A bilinear map e:G1×G1→G2 has the following properties:

(1) Bilinear: For any a,b∈Zq∗, there is e(aP,bP)=e(P,P)ab.

(2) Nonregressive: e(P,P)≠1.

(3) Validity: There is an effective algorithm to calculate e(aP,bP).

(q,G1,G2,e,P) satisfying the above conditions is usually called a bilinear group [14].

Computational Diffie Hellman (CDH) problem: Given a tuple (P,aP,bP)∈G13, where a,b∈Zq∗, calculate abP.

Definition 1 The CDH hypothesis is said to be valid if there is no polynomial-time algorithm that can solve the CDH issue with a nonnegligible probability [8].

Discrete Logarithms (DL) Problem: Given a tuple (P~,P~z)∈G2 and calculate z∈Zp∗.

Definition 2 The DL hypothesis is said to be true if there is no polynomial-time algorithm that can solve the DL problem with a nonnegligible probability [11].

The central objective of our security model is to comprehensively address the security challenges related to carbon emission quotas in the electricity trading market. Specifically, the proposed model strives to prevent various types of malicious attacks, such as data falsification, tampering, forgery, and replay attacks.

To overcome the limitations imposed by traditional cryptography’s reliance on fundamental certification requirements and avoid critical custody issues based on identity-based cryptography, a certificate-free signature scheme has been proposed as a feasible solution. The proposed certificate-free signature scheme is highly secure and efficient, aimed at ensuring the validity and non-repudiation of all transactions involved in carbon emission quota trading. In addition, blockchain technology has been deployed to achieve the immutability and traceability of all power carbon quota transactions. This scheme provides conditional identity privacy protection, enhances defense against replay attacks, and has high computational and communication performance.

In response to the security vulnerabilities of Wang et al.’s scheme, we propose the security model for our scheme and divide the adversaries of the certificate-free signing scheme into two categories: 𝒜1 and A₂.

𝒜1: These are adversaries who launch forged attacks against malicious users. They can select a target user with a pseudonym PID1∗, obtain their secret value x1∗ and public key PK1∗=(X1∗,R1∗), and attempt to obtain a legal signature for any message of the target user through a series of forged attacks, as described in detail in the following text.

A₂: These are adversaries who launch forged attacks against malicious KGCs. As malicious KGCs, they not only know the main secret key of KGC and partial private key d2∗ of users but also can modify system parameters. They can first select a target user for the attack, obtain their pseudonym PID2∗ and public key PK2∗=(X2∗,R2∗), and then attempt to forge a legal signature for any message of the target user through a series of forged attacks, as described in detail in the following text.

The certificateless signature of Wang et al.’s scheme consists of the six methods listed below:

(1) System establishment: Given a security parameter ζ, the KGC generates system parameters and master keys using the following procedures.

① Select bilinear groups (q,G1,G2,e,P) and Q∈G1.

② Select random number s,k∈Zq∗ as the master key and then calculate Ppub=sP.

③ Select three hash functions H1:G1→Zq∗, H2:{0,1}∗×G1→Zq∗, and H3:{0,1}∗×{0,1}∗×G1× G1×G1→Zq∗.

④ Expose the system parameter params={q,G1,G2,e,P,Ppub,Q,H1,H2,H3}.

(2) Pseudonym generation: The user whose real identity is IDi selects a random number ti∈Zq∗, calculates Ti=tiP, and secretly sends (IDi,Ti) to the KGC.

After receiving (IDi,Ti), the KGC verifies the correctness of IDi, computes PIDi=IDi ⊕H1(kP+Ti) using the master key k, and finally sends the user the pseudonym PIDi.

(3) Generation of partial private keys: The KGC generates partial private keys for users with the alias PIDi using the following methods:

① Select a random number ri∈Zq∗ and then calculate Ri=riP.

② Calculate ki=H2(PIDi,Ri).

③ Calculate partial private key di=ri+kismodq.

④ Send (di,Ri) to the user through the secure channel.

(4) Public/private key generation: After receiving (di,Ri) from KGC, the user using pseudonym PIDi chooses a random number xi∈Zq∗, computes Xi=xiP, and establishes public key PKi=(Xi,Ri) and private key SKi=(xi,di).

(5) Signature generation: For message mi, the user with pseudonym PIDi generates the signature of mi.

