Blockchain Data Privacy Access Control Based on Searchable Attribute Encryption

Data privacy is important to the security of our society, and enabling authorized users to query such data efficiently is an increasing challenge. Recently, blockchain has gained extensive attention for its prominent characteristics: it is public, distributed, decentralized and chronologically ordered. However, the transaction information on the blockchain is open to all nodes, and transaction update operations are even more transparent; leakage of transaction information causes large losses to the transacting parties. In response to these problems, this paper combines hierarchical attribute encryption with linear secret sharing and proposes a blockchain data privacy protection access control scheme based on searchable attribute encryption, which solves the privacy exposure problem of traditional blockchain transactions. The user's access control is enforced by the verification nodes, which avoids the security risk of submitting private keys and access structures to the blockchain network. Associating each private key component with the random identity of the user node in the blockchain solves the collusion problem. In addition, authorized users can quickly search and supervise transaction information through searchable encryption, and the improved algorithm ensures the confidentiality of keywords. Finally, based on the DBDH assumption, the security of the scheme is proved in the random oracle model.


Introduction
Blockchain technology, as a tamper-resistant, chronologically verifiable chain-like storage architecture, provides a new method for data security and privacy protection, and its application in power balance trading platforms has also received extensive attention. For example, Xia et al. [1] analyzed the trading mechanism of the electricity surplus market; to make information symmetric and fair, they designed smart contracts for multi-party bidding of power resources based on blockchain technology and realized decentralized transaction decisions. Literature [2] summarizes existing applications and research on blockchain technology, focusing on blockchain traceability in various fields. According to these studies, blockchain will help improve solutions in areas such as the Internet of Things, smart cities and supply chains. However, the ledger that records and stores transaction information in a blockchain is open to any node that joins the blockchain network. Through mathematical analysis of the transaction records in the global ledger, attackers may threaten users' transaction privacy and identity privacy [3]. Transaction privacy threats concern the detailed information contained in transactions: for example, an attacker can obtain valuable information through in-depth analysis of the series of transactions of a specific account, the transaction details, the related accounts and the capital flows. Identity privacy threats concern the potential exposure of the trader's identity: by analyzing the transaction data and combining it with background knowledge, the attacker can obtain the trader's identity information. Jordan [4] uses cluster analysis on blockchain transaction data to determine which different addresses belong to the same user.
This is a good example of the use of analyzing transaction data to obtain the identity of a trader. In addition, since all transactions performed by users are permanently recorded in the blockchain, once the transaction is implemented, all relevant transaction information will be leaked. In addition, as the blockchain is increasingly used in daily payments, attackers can use off-chain information [5] to infer the identity of the account in the blockchain.
In the traditional blockchain, the user's account transaction information is stored directly in the block without encryption, so the user's account is completely open to all nodes. At the same time, when a user initiates a transaction, the transaction amount in the transaction information is fully disclosed. The verification nodes on the blockchain perform mathematical analysis on the user's transaction amount and account balance to verify whether the transaction is legal. Although this method realizes a decentralized and tamper-proof blockchain, the user's account privacy [6] is completely exposed. Several blockchain privacy protection mechanisms respond to these problems. Shen Tu et al. [7] proposed a more efficient blind-signature mixing scheme based on elliptic curve cryptography. The scheme is simple and easy to operate and is suitable for various digital currencies, but it is a centralized mixing scheme. In a later mixing scheme, Gao et al. [8] use cryptographic techniques such as blind signatures to protect privacy, but this increases computational cost, and having a third party process tokens inevitably adds service overhead. Some scholars also use ring signatures to protect the privacy of the blockchain. For example, Noether et al. [9] proposed an improved ring-based confidential transaction scheme that hides the amount. In this scheme, a large number of ring signatures are placed in multiple layers of linkable spontaneous anonymous group signatures [10], and the solution protects both identity privacy and transaction privacy. Although ring signatures provide strong anonymity, they have three limitations: 1. The transaction size is huge, nearly several kilobytes per transaction, which increases the storage space of the entire blockchain record. 2. The inherent disadvantage of ring signatures is that the signature size is proportional to the number of participants, so in practice each transaction has only a limited number of outputs (for example, 4 outputs by default). 3. The hidden amount increases the difficulty of auditing: one must not only verify whether confidential cryptocurrency is created during the transaction, but also determine the additional amount at a specific moment.
