A traceable and revocable multi-authority attribute-based access control scheme for mineral industry data secure storage in blockchain

With the rapid advancements of the mineral industry, the data generated by this industry chain have increased dramatically. To reduce the growing pressure of data storage and security risks, we design a credible on-chain and off-chain collaborative dual storage system that integrates blockchain technology and Interplanetary file system (IPFS), also construct a traceable and revocable multi-authority ciphertext-policy attributed-based encryption (CP-ABE) algorithm to meet the demand of privacy protection and dynamic fine-grained access control. Furthermore, the multi-authority layered authorization with a central authority model distributes system overhead while enabling the platform can be regulated. More importantly, our scheme achieves accurate trace of the malicious users by white-box traceability and capable of implementing indirect immediate user and attribute revocation without requiring key or ciphertext updates. Finally, the proposed scheme is indistinguishably secure under chosen-plaintext attack (IND-CPA) in the standard model. And the performance analysis demonstrates that our scheme is feature-rich, practical and efficient.


Introduction
Over the past decade, non-ferrous metals have increasingly prominent economic value as indispensable functional raw materials for cutting-edge technology products [1]. Hence the increasing total investment and transaction market scale of the nonferrous metal industry accelerate the growth of the amount of full lifecycle data for mineral resource supply chain. In addition, due to the sensitivity of mineral resource information and the protection of enterprises' own interests, much information in the mineral resource supply chain is not public, and illegal incidents such as private mining and smuggling of mineral resources occur from time to time. As a result, there is an urgent need for a secure data storage and sharing platform to improve transparency, speed of sharing and circulation of mineral resource information and management review efficiency of mining rights. However, the traditional data sharing platforms have many disadvantages such as low data volume and incomplete categories, low update speed, difficulty in guaranteeing data authenticity, integrity and privacy security, susceptibility to centralized attacks and difficulty in confirming data rights [2]. Therefore, it is necessary to promote the digital intelligent innovation management and government oversight of mineral industry with the help of emerging information technologies [3]. Driven by the Internet of Things, artificial intelligence, big data, 5G communication and other technologies, mine information construction is developing toward intelligent application services [4].
Different from traditional centralized database system and the cloud service providers, which have to bear the risk of single point of failure, malicious tampering and subject to trust threat [5,6], the emerging blockchain technology provides a decentralized, persistent, immutable, auditable manner to record transactions and information interactions [7][8][9] by leveraging cryptology and consensus mechanism. Thus, it is an effective approach for tackling the issue of trust and traceability [10,11]. However, with the tremendous increase in stored data, the performance and capacity of the blockchain gradually decline and the expense of storing large files is high [5]. In response to these challenges, we pay attention to the peer-to-peer distributed file system Interplanetary file system (IPFS) which has the ability to store massive data with high throughput [12][13][14], while on the blockchain only the digital fingerprint of the file returned by IPFS is stored [6]. Nevertheless, any user who knows the addressing cryptographic hash of the file can download and disseminate it in IPFS without constrictions, which makes it prone to user privacy information leakage or data misuse [9]. Moreover, leakage of confidential information due to lack of access control mechanism is a pain point for existing decentralized data storage systems [5]. Consequently, it is essential to encrypt the sensitive data before uploading to IPFS and realize fine-grained access control for the ciphertext. Currently, attributebased encryption (ABE) is a promising solution to the above problems [13].
The prototype of attribute-based encryption was first presented in 2005 [15], where the user's public key is some role-based descriptive attributes that characterize the identity and user's private key and ciphertext are also related to attributes. The object of decryption is no longer a single user, but a group, which implements a one-to-many encryption mechanism and expressive access control.
According to whether the access policy is bound to the decryption key or the ciphertext, ABE can be divided into key-policy attribute base encryption scheme (KP-ABE) [16] and ciphertext-policy attribute base encryption scheme (CP-ABE) [17]. The CP-ABE mechanism supports data owners to formulate access control policies consisting of attributes with logical operators or threshold value for ciphertext, and the attributes associated with the decryption key are used to describe a user's credential, which is suitable for access control. While in the KP-ABE scheme, the access policies built into the decryption key are specified by the message receiver, and the attributes depend upon the ciphertext.
There is only one trusted authority in the previous ABE schemes, which are called single-authority attribute-based encryption (SA-ABE) schemes. SA-ABE centralizes the computational and communication pressure of the system into one entity and is unsuitable for large-scale distributed application scenarios where a user may have attributes granted by different authorities or a data owner has shared data supervised by multiple authorities [18]. In order to deal with the above problems, multi-authority attribute-based encryption (MA-ABE) is raised [19]. MA-ABE can be classified into centralized and decentralized by whether the key is distributed by a central authority. From the perspective of intelligent management of mining industry data, we focus on two practical challenges of MA-CPABE: trace and revocation. Due to the nature of CP-ABE, it is hard to trace the user with the secret key when he intentionally exposes his decryption key to a third party for personal benefit. A number of solutions to this issue including black-box traceable CP-ABE and white-box traceable CP-ABE [20] have been proposed. While white-box traceability means any user who leaks his decryption key to a third user will be identified. Black-box traceability is a relatively stronger concept means the leakage of the user is the decryption device hiding the decryption key or decryption algorithm in it. As for the user revocation problem that accompanies traitor tracing, approaches supporting user or attribute revocation also emerged. Revocation comes in two flavors named direct revocation and indirect revocation [21]. The former means that data owners directly formulate the revocation list and do not need to negotiate with the trusted authority. The latter means that the trusted authority is responsible for controlling the revocation list, updating the ciphertext, distributing keys of the unrevoked users, also needs to communicate with users [20].
In this paper, we design an on-chain and off-chain dual storage platform for mining industry data with the integration of blockchain technology and IPFS. System security and access control are implemented by the traceable and revocable multi-authority ciphertext-policy attribute-based encryption (TR-MA-CPABE). The main contributions of this paper are shown below: 1. Secure storage and access control: This paper achieves secure storage, finegrained access control and effective government regulation for mineral industry chain data. It also promotes digital intelligent management, transformation and upgrading of the mining industry. 2. Flexible hierarchical encryption: This paper utilizes a hierarchical access structure [22] to achieve simultaneous encryption of files with hierarchical access relation-ships. And we take advantage of the method proposed in the literature [23] to convert the hierarchical threshold-gate access tree into the more efficient access control linear secret sharing scheme (LSSS) matrix [24]. 3. Traceability: The scheme in this paper leverages the white-box traceability to trace the malicious user's identity through his public key or the leaked private key. The main idea is binds user's real identity with the public key, and embed the public key in the user's attribute secret key. 4. Revocation: The solution in this paper realizes revocation at both the attribute level and user level, Additionally, there is no need to update the attribute secret key of non-revoked users and ciphertexts due to the design of attribute verification step in the decryption phase. 5. Security: The TR-MA-CPABE scheme in this paper is proven to be indistinguishability under chosen plaintext attack (IND-CPA) secure based on the decisional Bilinear Diffie-Hellman (d-BDH) assumption.
The rest of this paper is organized as follows. Section 2 summarizes related research work on data storage platforms and attribute-based encryption algorithms. Section 3 briefly overviews the relevant cryptography and mathematics fundamentals on which our scheme relies. Section 4 presents the concrete system architecture and workflow. Section 5 implements a traceable and revocable multi-authority ciphertext-policy attribute-based encryption algorithm. Section 6 provides the security analysis of our algorithm. Section 7 comparatively evaluates the performance of the proposed algorithms. Finally, conclusions and future research directions are drawn in Sect. 8.
2 Work related to mining data security storage platform and attribute-based encryption algorithm

