A Privacy-Preserving Data Transmission Scheme Based on Oblivious Transfer and Blockchain Technology in the Smart Healthcare - Hindawi.com
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Hindawi Security and Communication Networks Volume 2021, Article ID 5781354, 12 pages https://doi.org/10.1155/2021/5781354 Research Article A Privacy-Preserving Data Transmission Scheme Based on Oblivious Transfer and Blockchain Technology in the Smart Healthcare Huijie Yang ,1 Jian Shen ,1,2 Junqing Lu ,1 Tianqi Zhou ,1 Xueya Xia ,1 and Sai Ji 1,3 1 School of Computer and Software, Nanjing University of Information Science and Technology, Nanjing, Jiangsu, China 2 Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen, China 3 Suqian University, Suqian, Jiangsu, China Correspondence should be addressed to Jian Shen; s_shenjian@126.com Received 16 June 2021; Accepted 17 August 2021; Published 3 September 2021 Academic Editor: Debiao He Copyright © 2021 Huijie Yang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. With the development of the Internet of Things and the demand for telemedicine, the smart healthcare system has attracted much attention in recent years. As a platform for medical data interaction, the smart healthcare system is demanded to ensure the privacy of both the receiver and the sender, as well as the security of data transmission. In this paper, we propose a privacy- preserving data transmission scheme where both secure ciphertext conversion and malicious users identification are supported. In particular, the (OT)nm protocol is introduced to guarantee the two-way privacy of communication parties. Meanwhile, we adopt proxy reencryption algorithm to support secure ciphertext conversion so as to ensure the confidentiality of data in many-to-many communication pattern. In addition, by taking advantage of the concept of blockchain technology, a novel (OT)nm protocol is proposed to prevent data from being tampered with and effectively identify malicious users. Theoretical and experimental analyses indicate that the proposed scheme is practical for smart healthcare with high security and efficiency. 1. Introduction and ensure the confidentiality and correctness of the data. During the research, scholars discovered that there were two With the extension of average life expectancy and people’s security challenges in the process of medical data trans- increasing demand for health, the demand for smart mission [13, 14]: The first is how to ensure the confidentiality healthcare systems such as telemedicine and e-health system of medical data during the interaction; that is, malicious is more and more urgent [1–3]. The smart healthcare system users cannot obtain or tamper with the data. The second is is an IoT health system composed of cloud computing, smart how to realize the two-way privacy protection between the wearable devices, an expert system based on artificial in- server and the client side. Therefore, we need to discuss and telligence, and so on [4–6]. The deep learning technology solve the above two security challenges in this paper. and data mining technology also promote the development Consider the following situation: the patient who suffers of smart healthcare system [7, 8], which is convenient for from many diseases goes to different specialist hospitals for doctors to quickly diagnose diseases and formulate medical treatment, and so many medical records are stored by plans and to ensure that everyone can get adequate medical different servers of hospitals that are not connected in the resources [9]. In addition, some scholars introduce block- same network. That is, it is difficult for doctors to obtain the chain technology into the smart healthcare environment data across the different networks. To settle the mentioned [10–12]. They utilize the characteristics of blockchain such as problem, we suppose that all the data are stored in the same decentralization and antitampering to design the smart server. However, all data in this server are returned to the healthcare schemes. Those schemes can realize data sharing doctor when he employs the oblivious transfer (OT)
2 Security and Communication Networks protocol to request the data, which leads to the high Once a doctor requires u1 data, he needs to employ communication overhead. Thus, we assume that all data are many private keys of servers to decrypt those ci- stored in the distributed server, and the users, hospitals, and phertexts. In that way, the privacy of servers where also servers are all in the smart healthcare system, where the the data is stored will be exposed. By applying this patients’ records can be accessed by the departments’ novel (OT)nm protocol, a doctor can decrypt all the doctors from the different hospitals. In fact, the stored data ciphertexts with only his key. In other words, this are susceptible to collusion or tampering because of the protocol not only queries data quickly but also semitrusted server. The confidentiality of stored data cannot protects the privacy of servers and doctors. In ad- be ensured when users employ those data. Additionally, dition, the proposed (OT)nm protocol can efficiently a user employs the amount of data to request it from the support the access control of users and many-to- server, which can try to understand the corresponding re- many data transmission pattern. lationship between the sequence number and the stored (2) A secure data transmission scheme supporting data. Some researchers utilize the oblivious random access collusion resistance and to prevent data from being memory (ORAM) protocol [15] to hide that relationship tampered with is proposed. Our scheme is a data [16, 17]. Meanwhile, it is only applied to some simple secure transmission protocol based on blockchain systems due to its complex ORAM structure and the great technology and OT technology. We utilize the increase in cost overheads. Thus, how to ensure that the characteristics of blockchain structure to store the server makes users know the data without knowing the serial user’s identity in blocks and then form three lists, number is one of the main contents of our scheme. namely, patient identity list, doctor identity list, and Moreover, the public keys of the distributed servers are revocation user list. Therefore, our protocol can different for users owing to those servers which belonged to effectively verify revocation or malicious users and different hospitals. In view of the above, the data in such resist their collusion attacks. Meanwhile, in terms of servers can be comprehended by users, which exposes the the hash value in blockchain, malicious users cannot privacy of stored data. Then, some data are attacked by modify the data. malicious users to focus on, in accordance with that private (3) Data confidentiality is guaranteed and the compu- information. What is more, the authorities of the user can be tation of our scheme is effectively reduced. We faked or tampered with by the revoked or malicious users analyze and prove the security of the proposed who can collude the data. scheme. We provide a performance comparison between (OT)nm protocol and other (OT)kn protocols Motivation of This Paper. As is mentioned above, the existing through a theoretical performance analysis and an data transmission schemes are not suitable for the smart experimental analysis. healthcare environment. Therefore, our goals are to protect user privacy and guarantee the security of data transmission based on OT and blockchain technology under the smart 1.2. Related Work. Oblivious transfer (OT) has gradually healthcare environment. To accomplish this goal, the three become an important research direction in the field of following crucial issues should be considered for us. First, multiparty computation (MPC). At present, according to the the confidentiality of data should be assured during the total amount of data and the number of choices, the research process of data transmission. The medical data are related to of OT