Chen et al. [11] proposed an anti-quantum proxy blind signature scheme based on lattice cryptography, which provides user anonymity and untraceability for distributed BIoT applications; the proposed proxy blind signature scheme fully solves the unforgeability problem of unauthorized signing and thus protects user privacy. Chiesa et al. [12] proposed the Zerocash scheme, which introduces zk-SNARKs [13], a non-interactive zero-knowledge proof technique, into a digital currency; it ensures the unlinkability and confidentiality of transactions while supporting arbitrary amounts. The disadvantage of this scheme is that if an attacker obtains the secret data introduced at setup, tokens may be forged. Subsequently, in order to solve the privacy problem of off-chain payment protocols on public chains, many studies constructed off-chain payment protocols, such as bidirectional micropayment channels [14], the Lightning Network and Sprites [15]. However, in these schemes both parties to a transaction must use a relay node to complete it, and the transaction information is visible to the relay node, so the privacy of both parties is exposed to the relay node. There are some studies on off-chain payment privacy, such as the TumbleBit scheme proposed by Alshenibr et al. [16], which hides payment channel information from relay nodes; TumbleBit-style schemes are generally compatible with Bitcoin, but their time and efficiency costs are relatively high. Green et al. [17] proposed the Bolt scheme, which ensures that payments within the same channel are independent of each other and that payments complete in seconds without waiting for block confirmation. If someone pays through the payment channel provided by the payee, the payee receives a notification. Many problems in the security of payment protocols remain to be solved.
A blockchain retrieval privacy protection mechanism based on searchable keywords was proposed in [18]; it realizes private search over authorized keywords without changing the retrieval order. However, the keywords in this scheme are relatively short, the scheme cannot resist collusion, and nodes can communicate privately with each other. Addressing data sharing privacy, Do et al. [19] proposed a distributed data storage system using blockchain technology together with a private keyword search scheme, which provides authorization for data owners and supports private keyword search over encrypted data sets; however, this scheme does not yet implement document revocation or Boolean search. The data storage incentive mechanism for wireless sensor networks (WSN) in [20] uses a double chain: one chain stores the data of each node and the other controls data access. In addition, a reserved hash function is used to compare stored data with a new data block; new data can be stored at the node closest to the existing data, and only the differing sub-blocks need to be stored, which greatly saves the storage space of network nodes. However, the confidentiality of the data is not discussed. Using the DCOMB method, literature [21] proposed a blockchain-based IoT data query model, which combines the IoT data stream with the blockchain timestamp to improve the interoperability of data and the versatility of the IoT database system. The data query model can quickly look up the public key corresponding to a data stream, and the query runs in a fully encrypted environment, which ensures the privacy and security of IoT data. However, the data pre-reading process takes extra time, and MySQL query performance costs more.
In the above schemes, the data privacy problem has not been completely resolved, so solving it is urgent. The contributions of this paper are as follows: 1. Public-key searchable encryption is used to encrypt the private transaction data in the blockchain, which solves the privacy leakage caused by the disclosure of all data in a traditional public blockchain and protects the sensitive information of blockchain transactions. 2. Attribute-based encryption combined with secret sharing enables fine-grained access control over transaction ciphertexts in the blockchain. 3. Users who have access to a transaction can quickly search the ciphertext, which realizes supervision of transaction information.
The organization of the paper is as follows: Section 1 introduces research on blockchain privacy; Section 2 introduces the basic cryptographic primitives; Section 3 presents the system model and the security model of the security requirements; Section 4 describes the specific construction of the scheme; Section 5 analyzes the security of the scheme in detail; Section 6 compares related work; Section 7 summarizes the scheme.

Bilinear Mapping
Definition 1: Let $G_1$ and $G_2$ be multiplicative cyclic groups of prime order $q$, and let $P$ be a random generator of $G_1$. A bilinear pairing $e: G_1 \times G_1 \to G_2$ satisfies the following property: (1) Bilinearity: for all $(P, Q) \in G_1$ and all $(a, b) \in Z_q^*$, $e(P^a, Q^b) = e(P, Q)^{ab}$ holds.

