A Privacy-Preserving Blockchain Supervision Framework in the Multiparty Setting

Data supervision is an e ﬀ ective method to ensure the legality of user data on blockchain. However, the massive growth of data makes it di ﬃ cult to achieve data supervision in existing blockchain applications. Also, data supervision often leads to problems such as disclosure of transaction data and user privacy information. To address these issues, this paper proposes a privacy-preserving blockchain supervision system (BSS) in the multiparty setting, where a supervision chain is introduced to realize data supervision on blockchain. All sensitive information such as user information in the supervising data is encrypted by the attribute-based encryption (ABE) technology, so that both privacy protection and access control on user data can be achieved. Theoretical analysis and comparison show that the proposed BSS scheme is e ﬃ cient, and experimental analysis indicates the practicality of our BSS scheme.


Introduction
Blockchain is featured with the characteristics of decentralization, autonomy, and immutability [1]. As the key technology in the construction of trust systems, it is envisioned as an effective technology to address security issues faced in finance, property rights, smart cities, government affairs, supply chain, and other fields [2]. With the rapid development and wide application of blockchain, due to its open and transparent characteristics, more and more transaction data, user information, network node address, and other information face the risk of privacy leakage [3]. Unlike the traditional centralized architecture, blockchain does not rely on a central node; thus, it can effectively avoid the single point of failure. However, in order to reach consensus by all blockchain nodes, the data has to be disclosed to all of them, which also brings the risk of privacy leakage.
The lack of centralized entities makes it difficult for relevant government regulators to supervise the blockchain. Lack of regulation will seriously restrict the healthy and sustainable development of the entire blockchain industry. However, there remain some problems in the existing supervision methods on blockchain [4]. Due to the autonomous and decentralized features of blockchain, it is difficult to guarantee the legality of data on blockchain; that is, the data on blockchain cannot be well supervised. Moreover, supervision may bring the issue of privacy protection [5,6]. Due to the significant difference between the blockchain technology and traditional system architecture, many traditional privacy protection methods are not applicable to blockchain. Therefore, it is necessary to design an effective supervision mechanism with privacy protection on user data in blockchain.
The multilayer structure has been used to achieve supervision on blockchain. Yang et al. [7] realized the monitoring of user behavior and the verification of blocks by employing the multilayer structure. The block verification is executed by the system supervisor, which improves the performance and security of the system. Li et al. [8] designed a twolayer adaptive blockchain-based supervision framework (TABS) to address the supervision issues in off-site modular housing production, where the first layer contains the adaptive private sidechains of participants, and the second layer is the main blockchain for communication and transactions. TABS can effectively prevent the main blockchain from tampering with records, and it can also prompt users to quickly publish their transaction records without revealing their privacy. Note that a single supervisor is easily corrupted by an adversary, which can cause irreparable losses. The problem of single point of failure can be effectively avoided by setting multisupervision in the supervision process. Yang et al. [7] and Li et al. [8] put forward their schemes in the agricultural machinery scheduling and off-site modular housing production scenarios, respectively. However, there was no universal blockchain supervision framework for the application scenarios that need to be regulated. In addition, there is no blockchain supervision framework that allows multiple parties to participate in a multilayer blockchain structure.
1.1. Our Contributions. To address the above mentioned issues, this paper proposes a multiparty blockchain supervision system (BSS) framework. In BSS, a dual-chain architecture is introduced, which contains two types of blockchains, namely, business chain (BC) and supervision chain (SC). SC consists of the regulatory authorities and supervisors, which provides the supervision service for the data on BC. By deploying transaction information and supervision information separately, the scalability of the BSS can be improved.
