A Personal Privacy Data Protection Scheme for Encryption and Revocation of High-Dimensional Attribute Domains

With the frequent occurrence of private data breaches, it is now more necessary than ever to address how to protect private data. The combination of Ciphertext-Policy Attribute-Based Encryption (CP-ABE) and blockchain typically enables secure storage and sharing of data. However, in high-dimensional attribute domains, that is, the number of attributes is large, these schemes have issues such as low security of data protection, high computational overhead, and high cost of attribute revocation. This paper proposes a personal privacy data protection scheme for encryption and revocation of high-dimensional attribute domains to address these issues. The proposed scheme is made up of three components. Firstly, Fast High-dimensional Attribute Domain-based Message Encryption (HAD-FME) is proposed to improve data security and reduce computational cost. Secondly, an Attribute Revocation Mechanism Based on Sentry Mode (SM-ARM) is designed in combination with smart contracts. Lastly, a Blockchain-based Model for Personal Privacy Data Protection (BC-PPDP) is proposed by integrating HAD-FME with SM-ARM. The security analysis results show that HAD-FME proposed in this paper is secure under the DLIN assumption, and the attribute revocation satisfies both forward and backward security. Experiments show that HAD-FME has higher computational efficiency than existing schemes in the high-dimensional attribute domains, SM-ARM has lower revocation cost than existing attribute revocation mechanisms, and smart contracts and blockchain work well.


I. INTRODUCTION
The rapid development of technologies such as cloud computing and the Internet of Things (IoT) has led to the generation of a large amount of personal data worldwide. Enterprises continuously collect and analyze these personal data, providing them with professional services and generating significant economic benefits, enabling users and enterprises to gain huge profits from the information society. Unfortunately, in recent years, enterprises' lack of data protection measures, such as storing data in plaintext on their centralized servers, has led to an increasing number of personal data The associate editor coordinating the review of this manuscript and approving it for publication was Rahim Rahmani . leakage incidents. Therefore, sharing and storing private data in a secure manner is critical. Blockchain, as a decentralised ledger database, due to its characteristics of decentralization and difficulty in tampering with data, can provide a trustworthy data storage and sharing environment. Currently, many researchers have used blockchain in various fields, including data storage, the Internet of Things, healthcare, transactions, and payments [1], [2], [3], [4], [5]. At the same time, many scholars have done a lot of research on tamper-resistance ledger databases [6], [7], [8].
However, if the data owner explicitly stores information related to private data on the blockchain, any user can access the data information. This may result in the data owner losing control over personal data. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) [9] was proposed as a solution by Bethencourt. In CP-ABE, the data owner can choose the ciphertext access method, in which the access policy is included in the ciphertext and the user attribute set is embedded in the key. The decryption process can only be completed when the user attribute set meets the access policy. In this paper, the set of attributes and the number of attributes is referred to as the attribute domain and attribute domain dimension, respectively. The Fast Attribute-based Message Encryption (FAME) [10] and other CP-ABE algorithms were subsequently proposed [11], [12]. Compared with the scheme in [9], FAME is constructed using asymmetric prime-order bilinear groups, which have stronger security requirements.
In order to achieve secure storage, distribution, and control of personal data, several data protection schemes have been proposed by combining blockchain and CP-ABE. In order to provide access control for IoT data, Zhang et al. [13] proposed a blockchain-based access control list and paired it with CP-ABE. In order to provide users with a safe storage environment, Sharma et al. [14] proposed a decentralized cloud storage architecture based on blockchain, which uses CP-ABE to encrypt data. Assuring data security by hybrid encryption of CP-ABE and AES, Lu and Fu [15] proposed a data access control mechanism based on attributebased encryption and blockchain. The CP-ABE schemes used in [13], [14], and [15] are based on symmetric primeorder bilinear groups. If they are directly transformed into an even more secure scheme based on asymmetric prime-order bilinear groups, the computational cost will be significantly greater than that of the present schemes. Therefore, they are not suitable for data sharing in high-dimensional attribute domains.
The information in the attribute domain of the data owner usually changes dynamically, when the attributes change, the access rights for data users also fluctuate dynamically. Therefore, the issue of attribute revocation is another highly concerning research topic. Attribute revocation can be divided into three types based on the influence range of attribute revocation: system attribute revocation, user revocation, and user attribute revocation. Yang et al. [16] proposed a blockchainbased crowdsourced data storage and sharing scheme. In this scheme, the CP-ABE algorithm is improved to determine whether the user has access rights by using the matching mechanism of version key and ciphertext. Therefore, when the attribute is revoked, the key and ciphertext must be updated simultaneously, which also leads to a large revocation cost. Liu et al. [17] proposed a CP-ABE scheme that supports outsourcing decryption and attribute revocation. In this paper, when the attribute is revoked, the user's upgrade ciphertext and conversion key will be modified based on the attribute version number. Zheng et al. [18] proposed a cloud-assisted CP-ABE framework, where user revocation is accomplished by developing a time-based conversion key and embedding a revocation list in the ciphertext. Therefore, a low-cost and fine-grained user attribute revocation mechanism urgently needs to be designed.
In summary, to address these issues, such as low security of data protection, high computational overhead, and high cost of attribute revocation, we propose a personal privacy data protection scheme for encryption and revocation of highdimensional attribute domains. The main contributions of the paper are as follows:

1) A Blockchain-based Model for Personal Privacy Data
Protection (BC-PPDP) is proposed, which is combined with cryptographic algorithms. The model can ensure that data users retain control over information related to their private data in the blockchain, and use smart contracts to determine the access rights of data users. 2) Based on FAME and SM4 [19], we present the Fast High-dimensional Attribute Domain-based Message Encryption (HAD-FME) algorithm. This algorithm has stronger security and better data-sharing performance than existing algorithms in high-dimensional attribute domains.

3) We propose an Attribute Revocation Mechanism Based
on Sentry Mode (SM-ARM) based on HAD-FME. When generating secret keys for data users, HAD-FME adds a fixed timestamp element and provides a passing attribute for the version key. When a data user accesses data, smart contracts can automatically determine the validity of the pass. This access method is referred to as sentinel mode in this paper. Since SM-ARM only needs to update the key when revoking a data user's attributes, the cost of attribute revocation is reduced. 4) To evaluate the effectiveness of our scheme, we conduct security analysis and extensive experiments. The scheme proposed in this paper is secure under the DLIN assumption and satisfies tamper resistance. Compared with existing algorithms, HAD-FME has faster processing performance, while SM-ARM provides forward and backward security and achieves low-cost attribute revocation.

II. RELATED WORK
This paper focuses on the current data protection schemes based on blockchain and CP-ABE. Data protection schemes, CP-ABE-based attribute revocation and verifiable ledger databases as related work of this paper will be introduced in the following.

A. DATA PROTECTION SCHEMES
Many privacy data security schemes have been promoted to more expansive fields like medical care and scientific research [20], [21], as user privacy data is gathered and used in an increasing number of companies. Chen et al. [22] presented an efficient CP-ABE scheme in cloud storage with shared decryption. Instead of simply one specified user, this scheme uses numerous alternate users to decrypt the ciphertext. By utilising an integrated access tree, this decryption approach improves the scheme's security while also reducing the computational cost. Technologies like CP-ABE and symmetrical encryption were used by Lee et al. [23] to protect the privacy and secrecy of blockchain. Wang et al. [24] proposed the RCP-ABE personal privacy data protection system, which substituted conventional third parties with smart contracts to accomplish access control of user data. Kang et al. [25] proposed a traceable and forward-secure attribute-based signature scheme with constant size, it solves the issues of abusing signature and key exposure in existing Attribute-Based Signature (ABS) schemes. Zhang et al. [26] proposed an agricultural products supply chain traceability system based on blockchain and CP-ABE. However, once the security of these schemes in the [23], [24], [26] is enhanced, they will suffer from high computing overhead during the encryption, decryption and key generation phase when used in high dimensional attribute domains.

B. CP-ABE-BASED ATTRIBUTE REVOCATION
One of the main research points of CP-ABE is attribute revocation, Qian et al. [27] proposed a privacy-preserving personal health record using multi-authority attribute-based encryption with revocation, which supports efficient revocation at both the user and attribute levels. An attributerevocation-compliant cloud storage system was designed by Chen et al. [28], which refreshed the data user's right to access the private data only if their attribute was nonrevoking. The ciphertext was updated by randomly creating a one-time re-encryption key that was connected with the data user's attributes. Lian et al. [29] proposed a CP-ABE scheme with user attribute revocation. They divided the master key into a delegation key and a secret key and updated the ciphertext and the delegation key by setting the data reencryption algorithm. Li et al. [30] presented user collusion avoidance CP-ABE with efficient attribute revocation for cloud storage, which makes use of attribute groups and binds users' private keys with group keys. It solves the issue of a user's single attribute revocation affecting other users in the system who have the same attributes. A method for using CP-ABE in resource-constrained IoT devices was presented by Fischer et al. [31], which called for an attribute delegation centre to carry out a user key update algorithm and a proxy server to carry out a ciphertext update algorithm. In the attribute revocation schemes [28], [29], [31], the proxy server performs a second encryption on the relevant ciphertexts and updates the user keys, the computational cost of these schemes needs to be reduced.