Decisional Bilinear Diffie-Hellman Assumption (DBDH)
Select a generator $g \in G_1$ and choose $a, b, c, r \in Z_q^*$. Given $g^a, g^b, g^c \in G_1$ together with $e(g, g)^{abc}$ and $e(g, g)^r \in G_2$, the problem is to decide whether $e(g, g)^{abc}$ and $e(g, g)^r$ are equal.
Definition 2: For any probabilistic polynomial-time adversary $\mathcal{A}$, the advantage of $\mathcal{A}$ in solving the decisional bilinear Diffie-Hellman (DBDH) problem is denoted $\mathrm{Adv}^{DBDH}_{\mathcal{A}}$. If $\mathrm{Adv}^{DBDH}_{\mathcal{A}}$ is negligible, the decisional bilinear Diffie-Hellman assumption holds.

LSSS (Linear Secret Sharing Scheme)
A secret sharing scheme $\Pi$ [22] over a set of participants $P$ is called linear (over $Z_p$) if the following conditions are satisfied:
(1) The shares for each party form a vector over $Z_p$. There is a matrix $M$ with $l$ rows and $n$ columns called the share-generating matrix of $\Pi$. For all $i = 1, 2, \ldots, l$, the function $\rho$ labels the $i$-th row of $M$ with a participant $\rho(i)$. Consider the column vector $v = (s, v_2, \ldots, v_n)^T \in Z_p^n$, where $s$ is the secret to be shared and $v_2, \ldots, v_n \in Z_p$ are chosen at random; then $Mv$ is the vector of $l$ shares of $s$ according to $\Pi$, and the share $(Mv)_i$ belongs to participant $\rho(i)$.
(2) Suppose $\Pi$ is an LSSS for the access structure $A$. Let $S_u \in A$ be any authorized set, and let $I \subseteq \{1, \ldots, l\}$ be the set of row indices labelled by members of $S_u$. If $\{\lambda_i\}$ are valid shares of any secret $S$ according to $\Pi$, then there exist constants $\{w_i \in Z_p\}_{i \in I}$ such that $\sum_{i \in I} w_i \lambda_i = S$. Moreover, these constants $\{w_i\}$ can be found in time polynomial in the size of the share-generating matrix $M$.

System Model
The blockchain data privacy access control system model based on searchable attribute encryption is shown in Fig. 1. It includes four types of participating entities: data owner, verification nodes, user and miner node. Transaction generation is shown in Fig. 2.
Data Owner: First, during initialization the data owner generates the index key and the trapdoor key, extracts the keywords of the transaction, and encrypts the index with the index key to form the index ciphertext. Second, it encrypts the trapdoor key to form the trapdoor key ciphertext and shares the data. Finally, it signs the transaction with a secure signature algorithm, encrypts it, and appends the keyword index to the transaction ciphertext file. The data owner can be a user making Bitcoin transactions on the blockchain or a miner.
User: The registration system generates an identity identifier RID corresponding to the user's real identity and a private key corresponding to the user's attributes. The user decrypts the trapdoor key ciphertext, obtains the user key, generates a trapdoor, and sends it to the blockchain to request the transaction ciphertext.
Verification Nodes: They verify the correctness of the user's identity and permissions, compute the user's attribute private key parameters and permission parameters over the attribute set, distribute the trapdoor key ciphertext, and distribute the user key UK to legitimate users.
Miner Node: The miner node broadcasts all transaction information from the current period; each node verifies it and appends it to the blockchain after verification. The miner node matches the trapdoor against the index sent by the data owner, and sends the transaction ciphertext to the data consumer when the match succeeds.

Threat Model
In the scheme proposed in this paper, only the verification node is fully trusted: it generates and distributes users' private keys honestly. Most miner nodes are honest but curious. In addition, users may collude to decrypt data they are not authorized to access.

