In a traditional cloud storage system, users benefit from the convenience it provides but are also exposed to security and privacy risks. To ensure confidentiality while maintaining data sharing capabilities, the Ciphertext-Policy Attribute-based Encryption (CP-ABE) scheme can be used to achieve fine-grained access control in cloud services. However, existing approaches suffer from three critical concerns: illegal authorization, key disclosure, and privacy leakage. To address these, we propose a blockchain-based data governance system that employs blockchain technology and attribute-based encryption to prevent privacy leakage and credential misuse. First, our ABE encryption system can handle multi-authority use cases while protecting identity privacy and hiding the access policy, which also protects data sharing against corrupt authorities. Second, applying the Advanced Encryption Standard (AES) for data encryption makes the whole system efficient and responsive to real-world conditions. Furthermore, the encrypted data is stored in a decentralized storage system such as IPFS, which does not rely on any centralized service provider and is, therefore, resilient against single-point failures. Third, illegal authorization activity can be readily identified through the logged on-chain data. Besides the system design, we also provide security proofs to demonstrate the robustness of the proposed system.