A Blockchain and Attribute-Based Encryption Scheme for Hazardous Materials Circulation Data Sharing

With the increase in globalization and the complexity of supply chains, the circulation and management of hazardous chemicals face increasingly severe challenges. The improper use or accidental leakage of hazardous chemicals can lead to serious personal injury, environmental damage, and property loss. Therefore, ensuring effective regulation and safe management of hazardous chemicals has become crucial. However, current methods of hazardous chemical circulation data sharing and management have many problems. Traditional centralized data management systems may be prone to data tampering, information asymmetry, and security vulnerabilities. In addition, the lack of efficient data interchange and collaboration mechanisms between different institutions leads to information silos and process bottlenecks. Thus, establishing a secure, transparent, and efficient data sharing scheme for hazardous chemical circulation is imperative.

In recent years, blockchain technology has developed rapidly and is widely applied in the field of data sharing due to its decentralization, traceability [1], and secure and trustworthy information. Ge et al. [2] combined the medical system with blockchain and proposed a blockchain-based medical data secure access model to address the privacy and security issues that may be encountered in centralized storage. Franciscon et al. [3] discussed the feasibility of introducing blockchain into government organization management and data sharing from the perspectives of blockchain consensus and control. Wang et al. [4] use smart contracts and homomorphic encryption technology to protect users' privacy. Xu et al. [5] protect transaction privacy with zero-knowledge proof method. Wu and Du [6] introduced data desensitization technology and proposed a blockchain-based electronic medical record security sharing model. Cao et al. [7] established a blockchain-based steel traceability system to achieve real-time tracking and recording of product quality and other information. Zhuang et al. [8] combined blockchain with secret sharing schemes to propose an IP privacy protection and traceable identity management scheme. As a new encryption technology, attribute encryption provides technical support for data security access control and privacy protection with its high security and fine-grained access capabilities.

Blockchain avoids many problems existing in traditional centralized sharing due to its immutable nature, providing a secure and reliable environment for cross-departmental data sharing. At the same time, blockchain is somewhat limited in handling sensitive business and privacy data due to its public and transparent characteristics. In 2005, the concept of ABE was proposed by Sahai and Waters [9], which is mainly divided into Key Policy Attribute-Based Encryption (KP-ABE) and Ciphertext Policy Attribute-Based Encryption (CP-ABE) according to the different binding positions of ciphertext, key expression form, and access policy. KP-ABE [10], where the access policy is hidden in the key, is suitable for applications in systems such as video-on-demand and pay television, while CP-ABE, where the access policy is hidden in the ciphertext, is widely used in data security sharing schemes [11]. In CP-ABE, the encryption time of plaintext is linearly proportional to the number of attributes, thus it has a certain predictability. The Shamir secret sharing scheme is the basis of traditional CP-ABE algorithms. In 2007, Bethencourt et al. [12] provided the first construction of ABE based on ciphertext policy. In 2011, Waters [13] first proved the security of CP-ABE in the standard model. In 2016, Cui et al. [14] proposed a CP-ABE scheme to implement partially hidden access structures under prime-order groups, In 2018, Belguith et al. [15] proposed a revocable outsourcing CP-ABE scheme for the application scenarios of edge computing. In 2019, Xiong et al. [16] proposed a PHOABE scheme that alleviates the strong coupling between the computational cost of decryption and the complexity and number of attributes of the access policy.

In real application scenarios, shared data often contains multiple access structures with hierarchical relationships. Traditional CP-ABE does not consider the hierarchical relationship between attributes, requiring data owners to generate multiple ciphertexts to encrypt files, leading to a significant computational overhead. In 2013, Liu et al. [17] proposed Ciphertext Policy Weighted Attribute-Based Encryption (CP-WABE) to express attributes with hierarchical relationships. However, CP-WABE usually lacks flexibility in attribute comparison and is less efficient. In 2016, Wang et al. [18] proposed a scheme using weighted attributes to represent attribute levels, reducing the hierarchy and encryption overhead of the access tree. Since this scheme used a tree-like access structure, its efficiency was still low. Another issue to consider is that blockchain is immutable and undeletable. Once the CP-ABE access control policy specified by the data owner is stored on the blockchain, it cannot be updated by modifying the block content, leading to a lack of flexibility in data sharing.

