Game_{q,2}$ are type-2 semifunctional keys.
$Game_{final}$: in this game, all keys are type-2 semifunctional keys, and the ciphertext is a semifunctional ciphertext of a random message. We can get that the adversary A has no advantage in winning the game.

Lemma 1. If there is a polynomial-time algorithm A that can distinguish $Game_{real}$ and $Game_0$ at the nonnegligible advantage $\varepsilon$, another polynomial-time algorithm B will be constructed to break Assumption 1 with the advantage $\varepsilon$.
(1) User $u$ has his/her global ID $u = H(GID)$.

Proof
GlobalSetup: challenger C runs the GlobalSetup algorithm. Simulator B receives the global parameter $gp = (e, g_1, h, p_1, p_2, p_3, G, G_T, H, H')$ from the challenger C and simulates $Game_{real}$ or $Game_0$ between the adversary A and B. A specifies a set of corrupted attribute authorities $AA' \subseteq AA$, where $AA$ represents the set of all attribute authorities in the system. Then, A develops an access structure $\mathbb{A} = (A, \rho)$ that he/she needs to challenge.
AuthoritySetup: B executes the AuthoritySetup algorithm. For the corrupted attribute authorities, B sends their public and private keys to A, and for good attribute authorities, B only sends its public key to A.
Key Query Phase 1: when A queries the key of $(a_j, GID)$, B runs the KeyGen algorithm to generate the related keys. B selects a random shared number $s \in Z_N$ and sets A provides B with the random parameters $g_1^{\alpha_j}, g_1^{\beta_j}$ for the attribute $a_j$ contained in the access structure $(A, \rho)$, which belongs to the corrupted attribute authorities. Here, B represents a subset of the relevant rows of attributes with good attribute authorities in $A$, while B represents a subset of the relevant rows with corrupted attribute authorities in $A$. For each $A_x$ in B, B randomly selects $r_x \in Z_N$ and relatively selects $r_x' \in Z_N$ for each $A_x$ in B, where $r_x = r r_x'$. We set the $G_{p_1}$ part of $T$ as $g_1^r$, the $G_{p_2}$ part as $g_2^c$, and the $G_{p_3}$ part as $g_3^d$, where $r, c, d \in Z_N$ are selected randomly.
For $A_x \in B$, the ciphertexts are computed as follows: For $A_x \in B$, the ciphertexts are computed as follows: A ciphertext is generated in two cases: $A_x \in B$ and $A_x \in B$. If $T \in G_{p_1}$, it will be a normal ciphertext. When $T \in G$, it is a semifunctional ciphertext. Because $T \in G_{p_1}$ and $T \in G$ are indistinguishable, the games $Game_{real}$ and $Game_0$ cannot be distinguished. The proof is shown as follows:
(1) When $T \in G_{p_1}$, the $G_{p_1}$ part of $T$ is $g^r$, because the first random value of the vector $\varphi$ is 0, we make the ciphertext $C_{3,x}$ a normal ciphertext. For each $A_x \in B$, $C_{2,x}$ and $C_{3,x}$ are normal ciphertexts, because of $T^{r_x'} = g$ and $r_x = r r_x'$. Finally, we can get that when $T \in G_{p_1}$, all ciphertexts are normal. When $T \in G$, we can know that $T = g_1^r g_2^c g_3^d$. If in the ciphertext $C_{3,x}$. In the semifunctional ciphertext, $\delta_x = (A_x \cdot c\varphi) \bmod p_2$ and $\sigma_x = (A_x \cdot d\varphi) \bmod p_3$, so $C_{3,x}$ can be seen as a semifunctional ciphertext. According to the remainder theorem, if $A_x \in B$, $a \bmod p_1$, $a \bmod p_2$, and $a \bmod p_3$ will be uncorrelated for a random value $a$. We can set exponents and $t_{\rho(x)}$ of $g_2$ and $g_3$ are all distributed randomly, $C_{2,x}$ and $C_{3,x}$ are semifunctional ciphertexts.
(2) In a semifunctional ciphertext, we can get $\delta_x = A_x u_2$ and $\sigma_x = A_x u_3$, where $u_2$ and $u_3$ are random vectors. In this game, the first element of $\varphi$ is 0, and adversary A cannot distinguish whether the value is random or not.
When $A_x \in B$, according to the monotone span program [36], we can know that $\varphi = (0, \varphi_2, \dots, \varphi_m)$ and $\varphi' = (\varphi_1, \varphi_2, \dots, \varphi_m)$ can generate the same secret-sharing value, which means adversary A cannot figure out whether the first element is 0 or another $\varphi_1$. When If $a_x \bmod p_2 \neq 0$, the exponent $\delta_x$ of $g_2$ will be represented by $z_{\rho(x)}$. So, the secret-sharing value can be hidden, and the shared value $\delta_x$ is appropriately distributed from the perspective of adversary A. The exponent $\sigma_x$ of $g_3$ is still appropriately distributed for the same reason. Therefore, when $T \in G_{p_1}$, ciphertexts are normal and simulator B can simulate $Game_{real}$. When $T \in G$, ciphertexts are semifunctional and simulator B can simulate $Game_0$. B can use A to break Assumption 1 with advantage $\varepsilon$.

Lemma 2. If there is a polynomial-time algorithm A that can distinguish $\mathrm{Game}_{j-1,2}$ and $\mathrm{Game}_{j,1}$ with nonnegligible advantage $\varepsilon$, then another polynomial-time algorithm B can be constructed to break Assumption 2 with advantage $\varepsilon$.

Proof.
The proof of Lemma 2 is similar to that of Lemma 1, but challenger C needs to send the public parameter $(g_1, g_3, X_1 X_2, T)$ to simulator B.
GlobalSetup and AuthoritySetup: the same as in Lemma 1. According to the difference of $T$, A and B will simulate $\mathrm{Game}_{j-1,2}$ and $\mathrm{Game}_{j,1}$. For each attribute $a_i$ belonging to a good attribute authority $AA_h$, B generates its random parameters $\alpha_i, \beta_i \in Z_N$ and sends the public key to A.
Key Query Phase 1: assume that $GID_k$ indicates the identity of the $k$-th user queried by adversary A, which means A performs a key query $(a_i, GID_k)$. Then, B needs to perform the following feedback:
Challenge: A submits two messages $M_0$ and $M_1$ of the same length to B. B randomly chooses a bit $b \in \{0, 1\}$ and sends the confidential message $M_b$ under the access structure A to A. B selects a random shared number $s \in Z_N$ and sets $C_0 = M e(g_1, g_1)^s$; B selects three random where $A_x$ is the $x$-th row in the matrix A. The definitions of B and B are the same as in the proof of Lemma 1.
If $A_x \in B$, B randomly selects $r_x \in Z_N$ for each $A_x$ in B. Then, ciphertexts can be computed as follows: If $A_x \in B$, B randomly selects $r_x, \varphi_x, \varphi_x' \in Z_N$ for each $A_x$ in B, where $r_x = r r_x'$, $\omega_x = r \omega_x'$, then ciphertexts are as follows: (1) The proof method of the first aspect is the same as Lemma 1.
If , so we can set the exponents $\delta_x = (A_x \cdot c\varphi) \bmod p_2$ and $\sigma_x = (A_x \cdot u) \bmod p_3$ of $g_2$ and $g_3$, so $C_{3,x}$ is semifunctional.
(2) The proof method of the second aspect is also the same as in Lemma 1.
In dual-system encryption, both the simulator B and the adversary A are required to be unable to determine whether the key is a semifunctional key. Even though the secret-sharing value of $\delta_x$ is hidden from A, the secret-sharing value needs to be set to 0. By setting the secret-sharing value of $\delta_x$ to 0, the ciphertext generated by B is a nominal semifunctional ciphertext. In this way, if B wants to test whether the $j$-th key is a semifunctional key or a normal key, it will generate challenge ciphertexts that this key can decrypt. However, the ciphertexts are all nominal semifunctional ciphertexts, and users can successfully decrypt them. In other words, B cannot tell whether the $j$-th key is a semifunctional key of type-1 or a normal key.
Therefore, when $T \in G_{p_1}$, the keys are normal and simulator B can simulate $\mathrm{Game}_{j-1,2}$. When $T \in G_{p_1 p_2}$, keys are semifunctional keys of type-1 and simulator B can simulate $\mathrm{Game}_{j,1}$. B can use A to break Assumption 2 with advantage $\varepsilon$.
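The two secret-sharing facts used in the proofs of Lemmas 1 and 2, worked numerically as an added example (not code from the paper): for rows that do not satisfy the policy, a sharing vector with first element 0 and one with a nonzero first element give identical shares, while an authorized set reconstructs 0 from a vector whose first element is 0, which is the nominal semifunctional case. The prime 1009, the policy matrix, and all function names are constructed for illustration, and the second vector is built by adding a multiple of a vector orthogonal to the held rows, an assumption of this example.

```python
P2 = 1009  # constructed small prime standing in for the subgroup order p_2

# Constructed LSSS matrix for the policy a1 AND (a2 OR a3).
# Rows a1 + a2 (or a1 + a3) sum to the target vector (1, 0).
A = {"a1": (1, 1), "a2": (0, P2 - 1), "a3": (0, P2 - 1)}

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % P2

def share(phi, attrs):
    """delta_x = A_x . phi mod p_2 for each held row x."""
    return {x: dot(A[x], phi) for x in attrs}

def reconstruct(shares, omega):
    """sum_x omega_x * delta_x mod p_2, where sum_x omega_x * A_x = (1, 0)."""
    return sum(omega[x] * shares[x] for x in omega) % P2

def hiding_vector(attrs):
    """Return w = (1, w2) orthogonal to every held row, or None if none exists."""
    for w2 in range(P2):
        if all(dot(A[x], (1, w2)) == 0 for x in attrs):
            return (1, w2)
    return None

def shift(phi, w, t):
    """phi + t*w mod p_2: changes the first element of phi by t."""
    return tuple((f + t * c) % P2 for f, c in zip(phi, w))

if __name__ == "__main__":
    phi0 = (0, 123)                     # first element 0, as in the proofs
    w = hiding_vector(["a1"])           # {a1} alone does not satisfy the policy
    phi1 = shift(phi0, w, 77)           # first element is now 77
    print(share(phi0, ["a1"]), share(phi1, ["a1"]))  # identical shares
    omega = {"a1": 1, "a2": 1}          # reconstruction coefficients for {a1, a2}
    print(reconstruct(share(phi0, omega), omega))    # nominal case
    print(reconstruct(share(phi1, omega), omega))    # recovers the first element
    print(hiding_vector(["a1", "a2"]))  # authorized set: no hiding vector
```

A holder of only `a1` sees the same share under both vectors, so the first element stays hidden; a holder of `a1` and `a2` recovers it exactly, which is why the simulator must set it to 0 for the semifunctional component to cancel in decryption.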

Lemma 3 and Its Proof
Lemma 3. If there is a polynomial-time algorithm A that can distinguish $\mathrm{Game}_{j,1}$ and $\mathrm{Game}_{j,2}$ with nonnegligible advantage $\varepsilon$, another polynomial-time algorithm B can be constructed to break Assumption 3 with advantage $\varepsilon$.
6.6.1. Proof
The proof of Lemma 3 is similar to that of Lemma 3, but challenger C needs to send the public parameter GlobalSetup and AuthoritySetup: the same as in Lemma 2. According to the difference of $T$, A and B will simulate $\mathrm{Game}_{j,1}$ and $\mathrm{Game}_{j,2}$. For each attribute $a_i$ belonging to a good attribute authority $AA_h$, B generates its random parameters $\alpha_i, \beta_i \in Z_N$ and sends the public key to A.
Key Query Phase 1: assume that $GID_k$ indicates the identity of the $k$-th user queried by adversary A, which means A performs a key query $(a_i, GID_k)$. Then, B needs to perform the following feedback: B randomly generates two vectors φ = (0, φ 2 , We define $C_{2,x}$ as follows: where $r_x = -acA_x v_1 + r_x'$, $a_x = \varphi_x$ and $b_x = -dA_x v_1$ are the exponents of $g_1$, $g_2$, and $g_3$. B randomly chooses $\eta_x \in Z_N$. Then, $C_{3,x}$ can be computed as follows: where $\eta_x$ and $c_{\rho(x)}'$ are uncorrelated under mod $p_2$ and mod $p_3$. So, we can get that δ Therefore, ciphertexts are semifunctional.
If $A_x \in B$, B will randomly choose $r_x \in Z_N$, and ciphertexts can be computed as follows: Because $\eta_x \bmod p_2$ and $\eta_x \bmod p_3$ are uncorrelated, these ciphertexts are normal.
If $s = abc$, ciphertexts will be semifunctional ciphertexts, which are properly distributed. If $T = e(g_1, g_1)^{abc}$ is the semifunctional encryption of the message $M_b$, the game B will simulate $\mathrm{Game}_{q,2}$. In addition, if $T$ is random, B will simulate $\mathrm{Game}_{\mathrm{final}}$. Therefore, B can use A to break Assumption 4 with advantage $\varepsilon$.
So, in the final attack game of Lemma 4, when the challenger C encrypts a random message, the adversary's attack advantage is negligible. As a result, according to the defined Assumptions 1-4, we can prove that real attack games and the above attack games are indistinguishable.
Thus, this proves that the adversary's advantage in winning the real attack game is negligible.

Security of the Anonymous Key Generation Protocol
The security proof of the anonymous key generation protocol is divided into two parts, namely, leak-freeness and selective-failure blindness, which are used for legitimate and malicious attribute authorities.

Leak-freeness.
We assume that a malicious user U interacts with a legitimate attribute authority $AA_i$ and runs this anonymous key generation protocol in a real security game. In an ideal security game, there is a simulator S that can execute the KeyGen algorithm with a trusted party. Nevertheless, there is no distinguisher D that can distinguish an ideal game from a real one. The interaction between U and D can be simulated by the simulator S, and S can perform the following steps.
(1) S sends the public keys of $AA_i$ to U.
(2) U sends $(P, Q)$ to S, then uses a zero-knowledge proof to prove that he/she does own $(u, \rho)$.
(3) S sends the element $u$ to the trusted attribute authority $AA_i$, then $AA_i$ generates the user attribute secret keys $K_1$ and $K_2$ for S.
Then, S returns $K_1'$ and $K_2'$ to U.
If $K_1$ and $K_2$ are correct keys generated from a trusted attribute authority $AA_i$ in the ideal game, $K_1'$ and $K_2'$ will be considered to be the right keys of $AA_i$ in the real game. Hence, D cannot distinguish whether the game is real or ideal.

Selective-Failure Blindness.
We assume that a malicious attribute authority $AA_i$ generates its public key $PK_i$ and two global user identifiers $u_0$ and $u_1$. $AA_i$ produces a random bit $b \in \{0, 1\}$ and then accesses two oracles in a black-box manner, namely, $O(gp, u_b, A_{u_b}, PK_i)$ and $O(gp, u_{1-b}, A_{u_{1-b}}, PK_i)$, which are adopted to play the role of legitimate users. O and $AA_i$ execute the anonymous key generation protocol, and then O can get two kinds of keys, $SK_{u_b}$ and $SK_{u_{1-b}}$. If there are errors during the execution of the anonymous key generation protocol, the returned key is considered meaningless and $SK_u = \perp$ is returned. If In the anonymous key generation protocol, O provides $(P, Q)$ to $AA_i$ and computes PoK $(u_b, \rho)$: P = g Then, $AA_i$ performs two oracles, which are regarded as computationally indistinguishable. Otherwise, the indistinguishability of the zero-knowledge proof and the hidden policy of the commitment scheme will be broken. If $AA_i$ can use any of the calculation strategies to output the key of the first oracle $(K_1', K_2', K_1'', K_2'')$, it will predict the key $SK_{u_b}$ without interacting with the two oracles.
(1) $AA_i$ verifies PoK $(\alpha_j, \beta_j, \eta)$: If the proof is faulty, $AA_i$ will output $SK_{u_b} = \perp$.
(2) $AA_i$ generates a pair of different keys $(K_1, K_2)$ for the second oracle and verifies PoK $(\alpha_j, \beta_j, \eta)$: If the proof is faulty, $AA_i$ will output $SK_{u_{1-b}} = \perp$.
(3) If the verification fails, that is, if $SK_{u_b} = \perp$ and $SK_{u_{1-b}} \neq \perp$, $AA_i$ will output $(\perp, SK_{u_{1-b}})$. If $SK_{u_b} \neq \perp$ and $SK_{u_{1-b}} = \perp$, $AA_i$ will output $(SK_{u_b}, \perp)$, and if $SK_{u_b} = \perp$ and $SK_{u_{1-b}} = \perp$, $AA_i$ will output $(\perp, \perp)$.
(4) If the verification is successful, $AA_i$ will execute the anonymous key generation protocol by itself using the inputs When $AA_i$ is verified like a trusted O, the two predictions will have the same distribution. So, $AA_i$ can predict the output of the two predictions and has the same advantages in distinguishing $O(gp, u_b, A_{u_b}, PK_i)$ and $O(gp, u_{1-b}, A_{u_{1-b}}, PK_i)$ as the same final output. Therefore, the advantage of $AA_i$ in distinguishing two predictions comes from the received $(K_1', K_2', K_1'', K_2'')$ and authentication PoK $(\alpha_j, \beta_j, \eta)$: K 1 ′ = P α j h β j /η ∧ K 2 ′ = Q 1/η . However, because of the witness indistinguishability of zero-knowledge proof and the strategic hiddenness of the commitment mechanism, we can infer that the advantage of $AA_i$ in distinguishing between the two predictions is negligible.

Performance Analysis
In this section, we compare our scheme with the schemes of Qin et al. [22], Liang et al. [37], and Malluhi et al. [38] in terms of properties and efficiency, to reflect the feasibility and practicality of our work. In Table 1, we can find comparisons of scheme properties, such as attribute revocable, policy hiding, user identity hiding, and anonymous key generation, which reflect the comprehensiveness of our scheme among the compared schemes. Considering the actual application scenarios, more comprehensive features are of greater significance for protecting system data security and user privacy.

8.2. Theoretical Analysis. We compare our scheme with other schemes for blockchain-based access control in terms of attribute authority (AA) secret key size, user secret key size, ciphertext size, and decryption overhead. We define $N$ as the total number of attributes, $K$ as the number of attribute authorities, and A as the access structure. $|Z_p^*| = 60$ bytes, $|G| = 124$ bytes, and $|G_T| = 124$ bytes are the lengths of the groups $Z_p^*$, $G$, and $G_T$ in the pairing group. $|A_u|$ and $|AA_i|$ are the numbers of attributes of user $u$ and authority $i$. $P$ is the cost of performing a bilinear operation. $E$ is the cost of performing an exponential operation. It is worth noting that there is no concept of attribute authority in [38], but a special key user can realize the function of generating secret keys for other users in the whole system. When comparing the schemes in this paper, we considered the special key users as attribute authorities. In Table 2, the size of the attribute authority secret key of our work is smaller than in the other works. For the size of the user secret key, our work is the same as [37] and [38]. When $2K$ is smaller than $|A_u|$, it will also be smaller than [22]. In terms of ciphertext, our work is slightly higher than [22,38]. Because the exponential operation cost is much higher than the bilinear operation cost in the pairing group, our work is the most efficient when decrypting. In conclusion, our work has advantages in storage, communication, and computing.

Experiment Analysis.
We use a 64-bit Windows 10 laptop with an eight-core 2.40 GHz Intel Core(TM) i5-1135G7 processor and 16 GB memory for experiments. Moreover, we implemented the above scheme in Java by using IntelliJ IDEA 2019.3. The JPBC (Java Pairing-Based Cryptography) Library [39] and a Type-A1 curve $y^2 = x^3 + x$ with 160 bits are respectively used to deal with the pairing computations and provide test parameters.
In order to compare the actual running time cost of the Encryption and Decryption phase under different access control structures, we designed two kinds of experiments. In Experiment 1, the number of total attributes increases while the number of access attributes is fixed. It simulates the impact on the running cost of data owners and data users when attribute authorities continuously add new attributes. In Experiment 2, the number of access attributes increases while the number of total attributes is fixed. It simulates the impact on the running cost of data owners and data users when the data owner changes the access structure. In each experiment, we simulate five attribute authorities that manage the same number of different attributes. An access structure specifies that each data user needs a given number of attributes to decrypt the ciphertext properly. We repeated each group of experiments 5 times and computed the average running time of the encryption and decryption phase. Note that each message consists of 124 random integers in these experiments. The running time is shown in Table 3. It should be noted that, according to the actual model of each scheme, we used all attribute keys to encrypt the ciphertext in the process of encryption and stored the access structure in the ciphertext. Moreover, we simulated a legal user only with access attributes to decrypt the ciphertext. Therefore, the encryption algorithm generally needs more attributes, which makes the running time cost of the encryption algorithm much higher.
For a more intuitive comparison, the comparison charts of the encryption, decryption, and total running time are shown in Figures 4 and 5. For the running time cost in encryption, our scheme is more efficient than the schemes in [22,38] but slightly higher than [37]. Meanwhile, the running time cost of our work has obvious advantages compared with other schemes in the decryption phase. Our scheme has obvious advantages compared with the schemes in [22,38] for the total running time comparison. It shows that our scheme is more suitable for application in the supply chain information sharing system where many data users need to access user data frequently.

Qin et al. [22] × × ✓ ×
Liang et al. [37] × ✓ ✓ ✓
Malluhi et al. [38] ✓ ✓ ✓ ×

Table 2: Scheme performance comparison.

Conclusion and Future Works
This paper aims to provide an effective access control scheme for a blockchain-based supply chain information sharing system to protect data privacy. Therefore, we propose a new privacy-preserving multiauthority attribute-based access control scheme. Our scheme ensures the confidentiality of blockchain data and provides fine-grained access control for data sharing. Taking into account the actual needs of the system, the scheme also supports user attribute key updates and ciphertext updates to cope with the dynamic change of user attribute authority. Furthermore, the scheme adopts LSSS as the access structure, which improves computational efficiency. In addition, the scheme is proven to be fully secure under the assumption of dual-system encryption. Finally, we prove that our work is feasible and effective through analysis and experimental comparison.
In order to test the safety and efficiency of our plan, we are working on implementing our scheme under a real blockchain-based supply chain information sharing system. In addition, our future research focuses on antiquantum attacks and lightweight encryption algorithms.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that they have no conflicts of interest.