C. VERIFIABLE LEDGER DATABASES
Regarding the ledger databases, Fekete and Kiss [32] point out they can be divided into two categories. The first is permission blockchain technology-based Decentralised Ledger Technology (DLT). Centralised Ledger Databases (CLD)based Centralised Ledger Technology (CLT) is the second of them. Gorbunova et al. [33] stated that one of the vital DLT aspects is the capacity to offer an immutable and widely verifiable ledger for larger-scale and highly complex systems.
However, DLT has low performance and transaction throughput. To address the problem of low throughput, high latency, and large storage overhead in systems, Yang et al. [7] proposed LedgerDB, a centralised ledger database with tamperevidence and non-repudiation features similar to blockchain. Based on [7], Yang et al. [34] proposed ubiquitous verification in centralised ledger databases to address the shortcoming of high verification cost. In addition, researchers have begun to consider how to construct distributed ledger data with high performance and throughput. Three current types of verifiable ledger databases, such as blockchain, a certificate transparency log, and Amazon's Quantum Ledger Database (QLDB) [35], suffer from a lack of transaction support and inefficiency. To address these issues, Yue et al. [8] design a distributed database system GlassDB, an efficient verifiable ledger database system through transparency. However, how to construct a blockchain-based decentralised highperformance and throughput ledger database remains a challenge in current blockchain and CP-ABE-based decentralised privacy data protection systems.

A. BILINEAR MAPPING
Suppose G 1 , G 2 and G T are finite multiplicative cyclic groups of prime order p respectively. The bilinear mapping e : G 1 × G 2 → G T is established then: 1) Bilinear: ∀g 1 ∈ G 1 , g 2 ∈ G 2 and ∀a, b ∈ Z p satisfy e g a 1 , g b 2 = e (g 1 , g 2 ) ab . 2) Non-degeneration: ∃g 1 ∈ G 1 , g 2 ∈ G 2 such that e (g 1 , g 2 ) ̸ = 1 G T , where 1 G T represents the identity element in group G T .
3) Computability: There exists an algorithm ∀g 1 ∈ G 1 , g 2 ∈ G 2 that can get e (g 1 , g 2 ) through calculation. If G 1 = G 2 the above bilinear mapping is symmetric, otherwise it is asymmetric.

B. LINEAR SECRET-SHARING SCHEMES (LSSS)
A secret-sharing scheme over a set of parties P is called liner (over Z p ) if 1) The shares for each party from a vector over Z p .
2) There exists a matrix an M with l row and n columns called the share-generating matrix for . For all i = 1, . . . , l, the i-th row of M , we let the function ρ defined the party labelling row i as ρ(i). When we consider the column vector v = (s, r 2 , . . . , r n ), where s ∈ Z p is the secret to be shared, and r 2 , . . . , r n ∈ Z p are randomly chosen, then Mv is the vector of l shares of the secret s according to . The share (Mv) i belongs to party ρ(i).
(1) VOLUME 11, 2023 where (M ) i denotes the i-th row of the matrix M . Thus, for any valid sharing {λ i ∈ Mv i } i∈I of the secret s, there is i∈I y i λ i = s. In this paper, (M , ρ) is used to denote the access structure.

C. FAST ATTRIBUTE-BASED MESSAGE ENCRYPTION
The FAME [10] employs an asymmetric prime order bilinear group, which is more secure than the CP-ABE method of the [9]. The computational cost is decreased by only needing six pairing operations to finish the decryption. The following four methods provide the message space's msg.
• Setup 1 λ → (pk, msk) : Outputs a public key and a master key with the security field 1 λ as input.
• KeyGen (msk, S) → sk: Input the master key msk and the set of attributes S, and output the secret key sk.
• Encrypt (pk, A, msg) → CT FAME : Input pk, access structure A and plaintext msg, output ciphertext CT FAME .

D. DECISIONAL LINEAR ASSUMPTION (DLIN)
An asymmetric pairing group generator GroupGen satisfies the decisional linear (DLIN) assumption if for all Probabilistic Polynomial-Time (PPT) adversaries,

IV. SCHEME DEFINITION A. MODEL DEFINITION
A personal privacy data protection scheme for encryption and revocation of high-dimensional attribute domains, including BC-PPDP, HAD-FME, and SM-ARM, is proposed in this paper. The BC-PPDP is shown in Figure 1 1) DO. DO is trustworthy and is mostly in charge of symmetric key encryption, private data uploading to IPFS, and data list uploading to HF.
2) DU. After registering, DU will acquire the version secret key linked to its attribute domain, calculate its hash value as a pass, and only the DU secret key will be decrypted to obtain the symmetric key once the AccessDecision contract determines that it is current and complies with the access policy, and then obtain the privacy data. 3) STSS. Semi-trusted STSS mainly performs two parts: the first is initialization and creation of DU's secret key, and the second is decryption to obtain a symmetric key. Semi-trustworthy is the assumption that the attacker will illegally tamper with the DU secret key data within the STSS. The attribute is revoked for the DU based on the access right decision made in this document using STSS as a sentinel in conjunction with the pass. 4) HF. The blockchain makes use of the Hyperleger Fabric. The main goal of HF is to enable smart contractbased storage, query, and updating of private data and symmetric key index data, as well as access decisionmaking based on version keys. The specific content of the smart contracts are shown in Figure 1. 5) IPFS. IPFS is mainly responsible for storing personal privacy data ciphertext.