Blockchain + Interplanetary file system
Blockchain debuted as the underlying supporting technology of Bitcoin in 2008 [25]. It integrates a variety of information security technologies such as encryption algorithms, digital signatures, and consensus mechanisms, and is called "the machine for making trust". However, blockchain faces latency, scalability, storage and throughput challenges [11], and storing large files on the blockchain is inefficient and costly [6]. In order to overcome these deficiencies of blockchain-based solutions, many researchers leverage IPFS as the off-chain file storage system. The "blockchain + IPFS" model has been applied to many fields, such as data sharing [5], document version control [6], supply chain [9], medical health [12], etc. while only the addressing hash of the file generated by IPFS is stored in the blockchain. This integrated technical solution greatly reduces the storage pressure and data redundancy of the blockchain, and can better protect personal data from privacy leakage.

3
A traceable and revocable multi-authority attribute-based…

Traceable and revocable multi-authority attribute-based encryption
With the first proposal of the ABE in the form of a fuzzy identity-based encryption in 2005 [15], two variants of ABE named CP-ABE and KP-ABE have also been put forward to achieve better expressivity, efficiency and flexibility [16,17]. The above single-authority ABE schemes did not satisfy the demand of a practical distributed storage environment because users can only share data in the management domain of the authority [18]. Subsequently, Lewko A [19] provided a scheme that allows any number of authorities to manage attributes and issue secret keys to users independently with the use of a global identifier and the central authority. Nevertheless, it did not protect user privacy well. Zhong et al. [26] proposed a decentralized MA-ABE access control scheme supporting policy hidden and user revocation, but its computational and storage overhead were high. Banerjee et al. [27] presented a highly scalable multi-authority CP-ABE-based access control scheme with constant-size key and ciphertext which saved storage space, yet the expressiveness of access policies was limited. Guo et al. [28] constructed a hierarchal CP-ABE scheme with multiple authorities that can solve the key escrow problem, but the traitor tracking wasn't implemented.
In primitive CP-ABE schemes, users are anonymous and only described by some attributes, there is no connection between users' decryption keys and their exact identity. Thus, malicious users who intentionally revealed their keys for profits cannot be traced and the problem of key leakage and the difficulty of holding users accountable is prominent. To fix these issues, Zhang et al. [29] offered an efficient traceable large universe multi-authority CP-ABE scheme supporting any monotone access structure and did not require an identity table for tracing. Liu et al. [30] proposed a black-box accountable CP-ABE which can identify the owner of the faked decryption device and the malicious activity of the authority, so the traitor tracking problem is completely solved. Sethi et al. [31] designed a new multi-authority CP-ABE scheme that supports white-box traceability along with policy updating, outsourcing decryption and space efficiency.
Even with the trace mechanism embedded in these ABE schemes, the traitors cannot be revoked from the system. Indeed, it will be more difficult to perform attribute revocation in ABE systems, since the attribute sets of different users can overlap. Wang et al. [20] devised an attribute level user revocation for malicious users and fine-grained access control for ABE in which the trust authority can trace defectors and send the identity of a defector to the attribute manager. Imine et al. [32] proposed a scalable revocable decentralized ABE which realized immediate uses or attributes revocation and did not require the key update. Liu et al. [33] presented an efficient traceable-then-revocable CP-ABE, which solely needed to update the ciphertext components related to the revocation list after revocation and the updated ciphertext could provide forward security. However, its traceability is not as strong as the black-box traceability. Xu et al. [34] introduced a new cryptographic primitive named re-randomizable ABE reaching decryption key exposure resistance and ciphertext delegation. Ge et al. [35] introduced a practical revocable attribute-based encryption with data confidentiality and integrity protection. Han et al. [21] proposed a traceable and revocable 1 3 CP-ABE scheme based on privacy protection, but the system has a limit on the number of times an attribute name can appear.

Cryptography and mathematical foundations required
for the proposed scheme

The main parameters and definitions
In order to facilitate the reader's understanding, Table 1 shows the main parameters involved in the specific scheme of this paper and their definitions.

Bilinear maps
Let G 1 , G 2 and G T be three multiplicative cyclic groups of the prime order p, and g 1 , g 2 be the generators of G 1 and G 2 , a map e ∶ G 1 × G 2 → G T be the bilinear map which has the following properties:

AA k
The kth attribute authority, k ∈ (1, … , N) , where N denotes the number of attribute authorities.

aa x
The xth secondary authority which is a subsidiary of AA k , x ∈ (1, … , X) , X denotes the number of secondary authorities.

S
The number of attributes in the universe of the system.  Access structure expressed by LSSS, where M is a l × d matrix and is a mapping function.
The attribute set of the user issued by CA, AA k and aa x respectively. T A threshold-tree-string in efficient generation of LSSS matrix.
A (t, n) threshold group signature which means that t signatures are required out of n signatories.
F A pseudorandom function.