protocol is mainly divided into four categories: the life safety of patients; once they are tampered with or classical oblivious transfer protocol [18], 1-out-of-2 oblivi- faked, this will endanger the lives of patients and put the ous transfer (OT)12 protocol [19], 1-out-of-n oblivious hospital in financial compensation. Second, while guaran- transfer (OT)1n protocol [20], and k-out-of-n oblivious teeing that a piece of accessed data is not known by the transfer (OT)kn protocol [21]. server, the other data in it cannot be learned by the user. In (OT)1n protocol was proposed by Brassard et al. [20] addition, the stored data in such servers cannot be figured firstly in 1986; they invoked (OT)12 protocol n times to out. In case of reveal, the privacy of stored data may be implement (OT)1n protocol. On the basis of the above, leaked out. Finally, the revoked or malicious users who try to Gertner et al. [22] firstly achieved a distributed version of collude should be discerned by the group manager. They will (OT)1n protocol with information-theoretic security and go beyond their authority to access data or modify medical sublinear communication complexity. In 2001, Naor et al. data, leading to medical accidents in the hospital. [23] described a novel (OT)1n protocol, which improved the efficiency of multiple invocations of OT applications. In 2004, Tzeng [24] designed a secure and efficient (OT)1n 1.1. Main Contributions. We design a privacy-preserving protocol under the assumption of the decisional Diffie- scheme for data transmission based on oblivious transfer Hellman problem. After that, based on the above, an and blockchain technology in the smart healthcare envi- adaptive k-out-of-n oblivious transfer scheme was proposed ronment which is to resolve the above issues. The main by Chu and Tzeng [25], which allowed the receiver to choose contributions are as follows: the messages one by one adaptively. In 2015, the simplest (1) A novel (OT)nm protocol supporting two-way pri- and most efficient protocol for (OT)1n protocol was pre- vacy-preserving and distributed servers is proposed. sented by Chou et al. [26] and it could resist some active Suppose that u1 data is stored in multiple servers. attacks. Then, in 2007, Hauck et al. [27] proposed an (OT)1n
Security and Communication Networks 3 protocol under the CDH assumption, which was built on converts a ciphertext ma of ua to a ciphertext mb of ub . The ideas from the CO protocol. In 2020, Wang et al. [28] specific design of this scheme is as follows. presented an (OT)1n protocol and the Private Set Intersection (i) Step 1. Setup(1k ) ⟶ par: This is the initialization (PSI) protocol to protect user privacy in the case of VANET phase for generating parameters. Input security feature matching. parameter 1k and then the public parameters par are (OT)kn protocol was proposed by Bellare et al. [21] firstly output by this algorithm. in 1989, where a receiver could select and receive multiple ciphertexts at one time. Naor et al. [29] described a novel (ii) Step 2. KeyGen(par) ⟶ (pk, sk): This algorithm is construction for (OT)kn protocol which is more efficient than applied to generate the public-private key pair for k repetitions of (OT)1n protocol. Then, the classical and users. Public parameter par is input, and then the universal (OT)kn protocol was designed by Naor et al. [23]. In key pair (pk, sk) is produced for users. 2005, an (OT)kn protocol with adaptive queries was proposed (iii) Step 3. Enc(par, pka , m) ⟶ ma : This algorithm is by Naro et al. [30], and it was considerably more efficient employed to encrypt the message via a public key than k repetitions of (OT)1n protocol. After that, Chu et al. pka from ua . pka and message m are input, and then [31] proposed several two-round (OT)kn protocols under the an original ciphertext ma is produced by this decisional Diffie-Hellman problem, in which a receiver sent algorithm. O(k) data to a sender and he returned O(n) data. In 2010, (iv) Step 4. Re − KeyGen(par, ska , pkb ) ⟶ rka⟶b : a secure and low-bandwidth-consumption (OT)kn scheme This algorithm generates the conversion key, which based on bilinear pairings was proposed by Chen et al. [32]. realizes the transformation from ma to mb . A private A novel (OT)kn protocol for private information retrieval key ska of ua and a public key pkb of ub (a ≠ b) are which was more suitable for smart cities was presented by provided, and the conversion key rka⟶b is output. Lou et al. [33]. In 2018, Lai el al. [34] proposed an (OT)kn This phase is crucial for reencryption data. scheme with the least communication cost, which preserved (v) Step 5. Re − Enc(par, rka⟶b , ma ) ⟶ mb : To gain a sender’s security and the privacy of a receiver’s choice. the transfer message mb , this algorithm utilizes the What is more, some researchers have integrated OT conversion key rka⟶b to reencrypt a message ma . technology into blockchain scheme in order to solve the Input A reencryption key and an original ciphertext problem of easy exposure of private data in the blockchain. are input, and then a reencryption ciphertext mb In 2017, Hsiao et al. [35] combined the advantages and from a to b is output. properties of blockchain and secret sharing scheme, Paillier’s homomorphic encryption, and oblivious transfer to con- (vi) Step 6. Dec(par, ska , ma ) ⟶ m: Finally, a private struct a decentralized e-voting system. This scheme could key ska and a ciphertext ma are provided; this al- protect the anonymity of voter’s identity, the privacy of data gorithm can compute a plaintext m. transmission, and verifiability of ballots during the billing phase. In 2019, Tso et al. [36] proposed the decentralized electronic voting and bidding systems based on a blockchain 2.2. Oblivious Transfer Protocols. The concept of OT was first and smart contract, which uses cryptographic techniques proposed by Rabin [18] in 1981. In Rabin’s protocol, the such as oblivious transfer and homomorphic encryptions to sender only wanted the receiver to get the message he improve privacy protection. Then, in 2021, Li et al. [37] chooses, and the receiver did not want the sender to know presented a fair scheme for big data exchanging that allows about other messages, which guaranteed the privacy of both buyers and sellers to autonomously and fairly complete parties. Then, the 1-out-of-2 data transmission protocol transactions, without involving any third-party middle under the semihonest model through three public key person. This scheme employed OT technology to preserve cryptography operations was implemented by Naro and the privacy of transactions. Pinkas [23]. The steps of (OT21 ) protocol are as follows: (i) Setup: The system generates two prime orders q and p, where q|p − 1 holds. Gp is a p-order subgroup of 1.3. Organization. The structure of the paper is organized as Z∗p ; and the system sets g as the generator of Z∗p . follows. Some preliminaries in cryptographic are presented in Section 2. The system model, design goals, and threat (ii) Input: The sender inputs (X0 , X1 ), and receiver model are described in Section 3. The proposed scheme is inputs r. introduced in detail in Section 4. The security and perfor- (iii) Output: The receiver outputs Xr . mance analyses are provided in Sections 5 and 6, re- (a) Step 1. The sender generates a random number C spectively. Section 7 concludes this paper and our work. and a, computes ga and Ca , and broadcasts C. (b) Step 2. The receiver generates a random number 2. Preliminaries k(1 ≤ k ≤ q); and two public keys pkr and pk1−r are generated, where pkr � gk and pk1−r � C/gk hold. 2.1. Proxy Reencryption Technology. We adopt the key-pri- Then, the number pk0 is sent to the sender. vate proxy reencryption scheme which was proposed by Ateniese et al. [38]. This algorithm applies proxy reen- (c) Step 3. The sender calculates (pka0 ) and cryption technology to achieve ciphertext conversion, which (pka1 ) � Ca /pka0 . At the same time, he encrypts the