① Randomly select ui∈Zq∗, and calculate Ui=uiP and Vi=uiQ.

② Select a timestamp TSi and calculate hi=H3(mi∥TSi,PIDi,Ui,Vi,PKi).

③ Calculate Wi=(di+hixi)Q+Vi.

④ Output a signature σi=(Ui,Vi,Wi) of mi∥TSi.

(6) Signature verification: The verifier goes through the following motions to ensure that mi∥TSi’s signature on σi=(Ui,Vi,Wi) is legitimate.

① Check the freshness of TSi. If TSi is within the effective time, perform the following operation ②; otherwise, terminate the operation.

② Calculate ki=H2(PIDi,Ri) and hi=H3(mi∥TSi,PIDi,Ui,Vi,PKi).

③ Verify equation e(Wi,P)=e(Ri+kiPpub+hiXi+Ui,Q).

The verifier accepts the signature if the aforementioned equation is true; otherwise, σi is rejected.

The relevant process of the Wang et al.’s scheme is shown in Fig. 2.

Here are the specific steps for the two forgery attacks that Wang et al.’s scheme cannot resist.

(1) Forgery attack by malicious users: Let 𝒜1 be the first type of attacker targeting Wang et al.’s scheme. 𝒜1 selects a target user with pseudonym PID1∗ and obtains its secret value x1∗ and public key PK1∗=(X1∗,R1∗). Through the subsequent attack methods, 𝒜1 can falsify the target user’s actual signature on any message.

① Calculate k1∗=H2(PID1∗,R1∗).

② Select z1∗∈Zq∗ at random and compute U1∗=z1∗P−k1∗Ppub−R1∗ and V1∗=z1∗Q.

③ Select message m1∗ and timestamp TS1∗ at random and calculate h1∗=H3(m1∗∥TS1∗,PID1∗,U1∗,V1∗,PK1∗).

④ Calculate W1∗=(z1∗+h1∗x1∗)Q.

⑤ Output m1∗∥TS1∗ to forge signature σ1∗=(U1∗,V1∗,W1∗).

The following verifies the legitimacy of 𝒜1’s forged signature σ1∗:

e(W1∗,P)=e((z1∗+h1∗x1∗)Q,P)=e((z1∗+h1∗x1∗)P,Q)=e(z1∗P+h1∗(x1∗P),Q)=e((U1∗+k1∗Ppub+R1∗)+h1∗X1∗,Q)=e(R1∗+k1∗Ppub+h1∗X1∗+U1∗,Q)

The given reasoning demonstrates that σ1∗ satisfies Wang et al.’s signature verification equation. In the above attack, 𝒜1 does not know the master key of the KGC. Therefore, 𝒜1’s assault based on forgery is successful. Wang et al.’s scheme is not secure against the first type of forgery attacker 𝒜1.

(2) Forgery attack of malicious KGC: Let A₂ be the second type of attacker against Wang et al.’s scheme. A₂ selects a target user and obtains its pseudonym PID2∗ and public key PK2∗=(X2∗,R2∗). Because A₂ is a malicious KGC, it not only knows the KGC’s master key and part of the user’s private key d2∗ but can also modify system parameters. A₂ can fake the valid signature of the target user for any information via the following attack techniques:

① Select a random number z2∗∈Zq∗, calculate Q∗=z2∗P, and make parameter params= {q,G1,G2,e,P,Ppub,Q∗,H1,H2,H3} public.

② Select u2∗∈Zq∗ at random and calculate U2∗=u2∗P and V2∗=u2∗Q∗.

③ Select message m2∗ and timestamp TS2∗ at random and calculate h2∗=H3(m2∗∥TS2∗,PID2∗,U2∗,V2∗,PK2∗).

④ Calculate W2∗=d2∗Q∗+h2∗(z2∗X2∗)+V2∗.

⑤ Output m2∗∥TS2∗ to forge signature σ2∗=(U2∗,V2∗,W2∗).

The following verifies the legitimacy of the signature forged by A₂:

e(W2∗,P)=e(d2∗Q∗+h2∗(z2∗X2∗)+V2∗,P)=e(d2∗Q∗+h2∗z2∗(x2∗P)+V2∗,P)=e(d2∗Q∗+h2∗x2∗(z2∗P)+V2∗,P)=e(d2∗Q∗+h2∗x2∗Q∗+V2∗,P)=e((d2∗+h2∗x2∗)Q∗+V2∗,P)=e(R2∗+k2∗Ppub+h2∗X2∗+U2∗,Q∗)

The given reasoning demonstrates that σ2∗ satisfies Wang et al.’s signature verification equation. However, A₂ does not know the target user’s secret value x2∗ in the above attack. Therefore, A₂’s forgery attack is successful. Wang et al.’s scheme is also unsafe for the second type of forgery attacker A₂.