In response to these problems, this paper proposes a blockchain and attribute-based dynamic layered access scheme for hazardous chemical circulation data sharing. By designing a layered CP-ABE algorithm with an LSSS matrix storage structure, multiple access control structures of hazardous chemical circulation data files are integrated into one LSSS matrix. When the attributes of a hazardous chemical transport company or regulatory department match part of the access control structure, they can decrypt the data associated with that part, while allowing the access control policy to be updated, enabling hazardous chemical-related institutions to flexibly modify the access control policy. This scheme only requires one encryption/decryption operation to complete what traditional schemes require multiple encryption/decryption operations to achieve.

Let $q$ be a large prime number, and let $G_1$ and $G_2$ be two groups of order q, with their operations defined as addition and multiplication, respectively. A bilinear mapping from $G_1$ and $G_2$ is defined as $e$: $G_1 \times G_1 \rightarrow G_2$, the bilinear pairings satisfy the following conditions [19]:

(1) Bilinearity: for $\forall u, v \in G_1, a, b \in Z_p, e\left(u^a, v^b\right)=e(u, v)^{a b}$.

(2) Non-degeneracy: for $\exists g \in G_1, e(g, g) \neq 1$.

(3) Computability: for $\forall u, v \in G_1$, there exists an efficient algorithm to compute $e(u, v)$.

Scholar Beimel [20] proposed the definition of LSSS in his paper: A secret sharing scheme $\Pi$ over a set of participants $P$ is described as linear over $Z_p$, if:

(1) The shares of the secret for each participant form a vector over $Z_p$.

(2) For the secret sharing scheme $\Pi$, there exists an $l \times n$ matrix $M$, where the $i$-th row is identified by a participant $\rho(i)$, and a function $\rho$ satisfies $\{1,2, \ldots, l\} \rightarrow e$. Given a column vector $v=\left(s, r_2, \ldots r_n\right)$ where $s \in Z_p$ is the secret to be shared and $\left(r_2, \ldots r_n\right) \in Z_p$ are randomly chosen. $M \vec{v}$ represents $m$ shares of the secret $s$, where $\lambda_i= M \vec{v}_i$ is the share belonging to participant $\rho(i)$.

Steps for using an LSSS matrix to implement hierarchical access control is as follows: Let $T$ be an access control tree with its Boolean formula as $(A AND (B AND (C OR D)))$. By applying the Lewko-Waters algorithm, it is converted into a matrix $M$. During encryption, a vector $\vec{v}=\left( {{s}_{1}},{{s}_{2}},{{s}_{3}} \right)$ is randomly chosen, where $s_1, s_2, s_3$ are the keys assigned to a non-leaf node in the tree $T$, calculating $\lambda=M \cdot \vec{v}$.

According to the LSSS, it's known that $s_j=\sum_{i \in I} \omega_{i, j} \lambda_i$, $I=i: \rho(i) \epsilon S$, wherein $\rho(i)$ maps the $i$-th row of the matrix to an attribute, denoting the user's attribute set. When $\lambda_A=\left(\begin{array}{c}\lambda_1 \\ \vdots \\ \lambda_i \\ \vdots \\ \dot{\lambda}_l\end{array}\right)_{i \in I}$, $s_j=\omega_j^T \lambda_A$. When $M_A=\left(\begin{array}{c}M_1 \\ \vdots \\ M_i \\ \vdots \\ M_l\end{array}\right)_{i \in I}$, $s_j=s_j^T=\lambda_A^T \omega_j=\left(M_A \cdot \vec{v}^T\right)^T \omega_j=\vec{v} \cdot\left(M_A^T \omega_j\right)$, let $M_A^T \omega_j=\varepsilon_j$. At this time, $s_j=\vec{v} \cdot \varepsilon_j, \varepsilon_j$ is a row vector with the $j$-th element as 1 and all other elements as 0. During decryption, if only attributes $B$ and $C$ are satisfied, meaning only a part of the access structure is met, then through $M_A^T \omega_j, \omega_2, \omega_3$ can be solved. Subsequently, by solving $s_j=\omega_j^T \lambda_A, s_2, s_3$ can be obtained. If all attributes are satisfied, meaning the entire access structure is met, then through the steps mentioned above, all shared keys can be acquired.

In traditional CP-ABE schemes, a user's attributes either satisfy the access control structure to decrypt the plaintext or do not satisfy the access control structure to decrypt the plaintext. In hierarchical access control, multiple access structures with hierarchical relationships can be integrated into a single access structure. As shown in Figure 1, the access structures of $m 1$ and $m 2$ clearly have a hierarchical relationship, thus they can be integrated into a single access structure. When a data accessor's attributes match part of the access structure, they can decrypt data related to that part (User 2). Only when the entire access structure is satisfied can all data be decrypted (User 1).