Security Model
The security model is a game between the adversary and the challenger. The games are described as follows:

IND-CPA security model
Initialization: The challenger A runs the initialization algorithm to generate the public parameters and the master key, and sends the public parameters to the adversary C.
Phase 1: The adversary C repeatedly queries private keys for attribute sets $S_1, \ldots, S_q$, none of which satisfies the challenge access structure.
Challenge: The adversary C picks two messages $M_0, M_1$ and sends them to the challenger A. The challenger A picks a random bit $b \in \{0, 1\}$, encrypts $M_b$ under the access structure, and sends the ciphertext to the adversary C.
Phase 2: Phase 1 is repeated.
Guess: The adversary C outputs a guess $b'$ of $b$; if $b' = b$, C wins the game. The advantage of C in this game is defined as $\mathrm{Adv} = |\Pr[b = b'] - 1/2|$.

IND-CKA security model
Hash query: The adversary can query the random oracle H.
Trapdoor query: The adversary can request the trapdoor for any keyword.
Challenge: The adversary submits two keywords to the challenger, with the restriction that the adversary may not query the trapdoor for either of them; the challenger picks a random bit $b$ and returns the keyword index for the chosen keyword.
Guess: The adversary outputs a guess $b'$ of $b$; if $b' = b$, the adversary wins the game. The advantage of the adversary in this game is defined as $\mathrm{Adv} = |\Pr[b = b'] - 1/2|$.
Definition 2: If the advantage of every polynomial-time adversary in the above game is negligible, the proposed scheme is IND-CKA secure.

Specific Construction
In this part, we present the concrete algorithms of the blockchain data privacy protection access control scheme based on searchable attribute encryption.

a) Registration
The user submits a registration application to the system and obtains the identity RID and the user attribute set corresponding to the real identity information; the data owners (transacting users) register to obtain their keys and identity identifiers.

b) Initialization
Data owner initialization: Select a group $G_0$ of prime order $p$ generated by the element $g$, select $N$ elements of the finite field, and form the system attribute set $S$ from the system attributes. According to the correlations between attributes, $S$ is divided into $x$ attribute trees; $H_i$ denotes the depth of the $i$-th tree and $H = \max\{H_i\}_{i \in [1, x]}$ is the maximum tree depth. Randomly select the vectors $U = (u_y)_{1 \le y \le x}$ and $U' = (u'_{y'})_{1 \le y' \le x}$, where $u_y$ is the public parameter corresponding to the $y$-th attribute tree. The data owner also selects a prime $p$, generates a group $G_1$, and fixes a hash function $H_1: \{0, 1\}^* \to G_1$. The data owner then chooses two random numbers; from the second, $l$, it computes the public key $PK = \{g, g^l\}$, and the first is kept as the private key $SK$, which serves as the trapdoor key.
Verification node initialization: $Z_p^*$ denotes the set of non-zero elements of the finite field of prime order $p$. Two distinct random numbers $a, b$ are drawn from it, and the verification node calculates

c) Transaction generation and signature
Transaction user A generates the transaction information, encrypts its own identity, runs the wallet signature algorithm to sign it with the private key corresponding to the wallet address, and sends it to transaction user B. The user signature is calculated as follows:
The trader extracts the keywords from the transaction plaintext and encrypts each keyword with the index key $g^l$ and the random numbers $s$ and $l$. The keyword index of the transaction information is calculated as follows:

e) Encrypt$(M, TK, PK) \to (C_M, C_{TK}, VR)$
The $n'$-th user attribute $a_{n'}$ in the ciphertext-policy attribute set $H$ lies in the $m'$-th attribute tree at depth $h'$; its path is $R_{n'} = (a_{n'0}, a_{n'1}, \ldots, a_{n'k'}, \ldots, a_{n'h'})$, where $k' \in [0, h']$ and $a_{n'k'}$ is the attribute at layer $k'$ of the path $R_{n'}$. For the policy attribute $a_{n'}$, the mapping $\rho$ selects its corresponding secret share $w_i$. The attribute ciphertext $C_{n'}$ and the policy parameter $C'_{n'}$ are computed as follows: With $u'_{m'}$ the public parameter of the $m'$-th attribute tree and $u_{k'}$ the public parameter of layer $k'$, the ciphertexts are as follows: Here $M$ is the transaction plaintext, $S$ is a secret value, and $E_1$ is the partial ciphertext that carries the transaction plaintext $M$.