B. ALGORITHM DEFINITION
This section proposes HAD-FME based on the FAME. Using SM4 to encrypt private data and FAME to encrypt the symmetric key, BC-PPDP uses HAD-FME as a key technology to ensure the secure storage and sharing of private data. In order to accomplish low-cost attribute revocation, HAD-FME further adds a fixed timestamp attribute to DU. Then, we use the SM3 algorithm [37] to obtain the DU key hash and use it as a pass to evaluate whether the DU has access rights. HAD-FME is mainly composed of the following eight algorithms.
• Setup 1 λ → (pk, msk): Output a public key and a master key with the security field 1 λ as input.
• KeyGen FAME (msk, S) → sk: Input the master key msk and the attribute domain S, and output the secret key sk.
Where the attribute domain contains the fixed timestamp attribute field y time. .
• SM3 (sk) → Hash sk : Input the sk, output the hash value of the sk Hash sk .
• Enc SM4 → (Data, key) CT : Input personal privacy data Data and symmetric key key, output ciphertext CT .
• Enc FAME (pk, A, key) → Ckey : Input pk, access structure A and key, output symmetric key cipher Ckey.
• Dec FAME (pk, Ckey, sk) → key : Input the pk, the Ckey and the sk, and output the key.

C. SELECTIVE MODEL
In our system, DO is honest, and DU is honest but curious. STSS are semi-trusted system servers. We assume that STSS can securely generate a private key for DU and that attackers cannot obtain complete DU private key information. However, attackers may tamper with some private key information within STSS. All parameters in this paper are transmitted using TLS. The blockchain adopts Hyperledger Fabric. Essentially, all entities will perform according to the rules set by the scheme. We consider the chosen plaintext attack (CPA), which can be represented as a game between the adversaryand challenger. Initialization Phase: Adversary A declares an accepted access policy A * for the challenge and sends A * to the challenger C.
Setup Phase: Challenger C runs the initialization Setup 1 λ algorithm to obtain the public key pk and master key msk, and then sends the public key pk to adversary A.
Query Phase 1: Adversary A sends attribute domain S, which includes a timestamp attribute and S does not satisfy the adversary's access policy A * . Then, challenger C runs the key generation algorithm KeyGen FAME (msk, S ) to obtain the private key sk and sends it to adversary A. In addition, challenger C runs SM3 (sk) to obtain the hash value of sk Hash sk and sends it to adversary A. This step will be repeated multiple times according to the needs of adversary A.
Challenge Phase: Adversary A submits two equal-length messages M 0 and M 1 , and then sends these two messages to challenger C. Challenger C randomly chooses b ∈ {0, 1}, runs the encryption algorithm Enc FAME (pk, A * , M b ) → CT * . Finally, challenger C sends and CT * to adversary A.
Query Phase 2: Adversary A requests keys as in Phase 1.
Guessing Phase: If adversary A can win the game with non-negligible advantage, we consider HAD-ABE is secure. The advantage is defined as: The definitions of some of the parameters involved in the scheme of this paper are shown in Table 1.
A. SCHEME PROCESS The curriculum described here is divided into five main stages. They include initialization, DU identity registration, data encryption and upload, access decision and decryption, and attribute revocation based on sentinel mode.

1) INITIALIZATION
① Initialization of HAD-FME. STSS generates the master key msk and the public key pk during the Setup procedure. Namely, Setup 1 λ → (pk, msk). Take security field 1 λ as input and output (p, where Then STSS calculates msk.
is a hash function. Function mainly maps any string into members in group G, which is used in the key generation and encryption stage.
② Initialization of HF. It is mainly used to generate smart contracts and then publish them on the HF network.
③ Initialization of DO. The STSS generates a special ID for the DO called DOid. STSS uses Transport Layer Security (TLS) to communicate the DOid and pk to the DO.

2) DU IDENTITY REGISTRATION
DU identity registration consists of six stages, the steps are shown in Figure 2.
① DU offers identifying details. DU gives STSS attribute domain S(y 1 , y 2 , · · · , y time ) and STSS creates a special ID for the DU: DUid. The timestamp field y time , a specific field in the collection of characteristics, is used to determine whether the secret key is the most recent DU key.
② The DU's secret key sk is generated via STSS. In accordance with the attribute domain S, STSS creates sk for DU and runs KeyGen FAME (msk, S) → sk. To begin, KeyGen FAME randomly chooses r 1 , r 2 ∈ Z p , h, b 1 , b 2 ∈ msk, and then computes sk 0 . Where sk 0,1 = h b 1 r 1 , sk 0,2 = h b 2 r 2 , sk 0,3 = h r 1 +r 2 . Next KeyGen FAME calculates sk y,t . where In the above and following steps y ∈ S, t = 1, 2. Then, KeyGen FAME chooses σ y ∈ Z p at random, and sets up sk y = sk y,1 , sk y,2 , sk y, 3 . KeyGen FAME calculates sk ′ t next. where Lastly, KeyGen FAME obtains sk 1 .
STSS outputs (sk 0 , sk 1 ) as DU's secret key sk. ③ STSS obtains the hash value of sk. The SM3 algorithm is used by STSS to obtain the hash value of sk Hash sk . If sk has been tampered with or whether DU qualifies for decryption, will be decided later.
④ STSS managements sk. After storing the DUid and its associated attributes for the secret key sk 1 , STSS transmits sk 0 to the DU through the TLS secure channel.
⑤ The attribute list is uploaded to HF by STSS. As seen in Table 2, when STSS wants to upload the list of the DU's attributes to HF for storage, it executes the CreateAttr contract. Figure 3 illustrates the six stages involved in encrypting and uploading personal private data.