ABE is employed to realize flexible access control on data; that is, the regulatory authority can set access control policies, so that different supervisors have different permissions. Regulatory authority can encrypt data for multiple supervisors at the same time and build communication channels without obtaining each supervisor's public key in advance. This process can reduce the computing overhead caused by encrypting data for each recipient. Data information will go through two rounds of supervision by regulatory authorities and supervisors. Smart contract in BSS can realize verification and upload supervision information to the blockchain. Thus, BSS supports the management and control on data in BC and also protects the data privacy, which offers trade-off between supervision and privacy protection. Through security and theoretical analysis, it is shown that the proposed BSS framework is suitable for different ABE and application scenarios.
1.2. Related Works. Yong et al. [9] designed a blockchain supervision system to supervise the supply of vaccines through smart contracts and machine learning. Their scheme not only supports the query on individual vaccination records and tracking the vaccine operation records through the smart contract but also allows the regulatory agencies to manage expired vaccines. Meng et al. [10] proposed a security mechanism to build trust-based filtering. This mechanism processes and reduces malicious traffic by using traffic fusion and aggregation. Yin et al. [11] provided an approach using supervised machine learning to implement system supervision, where the gradient enhancement algorithm was used to predict the type of entity. A classifier was established to distinguish 12 categories by using 957 entities as sample data for authentication. The gradient boosting algorithm with default parameters was used to improve the accuracy of average cross validation. Ma et al. [12] proposed a traceable blockchain scheme, SkyEye, which enables the regulatory authority to track the identity of users. In [13], Ma et al. designed a blockchain traceable scheme with oversight function based on SkyEye, from a distributed multikey generation protocol and some other cryptographic primitives. Note that the supervisor must obtain the consent of committees when tracing some users. Meng et al. [14] proposed a blockchain-enabled single character frequency-based exclusive signature matching scheme to secure the security of smart IoT environment.
In terms of privacy protection, many information hiding mechanisms have been proposed for transaction contents, including Monero and Zrash. Monero is mainly based on the Cryptonote protocol, which uses one-time random address and ring signature to randomize the sender and other node information so as to realize the sender's anonymity. Encryption is used to realize the anonymity of the receiver; that is, only the receiver has the private key of the ciphertext. In Monero coin, the anonymity of the sender is determined by the size of the anonymous set. The stronger the anonymity is, the larger the anonymous set is, but the time complexity of encryption and decryption will also increase. Zrash [15] is a cryptocurrency embedded with noninteractive zero-knowledge proof, which divides the address into transparent address and hidden address. The hidden address is used to realize anonymity for users. Unlike Monero, Zrash can authenticate transactions without disclosing transaction data. However, users may not make transparent transactions due to the computational cost of zero-knowledge proof. Blockchain platforms such as Monax and Multichain [16] provide multichain solutions that enable privacy protection of transaction data through interchain isolation.
As a kind of computer protocol, smart contract [17] can realize automatic verification, programmable execution, irreversible, and other functions. The security and privacy of smart contract can be guaranteed by formal verification [18], decompilation [19], etc. Cheng et al. [20] introduced Ekiden, which combines blockchain with trusted hardware. The Ekiden system separates consensus and execution, which offers the high system performance and scalability. In the initialization phase, the smart contract is encrypted and stored on the blockchain after verification. The corresponding public key and private key should be provided when the smart contract is called and acquired. The privacy protection for smart contract is realized by storing encrypted contract.
ABE is developed on the basis of identity-based encryption (IBE) proposed by Boldyreva et al. [21]. Compared with the previous encryption methods, ABE realizes a one-tomany encryption mode, provides fine-grained access control 2 Wireless Communications and Mobile Computing on data, and also supports certain fault tolerance [22]. Goyal et al. [23] designed a key policy attribute-based encryption scheme, where the access policy and attribute set are embedded in the key and ciphertext, respectively. Bethencourt et al. [24] proposed a ciphertext policy attribute-based encryption scheme, where the access policy and user attributes are, respectively, embedded in ciphertext and key, which can be used in access control applications such as private data sharing [25].
1.3. Organization. The remainder of this paper is organized as follows. Section 2 describes the system model, dual-chain architecture, and security requirements. Section 3 introduces the preliminaries for the proposed BSS scheme. A description of our BSS scheme is presented in Section 4. In Section 5, the security and performance of our BSS scheme are evaluated and compared. Section 6 concludes the paper.