To address the security flaws of Wang et al.’s scheme, we provide an enhanced certificateless signing scheme below. The cyclic group of the elliptic curve is chosen to improve the communication performance of the updated scheme. The specific description is as follows:

(1) System establishment: The KGC performs the following actions to produce system parameters and master keys based on security parameter ζ:

① Select an elliptic curve cyclic group G of prime p and a generator P of G.

② Select a random number s,k∈Zp∗ as the master key and then calculate Ppub=sP.

③ Select four hash functions: H1:G1→Zq∗, H2:{0,1}∗×G1×G1→Zq∗, H3:{0,1}∗×{0,1}∗×G1×G1 →Zq∗, H4:Zq∗×G1→Zq∗.

④ Expose system parameter params={q,G1,G2,e,P,Ppub,H1,H2,H3,H4}.

(2) Kana generation: This algorithm is the same as Wang et al.’s scheme.

(3) Partial private key generation: This algorithm is the same as Wang et al.’s scheme, but the only difference is that the value of ki is ki=H2(PIDi,Ri,Ppub).

(4) Public/private key generation: This algorithm is the same as Wang et al.’s scheme.

(5) Signature generation: For message mi, the user with pseudonym PIDi generates mi’s signature.

① Randomly select ui∈Zp∗ and then calculate Ui=uiP.

② Select a timestamp TSi and calculate hi=H3(mi∥TSi,PIDi,Ui,PKi), li=H4(hi,Ppub).

③ Calculate wi=ui+hixi+lidimodp.

④ Output signature σi=(Ui,wi) of mi∥TSi.

(6) Signature verification: The verifier performs the following steps to check the validity of mi∥TSi’s signature σi=(Ui,wi).

① Check the freshness of TSi. If TSi is within the valid time, perform the following operation ②; otherwise, terminate the operation.

② Calculate ki=H2(PIDi,Ri,Ppub),

hi=H3(mi∥TSi,PIDi,Ui,PKi),

li=H4(hi,Ppub).

③ Verify equation wiP=Ui+hiXi+li(Ri+kiPpub).

If the above formula is true, the verifier accepts the signature; otherwise, it rejects σi.

The related process of the Improved certificateless signature scheme is shown in Fig. 3.

In the hash value hi=H3(mi∥TSi,PIDi,Ui,PKi), (Ui,PKi) is the input value of hi; in ki=H2 (PIDi,Ri,Ppub), (Ri,Ppub) is the input value of ki; and in li=H4(hi,Ppub), (hi,Ppub) is the input value of li. In addition, wi binds the hash function to the secret value and partial private key. Based on the unidirectional and anti-collision properties of the hash function, the attacker cannot forge valid signatures by modifying system parameters and replacing public keys. Consequently, the modified scheme is resistant to the two types of forgery attacks outlined in Section 3.2.

The carbon quota trading model proposed in this paper is shown in Fig. 4, including six participants: the environmental protection management department (EPMD), quota seller enterprise (QSE), blockchain network (BN), quota buyer enterprise (QBE), audit department (AD), and distributed storage hash table (DSHT).

(1) EPMD: Mainly responsible for system initialization, maintenance of the blockchain network, and distribution of some private keys and initial carbon quotas of power enterprises.

(2) QSE: Power enterprises with surplus carbon quotas sign the carbon quota to be sold and then publish it to the blockchain network for trading.

(3) BN: This network is mainly accountable for processing the storage and transaction requests of power carbon quota transactions and validating transaction legitimacy.

(4) QBE: Power enterprises with insufficient carbon quotas purchase carbon quotas through the blockchain network and pay transaction costs to the seller enterprises.

(5) AD: Mainly audits electric power enterprise carbon emission quotas and actual carbon emissions and assists the environmental protection management department in resolving transaction disputes.

(6) DSHT: Mainly stores relevant data on electric power enterprises and carbon quota transactions. Essentially, it is a distributed storage space that divides the data into several small pieces, gives them to different clients for storage, and then uses the storage address to read the data.