The system architecture, as shown in Figure 2, mainly includes the following four roles:

(1) Central Authorization Center: The central authorization agency can be appointed by a third party and is mainly responsible for generating system parameters, key management, and user attribute management.

(2) Hazardous Materials Related Institutions: Hazardous materials related institutions select n symmetric keys to encrypt data files containing hazardous materials information, generating an encrypted data file $D$. They encrypt their symmetric keys using an encryption algorithm to produce encrypted symmetric key ciphertext $CT$. Both the encrypted symmetric key ciphertext $CT$ and the encrypted data file $D$ are uploaded to the blockchain for storage. The encrypted symmetric key is divided into $C T_1$ and $C T_2$, with the ciphertext CT1 acting as a transaction block $TX$ and the ciphertext $C T_2$ acting as a policy block $A$.

(3) Blockchain: The encrypted data files and access policies are stored on the blockchain. Only data users who meet the access policy can obtain the encrypted data files from the blockchain. At the same time, the blockchain is used to prevent data tampering and allow flexible modification of access policies.

(4) Hazardous Materials Transport Companies or Regulatory Departments: Hazardous materials transport companies or regulatory departments submit their identity information and attribute sets to the central authorization agency, which then generates corresponding keys and returns them to the hazardous materials transport companies or regulatory departments. The blockchain first checks whether the attributes of the hazardous materials transport companies or regulatory departments match the partial or entire access control structure of these data files. If there is no match, the blockchain refuses the user request; otherwise, the blockchain sends the encrypted symmetric key ciphertext $CT$ and the encrypted data file $D$ to the user. Upon receiving the encrypted symmetric key ciphertext $CT$, the hazardous materials transport company or regulatory department uses the decryption algorithm to obtain the symmetric key, then uses this symmetric key to decrypt the data file containing hazardous materials information through the decryption algorithm, thereby gaining access to the hazardous materials circulation data.

The improved CP-ABE algorithm includes six types of algorithms: System Initialization, Private Key Generation, Encryption, Decryption, Ciphertext Policy Generation, and Ciphertext Policy Update. These algorithms cover scenarios where a data accessor can decrypt data associated with a part of the access control structure that matches their attributes, and when the entire access structure is satisfied, all data can be decrypted, allowing for the updating of access policies. Below are the details of these algorithms:

(1) $\operatorname{Setup}(k, U) \rightarrow(P K, M S K)$: The system initialization algorithm takes the system's attribute set and security parameters as input and generates the system master key and the system public key. Let $G_0$ and $G_1$ be two multiplicative cyclic groups of prime order $p$, with g being a generator of $G_0$, and define a bilinear mapping $e: G_0 \times G_0 \rightarrow G_1$. Randomly select elements $h_1, \ldots, h_u \in G_0$, which are associated with each attribute in U. Randomly select two elements $\alpha, \beta \in Z_p$. The system outputs the key pair $(PK,MSK)$.

$ \begin{gathered} P K=\left\{g, e(g, g)^\alpha, g^\beta, h_1, \ldots, h_u\right\} \\ M S K=g^\alpha \end{gathered} $

(2) $\operatorname{KeyGen}(P K, M S K, S) \rightarrow S K$: The private key generation algorithm outputs a private key related to the user's attributes by inputting the system public key, the system master private key, and the user's attribute set $S$.

Randomly select $t \in Z_p$, compute $K=g^\alpha g^{\beta t}, L=g^t, \forall x \in S: K_x=h_x^t$, the system outputs the user attribute private key $SK$ as follows:

$ S K=\left\{K, L, \forall x \in S: K_x\right\} $

(3) $\operatorname{Encrypt}\left(m_j, j \in(1, n), \sigma, P K,(M, \rho)\right) \rightarrow C T$: The encryption algorithm outputs ciphertext $CT$ by inputting a plaintext set $\left\{m_j, j \in(1, n)\right\}$, system public key $PK$, policy updater identity $\sigma$, and LSSS matrix structure $(M, \rho)$. During encryption, $M$ is an $l \times n$ access matrix, $M_i$ represents the $i$-th row of the matrix. The mapping function $\rho(i)$ assigns attributes to the rows of $M$.