4 Security and Communication Networks data (X0 , X1 ), respectively. The equations are as blockchain transaction. It includes the SOLO, follows: Kafka, PBFT, and SBFT. a E0 � ga , hash pk0 ⊕x0 , a (1) 3. Problem Statement E1 � ga , hash pk1 ⊕x1 . 3.1. System Model. Our proposed scheme can be utilized to (d) Step 4. The receiver computes securely transfer data and also realize the privacy-preserving hash(pkar ) � hash((ga )k ) and xr ; that is, of the clients and servers. On the one hand, the private a Er � hash pkr , r ⊕xr ⊕hash pkar , r . (2) information of client side is protected. That is, a user has permission in virtue of the data’s serial number to access data, yet he does not know which server the data is stored in. The concept of (OTnk ) protocol is presented as follows. On the other hand, the private information of servers is The sender encrypts the n secret messages M0 , M1 , . . . , Mn−1 protected. That is, a user only can obtain the requested data, and sends them to the receiver; and the receiver can only and the other data are cannot be learned. This scheme is recover k of them: mainly designed in accordance with the actual situation of M α1 , Mα1 , . . . , Mαk , (3) the smart healthcare environment. Both doctors and other healthcare workers look forward to acquiring treatment where α1 , . . . , αk ∈ Z∗p holds. However, the receiver cannot records about a patient in all hospitals as soon as possible. determine which M α1 , Mα1 , . . . , Mαk from Moreover, the confidentiality of data can be ensured in our M0 , M1 , . . . , Mn−1 are required. scheme, in which a user employs his private key to decrypt the stored data in servers rather than private keys of servers. In addition, this scheme also resists collusion attacks by 2.3. Blockchain Technology. Blockchain is a kind of ledger revoked or malicious users. The system model contains three technology that is jointly maintained by multiple parties, can entities, doctors/ patients (client side), a proxy (blockchain), achieve consistent data storage, is difficult to tamper with, and and servers. Figure 1 shows a system model of the proposed prevents denial [39, 40]. It has also become a distributed ledger scheme. technology. The blockchain is classified into the permissioned A patient cures his diseases in different hospitals or in the blockchain and the unlicensed blockchain according to same hospitals. In general, the data is stored in the nearest whether the system has the node access mechanism. The fabric server, which is a server of the current hospital. This means is employed in our paper, which belongs to the consortium that if a patient has seen a disease in different hospitals, Blockchain and is also the first distributed system of blockchain multiple servers (different hospitals) store the patient’s data. with an access mechanism [41]. Fabric is a modular, extensible, Our scheme implements a many-to-many model with users general-purpose blockchain with an access mechanism that and servers. Firstly, doctors and patients register their supports the execution of distributed applications written in identities with the blockchain. The blockchain generates standard programming languages. The key components of a list of user identities and a list of revoked users so that it can fabric are as follows [42]. verify their identities. Secondly, a doctor uses the private key (i) Peers: There are four kinds of peers in Fabric. of user to encrypt the medical records and then uploads them to a server of his hospital. When a patient goes to (a) Committing peer: Each peer in the channel is a hospital to treat his heart disease, his doctor of this de- the committing peer. It receives the generated partment can gain his past medical records in servers. transaction block, obtains the block structure, Thirdly, a doctor sends a request to blockchain for obtaining and verifies the legitimacy of the block structure. a patient’s records. The blockchain verifies and checks his (b) Endorsing peer: The client application must use identity. If yes, the ciphertext encrypted with the patient’s its smart contract to complete the verification of key needs to be converted into ciphertext which can be the transaction, simulate the operation of the decrypted by doctors. The patient and blockchain run the transaction, and generate a transaction response encryption phase to complete the transformation of ci- containing a digital signature. phertext. Fourthly, the blockchain transmits a request which (c) Leader peer: When the channel has multiple includes some serial numbers of data to servers. Only servers peers, the leader peer is responsible for dis- that store the corresponding data respond to that request. tributing transactions from the ordering peer to Finally, the OT protocol is implemented between the doctor other committing peers. and the server to transmit and decrypt the request data. (d) Anchor peer: It helps to communicate with peers in other organizations. (ii) Channel: The channel includes many authorized 3.2. Threat Model. In this section, the security goals and the users, and each user can belong to different security models for OTnm are provided. channels. (iii) Consensus mechanism: It is defined as the com- Definition 1. A secure and privacy-preserving (OT)nm pro- prehensive verification of the correctness of the tocol should satisfy the following requirements:
Security and Communication Networks 5 hash value hash value hash value timestamp timestamp ... timestamp 3 transform ciphertext data data data ... ... blockchain 2 request pid ’s data patient pid doctor 1 server 1 4 execute OT protocol pid ’s 1 upload pid ’s data doctor 2 server 2 ... 1 upload pid ’s data doctor n server n Figure 1: The system model of our scheme. (1) The (OT)nm protocol should protect the privacy of (iv) Decrypt: Adversary A outputs plaintext mt . If mt is servers; namely, the users cannot obtain data from right, adversary A breaks the server privacy of the the server other than what they requested. OTnm protocol. (2) The (OT)nm protocol should protect the privacy of The security model for user privacy of the OTnm protocol users; namely, the servers cannot figure out what is described as follows. In this model, adversary A plays the data the users access. role of servers and the challenger plays the role of users (the The security model for server privacy of the OTnm pro- users are trusted). The advantage of A to break the server tocol is described as follows. In this model, adversary A privacy is defined as follows: plays the role of users and challenger C plays the role of 1 servers (the servers are trusted). The advantage of A to break AdvA � Pr[A wins] − . (5) the server privacy is defined as follows: 2 AdvA � Pr[A wins]. (4) (i) Setup: The system generates system parameters and sends the private keys to the blockchain. Then (i) Setup: The system generates system parameters and the blockchain generates several necessary pa- sends the private keys to the blockchain. Then the rameters for adversary A. The users choose j data blockchain generates several necessary parameters that they can access and choose corresponding aj for servers. Adversary A chooses j data that it can from Z∗p . Then, the blockchain sends corre- access and chooses the corresponding aj from Z∗p . sponding Dj to the users and the servers sends all Adversary A outputs its target t(t ∉ j ). Then, the ciphertexts ci . Adversary A outputs its target blockchain sends corresponding Dj to adversary A t0 , t1 (t0 , t1 ∈ j ). and the servers send all ciphertexts ci . (ii) Hash Query: Adversary A can query the hash value (ii) Hash Query: Adversary A can query the hash value via this oracle. It takes as input information and via this oracle. It takes as input information and outputs hash value. R outputs hash value. (iii) Challenge: The user selects b←{0, 1} and outputs Atb (iii) Decrypt Query: Adversary A can query plaintext mi and Dtb . of ciphertext ci but not ciphertext ct . (iv) Guess: Adversary A outputs b∗ . If b � b∗ , A wins.
