Blockchain is a type of distributed ledger technology (DLT) that operates as a decentralized, jointly maintained database where network participants contribute to and manage records. The blockchain system uses digital signatures and encryption algorithms to generate blocks containing data and relies on a consensus mechanism to ensure the majority approval of the participating nodes, making the data secure, safe, and unforgeable. Depending on node access permissions, blockchains are categorized as public, consortium, or private. Constrained by their architectural design, single blockchain systems cannot efficiently exchange data and value with other chains, leading to the so-called “data-island” effect. In order to solve this problem, cross-chain technology has emerged, providing a chain-to-chain communication protocol to enable secure, trustworthy, and efficient data and asset interaction across different chains.

CP-ABE, embeds an access policy directly into the ciphertext, allowing data owners to define flexible access control rules. Unlike traditional identity-based encryption, CP-ABE determines decryption eligibility by matching a user’s attribute set against the embedded policy, plaintext can only be successfully restored when the user attributes meet the policy. This scheme typically comprises four fundamental algorithms:

Setup(λ)→(PP,MK): A trusted authority defines the λ and generates the PP and MK.

Define G1, G2 and GT as multiplicative cyclic groups, they are all prime order p, g1∈G1,g2∈G2 are the generators. We define: e:G1×G2→GT, which satisfies the following properties:

Assume that an access structure Λ converts an l×n matrix M∈Zpl×n and a mapping function ρ:{1,2,…,l}→𝒫, where each row of the M is mapped to an attribute, ρ(i)∈𝒫. A random vector v→=(s,r2,…,rn)∈Zpn is chosen, s represents the value of the shared secret. The share of row i is computed as λi=Mi⋅v→,i∈{1,…,l}. During decryption, if the user’s attribute set S⊆𝒫 satisfies Λ, a set of reconstruction coefficients {ωi∈Zp}i∈I exists, making ∑i∈Iωi⋅Mi=(1,0,…,0) where I={i:ρ(i)∈S}. Thus, the user can recover the secret by computing ∑i∈Iωi⋅λi=s.

Define G1, G2, GT as multiplicative cyclic groups, they are all prime order P. g1∈G1, g2∈G2 be the generators. e:G1×G2→GT is bilinear mapping. Define X→=(g2s,g2as,…,g2aqs), a,s∈Zp, Y→=(g1,g1a,…,g1aq,g1aq+2,…,g1a2q). The challenge is to distinguish whether Z=e(g1,g2)αq+1s or Z←GT. The advantage of an adversary 𝒜 is given by: (1)Adv𝒜q−PBDHE=|Pr[𝒜(Y→,X→,Z)=1|Z=e(g1,g2)aq+1s]−Pr[𝒜(Y→,X→,Z)=1|Z←GT]|

If for all probabilistic polynomial-time (PPT) Adv𝒜q−BDHE≤ε and ε is negligible, then the q-PBDHE is said to hold in group (G1,G2,GT).

To enable dynamic access control for data sharing and regulatory auditing, we propose an integrated architecture that combines on-chain and off-chain collaboration with dynamic attribute-based encryption, as shown in Fig. 2. The architecture is composed of the Hyperledger Fabric business chain, the FISCO BCOS regulatory chain, IPFS, and an off-chain encryption module. These components provide secure data storage, flexible authorization, auditable record-keeping, and fine-grained access control. The system model involves six core participant categories:

Central Authority (CA): Initializes the system and generates global public parameters.

The algorithms of this system operate between different participants and collaborate to achieve key generation, data encryption and decryption, access control and audit operations. The notation used is listed in Table 1. The core algorithms are defined as follows:

Setup(λ)→(PP,MK): Executed by the CA, initializes with λ, outputs PP, MK.

Confidentiality: Unauthorized users, even if they possess partial attributes and key information, cannot recover the original plaintext from the ciphertext, thereby ensuring the confidentiality of the data.

To formally describe the confidentiality security of this scheme under the off-chain pre-decryption structure, we define a game-based security model to simulate the interaction between an attacker 𝒜 and a challenger 𝒞 under the selective indistinguishability under chosen-plaintext attack (sIND-CPA):

Initialization. 𝒜 commits to a target access policy Λ∗ to be challenged. The goal of A is to gather sufficient information via adaptive queries to obtain a non-negligible advantage in distinguishing which of two challenge ciphertexts is encrypted.

For any probabilistic polynomial time (PPT) 𝒜, if its advantage over the security parameter λ is a negligible function, then the scheme is considered secure under sIND-CPA.

To support fine-grained access control in a blockchain environment, this study designs a set of on-chain operable dynamic attribute management mechanisms that do not require the ciphertext re-encryption. Specifically, it includes three steps: attribute revocation, attribute granting, and on-chain audit records.