f) Trapdoor generation $(W', TK, UK) \to T_{W'}$
In this algorithm, select a random number and compute the trapdoor as follows: If the user's search keyword equals a keyword contained in the index, the matching equation holds and the blockchain returns the result to the user; otherwise it returns an empty set.

h) Key generation
For the user's attribute set $S_n$, the $n$-th user attribute $a_n$ lies in the $i$-th attribute tree at depth $h$, with path $R_n = (a_{n0}, a_{n1}, \ldots, a_{nk}, \ldots, a_{nh})$, where $a_{nk}$, $k \in [0, h]$, is the attribute at layer $k$ of the path $R_n$. The verification node selects a random number $r \in Z_p^*$, which is used to resist collusion attacks. For the user attribute $a_n$, select a random number $r_n \in Z_p$ and compute the attribute private key $d_n$, the private key parameter $D_n$ and the permission parameter set $D'_n$ as follows: $d_n = \cdots\, u_k^{a_{nk} r_n}$, $D_n = g^{r_n}$, $D'_n = \{u_{h+1}^{r_n}, u_{h+2}^{r_n}, \ldots, u_{H_i}^{r_n}\}$. Combining the private key components, the user obtains the private key as:

i) Decryption
In the attribute authorization set $S'_u$, the user attribute $a_n$ lies in the $m$-th attribute tree and the policy attribute $a_{n'}$ lies in the $m'$-th attribute tree, with $m = m'$; the depth $h$ of the user attribute $a_n$ and the depth $h'$ of the policy attribute $a_{n'}$ satisfy $h \le h'$. The user attribute path $R_n = (a_{n0}, a_{n1}, \ldots, a_{nk}, \ldots, a_{nh})$ and the policy attribute path $R_{n'} = (a_{n'0}, a_{n'1}, \ldots, a_{n'k'}, \ldots, a_{n'h'})$ satisfy $k = k'$ and $a_{nk} = a_{n'k'}$ for $k \in [0, h]$, $k' \in [0, h']$, i.e. the user's path is a prefix of the policy path. For the policy attribute $a_{n'}$ covered by the user attribute, the decryption permission value $d_{n'}$ is computed as follows: $d_{n'} = \cdots (u_{h+1}^{r_n})^{a_{n'(h+1)}} \cdot (u_{h+2}^{r_n})^{a_{n'(h+2)}} \cdots u_{h'}^{r_n}$. The bilinear map $A_{ni}$ is then evaluated and the user's permission $VR'$ is computed as follows: If the user's permissions satisfy the access structure, the user can decrypt the trapdoor key as: The transaction message is then restored as:
CMC, 2021, vol. 66, no. 1

Security Proof
In this part, the proposed scheme is proved secure in the random oracle model.
Lemma 5.1: Under the DBDH assumption, our scheme resists chosen-plaintext attacks in the random oracle model, i.e. it is CPA-secure.
Proof: Suppose a probabilistic polynomial-time adversary can attack our scheme with advantage $\varepsilon$. We show that an algorithm C can then win the following DBDH game with advantage $\varepsilon/2$. Let $e: G_0 \times G_0 \to G_1$ be a bilinear map, where $G_0$ is a cyclic group of prime order $p$ with generator $g$. The challenger randomly selects $a, b, c, z \in Z_p$ and $\mu \in \{0, 1\}$; if $\mu = 0$ it sets $(g, A, B, C, Z) = (g, g^a, g^b, g^c, e(g, g)^{abc})$, and if $\mu = 1$ it sets $(g, A, B, C, Z) = (g, g^a, g^b, g^c, e(g, g)^z)$.
Initialization: The adversary controls a set of authorities, at least two of which are controlled by the adversary, while the remaining authorities are controlled by the challenger. The adversary declares the LSSS access structure to be challenged.
The challenger sets $a = r$, $b = \alpha$, $c = s'$, where $r, \alpha, s' \in Z_p$ are chosen at random, sets $Y := e(A, B) = e(g, g)^{ab}$, and sends the public parameters to the adversary.

