Cross-Department Secures Data Sharing in Food Industry via Blockchain-Cloud Fusion Scheme

The barriers between food enterprises and departments cause information asymmetry, which is the root cause of food safety incidents. At the same time, it is challenging to solve the information asymmetry with the existing cloud-based food supply-chain regulation system. Establishing a secure and reliable data sharing environment is an effective solution to the information island. Blockchain can construct a security network based on mathematical algorithms, eliminating the third party’s potential security risk and realizing transparent data sharing. In this paper, on the principle of metadata remaining in the food enterprises, we propose a blockchain-cloud fusion scheme based on Decentralized Attribute-Based Signature (DABS) to realize secure data sharing between departments. It constructs a decentralized and trusted environment for data owners to share data and achieves social co-governance of food safety based on the smart contract. It can also preserve the existing system architecture and compensate for the performance disadvantages of blockchain and cloud storage. The result of the security analysis shows that our scheme supports unconditional full anonymity and can resist collusion attacks of N-1 out of N corrupted attribute authorities.


Introduction
In the age of big data, data has tremendous potential value, and different enterprises and regulators collect different data: farmers can only collect crop growth data (seeds, fertilizers, pesticides, environment, etc.), food producers get processing data (product formulation, machine, process parameters, inputs, etc.), sellers collect sales data (location, price, customer, etc.), and regulators store sampling inspection reports and monitoring data. The data owners would not share the data because of the disclosure risk to user privacy and commercial secrets. This is the primary cause of the information asymmetry that has led to some negative market phenomena, like "good money after bad," "2013 horse meat scandal in Europe," and "2017 multistate Salmonella outbreak in the US" [1]. More than 600 million people worldwide fall ill after consuming unsafe food each year [2]. Cross-departmental data sharing in the food industry is a promising solution to food safety incidents and promotes industry development [3]. The traditional cloud-based regulatory system (as shown in Figure 1) provides a solution to share food data and protect food quality [4]. According to the Cisco white paper, most companies in the food supply-chain deployed the regulatory system in the cloud [5]. The cloud features of pay-on-demand and elastic extension can decrease the cost [6][7][8]. However, the customers and the data in the cloud are not in the same trusted domain, resulting in a lack of trust between customers. Cloud security incidents are frequent. More than 10000 security incidents happened in Malaysia in 2013. According to the 2013 Norton report, the total cost of cybercrime in Australia amounts to AU$1.06 billion [9]. The privacy of 368000 students in Florida Virtual School was leaked in 2018. So, some common defects in the traditional regulatory system need to be addressed: (1) The tampering and hiding of wrong information in the centralized system. (2) The risk of privacy leakage and data loss if the servers are compromised or privileged users' rights are not adequately monitored. (3) It is difficult to verify the user's identity, which makes it hard to guarantee the authenticity of shared data and track down the person responsible for a product accident. (4) The data owners are reluctant to share data due to the lack of trust between the system and food enterprises, and the enterprises would not invest heavily to rebuild their systems. More than 40% viewed food fraud as difficult to monitor by the traditional methods [2].
With the characteristics of tamper-proofing, decentralization, and co-governance, blockchain addresses the above issues by constructing a trusted network based on a mathematical algorithm. The data are shared transparently by enterprises and regulators. The data in the blockchain are immutable [10]. A smart contract is intelligent, self-executing logic code that runs without an intermediary, reducing transaction costs and transaction time [11]. Walmart has developed a blockchain-based system to monitor product quality by sharing information in the pork and mango industries [12]. It helps to track pork products effectively within several minutes compared to the several days taken in the past. There are several challenges: (1) The blockchain has the characteristic of pseudoanonymity, which cannot protect the privacy information in the signature. The adversary can get the privacy information by analyzing the expenditure information of a user account [13]. (2) Performance, cost, and security are the primary bottlenecks for implementing blockchain technology in the food industry.
To address the issues, we propose a blockchain-cloud fusion scheme to protect the security of shared data. The enterprises can preserve the existing system architecture and transparently share data in a trusted network without third parties. It adopts the low cost, scalability, and high performance of cloud computing technology to make up for blockchain's performance and cost bottleneck. The metadata remains in the existing enterprise system, and the data's signature is shared with the blockchain network. This reduces the storage and performance load of the blockchain network. Besides, the analysis of the signature algorithm in Table 1 shows that the Attribute-Based Signature (ABS) is an effective solution to share data with fine-grained control and protect the data owner's privacy. To address the information leakage risk and adapt to the decentralization feature of our scheme, we propose a Decentralized Attribute-Based Signature (DABS). The enterprises and regulators have equal rights to verify employees in their respective departments. The signature of shared data is entirely secure, which encourages users to monitor food quality actively. Simultaneously, it provides a solution for regulators to track down the person responsible for public safety incidents and rumors. It is meant to promote social co-governance in the food industry.

Related Work
1.1.1. ABS. ABS originated from fuzzy identity-based encryption, which was first proposed by Sahai and Waters [14]. It can hide user identity information and provides a solution for data owners to share data with fine-grained access control. In ABS, users receive a private key from the Attribute Authority (AA) based on their attributes and define a shared community for sharing data with a signing predicate. Only users whose attributes satisfy the signing predicate can get the shared data. For example, farmers share a file with an access control strategy of signing predicate ((manager with Level 7 in Food Processing FP1) or regulator), which means that only the manager with Level 7 in Food Processing FP1 and regulators can access the shared file. The ABS scheme has bright application prospects, such as directional broadcast and cloud storage. It has attracted many scholars and produced many research results [15]. Li et al. proposed an Attribute-Based Encryption (ABE) system based on a ring signature scheme [16]. Anyone can select a set of public keys of random signers to hide its public key [17]. However, the above schemes manage the entire system attribute set by a single AA. This quickly causes performance bottlenecks and cannot satisfy the actual needs of cooperation among multiple departments [18]. So, Chase et al. let numerous authorities manage the attribute set, but the scheme has a disclosure risk at the Centralized Attribute Authority (CA) because the CA could calculate any user's private key [19]. Yang et al. proposed an efficient multiauthority CP-ABE scheme based on the LSSS access structure, without a global authority and secure under the random oracle model [20]. Liu et al. proposed a scheme that is secure only if the number of colluding users is less than (m+1) [21].
1.1.2. Blockchain. Nakamoto first proposed the blockchain architecture [10]. It provides trust and equality among different participants by a mathematical algorithm. In addition, decentralization is an effective way to solve the single-point validation problem [22]. Macrinici et al. [11] designed the smart contract to protect users' privacy and automate information processing. Blockchain technology has achieved great success in the financial industry [23], with Bitcoin and Ethereum as examples. This demonstrated the application feasibility of blockchain technology. Some promising blockchain applications are being developed to address concerns in industries such as medical, agriculture, energy, and food safety. In [24][25][26][27][28], a secure, privacy-preserving data management scheme was proposed to share medical data by encapsulating EHRs based on attribute-based encryption into the blockchain; there is no detailed application. Even in [28], it cannot resist the collusion attack between users. In [29], it is proposed that blockchain is a solution to optimize the energy industry structure and facilitate sustainable development. Walmart developed a blockchain-based system to monitor pork and mangos from South America to the US [1], where the managers could trace the product within several minutes compared to the several days taken in the past.

Supply Chain and Blockchain.
Data-sharing barriers among food enterprises cause information delay and asymmetry, which affect the quality of shared information [30]. Supply chain management is an important application for blockchain technology [31]. Blockchain can record the entire life cycle of each product with immutable information shared between consumers and producers. The ICT electronic agriculture system via blockchain infrastructure guaranteed the integrity of agricultural environment data, conducive to improving sustainable agrarian development [32]. In [33], it is proposed that blockchain applied in the food supply-chain not only could reduce food losses by optimizing product logistics but also helps to improve regulatory efficiency. Saberi et al. explored how blockchain could help supply-chain sustainability and guide industry transformation. Clauson and Breeden discussed supply-chain management in healthcare, and most blockchain schemes are still in the proof-of-concept or pilot stage [34]. Security and privacy are barriers to the integration of IoT and blockchain. Jangirala et al. proposed the LBRAPS protocol in mobile edge computing to protect the security of transmitted data [35]. In [36,37], an AgriBlockIoT system is proposed for food supply-chain management, but it lacks an effective solution to protect data security.

Table 1 (signature algorithms):
Group signature. The anonymous signature is used for group sharing, and the receiver can verify the signature but cannot get the signer's information. The group administrator creates the group with key distribution, which has the risk of identity escrow leakage and signature forging.
Attribute-based signature (ABS). Signature and user private key associated with attributes. Fine-grained access control; group key management. Fine-grained noninteractive access control and 1 : n communication mode; it reduces the network bandwidth for shared data and the processing overhead for nodes.
Other cells: Video conference; Electronic bidding; Digital copyright protection; Privacy protection; Resist to collusive attacks, anonymous.

Security and Communication Networks 3

Our Contributions.
In summary, the main contributions of this work are as follows: (1) This work proposes a food supply-chain regulation system based on a blockchain-cloud fusion scheme. It supports secure data sharing across departments, intelligent regulation, and social co-governance with a smart contract. (2) This work proposes a DABS scheme by combining the characteristics of ABS and ring signature. It helps to improve the safety of the food supply-chain regulation system. Besides, it provides a solution for regulators to trace illegal users, which is useful to prevent the spread of rumors and establish a harmonious network environment. (3) This work performs a comprehensive security analysis, which shows that our scheme supports unconditional full anonymity and noncollusion with strong (N-1) (it resists collusion attacks of N-1 out of N corrupted Attribute Authorities). The performance evaluation shows our scheme's performance advantage. Compared with the time complexity nO(·) of traditional schemes, it supports batch-verification with O(·) + n.

Organization.
The remainder of this work is as follows: Section 2 introduces the definitions of the bilinear map, computational assumption, access structure and LSSS, syntax, and security model of DABS. Section 3 details the blockchain-cloud fusion scheme. Section 4 describes security analysis, and Section 5 presents the performance analysis, while the conclusion is presented in Section 6.

Preliminaries
This section introduces the definitions of bilinear map, computational assumption, and linear secret-sharing schemes. Then, we describe the framework definition of the DABS scheme and the security definitions.

Bilinear Map.
Let $G_1$, $G_2$, and $G_T$ be three multiplicative groups of prime order $p$. A bilinear map is a map $e: G_1 \times G_2 \to G_T$ with the following properties: (1) Bilinearity: $e(f^a, h^b) = e(f, h)^{ab}$ for $\forall a, b \in Z_p$, $\forall f \in G_1$, $\forall h \in G_2$. (2) Nondegeneracy: $e(f, h) \neq 1$. (3) Computability: there is an efficient algorithm to If $\forall f \in G_1$, $\forall h \in G_2$, then $e(f, h) \in G_T$. The bilinear pairing applied in our proposed scheme is symmetric, where $G_1 = G_2 = G$.

Computational Assumption
Definition 1. Computational Diffie-Hellman problem, CDH: assume $G_1$ is a bilinear group of prime order $p$, $g$ is a generator of $G_1$, and $e: G_1 \times G_1 \to G_T$ is a bilinear map. Given $(g, g^a, g^b)$ for unknown $a, b \in Z_p$, compute $g^{ab}$. We say that the $(t, \varepsilon)$-CDH assumption holds if no poly(t)-time algorithm can solve the CDH problem with non-negligible advantage $\varepsilon$.

Access Structure and Linear Secret-Sharing Schemes (LSSS)
Definition 2. Access structure [38]: let $U = \{U_1, U_2, U_3, \ldots, U_n\}$ be a set of parties, and a collection The sets in $A$ are called authorized sets, and the others are unauthorized sets.
where $v_1 = s \in Z_p$ is the secret to be shared, and $v_2, \ldots, v_m \in Z_p$ are chosen randomly; then $M\vec{v}$ is the vector which shares the secret $s$ by function . The shared secret $\lambda_i = M_i \cdot \vec{v}$ belongs to the party $\rho(i)$.
Suppose that is an LSSS for the access control strategy $c$. Let $A \in c$ be an authorized set, and In [38], it is shown that these constants $\{\omega_i\}_{i \in I}$ can be found in polynomial time.
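The share and reconstruction steps above, as an added example that is not code from the paper: shares are $\lambda_i = M_i \cdot \vec{v}$ and an authorized set recovers $s$ as $\sum_i \omega_i \lambda_i$, where the constants $\omega_i$ are found by Gaussian elimination. The policy is a constructed decomposition of the paper's "(manager with Level 7 in Food Processing FP1) or regulator" example, the formula-to-matrix step uses the Lewko-Waters conversion (an assumption, the paper only cites [38]), and the modulus `P` stands in for the group order.

```python
import secrets

P = 2**127 - 1  # prime modulus standing in for the group order p (assumption)

# Constructed policy: ("and"|"or", left, right) or an attribute name.
POLICY = ("or", ("and", "manager", ("and", "level7", "FP1")), "regulator")


def lsss_matrix(policy):
    """Lewko-Waters conversion of a boolean formula into (M, rho)."""
    rows, counter = [], 1  # counter = number of columns used so far

    def walk(node, vec):
        nonlocal counter
        if isinstance(node, str):
            rows.append((node, vec))
            return
        op, left, right = node
        if op == "or":          # both children inherit the parent's vector
            walk(left, vec)
            walk(right, vec)
        else:                   # "and": split the vector across a new column
            padded = vec + [0] * (counter - len(vec))
            left_vec, right_vec = padded + [1], [0] * counter + [-1]
            counter += 1
            walk(left, left_vec)
            walk(right, right_vec)

    walk(policy, [1])
    M = [[x % P for x in v + [0] * (counter - len(v))] for _, v in rows]
    rho = [attr for attr, _ in rows]  # rho(i): attribute that owns row i
    return M, rho


def share(M, secret):
    """lambda_i = M_i . v with v = (s, v_2, ..., v_m), v_2..v_m random."""
    v = [secret % P] + [secrets.randbelow(P) for _ in range(len(M[0]) - 1)]
    return [sum(a * b for a, b in zip(row, v)) % P for row in M]


def recon_coeffs(M, rho, attrs):
    """Find omega with sum(omega_i * M_i) = (1,0,...,0); None if unauthorized."""
    idx = [i for i, a in enumerate(rho) if a in attrs]
    m = len(M[0])
    # One equation per matrix column j; unknowns are omega_i for i in idx.
    aug = [[M[i][j] for i in idx] + [1 if j == 0 else 0] for j in range(m)]
    pivots, r = [], 0
    for c in range(len(idx)):
        pr = next((k for k in range(r, m) if aug[k][c]), None)
        if pr is None:
            continue
        aug[r], aug[pr] = aug[pr], aug[r]
        inv = pow(aug[r][c], -1, P)
        aug[r] = [x * inv % P for x in aug[r]]
        for k in range(m):
            if k != r and aug[k][c]:
                f = aug[k][c]
                aug[k] = [(x - f * y) % P for x, y in zip(aug[k], aug[r])]
        pivots.append(c)
        r += 1
    if any(row[-1] for row in aug[r:]):  # inconsistent system: not authorized
        return None
    omega = {i: 0 for i in idx}
    for row_no, c in enumerate(pivots):
        omega[idx[c]] = aug[row_no][-1]
    return omega


def reconstruct(M, rho, shares, attrs):
    """Recover s = sum(omega_i * lambda_i) for an authorized attribute set."""
    omega = recon_coeffs(M, rho, attrs)
    if omega is None:
        return None
    return sum(w * shares[i] for i, w in omega.items()) % P


if __name__ == "__main__":
    M, rho = lsss_matrix(POLICY)
    lam = share(M, 42)
    print(rho, reconstruct(M, rho, lam, {"regulator"}))
    print(reconstruct(M, rho, lam, {"manager", "level7"}))
```
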

Syntax of Decentralized Attribute-Based Signature Scheme (DABS).
According to [40], we construct the DABS scheme, which consists of five algorithms: Setup, Keygen, Sign, Verify, and Trace. Select a random security parameter $\lambda$; our scheme works as follows:
(i) Setup ($\lambda$). The algorithm takes a random security parameter $\lambda$ as input, and it outputs a master key MSK, public key PK, and trace key TK, where TK is used to trace the user identity. Assume that the PK contains the universe of attributes set $U$ and the default attributes set $W$.
(ii) Keygen ($U_{ID_k}$, MSK, PK). In this algorithm, all attribute authorities $AA_i$ share a pseudorandom function PRF(·). It takes the user's attribute set $U_{ID_k} \subseteq U$, MSK, and PK as input; each AA computes the attribute private key SK as output.
(iii) Sign($c_{(S,\rho)\cup W}(\cdot)$, $M$, PK, SK, $ID_k$). The algorithm takes as input the signing predicate $c_{(S,\rho)\cup W}$ and the shared message $M$, PK, SK, and $ID_k$, where $(S, \rho)$ is generated according to the access control strategy of the data owner, $S$ is a share generating matrix, $\rho$ is a map function as shown in Definition 3, and $W$ is a default attribute set. The algorithm outputs a signature $\delta$.
(iv) Verify ($\delta$, PK). The algorithm takes $\delta$ and PK as input and outputs a Boolean value.
(v) Trace ($\delta$, PK). The algorithm takes as input the signature $\delta$ and trace key TK and outputs the signer identity $ID_k$.
Batch Processing. (Definition 4 [41]): giving

Security Definitions.
This part introduces the security definitions.
The ABS scheme supports the properties of anonymity and noncollusion. Anonymity usually includes computational anonymity and unconditional full anonymity. [16] supports computational anonymity, where the adversary can access the user identity with unlimited computing power. Unconditional full anonymity means that, given a sufficient signature with an access control strategy, even if the adversary $\mathcal{A}$ has unlimited computing power and accesses any user's attribute key, there is still no poly(t)-time algorithm $\Lambda$ to reveal the signer's attribute information from the signing predicate. Noncollusion means there is no poly(t)-time algorithm for adversaries to forge a legitimate signature with a set of complementary attributes.

Unconditional Full Anonymity.
Our scheme supports unconditional full anonymity if no adversary $\mathcal{A}$ can win the following game with non-negligible advantage $\varepsilon$.
(i) Setup. An adversary $\mathcal{A}$ selects a random signing predicate $c_{(S,\rho)\cup W}(\cdot)$. The simulator $C$ calls the algorithm Setup(.) and returns the public key PK and master key MSK to $\mathcal{A}$. $\mathcal{A}$ can construct a key for any $AA_i$.
(ii) Challenge. In this phase, $\mathcal{A}$ chooses a random message $M'$ and two attribute sets $\{U_{ID_i}\}_{i=1,2}$, where $\{U_{ID_i}\}_{i=1,2}$ satisfy the signature predicate $c'_{(S,\rho)}$. $\mathcal{A}$ sends two tuples $(M', U_{ID_1})$ and $(M', U_{ID_2})$ to $C$. $C$ calls the algorithm Keygen(.) and returns private keys $SK_{ID_1}$ and $SK_{ID_2}$. Then $C$ chooses a bit $b \in \{0, 1\}$, signs the message $(M', U_{ID_b})$ as signature $\delta_{ID_b}$, and sends it to $\mathcal{A}$.

Noncollusion.
Our scheme can defend against collusive attacks under adaptive selective message and predicate attacks if no adversary $\mathcal{A}$ (capable of unlimited computing power) can win the following game with non-negligible advantage $\varepsilon$.
(ix) The adversary $\mathcal{A}$ requires to query private key of

Cross-Department Secures Data Sharing in the Food Industry via Blockchain-Cloud Fusion Scheme
3.1. System Model. Assume the enterprises, regulators, and neutral institutions (such as food commonweal organization) in the whole food supply-chain hope to share data to promote supervision of food quality and public safety incidents. They provide a cloud server as an Attribute Authority server (AA) to store the transmitted data and verify them. Regulators and enterprise legal persons are registered with the regulator AA server, and employees register with the enterprise AA server. Assume neutral institutions' servers are semicredible, that is, they would not eavesdrop on or back up users' registration information. Common consumers, including food enterprise employees, can enter the system by registering with any neutral institution, release supervision information anonymously based on the DABS algorithm (detailed in Section 3.3), and realize social co-governance of all links in the food supply chain. The AAs are owned independently by food enterprises, regulators, and neutral institutions. To standardize terms, we use data owners to mean the data providers in the following, including enterprises, regulators, and neutral institutions. As Figure 2 shows, our system consists of four modules: cloud network, DABS, blockchain network, and application group. The system details are as follows: group to support user identity verification, user management, and data storage. Each AA server is selected from the existing system architecture in the food supply chain. The AA server is operated and maintained independently by data owners and is also used as a shared data service to support food quality supervision and traceability. For example, farms can share data in the cultivation server, storage enterprises share data with the warehouse server, processing enterprises share data with the process server, and regulators share sampling inspection reports and monitoring data with the regulator server. It uploads the shared data signature and index from food enterprises and regulators to the blockchain network, and it shares consumers' report data with DABS signature to the blockchain.
(ii) DABS Module. It has the security characteristics of unconditional full anonymity and noncollusion (as shown in Section 4). It supports user authentication, secret key assignment, digital signature, and traceability. The AA server generates an anonymous private key for the user with the fuzzy attribute set if the registration information is authenticated. Data owners share data with an access control strategy and private key (the sign algorithm is detailed in Section 3.3). Furthermore, it provides a way for regulators to trace the person responsible for rumors and incidents in the food industry (trace algorithm, as shown in Section 3.3), which helps to purify the system network. The DABS module is deployed in the AA servers, which work together to maintain the system's stability and security.
(iii) Blockchain Network Module. It receives the data from the data owners' servers, performs consensus validation with PBFT [39], in which more than 2/3 of the servers acknowledge the validity of data, and stores the data block into the blockchain (the block structure is shown in Figure 2). Besides, it supports co-governance and traceability of food safety via smart contract (detailed in Section 3.4). If a report is useful, it will give a reward in return, which motivates consumers to participate actively. With the robustness feature of PBFT, the blockchain network can tolerate the failure of no more than 1/3 of the servers. This module can be deployed in AA servers to save system development cost.
(iv) Application Group Module. It is composed of consumers and regulators. Any system user should first register with an AA server. Consumers can query any quality information of the food supply-chain as needed from the blockchain network. The system will then get and return the data from the data owner's server by the data index in the data block. Besides, consumers can take part in food safety supervision. Regulators have the power of supervision to monitor the whole food supply-chain and hold responsible people accountable, including timely warning and accountability for food safety incidents.

Threat Model and Design Goal.
The adversaries can eavesdrop on the public channel's information, including the signature and signing predicate. Besides, there are dishonest server groups that are allowed to collude to infer the signature's user identity.
Based on the above threat model, the food supply-chain regulation system hopes to achieve the following goals.
(1) Privacy Protection. System user privacy information can be deduced by statistical analysis [13]. So, the system should have the characteristic of unconditional full anonymity. It can resist the adversary's statistical analysis and is secure when no more than (N-1)/N of the servers collude.
(2) System Availability. In this work, the system availability includes two aspects. (a) System robustness: on the one hand, it works only if no more than 1/3 of the servers in the blockchain network fail; on the other hand, it is Strong (N-1) for AA servers, in that it works as long as more than one server is honest. (b) Traceability: it provides a solution to track the person responsible for rumors and food safety incidents.

Proposed DABS Scheme
Setup ($\lambda$). Let $G$ and $G_T$ be two cyclic multiplicative groups of composite order $N = pq$ with the bilinear map $e: G \times G \to G_T$, where $p$ and $q$ are two large prime numbers. The construction can also work on asymmetric pairing groups, where $e: G_1 \times G_2 \to G_T$ and $G_1 \neq G_2$. Denote by $G_q$ the subgroup of order $q$ in $G$.
The universal set of attributes $U = \{U_1, U_2, U_3, \ldots, U_n\}$ is managed by the distributed Attribute Authorities Group $\{AA_i\}|_{i=1,2,\ldots,n}$. Each $AA_i$ monitors an attribute subset $U_i = \{a_{i,1}, a_{i,2}, \ldots, a_i$ resistant cryptographic hash function $H, H_2: \{0, 1\}^* \to G$. Select random generator $g \in G$, exponent $\tau \in Z_P^*$, and compute $T = g^{\tau}$. Select random exponent $x_i \in Z_P^*$ for each $AA_i$ and compute $P_i = g^{x_i}$. Select random parameter $t_{i,j} \in Z_P^*$ for each attribute. Select generators $u', u_1, u_2, \ldots, u_k \in G$ and $h \in G_q$. So, it generates the public key PK, the master key MSK for AA Group, and the trace key TK as follows:

Keygen ($U_{ID_k}$, MSK, PK). In this algorithm, all attribute authorities $AA_i$ share a pseudorandom function PRF(·). Assume the user $ID$ possesses an attribute set $U_{ID}$. The $AA_i$ calculates $\Gamma_{ID_i}|_{i=1,\ldots,n} = PRF(ID)$, $D_{0,i}|_{i \in Group} = g^{\Gamma_{ID_i}}$, and $D_{1,i}|_{i \in Group} = g^{-x_i}$. For attribute $j \in (U_{ID} \cup W_i)$, it computes $D_{2,i,j}|_{i \in Group} = H(j)^{t_{i,j}} D_{0,i}$. So, the anonymous private key of the user $ID_k$ is

Sign($c_{(S,\rho)\cup W}(\cdot)$, $M$, PK, SK, $ID$). In this algorithm, the signer $ID_k$ sets an access control strategy $U'_{ID_k} \neq \text{NULL}$ for message $M$. The access control strategy is $c_{(S,\rho)\cup W}(\cdot) = U'_{ID} \cup W$. The algorithm constructs an LSSS access matrix $S_{l \times m}$ with an injective function $\rho$ that maps each row of the matrix $S$ to an attribute of $U'_{ID}$.
(i) The algorithm randomly chooses a parameter $\varepsilon_i \in Z_P^*$ for every bit of (3) The $c_i$ and $\pi_i$ can prove that $C$ is well-formed.
(ii) Choose a random parameter $s \in Z_P^*$ and a random vector $v = s, v_1$ $\forall$ attribute $x \in c_{(S,\rho)\cup W}$ and select random parameter

Figure 2: The food supply-chain regulation system model based on the blockchain-cloud fusion scheme. It retains the existing system architecture and the industry metadata owned by data owners. Besides, it enables consumers to know the food quality information throughout the whole supply chain. It provides a safe way for any consumer to take part in social co-governance of food safety without fear of cyber-violence. Furthermore, the regulators can track rumor-mongers.
(vi) So, the signature is

Verify ($\delta$, PK). The algorithm takes the signature $\delta$ and PK as input and outputs the result. It checks the equation $\frac{e(g, \delta_2) \cdot \delta_3}{\prod_{i \in Group} \prod_{x \in W} e(g, \delta_1)} = \delta_4$; if the equation holds, the scheme accepts the signature $\delta$ and outputs true; otherwise it rejects $\delta$ and outputs $\perp$.

Trace ($\delta$, TK, PK). The algorithm takes as input the signature $\delta$, trace key TK, and PK and then outputs the signer identity $ID$. The algorithm is described as follows: (i) Call algorithm Verify ($\delta$, PK) and check whether the signature $\delta$ is true or not. (ii) If $\delta$ is true, for $\forall c_i$ it will check $e(c_i, c_i g^{-1}) = e(h^q, \pi_i^{q^{-1}})$, $e(h^q, g) = e(h, g^q)$. The effectiveness of algorithm Trace (.) has been proved in detail in [42], and the security of algorithm Trace (.) has been proved in [43], so we do not detail or analyze the algorithm in this paper.

Correctness.
This scheme outputs the signature $\delta = \langle \{\delta_1\}_{x \in W}, \delta_2, \delta_3, \delta_4, \{c_i\}_{i=1,\ldots,k}, \{\pi_i\}_{i=1,\ldots,k} \rangle$ for the message $M$. We can prove the correctness of the scheme as follows:

Batch-Verification Processing. According to the scheme [13], we propose a batch-verification processing algorithm to improve the efficiency from nO(·) to O(·) + n. It takes as input the public key PK and a large number of signatures $\delta_{ID_1}, \delta_{ID_2}, \ldots, \delta_{ID_n}$, and works as follows: i∈Group x∈W e g, δ

Social Co-Governance of Food Safety Based on Smart Contract.
The smart contract enables automatic execution of the agreement between the parties without an intermediary. It helps to improve the efficiency of information processing and social co-governance of food safety.
(2) Social Co-Governance of Food Safety. If a quality problem happens in the food supply-chain, any consumer can report it anonymously through the blockchain network. On the one hand, the smart contract helps regulators deal with the potential risk of food safety incidents in a timely manner and investigate the legal liability of the enterprises involved; on the other hand, it will warn someone who spreads rumors. The smart contracts are constructed as shown in Algorithms 2 and 3.

Food Supply-Chain Regulation System Based on Blockchain-Cloud Fusion Scheme.
With the blockchain-cloud fusion scheme, the food supply-chain regulation system overcomes the pain points of data sharing in the food industry. It is conducive to optimizing the processes of information collection, quality inspection and supervision, and supply and marketing management.
This part mainly introduces the system workflow.
We will describe the system workflow from the two aspects of data sharing and data consumption. The shared data consist of consumer reports and food industry shared data.

Industry Data Sharing.
On receiving the shared data from enterprises and regulators in the food supply-chain, the system workflow is as shown in Figure 3.
We will take food enterprise data sharing as an example to detail the system workflow as follows: (1) Any system user should first authenticate and register with the AA server; then, the AA server verifies the user's identity and generates an anonymous private key. Each workflow needs this step, so we do not detail it again in the other workflows. (2) After authentication is completed, the enterprise manager can share data by defining a signing predicate on demand and then sending it to the enterprise AA server. (3) The AA server generates an anonymous signature and sends the signature and the index of the shared data to the blockchain network. (4) The blockchain server first determines the validity of the data via smart contract and generates a data block. It validates and then broadcasts the block to make a consensus decision with the PBFT algorithm. (5) If more than 2/3 of the servers agree, the new data block will be stored in the blockchain.

Consumer Report.
To promote social co-governance in food safety, the system provides an anonymous supervision report function for consumers and gives a reward in return. The system workflow of consumer reports is similar to the previous workflow and is shown in Figure 4.
(1) Consumers in the system report food quality problems anonymously. They can define a signing predicate to generate an anonymous signature. (2) The AA server shares the report content and signature to the blockchain. Then, the blockchain verifies them and generates a new data block with a signal tag, makes a consensus decision, and stores the block into the blockchain. (3) The blockchain network will send an alert message to regulators to make a decision. The system will give a reward to the consumer in return if the alarm is validated by regulators.
In addition, data consumption consists of consumers inquiring about food quality on-demand and accountability.

Inquire Food Quality on Demand.
The system consumers inquire about food information, as shown in Figure 5.
(1) Consumers can inquire about the quality information (including quality inspection report, source, process, and transport) of each link's raw material in the food supply-chain from the blockchain network. (2) The system reads the data source index from the data block, gets the target data from the data owner's server, and then shows it to the consumer as a basis for food quality evaluation.
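The sharing steps (3) to (5) under Industry Data Sharing and the inquiry steps above can be traced in a small model, given here as an added example that is not the paper's implementation. A SHA-256 digest of the record stands in for the DABS signature (which is not implemented here), votes are passed in as a count rather than produced by PBFT, and all class, function, and record names are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Block:
    prev_hash: str
    index: str     # locator of the record on the data owner's server
    binding: str   # SHA-256 of the record; stand-in for the DABS signature

    def block_hash(self) -> str:
        body = json.dumps([self.prev_hash, self.index, self.binding])
        return digest(body.encode())


@dataclass
class Ledger:
    n_servers: int
    blocks: list = field(default_factory=list)

    def propose(self, index: str, record: bytes) -> Block:
        prev = self.blocks[-1].block_hash() if self.blocks else GENESIS
        return Block(prev, index, digest(record))

    def commit(self, block: Block, yes_votes: int) -> bool:
        # Step (5): strictly more than 2/3 of the servers must agree.
        # Integer arithmetic avoids float rounding at the 2/3 boundary.
        if not 0 <= yes_votes <= self.n_servers:
            return False
        if 3 * yes_votes <= 2 * self.n_servers:
            return False
        self.blocks.append(block)
        return True

    def chain_intact(self) -> bool:
        prev = GENESIS
        for b in self.blocks:
            if b.prev_hash != prev:
                return False
            prev = b.block_hash()
        return True


def inquire(ledger: Ledger, owner_store: dict, index: str):
    """Consumer query: find the block by index, fetch off-chain, compare."""
    if not ledger.chain_intact():
        return ("chain-broken", None)
    block = next((b for b in ledger.blocks if b.index == index), None)
    if block is None:
        return ("not-on-chain", None)
    record = owner_store.get(index)
    if record is None:
        return ("missing-off-chain", None)
    if digest(record) != block.binding:
        return ("off-chain-tampered", None)
    return ("ok", record)


def run_demo():
    """Constructed scenario: 6 servers, two shared records, one later edited."""
    store = {"fp1/batch-17": b"inspection: pass",
             "farm3/lot-2": b"pesticide: none"}
    ledger = Ledger(n_servers=6)
    out = []
    blk = ledger.propose("fp1/batch-17", store["fp1/batch-17"])
    out.append(ledger.commit(blk, yes_votes=4))   # exactly 2/3: rejected
    out.append(ledger.commit(blk, yes_votes=5))   # more than 2/3: stored
    blk2 = ledger.propose("farm3/lot-2", store["farm3/lot-2"])
    out.append(ledger.commit(blk2, yes_votes=6))
    out.append(inquire(ledger, store, "fp1/batch-17")[0])
    store["fp1/batch-17"] = b"inspection: PASS (edited)"  # owner-side edit
    out.append(inquire(ledger, store, "fp1/batch-17")[0])
    out.append(inquire(ledger, store, "farm3/lot-2")[0])
    # Rewriting an already stored block breaks the link held by the next one.
    ledger.blocks[0].binding = digest(store["fp1/batch-17"])
    out.append(inquire(ledger, store, "fp1/batch-17")[0])
    return out


if __name__ == "__main__":
    print(run_demo())
```

Because the record itself stays on the data owner's server, the on-chain entry protects integrity only when it binds the record's content; an index alone would let the owner-side edit in the demo go unnoticed.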

Accountability.
Due to blockchain's tamper-proofing feature, the system provides traceability for regulators to track the person responsible for rumors and food quality incidents. We take tracking a rumor-monger as an example to detail the system workflow as follows (as shown in Figure 6).
(1) The regulator chooses a rumor from the blockchain network to track its monger. The system will authenticate the regulator and record the action. (2) Then, the system analyzes the rumor record, generates the rumor-monger's ID, and returns it to the regulator, which can serve as a basis for the regulator's law enforcement [44].

Security Analysis
The blockchain-cloud fusion scheme inherits some essential characteristics of blockchain and cloud service to protect the system's data. The tamper-proof feature of blockchain ensures data reliability. The PBFT-based consensus mechanism can improve the system robustness, and the DABS algorithms protect the system's safety and stability. In this work, system security mainly means preventing the leakage of user privacy. Since the data interaction in the scheme is based on the DABS algorithm, and user privacy information is processed and generated by DABS, the DABS algorithm's security is the most critical factor for the protection of the scheme. We will mainly analyze the security of the DABS algorithm in this section.

Theorem 1: Unconditional Full Anonymity
Proof. This scheme can construct a sufficient signature if the signature attributes satisfy the signature predicate $c_{(S,\rho)\cup W}(\cdot)$. With the predicate subset and default attributes mixed in the signature, the adversary Å cannot get signer attributes from the signature predicate. So, our scheme supports unconditional full anonymity if the adversary Å cannot get user identification information. According to the schemes [45], we construct the simulation as follows.
(1) Setup: An adversary Å challenges the access control predicate $c_{(S,\rho)\cup W}(\cdot)$. The simulator C calls algorithm Setup() and outputs the PK, MSK, and TK. Then, it publishes the PK and MSK to Å. The adversary Å can construct any private key.
(3) Guess: The adversary submits a guess $b'$ of $b$. If $b' = b$, Å wins the game, which means the scheme cannot support the unconditional full anonymity security. Next, we discuss why Å cannot win the game. Assume the simulator C selects $b = 1$, signature predicate $c_{(S,\rho)_{ID_1}\cup W_{ID_1}}(\cdot)$, and random $\alpha_1$ and $s_1$.
Then, it signs a message with $(M', SK_{ID_1})$ and

$= e(g, T)^{s_{ID_b}} = e(g, g)^{\tau s_1}$.

[Figure 5: Inquire food quality. Get the data index from data block; get data from data owner's server; show the information.]
As $\delta_{ID_1}$ shows that only $\delta_{ID_1,2}$ and $\delta_{ID_1,3}$ involve the user identification information, if there exists 1 , the simulator C can generate the same signature $\delta_{ID_1} = \delta_{ID_2}$ whatever bit $b$ is chosen. So, our scheme satisfies absolute full anonymity and does achieve perfect privacy.

Proof. We describe our DABS scheme's security model by the following game between the simulator C and the adversary Å. The security model allows the adversary to query for any private keys that cannot be used to sign the challenge message M [18]. Assume the adversaries can corrupt authorities statically, and the key queries are adaptive [46].
Assume there is a poly(t)-time algorithm Λ with which the adversary Å can break our scheme with non-negligible advantage ε under adaptively chosen messages and a collusive attack. Define the parameters $q_{PRF}$, $q_H$, $q_{H_2}$, $q_k$, and $q_s$ as the numbers of queries to the random oracles PRF, H, and $H_2$, to SK generation, and to signature generation, respectively. So, there is a poly(t)-time algorithm Λ that can deal with the CDH problem with a non-negligible advantage ε′ = ε/

The security simulation proceeds as follows:
(1) Initial: Assume the predicate $c_{(S',\rho)\cup W}(\cdot)$ is a mini-subset of $c_{(S,\rho)\cup W}(\cdot)$ and $c_{(S,\rho)\cup W}(S', \rho) = 1$, where the attributes in $c_{(S',\rho)\cup W}(\cdot)$ are managed by $AA_i$ ($i = 1, \ldots, t$). Let ρ(S′) = t i=1 ρ(S′ i), and define the attribute set of user $ID_k$ as $U_{ID_k}$. Assume the corrupted AA group is $SA = \{AA_1, AA_2, \ldots, AA_{t-1}\}$. The adversary Å can forge the signature only if another $AA_t$ is corrupted. So, the collusive attack on our scheme can be reduced to an attack on a single node $AA_t$. Define $q_t$ as the probability that node $AA_t$ is attacked, with $q_t = 1/(n - t + 1)$. The simulator C chooses a default attribute set $W_t$ for $AA_t$.
(3) Query: The adversary Å can query by random oracle H, $H_2$, SK, and signature. The simulator C maintains the empty lists $L_{PRF}$, $L_H$, $L_{H_2}$, and $L_{key}$; the process is as follows:
(i) PRF query: the simulator C maintains the list $L_{PRF}$ to store the result $(ID_i, AA_t, PRF_t(ID_k), \Upsilon_k)$. When receiving a query request $(ID_i, AA_t)$ from Å, C checks $L_{PRF}$ and returns the result if the request had been received. Otherwise, C chooses random parameters $a_{k,t}, \varrho_k \in Z_P^*$, sets $PRF_t(ID_k) = a_{k,t}$, $\Upsilon_k = g^{\varrho_k}$, publishes them to Å, and then adds $(ID_i, AA_t, PRF_t(ID_k), \Upsilon_k)$ into $L_{PRF}$.
(ii) H query: the simulator C maintains the list $L_H$ to store the result $(j_t, H_{t,j})$. When receiving a query request $(j_t)$ from Å, C checks $L_H$ and returns the result if the request had been received. Otherwise, C processes as follows: parameter $\varphi_{t,j} \in Z_P^*$, set $H(j_t) = g^{\varphi_{t,j}}$, publishes to Å and then adds $(j_t, H_{t,j})$ into $L_{PRF}$. If $t \neq \varepsilon$, it chooses $\varphi_t', \eta_t \in Z_P^*$ and publishes $H_{2,t} = g^{\eta_t} g^{\varphi_t'}$ to Å. Then, it adds $(M_t, H_{2,t})$ into $L_{H_2}$.
(iv) SK query: the simulator C maintains the list $L_{key}$ to store the result $(U_{ID_k} \cap U_t), ID_k, SK_k, P_t$. When receiving a query request $(U_{ID_k} \cap U_t, ID_k)$ from Å, C checks $L_{key}$ and returns the result if the same value has been queried. Otherwise, C processes as follows: Then, adds , it stops and defines the process event as $E_1$.
(v) Signature query: on receiving a signature query of $(U_{ID_k}, ID_k, M_t)$ from Å, C processes it as follows: calls the algorithm Sign(.), and returns $\delta_{ID_k}$ to Å. (b) Else, it stops and defines the process event as $E_2$.
(7) Challenge:
(vi) The adversary Å challenges the security under a collusive attack. It chooses any two users $(ID_0, ID_1)$ with the attribute sets $U_{ID_0}$ and $U_{ID_1}$, respectively, where $c_{(S',\rho)}$
(vii) The adversary Å queries $(ID_0, AA_t)$ and $(ID_1, AA_t)$, and C checks $L_{PRF}$ and returns $a_{0,t}$ and $a_{1,t}$, respectively.
(viii) The adversary Å queries $(U_{ID_0} \cap U_t, ID_0)$ and $(U_{ID_1} \cap U_t, ID_0)$, and C checks $L_{key}$ and processes as follows: So, the private key of the user $ID_1$ can be reconstructed as $ID_1'$: The private key the adversary Å can get is $SK_{ID_0,t} \cup SK_{ID_1',t}$, $P_t$, $j \in (U_{ID_0} \cup U_{ID_1'} \cup W')$.
(8) Forgery: Å constructs a signature and C verifies correctness as follows: i∈SA∪t x∈W′ e g, g r i,j * e g,
So, we can get $g^{\tau s'} = \delta_2' \delta_3' / \left(\prod_{i \in SA \cup t} \prod_{x \in W_t'} \delta_{1,x}'\right)$. It means the CDH problem can be solved, and the where the probability of $H(j_t) = g^{\varphi_{t,j}}$ is $1/q_H$, $H_{2,t} = g^{\eta_t}$ is $1/q_{H_2}$ and $q_i = 1/(n - i + 1)$.
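The PRF and H queries in the proof above are answered by lazy sampling: C draws a fresh exponent on the first request, records it in its list, and replays the stored answer afterwards. The following Python example is added here and is not code from the paper; the toy group (P, Q, G), the class and method names, and the sample attribute string are assumptions, and `hash_to_secret_power` shows the standard reason for setting H(j) = g^φ: C can raise H(j) to an exponent it only knows as g^x.

```python
import secrets

# Toy Schnorr group (constructed, far too small for real use):
# P = 2*Q + 1, and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

class Simulator:
    """Simulator C answering PRF and H queries by lazy sampling."""

    def __init__(self):
        self.L_PRF = {}  # (ID, AA) -> (a, varrho, Upsilon)
        self.L_H = {}    # attribute j -> (phi, H(j))

    @staticmethod
    def _rand_exp():
        # Uniform nonzero exponent, standing in for the page's Z_P^*.
        return secrets.randbelow(Q - 1) + 1

    def prf_query(self, user_id, aa):
        key = (user_id, aa)
        if key not in self.L_PRF:          # first request: sample and record
            a, varrho = self._rand_exp(), self._rand_exp()
            self.L_PRF[key] = (a, varrho, pow(G, varrho, P))
        a, _, upsilon = self.L_PRF[key]
        return a, upsilon                  # the part the adversary sees

    def h_query(self, j):
        if j not in self.L_H:
            phi = self._rand_exp()
            self.L_H[j] = (phi, pow(G, phi, P))   # program H(j) = g^phi
        return self.L_H[j][1]

    def hash_to_secret_power(self, j, X):
        """Return H(j)^x given only X = g^x, using the recorded phi."""
        self.h_query(j)
        phi, _ = self.L_H[j]
        return pow(X, phi, P)

def demo():
    C = Simulator()
    first = C.h_query("attr:inspector")    # constructed attribute name
    again = C.h_query("attr:inspector")    # repeated query, same answer
    x = 777                                # secret exponent, used only to check
    X = pow(G, x, P)
    via_trapdoor = C.hash_to_secret_power("attr:inspector", X)
    return first == again, via_trapdoor == pow(first, x, P)
```
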

Performance Analysis
To evaluate the performance of the schemes, we present a theoretical analysis of storage complexity and an experimental simulation of computation efficiency. Assume the group order in our scheme has the same length as the group order of G in the comparison schemes. The parameter notation description is shown in Table 2.

Storage Complexity.
The storage complexity is one of the most important evaluation indexes of the food supply-chain regulation system. Compared with a traditional cloud-based system, our system's storage cost mainly comes from the blockchain and the DABS algorithm. Since the blockchain network data primarily comes from DABS, we will mainly analyze the DABS algorithm's storage complexity.
As shown in Table 3, we analyze the performance of the DABS scheme by comparing it with GSZ18's scheme [26], LW10's scheme [40], SZW18's scheme [27], YJ13's scheme [47], and RW13's scheme [48]. These schemes adopt the LSSS access control strategy, except for the [GSZ18] scheme, which uses a tree access control strategy. The AA storage overhead, which is used to store the master key and the AA's secret key, is $(U_i + 1)|p|$ in our scheme. It is significantly less than in [LW10], [SZW18], and [GSZ18]. Since the AA in [YJ13] stores all users' private keys to re-encrypt the ciphertext and update information during revocation, the AA storage overhead will be less in our scheme if the number of users is more than half of $|U_i|$. Besides, compared with the normal anonymity of private keys in other schemes, we improve the security of users' private keys to unconditional full anonymity.
User storage overhead, used to store the users' private key, is $(U_{ID_i} + d + 2)|G|$ in our scheme, that is, better than $(2U_{ID_i} + 2)|G| + U_{ID_i}|p|$ in  Table 4. It uses the Java Pairing-Based Cryptography (PBC) library version 2.0 to implement the access control schemes. We choose an asymmetric elliptic curve whose order p is a 160-bit prime. The sizes of the plaintext, the G generator, and the GT generator are 128 bytes. We take the average value of 20 experiments as the final experimental result.
It mainly compares the time efficiency of setup, private key generation, signature, and verification. Figure 7(a) describes the comparison of setup time. Our scheme's performance is much better than the [LW10] scheme and the [SUN18] scheme, because they spend too much time calculating the complex pairing operations. Figure 3(b) describes the comparison of key generation time where the number of default attributes is 5. Our scheme's key generation time is less than that of the [BSW07] scheme and the [RW13] scheme. Figure 7(d) describes the comparison of verification time. It shows that our scheme incurs less verification time than the others. Besides, our scheme supports batch verification with time complexity O(·) + n, compared with nO(·) in other schemes. So, if batch signatures are verified, our system's advantage will be more significant. Figure 7(c) describes the performance comparison of signature algorithms, where the number of default attributes is 5. When the size of the user attribute set is less than 25, the advantage of our scheme is not obvious compared with other schemes. But once the user attribute set size exceeds 25, the advantages of our scheme gradually emerge. Our scheme incurs some computational cost for user attribute anonymity and identity tracking, including the calculation of $2|ID_i|$ bilinear operations to establish traceable evidence of user identity, which helps government regulators track down malicious users. So, our scheme is more suitable for large and complex industry networks.

Table 2: Notation description.

| Notations | Description |
| --- | --- |
| $UA$ | The universe AA set |
| $U_{i \mid i \in UA}$ | The attribute set managed by $AA_i$ |
| $U_{ID_i}$ | The attribute set of user $ID_i$ |
| $U_{ID_i,j}$ | The attribute set of $U_{ID_i} \cap U_j$ |
| $\lvert p \rvert$ | The length of the element in $Z_p$ |
| $\lvert ID_i \rvert$ | The size of the user $ID_i$ |
| $\lvert G \rvert$ | The element size in group $G$ |
| $\lvert GT \rvert$ | The element size in the group $G_T$ |
| $n$ | The total number of registered users in the scheme |
| $S_{l*k}$ | The access control strategy matrix and $l$ is the number of attributes |
| $d$ | The default attribute set |
| $N$ | The number of AA servers |

Conclusion
We have proposed a food supply-chain regulation system based on a blockchain-cloud fusion scheme. It keeps the source data with the data owners to protect enterprises' interests and preserves the original system architecture to reduce the cost. Then, we presented a secure DABS scheme and proved that it provides unconditional full anonymity and resists collusion. Our scheme will be more effective in complex industry networks. Besides, the system can promote the social co-governance of food safety, which is essential to the food industry's sustainable development. The blockchain-cloud fusion scheme is a promising technique that can be applied in democratic election systems, online social networks, social co-governance in other industries, etc. [43, 50-56]

Data Availability
No data were used in this study.

Security and Communication Networks