(12)CTmid=e(K1,C2)∏i=1le(g1c,C3[i])ωi=e(g1α/k⋅g1c,g2s)∏i=1le(g1c,g2λi)ωi=e(g1,g2)αs/k⋅e(g1,g2)cs∏i=1le(g1,g2)cλiωi=e(g1,g2)αs/k⋅e(g1,g2)cse(g1,g2)c∑i=1lλiωi=e(g1,g2)αs/k⋅e(g1,g2)cse(g1,g2)cs=e(g1,g2)αs/k

The user finally restores the symmetric key: (13)Ksym=C1CTmidk=Ksym⋅e(g1,g2)αs(e(g1,g2)αs/k)k

This section proves the confidentiality of the proposed scheme under the selective IND-CPA model defined in Section 4.4.

Theorem. If the q-PBDHE assumption in Section 3.5 holds for the group (G1,G2,GT) for any PPT adversary the advantage in the sIND-CPA game, Adv𝒜sIND–CPA(λ), is negligible in λ hence the scheme is secure in the sIND-CPA model.

Proof. We constructed a PPT simulator β that interacts with 𝒜 to solve the q-PBDHE problem. The group setting and notation are described in Section 3.5. Throughout the interaction, β perfectly simulates the 𝒞 in the game described in Section 4.4.

Initialization. 𝒜 first outputs a target access policy Λ∗, β receives a q-PBDHE instance. (14)(Y→,X→,Z)=(g1,g1a,…,g1a2q,g2s,g2as,…,g2aqs,Z)

Setup. β embeds the components of Y→ into public parameters and publishes PP to 𝒜, MK is implicitly kept for simulation. H:attr→G1 is programmed as a random oracle: on the first query for an attribute attr, pick tattr←Zp and set H(attr)=g1tattr∈G1.

Step 1: Attribute private key query. 𝒜 can adaptively request attribute private key queries for any attribute set S that does not satisfy Λ∗, let I={i:ρ(i)∈S}. By the LSSS property there exist zero-reconstruction coefficients {γi}i∈I⊆Zp, such that ∑i∈IγiMi=(0,η2,…,ηn) and define a polynomial PS(x) of degree at most 2q whose coefficient of xq+1 is zero. Then β can compute g1PS(a) using only {g1aj}j≠q+1, without knowing g1aq+1, return a secret key with the same distribution as in the real system: (15)K1=(g1PS(a))1/k⋅g1τ,K2[attr]=H(attr)τ

Challenge phase. 𝒜 submits two equal-length symmetric keys (Ksym0,Ksym1), β randomly selects b∈{0,1}, constructs the challenge ciphertext CT∗ as follows and returns 𝒜. (16)C1=Ksym⁢b⋅Z,C2=X→⁡[0]=g2s,C3⁡[i]=g2λi

Distribution claim. If Z=e(g1,g2)aq+1s, CT∗ is distributed identically to the real encryption Encrypt(PP,Λ∗,Ksymb). If Z←RGT, C1 is independent of the message and leaks no information about b.

Stage 2: Pre-decryption query. 𝒜 continues to query the attribute set S that does not satisfy Λ∗:

attribute private key queries, answered as in Phase 1.

Conclusion. If 𝒜 can distinguish challenge ciphertexts with a non-negligible advantage ε, then β would determine the q-PBDHE instance with an advantage of at least ε, contradicting the q-PBDHE assumption in Section 3.5. Therefore Adv𝒜sIND-CPA(λ) is negligible, and the scheme is secure under sIND-CPA.□

In this scheme, each user’s attribute private key is bound to a unified dynamic factor τ. When an attribute is revoked, a new dynamic factor τ′∈Zp∗ is generated for the user, and the new attribute private key is recomputed. If the user does not update the corresponding SK, the pairing check will fail to match the ciphertext, resulting in a decryption failure. Therefore, the system ensures that users with revoked attributes cannot successfully decrypt the ciphertext without updating their keys, thus satisfying the forward security requirement.

In this scheme, the user’s attribute private key components, K1=g1α⋅K⋅g1τ including the user’s local public key K and dynamic factor τ, are private parameters. Even if multiple users exchange the attribute keys they hold, the different dynamic factors for each user prevent the pairing check in the decryption process from correctly canceling out the exponent terms. As a result, even if multiple users hold the complete set of attributes, their private keys being non-homogeneous ensures that they cannot successfully decrypt the ciphertext. This satisfies the anti-collusion requirement.

To enhance the security and robustness of the proposed cross-chain architecture, we expand on the theoretical security model by incorporating practical threat models such as cross-chain replay attacks and man-in-the-middle (MITM) attacks.

In this chapter, we compare the proposed scheme with other similar schemes and analyze their performance in detail. As shown in Table 2, we evaluate various aspects such as the granularity of encryption, attribute granting, ciphertext re-encryption, free-key management, multi-authority attributes, blockchain structure, encryption for external/public requests, and anti-collusion.

We define NU as the number of attributes held by the user, NP as the number of rows of attributes in access policy, |G| as the size of elements in the source group, |GT| as the size of elements in the target group, EG is an exponential operation on |G|, EGT is an exponential operation on |GT|, P is a linear pairing operation, and H is a hash-to-group operation.