Simulator answers the keyword index
The simulator randomly selects parameters $s, \xi \in Z_p$ and computes the keyword index as follows: The trapdoor and the keyword index are then sent to the adversary.
The adversary outputs a guess $b'$ of the keyword bit $b$. If the adversary wins the game, the simulator outputs $b' = 0$; if $b' \ne b$, it outputs $b' = 1$.
Probability analysis: The adversary A makes at most $q$ trapdoor and index queries. The probability that the simulator does not abort during the game is non-negligible. Provided the simulator does not abort, if A guesses the keyword correctly then the value $m$ becomes known. The adversary's advantage is the distance of its winning probability from $1/2$, as defined in the security model. Under the DBDH assumption no adversary can break our algorithm, so our scheme is secure.

Lemma 5.3
If the DBDH assumption holds, our scheme is secure in the random oracle model.
Proof: Follows directly from Lemma 5.1 and Lemma 5.2.

Privacy Protection Analysis
Content privacy: This paper uses a ciphertext-policy attribute-based encryption algorithm to encrypt the trapdoor key information, which is more secure than a symmetric encryption algorithm. By encrypting the trapdoor key information under the LSSS linear secret sharing structure and encrypting the transaction information with searchable encryption, the content privacy of both parties is ensured. In the process of generating the private key, a random number and the identifier RID of the interacting user are introduced, so even if different users collude they cannot obtain a private key they are not entitled to. Therefore, even under collusion, illegal users cannot obtain the transaction information or the shared secret.
Identity privacy: The blockchain data privacy protection access control method based on searchable attribute encryption uses the verification node, which stores the trapdoor key ciphertext. Transaction user A does not need to be online at all times, and a key UK and an identity RID are randomly generated for each user. During interaction, the RID sequence represents the identity of the user, which protects the user's identity privacy.
Searching privacy: The search mechanism of our scheme resists several attacks. During index generation, transaction party A encrypts the indexed keyword with the random number l, so a node on the blockchain cannot mount an inside keyword guessing attack by matching candidate keywords against the trapdoor. During trapdoor generation, random numbers hide the search keyword, which prevents malicious nodes from replaying keywords after cracking a trapdoor. Blockchain network nodes and attackers therefore cannot obtain useful information about the keywords, and our scheme guarantees keyword privacy without reducing the security of the underlying algorithm.
Attribute privacy: The verification node implements fine-grained access control and authorizes blockchain users by verifying VR, which avoids the risk of submitting the access structure to the blockchain network. This mechanism protects the attributes of the linear access structure defined by the counterparty.

Scheme Comparison
Literature [7] applied elliptic curve cryptography to propose a more efficient blind-signature mixing scheme that protects the privacy of transaction information. Literature [9] hides the transaction amount with ring signatures and proposes a ring-signature-based confidential transaction scheme, protecting transaction privacy and identity privacy. Literature [12] presented the Zerocash scheme, which uses public-key encryption to protect transaction privacy. Literature [18] uses public-key cryptography to propose a blockchain retrieval privacy protection mechanism based on searchable keywords. Literature [19] proposed a distributed data storage system using blockchain technology and a private keyword search scheme. As Tab. 1 shows, this paper adopts an access control method based on searchable hierarchical attribute encryption, which not only hides the transaction amount from nodes without access rights on the blockchain, but also lets authorized blockchain user nodes quickly and efficiently query valid transaction information through trapdoor keywords.

Performance Comparison
In this section, we analyze the performance of the scheme. E denotes an exponentiation, P a bilinear pairing operation, H a hash operation, and m the number of users. Tab. 2 presents the computational cost of our scheme and of the schemes in references [18] and [19].

Conclusion
Since the global ledger in which blockchain technology stores transaction information is open to any node joining the blockchain network, the data privacy of the blockchain needs to be further strengthened. This paper proposes a blockchain data privacy protection access control scheme based on searchable attribute encryption. The scheme uses ciphertext-policy attribute-based encryption to encrypt the trapdoor key and then uses searchable encryption to encrypt the transactions on the blockchain, so that only authorized users can access the transaction information. It not only protects the privacy of transaction information on the blockchain, but also lets authorized users access transaction information efficiently. The security and effectiveness of the scheme are proved in the random oracle model.