3) DATA ENCRYPTION AND UPLOAD
① The private data are encrypted using HAD-FME. DO runs KeyGen SM4 → key, which chooses the symmetric key key at random. Afterwards, DO runs Enc SM4 (key, Data) → CT, which employs the key to encrypt the user's private data in order to produce the ciphertext CT.
② DO uploads CT to IPFS. DO uploads the CT to IPFS for storage and returns the Address CT .
③ The symmetric key is encrypted using HAD-FME. DO formulates an access policy A, and executes Enc FAME (pk, A, key) → Ckey to encrypt the key.
The LSSS matrix M is created during the encryption procedure from the Boolean formula used to describe the A, n 1 rows and n 2 columns make up the matrix M, as stated in Section III. The LSSS imagines a Boolean formula as an access tree, where the leaf nodes represent characteristics and the inside nodes represent with or gates. Then, the LSSS establishes the global counter variable c to 1 and declares the access tree's root node as a vector (1). After that, it traverses the tree hierarchy breadth-first while setting the vector that identifies its parent node by that vector. The vector of marked leaf nodes then form M by row after marking the whole access number node.
Enc FAME firstly selects s 1 , s 2 ∈ Z p at random and calculates ct 0 .
④ DO provides the data list to HF. As seen in Table 3, DO creates the data list and sends it via the CreateData contract to HF for storage.

4) ACCESS DECISION AND DECRYPTION
The access decision and decryption process consists of twelve phases, and Figure 4 depicts their precise order.
① Smart Contract Queries. To retrieve the IPFS address Address CT of the CT and the encrypted symmetric key information Ckey, DU invokes the QueryData contract.
② DU asks for admission. The DU transmits to STSS a decryption request that includes its DUid and sk 0 .
③ Access choice with STSS first decryption. After computing the hash value of sk twice, STSS runs SM3(sk) → Hash ′ sk and transmits Hash ′ sk to HF, which activates the QueryAttr contract and gets the Hash sk from the attribute list. In the following step, the AccessDecision contract will automatically compare if the two values are the same. If they match, STSS performs the first decryption operation, Dec FAME (pk, Ckey, sk) → key to obtain the key.
If the attributes of the DU fulfil the access policy, as determined by LSSS in Section III then the DU has the value indicated by the attribute. The matrix M s rows that fulfil the set of qualities S are referred to as the set I. According to Eq. 1, there is y i ∈ Z p i∈I . The detailed calculation process is as follows. Finally, Dec FAME gets the key.
④ STSS sends the key securely. Over the secure channel TLS, STSS transmits the key to the DU.
⑤ DU receives the CT. Using Address CT from IPFS, DU retrieves CT.
⑥ DU second decryption. To access the user's personal information, DU uses Dec SM4 (CT, key) and decrypts using key.

5) ATTRIBUTE REVOCATION BASED ON SENTINEL MODE
In this part, the idea of a sentinel and pass is introduced. STSS, which is primarily in charge of outsourcing decryption, serves as the sentinel, while the most recent iteration of DU's Hash sk serves as the pass. The automated DU identification verification is completed through the AccessDecision contract.
SM-ARM only updates sk to generate attribute revocation effect, which reduces the cost of revocation. The precise flow of this SM-ARM is given in Figure 5 when the attribute of DU is altered. When the attributes of DU are revoked or the private key information of DU is tampered with, the system performs the following steps.
③ The hash of the Newsk is determined by STSS. The hash for Newsk is calculated by STSS using the SM3 algorithm by running SM3 (Newsk) → Hash Newsk .
④ The attribute list is updated by HF. The attribute domain in the DU's attribute list is changed by STSS to S ′ , and the hash value is changed to Hash Newsk .