From the storage comparison results shown in Table 3, it can be seen that the proposed scheme reduces the storage overhead effectively, with fewer elements to store. The ciphertext size is only (NP+1)|G|+|GT|, and the attribute private key size is only (NU+1)|G|, which is significantly smaller than the other four schemes.

We focus on evaluating the computational overhead of the schemes involved in terms of key generation, encryption, and decryption processes in Table 4. In the key generation phase, the proposed scheme requires only (NU+2)EG exponentiation operations, resulting in lower computational overhead compared to other schemes. Regarding encryption costs, the encryption complexity of schemes [11,23] is relatively high, especially in scheme [14], which involves a large number of attribute-level pairing operations. In contrast, the proposed scheme only requires one bilinear pairing operation, significantly reducing encryption computational overhead. For decryption, the proposed scheme adopts a separated architecture with off-chain pre-decryption by regulatory nodes and final decryption by the user. The off-chain regulatory node needs to perform (NU+1)P+NUEGT computational operations, which is still much lower than the scheme [21]. The user’s side has a very low computational burden, requiring only one EGT operation, significantly lower than other schemes.

This section presents the experimental environment used to evaluate the proposed scheme. The experimental platform is built on an Intel Core (TM) i9-12900H processor, with 16 GB of RAM and a 512 GB SSD, running on Ubuntu operating system. The cryptographic environment utilizes the Charm-Crypto library, combined with GNU Multiple Precision Arithmetic (GMP) and Pairing-Based Cryptography (PBC), running in a Conda environment. Bilinear pairings are implemented using the SS512 elliptic curve over a 160-bit prime order, ensuring the security and efficiency of the cryptographic operations. The detailed configuration is as Table 5:

In addition to the cryptographic environment, the experiment also simulates a realistic cross-chain regulatory framework, with Hyperledger Fabric deployed as the business chain and FISCO BCOS as the regulatory chain. Specifically, the Fabric network consists of 4 orderer nodes and 2 peer nodes, while FISCO BCOS is deployed with 4 nodes, ensuring high availability and scalability of the network. The cross-chain routing and communication mechanism established through the WeCross platform guarantees secure and real-time data interaction between the two blockchain networks. The detailed configuration of the blockchain network is shown in the Table 6:

To validate the cross-chain transaction performance of our scheme, we conducted a comparative analysis of the cross-chain transaction latency with Dong et al. [31] their paper proposes a hierarchical attribute-based encryption algorithm (MSC-CP-ABE) based on the main-sidechain architecture, where the sidechain stores the addresses and keys of encrypted data, while the mainchain is responsible for storing the data indices of the sidechain. Cross-chain data transmission is achieved through the P-TL smart contract, ensuring data interaction between the mainchain and sidechain. In our experiment, we used the JMeter performance testing tool to evaluate the maximum latency, minimum latency, and average latency of cross-chain transactions under different transaction volumes (ranging from 50 to 250 transactions), as shown in the Fig. 3. The experimental results demonstrate that under high concurrency, our scheme maintains relatively low latency, showing a performance advantage, especially under higher transaction volumes, where the latency increases at a slower rate, indicating good scalability.

In the cryptographic scheme comparison, to enhance the consistency and reliability of the experiment, all ciphertexts uniformly adopt the ‘AND’ access strategy, and each attribute-scale scenario is repeated 30 times, with the average value calculated. Since other schemes do not involve pre-decryption algorithms, this experiment selects only Scheme [14] and Scheme [21] for comparison. It is important to note that the experimental data for the comparison schemes are based on Java Pairing-Based Cryptography (JPBC) 2.0.0, while this paper uses Charm-Crypto with GMP/PBC. However, both use Type-A and SS512 parameter sets, which are symmetric supersingular pairings (Embedding degree k = 2, subgroup order 160-bit), with consistent security strength (80-bit), making their comparison valid in terms of algorithm complexity and growth trend with attribute size.

Fig. 4a,b shows the comparative results of different schemes in terms of key generation and encryption overheads with respect to the number of attributes. As the number of attributes increases, the overheads of the proposed scheme in both encryption and key generation are significantly lower than those of the compared schemes. Especially in the encryption phase, it remains almost at a very low level, due to the scheme requiring only one bilinear pairing operation. In the comparison of decryption overhead (as shown in Fig. 4c), the scheme [21] transfers a large amount of pre-decryption computation to cloud servers with the help of outsourced decryption technology, which is better than this scheme in terms of pre-decryption. However, it is worth noting that our scheme only requires one exponential operation for final decryption, greatly reducing the computational burden. This makes our scheme especially suitable for devices with constrained computing resources, such as mobile terminals. Additionally, we analyzed the overhead of each phase of our scheme with varying attribute sizes. As shown in Fig. 4d, the costs increased approximately linearly with the number of attributes. Encryption remained consistently low, while key generation and granting increased moderately. Revocation required more time due to the need to generate and disseminate update information to affected attributes, an inherent cost of policy updates. However, even with 100 attributes, all operations remained sub-second, indicating good scalability.