Randomly select a vector $\vec{v}=\left(s_1, s_2, \ldots, s_n\right) \in Z_p^n$ to generate ciphertext information

$C T_1=\left\{C_j=m_j e(g, g)^{\alpha s_j \sigma}, C_j^{\prime}=g^{s_j \sigma}, j \in(1, n)\right\},$

compute $\lambda_i=\vec{v} M_i, i \in(1, l)$ to represent the share of $\rho(i)$, randomly generate $r_1, r_2, \ldots, r_l \in Z_p$, compute $C T_2=\left\{C_i=g^{\beta \lambda_i \sigma} h_{\rho(i)}^{-r_i}, D_i=g^{r_i}, i \in(1, l)\right\}$, and the final generated ciphertext $CT$ is:

$ C T=\left\{C T_1, C T_2\right\}=\left\{C_j, C_j^{\prime}, C_i, D_i, j \in(1, n), i \in(1, l)\right\} $

After encryption, the attribute encryption algorithm encrypts $s_1$ using a secure encryption algorithm to obtain encrypted information $Enc(s_1)$ for dynamic access policy updates.

(4) $\operatorname{Decrypt}(C T, S K) \rightarrow m_j$: The decryption algorithm outputs the plaintext set $m_j$ by inputting the ciphertext $CT$ and the user attribute private key $S$.

In the decryrption algorithm, $M_A$ is a matrix composed of a set of row vectors from $M$, corresponding to the attribute set $S$ associated with the user attribute private key $SK$. $\varepsilon_j$ is a row vector of length n where the $j$-th element is 1 and all other elements are 0. Let the index set be $I=\{i: \rho(i) \in \mathrm{S}\}$. For each $j \in(1, n)$, according to $M_A^T \omega_j=\varepsilon_j$, it’s known that $\sum_{i \in I} \omega_{i, j} M_i^T=\varepsilon_j$, if $\omega_{i, j}$ can be successfully retrieved, the decryption formula is:

$ \begin{gathered} \frac{e\left(C_j^{\prime}, k\right)}{\Pi_{i \in I, j}\left(e\left(C_i, L\right) e\left(D_i, k_{p(i)}\right)\right)^{\omega_{i, j}}} \\ =\frac{e\left(g^{s_j \sigma}, g^\alpha g^{\beta t}\right)}{\Pi_{i \in I, j}\left(e\left(g^{\beta \lambda_i \sigma}, g^t\right) e\left(g^{\beta \lambda_i \sigma}, h_{\rho(i)}^{-r_i}\right) e\left(g^{\left.r_i, h_{\rho(i)}^t\right)}\right)^{\omega_{i, j}}\right.} \\ =\frac{e(g, g)^{\alpha s_j \sigma} e(g, g)^{\beta s_j t \sigma}}{\Pi_{i \in I, j} e(g, g)^{t \beta \lambda_i \omega_{i, j}}}=e(g, g)^{\alpha s_j \sigma} \end{gathered} $

Finally, the plaintext set is $m_j=\frac{C_j}{e(g, g)^{\alpha s_j \sigma}}$, if $\omega_{i, j}$ can not be retrieved, the decryption fails.

(5) $\operatorname{UpdatePolicy}\left(\operatorname{Enc}\left(s_1\right), \sigma,\left(M^{\prime}, \rho^{\prime}\right)\right) \rightarrow C T_2^{\prime}$: The ciphertext policy update algorithm outputs new ciphertext $C T_2^{\prime}$ for the access policy by inputting encrypted information $\operatorname{Enc}\left(s_1\right)$, the policy updater's identity $\sigma$, and the new access policy $\left(M^{\prime}, \rho^{\prime}\right)$). $M^{\prime}$ is an $l^{\prime} \times n^{\prime}$ access matrix, and $M_i^{\prime}$ represents the $i$-th row of the matrix. Randomly select a vector $\vec{v}^{\prime}=\left(s_1^{\prime}, s_2^{\prime}, \ldots, s_n^{\prime}\right) \in Z_p^{n^{\prime}}$, and compute $\lambda_i^{\prime}=\vec{v}^{\prime} M_i^{\prime}, i \in\left(1, l^{\prime}\right)$. Randomly generate $r_1^{\prime}, r_2^{\prime}, \ldots, r_l^{\prime} \in Z_p$, compute $C_j^{\prime \prime}=g^{s_j^{\prime} \sigma}, C_i^{\prime}=g^{\beta \lambda_i^{\prime} \sigma} h_{\rho^{\prime}(i)}^{-r_i^{\prime}} D_i^{\prime}=g^{r_i^{\prime}}$.

