A secure and efficient multi-domain data sharing model on consortium chain

In large-scale networking scenarios with massive numbers of distributed devices, data are independently generated and maintained by multiple domains. To break down these multi-domain data islands, this paper designs a multi-domain data sharing model based on a consortium chain. To address the low efficiency of traditional data sharing schemes and their neglect of the intra-domain consensus process, the model optimizes the security and efficiency of data sharing in two parts: the inter-domain chain and the intra-domain chain. To make access control on the inter-domain chain fine-grained, flexible and secure, the model combines Attribute-Based Access Control (ABAC) with smart contracts, and a permission grading mechanism narrows the retrieval range by grading and matching the policy set, solving the low retrieval efficiency of this access control model. To address the high consensus delay among densely deployed nodes on the intra-domain chain, a layered practical Byzantine fault tolerance (LPBFT) algorithm that introduces a reputation model is designed, which greatly improves the efficiency and security of intra-domain consensus. The consortium chain model is designed and implemented from both the inter-domain and intra-domain perspectives, optimizing the security and efficiency of multi-domain data sharing. Finally, a prototype system is implemented on Hyperledger Fabric, and the validity of the model is verified in terms of inter-domain access control and the intra-domain consensus algorithm.


Introduction
The interconnection between ubiquitous virtual and physical objects greatly accelerates the need for collecting, aggregating and sharing data on the Internet [1, 2]. In current large-scale, data-intensive sharing applications, nodes usually complete data exchange within and between domains in the form of "centralized domains". A centralized domain is formed by aggregating nodes with the same functions, security requirements and access control boundaries; it is similar to the concept of a security domain in computer networks, that is, a logical area composed of a group of mutually trusting systems with the same security protection requirements.
In the era of interconnected big data, data are no longer islands: their value lies in integration and mining, and enterprises increasingly demand data exchange between distributed centralized domains. Given today's complicated network security situation, however, ensuring secure and efficient data sharing between centralized domains has become a research focus. Traditional methods integrate the data resources of each centralized domain on a centralized data platform protected by cryptographic algorithms [3], but each domain then loses control over its data, which may produce security risks such as leakage and tampering of private data, centralized attacks and opaque authorization [4]. At the same time, because each centralized domain formulates different access control policies according to its own security requirements, a terminal node or domain that needs data resources from other domains (the requesting domain) must issue a different request to each of them, which makes cross-domain data access inconvenient. It is also necessary for the accessed domain (the resource ownership domain) to retain autonomous authorization over its data resources. These issues make secure data sharing between centralized domains very complicated; this paper designs a secure and efficient sharing model for distributed centralized domains based on a consortium chain to solve them.
At present, blockchains can be divided into public, private, and consortium blockchains depending on the participants. A public chain is open to everyone on the network, and anyone can become a node and participate in consensus and rewards according to the corresponding mining rules; a private chain usually runs in a controllable and trusted intranet environment, with entry authorized and controlled by the organization that operates it; a consortium blockchain sits between the two in openness and decentralization, with an efficient operation mechanism, strict protection of corporate privacy, and flexible access rights. Data sharing between centralized domains matches the consortium chain model, in which participants join the network through authorization, so it is very reasonable to use a consortium chain to realize secure inter-domain data sharing. To share the data of centralized domains safely and efficiently, this paper designs a network model that divides the consortium chain into an intra-domain chain and an inter-domain chain and optimizes sharing from these two aspects.
The inter-domain chain needs to keep the data flow of each centralized domain controllable and to protect data security and privacy. The model is based on Attribute-Based Access Control (ABAC): each domain uses the same attribute standard to describe and maintain its own access control policy, realizing autonomous and controllable authorized sharing of data between domains. A centralized domain can also choose to protect sensitive information with asymmetric encryption, which simplifies system management and affords users more secure access. By combining the consortium chain with access control, the access control policy is driven by smart contracts, which automates policy decisions and makes policy execution authentic, transparent and traceable. At the same time, the inter-domain access control model proposed in this paper narrows the access policy set through permission grading and uses Bloom filters to speed up policy retrieval, achieving efficient mutual access while keeping consortium chain sharing secure.
The intra-domain chain needs to maintain the flow and use of data within a centralized domain. To prove the effectiveness of the design, we consider the Internet of Things (IoT) environment as a typical large-scale networking environment with frequent data interaction. Although blockchain technology addresses IoT security problems through a tamper-proof distributed ledger and encrypted information exchange, it is difficult for it to meet the real-time consensus needs of IoT systems. This is because traditional blockchain consensus mechanisms usually consume substantial computing or communication resources to complete the consensus process, while most IoT devices have small memory and storage capacity and limited computing power, making intensive computation difficult. Therefore, in the face of a large number of data sharing transactions in a centralized domain, designing a low-power, high-efficiency consensus mechanism is the key to applying blockchain technology to distributed IoT scenarios. In this paper, an LPBFT algorithm is proposed to reduce communication costs and consensus time, and a behavior-based dynamic reputation model is introduced to select trusted nodes for consensus.
In summary, this paper optimizes the consortium chain model from the two aspects of inter-domain access and intra-domain consensus to ensure the security and efficiency of the system. Our contributions are as follows:
1. For large-data centralized domain scenarios, a cross-domain data sharing model is designed based on the consortium chain, including the network model of the intra-domain chain and inter-domain chain and the hierarchical structure of the blockchain. A data storage structure and a data transaction structure suited to this model are designed.
2. To address the low efficiency and poor security of traditional inter-domain data access models, an attribute-based permission grading access control model adapted to inter-domain data exchange is proposed. Data access control policies are formulated by the provider and published on the blockchain, so that policy creation, update and cancelation are monitored throughout. In addition, we designed the Policy Enforcement Point Contract (PEC), Attribute Authority Point Contract (AAC), Policy Administration Point Contract (PAC), Policy Decision Point Contract (PDC), Policy Information Point Contract (PIC) and other contracts. These smart contracts decide access rights directly, ensuring that the decision process is fair and transparent and the results are authentic and credible. To narrow the scope of policy retrieval and improve retrieval efficiency, the scheme combines access control policies with smart contracts and grades the policies inside the contracts; data requestors then access the access control policy set matching their attribute level.
3. To address the dense distribution of intra-domain nodes and the resulting high consensus delay, a layered practical Byzantine fault-tolerant algorithm that introduces a reputation model is proposed, greatly reducing the delay and communication overhead of the PBFT algorithm.
This paper also compares the proposed model with the PBFT algorithm in terms of throughput and consensus delay to verify its effectiveness.
The structure of this paper is as follows: Section 2 introduces and analyzes model-related technologies and work; Sect. 3 introduces the model framework and data storage structure; Sect. 4 introduces the blockchain-based cross-domain access control model in detail; Sect. 5 introduces the LPBFT algorithm; Sect. 6 analyzes the proposed model and performs performance experiments on it; finally, Sect. 7 gives the conclusion.

Blockchain technology and related work
There are two key technologies in a blockchain system: a smart contract is a set of digitally defined agreements that contract participants can execute on the blockchain, and the consensus algorithm allows the blockchain to reach agreement in distributed scenarios, solving the problem of mutual distrust between nodes. This section introduces blockchain-based access control technology and consensus algorithms for large-scale networking, and explores a safe and efficient cross-domain data sharing model based on them.

Blockchain-based access control method
As an important means of protecting data resources, access control has always been a focus of data security research. Traditional access control models include Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role-Based Access Control (RBAC) [5]. They each play corresponding roles in different scenarios, as shown in Table 1. With the continuous development of cloud computing, the Internet of Things, the mobile Internet and other new computing modes [6], some characteristics of these new computing modes have brought considerable challenges to traditional access control technology.
• Massive In the new computing modes, the number of terminals and users is large-scale. Taking the IoT as an example, the number of terminal nodes grows very large as the IoT develops, with diverse node types and data formats. Faced with massive terminals and permissions, traditional access control technologies manage users and permissions statically; as data grow, a huge access control list must be built and maintained, which greatly increases system overhead and reduces efficiency.
• Dynamic In the new computing modes, nodes, users and data are dynamic: terminal nodes and users move constantly, and data objects change in real time. Traditional static access control cannot predict user information, cannot characterize users and their permissions accurately, and cannot preassign the correspondence between users and permissions. This dynamism also makes updating static access control policies complicated and sensitive.
• Distributed In the new computing modes, the demand for resource sharing and information exchange between centralized domains increases, but the domains are independent of each other and maintain their own access control policies, so a user's permissions in one domain are often invalid in another. Traditional access control technology is mostly applied in closed environments; facing the distributed characteristics of the new computing environment, it cannot support a unified access control policy standard across all domains.
Based on the above analysis, traditional access control technology cannot meet the access control requirements of the new computing environment. Therefore, Attribute-Based Access Control (ABAC) [7], defined over subject, resource, operation and environment, came into being. ABAC takes the attributes of subject and object as the basic decision elements, uses finer-grained attributes or attribute sets to describe entities from multiple perspectives, and adds environmental attributes as constraints, so that policies can change with actual situations and have a degree of flexibility. In the ABAC model, the number of policies grows only linearly with the number of users and resources, so the system cost remains small in the face of massive users and data, and the dynamism problem can be handled effectively. ABAC is an ideal access control model because of its fine granularity, low complexity and rich policy description language, and it scales well in large-scale distributed environments. Applying blockchain technology to access control brings four advantages: decentralization, data encryption, scalability and immutability [8]. Blockchain has developed to version 3.0 [9]; its core technology, the smart contract, is stored on each node in the system and automatically executes the corresponding program when its trigger condition is met [10], building a safe and reliable operating environment for applications and giving the blockchain more powerful functions. Therefore, many scholars have proposed a variety of data access control methods combined with smart contract technology on the blockchain.
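The attribute-matching idea behind ABAC can be sketched in a few lines. The following is a minimal, illustrative decision function under simplifying assumptions: policies are plain attribute-constraint dictionaries, matching is exact equality, and the attribute names (`subject.role`, `resource.type`, etc.) are invented for the example rather than taken from the paper.

```python
# Minimal ABAC decision sketch (illustrative; attribute names are assumptions).
# A policy grants its effect when every attribute constraint it lists matches
# the combined subject/resource/operation/environment attributes of a request.

def abac_decide(request, policies):
    """Return the first matching policy's effect, or 'deny' by default."""
    for policy in policies:
        if all(request.get(k) == v for k, v in policy["constraints"].items()):
            return policy["effect"]          # e.g. 'permit' or 'deny'
    return "deny"                            # default-deny when nothing matches

request = {
    "subject.role": "nurse", "subject.domain": "hospital-A",
    "resource.type": "EHR", "action": "read", "env.time": "working-hours",
}
policies = [
    {"constraints": {"subject.role": "nurse", "resource.type": "EHR",
                     "action": "read"}, "effect": "permit"},
]
print(abac_decide(request, policies))
```

Because decisions depend only on attributes, adding a user or resource means adding attributes, not a new access control list entry, which is the linear-growth property noted above.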
Deploying access control policies in smart contracts ensures that the access control process is transparent and that the judgment results are fair and credible. The literature [11] formulates SBAC, a security access control framework for Information-Centric Networking (ICN) based on blockchain, designs a matching-based access control model for hierarchical access, and uses an access token mechanism for content access operations. The literature [12] proposes the MedChain model, which implements access control through smart contracts; MedChain also adds an incentive mechanism and gives a method to calculate the quality of electronic healthcare records (EHR). Ding et al. [13] proposed an Attribute-Based Access Control scheme for IoT systems to address the unsuitability of traditional access control for the complex, large-scale network structure of the IoT; it uses blockchain technology to record the distribution of attributes to avoid a single point of failure and data tampering, and the blockchain system is maintained by a third-party authority. Ren et al. [14] use blockchain technology to build an identity management and access control mechanism to protect data security in the industrial IoT, use an Attribute-Based Access Control mechanism to define the attribute list of access rights, and list the network devices that can access specific resources. H. Liu et al. [15] proposed an IoT access control system named Fabric-IoT, based on the Hyperledger Fabric blockchain framework and ABAC. The system includes three kinds of smart contracts, namely the Device Contract (DC), Policy Contract (PC) and Access Contract (AC), and uses them to achieve data access control. H. Li et al. [16] proposed a scheme called EduRSS, which uses Ethereum to store and share educational records. In the context of cloud computing, Alansari et al.
[17, 18] store access control policies and user attributes on the blockchain, which acts as a third party only to prevent data tampering. This decentralized service architecture with the blockchain as a third party can effectively avoid the risks of centralized management, but in a multi-centralized-domain environment, problems such as malicious node cheating and poor user autonomy remain. It can be seen that blockchain-based data sharing models for inter-domain access control still leave problems to be studied and solved.

Optimization of consensus algorithm
The consensus algorithm [19] is used to guarantee consistency between untrusted nodes in the blockchain network. Currently, common consensus mechanisms in blockchain include Proof of Work (PoW) [20], Proof of Stake (PoS), Delegated Proof of Stake (DPoS) [21] and the Practical Byzantine Fault Tolerant algorithm (PBFT) [22]; most remaining consensus mechanisms are derived from these four. The four algorithms are compared in terms of communication overhead, computing overhead, fault tolerance, throughput, response time, degree of decentralization and application platform, as shown in Table 2.
The consensus algorithm in large-scale networking environments is a focus of current research, so the IoT environment among the new computing modes is taken as an example for analysis. PoW gives the system 50% fault tolerance through computing-power competition, but mining consumes enormous computing power and resources and takes a long time to confirm transactions; since IoT systems contain many low-power devices incapable of intensive computation, PoW is not suitable for them. Although PoS alleviates PoW's high energy consumption, it brings coin-age accumulation attacks and bribery attacks. In addition, because the block-producing nodes of PoW and PoS are uncertain, the blockchain can fork, reducing system performance, so these algorithms are also difficult to apply to IoT systems. Compared with PoW and PoS, DPoS improves throughput, but its degree of decentralization is insufficient, and it is hard to select representative nodes among widely distributed IoT devices. Compared with proof-based algorithms such as PoW, the PBFT algorithm reaches thousands of TPS with response times in seconds, and is considered a consensus algorithm suitable for IoT systems [23]. However, in a network with N nodes, PBFT requires the N nodes to broadcast messages to the entire network twice to complete a round of consensus. As the number of nodes in the system increases, the communication volume between nodes increases sharply, putting huge pressure on network bandwidth and causing system performance to decline rapidly. Therefore, PBFT is difficult to apply to the large-scale network environment of the intra-domain chain.
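The quadratic growth described above can be made concrete with a back-of-the-envelope count. The sketch below is a simplification (the reply phase, view changes and constant factors are omitted, and the 10-group layered split is an arbitrary illustration, not the paper's configuration), but it shows why two all-to-all phases dominate and why grouping nodes into layers reduces the total.

```python
# Back-of-the-envelope message counts for one consensus round (simplified:
# client reply phase and constants omitted). Classic PBFT needs a leader
# pre-prepare plus two all-to-all broadcast phases, so traffic grows
# quadratically with the node count N.

def pbft_messages(n):
    # pre-prepare (n-1 sends) + prepare and commit all-to-all broadcasts
    return (n - 1) + 2 * n * (n - 1)

def layered_messages(n, groups):
    # assumed layered scheme: run PBFT inside each equal-size group,
    # then once more among the group leaders
    m = n // groups
    return groups * pbft_messages(m) + pbft_messages(groups)

for n in (40, 100, 400):
    print(n, pbft_messages(n), layered_messages(n, 10))
```

At N = 100 the flat count is already close to 20,000 messages per round, while the layered count stays in the low thousands, which is the intuition behind the LPBFT design in Sect. 5.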
PBFT is both a classical Byzantine fault-tolerant state machine replication algorithm and a mainstream vote-based algorithm. It ensures both the safety and liveness of the system and tolerates up to (n − 1)/3 faulty nodes, where n is the total number of nodes. Considering that node members do not carry equal weight in real scenarios, Kai Lei et al. designed a reputation model to evaluate the operation and behavior of each node in the consensus process: when malicious behavior is detected, the node's reputation value is reduced. By weakening the voice of malicious and faulty nodes and designing an unfixed view rotation mechanism to ensure the safe operation of the system, the threat of malicious attacks is mitigated to a certain extent [24]. Yu et al. proposed a trust-based dynamic grouping Byzantine fault-tolerant algorithm that divides nodes into groups by trust value and assigns consensus tasks to each group, reducing network communication and improving consensus efficiency [25]. Hu et al. [26] introduced a reward and punishment mechanism into the consensus algorithm to encourage edge servers with low reputation values to participate actively in resource allocation and consensus: generating valid blocks is rewarded, while malicious behavior forfeits the "deposit" submitted to the smart contract. Wang et al.
[27, 28] similarly designed a reputation-based consensus protocol to promote honest behavior in user groups. Current optimization research on PBFT usually controls the node scale by letting a small number of nodes stand in for the whole network, which reduces communication to a certain extent and improves algorithm efficiency. However, in a large-scale network environment, selecting only some nodes to participate in consensus exposes the system to the risk of centralization. Therefore, this paper designs a layering-based consensus mechanism to improve consensus efficiency.
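The reputation-based schemes surveyed above share a common shape: honest participation raises a node's score slowly, detected misbehavior lowers it sharply, and consensus roles go to the most trusted nodes. The following sketch illustrates that shape only; the reward and penalty values and the top-k selection rule are assumptions for illustration, not parameters from any of the cited works.

```python
# Sketch of a behavior-based dynamic reputation model (reward/penalty
# values are illustrative assumptions). Honest participation raises a
# node's reputation slowly; detected misbehavior lowers it sharply, and
# consensus nodes are drawn from the highest-reputation set.

def update_reputation(rep, honest, reward=0.05, penalty=0.3):
    rep = rep + reward if honest else rep - penalty
    return min(1.0, max(0.0, rep))           # clamp to [0, 1]

def select_consensus_nodes(reputations, k):
    """Pick the k most-trusted node ids."""
    return sorted(reputations, key=reputations.get, reverse=True)[:k]

reps = {"n1": 0.8, "n2": 0.5, "n3": 0.9, "n4": 0.2}
reps["n2"] = update_reputation(reps["n2"], honest=True)    # small reward
reps["n3"] = update_reputation(reps["n3"], honest=False)   # sharp penalty
print(select_consensus_nodes(reps, 2))
```

The asymmetry between reward and penalty is the point: a node cannot quickly rebuild trust after cheating, which discourages one-shot malicious behavior.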
Overview of the cross-domain data sharing model

Centralized domain network structure
As shown in Fig. 1, the consortium chain is jointly maintained by the centralized domains and comprises the inter-domain chain and the intra-domain chains. The inter-domain chain records the data interaction between institutions and the attributes of all members, while each intra-domain chain records original data summaries, access policies and data interactions between internal members.

Fig. 1 Centralized domain network structure
Intra-domain chain It ensures that data within a centralized domain are secure, traceable and tamper-proof. When a node updates data in the centralized domain, it stores the data in the off-chain database and uploads the data summary and the corresponding access control policy to the intra-domain chain. After receiving this message, the consensus nodes verify its validity and record it in the current block.
Inter-domain chain It shares all member attributes within the entire system and places each centralized domain under supervision. The attribute information of all members in the system is recorded on this kind of chain to facilitate the formulation of Attribute-Based Access Control policies for data resources in a centralized domain. In addition, the sharing of data resources between domains will also be recorded by the inter-domain chain, so that regulators can trace and manage the source of the problem data.
The network structure contains three types of nodes: intra-domain nodes, inter-domain nodes and intermediate nodes. Intra-domain nodes interact with other centralized domains through intermediate nodes.
Intra-domain nodes They maintain the intra-domain chain. An intra-domain node stores its data resources in the off-chain database after asymmetric encryption, obtains the data digest by a hash operation, and finally puts the data digest, Merkle tree and corresponding access control policy on the chain for query and verification.
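The upload step just described keeps the raw record off-chain and anchors only its digest (plus the access policy) on the intra-domain chain. A minimal sketch, with the encryption step elided and plain dictionaries standing in for the off-chain database and the ledger:

```python
# Sketch of the intra-domain upload step: the raw record stays in an
# off-chain store; only its digest and access policy go on chain.
# (Asymmetric encryption is elided; SHA-256 stands in for the chain's
# hash function, and the two dicts are stand-ins, not real components.)

import hashlib

off_chain_db = {}          # stands in for the off-chain database
intra_domain_chain = []    # stands in for the intra-domain ledger

def upload(record: bytes, policy: dict):
    digest = hashlib.sha256(record).hexdigest()
    off_chain_db[digest] = record                        # off-chain storage
    intra_domain_chain.append({"digest": digest,         # on-chain summary
                               "policy": policy})
    return digest

d = upload(b"device-record-001", {"subject.role": "operator", "action": "read"})
# later: verify the off-chain record against the on-chain digest
assert hashlib.sha256(off_chain_db[d]).hexdigest() == d
```

Any tampering with the off-chain record changes its hash and is caught by the final comparison against the immutable on-chain digest.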
Inter-domain nodes They participate only in the construction of the inter-domain chain and record the data interaction between domains and the attribute information of all nodes in each domain. An inter-domain node maintains only the inter-domain chain and does not belong to any intra-domain chain. Its main function is to let regulators or industry associations supervise the inter-domain chain, control the flow of data, and trace responsibility when disputes occur.
Intermediate node It connects the inter-domain chain and the intra-domain chain for data transmission and combines the functions of the intra-domain node and the inter-domain node. Intra-domain nodes obtain the attribute information of other members in the system through it, and inter-domain nodes obtain the data resources of its organization through it. Sharing data across centralized domains requires the use of intermediate nodes, as described in Sect. 4.

Hierarchical design of blockchain model
As shown in Fig. 2, the blockchain-based data sharing model includes the following five layers:
• Data Layer It defines the block and transaction structures in which all kinds of data are stored on the chain, as described in the data storage service below.
• Network Layer It provides the P2P network, data broadcast and data verification services for data interaction. Data resource requests or responses, and operations such as creation, update and revocation of attributes and policies, are broadcast between domains through the blockchain network. Each node on the chain verifies the legality of these messages and continues to propagate only legal ones.
• Consensus Layer The system adopts the LPBFT consensus algorithm to ensure scalability, reduce delay and improve throughput. At the same time, a reputation model is introduced to dynamically measure the credibility of nodes, ensuring the security and reliability of the system. The algorithm design is detailed in Sect. 5.
• Contract Layer It includes the PIC, PEC, PAC, PDC, AAC and other contracts: the PIC queries entity attributes and attribute relationships, the PEC parses the original access request sent by a node, the PAC manages the access policies formulated by nodes, the PDC decides on access requests, and the AAC manages the attribute information of nodes.
• Application Layer It mainly provides the functional applications, such as query operations, data resource requests, request responses, and the publication, update and revocation of attributes, attribute relationships and access control policies.

Data storage service
All kinds of data are stored in blocks in the form of transactions. The blockchain classifies transactions into transaction data sets and packages them into blocks for storage. The block format is shown in Fig. 3; a data block is composed of a block header and a block body. The block header encapsulates information such as the hash of the previous block, the Merkle root, and the timestamp; the block body includes the number of transactions in the current block and all the verified transaction data generated during block creation, mainly smart contracts, attributes and attribute relationships, access control policies, and requests/responses. These transactions are hashed through a Merkle tree to generate a unique Merkle root, which is included in the block header. The Merkle root can quickly summarize and verify the existence and integrity of block data, greatly improving the operational efficiency and scalability of the blockchain.
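The Merkle-root construction used in the block header can be sketched as follows. This is a minimal Bitcoin-style tree (the last hash is duplicated at odd-sized levels); the model's actual tree layout may differ.

```python
# Minimal Merkle-root construction over a block's transaction hashes.
# (Odd-sized levels duplicate the last hash, as Bitcoin-style trees do;
# the paper's exact tree layout may differ.)

import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def merkle_root(tx_hashes):
    level = list(tx_hashes)
    while len(level) > 1:
        if len(level) % 2:                 # odd count: duplicate the last hash
            level.append(level[-1])
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

txs = [h(t) for t in (b"attr-tx", b"policy-tx", b"request-tx")]
root = merkle_root(txs)
print(root.hex())
```

Verifying that one transaction belongs to a block then needs only the sibling hashes along its path to the root, i.e. logarithmically many hashes rather than the whole block body, which is what makes the summary "quick" in the sense used above.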

Blockchain network workflow
• All kinds of data are encapsulated into transactions by the publisher according to the above data format and broadcast to the whole network through the blockchain network.
• The on-chain nodes verify each transaction: if it is legitimate, they continue to broadcast it to nearby nodes; otherwise, propagation stops.
• After receiving a transaction, a network node serving as a consensus node puts it into a waiting queue, where transactions are classified and sorted by type; once each type of data reaches a certain amount, the transactions are encapsulated into a block.
• The consensus node broadcasts the block across the whole network, and the other nodes verify its validity: if it is legal, the block is appended to the tail of the local blockchain; otherwise, propagation stops.
Through the above process, the data encapsulated into transactions are stored in the blockchain network, so as to achieve the purpose of transparency, credibility, traceability and verification of the data sharing process.

ABAC general framework and access process
The access control framework based on blockchain and permission grading proposed in this paper combines the ABAC model with blockchain smart contracts and controls access to data resources on the basis of user permission grading and policy grading. The core parts of the ABAC model correspond to the PEC, AAC, PIC, PAC and PDC, respectively, and the specific access control judgment process is shown in Fig. 4. The access control model deployed on the blockchain operates in two stages: policy formulation and policy execution.
Policy formulation stage This stage collects and integrates attributes, attribute relationships and policy information. The specific process is as follows:
• The intermediate node sends the attributes of the internal nodes of its domain and the corresponding attribute relationships to the inter-domain chain, and all intra-domain nodes in the system can obtain these data through the intermediate node. The AAC on each domain's chain collects such information in advance and then integrates and organizes it for the node to formulate the PAC.
• The access control policy is issued by the data owner to the intra-domain chain, and the PAC describes and integrates the policy together with the attribute information for the PDC to judge access requests.
Policy execution stage This stage completes the response to the original data request and makes the decision that produces the access result. The specific process is as follows:
• When the PEC receives a request to execute an operation on a resource, it parses the original data request to obtain the subject, the object information and the intended operation semantics. It then accesses the AAC to generate an Attribute-based Access Request (AAR) and transmits that request to the PDC.
• After receiving the AAR, the PDC asks the PAC to query the policy information and determine whether the requesting user is legitimate. If not, the access request is terminated.
• If the user is legitimate, the user's permission grade is obtained and used both in the request to the PIC for the resource requester's attributes and in the request to the PAC for the resource's access control policies. According to the user's grade, if no policy in the same-grade policy set matches, the policy set of the next grade is retrieved for matching.
• The PDC compares the attributes in the resource's access control policy with the attribute information of the resource requester and sends the judgment result to the PEC.
• According to the judgment result returned by the PEC, the corresponding authorization (permission or rejection) operation is performed on the data resource that the subject requests to access.
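The graded retrieval step above, combined with the Bloom filters mentioned earlier, can be sketched as follows. The bucket sizes, filter parameters and the fall-back to lower grades are illustrative assumptions; the point is only that a per-grade filter lets the contract skip whole policy sets before any per-policy comparison.

```python
# Sketch of graded policy retrieval: policies are bucketed by permission
# grade, and a small Bloom filter per bucket lets the lookup skip buckets
# that cannot match before any per-policy comparison. Filter size/hash
# count and the grade layout are illustrative assumptions.

import hashlib

class Bloom:
    def __init__(self, m=256, k=3):
        self.m, self.k, self.bits = m, k, 0
    def _positions(self, item):
        for i in range(self.k):
            d = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(d[:4], "big") % self.m
    def add(self, item):
        for p in self._positions(item):
            self.bits |= 1 << p
    def might_contain(self, item):
        return all(self.bits >> p & 1 for p in self._positions(item))

# one (filter, policy set) bucket per permission grade
graded = {1: (Bloom(), []), 2: (Bloom(), [])}
g2_bloom, g2_policies = graded[2]
g2_bloom.add("subject.role=nurse")
g2_policies.append({"subject.role": "nurse", "effect": "permit"})

def retrieve(grade, attr):
    """Search the requester's own grade first, then lower grades."""
    for g in sorted(graded, reverse=True):
        if g > grade:
            continue                        # never read above one's grade
        bloom, policies = graded[g]
        if bloom.might_contain(attr):       # skip buckets that cannot match
            return policies
    return []

print(retrieve(2, "subject.role=nurse"))
```

A Bloom filter can return false positives but never false negatives, so a skipped bucket is guaranteed not to contain the attribute, which is why the shortcut never loses a matching policy.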
Simply speaking, the PEC receives the original access request (NAR) and constructs an attribute-based access request (AAR) according to the attribute information in the attribute authority (AA). The AAR describes the subject, resource, operation and environment attributes. If the request should not be disclosed, the PEC seals the AAR with the public key of the domain to which the resource belongs, forms a request transaction, and broadcasts it through the blockchain network. The nodes in the blockchain network verify the legitimacy of the transaction and continue to propagate it. After receiving the transaction, the resource domain invokes the PDC, which invokes the PAC and PIC to obtain the policy set and attribute information to decide on the AAR; it then encrypts the result and the resource access address with the public key of the requesting domain into the corresponding response transaction, which is broadcast through the blockchain network. After receiving the response transaction, the PEC executes the access according to the result. The format of the various non-contract transactions in the blockchain is shown in Fig. 5: ID is the transaction number; Transaction-Type is the transaction type, namely attribute transaction A, access control policy transaction P, or data request/response transaction R; Publisher-PK is the public key address of the publisher and is used for encryption in data request/response transactions; Operation-Type is the operation type, namely creation C, update U, or revocation D (for data request/response transactions the operation field defaults to creation C); Transaction-Data carries the specific information of the transaction, and its format differs for different transaction types.
Timestamp represents the transaction creation timestamp. Signature represents the signature of the publisher.
The various non-contract transaction types are packed into blocks for storage in the data format shown in Fig. 5. Once these transactions are packed into blocks, they cannot be changed or deleted, so they can be audited later. A transaction has three operation types: a creation operation C can only be performed once, an update operation U can be performed several times until the transaction is revoked, and a revocation operation D can only be performed once. The operation type of the transaction is used as the basis for the system to judge whether the transaction is legal. The judgment method is as follows:
• Check whether the data format of the transaction is correct. If yes, proceed to the next step;
• Check whether the transaction signature is valid by using the public key of the publisher (Publisher-PK), and proceed to the next step if it is valid;
• Check whether the operation type is legal with respect to the transaction's operation history (C at most once, U only before revocation, D at most once).
The access control policy is stored in the blockchain to prevent the centralized policy judgment from being opaque and to ensure that the policy is judged according to the intention of the domain to which the resource belongs; that is, the policy information and the policy execution result are open, transparent, verifiable, traceable and tamper-proof for each centralized domain in the blockchain. If encryption is not performed, all centralized domains that maintain the blockchain can publicly verify the policy information and the results of policy execution. If the AAR is encrypted, the resource requesting domain can still verify the policy information and policy execution results, ensuring the credibility of the access control process and its results.
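The three-step legality judgment above can be sketched as follows. The field names, the hash-based stand-in "signature", and the per-transaction history bookkeeping are illustrative assumptions, not the paper's concrete implementation; a real deployment would verify an asymmetric signature against Publisher-PK.

```python
import hashlib
from dataclasses import dataclass

# Stand-in "signature": a hash over the payload keyed by the publisher's
# public key. This is only a placeholder for a real asymmetric signature.
def sign(publisher_pk: str, payload: str) -> str:
    return hashlib.sha256(f"{publisher_pk}|{payload}".encode()).hexdigest()

@dataclass
class Transaction:
    tx_id: str
    tx_type: str        # 'A' attribute, 'P' policy, 'R' request/response
    publisher_pk: str
    op_type: str        # 'C' create, 'U' update, 'D' revoke
    data: str
    timestamp: int
    signature: str

def is_legal(tx: Transaction, history: dict) -> bool:
    """Three checks: data format, publisher signature, operation-type rules."""
    # 1. Data format: transaction and operation types must be known.
    if tx.tx_type not in ('A', 'P', 'R') or tx.op_type not in ('C', 'U', 'D'):
        return False
    # 2. Signature must verify under the publisher's public key.
    if tx.signature != sign(tx.publisher_pk, tx.data):
        return False
    # 3. Operation rules: C at most once, U only while created and not
    #    yet revoked, D only after creation and at most once.
    ops = history.get(tx.tx_id, [])
    if tx.op_type == 'C' and 'C' in ops:
        return False
    if tx.op_type in ('U', 'D') and ('C' not in ops or 'D' in ops):
        return False
    return True
```

A node would run `is_legal` on each received transaction before relaying it, appending the operation type to `history[tx.tx_id]` on success.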
The blockchain network serves as the transmission medium for all transactions, so its processing is completely transparent to the resource requesting domain. The resource requesting domain can encrypt its request with the public key of the domain to which the resource belongs, which effectively prevents privacy disclosure while making full use of the characteristics of the blockchain network, thus ensuring privacy in the open inter-domain blockchain network.

Design of policy grading
Each policy has different trustworthiness values for different entity attributes, and the trustworthiness values are affected by access requests and system interactions.
When an access request accesses the object resource normally or maliciously, the credibility value of the corresponding policy is increased or decreased. When the credibility value of a policy rises or falls to certain values, it is mapped to different credibility levels. The final credibility value of each policy is obtained from its initial credibility value and historical credibility value, and serves as the basis for mapping the policy to a credibility level.

Initial and historical credibility value
Whenever a policy owner releases an access control policy, the system performs a weighted calculation over the association degree R(s,e) between the subject attributes and environmental security, the association degree R(o,e) between the object attributes and environmental security, and the association degree R(a,e) between the operation behavior and environmental security of the policy, to obtain the initial credibility value of the policy: CurrentT(u) = ω1·R(s,e) + ω2·R(o,e) + ω3·R(a,e), where ω1, ω2, ω3 are the weight ratios of the three weighted attribute values, with ω1 + ω2 + ω3 = 1.
When the access control policy is authorized for the first time, the first historical credibility value will be generated. With the increase in access authorization times of the latter policy, the historical credibility value of the policy needs to change according to the change of time slices.
HistoryT(u) = (1/n)·Σ_{i=1}^{n} WT_i, where WT_i represents the weighted value of the interaction behavior at time slice t_i authorized by the policy, and t_i represents the time slice from the access request matching the policy to the completion of the authorization. If the access request is the first access, that is, when n = 0, there is no historical credibility value and HistoryT(u) = 0.

Final credibility value and mapping
The final credibility value is obtained from the initial credibility value and the historical credibility value: FinalT(u) = a·CurrentT(u) + b·HistoryT(u), where a represents the weight of the initial credibility value, b represents the weight of the historical credibility value, and the two satisfy a + b = 1. In the calculation of the final credibility value, CurrentT(u) has more reference value than HistoryT(u), so a > b. According to the final credibility value FinalT(u) of the policy, the corresponding credibility level of the policy is obtained through mapping. The mapping between final trust values and credibility levels is shown in Table 3.
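As a worked example of the final-value computation and level mapping, a minimal sketch follows. The weight values a = 0.6, b = 0.4 and the five equal-width intervals are illustrative assumptions; Table 3 defines the actual mapping.

```python
def final_credibility(current_t: float, history_t: float,
                      a: float = 0.6, b: float = 0.4) -> float:
    """FinalT(u) = a*CurrentT(u) + b*HistoryT(u), with a + b = 1 and a > b."""
    assert abs(a + b - 1.0) < 1e-9 and a > b
    return a * current_t + b * history_t

def credibility_level(final_t: float) -> int:
    """Map a final credibility value in [0, 1] to one of five levels.
    The interval boundaries below are assumed; the paper's Table 3
    fixes the real ones."""
    bounds = [0.2, 0.4, 0.6, 0.8]
    return 1 + sum(final_t >= bnd for bnd in bounds)
```

For example, a policy with CurrentT(u) = 0.8 and HistoryT(u) = 0.5 gets FinalT(u) = 0.68 under these weights and lands in the fourth level.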
In this scheme, the trust value is divided into five intervals and the policies are correspondingly divided into five credibility levels; every access control policy can be classified into one of these five categories according to its computed trust value, and different credibility levels comprise different policy sets. A resource visitor obtains access authorization by matching policies of the corresponding level according to the resource level. The user grade evaluation of the resource visitor is calculated in the same way as the policy credibility value and is not repeated here.

Design of smart contract
Traditional access control mostly uses a centralized structure to grant and manage data, which leads to problems such as the central node being easy to attack and the single decision point being impossible to monitor. Blockchain can establish trust relationships between nodes that do not trust each other, and on the basis of cryptographic support and distributed networking, the data stored on the chain are tamper-proof and traceable, so the access control policies deployed on the chain are reliable information that can be verified and traced. The use of smart contracts ensures that policy enforcement is free from third-party control, fair, transparent and automated, so describing access control policies with smart contracts overcomes the shortcomings of traditional access control models, such as the limited credibility of judgment results and the opacity of the judgment process. Trusted data access control with open policies, a visible process and complete decentralization is thus realized. In this model, the smart contract acts as the agent, and the microsystem provides query or decision services for the relevant attributes and policies: the PIC provides the attribute query service, the PAC provides the policy query service, and the PDC provides the policy decision service. At the same time, because the number of blocks keeps increasing after data are stored in the blockchain, data query efficiency is an important issue facing current blockchain systems. This model therefore also designs a permission grading mechanism, which improves retrieval efficiency by reducing the range of policy sets and attribute sets to be searched. The smart contracts are briefly described below.

• PIP Contract
In the ABAC model, the Policy Information Point (PIP) provides the various attributes and attribute relationships of entities. In the model described in this paper, attributes and attribute relationships are stored in the blockchain to ensure their trustworthiness. The main function of the PIC is to provide an attribute query service for the PEC and PDC. For ease of presentation, the following definitions are made: Definition 1 An attribute (Attr) is a variable with a specified data type and range. In this paper, xAttr-Set, x ∈ {s, r, a, e}, denotes the attribute sets of subject, resource, operation and environment, respectively. The relationship xAttrVp = <xAttr ∝ attrValue>, x ∈ {s, r, a, e}, ∝ ∈ {=, ≠, >, <, ≥, ≤, in, not in, between}, between an attribute name and an attribute value is called an attribute name-value pair. Let xAttrVp-Set, x ∈ {s, r, a, e}, denote the sets of subject, resource, operation and environment attribute name-value pairs, respectively.

The PIC pseudocode is as follows:

• PAP Contract
In the ABAC model, the Policy Administration Point (PAP) is used to manage and integrate access control policies. The PAP queries the access control policies that meet the requirements according to the provided AAR, integrates them into a policy set, and sends it back to the PDP for a policy decision. In the model described in this paper, each centralized domain describes its access control policies according to its own security requirements using standardized, unified, fine-grained attribute information; the policies are encapsulated in the access control policy transaction data format, released to the blockchain and stored by it, ensuring the openness and credibility of the policies. The PAC provides a policy query service for the PDC. For ease of description, the following definitions are made: Definition 2 An attribute access request (AAR) consists of the sets of attribute name-value pairs of subject, resource, operation and environment, represented by the quadruple AAR = <sAttrVp-Set, rAttrVp-Set, aAttrVp-Set, eAttrVp-Set>. sAttrVp-Set represents the set of subject attribute name-value pairs, rAttrVp-Set the set of resource attribute name-value pairs, aAttrVp-Set the set of operation attribute name-value pairs, and eAttrVp-Set the set of environment attribute name-value pairs. The meaning of an AAR is "the subject whose attributes are sAttrVp-Set requests to perform the operation aAttrVp-Set on the resource rAttrVp-Set under the environment attributes eAttrVp-Set." Definition 3 An access control policy defines the set of attributes required to perform a specific operation on a resource and is represented by the triple Policy = <pAttr-Set, Rule, CombiningAlgorithm>.
In the triple, pAttr-Set represents the attribute set of the policy, Rule represents the rule set, and CombiningAlgorithm represents the combination algorithm. pAttr-Set is represented by the quadruple pAttr-Set = <sAttr-Set, rAttr-Set, aAttr-Set, eAttr-Set>, where sAttr-Set represents the subject attribute set, rAttr-Set the resource attribute set, aAttr-Set the operation attribute set, and eAttr-Set the environment attribute set; together they determine whether the policy matches a request.
Rule represents the set of rules: Rule = {rule_1, rule_2, …, rule_n}, where rule_n denotes the n-th rule. Each rule is represented by the quadruple rule = Result ← <sAttrVp-Set, rAttrVp-Set, aAttrVp-Set, eAttrVp-Set>, where sAttrVp-Set represents the set of subject attribute name-value pairs, rAttrVp-Set the set of resource attribute name-value pairs, aAttrVp-Set the set of operation attribute name-value pairs, and eAttrVp-Set the set of environment attribute name-value pairs. Result represents the decision result of the rule, with Result ∈ {Permit, Deny}.
CombiningAlgorithm is a combination algorithm used to solve policy conflict, which solves the problem of rule set decision conflict.
The PAC pseudocode is as follows:

• PDP Contract
The Policy Decision Point (PDP) is used to evaluate access control policies, and the final result is Permit or Deny. When the attributes and attribute values in the AAR satisfy the predicates and constraints on the attributes and attribute values of a policy, the access request is said to satisfy the policy; that is, the attributes are the same and the attribute values conform to the policy's predicates or constraints, and the final judgment result is the Permit or Deny specified by the policy. Otherwise, when the attribute information provided in the AAR is insufficient or does not satisfy the attribute predicates and constraints in the policy, the result is Unknown. In the policy determination of this paper, a request determined to be Unknown is finally authorized as Deny. The PDC is used for access control decisions.
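A minimal sketch of the decision logic just described, with hypothetical attribute names and a reduced predicate set (the actual contract evaluates the full ∝ predicate set and the combining algorithm):

```python
def satisfies(request_attrs: dict, rule_attrs: dict) -> bool:
    """A request satisfies a rule when every attribute the rule names is
    present in the request and its value passes the rule's predicate.
    Only a few predicates from the paper's set are implemented here."""
    for name, (op, want) in rule_attrs.items():
        if name not in request_attrs:
            return False                      # insufficient information
        have = request_attrs[name]
        if op == '=' and have != want:
            return False
        if op == 'in' and have not in want:
            return False
        if op == '>=' and not have >= want:
            return False
    return True

def decide(aar: dict, policy_rules: list) -> str:
    """Return Permit/Deny; an Unknown outcome is authorized as Deny."""
    for rule_attrs, result in policy_rules:
        if satisfies(aar, rule_attrs):
            return result                     # 'Permit' or 'Deny'
    return 'Deny'                             # Unknown falls back to Deny

# Hypothetical single-rule policy: doctors at permission level >= 3 may read.
rules = [({'role': ('=', 'doctor'), 'level': ('>=', 3)}, 'Permit')]
print(decide({'role': 'doctor', 'level': 4}, rules))   # Permit
print(decide({'role': 'nurse', 'level': 4}, rules))    # Deny
```

Note how a request missing an attribute the rule needs falls through to the Unknown branch and is denied, matching the paper's conservative default.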

Bloom filter
Applying a Bloom filter [29] to attribute management and policy management in the permission grading model has obvious advantages and practical value: it can significantly improve the retrieval efficiency of the relevant information and quickly determine whether a given element exists in the current set. The Bloom filter gains this retrieval efficiency by sacrificing some accuracy. There is a certain error rate in the retrieval results, but this error can be tolerated because the filter never misses: if the set contains the element being looked up, it will be found. Its only error mode is that, with a small probability, an element that does not exist is judged to exist, and the chance of such a mistake is very small. The great saving in storage space is worth this small error cost, so the Bloom filter can be used to manage data such as access policies and attribute information on top of permission-graded access control. Its principle is briefly as follows: given a set S = {x_1, x_2, …, x_n}, the elements are mapped into an m-bit array by k independent hash functions. For given m and n, the false positive rate is minimized when k = (m/n)·ln 2, and the minimum false positive rate is (1/2)^k ≈ 0.6185^(m/n). The algorithm pseudocode for the Bloom filter is as follows:
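As an illustration, a minimal Bloom filter over policy identifiers might look as follows; the bit-array size, the SHA-256-based hash construction, and the string keys are implementation choices for this sketch, not prescribed by the paper.

```python
import hashlib
import math

class BloomFilter:
    """m-bit Bloom filter with k hash functions: no false negatives,
    false positives at a small, tunable rate."""
    def __init__(self, m: int, k: int):
        self.m, self.k = m, k
        self.bits = bytearray(m)

    def _positions(self, item: str):
        # Derive k independent positions by salting SHA-256 with the index.
        for i in range(self.k):
            h = hashlib.sha256(f"{i}:{item}".encode()).hexdigest()
            yield int(h, 16) % self.m

    def add(self, item: str):
        for p in self._positions(item):
            self.bits[p] = 1

    def __contains__(self, item: str) -> bool:
        # All k bits set => "possibly present"; any bit clear => "absent".
        return all(self.bits[p] for p in self._positions(item))

def optimal_k(m: int, n: int) -> int:
    """k = (m/n) * ln 2 minimizes the false positive rate."""
    return max(1, round((m / n) * math.log(2)))
```

With m = 1024 bits for n = 50 policies this gives k = 14 hash functions; every inserted policy identifier is guaranteed to be reported present.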

Scenario description of intra-domain
The centralized domain is regarded as a large-scale wireless intensive network scenario, which is composed of N full nodes and several light nodes randomly distributed in the plane. Each node is connected to the nearest wireless access point through a wireless channel, and N full nodes form a fully connected wireless network. The network topology of this scenario is shown in Fig. 6.
• Full node
Full nodes are better-performing nodes with the full functionality of the blockchain: they process transactions in the network, participate in the block consensus process, and synchronize the complete blockchain locally.
• Transaction node
A transaction node can be regarded as a traditional low-power IoT device, equivalent to a lightweight client. It sends transaction requests to the full nodes according to the functional requirements of the system and stores some data related to itself.
Transaction nodes submit transactions to full nodes according to different applications, such as sensing data from the environment and location information of devices. Transactions are received by as many full nodes as possible, and the full nodes cache the received transaction information locally. The out-block node packs the transactions in the network over a period of time and organizes them into a new block, and the full nodes verify and share the new block through information exchange. If a valid block is generated at the end of a round of consensus, each full node deletes the transactions contained in the block from its local cache pool and synchronizes the new block locally; if an invalid block is generated, the block is discarded. Once consensus is reached in the blockchain network, the transaction is permanently recorded in the blockchain. For the above network scenario, this paper assumes the following conditions:
• The system perceives the joining and leaving of nodes through a trusted Certificate Authority (CA); that is, the system supports dynamic changes in the number of nodes.
• Digital signature technology ensures the safe and reliable transmission of information between nodes, and Byzantine nodes cannot break the hash function or forge signatures.
• Within the coverage of the wireless network, faulty nodes do not interfere with the information transmission of other nodes.

Overview of the algorithm
In this paper, we propose a layered practical Byzantine fault tolerance (LPBFT) optimization algorithm for the above large-scale dense wireless network scenario. The LPBFT consensus algorithm is divided into three stages, whose flow is shown in Fig. 7:
• Preparation phase. Complete initialization work such as distributing keys and setting initial reputation values for the nodes, then cluster the nodes participating in the consensus according to their reputation values into k node clusters.
• Consensus implementation phase. The consensus nodes verify and vote on the new block through information exchange within and between clusters, respectively, and synchronize the verified and voted block locally.
• Reputation update phase. Update the reputation values according to the behavior of the nodes during the consensus process.
When a consensus round completes, or a consensus timeout triggers a view change, a new round of consensus begins; after k rounds of consensus, the next cycle starts and the nodes are re-clustered.

Preparation phase
In the preparation phase, we first complete a series of initialization work such as assigning keys to nodes and setting initial reputation values and then cluster the nodes to form multiple node clusters. The formation process of node clusters is as follows.
After the nodes are clustered, k node clusters are formed, which are called sub-clusters. The node with the highest reputation value in each sub-cluster is the primary node of the sub-cluster, and the primary node forms the main cluster. The network composed of sub-clusters is called the bottom network, and the network composed of main clusters is called the upper network, thus forming a multi-center hierarchical network structure. The network structure after clustering is shown in Fig. 8.
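Under the simplifying assumption that clustering deals the reputation-ranked nodes round-robin into k groups (the paper's exact clustering procedure is not reproduced here), the formation of the sub-clusters and the main cluster can be sketched as:

```python
def cluster_nodes(reputations: dict, k: int):
    """Sort nodes by reputation and deal them round-robin into k sub-clusters;
    the highest-reputation member of each sub-cluster is its primary node,
    and the primaries together form the main cluster."""
    ranked = sorted(reputations, key=reputations.get, reverse=True)
    clusters = [ranked[i::k] for i in range(k)]      # bottom-layer network
    primaries = [c[0] for c in clusters]             # upper-layer network
    return clusters, primaries
```

Because the list is sorted before dealing, the first member of each sub-cluster is both its local maximum and one of the k globally best-reputed nodes, so the main cluster consists of the top-k nodes.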

Consensus implementation phase
The nodes are divided into k sub-clusters by clustering, the node with the highest reputation value in each cluster is the primary node, and the rest nodes are slave nodes. The k primary nodes form a master cluster, the nodes in the master cluster pack the transactions in the network in turn, and the node responsible for packing the transaction organization block is called an out-block node. The whole consensus process is divided into three stages: intra-cluster consensus, inter-cluster consensus and block synchronization.
• The out-block node packages the transactions in the network over a period of time and then sends them to the primary nodes of the clusters for PBFT consensus within each cluster.
• After the intra-cluster consensus is completed, the primary nodes of the sub-clusters perform the PBFT consensus among themselves, and each primary node returns the inter-cluster consensus result to the slave nodes in its sub-cluster.
• Each node then updates its local data according to the returned result.
For the convenience of expression, the relevant symbols in the consensus process are shown in Table 4, and the communication process between nodes is shown in Fig. 9.
The consensus process is as follows: the out-block node packs the transactions in the network over a period of time, organizes them into a block, assembles a prepared message, and sends it to the primary node of each cluster.
• Intra-cluster consensus phase. After receiving the message from the out-block node, each primary node verifies it. If the verification passes, it initiates the PBFT consensus in its local sub-cluster. The consensus is divided into three steps: pre-prepare, prepare and commit.
Step 1 The primary node of each sub-cluster sends <<L-PRE-PREPARE, v, h, T, D(b)>_i, b> to the slave nodes in the cluster.
Step 2 Each slave node in the cluster validates the pre-prepare message received from the primary node. If the verification passes, it broadcasts a prepare message <L-PREPARE, v, h, D(b), i>_i to the other nodes in the cluster, and in turn receives prepare messages from the other slave nodes. If the number of matching prepare messages exceeds 2f_t + 1, the node passes the verification and enters the commit phase.
Step 3 Each slave node sends <L-COMMIT, v, h, D(b), i>_i to the other nodes in the cluster and at the same time receives commit messages from the other slave nodes. If 2f_t + 1 commit messages are received and verified, the consensus within the sub-cluster is completed.
• Inter-cluster consensus phase. After completing the local consensus, the primary node of each sub-cluster performs the inter-cluster consensus on behalf of all nodes in its local cluster. This consensus is divided into two steps: prepare and commit.
Step 1 The primary node of each sub-cluster sends a prepare message to the primary nodes of the other sub-clusters. At the same time, each primary node receives prepare messages from the other primary nodes and enters the commit phase once 2f_t + 1 prepare messages have been received and verified.
Step 2 The primary node of each sub-cluster sends a commit message to the primary nodes of the other sub-clusters. When each node has received 2f_t + 1 valid commit messages, the inter-cluster consensus phase is completed.
• Block synchronization phase. After the inter-cluster consensus is completed, each primary node sends an execution message to the slave nodes of its sub-cluster, and the nodes in each cluster synchronize the block to achieve final consistency of the data in the distributed system.
After the out-block node sends the prepared message to the primary nodes, and a primary node sends the pre-prepare message to its slave nodes, the node receiving the message needs to verify the following points. If the verification passes, the message is considered valid, and the node executes the block and caches the execution result. Since the validity of the block and its transactions is already verified upon receiving the pre-prepare message, only points (1)-(3) need to be verified during the prepare and commit phases of the intra-cluster and inter-cluster consensus.
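The 2f_t + 1 thresholds used in both consensus phases can be sketched as follows, assuming the standard PBFT fault bound f = (m − 1) // 3 for a group of m nodes (the paper does not restate the bound explicitly):

```python
def max_faulty(m: int) -> int:
    """Byzantine fault bound for an m-node PBFT group: f = (m - 1) // 3."""
    return (m - 1) // 3

def quorum_reached(m: int, votes: int) -> bool:
    """A prepare or commit phase completes once 2f + 1 matching
    messages have been collected from the m-node group."""
    return votes >= 2 * max_faulty(m) + 1

# In LPBFT the same check is applied twice: inside each sub-cluster of
# size roughly n/k, and then among the k primary nodes of the main cluster.
```

For example, a 4-node sub-cluster tolerates one Byzantine node and needs 3 matching messages per phase, while a 10-node group tolerates three and needs 7.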

Reputation update phase
After a round of consensus is completed, the reputation value R is updated according to the dynamic reputation model. The reputation value represents the credibility of a node: the larger the reputation value, the higher the node's credibility. For an initial consensus node, the reputation value is uniformly set to r, and reputation values lie in [0, 1]. In LPBFT, the dynamic reputation model includes three parts: reputation reward and punishment, reputation state setting, and reputation reset and recovery. First, the reputation value of a node is increased or decreased according to its behavior; second, the reputation state of the node is set according to its reputation value; finally, nodes with excessively high reputation values are reset, and nodes with excessively low reputation values are recovered. These parts are described in detail below.
• Reputation reward and punishment refer to the dynamic increase or decrease of the reputation value of a node according to its behavior in the consensus process. Let R_i(t) be the reputation value of node i in the t-th round of consensus; the reputation value R_i(t+1) of node i in round t+1 is then calculated as follows. If the out-block node packs valid blocks in round t+1 and leads the nodes of the whole network to complete the consensus, the primary node successfully leads its slave nodes through a round of consensus, and a slave node participates in the consensus with a final synchronization result consistent with that of most nodes, then R_i(t + 1) = R_i(t) + α(1 − R_i(t)). The coefficient α ∈ (0, 1) controls the growth rate of the reputation value, and its value is set according to the specific application requirements of the system. For a fixed α, the larger R_i(t) is, the slower R_i(t + 1) grows, finally tending to 1.
If the out-block node packs invalid blocks in round t+1 or fails to lead the whole-network nodes to complete consensus, the primary node fails to lead its slave nodes through a round of consensus, or the final synchronization result of a slave node is inconsistent with that of most nodes, the reputation values of these nodes decrease linearly: R_i(t + 1) = β·R_i(t), where β ∈ (0, 1) is a penalty coefficient that controls the decline speed of the reputation value, with its specific value set according to the application requirements of the system.
If a node is offline for a long time and does not participate in the consensus, its reputation value gradually decays over time: R_i(t + 1) = R_i(t)·e^(−λΔb), where λ is the attenuation factor and Δb is the difference between the block height when the node last participated in the consensus and the current block height. • The reputation state RS of a node is determined by the reputation value R and is the basis for granting different permissions to the node. As shown in Table 5, four reputation states are defined; a, r and b are the thresholds of state change, and their values are set according to the distribution of reputation values of nodes in the network and the security requirements of the system.
• Reputation reset and recovery refer to resetting the reputation of nodes with an excessively high reputation value and recovering the reputation of nodes with an excessively low value. When a node's reputation value is higher than m, it is reset to r at the beginning of the next cycle to prevent the node from becoming a center of power due to its high reputation, where m ∈ (a, 1) and its value is determined according to the specific application requirements of the system. When a node's reputation value is lower than b and the node is prohibited from participating in the consensus, its reputation value is restored to b in the next cycle. Resetting and recovering the reputation value can both prevent the power centralization of high-reputation nodes and preserve the enthusiasm of low-reputation nodes.
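A sketch of the full reputation cycle follows. The coefficient values (α, β, the attenuation factor λ), the thresholds m and b, the initial value r, and the treatment of Byzantine nodes as reputation 0 are all placeholders here; the paper leaves them application-specific.

```python
import math

def update_reputation(r: float, behavior: str, alpha: float = 0.3,
                      beta: float = 0.8, lam: float = 0.05,
                      delta_b: int = 0) -> float:
    """One round of the dynamic reputation model (coefficients assumed)."""
    if behavior == 'normal':          # reward, converging toward 1
        return r + alpha * (1 - r)
    if behavior == 'abnormal':        # linear punishment
        return beta * r
    if behavior == 'offline':         # decay with block-height gap delta_b
        return r * math.exp(-lam * delta_b)
    return 0.0                        # Byzantine node (assumed)

def reset_or_recover(r: float, m: float = 0.9, b: float = 0.2,
                     r0: float = 0.5) -> float:
    """At the start of a cycle: reset over-high reputations to the initial
    value r0, recover banned low reputations to the threshold b."""
    if r > m:
        return r0
    if r < b:
        return b
    return r
```

Starting from r = 0.5, one honest round raises the reputation to 0.65, a faulty round drops it to 0.4, and the reset/recovery step keeps all values inside the working band [b, m].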

Access control model
In this paper, we implement a prototype system based on Hyperledger Fabric [30].
Fabric is an enterprise-grade blockchain framework characterized by high modularity, smart contracts in multiple programming languages, and a pluggable consensus mechanism, which broadens its application scenarios. Each centralized domain is configured through the configuration files provided by Fabric and joins the same channel as an organization, so that the domains collectively maintain a consortium chain, which matches the premise of the model in this paper well. After each centralized domain joins the maintenance of the blockchain as a member of the alliance, it provides attribute query, policy query and policy decision services for the access control of each domain through chaincode (smart contracts).

Performance analysis
• Comparative analysis. This model is compared with traditional access control models with respect to the massive, dynamic and distributed characteristics of the new computing modes, as shown in Table 6. The comparison shows that this model has clear advantages in the face of the characteristics brought by the new computing modes.
• The model described in this paper has the following advantages in the multi-domain environment:
- Fine granularity. Fine-grained ABAC access control can govern dynamic data in time. In addition, this paper proposes establishing standardized attributes to describe access control policies. The combination of attribute unification and policy customization can not only accurately describe access control policies in various domains, but also facilitate user access and system management.
- Security. The model implements access control by improving the ABAC model. The blockchain maintained by each domain makes the data more credible, and the dynamic growth of blockchain data, which makes attacks increasingly difficult, effectively prevents malicious node attacks and tampering. If a centralized domain does not wish to disclose specific access information, the private information can be encrypted with asymmetric encryption, thus securing privacy.
- Easy access for users. To request resources from multiple centralized domains, the requesting domain only needs to send one original request. If the specific request is not encrypted, the PEP encapsulates it into a single request transaction and sends it out; if the requesting domain does not want to disclose the specific request, it still only needs to construct one original request from the standard attribute information, which the PEP then encrypts with the public keys of the several resource-owning domains and encapsulates into multiple request transactions. There is no need to send different original requests according to the access control policies of different centralized domains.
- Autonomous authorization. Each centralized domain formulates and maintains its access control policies according to its own needs; the resource-owning domain decides whether to grant access to the resource URL according to the automatic authorization result of the smart contract, giving the resource-owning domain stronger autonomy.
- Transparent judgment. The attribute information is stored on the blockchain to ensure its authenticity and credibility; the policy information, including the policy execution process and results, is also stored on the blockchain, which guarantees its authenticity and credibility and effectively prevents the opaque judgments or ultra vires behavior that can occur with centralized judgment.

Experiment
Hyperledger Fabric [30] is used as the basic platform to build the prototype system. To evaluate the efficiency of policy retrieval and the timeliness and accuracy of policy responses, simulation tests are carried out with the XACML standard test set. The experimental environment is an Intel i7-4702MQ CPU at 2.20 GHz with 16 GB of RAM. The traditional retrieval method and the permission grading retrieval method of this paper are each tested under policy scales of 1000, 2000, 3000, 4000, 5000 and 6000, for a total of 6 groups of test samples. Each policy scale is tested 10 times and the average of the 10 experiments is taken. In the experimental results, the smaller the average time for a successful policy search, the higher the query efficiency. The two curves in Fig. 10 show the query efficiency of the two retrieval methods under different policy scales. As the number of policies increases, the query efficiency of both methods decreases; at the same number of policies, the query efficiency of the proposed method is clearly higher than that of the traditional method.
The following compares permission grading policy queries with and without a Bloom filter. From the analysis above, the larger m/n is, the lower the misjudgment (false positive) rate, and the marginal effect of each additional hash function diminishes as their number grows. Figure 11 shows the relationship between the number of hash functions k and the false positive rate.
It can be seen that when k > 5 the misjudgment rate decreases very slowly and is within an acceptable range, so this paper uses k = 6 to test the retrieval efficiency. The test scales are 1000, 2000, 3000, 4000, 5000 and 6000, six groups of test samples in total. Each policy scale is tested 10 times and the average of the 10 runs is taken. The experimental results are shown in Fig. 12; policy search efficiency with the Bloom filter is significantly improved.
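The trend in Fig. 11 follows from the standard approximation of the Bloom filter false positive rate, p ≈ (1 − e^(−kn/m))^k for m bits, n inserted elements and k hash functions; a quick numerical check (parameter values are ours):

```python
import math

def bloom_fpr(m, n, k):
    """Approximate false-positive rate of a Bloom filter with m bits,
    n inserted elements and k hash functions: (1 - e^(-kn/m))^k."""
    return (1.0 - math.exp(-k * n / m)) ** k

# With m/n = 10 bits per element, the rate flattens out as k grows,
# which is why going beyond k = 6 buys little:
rates = {k: bloom_fpr(m=10_000, n=1_000, k=k) for k in range(1, 11)}
```

At m/n = 10 the optimal k is (m/n)·ln 2 ≈ 6.9, so k = 6 sits close to the minimum while keeping the hashing cost low.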

• Correctness
The correctness of a blockchain system depends on two indicators: safety and liveness. If both conditions are met at the same time, the system is correct. In a blockchain, safety means that all honest nodes will eventually agree, that is, they can reach a consensus, and liveness means that the system responds correctly to requests submitted by users. In LPBFT, even if there are malicious slave nodes, a consensus can still be reached as long as there are no fewer than 2f+1 honest nodes in the consensus group; in this respect LPBFT is similar to PBFT. If the primary node fails, the consensus times out, or a slave node is determined to be malicious during execution, the timeout mechanism of the slave nodes triggers a view change. When the view changes, a node that has reached the high-reputation state becomes the new candidate primary node. Through the reputation model's continuous monitoring of node behavior, nodes with higher reputation values can always be retained to participate in the consensus. The introduction of the reputation model can motivate honest nodes in time and increase the cost of malicious behavior, thereby ensuring the safe operation of the system. To sum up, LPBFT can meet the safety and liveness requirements of the system.

• Communication overhead analysis

PBFT is based on message exchange, and message exchange consumes communication resources, so communication overhead is a key indicator of the efficiency of the algorithm. To verify whether the improved algorithm reduces the communication overhead, the number of communications required for the PBFT and LPBFT algorithms to complete one round of consensus can be compared. The communication counts of the PBFT and LPBFT consensus processes are listed in Table 7.
Let the total number of nodes participating in the consensus be N. In the PBFT algorithm, nodes must broadcast to the whole network during the prepare and commit phases, and each node therefore sends N−1 messages. Denoting by X the number of communications required to complete one round of PBFT consensus (N−1 in pre-prepare, (N−1)² in prepare and N(N−1) in commit), we get:

X = (N−1) + (N−1)² + N(N−1) = 2N(N−1)

If the N nodes are divided into k sub-clusters, the number of nodes in each sub-cluster is N/k, and the number of communications required to run the LPBFT algorithm is analyzed as follows.
In the intra-cluster consensus phase, the primary node of each sub-cluster sends a pre-prepare message to the slave nodes; this step requires (N/k)−1 communications. Each slave node receives the pre-prepare message and verifies it; if the verification succeeds, it sends a prepare message to all nodes in the cluster except itself, which requires (N/k−1)² communications. Each slave node then receives the prepare messages from the other nodes in the cluster and verifies them; if the verification succeeds, it sends a commit message to all nodes in the cluster except itself, which requires (N/k)(N/k−1) communications. Since there are k sub-clusters in the consensus network, the number of communications W in the intra-cluster consensus phase is:

W = k[(N/k−1) + (N/k−1)² + (N/k)(N/k−1)] = 2N(N/k−1)

In the inter-cluster consensus phase, the k primary nodes perform PBFT consensus among themselves; since PBFT over N nodes requires 2N(N−1) communications, this phase requires 2k(k−1) communications. The number of communications required by the LPBFT algorithm to complete one round of consensus is the sum of the two phases, denoted Y:

Y = W + 2k(k−1) = 2N(N/k−1) + 2k(k−1)

From formula 7 and formula 9, the ratio Z of the single-round communication counts of the two algorithms is:

Z = X/Y = 2N(N−1) / [2N(N/k−1) + 2k(k−1)]

The surface plot of the communication-count ratio of the PBFT and LPBFT algorithms is shown in Fig. 13. When the number of nodes N is fixed and k equals 1, the communication processes of PBFT and LPBFT are identical and Z is 1; as k increases, Z increases, because the number of sub-clusters grows and the number of nodes in each cluster shrinks, which effectively reduces the number of communications required for consensus.
When k increases to the extreme point, Z reaches its maximum and then begins to decrease; at this point k is so large, and there are so many sub-clusters, that the number of communications required for the inter-cluster consensus increases significantly. When k equals N, LPBFT again coincides with the PBFT communication process, and Z is 1 again. Although the value of k affects the exact number of communications, the overall number required by LPBFT is much less than that of PBFT. The number of communications required by the PBFT algorithm to complete a round of consensus is 2N(N−1), with time complexity O(N²). The number required by LPBFT is Y = 2N(N/k−1) + 2k(k−1), with time complexity O(m²), where m = max{N/√k, k}. When k is 1 or N, the time complexity of LPBFT is the same as that of PBFT; when 1 < k < N, although the time complexity of LPBFT is still quadratic, m is far smaller than N, so O(m²) < O(N²). To sum up, the time complexity of LPBFT is less than that of PBFT.

• Scalability

In blockchains, most traditional PBFT deployments scale poorly: when the number of nodes becomes large, performance drops sharply. In LPBFT, the consensus process is designed by grouping and layering, and the consensus tasks are assigned to each group or layer, which reduces the communication volume of the consensus algorithm and improves the scalability of traditional PBFT. This makes the LPBFT algorithm more suitable for large-scale network environments.

• Reputation model

The reputation model can adapt to different environments by dynamically adjusting its weights. For example, in a network environment with a higher security level, a higher penalty coefficient can be set so that the reputation value of a node drops quickly when malicious behavior occurs.
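The communication-count formulas above can be checked numerically; a small sketch (function names are ours, the formulas are the paper's X, Y and Z):

```python
# Sketch: single-round communication counts of PBFT vs LPBFT, following
# the formulas derived in the text.
def pbft_msgs(n):
    """X = 2N(N-1): messages for one PBFT round over n nodes."""
    return 2 * n * (n - 1)

def lpbft_msgs(n, k):
    """Y = 2N(N/k - 1) + 2k(k - 1): intra- plus inter-cluster phases."""
    return 2 * n * (n / k - 1) + 2 * k * (k - 1)

def ratio(n, k):
    """Z = X / Y; equals 1 at the degenerate cases k = 1 and k = N."""
    return pbft_msgs(n) / lpbft_msgs(n, k)

# For N = 100 nodes, clustering sharply cuts the message count:
z1, z10, z100 = ratio(100, 1), ratio(100, 10), ratio(100, 100)
```

For N = 100 and k = 10, Y = 2·100·9 + 2·10·9 = 1980 against X = 19800, i.e. a tenfold reduction, consistent with the surface plot in Fig. 13.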

Experiment
The experimental environment is an Intel i7-4702MQ CPU @ 2.20 GHz with 16 GB RAM. The delay and throughput of the two algorithms are tested when the total number of nodes is 40, 50, 60, 70, 80, 90 and 100, and k is 4, 7 and 10. To reduce error, each experiment is repeated 20 times and the average is taken as the final result.

• Time delay
The time delay of consensus refers to the time from transaction submission to completion, which is an important indicator to measure the performance of the blockchain. The shorter the delay, the faster the transaction confirmation and the higher the efficiency of consensus. This paper compares the efficiency of the two algorithms through the consensus delay. The time delay in the experiment refers to the time between the transaction being submitted and the client receiving enough replies.
The delay of the PBFT algorithm increases sharply with the number of nodes, which is caused by its O(N²) time complexity: in the prepare and commit phases, all nodes broadcast messages to all other nodes in the network, which takes a lot of time. In contrast, LPBFT divides the consensus of the whole network into consensus within and between k sub-clusters, which greatly reduces the number of communications, so the delay of the LPBFT algorithm grows slowly as the number of nodes increases. The delay test results are shown in Fig. 14. When the number of nodes is fixed and k = 4, 7, 10, the delay decreases step by step. Combined with the surface chart of the communication-count ratio, it can be seen that before k reaches the extreme point, the larger the value of k, the fewer communications the whole consensus process requires, and hence the shorter the corresponding delay.

• Throughput

The throughput of a blockchain system is the number of transactions processed per unit time and reflects the system's transaction-processing capacity. The calculation formula is TPS = Trade_Δt / Δt, where Trade_Δt is the number of transactions processed by the system within the time window Δt.
The throughput of the PBFT algorithm is greatly affected by the number of nodes. The throughput test results are shown in Fig. 15. When the number of nodes exceeds 70, the throughput decreases significantly, because the sharp increase in communication volume during consensus puts pressure on the network bandwidth and lengthens the time required for consensus. The throughput of LPBFT remains basically stable as the number of nodes increases, because the nodes of the whole network are divided into several sub-clusters.
First, a small-scale consensus is carried out within each sub-cluster, and then only the k primary nodes participate in the inter-cluster consensus, so the communication and computation overhead is greatly reduced and LPBFT maintains high throughput even with a large number of nodes. When the number of nodes is fixed and k = 4, 7, 10, the throughput of LPBFT increases step by step. Combined with the surface chart of the communication-count ratio, before k reaches the extreme point the number of communications required by the consensus process decreases as k increases; the larger the value of k, the higher the corresponding throughput.

Security analysis
To meet complex inter-domain data sharing requirements, the six main forms of security we consider are:

• Decentralization Our scheme uses a decentralized, blockchain-based distributed storage architecture that avoids the threat of centralized attacks and single points of failure.
• Integrity of transaction data We define this as the maximum number of malicious nodes the protocol can tolerate. Our solution uses an optimized practical Byzantine fault-tolerant algorithm with a degree of malicious-node identification and fault tolerance.
• Security of original data The local information stored at nodes should not reveal any original transaction data. We design an off-chain storage mechanism with a corresponding data storage structure: the original data are kept in a local database, while asymmetric encryption and digital hashing are used to store the corresponding data abstraction on the chain, protecting the local data.
• Access control We design attribute sets, policy sets and ABAC-based optimization algorithms to provide a mechanism for deciding visitor permissions during data sharing.
• Evaluation of nodes In the LPBFT algorithm, we introduce a node reputation evaluation mechanism that secures the consensus process by weakening the influence of malicious nodes in the consensus.
• Fairness and transparency A smart contract is a fully automated computer protocol designed to disseminate, validate or enforce contracts in an informational manner. Using smart contracts to implement mechanisms such as access control, consensus and node evaluation ensures the fairness and transparency of the system.

As shown in Table 8, our model is compared with existing studies on the above aspects.

Characteristics of the model
To meet the sharing requirements of multi-domain data scenarios, we design our model on a consortium chain across the data layer, network layer, consensus layer, contract layer and application layer. In particular, this paper decomposes the multi-domain problem into two sub-problems, intra-domain consensus and inter-domain access, solving the two most important practical problems of security and efficiency that arise during intra-domain decision making and inter-domain communication in the sharing process. Our model has the following main features.
• Fine granularity Fine-grained ABAC access control can regulate dynamic data in a timely manner. This paper proposes unified standard attributes to describe access control policies; the combination of unified attributes and policy customization not only describes domain access control policies accurately and keeps access user-friendly, but also simplifies system management.
• Easy access for users If resources are requested from multiple security domains, the requesting domain only needs to send one original request according to its needs, with no need to compose different original requests for the access control policies of different security domains.
• Autonomous authorization Access control policies are developed and maintained by each security domain according to its own needs, and the resource-owning domain decides whether to authorize access to the resource URL based on the automated authorization results of the smart contract, giving the resource-owning domain greater autonomy.
• Judgment transparency The attribute information and the policy information, including the process and results of policy execution, are stored in the blockchain, which guarantees the authenticity and trustworthiness of the information and effectively prevents the opaque judgment or ultra vires behavior of centralized judgment.
• Efficiency optimization By designing an attribute-based permission grading access control model and a layered practical Byzantine fault tolerance optimization algorithm, our paper optimizes both intra-domain consensus and inter-domain access policy retrieval, reducing latency and increasing throughput during data sharing, which suits the efficiency requirements of new types of computing.
• Consensus incentive We design a behavior-based node reputation assessment mechanism that encourages honest nodes to dominate the consensus process and resists the participation of malicious nodes, ensuring the liveness of the blockchain.
As shown in Table 9, our model is compared with the existing studies for the above aspects.
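The behavior-based reputation assessment behind the consensus incentive can be sketched as follows. This is our illustration only: the paper does not publish these exact update rules, and the coefficient values, thresholds and initial score are assumptions.

```python
# Sketch (assumed formulas, not the paper's): reputation rises by a
# small reward per honest consensus round and falls by a larger penalty
# per detected malicious act; high-reputation nodes become candidate
# primaries. All numeric values below are illustrative.
class ReputationModel:
    def __init__(self, reward=0.05, penalty=0.4, high_threshold=0.8):
        self.reward = reward            # gain per honest consensus round
        self.penalty = penalty          # loss per detected malicious act
        self.high_threshold = high_threshold
        self.scores = {}                # node id -> reputation in [0, 1]

    def record(self, node, honest):
        r = self.scores.get(node, 0.5)  # assumed neutral starting score
        r = min(1.0, r + self.reward) if honest else max(0.0, r - self.penalty)
        self.scores[node] = r

    def candidates(self):
        """Nodes in the high-reputation state, eligible as new primary."""
        return [n for n, r in self.scores.items() if r >= self.high_threshold]

model = ReputationModel()
for _ in range(8):
    model.record("n1", honest=True)     # consistently honest node
model.record("n2", honest=True)
model.record("n2", honest=False)        # one malicious act costs more
```

The asymmetry between reward and penalty is the tunable knob mentioned earlier: a stricter environment simply raises the penalty coefficient so one malicious act undoes many honest rounds.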

Conclusion
This paper constructs a centralized-domain data sharing model based on the consortium chain for large-scale networking. The blockchain is combined with Attribute-Based Access Control to ensure the transparency and fairness of the access process. Meanwhile, a unified access policy standard and a policy retrieval mechanism based on permission grading are designed to improve the flexibility, autonomy and efficiency of inter-domain access. To solve the problem of low intra-domain consensus efficiency of the blockchain in large-scale networking scenarios, a layered PBFT optimization algorithm is designed, and a reputation model is introduced to promote the safe and live operation of the blockchain system by encouraging honest node behavior. Finally, we build the model on the Hyperledger Fabric platform and evaluate the performance of the permission-grading-based inter-domain access control and the reputation-model-based intra-domain layered consensus algorithm, which demonstrates the effectiveness of the model in the data sharing scenario of distributed centralized domains.
Author contributions WZ contributed to conceptualization and methodology; XH was involved in formal analysis, investigation and writing (original draft preparation); ZB contributed to writing (review and editing) and supervision.
Funding This work was supported by National Key R &D Program of China (No.2017YFC0803300).

Data availability
The data sets supporting the results of this article are included within the article.

Code availability
The code supporting the results of this article is included within the article.

Conflict of interest
The authors declare that they do not have any commercial or associative interest that represents a conflict of interest in connection with the manuscript.

Consent to participate Not applicable.
Consent for publication All the authors agreed to publish the manuscript.
Ethical approval Not applicable.