B. SECURITY ANALYSIS 1) SECURITY OF HAD-FME
Theorem: If the DLIN assumption holds, then the adversary will break the proposed scheme with a negligible advantage Adv A .
Proof: At first, the challenger C generates three groups G, H, G T . At the same time, a bilinear map e : G × H → G T is also created. Then C selects a generate g for G and a generate h for H. C randomly chooses a 1 , a 2 ∈ Z * p , s 1 , s 2 , s ∈ Z p and randomly chooses U ∈ G, V ∈ H. Then C gets group elements U = g s , V = h s , S 1 = g s 1 , gets par = (p, G, H, G T , e, g, h), D = (g a 1 , g a 2 , h a 1 ,  h a 2 , g a 1 s 1 , g a 2 s 2 , h a 1 s 1 , h a 2 s 2 ). A polynomial-time algorithm B can be constructed with advantage Adv B to break the DLIN assumption. C flips a fair coin b ∈ {0, 1}. If, C sets T = (U , V ), else it sets T = S 1 S 2 , S ′ 1 S ′ 2 . C sends to 1 λ , par, D, T to B. B outputs his/her guess b ′ on b. 82996 VOLUME 11, 2023 Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply.
Initialization Phase: Adversary A declares an accepted access matrix (M , ρ) * for the challenge and sends (M , ρ) * to B.
Setup: B randomly selects a 1 , Then B also computes e(g, h) as the public key of A.
Query Phase 1: A Chooses the attribute domain S, including a timestamp attribute that does not satisfy the access matrix (M , ρ) * . B randomly selects b 1 , b 2 ∈ Z * p and generates the secret key for each S as follows. B sets h r 1 = h s 1 , h r 2 = h s 2 and computes sk 0 . Then B randomly selects σ ′ y ∈ Z p and sets σ y = σ ′ y (s 1 + s 2 ), the secret key parameter sk y,t is computed by B as follows: where y ∈ S, t = 1, 2. B sets sk y = (sk y,1 , sk y,2 , (S 1 S 2 ) −σ ′ y ). Then B randomly selects σ ′ ∈ Z p and sets σ ′ = s 1 + s 2 . B computes: Then B supposes M has n 1 rows and n 2 columns. For i = 1, . . . , n 1 and, B computes: Finally, B computes: B delivers CT * = ct 0 , ct 1 , . . . , ct n 1 , ct ′ to A. Query Phase 2: This phase is similar to phase 1.
The advantage of adversary A break scheme is Adv CPA Then the probability of B breaking the DLIN assumption is: Since the DLIN assumption is a hard problem, the advantage Adv B of B to break it is negligible. In the proposed scheme, SM3 is used to obtain the hash value of the secret key, which is used as a passport for DU to access private data. The adversary A can make queries to the B to obtain the hash value Hash x . According to [38], SM3 has strong collision resistance, the adversary has a negligible advantage in distinguishing the outputs Hash x and Hash x ′ . So, the advantage Adv A of A to break the proposed scheme is also negligible.

2) USER ATTRIBUTE REVOCATION
The attribute revocation mechanism proposed in this paper satisfies both forward security and backward security. When the attribute domain of DU does not comply with the access policy, the previous sk cannot be used to decrypt the later ciphertext, which is called forward security. The scheme ensures forward security even when DU or part of the attributes are revoked. When the attributes of an object do not match the access policy, SM-ARM will generate a new version of sk for DU. If DU attempts to decode subsequent ciphertext using outdated versions of sk, or fails to decrypt or retrieve ciphertext, the AccessDecision contract will not be fulfilled. As a result, the SM-ARM guarantees the forward security of personal data.
When the newly registered DU attribute domain satisfies the access policy, they can use their own new key to decrypt the previously encrypted ciphertext, which is called backward security. The most recent version of sk is generated for a new DU when they register in the scheme or when more characteristics are added to an existing DU. If the attribute domain of DU satisfies the access policy, and the Access Decision contract judges that the user's private key sk is the latest version, then DU can access the private data. As a result, the scheme proposed in this paper guarantees the backward security of personal data.

3) ANTI-TAMPERING
The tamper-proof solution mainly consists of two elements: ① The anti-tampering property of blockchain and smart contracts. The data list and attribute list are stored on the blockchain. The blockchain's data can only be altered when 51% or more of the nodes are compromised, which is extremely unlikely.
② The anti-tampering property of DU secret key sk. SM3 calculates the hash value of the DU sk, and Hash sk is stored in HF. In order to establish if sk is the most recent state and whether it has been altered, STSS will recalculate the hash value of sk whenever DU accesses confidential data. The decryption procedure is impossible to complete if some keys stored in STSS have been altered.

VI. SCHEME ANALYSIS
This section mainly demonstrates the scheme of the paper from three aspects: function comparison, theoretical analysis of scheme efficiency, and various performance tests compared with other schemes.

A. FUNCTION COMPARISON
We compare the features of HAD-FME with the schemes in [13], [15], [16], [18], [24], and [29]. As shown in Table 4, the schemes in [13], [15], [16], [18], [24], and [29] are all constructed under the symmetric prime group, but the HAD-FME is constructed under the asymmetric prime group, which is more secure. The schemes of [15], [16], and [24] are based on the Access Tree structure, compared with the LSSS, which is not flexible. Most of the solutions in Table 4 utilize blockchain technology to improve the reliability of access control management. In addition, only [29] follows the standard assumption, as well as HAD-FME. The most regrettable thing is that [13], [15], [18] did not consider user attribute revocation. However, the cost of attribute revocation schemes for [16], [24], and [29] needs to be reduced.