Finally, generate new policy ciphertext information $C T_2^{\prime}$:

$ C T_2^{\prime}=\left\{C_j^{\prime \prime},\left(C_i^{\prime}, D_i^{\prime}\right)\right\} $

(6) $\operatorname{VerifyPolicy}\left(\sigma, C T_2^{\prime}\right) \rightarrow C T_2^{\prime \prime}$: The ciphertext policy verification algorithm inputs the policy updater's identity $\sigma$ and the new policy ciphertext $C T_2^{\prime}$. Blockchain consensus nodes first verify the policy updater's identity $\sigma$ and then determine whether $C_j^{\prime}$ and $C_j^{\prime \prime}$ are consistent. If consistent, the updated ciphertext is output $C T_2^{\prime \prime}=\left\{C_j, C_j^{\prime},\left(C_i^{\prime}, D_i^{\prime}\right)\right\}$.

The hazardous materials circulation data sharing scheme proposed in this paper consists of seven operations: System Initialization, Data File Encryption, Symmetric Key Encryption, User Authorization, Symmetric Key Decryption, Data File Decryption, and Dynamic Access Policy Update. The specific steps of the scheme are as follows:

(1) System Initialization: The central authorization agency specifies an attribute set $U$ and generates the system master key $MSK$ and system public key $PK$ through the system initialization algorithm.

(2) Data Encryption: Hazardous materials related institutions select $n$ symmetric keys $\left\{c k_1, \ldots, c k_n\right\}$ and encrypt their data files $\left\{d_1, \ldots, d_n\right\}$ using a symmetric encryption algorithm, resulting in encrypted data files $D=\left\{D_{c k_1}\left(f_1\right), \ldots, D_{c k_n}\left(f_n\right)\right\}$.

(3) Symmetric Key Encryption: Hazardous materials related institutions define access trees $\left\{T_1, \ldots, T_n\right\}$ for data files $\left\{d_1, \ldots, d_n\right\}$ containing hazardous materials information and integrate them into a single access tree $T$. They convert the access tree $T$ into a $LSSS$ matrix structure $(M, \rho)$ sing a labeling method. The symmetric keys $\left\{c k_1, \ldots, c k_n\right\}$ are encrypted using the encryption algorithm, producing encrypted symmetric key ciphertext $CT$. Both the encrypted symmetric key ciphertext $CT$ and the encrypted data file $EF$ are uploaded to the blockchain for storage. In the meantime, the encrypted symmetric key ciphertext $CT$ is divided into $C T_1$ and $C T_2$,with the ciphertext $C T_1$ acting as a transaction block and the ciphertext $C T_2$ acting as a policy block on the blockchain.

(4) User Authorization: For any hazardous materials transport company or regulatory department, the central authorization agency specifies a set of attributes $S$ and generates corresponding user attribute private key $SK$ using the private key generation algorithm.

(5) Symmetric Key Decryption: When a hazardous materials transport company or regulatory department wants to obtain data files with hazardous materials information from the blockchain, the blockchain first checks if the attributes of the hazardous materials transport company or regulatory department match the partial or entire access control structure of these data files. If there is no match, the blockchain refuses the user request; otherwise, the blockchain sends the encrypted symmetric key ciphertext $CT$ to the user. Upon receiving the encrypted symmetric key ciphertext $CT$, the hazardous materials transport company or regulatory department uses the decryption algorithm to obtain the symmetric key. They can decrypt the symmetric key associated with this part of the access tree when their attributes match part of the access tree. Only when their attributes match the entire access control structure can all symmetric keys be obtained.

(6) Data File Decryption: After obtaining $\left\{D_{c k_1}\left(d_1\right), \ldots, D_{c k_n}\left(d_n\right)\right\}$, the hazardous materials transport company or regulatory department uses $\left\{c k_1, \ldots, c k_n\right\}$ nd the decryption algorithm to decrypt the data file containing hazardous materials information, obtaining the data files $\left\{d_1, \ldots, d_n\right\}$.