UID
The secret identifier of the user associated with his real identity.

I t
The identity association table kept by authorities that records the association between user's UID and public key.

A t
The attribute tag table maintained by authority records each attribute it manages and the flag value which reflects whether the attribute has been revoked.

Access structure
Let P = P 1 , P 2 , … , P n be a set of attributes. A set A ⊆ 2 {P1,P2,…,Pn} is monotone for ∀B, C ∶ if B ∈ A and B ⊆ C then C ∈ A . A (monotone) access structure is a (monotone) set A which is non-empty subsets of P 1 , P 2 , … , P n , i.e., A ⊆ 2 {P1,P2,…,Pn} �{∅} . The sets in A are called the authorized sets, and the sets outside A are named as the unauthorized sets.

Linear secret sharing scheme (LSSS)
We suppose an attribute universe P and a prime r. Call a secret sharing scheme Π over P is linear if: 1. For each attribute, the shares of a secret s ∈ Z r form a vector over Z r . 2. For each access structure on P , there is a matrix M with l rows and d columns known as the share-generating matrix for Π . Suppose a mapping function ∶ (i) = a, i ∈ [1, l], a ∈ which associates each row i of the matrix with an attribute a in and a column vector ⃗ v = (s, x 2 , … , x n ) ∈ Z r , in which s denotes the shared secret and x 2 , x 3 , … , x n are some random numbers, M⃗ v is the vector of l shares of the secret s. Each share (M⃗ v) i corresponds to an attribute (i).
According to the definition of LSSS [24], each LSSS Π for enjoys the linear reconstruction property described as follows: Let O ∈ be an authorized set, and I ⊂ {i ∶ (i) ∈ O} be a set representing the row of Π , where the rows can be mapped to the attributes in O. There exist constants i ∈ Z r i∈I satisfying ∑ i∈I i M i = (1, 0, … , 0) , if i = (M⃗ v) i i∈I are valid shares of any secret s, then s can be reconstructed by computing ∑ i∈I i i = s. It is worth noting that there is a convention that the vector (1, 0, … , 0) is the "target" vector for any LSSS. Furthermore, these constants i can be found in time polynomial in the size of the share-generating matrix M, but for any unauthorized set, no such constants exist. The LSSS is denoted as (M, ) , and its size is the number of rows of M.

Hierarchical access tree
Access policies in most existing CP-ABE schemes are single and independent, which leads to repetitive and cumbersome calculations. In order to address this issue, it is a good idea to combine the access policies that have hierarchical access control relationships and perform the encryption simultaneously [22]. For instance, if we want to encrypt a series of data m 1 , m 2 , m 3 , m 4 with different access policies, we will encrypt them separately in a typical way. Yet, if these access policies have hierarchical relationships, as shown in Fig. 1, we can integrate them into a single one and encrypt that data simultaneously.

Efficient generation of LSSS matrix from threshold-gate access tree string
This efficient generation method of LSSS matrix from threshold-gate access tree is proposed by literature [23]. For instance, for a subset of the set of system attributes C 1 = {c 1 , c 2 , c 3 , c 4 , c 5 , c 6 , c 7 , c 8 } and its corresponding attribute value is C 1 ={'primary', 'mineral', 'products', 'transaction', 'contract', 'leader', 'manager', 'engineer'}. Now, the data owner gives a threshold-tree-string T = ((c 1 , c 2 , c 3 , 2), (c 4 , c 5 , 1), (c 6 , c 7 , c 8 , 1), 3) as access policy for decryption. T denotes there must be at least two attributes in the (c 1 , c 2 , c 3 ) and one attribute in the (c 4 , c 5 ) and one attribute in the (c 6 , c 7 , c 8 ) in the user attributes set A u . The algorithm to convert T into an LSSS matrix firstly initializes the LSSS matrix M = (1) 1×1 and vector L = (T) , the specific conversion process is as follows: Fig. 1 Formation of hierarchical access tree structure [22] 3. M = According to the properties of LSSS, for the authorization set  Figure 2 illustrates the process of encrypting and decrypting messages using CP-ABE and the above conversion method.

Cryptographic security assumptions
Definition 1 (Decisional Bilinear Diffie-Hellman Assumption (d-BDH)) Choose a bilinear group G of prime order r, g be a generator of G, and randomly pick a, b, s ∈ Z * r , R ∈ G T . If an adversary is given It is hard to distinguish e(g, g) abs ∈ G T from R. An algorithm B that outputs z ∈ {0, 1} has an advantage in solving d-BDH in G if

3
A traceable and revocable multi-authority attribute-based… 4 System architecture and workflow of this paper

System architecture
The system architecture of the TR-MA-CPABE scheme with seven entities included is illustrated in Fig. 3, and the entities are as below: a. Central authority (CA): Due to the highly sensitive mineral resource information in many countries, the mineral trading market is chaotic, the information flow in the supply chain is not smooth, and violations of laws and regulations occur from time to time. Therefore, it is necessary to set up a Central authority served by a government department to carry out supervision and facilitate the flow and sharing of information. CA takes on a founder and supervisory role in our system, it initializes the TR-MA-CPABE scheme, generates secret keys for the attribute authorities and can track and revoke malicious users. In this paper, it is assumed that the Ministry of land and resources assumes the role of CA. Furthermore, it needs to be emphasized that CA does not have other privileges such as modifying the data in the blockchain or IPFS and changing system security settings, and the data stored in the blockchain and IPFS still cannot be modified, deleted, hidden and denied. b. Attribute authorities (AAs/aas): AAs are independent trusted nodes with secondary authority in this proposed system and held by the mineral resources corporate groups. aas are the next level institutions or corporate subsidiaries of AA. The function of AAs is entitling and generating secret keys for aas or the users who work for them. Furthermore, they also have the right to track users and revoke attributes in their domain. c. User: can be an employee of authorities or a temporary system visitor. Each user has a private global identifier UID associated with a real identity, a public key UPK assigned by the CA and an attribute secret key USK distributed by the authority he belongs to. d. Administrators: Each authority has one administrators group composed of multiple managers (middle and senior leaders of the enterprise) who play the role of authorized representative nodes. Any administrator of the can process general attribute requests and user's attribute secret key requests. e. Blockchain: There are two blockchains in our system, they are product transaction traceability public blockchain (PTTPB) and information security regulatory consortium blockchain (ISRCB) respectively. There are no central authority and authorized access mechanism in PTTPB. Yet, In ISRCB there are only CA and AAs/aas certified and authorized by CA and their employees, and the users and information in the ISRCB are regulated. f. Interplanetary file system: IPFS clusters are categorized into public clusters and private clusters. A public IPFS cluster is an open and transparent distributed network that allows any computer called node to connect and obtain files. Nodes in a private IPFS cluster will only be connected to nodes with a shared secret, and these nodes will not respond to external access.