6 Security and Communication Networks 4. The Proposed Scheme Table 1: Correspondence between symbols and definitions. Symbols Definition The proposed scheme is presented in detail in this section. Our scheme can be divided into four parts, in which the n The serial number of data pi d , di d The identity of the patients and doctors initialization phase is introduced in Section 4.1, the user Data with serial number m requested by the registration phase is described in Section 4.2, the encryption δm user phase is stated in Section 4.3, and the data access phase and ky The employed key of server in OT protocol (OT)nm protocol phase among three roles are illustrated in The stored server subkey of proxy in OT Sections 4.4 and 4.5, respectively. ky′ protocol In the smart healthcare system, in the face of complex wn The hash value of the serial number diseases, the attending doctor will conduct multidepartment (skp , pkp ) The public-private key pairs of patients consultations or cross-hospital consultations, which are (skd , pkd ) The public-private key pairs of doctors more common. In addition, a patient can treat diseases in rkp⟶d The transform key from patient to doctor different hospitals, a hospital has its own servers, and the β The attribute sets of all the users users who have access permission can request the data of un � an , bn , . . . , zn The set of each attribute of the user servers in the smart healthcare system. In our scheme, to tagmi The tag for each piece of data protect the two-way privacy of the server and user, the data are allocated to the nearest server randomly, which obeys the h1 : {0, 1}n ⟶ G and h2 : {0, 1}n ⟶ {0, 1}l , where l is the principle of proximity; that is, the user with permission can fixed value. store the data in which the server is near. We show the main We initialize the device of proxy based on the block- idea of the system by giving an example. A patient suffers chain. The security parameter s is input; the blockchain from high blood pressure, heart disease, and toothache. computes the formulas f � gκ and wi � h1 (i), where i When he goes to the dental clinic, the doctor not only needs represents the label of the patient’s medical data. Then, the k′ k′ to diagnose his teeth but also prescribes medicine or pre- blockchain computes R1i � wi 1, . . . , Ryi � wi y and the fol- pares for surgery based on his other medical history. At this lowing finite sets are satisfied, where 0 < i < n + 1 and i ∈ Z∗p moment, an attending doctor verifies his permission to hold. f is sent to the user. Then R1 , R2 , . . . , Ry are sent to request all the data about that patient. The requests can be servers S1 , S2 , . . . , Sy orderly. sent to the determined server which has stored the data of k′ k′ ′ that patient. Then, to protect the privacy information, only S1 : R1 � w11, w21, . . . , wkn1 , the determined server delivers all its data to the requester by using the designed (OT)nm protocol. This protocol guaran- ⋮ (6) tees that the server does not have idea about the accessed k′ k′ k′ data, and the user cannot obtain the extra data and figure out Sy : Ry � w1y, w2y, . . . , wny . the source of data. For instance, if the sequence number 5 is requested from the user, he sends the requirement to all the The symbols and the corresponding meanings are shown servers in the smart healthcare system. Only sever Sy that has in Table 1. the data about that patient responds to the request. More comprehensively, assume that the sequence number d is accessed; the user sends the requests to servers S1 , S2 , . . . , Sy 4.2. User Registration Phase. We integrate blockchain (the needed data are in servers Sa and Sb ). At last, servers Sa technology into user registration phase to maintain the and Sb have the opportunity to communicate with the user. identity lists about users. The data is requested via proxy, In the meantime, blockchain technology is merged into our while the blockchain inquires and verifies the user’s identity scheme, which maintains the attributes list and stops user in accordance with his tag. Only through the verification can attributes from being tampered with. Correspondence be- the (OT)nm protocol be executed to transmit the data. There tween symbols and definitions is shown in Table 1. are five functions of blockchain in our scheme; they are described briefly as follows: (i) The committing peer generates and maintains 4.1. Initialization Phase. We hypothesize that there are y blocks for users. distributed servers, and the users with permission to ma- (ii) The identity of required users is verified. nipulate data (e.g., the doctor, nurse, and healthcare worker) (iii) The endorsing peer verifies the legality of updated have n data, and each piece of data has the same bits. identities; if the transaction is legal, the peer sim- Input the security parameter s, and then the system ulates to perform the smart contract. Then, it sends randomly selects the number the updated lists to users. k1 , k2 , . . . , ky , k1′, k2′, . . . , ky′ ∈ Z∗p , where the formal k1 + k1′ � κ (κ ∈ Z∗p ) holds, server Si possesses ki , and (iv) The attributes are prevented from being faked κ, k1′, . . . ky′ is stored in the blockchain. Set G � < g > , GT through utilizing the structural characteristics of the as the multiplicative cyclic groups, with bilinear mapping block. e: G × G ⟶ GT , randomly choose generator g1 ∈ G, and (v) The revoked and malicious users are distinguished compute α � e(g, g1 ). Set the hash functions to preclude them from colluding the data.