(1) System initialization: The environmental management department runs the system establishment algorithm of the improved certificateless signature scheme described in Section 3.3 and sets s,k∈Zp∗ as the master secret key and public parameter params={q,G1,G2,e,P,Ppub,H1,H2,H3,H4}.

(2) Enterprise registration: The power enterprise whose real identity is IDi selects a random number ti∈Zp∗, calculates Ti=tiP, and secretly sends (IDi,Ti) to the environmental protection management department.

After receiving (IDi,Ti), the environmental protection management department performs the following operations:

① Verify the identity information of IDi and then calculate the corresponding power enterprise pseudonym PIDi=IDi⊕H1(kP+Ti).

② Save (IDi,PIDi,Ti) in power enterprise information table LID.

③ Select a random number ri∈Zq∗ and then calculate Ri=riP.

④ Calculate ki=H2(PIDi,Ri,Ppub).

⑤ Calculate the partial private key di=ri+kismodq.

⑥ Allocate the initial carbon emission quota mi of power enterprises.

⑦ Send (PIDi,di,Ri,mi) to the enterprise through the secure channel.

⑧ Publish a correctly registered transaction TID={PIDi,mi,AddrIDi} of the power enterprise on the blockchain network, where AddrIDi is the address of the distributed storage hash table used for storage. Create the enterprise credit pool KC in the common storage area and save (PIDi,ci,mi) in KC. ci represents the enterprise credit degree, and the initial value is 0. If ci=0, the enterprise credit rating is good; if ci=1, the enterprise credit rating is poor.

After receiving (PIDi,di,Ri,mi) from the department of environmental protection management, the power enterprise chooses a random number xi∈Zq∗ and generates the private key SKi=(xi,di) and the public key PKi=(Xi=xiP,Ri).

(3) Quota sale: For the surplus electric power carbon emission quota mi,1, the power enterprise with the pseudonym PIDi performs the following sales operations.

① Execute the signature generation process outlined in Section 3.3 of the enhanced certificateless signature scheme and generate the signature σi=(Ui,wi) of mi,1∥TSi.

② Publish on the blockchain a transaction Ti={PIDi,PKi,mi,1,Addri,σi} for the sale of energy carbon quotas, where Addri is the address where (PIDi,PKi,mi,1,TSi,σi) is stored in the distributed storage hash table.

(4) Quota purchase: When the enterprise with the pseudonym PIDj purchases the electricity carbon quota mi,1, the purchase transaction Tj={PIDj,PKj,Addri,θj} is broadcast in the blockchain network, where PIDj and PKj are the pseudonym and public key of the buyer’s enterprise, and θj is the prepayment amount. The blockchain node takes (PIDi,PKi=(Xi,Ri),mi,1,TSi,σi) from address Addri of the distributed storage hash table and then performs the following operations.

① Check the freshness of TSi. If |TSi−TS0|>λ, terminate the operation; otherwise, perform step ②, where TS0 and λ represent the maximum values of the current timestamp and the effective time, respectively.

② Find the cred KC value of the buyer’s enterprise and the seller’s enterprise in the enterprise credit pool KC. If ci=1 or cj=1 indicates that the credit degree of the buying and selling enterprises does not match and the electricity carbon quota transaction is risky, terminate the operation.

③ Perform the signature verification procedure described in Section 3.3 of the improved certificateless signature scheme. If σi is a legal signature, perform step ④; otherwise, terminate the operation.

④ If θj is less than the market selling price of mi,1, terminate the operation; otherwise, transfer to the quota seller according to θj to pay the purchase cost of the electricity carbon quota.

⑤ Send (PIDi,PKi,mi,1,TSi,σi) to the buyer’s enterprise.

⑥ In enterprise credit pool KC, modify the actual carbon quota of the seller’s enterprise to mi−mi,1 and the actual carbon quota of the buyer’s enterprise to mj+mi,1.

⑦ The enterprises of both parties shall go through the relevant carbon quota transfer filing formalities in the environmental protection management department and terminate the carbon quota transaction.