Some assumptions and details for this proposed system
1. There are N secondary attribute authorities AAs and X third-tier authorities aas in our scheme. Let be the system security parameter. We require that the numbers N, X, S, the number of attributes n k generated by AA k and the number of attributes n x generated by aa x are upper bounded by a number which is polynomial in . 2. The system attribute set is composed of the attributes created by all authorities.
CA obtains all attribute sets from the ISRCB, then announces the integral system attribute set to the ISRCB for all authorities to view and monitor. Besides, CA also maintains a system attribute revocation list (SARL) used to revoke system attributes. And SARL is composed by the attribute revocation lists (ARLs) generated by all AAs. 3. When an enterprise group or organization joins the system, it needs to be authorized. Authorization is categorized as direct authorization and indirect authorization. Direct authorization means that CA issues the key and authorization for the authorities or users, and indirect authorization means that the rights are given to AAs or aas. 4. In order to prevent collusion between different users with the same attributes, every user entering the system needs to use their own real identity information such as an identification number marked as UID to register with the CA and acquire the public key UPK. UID is kept secret by the user himself except when the user applies for the attribute certificate and attribute secret key for system authentication. When a user logs into the system, he needs to enter his UID and UPK for identity authentication. 5. If a user wants to get an attribute, he needs to use his own UID and UPK to send an application for the attribute certificate to the authority he belongs to. The content of an attribute certificate contains certificate version, serial number, UPK of certificate holder, attribute information, certificate validity period, signature information, and signature algorithm. Application rules vary depending on the category and confidentiality level of the attributes requested. For the application of common attribute certificate, only one group administrator needs to agree to sign before issuing, but the issuance of secret-level attribute certificates requires t (preset by authorities) threshold group signatures k . 6. When uploading a file, the users first need to select some keywords as the classification attributes of the file, which directly determines whether the file needs to be encrypted. In the case of secret file, the data owner needs to specify a string consisting of some identity attribute and threshold values as the access control policy when encrypting. 7. In the context of our application, the mining enterprise or institution encrypt private data such as internal confidential information, account and transaction information through TR-MA-CPABE scheme and store them in a private IPFS cluster, and then upload the returned file hash to ISRCB to ensure data security and facilitate government supervision. On the other hand, publishable information such as enterprise qualification information, product price or packaging information, mineral mining and logistics information or general secret files encrypted by TR-MA-CPABE scheme are stored in the public IPFS cluster. And it is up to the data owner to choose whether to store the file addressing hash in PTTPB or ISRCB. 8. After the data are uploaded to the blockchain, the digital fingerprint, keyword and corresponding block identifier (ID) of the file are stored in ISRCB as a piece of data, and the block ID ′ is obtained. Then this set of data and the corresponding block ID ′ are broadcast in the system and stored in the local database as system announcements. 9. When the users want to obtain data, they first enter the keywords in the system announcement to query the terms corresponding to the required data (digital fingerprint of the file, keywords and corresponding block ID, block ID ′ ), in which the content in the block ID ′ can be used to verify the authenticity of this data. Then the data requesters obtain the corresponding file through the digital fingerprint to IPFS, and verify that the file has not been tampered by looking at the contents of the block ID ′ . If it is an encrypted file, the message ciphertext CT, user's identifier UID, public key UPK and attribute private key USK are used to apply to the authority's administrators for decryption, and the original information m is obtained if the application is successful. 10. The authorities dynamically maintain an identity association table [1,U] } and an attribute tag table A t = {(u i ∈ A u , p i ) i∈n u } to facilitate subsequent identity tracking and user's attribute revocation, where U is the number of users in the management domain of the authority, u i is an attribute of a user UPK, p i is a flag value marks whether the attribute is revoked and n u is the number of attributes of user UPK. In addition, the CA records a global revocation list about revoked user's identifier UID and corresponding UPK in the form of an array (UID, UPK). 11. Since in this proposed system, different attribute authorities operate independently, the user only has the attributes and attribute certificate granted by the authority to which he belongs, so there is no key collusion between users from different attribute authorities. 12. Traceability of mineral products: Users can use hash function SHA256 and digital signature to ensure security of mineral resources transactions. Adding the contract number to the comments field of the invoice information to make connection between transaction contract and invoice. The buyer (payer) uses the seller's (payee) public key to hash the invoice together with the contract, later uses its own private key to generate a digital signature of the transaction order.

Formal definition of TR-MA-CPABE
The TR-MA-CPABE scheme consists of the following ten probabilistic polynomialtime algorithms: 1. GlobalSetup(1 ) → (PK, MK) : A randomized algorithm which must be performed by the CA. It takes the security parameter as input and outputs a system public key PK and a system master key MK which will act as the public/ secret key pair for CA. 2. Tiered authorization: a. Direct authorization (MK, PK, A k ) → s k : CA runs the algorithm and inputs system public key PK and system master key MK and attribute set A k of AA k , outputs the secret keys k of AA k . b. Indirect authorization (ASK, APK, x ) → s x : AA k runs the algorithm and inputs public/private key pair (ASK, APK) and attribute set x of AA k 's subsidiaries aa x , outputs the private key s x for aa x .
3. Ureg(UID) → UPK : A deterministic algorithm executed by the authorities that inputs the user's secret identity information UID and outputs the user's public key UPK. 4. AASetup(s k ors x ) → (ASK k , APK k )or(aSK x , aPK x ) : A randomized algorithm performed by AA k or aa x takes its authority private key s k or s x as input, and outputs public-private key pair (ASK k , APK k ) or (aSK x , aPK x ) for itself. 5. UACertGen(UID, UPK, AI, t, { i } i∈ [1,t] ) → AC : The user's attribute certificate generation algorithm performed by the authorities takes as input UID and UPK of the applicant, application information AI containing the requested attribute name and the attribute value and at least t group administrators' signatures.
Output an attribute certificate AC.