System Model and Requirements
2.1. System Model. As shown in Figure 1, a BSS system consists of five types of entities, namely, regulatory authority, supervisor, key generation center (KGC), business chain (BC), and supervision chain (SC).
(i) Regulatory Authority. For the data to be supervised, they can be judged by the regulatory authority according to some rules. The supervision results are encrypted by the regulatory authority and broadcasted to supervisors.
(ii) Supervisor. The supervisors with decryption permission are able to decrypt the information sent by the regulatory authority and supervise the related data.
(iii) KGC. The KGC is responsible for generating system public parameters and registering the attributes of supervisor.
(iv) BC. BC is mainly used to maintain the business data information.
(v) SC. SC mainly manages the supervision information. The supervision information processed by the regulatory authority and the supervisor is transmitted to SC.
The data to be supervised in the BSS system is first delivered to the regulatory authority. They are supervised according to the supervision rules by the regulatory authority and then encrypted by employing the hybrid encryption technology, where the access policy can be set during hybrid encryption. Only the supervisor satisfying the access policy has relevant authority to conduct supervision. The supervisors need to perform the second round of supervision on data. If the supervision results of two rounds are consistent, then the smart contract uploads the supervision information to SC.

Dual-Chain
Architecture. In order to realize data supervision, this paper introduces a dual-chain architecture composed of BC and SC and uses the ABE method to protect the privacy of user data. The dual-chain architecture is shown in Figure 2.
(i) SC. SC consists of the regulatory authority nodes (RAN) and the supervisor nodes (SUN). In real world applications, RAN can be the regulatory authority, while SUN may comprise legal departments. RAN is able to perform supervision and encryption on data. Data submitted to the RAN for supervision is reviewed in the first round to detect illegal information. SUN can complete the decryption and supervision on data, so that the supervisor can further supervise the relevant data after decryption. The supervision results in the two rounds of supervision can be confirmed and uploaded to SC through smart contract.
(ii) BC. Different types of data are stored on BC, which should have been delivered to SC for supervision before being written to BC. Also, when the data is retrieved from BC, it should be first delivered to SC for supervision. In addition, the data in BC may also be taken out for supervising whenever necessary.
2.3. Security Requirements. A secure BSS system in the multiparty setting has to satisfy the following requirements.
(i) Anticollusion Attack. Even when the keys of multiple supervisors are combined, these supervisors cannot obtain the valid ciphertext. Supervisors cannot obtain plaintext data that exceeds their regulatory capability.
(ii) Multiparty Supervision. Data on the BC can be supervised by multiple parties. It avoids the problem of excessive concentration of power under the supervision of an individual or separate agency and reduces the security risk caused by the breach of one party.
(iii) Privacy Protection. Sensitive data submitted to the SC should be encrypted to guarantee their privacy.
(iv) Access Control. The supervisors are not allowed to access data that is not authorized. Different supervisors have their own permission and have different decryption capabilities for the data sent from the regulatory authority.

Preliminaries
(ii) Nondegeneracy. There exists r, s ∈ G 1 such that where 1 G T is the identity of G T .
(iii) Computability. For r, s∈ R G 1 , there is an efficient algorithm to compute eðr, sÞ.

BSS Construction
Our BSS framework consists of five procedures, namely, system setup, registration, regulatory authority supervision, supervisor   Table 1, and the process of supervision is shown in Figure 3.

System
Setup. KGC selects a secure symmetric encryption scheme F = ðKeyGen, Enc, DecÞ and a ciphertext-policy attribute-based encryption scheme A = ðSetup, KeyGen, Enc, DecÞ. With input the security parameter d, KGC runs the algorithm A:SetupðdÞ to generate the public parameter PK and the master key MK. Then, KGC uploads the encryption scheme F and the public parameter PK to the blockchain, while MK is kept secret and not allowed to be accessed by other users.

4.2.
Registration. The supervisor submits its own attribute set U to KGC for registration. KGC first searches the database; if the supervisor has already registered, the registration request is rejected. Otherwise, the attribute set U is added to the local database of KGC. Then, KGC generates a registration record as follows: which contains the user's attribute set U, identity document of supervisor id S , KGC's signature N, and registration time t Reg . The registration record R is written to the blockchain. Then, KGC runs the A:KeyGen algorithm with the master key MK and user attribute U to generate the private key SK, which is sent to the corresponding supervisor to complete the registration process. The registration process is shown in Algorithm 1.