Security and Communication Networks 7 The user registration phase contains the four following 4.4. Data Access Phase steps to accomplish the registration: (i) Step 1. When doctor did sees a patient pid , he sends (i) Step 1. The key generation center (KGC) chooses pid and pkd to the blockchain, along with the proof R xp,1 , xp,2 ←Z∗p as the patient’s private key Πdid � (Committ1 , Committ2 , c, R1 , R2 ), where skp � (xp,1 , xp,2 ) and computes the patient’s public Committ1 � αr1 , Committ � � 2 � gr2 , � R � � � key pkp � (pkp,1 � αxp,1 , pkp,2 � gxp,2 ). Then, it r1 , r2 ←Z∗p , c � h0 (did ��pkd ��Committ1 ��Committ2 ), sends (skp , pkp ) to the patient through the secure R1 � r1 + c × xd,1 , and R2 � r2 + c × xd,2 . channel. (ii) Step 2.� � �� The blockchain �� computes (ii) Step 2. The key generation center (KGC) chooses R c � h0 (did ��pkd ��Committ1 ��Committ2 ) and checks ? xd,1 , xd,2 ←Z∗p as the doctor’s private key whether αR1 � Committ1 · pkcd,1 and ? skd � (xd,1 , xd,2 ) and computes the doctor’s public key gR2 � Committ2 · pkcd,2 . If the above equation holds, pkd � (pkd,1 � αxd,1 , pkd,2 � gxd,2 ). Then, it sends the blockchain checks whether the tuple (did , pkd ) (skd , pkd ) to the doctor through the secure channel. belongs to the doctors list. If yes, the blockchain (iii) Step 3. KGC inserts (pkp , pid ) into the patient list executes the next step. and inserts (pkd , did ) into the doctor list. Then KGC (iii) Step 3. The blockchain sends pkd to patient pid . The sends the above lists to the blockchain via the smart patient computes transform key tkp⟶d via Re − contract. KeyGen(skp , pkd ) in the KP − PRE scheme and sends it to the blockchain. (iv) Step 4. The blockchain sends tkp⟶d and pid to all 4.3. Encryption Phase. After the doctor diagnoses the servers. The servers transform ciphertext m of pa- patient, he records the medical data on the computer. tient pid , namely, compute Subsequently, the encryption algorithm will be executed ctd ←KP − PRE.ReEnc(tkp⟶d , ctp ). on the data. (i) Step 1. Verify(did , pkd , skd ): The doctor chooses R r1 , r2 ←Z∗p , computes Committ r 4.5. (OT)nm Protocol Phase. Assume that doctor did treats pid ’s �� 1 ��� α 1 and� � heart disease; he sends a data request which includes all the Committ2 � g , r2 c � h0 (did �pkd �Committ1 �� � � Committ2 ), and computes responses R1 � r1 + c × serial numbers of data from different hospitals about this xd,1 and R2 � r2 + c × xd,2 . Then, the doctor sends patient’s heart treatment records to servers. Suppose that the Πproof � (Committ1 , Committ2 , c, R1 , R2 ) and doctor needs to require the data with the serial number (did , pkd ) to the blockchain. Once the blockchain sn � δ1 , δ2 , . . . , δm , and those data are stored in servers obtains (Πproof , did , pkd ), it computes S1 , . . ., Si , . . . , Sn . The steps of the (OT)nm algorithm are shown �� �� �� in Figure 2. c � h0 (did ��pkd ��Committ1 ��Committ2 ) and checks ? whether αR1 � Committ1 · pkcd,1 and (i) Step 1. The doctor (client side) transmits request sn R2 ? c to the blockchain side. Then, server Si responds and g � Committ2 · pkd,2 . If the above equation holds, the blockchain checks whether the tuple (did , pkd ) executes the following steps. belongs to the doctors list. If yes, the verification (ii) Step 2. The client side selects parameters aj ∈ Z∗p process is completed. Then, the doctor can upload randomly and computes all parameters Aj of serial data. number of data; that is, Aj � wj gaj , where (ii) Step 2. GenTag(mkw , pid , dep): In order to facilitate 0 < j < m + 1(j ∈ Z∗p ) holds and parameters users to accurately access data, the data needs to be w1 , . . . , wm are calculated previously. Then, (Aj , ga ) classified in the light of departments and patients. is sent to the blockchain. Generate a tag tagmi � GenTag(mkw , pid , dep) cor- (iii) Step 3. The blockchain side computes Dj � (Aj )κ responding to the departments dep and patients pid , ′ and ϵ′ � gak′1, gak′2, . . . , gaky and sends ϵ′i to server and add it to m. The advantage of this is that the doctor can accurately acquire all the data about Si . Then, it delivers Dj and f to the client side. a certain department of this patient, and some in- (iv) Step 4. The server side computes �� all the ciphertexts k valid data are automatically removed, where the of its ci � ctd,i ⊕h2 (wi y Ryy′i���gaky ϵy′) and transmits ci communication overhead of gained data by the OT to the client side. protocol is reduced. (v) Step 5. Only if δi ∈ sn meets, the formulas Yj � �� (iii) Step 3. Encrypt(m, pkp , tagmi ) � ctp : The doctor (Dj /faj )��fa and ctd,j � cj ⊕h2 (Yj ) can be com- encrypts data m of patient, which employs the puted. After that, the ciphertexts of requested data patent’s public key pkp and encryption (Enc) al- sn are calculated. gorithm from KP − PRE scheme [38]. Then, upload (vi) Step 6. Decrypt(ctd,j , skd ) � mj . The doctor em- the ciphertext to the server. ploys his key skd to decrypt the above ciphertext.