Security model
The security model of the proposed scheme is an indistinguishability game under chosen access policy and chosen plaintext attack (IND-SAP-CPA). The game contains a challenger ℂ and an adversary . ℂ simulates the game and answers queries of and is shown as below.
Setup: Suppose that the adversary belongs to the attribute authority AA k and declares a challenge to access structure (M * , * ) . The challenger ℂ generates the system master key MK, system public key PK and public/secret key pair (ASK k , APK k ) of AA k by running the GlobalSetup algorithm and the AASetup algorithm mentioned in section 4.3 and sends PK and APK k to the adversary.
Key Queries1: sends a polynomial bounded number of attribute sets A k 1 , A k 2 , ⋯ , A k n which cannot satisfy the access structure (M * , * ) with his global identifier UID to ℂ for querying corresponding attribute secret key USK 1 , USK 2 , ⋯ , USK n . ℂ runs the KeyGen algorithm to generate the attribute secret key USK i corresponding to the attribute set A k i and sends them to . Challenge: submits two distinct messages m 0 , m 1 with the same length and an access structure (M * , * ) on the condition that none of USK i on A k i satisfies this access structure. ℂ picks a random bit ∈ {0, 1} and returns CT = Encrypt(m , (M * , * ), APK k ) to .
Key Queries2: can still perform polynomial bounded number of attribute secret key queries on different attribute sets with the restriction that none of the queried attribute secret keys satisfies (M * , * ) in CT.

3
A traceable and revocable multi-authority attribute-based…

Guess:
outputs a guess � ∈ {0, 1} for . The winning advantage is Pr[ � = ] − 1 2 . The advantage of an adversary in this game is defined to be Pr[ = � ] − 1 2 . We note that the model can easily be extended to handle chosen-ciphertext attacks by allowing for decryption queries in Key Queries1 and Key Queries2.

The concrete construction of TR-MA-CPABE algorithm
A concrete construction of TR-MA-CPABE algorithm is presented in this section, and the workflow of this scheme is described as shown in Fig. 4.
Step 1 Global setup: On input of an implicit security parameter allowing to determine the size of the finite group, the GlobalSetup algorithm run by CA firstly selects two cyclic groups G 1 , G T with prime order r, a generator g ∈ G 1 , a bilinear map e ∶ G 1 × G 1 → G T and h 1 , h 2 , … , h S ∈ G 1 are chosen at random. Then the algorithm generates a pseudorandom function F, a strong collision-resistant hash functions H ∶ {0, 1} * → G 1 and random numbers , ∈ Z r . Furthermore, CA uploads public parameters to the ISRCB. And the public/ secret key pair of CA is (CSK = MK, CPK = PK).
Step 2 Tiered authorization:Direct authorization: CA directly authorizes each Attribute Authority AA k and distributes seed s k to it as its secret key. Indirect authorization: AA k indirectly authorizes its subsidiaries or agencies aa x associated with it and distributes seed s x to it as its secret key.
Step 3 Attribute authority setup: Each AA k and aa x run the AASetup algorithm to generate an authority attribute set. The public/private key pairs of AA k and aa x are: Step 4 User registration: The user sends his secret global identifier UID to the authority he works for to obtain the system identity. A visitor who does not belong to any authority can request public key from CA. This algorithm picks a random exponent c ∈ Z * r and generates the public key for the user by using the private key of authority and pseudorandom function F as below: Besides, the authorities will record the user's identity connection information (UID, UPK) to the identity link table for supervising system users and tracking the identity of malicious users.
Step 5 User's attribute certificate generation: When a group administrator receives a user's attribute request form, he first authenticates the applicant's identity through UID and UPK, then generates a (t, n) threshold signature if agrees to this application. When the number of signatures reaches the preset threshold t, the UACertGen algorithm will issue the attribute certificate AC to the certificate applicant UPK.
Step 6 User's attribute secret key generation: To prevent user collusion, we embed the user's public key into the attribute secret key so that the user's private key has identity characteristics for identity tracking while maintaining the anonymity of the user. Besides, the generation of user's attribute secret key is divided into direct generation and indirect generation to spread the computational load of authorities. Direct generation: If the user works for CA or is a system visitor, he can directly (1) PK ={G 1 , G T , e, r, g, H, e(g, g) , g }.
, if UPK ∈ CA or is a visitor F s k (UID) = g (s k ∕(c+UID)) , if UPK ∈ AA k F s x (UID) = g (s x ∕(c+UID)) , ifUPK ∈ aa x apply for attributes from CA and obtain the attribute secret key. The algorithm run by CA is executed as follows: Indirect generation: If the user is engaged in AA k or its subsidiaries aa x , he must obtain the attribute certificate and attribute secret key from the AA k ∕aax he belongs to. The algorithm run by AA k ∕aax creats attribute secret key for user UPK as: AA k ∕aa x enters public parameters PK∕APK k and computes p i = 1 for each attribute u i ∈ A C u ∕u i ∈ A k u . p i is used to record whether u i is revoked.
Step 7 Data encryption: The encryption algorithm is run by the data owner and takes as input a message m, the system public parameters PK and an access policy = (M, ) . The access policy consists of a l × d matrix and a mapping function , where associates rows of M with attributes selected by the data owner, which means each row of M corresponds to an attribute. And M is a linear secret share scheme matrix generated from a hierarchical threshold-gate access tree. The algorithm first selects a random vector ⃗ v = (s, x 2 , … , x n ) ∈ Z n r . These values will be used to share the encryption exponent s. For each i ∈ [1, l] , it calculates where M i is the vector corresponding to the ith row of M. The algorithm computes the ciphertext component: The data owner uploads the final ciphertext CT = {C, C � , C i , h, SARL, M} to the IPFS. Since there is no in , the IPFS and users cannot know attributes corresponding to the access matrix, thus achieving the purpose of hiding the access policy. The data owner can then choose to upload CT to PTTPB or ISRCB.
Step 8 Data decryption: Decryption is a deterministic algorithm which is performed by the administrators of the authorities.
1. The algorithm firstly queries the identity association table I t = {(UID, UPK) i,i∈ [1,U] } to confirm that the identity information provided by the user is correct, and determines whether the decryption key holder himself requests decryption by calculating the user's private key component K. 2. Secondly, the algorithm checks whether there are revoked system attributes in the user's attribute set A u by querying SARL, if so, removes the revoked (5) USK = (K = g g UPK, H(c j ) ∀c j ∈A C u ).
. attribute from the user attribute set, otherwise continue to the next step. Next the algorithm uses the mapping tables (UID, UPK) and (u i ∈ A u , p i ) to compute the following equation to check whether there is any attribute u i ∈ A u of the data requester has been revoked.
3. Suppose that I = {i ∶ (i) ∈ A u } . The target vector is (1, 0, … , 0) . According to the LSSS, if the attribute set A u of the user satisfies the threshold-treestring corresponding to the access policy, then we can find a set of constants { i ∈ Z r } i∈I that make the equation Finally, the data requester can divide out this value from C and obtain the original message by the following formula m = C∕D.
Step 9 Identity tracing: The algorithm is performed by the authorities when a malicious user is discovered and his identity needs to be traced.
1. If we know his public key, the administrators can query the identity map table to find his corresponding UID and get his real identity.
continue to the next operation, y ≠ 0 remove u i from A u , y = 0 = e(g s , g s k g UPK)∕ ∏ i∈I (e(g i h −s (i) , g)e(g s , h (i) )) i e(g s , UPK) = e(g, g) s k s e(g, g) s ∕ ∏ i∈I e(g, g) i i = e(g, g) s k s (11) Step 10 User or attribute revocation: 1. User global revocation: CA checks whether the user's identity-key pair (UID, UPK) is in the GRL, and if in it, he will not be allowed to enter the system. All permissions of the user can be revoked immediately by adding the user's identity-key pair (UID, UPK) to the GRL by CA. 2. System attribute revocation: CA adds the system attributes c i that need to be revoked to the SARL to achieve the revocation purpose. 3. User attribute revocation: When an attribute u i of the user UPK needs to be revoked, the authority he belongs to calculates p � i = p i * UPK and updates the attribute linkage table