Regulatory Authority Supervision.
The data m to be supervised is first uploaded to RAN, so that the regulatory authority can perform supervision based on its own rules. The regulatory authority generates supervision record where m is the supervised data, I is the user information, t RA is the regulatory authority supervision time, and id RA is the identity document of regulatory authority. Also, J 1 ⟵ ðid m kid BC kVkλ RA Þ denotes the supervision result of the regulatory authority, where id m is the identity document of m, id BC is the identity document of BC, V is the rule that m violates, and λ RA is the judgment of regulatory authority.
The regulatory authority generates a symmetric key k ⟵ F:KeyGenðdÞ and calculates C 1 = A:Enc PK, k, T ð Þ , where PK and T are the public parameters and access structure in ABE, respectively. The RAN outputs the corresponding ciphertext hC 1 , C 2 i and broadcasts it to supervisors.

Supervisor Second-Round Supervision.
For the received ciphertext tuple hC 1 , C 2 i, the supervisor executes A:Dec ðC 1 , SK, PKÞ with its private key SK. If SK satisfies the access policy T in C 1 , then the supervisor is allowed to get the symmetric key k through decryption. Moreover, the supervisor runs the algorithm F:DecðC 2 , kÞ to get the corresponding plaintext tuple β RA , which contains data m on BC. The supervisor is then able to run a second round of supervision on data m and outputs the corresponding supervision record where t S is the supervisor supervision time. Here, J 2 ⟵ ðid m kid BC kVkλ S Þ is the supervision result of the supervisor, where λ S is the judgment of supervisor.

Data
Processing. The smart contract will compare the supervision results generated in two rounds of supervision by the regulatory authority and the supervisor, respectively. If they are consistent, then the smart contract generates the following supervision information and adds it to SC, which consists of data information β ⟵ ðβ RA kβ S Þ and data processing time t Pro . If the two supervision results are inconsistent, a new round of supervision should be performed by RAN. The procedure of data processing is shown in Algorithm 2.

Security Analysis
Theorem 1. If the symmetric encryption scheme F and ABE scheme A are secure, then the proposed BSS framework can resist collusion attacks.
Proof. In ABE schemes, SK is associated with a random polynomial qðxÞ or a random number r. Different random polynomial qðxÞ or random number r will be selected when generating private key SK for different users. The Lagrange interpolation method requires that only when all values come from the same polynomial, the value of the target point can be solved. Therefore, when the keys of multiple users are combined, different random numbers and random polynomials cannot be combined to obtain the corresponding plaintext information. Thus, the private keys of different users cannot be combined, which means the proposed BSS framework can resist collusion attacks of multiple users.☐☐ Theorem 2. The proposed BSS framework can support the multiparty supervision of data on BC.
Proof. In the proposed BSS framework, SC is used to implement review and supervision on data m, including the data uploaded to the BC, retrieved from the BC, and remain existed in the BC. Users are only allowed to upload and retrieve data that meets certain rules and conditions. Multiple parties are allowed to participate in the supervision process, where only the authorized supervisors are able to jointly supervise certain data. Only when the supervision results J 1 and J 2 are consistent, the supervision information L will be uploaded to SC, which can reduce the risk of privacy leakage caused by the concentration of power in the single supervision authority setting.☐☐ Theorem 3. If the symmetric encryption scheme F and ABE scheme A are secure, then the proposed BSS framework can provide privacy protection of data on BC.
Proof. In the proposed BSS framework, the user information I, timestamp t, and data on BC m are encrypted by the hybrid encryption technology. Data information can only be decrypted and viewed by the user who has the corresponding private key, which can reduce the risk of privacy leakage caused by supervision. In addition, SC in the proposed scheme is realized by the consortium chain, so that only the licensed users can join SC. Compared to the public chain, the management of the consortium chain can provide better protection for data privacy and the accountability after privacy leakage.☐☐  Proof. In the proposed BSS framework, the ABE scheme A is used to control the permissions. By embedding access policy T in the encryption process, the specific supervisor is assigned to decrypt and access the data. That is, when the attribute set U of the supervisor satisfies the access policy T, the supervisor has the permission to supervise data m; otherwise, it does not have the permission to decrypt the data. Thus, different supervisors have different supervision permissions for different data.☐☐ Table 2, the performance of our BSS framework is theoretical compared with existing supervision schemes. Yong et al.'s scheme [9] and Yin et al.'s scheme [11] mainly use the machine learning method to achieve supervision. Sun et al.'s scheme [26] introduces a multichain structure to complete supervision. Peng et al.'s scheme [27] achieves the supervising through a double-layer blockchain. In our BSS framework, the supervision of data in the blockchain is realized by designing a dual-chain architecture.