B. THEORETICAL ANALYSIS
In this section, two schemes are selected for comparison. Scheme 1 is the data protection scheme of [15] and [16], and scheme 2 is the mixed encryption scheme of CP-ABE [12] and AES. To highlight the proposed scheme, the schemes are all based on the LSSS structure.
We use t m , t e , t h , t p to represent the computational cost for multiplication, exponentiation, hashing and bilinear pairing operations respectively, n 1 and n 2 are the dimensions of the MSP. The subscripts G, H, G T respectively indicate that these operations are performed in the groups G, H, and G T . Table 5 and Table 6 list the number of various group operations involved in implementations of these schemes.
As shown in Table 5, the number of elements in G and H list the sizes of the ciphertext and the key, with one element in H being three times of G. Therefore, the key size of HAD-FME is smaller than both Scheme 1 and Scheme 2, the ciphertext size is comparable to Scheme 2, but smaller than Scheme 1. Regarding key generation, T denotes the attribute domain dimensions input to KeyGen, we can see that HAD-FME consumes more multiplications, exponentiations, and hash operations, compared to Scheme 1 and Scheme 2. However, most of the calculations are performed in group G. Operations in group G are faster than those in group H.
As shown in Table 6, during the encryption phase, HAD-FME needs to perform 3 exponentiations in group H. However, the computational cost of Scheme 1 will increase with the increase of MSP dimensions. At the same time, in group G, Scheme 2 requires 6n 1 + 9n 2 exponentiations in each encryption process, resulting in higher computational cost. In the decryption phase, I is the number of attributes used in Dec FAME , HAD-FME uses a constant 6 bilinear operations, while the number of bilinear operations in Scheme 1 increases with the increase of I . In addition, compared to Scheme 2, most of the calculations in HAD-FME are performed in the faster group G. Overall, considering the key and ciphertext sizes, key generation, encryption, and decryption, HAD-FME outperforms Scheme 1 and Scheme 2.

C. PERFORMANCE TEST
The experiments in this section cover two main aspects: cryptographic algorithm performance and blockchain performance test. Performance test schemes are three schemes in theoretical analysis.
The maximum attribute domain dimension selected for the experimental part of the literature [15], [16] is 20. In order to highlight the performance advantages of our scheme in high-dimensional attribute domains, the maximum attribute domain dimension selected for the experiment is 100.

1) EXPERIMENTAL ENVIRONMENT
The environment for running the experiment is Intel Core i7-11700 processor, 16GB RAM, and 64-bit version of Ubuntu 20.04. In our development, the encryption library used charm-crypto0.50, the elliptic curve type used MNT224, the attribute-based encryption algorithm implemented in Python, and the symmetric encryption algorithm implemented in GO. Blockchain uses Hyperledger Fabric 2.3. The blockchain network consists of two organizations, each containing two peer nodes and a sorting node Order. For this scheme, a federated chain is created, and interaction with IPFS and Hyperledger Fabric is developed using tools like go-ipfs, Fabric's Fabric SDK, and Docker.

2) ENCRYPTION ALGORITHM PERFORMANCE TEST
To test the effect of attribute domain dimension on HAD-FME, attribute domains with 4 to 100 attributes each are developed in this experiment. Figure 6 shows the relationship between the dimension of the attribute domain and the time required for various encryption algorithms when the data size is 500 KB. According to the experimental results, all schemes' encryption times grow linearly as the attribute domain dimension rises. In the experiment, the encryption time of HAD-FME is less than that of other schemes when the attribute domain dimension is greater than 20, and the higher the attribute domain dimension, the bigger the difference between the encryption times of these two schemes.
To evaluate the impact of data size on data encryption, we constructed 20 personal privacy data samples with data sizes ranging from 500 KB to 1000 KB and attribute domain dimensions ranging from 50 to 100. Figure 7 shows that HAD-FME performs better than others when the attribute domain dimension is 50 and the data volume is less than 4000 KB. The encryption time of the HAD-FME is minimum. when the attribute domain volume is less than 8500 KB. Therefore, our scheme is more suitable for small-scale data encryption in high-dimensional attribute domains.

3) DECRYPTION ALGORITHM PERFORMANCE TEST
To test the impact of attribute domain dimension on data decryption, we created user attributes with attribute domain dimensions ranging from 4 to 100. When the data size is 500 KB, Figure 8 shows the relationship between the decryption time and the attribute domain dimension for different schemes. The experimental results show that as the   dimension of the attribute domain increases, the decryption time of HAD-FME is significantly faster than scheme 1 and only slightly slower than scheme 2.
In order to investigate the impact of data volume on data decryption, we created 20 pieces of personal privacy data during the experiment, with data sizes ranging from 500 KB  to 10000 KB and attribute domain dimensions of 50 and 100, respectively. The experimental results are displayed in Figure 9. Scheme 1 performs worse than other schemes and takes much longer to decrypt data as the size of the data increases. When the attribute domain dimension is between 50 and 100, the difference in decryption times between the schemes presented in this study and Scheme 2 widens.