(7) Dynamic Access Policy Update: Hazardous materials related institutions generate new policy ciphertext $C T_2^{\prime}$ by inputting the policy updater's identity $\sigma$ and the new access policy $\left(M^{\prime}, \rho^{\prime}\right)$ through the access policy update algorithm. They send their identity and the new policy ciphertext to the blockchain consensus nodes, which verify the policy updater's identity $\sigma$ and the new policy ciphertext $C T_2^{\prime}$ using the ciphertext policy verification algorithm. Once verified, a new policy ciphertext $C T_2^{\prime \prime}$' is generated and appended as a new policy block $A^{\prime}$ to the transaction block $TX$.

Theorem: If the decisional $q$-parallel BDHE assumption holds, then no polynomial-time adversary can break the improved CP-ABE scheme proposed in this paper by choosing a challenge access structure $\left(M^*, \rho^*\right)$.

Proof: If there exists a polynomial-time adversary $\mathcal{A}$ who can break our scheme with a non-negligible advantage $\varepsilon$, then there exists another adversary $\mathcal{B}$ who can solve the q-parallel BDHE assumption with the non-negligible advantage $\varepsilon$.

The setup of the challenger is as follows: Choose a bilinear group ${ }^G$ of prime order $p$(including a generator $g$), randomly select $\beta, s, b_1, \ldots, b_p \in Z_p$, and publicly disclose:

$ \vec{y}=\left\{\begin{array}{c} g, g^s, g^\beta, \ldots, g^{(\beta q)},, g^{(\beta q+2)}, \ldots, g^{(\beta 2 q)} \\ \forall_{1 \leq j \leq q} g^{s \cdot b_j}, g^{\left(\beta / b_j\right)}, \ldots, g^{\left(\beta^q / b_j\right)},, g^{\left(\beta^{q+2} / b_j\right)}, \ldots, g^{\left(\beta^{2 q} / b_j\right)} \\ \forall_{1 \leq j \leq q, k \leq q, k \neq j} g^{\beta s b_k / b_j}, \ldots, g^{\beta^q s b_k / b_j} \end{array}\right. $

Randomly select $\theta \in\{0,1\}$, if $\theta=0$, let $Z=e(g, g)^{\beta q+1_s}$, set $T=(y, Z)$. Before starting the game, the adversary $\mathcal{B}$ first gets the old $\left(M^*, \rho^*\right)$ and the new $\left(M^{* *}, \rho^{* *}\right)$ access policies that $\mathcal{A}$ wishes to challenge.

(1) Initialization: The adversary $\mathcal{B}$ randomly selects $\alpha=\alpha^{\prime}+\beta^{q+1}$, making the system public key $e(g, g)^\alpha=e(g, g)^{\alpha^{\prime}+\beta^{q+1}}=e\left(g^\beta, g\right)^{\beta^q} e(g, g)^{\alpha^{\prime}}$. For $h_1, \ldots, h_u$, each $x \in U$ selects a random parameter $z_x \in Z_p$, setting the index set $X=\left\{i: \rho^*(i)=x\right\}$, performing the following computation: if $x \in U$, then $h_x=g^{z_x} \prod_{i \in X} g^{\beta M_{i, 1}^* / b_i}, g^{\beta^2 M_{i, 2}^* / b_i} \ldots g^{\beta^n M_{i, n}^* / b_i}$; otherwise $h_x=g^{z_x}$.

(2) Phase 1: The adversary $\mathcal{A}$ submits an attribute set $S$ that does not satisfy the access policies $\left(M^{\prime}, \rho^{\prime}\right)$ and $\left(M^*, \rho^*\right)$.The adversary $\mathcal{B}$ generates the corresponding attribute private keys through the private key generation algorithm, as follows: Based on the linear reconstruction property, there exists a set of vectors $\omega=\left(\omega_1, \omega_2, \ldots, \omega_{n^*}\right) \in Z_p^{n^*}$ such that $\omega_1=-1$, for any $i: \rho^*(i) \in S, \omega \cdot M_i^*=0$, set $t=$ $k+\omega_1 \beta^q+\omega_2 \beta^{q-1}+\cdots+\omega_{n^*} \beta^{q-n^*+1}, k \in Z_p$, solve $L=g^t=g^k \prod_{i=1, \ldots, n^*}\left(g^{\beta^{q-n^*+1}}\right)^{\omega_i}$

Through the settings of $t$, include term $g^{\beta^{q+1}}$ when constructing $K$, during initialization, $\alpha=\alpha^{\prime}+$ $\beta^{q+1}$ can be eliminated through exponentiation operation. The adversary $\mathcal{B}$ calculates $K$ as follows:

$ K=g^\alpha g^{\beta t}=g^{\alpha^{\prime}+\beta^{q+1}} g^{\beta t}=g^{\alpha^{\prime}} g^{\beta k} \prod_{i=1, \ldots, n^*}\left(g^{\beta^{q+2-i}}\right)^{\omega_i} $

For $\forall x \in S$, compute $K_x$. When $x \in S$, there is no $i$ such that $\rho^*(i) \in S$, set $K_x=L^{Z_x}$, when $x \in$ $S$, there exists $i$ such that $\rho^*(i) \in S$, due to $\omega \cdot M_i^*=0$, eliminate the term $g^{\beta^{q+1}} / b_i$ contained in $K_x$ based on this property. Let $S_1=\{x: \rho(i) \in S \cap U\}$ be the set of elements of the user-submitted attribute set that satisfy the system attribute $U$, and $S_2=\{x: \rho(i) \in S, \rho(i) \notin U\}$ otherwise, the computation method is as follows:

$ \begin{gathered} K_x=h_x^t=L^{Z_x} \prod_{i \in X} \prod_{j=1, \ldots, n}\left(g^{\left(\beta^j / b_i\right) k} \prod_{\substack{m=1, \ldots, n^* \\ m \neq j}}\left(g^{\beta^{q+1+j-m}}\right)^{\omega_m}\right)^{M_{i j}^*}, x \in S_1 \\ K_x=h_x^t=g^{Z_x t}=L^{Z_x}, x \in S_2 \end{gathered} $

(3) Challenge: The adversary $\mathcal{A}$ sends two equal-length messages $m_0$ and $m_1$. The adversary $\mathcal{B}$ randomly chooses $c \in\{0,1\}$, computes the components of the ciphertext of $m_c$ using the old access policy, $C_j=m_c Z e(g, g)^{a s_j \sigma}$ and $C_j^{\prime}=g^{s_j \sigma}$, randomly select $y_2^{\prime}, y_3^{\prime}, \ldots, y_{n^*}^{\prime}$, and share the key through $v=s_1, s_2 \beta+y_2^{\prime}, s_3 \beta^2+y_3^{\prime}, \ldots, s_n \beta^{n-1}+y_{n^*}^{\prime} \in Z_p^{n^*}$, then select random numbers $r_1^{\prime}, r_2^{\prime}, \ldots, r_l^{\prime} \in Z_p$, for $i=1, \ldots, n^*$, define $Q_i$ as the set of all $p$ that makes $\rho^*(i)=\rho^*(p)$. The challenge ciphertext is:

$ \begin{gathered} C_i^*=h_{\rho^*(i)}^{r_i^{\prime}}\left(\prod_{j=2, \ldots, n^*}\left(g^{\beta \sigma}\right)^{M_{i, j}^* y_j^{\prime}}\right)\left(g^{b_i s}\right)^{-Z}{ }_{\rho^*(i)}\left(\prod_{p \in Q_i} \prod_{j=1, \ldots, n^*}\left(g^{\beta^j s\left(b_i / b_p\right)}\right)^{M_{p, j}^*}\right) \\ D_i^*=g^{-r_i^{\prime}} g^{-s b_i} \end{gathered} $

The adversary $\mathcal{B}$ performs following calculations according to the new access policy $\left(M^{* *}, \rho^{* *}\right)$ provided by $\mathcal{A}$ and each encrypted shared key. Randomly select $v=s_1^{\prime}, s_2^{\prime} \beta+y_2^{\prime}, s_3^{\prime} \beta^2+$ $y_3^{\prime}, \ldots, s_n^{\prime} \beta^{n-1}+y_{n^{* *}}^{\prime} \in Z_p^{n^*}$ and select random numbers $r_{1^*}^{\prime}, r_{2^*}^{\prime}, \ldots, r_{l^*}^{\prime} \in Z_p$, for $i=1, \ldots, n^{* *}$, define $Q_i$ as the set of all $p$ that makes $\rho^{* *}(i)=\rho^{* *}(p)$ when $p \neq i$. Then, the new challenge ciphertext is:

$ \begin{gathered} C_i^{* *}=h_{\rho^{* *}(i)}^{r_i^{\prime}}\left(\prod_{j=2, \ldots, n^{* *}}\left(g^{\beta \sigma}\right)^{M_{i, j}^{* *} y_j^{\prime}}\right)\left(g^{b_i s}\right)^{-Z_{\rho^{* *}(i)}} \cdot\left(\prod_{p \in Q_i} \prod_{j=1, \ldots, n^{* *}}\left(g^{\beta^j s\left(b_i / b_p\right)}\right)^{M_{p, j}^{* *}}\right) \\ D_i^{* *}=g^{-r_i^{\prime}} g^{-s b_i} \end{gathered} $

Adversary $\mathcal{B}$ sends the ciphertext $C T=\left\{C_j, C_j^{\prime}, C_i^{* *}, D_i^{* *}\right\}$ to $\mathcal{A}$.