8 Security and Communication Networks Finally, the doctor obtains all the heart disease and outputs wi to adversary A. records about that patient. R (iii) Challenge: Challenger C chooses b←{0, 1} and sets α Atb � g and Dtb � Z. 5. Security Analysis (iv) Guess: Adversary A outputs b∗ . If b∗ � b, challenger C outputs p � 1 (i.e., Z � gαβ ). Otherwise, C outputs Theorem 1. The proposed OT nm is server privacy, if the R p � 0 (i.e., Z←G). CDH assumption holds. Assume that any probability polynomial time adversary A can break the server privacy of the scheme; it can be utilized to solve CDH problem. The Proof:. We assume that the probability of challenger C definition of CDH problem is that, given a tuple obtaining Z � gαβ is 1/2 and the probability of obtaining R R (G, g, gα , gβ ) where α, β←Z∗p , the adversary should com- Z←G is also 1/2. We assume that the advantage of A pute gαβ . winning is ϵ and denote by E challenger C solving the DDH problem. It is easily deduced that Pr[p � 1|Z � gαβ ] � 1/2 + (i) Setup: In this phase, after challenger C obtains the R R ϵ and Pr[p � 0|Z←G] � 1/2Pr. Therefore, we can get CDH tuple (G, g, gα , gβ ) where α, β←Z∗p , it sets k � AdvD D H � Pr[C wins] − 1/2 � Pr[p � 1|Z � gαβ ] × 1/2 + α and f � gα . Then, it generates other system pa- R Pr[p � 0|Z←G] × 1/2 − 1/2 � (1/2 + ϵ)× rameters to complete the setup of the whole scheme. 1/2 + 1/2 × 1/2 − 1/2 � ϵ/2. So, ϵ � 2 × AdvD D H . Since the (ii) Query: In the hash query phase, adversary A queries DDH assumption holds, it is difficult for A to decide the value of wi . Challenger C sets ? whether Z� gαβ . Therefore, adversary A’s advantage to ⎪ ⎧ β R ∗ break the user privacy is negligible. □ ⎨ g i βi ←Zp , i ≠ t, wi � ⎪ (7) ⎩ β Theorem 3. Any revoked user cannot tamper with the data g , i � t. or his identity. Malicious or revoked users cannot get through and outputs wi to adversary A. In the Decrypt query the verification at our scheme. Meanwhile, if they attempt to phase, adversary A cannot query the plaintext of request data, then they would be identified via the scheme. ciphertext ct . Therefore, the malicious or revoked users do not obtain the permission to request the data. (iii) Decrypt: Adversary A outputs plaintext m′t. If m′t � mt , A wins this game. Proof:. Firstly, the user needs to get through the identity authentication at the data access phase. Whether this for- ? Proof:. � If mt is right, it means that A can compute mula Committui · pkcd,ui , gR � Committur · pkcd,ur is satisfied � Yt � wkt ��fa , where wkt � gαβ . Therefore, challenger C can is checked. In general, a malicious user’s commitment value utilize the adversary to output the solution wkt � gαβ of the cannot meet the calculation formula, and he would be CDH problem. In conclusion, if A wins, challenger C can judged as an invalid user by scheme. Secondly, even if output gαβ to solve the CDH problem. We can obtain that a malicious user tries to modify his identity, the list of user server privacy AdvA ≤ AdvCDH A . □ identities is stored in the blockchain. That is, the modified identity cannot satisfy the formula Theorem 2. The proposed OT nm is user privacy, if the DDH Hash256 (dui ) � Hash256 (dur ). Then, that malicious user assumption holds. Assume that any probability polynomial time would be judged as an invalid user. adversary A can break the user privacy of the scheme; it can be (OT)m m ensures the two-way privacy of communication utilized to solve DDH problem. The definition of DDH problem parties, and the proxy reencryption algorithm is secure. R Therefore, the confidentiality of data can be protected by our is that, given a tuple (G, g, gα , gβ , Z) where α, β←Z∗p , Z � gαβ , R or Z←G, the adversary should decide whether Z � gαβ . proposed scheme. □ (i) Setup: In this phase, after challenger C obtains the 6. Performance R DDH tuple (G, g, gα , gβ , Z) where α, β←Z∗p and R αβ β Z←G or Z � g , it sets k � β and f � g . Then, it In this section, we first analyze the proposed scheme and generates other system parameters to complete the provide a simplified comparison in Table 2. Then, an ex- setup of the whole scheme. perimental evaluation of the proposed scheme is presented. (ii) Query: In this phase, adversary A queries the value of wi , and challenger C guesses the targets of adversary 6.1. Performance Analysis. In our scheme, most of com- A, t0 and t1 . Then, it sets putation cost comes from the XOR operation, hash oper- ⎪ ⎧ R ation, Weil operation, power operation in G1 , and power ⎪ ⎨g ⎪ − at +α b � g− atb · gα , ∗ atb ←Zp , i � t0 ∨i � t1 , operation in GT , which are denoted as Tx , Th , Te , TE1 , and wi � ⎪ ⎪ ⎪ R ∗ TET . In Table 2, nd presents the number of doctors registered, ⎩ g ai , ai ←Zp , i ≠ t0 ∧i ≠ t1 , np describes the number of patients registered, nc is the (8) number of patient ciphertexts, ny illustrates the number of servers, and nj states the number of j.
Security and Communication Networks 9 Input: the series number sn = {δ 1,δ2,..., δm} Output: the requested data mj (0 < j < m + 1) The client side The blockchain side The server side Si choose t,aj *p computer gt, Aj = wj gja w1 =h1( δ1),...,wm =h1( δm) (Aj,ga) computer Dj = (Aj)κ ∈′ = {gak1’ ,gak2’ ,...,gaky’ } Dj ∈′i computer ci Ryn = wnky′ ci = ctd,i h2 (wiky R yyi’ || gaky)∈y′ computer Yj = (Dj / f aj)|| f a ctd,j = cj h2 (Yj) decrypt Decrypt(ctd,j,skd) = mj obtain mj Figure 2: The steps of the (OT)nm algorithm. Table 2: Computational cost comparison. Entities Registration phase Encryption phase Data access phase (OT)nm phase KGC (nd + np )(TE1 + TET ) — — — Client — 2TE1 + 3TET + Th 4TE1 + 3TET + Th + Tp nj (3TE1 + TET + Th ) Blockchain — 2TE1 + 2TET + Th 2TE1 + 2TET + Th TE1 (nj + ny ) Servers — — nc (2Tp + 2TET ) nc (2TE1 + Th ) Tx : XOR operation; Te : Weil operation; Th : hash operation; TE1 : power operation in G1 ; and TET : power operation in GT . nd : the number of doctors registered; np : the number of patients registered; nc : the number of patient ciphertexts; ny : the number of servers; nj : the number of j. In registration phase, KGC generates the public-private Core(TM) i5-9500 CPU @ 3.00 GHz 3.00 GHz; (2) random key pairs for doctors and patients, and it costs computation access memory: 8.0 GB; (3) OS: Ubuntu 14.04 over VMware overhead (nd + np )(TE1 + TET ). In encryption phase, workstation full 12.5.2; (4) system type: 64-bit. blockchain verifies and checks the identities of client via lists We provide the computation