4) KEY GENERATION ALGORITHM PERFORMANCE TEST
In this section, the attribute domain dimension is increased from 10 to 100, and the average value is used as the result of the experiment. Figure 10 shows that Scheme 2 performs poorly in terms of key generation and its key generation time rises the quickest when the attribute domain dimension is raised. Even with an attribute field size of 100, the key generation time of HAD-FME is just significantly slower than that of Scheme 1 (457 ms) and is somewhat longer than that of Scheme 2.

5) PHASES AND OVERALL TIME OVERHEAD
In this section, we summarize the performance test time of the previous three sections. Table 7 shows the various stages and overall time cost of different schemes with an attribute domain dimension of 50 and a data volume of 500 KB. The encryption time of Scheme 1 is slightly higher than that of HAD-FME, while the encryption time overhead of Scheme 2 is twice that of HAD-FME. In addition, the key generation time of the HAD-FME is slightly higher than that of Scheme 1, and the key generation overhead of Scheme 2 is much higher than the HAD-FME. Finally, the decryption overheads of the HAD-FME and Scheme 2 are only slightly different, but the decryption overhead of Scheme 1 is 10 times higher than the HAD-FME. In terms of overall overhead, the performance of the HAD-FME is better than other schemes, and it is better in the scenario of the highdimensional attribute domain and small data volume.

6) BLOCKCHAIN PERFORMANCE TEST
Transaction latency and transaction throughput are key metrics for blockchain system performance evaluation, where transaction latency is the time from issuance to final confirmation of a transaction on the chain, and transaction throughput is the number of transactions per second.
In this experiment, we have used the Hyperledger Caliper testing tool to test the invoke and query transactions of smart contracts. Among them, the query transactions include QueryAttr contract, QueryData contract, and AccessDecision contract. The invoke transactions include the CreateAttr contract, ChangeAttr and CreateData contract. Figure 11 displays the latency and throughput of query and invoke transactions for transaction volumes ranging from 100 to 1000. According to the experimental results, the throughput is around 8 TPS, and the average latency of invoke transactions grow from 797 ms to 1208 ms with an increase in transaction volume. The throughput improves from 88 TPS to 541 TPS, with query transactions having a maximum latency of roughly 18 ms and an average delay of about 1 ms. Because query transactions only involve one Peer node while invoke transactions perform data uplink operations involving multiple Peer nodes and require Order nodes to participate in transaction sorting and packaging, the invoke transaction  latency is higher and throughput is lower under different transaction volumes.
This experiment continues to examine the transaction latency and throughput of invoke transactions with a concurrency of 10 TPS to 40 TPS to research the throughput of invoke transactions with tolerable transaction latency. Figure 12 illustrates that the highest average transaction latency and throughput for invoke transactions, both within acceptable bounds, are 7386 ms and 17 transactions per second, respectively.

7) PROPERTY REVOCATION OVERHEAD TEST
When compared to key update time, the SM-ARM requires the SM3 algorithm to compute and get the key hash value as a single pass, which is insignificant.
Contrary to the attribute revocation mechanism designed in Scheme 1, SM-ARM determines the user's access right by checking the key version through a smart contract, rather than confirming the key and ciphertext version. SM-ARM achieves attribute revocation by simply updating the key, without updating the ciphertext. The AccessDecision contract time is negligible, according to the results of the blockchain VOLUME 11, 2023 performance test. Therefore, the SM-ARM is superior to Scheme 1 in terms of ciphertext updates. Our scheme has a slightly higher key update overhead than Scheme 1. As shown in Figure 13, the overall cost of SM-ARM is lower than that of Scheme 1, which includes the computational cost when DU performs attribute deletion, update, and addition. In addition, our proposed attribute revocation mechanism based on sentinel mode is also superior to Scheme 1.

VII. CONCLUSION
We have proposed a personal privacy data protection scheme for encryption and revocation of high-dimensional attribute domains, which addresses the issues of low security, significant computational overhead, and high attribute revocation cost of current schemes in high-dimensional attribute domains. Compared with existing data protection schemes, HAD-FME is based on FAME and SM4 with high security, which can reduce the computing overhead and meet the requirements of secure storage and sharing of data in highdimensional attribute domains. We also designed an Attribute Revocation Mechanism Based on Sentry Mode (SM-ARM) to reduce the cost of attribute revocation by updating only the user version key. We have assumed in this paper that STSS is unable to obtain a complete DU private key, and the blockchain system exhibits performance limitations. In the future, we will plan to research multi-authority-based key generation schemes that ensure DU security, while exploring privacy data protection schemes based on high-performance tamper-proof systems to improve the throughput and performance of the schemes.
PEI CAO received the B.Eng. degree in software engineering from Shandong University, in 2016, and the Ph.D. degree from the University of Science and Technology of China, in 2022. She is currently a Lecturer with Hefei University. Her research interests include the cross-application of AI in engineering and multimodal application technology.
ZIJIAN ZHOU received the B.S. degree from Hefei University, in 2023. His research interests include information security, decentralizing systems, and cloud computing.
QILUE WEN was born in Anhui, China. She is currently pursuing the master's degree with the School of Artificial Intelligence and Big Data, Hefei University, China. Her research interest includes cloud storage security.