(5) Dispute arbitration: If there is a dispute regarding the electric carbon emission quota mi,1 sold by the seller’s enterprise, the audit department shall investigate the power enterprise’s actual carbon emissions and carbon quota. If there is any violation in the power enterprise, the audit department will set the credit value of the power enterprise to 1 in the enterprise credit pool KC and submit it to the environmental protection management department for corresponding punishment. The specific interaction between QSE, QBE, EPMD and blockchain is shown in Fig. 5.

Based on the methods in [10,14], Theorem 1 and Theorem 2 prove that our proposed scheme can resist signature forgery attacks from malicious users and malicious KGCs.

Theorem 1 If the DL hypothesis is true, our scheme is unfakable for the first type of attacker.

Proof: If the first type of attacker C forges a valid signature of our scheme, then the DL problem can be solved by constructing an Algorithm C as the challenger. Given an instance of a DL problem (P,aP), C aims to calculate a∈Zp∗.

(1) System initialization: C sets Ppub=aP and then runs the system establishment algorithm to send the generated parameter paramsto𝒜1.

(2) Query: C creates 5 blank initialized tables {L1,L2,L3,L4,Lu} in response to 𝒜1′s request. Let PID∗ indicate the pseudonym of the target user.

① H1 query. When 𝒜1 queries H1(kP+Ti), if (kP+Ti,hti) exists in L1, C sends hit to 𝒜1; Otherwise, select hit∈Zp∗, store (kP+Ti,hti) in L1 and return hit to 𝒜1.

② H2 query. When 𝒜1 queries H2(PIDi,Ri,Ppub), if (PIDi,Ri,Ppub,ki) exists in L2, C sends ki to 𝒜1; Otherwise, select ki∈Zp∗, store (PIDi,Ri,Ppub,ki) in L2 and return ki to 𝒜1.

③ H3 query. When 𝒜1 queries H3(mi∥TSi,PIDi,Ui,PKi), if (mi∥TSi,PIDi,Ui,PKi,hi) exists in L3, C sends hi to 𝒜1; Otherwise, select hi∈Zp∗, return hi to 𝒜1 and store (mi∥TSi,PIDi,Ui,PKi,hi) in L3.

④ H4 query. When 𝒜1 queries H4(hi,Ppub), if (hi,Ppub,li) exists in L4, C sends li to 𝒜1; Otherwise, select li∈Zp∗, store (hi,Ppub,li) in L4 and return li to 𝒜1.

⑤ Public key query: When 𝒜1 queries PIDiʼs public key, if (PIDi,di,Ri,xi,Xi) exists in Lu, C sends (Xi,Ri) to 𝒜1; Otherwise, C performs the following operations:

• If PIDi≠PID∗, C randomly select xi,di,ki∈Zp∗, calculate Xi=xiP and Ri=diP−kiPpub, and there are (PIDi,di,Ri,xi,Xi) and (PIDi,Ri,Ppub,ki) respectively in Lu and L2, send (Xi,Ri) to 𝒜1.

• If PIDi=PID∗, C randomly select x∗,r∗∈Zp∗, calculate X∗=x∗P and R∗=r∗P. If (PID∗,⊥,R∗,x∗,X∗) exists in Lu, send (X∗,R∗) to 𝒜1.

⑥ Secret value query: When 𝒜1 queries the secret value of PIDi, C looks up (PIDi,di,Ri,xi,Xi) in Lu and returns xi to 𝒜1.

⑦ Partial private key query: When 𝒜1 queries PIDi’s partial private key, C looks up (PIDi,di,Ri,xi,Xi) in Lu and returns di to 𝒜1.

⑧ Public key replacement query: When 𝒜1 submits (PIDi,Xi′,Ri′), C replaces PIDi’s public key in Lu and sets Xi=Xi′ and Ri=Ri′.

⑨ Signature query: When 𝒜1 queries (mi∥TSi,PIDi)’s signature, C randomly selects wi,hi,li ∈Zp∗, looks up ki in L2, calculates Ui=wiP−hiXi−li(Ri+kiPpub) and returns (Ui,wi) to 𝒜1.

(3) Forgery: After a finite number of the above queries, 𝒜1 outputs the signature σ∗=(U∗,w∗) of m∗∥TS∗ under PID∗ and public key (X∗,R∗). According to forking lemma [17], C obtains another valid signature σ~=(U∗,w~) by using different output values k~ of the same random values U∗ and H2. Because w∗P=U∗+h∗X∗+l∗(R∗+k∗(aP)), w~P=U∗+h∗X∗+l∗(R∗+k~(aP)).