comparison between to discern malicious or revoked users, which costs 4TE1 + doctors and patients in the (OT)nm protocol in Figure 3. The 2TET + Th computation overhead. Also, this phase is applied X-axis describes the number of j requested by doctors. The to encrypt the plaintext by using private key of patients, Y-axis represents the time cost to perform the (OT)nm which defends the data confidentiality and costs 2TE1 + TET protocol in doctor side and patient side. As shown in Fig- computation overhead. In data access phase, the ciphertext ure 3, the time cost of doctors is higher than that of patients. encrypted with the user’s key should be converted into the The patient only needs to assist the blockchain to complete ciphertext encrypted with the doctor’s key, which costs the transformation of the ciphertext. However, doctors need 3TE1 + TET + Tp computation overhead. Moreover, this to participate in all the (OT)nm protocols and calculate the phase is also not involved in the general OT protocol, mainly transmission ciphertext of j data. Meanwhile, if the length of to hide the access path of the server. In the (OT)nm phase, it the ciphertext is fixed, the cost of transforming the ciphertext realizes the privacy-preserving of clients and servers. is roughly the same. Therefore, the patient’s expenditure at this phase is approximately straight. We provide the computation comparison of client side, 6.2. Performance Evaluation. We simulate our proposed blockchain, and servers in Figure 4. In order to make the scheme employing the C language with PBC library (pbc- comparison more obvious, the three entities are put in 0.5.14) and GMP library (GMP-6.1.2) to evaluate the (OT)nm Figures 4 and 5. The computational overhead of the client protocol. All simulations are implemented on a desktop side and blockchain is described in Figure 4; the X-axis computer with the following features: (1) CPU: Intel(R) represents the number of j and assumes that the number of
10 Security and Communication Networks 0.6 meantime, this protocol uses the many-to-many data transmission pattern. 0.5 0.4 7. Conclusion Time (s) 0.3 In this paper, a privacy-preserving data transmission scheme 0.2 based on the oblivious transfer and blockchain technology in 0.1 the smart healthcare system is proposed. Based on the proxy reencryption technology, the proposed (OT)nm protocol can 0 implement the ciphertext conversion to ensure the privacy of 1 5 10 15 20 25 30 servers. Meantime, the two-way privacy between the client The number of j side and servers is guaranteed via the proposed (OT)nm Doctors protocol, which also ensures the security and efficiency of Patients data transmission. By taking advantage of blockchain Figure 3: The computation comparison between doctors and technology, the proposed scheme can prevent data from patients in (OT)nm . being tampered with and effectively identify malicious users. After analyzing the protocol security, the confidentiality of data and security of our scheme are proved. Finally, the results of performance evaluation and experimental com- parison can be considered as a validation of our protocol, 1.6 making it substantially more convincing. 1.4 1.2 1 Data Availability Time (s) 0.8 The data used to support the findings of this study are 0.6 available from the corresponding author upon request. 0.4 0.2 Conflicts of Interest 0 5 15 25 35 45 55 65 75 Numbers The authors declare that they have no conflicts of interest. Client-side Blockchain Acknowledgments Figure 4: The computation comparison of the client side and This work was supported by the National Natural Science blockchain in (OT)nm . Foundation of China under Grant nos. U1836115, 61672295, 61922045, and 61672290; the Peng Cheng Laboratory Project of Guangdong Province PCL2018KP004; the Postgraduate Research and Practice Innovation Program of Jiangsu 1.6 Province (KYCX21_1003, KYCX21_0998, and 1.4 KYCX21_1002); the CICAEET fund; and the PAPD fund. Servers 1.2 1 References Times (s) 0.8 [1] G. Manogaran, R. Varatharajan, D. Lopez, P. M. Kumar, 0.6 R. Sundarasekar, and C. Thota, “A new architecture of In- 0.4 ternet of Things and big data ecosystem for secured smart 0.2 healthcare monitoring and alerting system,” Future Genera- 0 tion Computer Systems, vol. 82, pp. 375–387, 2018. 5 15 25 35 45 55 65 75 [2] M. Mettler, “Blockchain technology in healthcare: the revo- Numbers lution starts here,” in Proceedings of the 2016 IEEE 18th In- ternational Conference on E-Health Networking, Applications Figure 5: The computation comparison of the servers in (OT)nm . and Services (Healthcom), pp. 1–3, IEEE, Munich, Germany, September 2016. servers is 10. For the server side, the X-axis represents the [3] J. Liang, Z. Qin, S. Xiao, L. Ou, and X. Lin, “Efficient and secure decision tree classification for cloud-assisted online number of patient ciphertexts in Figure 5. As shown in the diagnosis services,” IEEE Transactions on Dependable and figures, we find that the overhead of the client is much higher Secure Computing, vol. 18, no. 4, pp. 1632–1644, 2021. than that of other entities. The proposed (OT)nm protocol is [4] L. Catarinucci, D. De Donno, L. Mainetti et al., “An IoT-aware an interactive protocol, which requires interaction between architecture for smart healthcare systems,” IEEE Internet of client side and servers to complete data transmission. At the Things Journal, vol. 2, no. 6, pp. 515–526, 2015.
Security and Communication Networks 11 [5] M. M. Baig and H. Gholamhosseini, “Smart health monitoring Journal of Computer and System Sciences, vol. 60, no. 3, systems: an overview of design and modeling,” Journal of pp. 592–629, 2000. Medical Systems, vol. 37, pp. 9898–9914, 2013. [23] M. Naor and B. Pinkas, “Efficient oblivious transfer pro- [6] A. Solanas, C. Patsakis, M. Conti et al., “Smart health: tocols,” in Proceedings of the twelfth annual ACM-SIAM a context-aware health paradigm within smart cities,” IEEE symposium on Discrete algorithms SODA, vol. 1, pp. 448–457, Communications Magazine, vol. 52, no. 8, pp. 74–81, 2014. Washington, DC, USA, January 2001. [7] Y. S. Su, T. J. Ding, and M. Y. Chen, “Deep learning methods [24] W.G. Tzeng, “Efficient 1-out-of-n oblivious transfer schemes in Internet of medical things for valvular heart disease with universally usable parameters,” IEEE Transactions on screening system,” IEEE Internet of Things Journal, p. 1, 2021. Computers, vol. 53, no. 2, pp. 232–240, 2004. [8] Y. S. Su