Implementation of blockchain and IPFS collaborative storage system
In this paper, Hyperledger Fabric is selected as the blockchain technology framework, and the Golang language implements the chain code of our information storage and sharing platform. The blockchain network is deployed in the virtual machine VMware workstation 15 player and Ubuntu16.04 operating system, and the SpringBoot+Vue-based Java framework with front-end and back-end separation is used to develop mineral data storage and traceability systems. Table 2 shows the main software versions of the blockchain and IPFS collaborative storage system.
Firstly, we use Docker to pull the Hyperledger Fabric 1.2 image and deploy the blockchain network, then start the node service as the middleware to connect the front end and the blockchain network. The front-end uses Vue.js, Element UI and other technologies, and the back-end chooses Springboot and Mybatis frameworks as platform storage function modules. Besides, IPFS is used for distributed storage, synchronization and access to files to solve the problems of large-capacity storage Node.js v12.9.0 and load balancing, Redis and MySQL databases are used to undertake the basic data storage background of the system, and Nginx server is used to deploy the traceability platform environment. Figure 5 shows the home page of mineral resource data storage system based on blockchain and IPFS, which makes mineral resource information intuitive, visual, immutable and persistent. Figure 6 shows the menu management interface, and we can see that the system has rich management functions.

The relationship between TR-MA-CPABE scheme and our storage system
The TR-MA-CPABE scheme in this paper is closely related to the blockchain and IPFS collaborative storage system, and both are indispensable in the system Menu management interface of our storage system architecture of this paper. The private data will be encrypted by the TR-MA-CPABE algorithm, and the ciphertext is then uploaded to IPFS for off-chain storage. The addressing hash of the file generated by IPFS is uploaded to the blockchain. TR-MA-CPABE achieves safe information access and flexible fine-grained access control, and the on-chain and off-chain collaborative storage system consisting of blockchain and IPFS extends the system storage capacity, improves information storage and access efficiency and system throughput while reducing operational costs. If there is no TR-MA-CPABE algorithm, the storage system will not have features of privacy protection and customized access control, and the confidentiality and security of information will not be guaranteed. On the contrary, if there is only an encryption algorithm but no storage system, the sharing and dissemination of information will become inefficient, slow and expensive.

Correctness analysis
Proof Assuming that the user's attribute set A C u satisfies the access policy in the ciphertext, then we can find a set of vectors i , make the equation ∑ i∈I i M i = (1, 0, … , 0) hold, and i = vM i , so Therefore, the following equations can be obtained: The above proves that our scheme is correct. ◻

Security proof
In this section, we prove that the proposed scheme is safe under the selective access policy and chosen-plaintext attack by the following IND-SAP-CPA game.

Theorem 1 If the d-BDH hardness assumption holds, then there are no polynomialtime adversaries that can break the TR-MA-CPABE scheme with the non-negligible advantage under the selective access policy and chosen plaintext attacks.
Proof Suppose we have a PPT adversary with non-negligible advantage = Adv in the selective security game breaking our construction. We show how to build a simulator B that plays the IND-SAP-CPA game. B flips a fair coin . Given y = (g, g a , g b , g s ) , if = 1 , the simulator sets W = e(g, g) abs ; otherwise, the simulator sets W = R , where R is a random element in G T . Setup. chooses a challenge access structure (M * , * ) . Then B randomly picks � ∈ Z * r and sets = � + ab implicitly by letting e(g, g) = e(g a , g b ) ⋅ e(g, g) � .
For each x ∈ [1, S] , S is the number of system attributes, choose a random value z x ∈ Z * r . If there exits an i satisfying * (i) = x , set: In the above equation, i is the number of rows of M * , j means the number of columns of M * . Else, let h x = g z x . gives the algorithm the challenge access structure * = (M * , * ) with column n * in it. Phase I. In this phase B answers attribute secret key queries from . queries a key by submitting a pair (A C u , UID) in which A C u does not satisfy M * . Let c = −UID − 1, = a , the term g ab we don't know how to simulate in the K cancels. B can compute: Challenge.This phase describes the construction of the challenge ciphertext. gives two messages m 0 , m 1 to B . B flips a coin ∈ {0, 1} and computes C = m ⋅ W ⋅ e g s , g � , C � = g s . B selects random numbers x � 2 , … , x � n * and uses the vector ⃗ v = s, s + x � 2 , s + x � 3 , … , s + x � n * ∈ Z n * r to share the secret. Therefore, the term g as we cannot simulate will cancel out. The challenge ciphertext components are then generated as: Phase II. Same as phase I. Guess. will eventually output a guess ′ of . B then outputs 0 to guess that W = e(g, g) a q+1 s if = � ; otherwise, it outputs 1 to indicate that it believes W is a random group element in G 1 . When W is a tuple and m gives a perfect simulation, so it follows that When W is a random group element and the message m is completely hidden from , we can obtain Pr[B(y, W = R) = 0] = 1 2 . Hence, B can play the IND-SAP-CPA game with a non-negligible advantage.
In summary, the advantage of any polynomial-time adversary to win the IND-SAP-CPA game is negligible. ◻