Theoretical Analysis. As shown in
In addition, the schemes [9,11,26,27] cannot control the permission of supervisors during the supervision process, whereas our BSS realizes the control on the supervisor's permission through the ABE technology. In terms of application scenarios, Yong et al.'s scheme [9] and Peng et al.'s scheme [27] are suitable to the supervision in the supply and production of vaccine, respectively, while Sun et al.'s supervision scheme [26] can be applied to the central bank digital currency. Our BSS framework is suitable for financial trade information supervision, industrial equipment maintenance information supervision, etc. In different application scenarios, regulatory authorities and supervisors use different rules to supervise different data. Our BSS framework is also suitable to other application scenarios that require multiparty supervision.  The machine is with an AMD Ryzen 5 4600H at 3.00 GHz and 16 GB in memory. FISCO BCOS 2.0 was adopted as the underlying framework of consortium blockchain. In the Setup phase, 256-bit AES-CBC was chosen as the symmetric encryption algorithm F, which is implemented by the Crypto library. For ABE scheme, both Bethencourt, Sahai and Waters scheme [24] and Agrawal and Chase's scheme [28] were employed to process the data on the same chain. A 224-bit asymmetric elliptic curve MNT224 was chosen to realize bilinear mapping.
The performance of our BSS framework is compared by two instantiations from two ABE schemes [24] and [28], respectively. The number of supervisor attributes is a key factor for the timing of registration phase. Figure 4 shows the effect of the registration time when the number of supervisor attributes changes from 10 to 50. It can be seen from Figure 4 that the time in the registration phase enjoys a linear relationship with the number of attributes of the supervisor. When the number of attributes is 10, both instantiations take roughly the same registration time. Although the registration time grows as the number of attributes increases, the overall time increase of Agrawal and Chase's scheme [28] is lower than that of Bethencourt, Sahai and Waters scheme [24].
In the phases of regulatory authority supervision and supervisor second-round supervision, different access policies would affect the efficiency of encryption and decryption of data by regulatory authority and supervisors. Figures 5  and 6, respectively, show the encryption and decryption time of schemes [24] and [28] under different policy sizes. It can be seen from Figure 5 that the increase of the strategy will lead to the increase of encryption time of the system. While the encryption time of Agrawal and Chase's scheme [28] is lower than that of Bethencourt, Sahai and Waters scheme [24]. As shown in Figure 6, in the decryption phase, with the increase of policy size, the decryption time of Agrawal and Chase's scheme [28] does not have significant changes, while the scheme of Bethencourt, Sahai and Waters [24] changes greatly.
In the data processing phase, the smart contract will compare the supervision results J 1 and J 2 generated by the regulatory authority and supervisor, respectively. Then, the smart contract uploads the supervision information L to the SC. The system will output the transaction information when the supervision information L is uploaded successfully. Part of the transaction information in the data processing phase is shown in Figure 7, which includes block hash, transaction hash, contract address, and other information. Here, the block hash is the hash value with regard to the current block, the transaction hash is the hash value generated at the end of supervision, and the contract address shows the address of the invoked contract.

Conclusion
This paper studied the problems of difficult supervision in BC, privacy leakage during supervision, and overconcentration of rights. To address these issues, a supervision system architecture BSS for data in BC is proposed. Through SC and the ABE technology, both data supervision and privacy protection can be realized. The supervisor is granted certain permission, and only the supervisor satisfying the relevant authority permission can supervise the data on BC. The proposed BSS framework also supports access control on supervisors and allows multiple supervisors to participate in supervision at the same time. The designed dual-chain architecture can effectively improve the scalability of the BSS system. Theoretical and experimental analysis shows that the BSS instantiations with different ABE schemes are suitable for real world applications.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that they have no conflicts of interest.