and S. Y. Wu, “Applying data mining techniques to [25] C. K. Chu and W. G. Tzeng, “Efficient k-out-of-n oblivious explore user behaviors and watching video patterns in con- transfer schemes with adaptive and non-adaptive queries,” in verged it environments,” Journal of Ambient Intelligence and Proceedings of the International Workshop on Public Key Humanized Computing, pp. 1–8, 2021. Cryptography, pp. 172–183, Springer, Les Diablerets, Swit- [9] M. Hartmann, U. S. Hashmi, and A. Imran, “Edge computing zerland, January 2005. in smart health care systems: review, challenges, and research [26] T. Chou and C. Orlandi, “The simplest protocol for oblivious directions,” Transactions on Emerging Telecommunications transfer,” in Proceedings of the International Conference on Technologies, Article ID e3710, 2019. Cryptology and Information Security in Latin America, [10] J. Qiu, X. Liang, S. Shetty, and D. Bowden, “Towards secure and pp. 40–58, Springer, Guadalajara, Mexico, August 2015. smart healthcare in smart cities using blockchain,” in Pro- [27] E. Hauck and J. Loss, “Efficient and universally composable ceedings of the 2018 IEEE International Smart Cities Conference protocols for oblivious transfer from the CDH assumption,” (ISC2), pp. 1–4, Kansas City, MO, USA, September 2018. IACR Cryptology ePrint Archive, Report 2017/1011, 2017. [11] N. Tariq, A. Qamar, M. Asim, and F. A. Khan, “Blockchain [28] X. Wang, X. Kuang, J. Li, J. Li, X. Chen, and Z. Liu, “Oblivious and smart healthcare security: a survey,” Procedia Computer transfer for privacy-preserving in VANET’s feature match- Science, vol. 175, pp. 615–620, 2020. ing,” IEEE Transactions on Intelligent Transportation Systems, [12] J. Alghazo, G. Rathee, S. Gupta et al., “A secure multimedia vol. 22, no. 7, pp. 4359–4366, 2021. processing through blockchain in smart healthcare systems,” [29] M. Naor and B. Pinkas, “Oblivious transfer and polynomial ACM Transactions on Multimedia Computing, Communica- evaluation,” in Proceedings of the Thirty-First Annual ACM tions, and Applications, 2020. Symposium on Theory of Computing, pp. 245–254, Atlanta, [13] J. Shen, Z. Gui, X. Chen, J. Zhang, and Y. Xiang, “Lightweight Georgia, May 1999. and certificateless multi-receiver secure data transmission [30] M. Naor and B. Pinkas, “Computationally secure oblivious protocol for wireless body area networks,” IEEE Transactions transfer,” Journal of Cryptology, vol. 18, no. 1, pp. 1–35, 2005. on Dependable and Secure Computing, p. 1, 2020. [31] C. K. Chu and W. G. Tzeng, “Efficient k-out-of-n oblivious [14] J. Shen, T. Zhou, X. Chen, J. Li, and W. Susilo, “Anonymous transfer schemes,” Jouranal of Universal Computer Science, and traceable group data sharing in cloud computing,” IEEE vol. 14, pp. 397–415, 2008. Transactions on Information Forensics and Security, vol. 13, [32] Y. Chen, J. S. Chou, and X. W. Hou, “A novel k-out-of-n pp. 912–925, 2017. oblivious transfer protocols based on bilinear pairings,” IACR [15] E. Stefanov, M. V. Dijk, E. Shi et al., “Path ORAM: an ex- Cryptology ePrint Archive, vol. 2010, 2010. tremely simple oblivious ram protocol,” in Proceedings of the [33] D. C. Lou and H. F. Huang, “An efficient-out-of-noblivious 2013 ACM SIGSAC Conference on Computer and Commu- transfer for information security and privacy protection,” nications Security, pp. 299–310, Berlin, Germany, November International Journal of Communication Systems, vol. 27, 2013. no. 12, pp. 3759–3767, 2014. [16] J. Shen, H. Yang, P. Vijayakumar, and N. Kumar, “A privacy- [34] J. Lai, Y. Mu, F. Guo, R. Chen, and S. Ma, “Efficient k-out-of-n preserving and untraceable group data sharing scheme in oblivious transfer scheme with the ideal communication cloud computing,” IEEE Transactions on Dependable and cost,” Theoretical Computer Science, vol. 714, pp. 15–26, 2018. Secure Computing, p. 1, 2021. [35] J. H. Hsiao, R. Tso, C. M. Chen, and M. E. Wu, “Decentralized [17] B. Pinkas and T. Reinman, “Oblivious RAM revisited,” in e-voting systems based on the blockchain technology,” in Annual Cryptology Conference, pp. 502–519, Springer, New Advances in Computer Science and Ubiquitous Computing, York, NY, USA, 2010. pp. 305–309, Springer, New York, NY, USA, 2017. [18] M. O. Rabin, “How to exchange secrets with oblivious [36] R. Tso, Z.-Y. Liu, and J.-H. Hsiao, “Distributed e-voting and e- transfer,” IACR Cryptology ePrint Archive, vol. 2005, no. 187, bidding systems based on smart contract,” Electronics, vol. 8, pp. 22–25, 2005. no. 4, p. 422, 2019. [19] S. Even, O. Goldreich, and A. Lempel, “A randomized pro- [37] T. Li, W. Ren, Y. Xiang et al., “FAPS: a fair, autonomous and tocol for signing contracts,” Communications of the ACM, privacy-preserving scheme for big data exchange based on vol. 28, no. 6, pp. 637–647, 1985. oblivious transfer, ether cheque and smart contracts,” In- [20] G. Brassard, C. Crépeau, and J. M. Robert, “All-or-nothing formation Sciences, vol. 544, pp. 469–484, 2021. disclosure of secrets,” in Proceedings of the Conference on the [38] G. Ateniese, K. Benson, and S. Hohenberger, “Key-private Theory and Application of Cryptographic Techniques, proxy re-encryption,” in Proceedings of the Cryptographers’ pp. 234–238, Springer, Kyoto, Japan, December 2000. Track at the RSA Conference, pp. 279–294, Springer, San [21] M. Bellare and S. Micali, “Non-interactive oblivious transfer Francisco, CA, USA, April 2009. and applications,” in Proceedings of the Conference on the [39] D. Yaga, P. Mell, N. Roby, and K. Scarfone, “Blockchain Theory and Application of Cryptology, pp. 547–557, Springer, technology overview,” 2019, https://arxiv.org/abs/1906.11078. Houthalen, Belgium, April 1989. [40] M. Pilkington, “Blockchain technology: principles and ap- [22] Y. Gertner, Y. Ishai, E. Kushilevitz, and T. Malkin, “Protecting plications,” in Research Handbook on Digital Trans- data privacy in private information retrieval schemes,” formationsEdward Elgar Publishing, Cheltenham, UK, 2016.
12 Security and Communication Networks [41] C. Cachin, “Architecture of the hyperledger blockchain fab- ric,” in Proceedings of the Workshop on Distributed Crypto- currencies and Consensus Ledgers,, Chicago, IL, July 2016. [42] M. Vukolić, “The quest for scalable blockchain fabric: proof- of-work vs. BFT replication,” in Proceedings of the In- ternational Workshop on Open Problems in Network Security, pp. 112–125, Springer, Zurich, Switzerland, October 2015.
You can also read