Therefore, w∗P−w~P=l∗k∗aP−l∗k~aP, so we can calculate a=(w∗−w~)(k∗−k~)−1(l∗)−1modp.

Nevertheless, the DL problem is difficult to solve in polynomial time, indicating that 𝒜1’s proposed attack is not feasible. Therefore, our scheme can resist signature forging attacks from malicious users.

Theorem 2 If the LD hypothesis is valid, our scheme is unforgeable for the second type of attacker.

The proving procedure for Theorem 2 is comparable to that of Theorem 1. Because the second sort of attacker has access to the KGC’s master key, partial private key queries and public key replacement queries are no longer conducted.

(1) Anonymity: The real identity IDi of the power enterprise and the master key k of the environmental protection management department generate the pseudonym PIDi=IDi ⊕H1(kP+Ti) of the power enterprise. If the attacker cannot know k and Ti, he cannot calculate IDi from PIDi. The master key k is kept secret by the environmental protection management department, but deriving ti from Ti=tiP is equivalent to solving the DL problem. Therefore, our scheme satisfies the anonymity of power enterprise identity.

(2) Traceability: When there is a dispute in an enterprise-issued energy carbon quota transaction, the environmental protection management department looks up (IDi,PIDi,Ti) in the information table LID of the power enterprise through PIDi in the transaction and calculates IDi′=PIDi⊕H1(kP+Ti). If IDi′=IDi, the environmental protection management department can determine the real identity IDi of the power enterprise participating in the transaction. Therefore, our scheme satisfies the traceability of power enterprise identity.

(3) Integrity, authenticity, and nonrepudiation: The power carbon quota transaction issued by the enterprise of the seller must be appended with signature σi=(Ui,wi), and the transaction information Ti must be maintained in the blockchain. Theorems 1 and 2 demonstrate that adversaries cannot fabricate valid signatures of our scheme, and blockchain ensures the traceability and tamper-proofness of transaction data. Consequently, our scheme satisfies the integrity, authenticity, and nonrepudiation requirements of electrical carbon quota trading and is capable of withstanding attacks such as forgery, impersonation, and tampering.

(4) Resist replay attack: When the buyer’s enterprise purchases the electricity carbon quota, it checks the freshness of the transaction through timestamp TSi. Since TSi is the input value of hash values hi and li, if the attacker attempts to modify TSi, the signature cannot be verified. Therefore, our scheme can resist replay attacks.

Tables 1 and 2 exhibit the performance and function comparisons between our scheme and published schemes [10,11,14]. Reference [18] evaluated the operation time of cryptographic operations, where TM=1.9456 ms, TH=2.3366 ms, and TP=15.0738 ms. To achieve the same level of security in schemes based on the bilinear group and elliptic curve group, 512-bit prime numbers q and 160-bit prime numbers p are selected, respectively. Table 1 only considers the operations with high computational overhead. TM, TH, and TP are used to represent a dot product operation, hash operation mapped to point and bilinear pair operation, respectively; |p|, |G| and |G1| represent the length of an element in Zp, G, and G1, respectively. Our scheme is based on a cyclic group of an elliptic curve. and the signature verification phase does not involve time-consuming bilinear pair operations.

As seen in Tables 1 and 2, Figs. 6, and 7, compared with other schemes [10,11,14], our scheme has the minimum time cost in generating and verifying signatures and the shortest signature length. Our scheme introduces the use of blockchain technology to eliminate intermediaries and improve the efficiency, transparency, and traceability of carbon quota trading in the electricity industry.

The experimental environment for building the blockchain is Intel(R) Xeon(R) Gold 6133 2.50 GHz with Ubuntu Server 22.04 LTS 64-bit operating system, and the underlying platform for the blockchain is Hyperledger Fabric. The experiment simulated the generation of 1,000 to 5,000 user data entries, and tested the time it takes to upload the user data to the blockchain and the time it takes to retrieve the data from the blockchain. The specific test results are shown in Figs. 8 and 9.

The test results show that as the amount of user data increases, the upload time slightly increases and the efficiency decreases slightly, but this decrease is within an acceptable range compared to the significant increase in data volume. When retrieving user data, the blockchain needs to run a consensus algorithm to disclose data to the nodes, and the degree of impact on time varies depending on the consensus algorithm used, so the retrieval time is slightly lower than the upload time.