(4) Phase 2: Similar to Phase 1.

(5) Guess: $\mathcal{A}$ outputs a guess $c^{\prime}$ for $c$. If $c^{\prime}=c$, then adversary $\mathcal{B}$ outputs $\theta=0$, indicating $T \epsilon P_{\mathrm{q}-\text { parallel BDHE }}$, at this time, the advantage of the adversary is $\operatorname{Pr}\left[c=c^{\prime} \mid \theta=0\right]=\frac{1}{2}+\varepsilon$; if $c^{\prime} \neq c$, then output $\theta=1$, indicating $T \epsilon P_{\mathrm{q}-\text { parallel BDHE }}$, at this time, the advantage of the adversary is $\operatorname{Pr}\left[c=c^{\prime} \mid \theta=0\right]=\frac{1}{2}$. Therefore, the advantage of $\mathcal{B}$ attacking the q-parallel BDHE assumption is

$ \frac{1}{2} \operatorname{Pr}\left[c=c^{\prime} \mid \theta=0\right]+\frac{1}{2} \operatorname{Pr}\left[c=c^{\prime} \mid \theta=1\right]-\frac{1}{2}=\frac{\varepsilon}{2} $

Thus, the advantage of any polynomial-time adversary in winning the IND-SAS-CPA game is negligible.

Proof complete.

This paper compares our scheme with the ones in the studies [8] and [10] from five aspects, as shown in Table 1. The schemes in literatures [8], [10], and our proposed scheme all support fine-grained access control and resistance to collusion attacks. Our scheme supports hierarchical access control and dynamic update of access policies, which are not supported by the schemes in literatures [8] and [10]. Table 2 compares the computational overheads of private key generation, encryption, and decryption between our scheme and those in literatures [8] and [10]. Table 3 evaluates the storage overhead based on the key length and ciphertext length during the encryption process.

The computations involved in the tables are as follows: $n$ denotes the number of attributes included in the user's private key, $s$ represents the number of attributes contained in the access structure, c represents the hierarchy of the access structure, E represents an exponentiation operation on group $G$, $P$ denotes a bilinear pair operation, $M$ represents a multiplication operation on $G$, $l$ indicates the length of group element $G_0$, and $l_1$ represents the length of elements in group $G_T$.

The experiments were conducted on a computer running the Windows operating system, with hardware configuration of AMD Ryzen 5 5600U with Radeon Graphics, 2.30GHz, and 16GB of RAM, using Python as the primary programming language to simulate the implementation of the CP-ABE algorithm and our proposed scheme.

Setting the number of attributes to vary from 10 to 50, the relationship between the number of attributes and the private key generation time is illustrated in the graphs below. As shown in Figure 3, with an increase in the number of attributes, our scheme shows a certain advantage in private key generation compared to the traditional CP-ABE scheme. As illustrated in Figure 4 and Figure 5, when the size of the encrypted/decrypted data file is set to 512B and the number of attributes gradually increases, our scheme outperforms the traditional CP-ABE scheme in terms of encryption/decryption time.

This paper proposes a hazardous materials circulation data sharing scheme based on blockchain and attribute encryption, featuring hierarchical data access control and dynamic updates. Through an integrated access structure, hazardous materials related institutions can encrypt multiple data files with hierarchical access relationships simultaneously. When the attributes of a hazardous materials transport company or regulatory department match part of the access control structure, they can obtain the data associated with that part through a single decryption. Additionally, by using blockchain to store access policies, dynamic updates to access policies after data sharing are enabled. Comparative analysis with other schemes through simulation experiments demonstrates that our scheme has lower computational and storage overhead. The model presented in this paper has a broad application prospect and can provide an effective solution for the application of blockchain and attribute encryption in the field of hazardous materials circulation data sharing.