Theorem 2
Our solution provides hierarchical encryption and collusion resistant, and only provides decryption for users matching the identity of the decryption key holder and not revoked by the system.
Proof Suppose that the colluders combine their attributes into one attribute set S, such that ∑ i∈S i M i = (1, 0, … , 0) . However, they have different UPK, so the owner of the attribute certificates does not belong to the same person, and collusion will be discovered when the attribute certificates are verified before decryption. And when a user requests to decrypt a ciphertext, he needs to enter its UID, UPK, USK and the three variables are in one-to-one correspondence, so it can be determined whether the decryption request is initiated by the person who holds the secret key. In summary, there is no collusion among multiple users.  Table 3.
(1) The feature comparison: We compare and discuss the functionality of our scheme and other schemes of ref. [20,21,27,28] in Table 4. The scheme [20] achieves attribute-level user revocation and attribute revocation, but the computational and storage cost of key and ciphertext update will increase accordingly when the revocation occurs. The scheme [21] realizes the partially hidden policy and revocation of malicious users, but it doesn't sustain individual attribute revocation and hierarchical encryption. The scheme [27] exploits decentralized multiauthority CP-ABE and implements user revocation and hidden policy, but it also doesn't implement attribute revocation. A hierarchical access tree structure with l access levels and multiple authority model is adopted to by the scheme (17) Pr B y, W = e(g, g) a q+1 s = 0 = 1 2 + Adv .
[28], which enables users to share and encrypt different hierarchical files. However, it ignores features about privacy protection of the access policy and user revocation. Our scheme adopts a multi-authority with central authority model and utilizes the efficient generation method of LSSS matrix from hierarchical threshold access trees to achieve higher algorithm execution efficiency. In addition, the user identity tracking function is convenient to track malicious users and is helpful to clarify the responsible subjects of violations. At the same time, this proposed scheme can support not only user revocation, but also system attribute and user attribute revocation, which is more conducive to the government to play a regulatory function. Besides, our scheme sustains resistance to collusion attacks of users since the user identifier is embedded in the user private key. In brief, the proposed scheme realizes more comprehensive functionality and has a wider range of application scenarios. 2. The computational cost: Table 5 illustrates the computational cost of the proposed scheme against relevant schemes. In order to focus on the efficiency of the schemes itself, we omit the computational cost of hash functions in the schemes  q The number of attributes that satisfies the access policy in the user's attribute set. c The length of the minimum cover set associated with the revocation list. |m| The number of encrypted files in encryption phase.
n The number of transport nodes which has at least one threshold gate child node in the threshold access tree.
n k The number of attributes managed by AA k .
h Access levels in the access tree. v The number of child nodes of a transport node.

E
The computational cost of an exponentiation operation in G 1 , G T .

P
The computational cost of a paring operation.

M
The computational cost of a multiplication operation in G 1 , G T .
since the choice of the relevant algorithms is different and the cost is much less than the cost of other operations. From Table 5, we can see that the computational overhead of KeyGen algorithm in this proposed scheme is independent of the attributes, because this paper only hashes the user attributes in the KeyGen stage. Thus, our scheme is the most efficient in KeyGen phase among the compared schemes. Moreover, it can be observed that the computational overhead of encryption and decryption in the schemes increase following a linear relationship with the number of attributes involved in access policy and the number of attributes satisfy the access policy respectively. As shown in Table 5, the computational cost of Encrypt and Decrypt algorithms of this proposed scheme is the smallest among schemes [20,21,27,28] since we reduce unnecessary parameters and operations. In addition, the time overhead of Trace algorithm of our scheme is smaller than the scheme [20,21] since the approach adopted in our scheme uses the identitypublic key mapping table and embedding the public key in the user's private key, which makes user's identity and the public-private key pair are correspondingly associated. It is worth mentioning that attribute revocation in our scheme does not affect the validity of the secret key of users whose attributes have not been Ref. [27] (2 + u)E + M (l + 1)P + (1+ 4l)E + 2lM revoked and security of ciphertexts, due to the decryption algorithm will check user's attributes one by one whether the attributes are revoked and removing the revoked attributes from the user attribute set. As a result, compared with schemes [20,21,27] that also support attribute revocation, the computational overhead of our scheme is greatly reduced. 3. The communication cost: The space overhead of PK, MK, USK, CT in our scheme and other four relevant schemes are analyzed and compared in Table 6. As illustrated in Table 6, the size of public parameters of our scheme is much smaller than schemes [20,21,27], but is slightly larger than the scheme [28] and the size of system master key of our scheme is shorter than scheme [21,27,28], but is longer than the scheme [20]. As for the space cost of the user's private key, our scheme is slightly greater than the scheme [27] and [28].Yet our scheme has the shortest size of ciphertext among the five schemes when the amount of encrypted data and the number of attributes in access policy increases. Therefore, our solution does not have the lowest communication overhead, but it improves computational efficiency and saves computational costs with a small difference in space occupied compared to other solutions.

Experimental simulation
Software and hardware environment: To carry out the performance evaluation of our scheme, we take use of the Java Pairing Cryptography (JPBC) library and set the parameters based on Type A curve with a 512 bits group order and a 160 bits order of Z r . The hardware environment is Intel(R) Core (TM) i5-8250U CPU @ 1.60GHz 1.80 GHz, 8.00 GB RAM, based on Ubuntu 16.04 LTS system. The software runtime environment is JDK11.0.10, IntelliJ IDEA 2020.3.1 and JPBC2.0.0. Experimental simulation strategy: We select the Type A curve in the JPBC library for experimental simulation. Type A pairings are constructed on the curve y 2 = x 3 + x over the field F q for some prime q = 3 mod 4. And the pairing is symmetric. Meanwhile, we tested the primitive group operation used in above compared schemes 1000 times implemented by the JPBC library, and the average results are displayed in Table 6.  Fig. 7d depicts the time consumption comparison of Trace algorithm, the proposed scheme is only one multiplication time on group, while the computational overhead of schemes [20,21] increases linearly with the number of user attributes. When u = 50, the time cost of our scheme and the schemes [20,21] is equal to 1.43, 653.083, 883.094ms. Our scheme saves 99.78%, 99.84% of computation overhead compared with the schemes [20,21] .
According to the parameter setting of Type A curve in JPBC library, the length of elements in |G 1 |, |G T |and|Z r | are 1024 bits, 1024 bits and 160 bits respectively.  Figure 6 describes the comparison of storage cost of system public parameters, master key, user secret key and ciphertext respectively. For the convenience of comparative analysis, it is assumed that c = 1, n = 2, h = 3, N = 6 .
Apparently, our encryption and decryption algorithm greatly reduce the computational cost due to we take advantage of the more flexible LSSS structure and less bilinear pairing operation and exponentiation operation. Furthermore, it can be seen from Fig. 7b and c. that the time consumption of data encryption and decryption in our scheme is the smallest. Figure 9 presents the time cost of the main steps of the classic decentralized CPABE algorithm [19] and our algorithm when the number of attributes is 5. It is obviously that our algorithm has less time cost than the DCPABE scheme, especially in the encryption and decryption phase. The above analysis and experiments show that in comparison among this proposed scheme and other previously published schemes, this proposed scheme is significantly efficient and multifunctional, reduces the time overhead of data encryption, decryption and user identity tracing, which greatly improved user experience and program practicability. It is worth noting that our scheme eliminates the computational overhead of the ciphertext update and key update phases caused by attribute revocation and saves the storage space occupied by the updated ciphertext and key.

Comparative analysis of the blockchain and IPFS collaborative storage system
This section introduces the advantages of the blockchain and IPFS collaborative storage system in this paper and a comparative analysis with existing mineral resource data storage and sharing solutions, as well as a comparison with other similar blockchain and IPFS storage platforms in different application backgrounds.
1. The advantages of our blockchain and IPFS collaborative storage system a. Authorization and authentication: Our system adopts the consortium blockchain, a central authority and many attribute authorities to implement hierarchical authorization and authentication mechanism, which can effectively guarantee the reliability and stable operation of the authorities in the system. b. Security: Blockchain and IPFS are both distributed storage systems which avoid problems such as accidental data loss, single point of failure, and can effectively fight against centralized attack and DDoS attack. c. Integrity: The hash function used by blockchain and IPFS are one-way and anti-collision, so that the data stored in our system cannot be modified or deleted, thus guaranteeing the integrity and persistent storage of information. d. Privacy: Users in this system are anonymous and are only identified by public keys. Only the central authority and the attribute authority in the consortium blockchain can track the user's identity. In addition, the confidential data uploaded by users will be encrypted through the TR-MA-CPABE algorithm proposed in this paper. e. Access control: The smart contract in the blockchain and the TR-MA-CPABE algorithm proposed in this paper can realize information access control. When uploading confidential data, users can formulate an access policy for encryption and limit the access rights of other users. Table 8 compares the functional characteristics and core parameters of our blockchain and IPFS collaborative storage system, other mining data storage systems and similar blockchain and IPFS storage systems in different application backgrounds. It can be seen from Table 8 that our system achieves more functional features and a higher level of security than other mineral resource data storage platforms or shared solutions. Compared with other similar blockchain combined with IPFS off-chain storage schemes in different application backgrounds, our scheme chooses Hyperledger Fabric's consortium blockchain technology framework, which is more suitable for enterprise-level data storage and sharing cooperation than Ethereum's public chain platform, and the authorization and authentication mechanism of this system increases security guarantees. Furthermore, the smart contracts written according to encryption algorithms protect user privacy and realize flexible access control of confidential information.

Conclusions
In this paper, we demonstrate a mining data storage and sharing platform that incorporates blockchain and IPFS which achieves scalability and cost reduction. Blockchain ensures tamper-proof, auditable of data, while IPFS extends data storage space and improves system throughput. In order to protect privacy and make data storage more secure, we discuss a more efficient revocable and traceable multiauthority CPABE scheme supporting dynamic access control. First of all, we adopt the LSSS access structure with high expressiveness and execution efficiency, which greatly improves the efficiency of encryption and decryption of our scheme. Moreover, we make use of the user's unique identity information to generate the user's public key, and subtly embed the user's public key into the user's attribute private key. Thus, we realized one-to-one correspondence with the user's identifier, public key and private keys, which can quickly authenticate the user and trace the user's identity when necessary. Meanwhile, our solution has better and plentiful functionalities compared with other schemes, such as user attribute revocation, user global revocation, etc. The revocation work in this paper is completed based on the user revocation list and attribute revocation list, as well as the user identity-public key mapping table and attribute-value link table. This design consumes a certain amount of storage space, but realizes immediate revocation of users and attributes, and does not require updating keys and ciphertexts involving revoked attributes, which saves computational overhead and storage space from this perspective. Compared with the novel and advanced schemes, our solution saves over 98% of computational costs during the key generation phase, 14-77% of encryption computing overhead, 29-57% of decryption computational cost and over 99% of trace overhead. As future work, we will aim at improving the security of the algorithm to indistinguishability under chosen-ciphertext attack (IND-CCA) security and implementing keyword search function which can be applied to mineral resources supply chain traceability scenarios. Besides, it is worth mentioning that the data secure storage sharing and access control scheme proposed in this paper can be migrated to many other areas, such as agriculture, food industry, pastoral industry, medical industry, luxury industry, intelligent transportation and copyright protection, etc.