SPChain: Blockchain-based Medical Data Sharing and Privacy-preserving eHealth System
Renpeng Zou a, Xixiang Lv a,∗, Jingsong Zhao a
a School of Cyber Engineering, Xidian University, Xian 710071, China
Abstract
The development of eHealth systems has brought great convenience to people’s life. Researchers have been combining new technologies to make eHealth systems work better for patients. The blockchain-based eHealth system has become popular because of its unique distributed, tamper-resistant and privacy-preserving features. However, due to the security issues of the blockchain system, there are many security risks in eHealth systems utilizing the blockchain technology; for example, 51% attacks can destroy blockchain-based systems. Besides, trivial transactions and frequent calls of smart contracts in the blockchain system bring additional costs and security risks to blockchain-based eHealth systems. Worse still, electronic medical records (EMRs) are controlled by medical institutions rather than patients, which causes privacy leakage issues. In this paper, we propose a medical data Sharing and Privacy-preserving eHealth system based on blockChain technology (SPChain). We combine RepuCoin with the SNARKs-based chameleon hash function to resist underlying blockchain attacks, and design a new chain structure to make microblocks contribute to the weight of blockchain. The system allows patients to share their EMRs among different medical institutions in a privacy-preserving way. Besides, authorized medical institutions can label wrong EMRs with the patients’ permissions in the case of misdiagnosis. Security analysis and performance evaluation demonstrate that the proposed system can provide a strong security guarantee with a high efficiency.
∗ Corresponding author
Email address: [email protected] (Xixiang Lv)
Preprint submitted to Journal of LaTeX Templates, September 22, 2020 (arXiv, cs.CR)
Keywords:
Blockchain; Electronic Medical Record; Privacy; Data Sharing;
1. Introduction
The era of big data brings new opportunities and challenges to the medical field. Researchers have found that the dissemination of medical data is perceived to be a breakthrough for the discovery of new techniques and therapies for curing diseases. Through the analysis of medical data, many diseases can be effectively prevented and treated. For example, artificial intelligence techniques are utilized on diagnostics in glaucoma [1], hyperactivity [2], and Parkinson’s disease [3] via medical data sharing and analysis.
In order to provide a more efficient and flexible service for both patients and medical institutions, eHealth systems are proposed to save, manage, transmit and reproduce digital patient medical records. Currently, eHealth systems are mainly divided into traditional central server-based eHealth systems and cloud-based eHealth systems. In traditional central server-based eHealth systems, EMRs are stored in a single server controlled by a medical institution. In this circumstance, medical data sharing is difficult and inefficient, and privacy leakage problems arise frequently since patients lose control of their medical data. What’s worse, once the central server goes down, the medical data will be lost, and it will be difficult to retrieve the data.
As for cloud-based eHealth systems, medical institutions outsource EMRs to cloud servers. The migration of medical records to cloud-based platforms [4] has facilitated the sharing of medical data between healthcare and research institutions, enabling faster and more convenient exchange in a manner previously not possible. However, guaranteeing the integrity and confidentiality of the outsourced medical data is a daunting task. Moreover, patients need to register repeatedly in different medical institutions, which brings trivial records to patients. Worse still, the privacy of patients is still a blank check signed by medical institutions.
In recent years, many incidents of medical record leakage [5] [6] [7] have occurred. Therefore, eHealth systems need innovations to assure the security and privacy of medical records.
Blockchain, which is widely leveraged in cryptocurrency systems [8], [9], is a promising technology that can be used to maintain a transparent ledger and share data among participants. With its tamper-resistant and distributed nature, the blockchain technology can provide integrity and restoration guarantees for medical records. Many countries have combined the blockchain technology with eHealth systems and achieved great success. For instance, Estonia [10] makes use of the blockchain technology to provide patients with safer and more convenient medical services. An ample amount of solutions, e.g. [11], [12], [13], strive to leverage the latest technology, such as smart contracts and privacy protection modules, to enhance the operability and confidentiality of eHealth systems. The literature shows that using the blockchain as decentralized storage in place of central servers is an effective approach, but some drawbacks remain.
The most intractable issue is the underlying security of blockchain-based eHealth systems. These systems treat the blockchain system as a secure and trusted ledger in public networks. This hypothesis is unrealistic, since many well-known blockchain attacks involving theft of blockchain properties, malicious manipulations, double spending and exploitation of bugs in smart contracts [14] [15] [16] have occurred in succession. Some of these attacks target mining strategies and protocols, allowing attackers to obtain additional rewards [17] [18]. Other attacks may be more serious, for the attackers can totally control the consensus protocols or the issuance of cryptocurrencies, which would completely destroy the blockchain system.
In order to build a robust blockchain-based eHealth system, we need to take the underlying security of the blockchain-based eHealth system into consideration.
Trivial records are another obstacle to the development of eHealth systems. Existing blockchain-based eHealth systems regard medical records as transactions in a blockchain system. These systems utilize smart contracts and the scripting language to exchange medical data between medical institutions with blockchain systems. Due to this data storage and exchange model, the medical data are scattered across the blockchain system. In this case, consulting the medical records of patients in a mass of block data is inefficient, and obtaining a patient’s whole medical records in such systems consumes a lot of time. In addition, some mechanisms leverage extra interfaces to integrate the medical records; e.g., the schemes in [19] and [11] utilized smart contracts to retrieve the whole medical histories of a patient. In this construct, users need to invoke smart contracts frequently, which brings more gas cost for users. Worse still, attackers may exploit loopholes in the smart contracts to steal the medical records. Therefore, we need an effective design which can integrate the medical records and make it more convenient for patients to access their medical records.
As for the privacy of patients, most schemes assume by default that the medical data is controlled by medical institutions alone. Under this circumstance, patients lose control of their medical data. What’s worse, the medical institutions may traffic the data to lawbreakers for illegal benefits, which would violate the patients’ safety. Since the medical data is jointly generated by patients and medical institutions, we believe that the data should be the common property of both participants.
Thus, a dual control scheme for patients and medical institutions is desirable in the eHealth era.
To address the above problems, we combine RepuCoin [20], the first blockchain system that can resist 51% attacks, with the SNARKs-based chameleon hash function [21], and propose a medical records sharing and privacy-preserving system based on blockchain (SPChain). Specifically, the contributions of this paper are as follows:
• We propose a blockchain-based medical records sharing and privacy-preserving eHealth system (SPChain). Patients in SPChain can share their medical records among different medical institutions without registering repeatedly. In the case of misdiagnosis, SPChain provides special transactions for patients to label wrong medical records. Besides, we design a dual control scheme for participants to protect the rights of both parties.
• We combine the SNARKs-based chameleon hash function and RepuCoin to construct SPChain. Notably, we propose a new chain structure to make microblocks contribute to the weight of blockchain. In addition, we design a reputation-based reward system to incentivize medical institutions to participate in the consensus mechanism.
• We present security analysis to demonstrate that SPChain resists the underlying blockchain attacks such as flash attacks and selfish mining attacks. The experiments show that SPChain is practical and efficient in terms of throughput.
The remaining part of the paper is organized as follows. We begin by introducing some related works in Section 2. The third section is concerned with some preliminaries we used. In Section 4, we describe the system model and the design goals. The detailed blockchain-based medical data sharing and privacy-preserving eHealth system is given in Section 5. Section 6 illustrates the evaluation and security analysis of our scheme. Finally, we give the conclusion and future work.
2. Related Works
In this section, we first review some blockchain-based eHealth systems, then we list the drawbacks of these systems.
In order to prompt patients to engage in the details of their healthcare and restore agency over their medical data, Azaria et al. [11] proposed a decentralized record management system to handle EMRs. The system utilized smart contracts to manage medical records of patients. With its modular design, patients can design access control rules and share their EMRs with different institutions. The authors also designed a reward system to incentivize researchers and public health authorities to participate in the network as blockchain miners.
To preserve patients’ privacy in the process of disseminating EMRs, Xia et al. [12] designed a system that addresses the issue of medical data sharing among medical big data custodians in a trust-less environment. The system employed smart contracts and an access control mechanism to effectively trace the behavior on the data, and revoked access when rules and permissions on data were violated. With a data custodian system, the system can monitor entities that access data for malicious behaviors.
Cao et al. [22] proposed a secure cloud-assisted eHealth system to protect outsourced EMRs from illegal modifications. The key idea of the system is that the EHRs can only be outsourced by authenticated participants and each operation on outsourced EMRs is integrated into the public blockchain as a transaction. The system took into account the situations of a single doctor and multiple doctors and utilized a key exchange protocol to protect the privacy of EMRs. The tamper-proofing property of blockchain guaranteed the correctness and integrity of EMRs.
Xia et al. [13] proposed a permissioned blockchain framework to achieve medical data sharing in cloud environments. In the scheme, the authors designed authentication and verification protocols to set permissions and distribute keys for users.
The system permits users to request data from the shared pool after their identities and cryptographic keys are verified.
All existing blockchain-based eHealth systems have at least one of the following drawbacks:
Cannot resist underlying blockchain attacks.
None of the blockchain-based eHealth systems takes the underlying blockchain attacks into consideration. We hold the opinion that the security of blockchain is the basic guarantee in constructing blockchain-based eHealth systems. Natoli et al. [23] and Bonneau et al. [24] point out that some attacks can destroy the blockchain-based system. In this situation, the blockchain-based system no longer retains its tamper-resistant and privacy-preserving nature, and there is no essential difference between the blockchain system and the traditional medical system.
Trivial records.
In most blockchain-based eHealth systems, the records grow horizontally, which means that new records are attached in the latest block. This structure leads to trivial patient records, and it is not convenient to integrate the history of patients’ records. In addition, patients need to register and be checked repeatedly in different medical institutions.
Invoking smart contracts frequently.
In some blockchain-based eHealth systems such as [11] [25], the authors utilize smart contracts to manage medical data. This design is convenient for medical institutions but not friendly to patients, since patients need to invoke smart contracts frequently and the invocation of smart contracts consumes gas in Ethereum.
Medical data centralization.
Most schemes assume by default that medical data is controlled by medical institutions alone. In this situation, patients cannot protect their privacy since they lose control of their EMRs. In this paper, we ensure that EMRs are the common property of patients and medical institutions, and participants must be approved by each other before they can use the data.
3. Preliminaries
In this section, we formally define the preliminaries used in SPChain, including the SNARKs-based chameleon hash function and RepuCoin.
The concept of chameleon hashing was put forward by Krawczyk and Rabin [26], building on the notion of chameleon commitments. Up to now, there are many chameleon hash function schemes which satisfy different properties, such as Ateniese and Medeiros [27], identity-based chameleon hash function [28] and labeled chameleon hash function [29]. However, as discussed in [30], they are not applicable for constructing redactable blockchains. We choose a SNARKs-based chameleon hash function given in [21] to construct SPChain. A key-exposure-free SNARKs-based chameleon hash is specified by a tuple ($\mathsf{HGen}$, $\mathsf{Hash}(m, hk)$, $\mathsf{HVerify}$, $\mathsf{Hcol}$) of efficient algorithms as follows:
• $\mathsf{HGen}(\lambda)$. Run $(crs, \tau) \leftarrow \mathsf{SN.Setup}(pp)$. Pick $x \xleftarrow{R} \mathbb{Z}_p$, $h \xleftarrow{R} \mathbb{G}$, and set $h = [x]$ and $\hat{h} = [x]$. Set $hk = (h, \hat{h}, h, crs)$ and $tk = (x)$.
• $\mathsf{Hash}(m, hk)$. For message $m$, pick $r$ randomly from $\mathbb{Z}_p$ and compute $h = h^{r} h^{m}$ and $R = g^{r}$. Then give a proof $\pi$ for the following relation by $\mathsf{SN.Prove}$:
$L = \left\{ (h, h, \hat{h}, h, m) : \exists (R) : e\left(\frac{h}{h^{m}}, [1]\right) = e(R, \hat{h}) \right\}$
• $\mathsf{HVerify}(m, hk, (h, \zeta))$. Check $\mathsf{SN.Verify}(crs, h, m, \pi)$ and output 1 if this is correct, otherwise output 0.
• $\mathsf{Hcol}(tk, (h, m, \pi), m')$. First check the proof and, if it is correct, compute a collision as $R' = \left(\frac{h}{h^{m'}}\right)^{x}$. Then give a proof for the following relation by $\mathsf{SN.Prove}$:
$L = \left\{ (h, h, \hat{h}, h, m) : \exists (R') : e\left(\frac{h}{h^{m}}, [1]\right) = e(R', \hat{h}) \right\}$
The blockchain is a data structure and serves as a distributed ledger in which multiple transactions are maintained by trustless nodes in a P2P network. Information may include data records of different types, such as cryptocurrency transactions, smart contracts and account balances.
Typically, each block contains a hash pointer that points to its previous block, a timestamp, and the transaction data. The block can be chained to the blockchain only if the validity of its transaction data is verified by a majority of nodes. The blockchain technique can be generally classified into two types: private (consortium) blockchain and public blockchain.
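The HGen / Hash / HVerify / Hcol interface defined earlier in this section can be exercised with a much simpler construction. The following is an added example, not code from the paper: it uses the classic discrete-log chameleon hash in the style of Krawczyk and Rabin [26] rather than the SNARKs-based scheme of [21], and it also shows the key exposure that a key-exposure-free scheme is chosen to avoid. The demo-sized group, the function names and the sample record bytes are assumptions.

```python
import hashlib
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin; these bases make it deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for p in _BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(start: int = 1 << 63):
    """Find p = 2q + 1 with p, q prime. Demo-sized (64-bit), not a secure size."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4  # 4 = 2^2 is a square, so it generates the order-q subgroup


P, Q, G = safe_prime_group()


def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def hgen():
    """Return (hk, tk): public hash key g^x and trapdoor x."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x


def ch_hash(hk: int, msg: bytes, r=None):
    """CH(m; r) = g^m * hk^r mod p. Returns (hash value, randomness)."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, digest(msg), P) * pow(hk, r, P) % P, r


def ch_verify(hk: int, msg: bytes, value: int, r: int) -> bool:
    return ch_hash(hk, msg, r)[0] == value


def ch_collide(tk: int, msg: bytes, r: int, new_msg: bytes) -> int:
    """Trapdoor holder solves m + x*r = m' + x*r' (mod q) for r'."""
    return (r + (digest(msg) - digest(new_msg)) * pow(tk, -1, Q)) % Q


def recover_trapdoor(msg: bytes, r: int, new_msg: bytes, new_r: int) -> int:
    """Key exposure: one published collision reveals x = (m - m') / (r' - r)."""
    return (digest(msg) - digest(new_msg)) * pow((new_r - r) % Q, -1, Q) % Q


def demo():
    hk, tk = hgen()
    wrong = b"constructed ciphertext of a misdiagnosed EMR"
    fixed = b"constructed ciphertext of the corrected EMR"
    value, r = ch_hash(hk, wrong)
    r_new = ch_collide(tk, wrong, r, fixed)
    return {
        "original_verifies": ch_verify(hk, wrong, value, r),
        "swap_without_trapdoor_rejected": not ch_verify(hk, fixed, value, r),
        "collision_verifies": ch_verify(hk, fixed, value, r_new),
        "trapdoor_exposed": recover_trapdoor(wrong, r, fixed, r_new) == tk,
    }


if __name__ == "__main__":
    print(demo())
```

The last check is the reason a plain discrete-log chameleon hash is a poor fit for a shared ledger: every published redaction hands the trapdoor to all readers.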
RepuCoin.
Yu et al. [20] proposed a system named RepuCoin, which is the first system to tolerate attacks compromising 51% of the network’s computing resources, even if such power stays maliciously seized for almost a whole year. RepuCoin can achieve a high throughput of 10000 transactions per second (TPS).
The existing systems link computing power and voting rights to resist Sybil attacks and improve the throughput of the system. But these systems are still exposed to computing power-based attacks such as 51% attacks, selfish mining attacks and so on. RepuCoin separates computing power and voting rights, and uses a notion of reputation to define a miner’s power in terms of its work performed over the lifetime of a blockchain. Even if the attacker has 99% of the computing power, it cannot attack the system successfully.
RepuCoin adopts the block structure of the Bitcoin-NG [31] system, which contains keyblocks and microblocks. The formats of a keyblock and a microblock are illustrated in Figure 1. RepuCoin proposes a weighted vote-based consensus to constitute the consensus group. In particular, each member of the consensus committee is given a weight related to that member’s reputation. In order to reach an agreement, RepuCoin needs both a sufficient number of votes and a collective weight of a majority.
Figure 1: The formats of a keyblock and microblock in RepuCoin
4. System and threat model
In this section, we first present the architecture of SPChain, then list the requirements that SPChain should satisfy. Finally, we give the threat model.
As shown in Figure 2, there are two participants in our system: patients and medical institutions. The procedure by which patients consult medical institutions in SPChain is as follows.
Figure 2: The architecture of SPChain
Firstly, a patient $\tilde{P}_i$ sends transactions to register with medical institution $\tilde{M}_i$, and provides it with auxiliary information so that $\tilde{M}_i$ generates diagnosing records for $\tilde{P}_i$. Then the diagnosing records are encrypted with the symmetric key of $\tilde{P}_i$.
After the diagnosing records are generated, $\tilde{P}_i$ generates the corresponding transactions and sends them to the blockchain network. Then $\tilde{M}_i$ participates in mining to gain the right to commit transactions into blocks. In return, the winner of the mining process gains rewards.
When the patient $\tilde{P}_i$ needs to visit another medical institution $\tilde{M}_j$, $\tilde{P}_i$ can access the medical information and medical history in SPChain, and does not need to register again. Besides, the record history in the blockchain can be extended by issuing special type transactions. In the case of misdiagnosis, patients can send transactions to label the wrong records without influencing other transactions in SPChain.
SPChain consists of patient nodes and medical institution nodes. Here we define medical institution nodes as miners, which can build reputations by participating in the consensus mechanism and dealing with the transactions. Thus our system can adopt a consortium blockchain. SPChain supports medical records update, label and retrieval. Under the adversary model, SPChain should satisfy the following security requirements:
• Confidentiality. The contents of EMRs should not be recovered by unauthorized medical institutions or attackers.
• Label and correctness. Wrong EMRs can be labeled by authorized medical institutions, and patients should be able to verify the correctness of the labeled EMRs.
• Integrity. The integrity of EMRs should be guaranteed. Any illegal modifications by unauthorized medical institutions should be detected by the system.
• Privacy. In SPChain, the privacy of patients’ EMRs should be preserved. In other words, without the permission of patients, other medical institutions cannot access the contents of EMRs.
In the adversary model, miners in SPChain are similar to those in RepuCoin. We assume that the number of Byzantine nodes in the system does not exceed one third of the total number of nodes. They may behave maliciously to gain additional rewards. We consider attacks from two different angles: attacks on the blockchain system, and attacks on the SPChain system. For the former, we consider the 51% attack, flash attack and selfish mining attack. For the latter, we take reputation fraud attacks and inhibition attacks into consideration.
Blockchain attacks:
51% attacks [32] and flash attacks [24]. An attacker can obtain a temporary majority of computing power by renting enough mining capacity, which would break the security assumption of proof-of-work based systems.
Selfish mining attacks (block withholding attack) [18]. In this case, an attacker controls a significant amount ( >
SPChain attacks:
Reputation fraud attacks. A malicious medical institution creates "zombie" patient nodes to increase its reputation.
Inhibition attacks. When a medical institution successfully becomes a leader, it may package only its own transactions and ignore others’ transactions on purpose.
5. The SPChain system
In this section, we present details describing the different concepts and modules underlying SPChain. We first introduce basic definitions about transactions, blocks and chain structures. Then we detail the consensus mechanism in Section 5.2 and SPChain in Section 5.3.
As shown in Figure 3, there are three types of transactions in our system: register transactions, medical transactions and label transactions. Transactions in SPChain are presented as triplets $(Type, Data, sig)$, where $Type$ denotes the type of transaction, $Data$ identifies the contents in different types of transactions, and $sig$ specifies the signature of the transaction sender.
Register transaction.
This transaction is sent to the medical institution at which the patient wants to be treated for the first time. We denote a register transaction as $T_R = (Register, H(ID \,\|\, Age \,\|\, \ldots), sig_P)$, where $Register$ specifies a register transaction, $H(ID \,\|\, Age \,\|\, \ldots)$ denotes the hash value of a patient’s identity, age and other auxiliary information, and $sig_P$ is the signature of the patient. Every patient should send this transaction to register in SPChain.
Medical transaction.
This transaction is sent by patients to upload records to the blockchain. We define a medical (update) transaction $T_M = (Medical, CH(E_M E_P(EMRs)) \,\|\, \pi \,\|\, Pointer, sig_P)$, where $Medical$ indicates that this is a medical transaction, $CH(E_M E_P(EMRs))$ identifies the chameleon hash value of the encrypted EMRs while $Pointer$ represents the pointer to the encrypted EMRs, $\pi$ denotes the proof generated by $\mathsf{SN.Prove}$ and $sig_P$ is the signature of the patient.
Label transaction.
When medical errors occur, patients send this transaction to label the wrong records. We define a label transaction $T_L = (Label, Hash_{T_M}, CH(E_M E_P(EMRs')) \,\|\, \pi' \,\|\, Pointer, sig_P)$, where $Label$ indicates that the transaction is a label transaction and $Hash_{T_M}$ is the transaction hash value of the medical transaction to be labeled. $CH(E_M E_P(EMRs'))$, $\pi'$, $Pointer$ and $sig_P$ are the same as in the above definitions.
In our system, register transactions are packed into keyblocks, while medical transactions and label transactions are attached to the microblocks bound to the patients.
Figure 3: The structure of transactions in SPChain
Block.
Similar to RepuCoin, there are two kinds of blocks in our system, keyblock and microblock. Figure 4 shows the structure of a keyblock and a microblock. Unlike RepuCoin, keyblocks contain register transactions in our system. We use Prev_keyblock_hash and last_microblock_hash to mine keyblocks, and we will detail the mining strategy in the following part.
Figure 4: The structure of blocks in SPChain
In our system we regard a microblock as a patient block. From Figure 4 we can see that every patient holds one and only one microblock, which stores the whole medical records of the patient in different medical institutions. In order to facilitate the retrieval of records, we use a Merkle tree structure to construct the institution hash root. To achieve modification in a patient block, we use the SNARKs-based chameleon hash function instead of SHA-256 to calculate Medical_institution_hash_root. The leaf nodes of the tree are the basic information (for example, the public key which is certified by an authority) of medical institutions. Figure 5 details the calculation of the hash root. There are two cases in the calculation, an even number n and an odd number n. Medical transactions and label transactions are attached behind the basic information in chronological order.
Chain structure.
Miners in RepuCoin and the Bitcoin-NG system solve bitcoin-like puzzles to create keyblocks. The puzzle is defined as follows:
$H(\mathit{prev\_keyblock\_hash} \,\|\, \mathit{Nonce} \,\|\, PK) < \mathit{target}$,
where $H(\cdot)$ is a cryptographically secure hash function, $\mathit{prev\_keyblock\_hash}$ is the hash value of the previous keyblock, $PK$ is the miner’s public key and $\mathit{target}$ is a target value defined by the system.
Figure 5: The calculation of hash root
In such systems, there is no transaction data contained in keyblocks and the microblocks do not contribute to the weight of the chain. To increase the weights of microblocks, we design a new chain structure given in Figure 6. The inputs of mining keyblocks include not only the hash of the last keyblock, but also the hash of the last microblock appended to the penultimate keyblock. Thus, we redefine the mining strategy as follows:
$H(\mathit{prev\_keyblock\_hash} \,\|\, \mathit{penu\_microblock\_hash} \,\|\, \mathit{Nonce} \,\|\, PK) < \mathit{target}$,
where $\mathit{penu\_microblock\_hash}$ is the hash value of the last microblock of the penultimate keyblock.
We call a round r the process in which a keyblock and the corresponding microblocks are generated. In each round, keyblocks are the sorting index of the following microblocks, which means the microblocks are mined in the order of the register transactions packed in the keyblocks. When sending medical or label transactions, patients should append the round number to transactions to shard them in the consensus group.
Figure 6: The chain structure in SPChain. From the blue arrow we can see that the input of the keyblock i is coming from two parts, the hash value of the microblock M i − and the hash value of the keyblock i − 1. The genesis part is set by the system management.
To mitigate the fork problem, we use the pinned blocks mentioned in RepuCoin. A pinned keyblock is a keyblock that is agreed upon and signed by the consensus group. A pinned keyblock is final and canonical, and all keyblocks that conflict with a pinned keyblock are considered invalid. Based on this definition, we also define the pinned transactions. Each time transactions are generated by patients, the medical institutions collect the transactions sent to themselves, and propose them to the consensus group. The group verifies the received transactions and signs the valid transactions. Then the medical institutions append the pinned transactions to the corresponding microblocks. Figure 7 details the formats of a pinned keyblock and pinned transaction.
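The redefined puzzle in the chain structure above can be checked end to end. This is an added example, not code from the paper: it mines four rounds under H(prev_keyblock_hash || penu_microblock_hash || Nonce || PK) < target and shows that a validator which recomputes penu_microblock_hash rejects a chain whose older microblocks were altered, while a validator that checks only the keyblock-to-keyblock link does not notice. Assumptions: "penultimate keyblock" is read as keyblock i − 2 when keyblock i is mined, microblocks within a round are hash-chained from their keyblock with SHA-256, and the target, genesis value, key and payloads are constructed.

```python
import hashlib

TARGET = 1 << 244        # constructed difficulty: digest needs 12 leading zero bits
GENESIS = b"\x00" * 32   # stand-in for the genesis inputs set by system management


def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so the '||' concatenation is unambiguous."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()


def keyblock_hash(kb: dict) -> bytes:
    """H(prev_keyblock_hash || penu_microblock_hash || Nonce || PK)."""
    return h(kb["prev_keyblock_hash"], kb["penu_microblock_hash"],
             kb["nonce"].to_bytes(8, "big"), kb["pk"])


def meets_target(kb: dict) -> bool:
    return int.from_bytes(keyblock_hash(kb), "big") < TARGET


def last_microblock_hash(rnd: dict) -> bytes:
    """Hash of the last microblock of a round; it commits to every microblock before it."""
    cur = keyblock_hash(rnd["keyblock"])
    for payload in rnd["microblocks"]:
        cur = h(cur, payload)
    return cur


def expected_inputs(chain: list, i: int):
    """Puzzle inputs that keyblock i must carry, recomputed from the chain itself."""
    prev_kb = keyblock_hash(chain[i - 1]["keyblock"]) if i >= 1 else GENESIS
    penu_mb = last_microblock_hash(chain[i - 2]) if i >= 2 else GENESIS
    return prev_kb, penu_mb


def mine_round(chain: list, pk: bytes, payloads: list) -> None:
    """Mine the next keyblock by nonce search, then attach the round's microblocks."""
    prev_kb, penu_mb = expected_inputs(chain, len(chain))
    kb = {"prev_keyblock_hash": prev_kb, "penu_microblock_hash": penu_mb,
          "nonce": 0, "pk": pk}
    while not meets_target(kb):
        kb["nonce"] += 1
    chain.append({"keyblock": kb, "microblocks": list(payloads)})


def first_invalid_keyblock(chain: list, bind_microblocks: bool = True):
    """Index of the first keyblock that fails validation, or None if all pass.

    bind_microblocks=False models a validator that follows only the
    keyblock-to-keyblock link and never recomputes the microblock input.
    """
    for i, rnd in enumerate(chain):
        kb = rnd["keyblock"]
        prev_kb, penu_mb = expected_inputs(chain, i)
        if kb["prev_keyblock_hash"] != prev_kb:
            return i
        if bind_microblocks and kb["penu_microblock_hash"] != penu_mb:
            return i
        if not meets_target(kb):
            return i
    return None


def build_demo_chain() -> list:
    chain = []
    for r in range(4):
        mine_round(chain, b"constructed-miner-pk",
                   [b"round %d tx A" % r, b"round %d tx B" % r])
    return chain


if __name__ == "__main__":
    demo = build_demo_chain()
    print("untouched chain:", first_invalid_keyblock(demo))
    demo[1]["microblocks"][0] = b"altered record"
    print("after altering round 1:", first_invalid_keyblock(demo))
    print("keyblock-link-only validator:", first_invalid_keyblock(demo, False))
```

Under this reading, a microblock is only covered by proof-of-work once the keyblock two rounds later has been mined, so the most recent two rounds rely on the pinned-transaction signatures alone.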
Figure 7: The formats of a pinned keyblock and a pinned transaction
5.2. Consensus Mechanism and Reward System
Consensus mechanism.
We combine proof-of-work with a Byzantine agreement protocol to form the consensus mechanism. Medical institutions create keyblocks and validate transactions to gain a reputation score, which decides whether the medical institutions can join the consensus group. We choose the X miners with the top reputations to constitute the consensus members. RepuCoin gives a method to calculate the reputation score R by evaluating the frequency of miners creating keyblocks and microblocks. In our system, we propose another method to calculate the reputation score R. In our reputation algorithm, we assess the number of patients and The notations are defined in Table 1 and R is calculated in Algorithm 1. The final reputation score of a medical institution is defined as $R = (R + R)$.
Table 1: The notations of reputation calculating
Symbol | Description
$L$ | the length of the current blockchain;
$c$ | the size of a block chunk, i.e., the number of keyblocks contained in a chunk, pre-defined by the system;
$l$ | $l = \lceil L/c \rceil$ is the number of keyblocks contained in a blockchain with length $L$;
$N$ | the total number of the current microblocks;
$T$ | total transactions in blockchain;
$T_{ML_i}$ | the number of medical transactions and label transactions whose recipient is the miner in chunk $i$;
$T_{R_i}$ | the number of register transactions whose recipient is the miner in chunk $i$;
$H$ | a binary value representing whether the miner is honest ("1") or not ("0");
$mean_i$ | the mean value of medical transactions and label transactions (if $i = T_{ML}$) or register transactions (if $i = T_R$) created by a miner or a leader across all epochs in the blockchain, respectively;
$s_i$ | the standard deviation corresponding to $mean_i$, for $i \in \{T_{ML}, T_R\}$;
$R$ | reputation score defined in RepuCoin;
$(a, \lambda)$ | reputation system parameters.
Algorithm 1 The reputation algorithm
Input: $L, c, l, T_{R_i}, T_{ML_i}, R, a$ and $\lambda$
Output: The miners’ reputation $R \in [0,$
$mean_{T_R} = \frac{\sum_{i=1}^{l} T_{R_i}}{N}$
$mean_{T_{ML}} = \frac{\sum_{i=1}^{l} T_{ML_i}}{T}$
$s_{T_R} = \sqrt{l \cdot \sum_{i=1}^{l} \left( T_{Rc} - \frac{\sum_{i=1}^{l} T_{R_i}}{N} \right)}$
$s_{T_{ML}} = \sqrt{l \cdot \sum_{i=1}^{l} \left( T_{MLc} - \frac{\sum_{i=1}^{l} T_{ML_i}}{T} \right)}$
$q = \frac{mean_{T_R}}{s_{T_R}}$
$q = \frac{mean_{T_{ML}}}{s_{T_{ML}}}$
$x = q \cdot q \cdot L$
$f(x) = \left(1 + \frac{x - a}{\lambda + |x - a|}\right)$
$R = \min(1, H \cdot f(x))$
$R = (R + R)$
Reward system.
In SPChain there are two types of rewards, transaction fees and mining rewards. Medical institutions can define a fixed amount for each type of transaction. After mining a pinned keyblock successfully, the miner gets a reward containing the predefined mining rewards and the register transaction fees in the keyblock. As with keyblock rewards, microblock rewards also contain mining rewards and transaction fees, which are shared among the reputable miners who create the microblocks and verify the transactions.
By utilizing the transactions, blocks, chain structure and consensus mechanism given above, we propose the blockchain-based medical data sharing and privacy-preserving system, which we call SPChain. Figure 8 details the orchestration of SPChain. The system consists of the following algorithms: Setup, Register, Upload, Label and Share.
Setup.
This algorithm takes public parameters as inputs, and outputs a symmetric encryption key $K$, a bitcoin public-private key pair $(PK, SK)$ and an address $address_{PK}$ for patients and medical institutions. In addition, the algorithm also initializes the SNARKs-based chameleon hash function parameters for medical institutions.
• Patients: $K \leftarrow AES(seed)$, $\{(PK, SK) \,\|\, address_{PK}\} \leftarrow Bitcoin(rand)$.
• Medical institutions: $K \leftarrow AES(seed)$, $\{(PK, SK) \,\|\, address_{PK}\} \leftarrow Bitcoin(rand)$, $\{hk = (h, \hat{h}, h, crs), tk = (x)\} \leftarrow \mathsf{HGen}(1^{\lambda})$.
Figure 8: The orchestration of SPChain
Register.
In this algorithm, patients send register transactions to the medical institutions to register in our system.
(1) Patient $\tilde{i}$ sends register transaction $T_R$ to medical institution $\tilde{C}$. The transaction contains the proper register fees for $\tilde{C}$.
(2) Medical institutions (miners) collect register transactions and pack them into keyblocks. Then the medical institutions propose keyblocks to the consensus group.
(3) The consensus group verifies the validity of the keyblocks, and runs the Byzantine agreement protocol to decide which keyblock is the final pinned keyblock (if multiple conflicting keyblocks are proposed). Then the reputable miner is selected to commit microblocks according to the register transactions in the keyblock.
Upload.
The serial number (4)-(6) given in Figure ?? illustrate the process ofa patient uploading the medical records. There are three cases in this algorithm,patient ˜ j is diagnosed in medical institution ˜ A for the first time; patient ˜ j updates EMRs in the same medical institution ˜ A ; or patient ˜ j is diagnosed inanother department of medical institution ˜ B . We describe the three cases indetail in Figure 9. Figure 9: The three cases in
Upload
Case 1: Patient ˜ j is diagnosed in medical institution ˜ A for the first time.(4 (cid:48) ) Patient ˜ j registers in the system and is diagnosed in medical institution20 . Then A generates EMR for ˜ j and the EMR is successively encrypted in thefollowing formulas, E K ˜ j ( EM R ) K ˜ j ←−− EM R , CH ( E K ˜ A ( E K ˜ j ( EM R )) K ˜ A ←−− E K ˜ j ( EM R ),( CH ( E K ˜ A ( E K ˜ j ( EM R )) || π ) h , ˆ h ,h ,crs ←−−−−−−−− E K ˜ A ( E K ˜ j ( EM R )).After that, the patients ˜ j generates transaction T M ˜ j and send it to themedical institution ˜ A . Note that the ciphertext E K ˜ A ( E K ˜ j ( EM R ) is stored inthe database of medical institution ˜ A .(5 (cid:48) ) The consensus group classifies these transactions in several rounds ac-cording to the round numbers, and verifies the transactions proportionally ac-cording to the reputation score.(6 (cid:48) ) The consensus group verifies the validity of the transactions and signs tothem. To become pinned transactions, the transactions should not only get two-thirds of signatures, but also get more than two-thirds of the reputation. Herewe can use aggregate signature to reduce the cost. Then the medical institution˜ A appends the pinned transaction to the microblock P ˜ j .Case 2: Patient ˜ j updates EMRs in the same medical institution ˜ A .In this case, patient ˜ j goes to the medical institution ˜ A for treatment againand updates the EM R s on the basis of Case 1.(4 (cid:48)(cid:48) ) ˜ A generates EM R ∗ for ˜ j and invoke algorithms in U pload to get E K ˜ A ( E K ˜ j ( EM R ∗ )), CH ( E K ˜ A ( E K ˜ j ( EM R ∗ ))) and π ∗ .(5 (cid:48)(cid:48) ) Patient ˜ j generates transaction T ∗ M ˜ j and sends it to medical institution˜ A . Then the consensus group validates T ∗ M ˜ j and signs it.(6 (cid:48)(cid:48) ) After the transaction T ∗ M ˜ j is pinned, medical institution ˜ A appends thetransaction to the microblock P ˜ j .Case 3: Patient ˜ j is diagnosed in another department of medical institution˜ B . 
(4‴) $\tilde{B}$ generates $EMR'$ for $\tilde{j}$ and invokes the algorithms in Upload to get $E_{K_{\tilde{B}}}(E_{K_{\tilde{j}}}(EMR'))$, $CH(E_{K_{\tilde{B}}}(E_{K_{\tilde{j}}}(EMR')))$ and $\pi'$.

(5‴) Patient $\tilde{j}$ generates transaction $T'_{M_{\tilde{j}}}$ and sends it to medical institution $\tilde{B}$. Then the consensus group validates $T'_{M_{\tilde{j}}}$ and signs it.

(6‴) After the transaction $T'_{M_{\tilde{j}}}$ is pinned, medical institution $\tilde{B}$ appends the transaction to the microblock $P_{\tilde{j}}$.

Label.
In this algorithm, patient $\tilde{j}$ labels the wrong EMRs in the case of misdiagnosis.

(7) In this case, the transaction which contains the wrong EMR should be labeled by a label transaction. $\tilde{B}$ generates the correct $EMR''$ for $\tilde{j}$ and invokes the algorithms in Upload to get $E_{K_{\tilde{B}}}(E_{K_{\tilde{j}}}(EMR''))$, $CH(E_{K_{\tilde{B}}}(E_{K_{\tilde{j}}}(EMR'')))$ and $\pi''$.

(8) Patient $\tilde{j}$ generates transaction $T_{L_{\tilde{j}}}$ and sends it to medical institution $\tilde{B}$. Then the consensus group validates $T_{L_{\tilde{j}}}$ and signs it.

(9) Finally, the pinned transaction $T_{L_{\tilde{j}}}$ labels the wrong transaction in microblock $P_{\tilde{j}}$, and patients can verify the new transaction through the new proof $\pi''$.

Share.
This algorithm is illustrated as follows:

(10) Patient $\tilde{j}$ wants to go to medical institution $\tilde{D}$ for diagnosis. $\tilde{j}$ can access the corresponding transaction records he/she wants to share with $\tilde{D}$, e.g., $\tilde{j}$ wants to share his/her medical records of medical institution $\tilde{A}$ with $\tilde{D}$ to get a better diagnosis. $\tilde{j}$ asks $\tilde{A}$ to decrypt the ciphertext with the key $K_{\tilde{A}}$. Then $\tilde{j}$ decrypts the result with $K_{\tilde{j}}$ and obtains the EMR. Thus $\tilde{j}$ can obtain the entire history of diagnosis.
6. Evaluation and security analysis.
In this section, we first evaluate the performance of SPChain, then we discuss whether SPChain can fulfill the requirements and prevent attacks proposed in Section 4.

We evaluate the performance of SPChain in terms of throughput. We test our system on a computer with Windows 10, an Intel(R) Core(TM) i5-6500 CPU, and 16 GB of DDR4 RAM.

Figure 10: The throughput of SPChain (keyblocks)
Throughput.
In this part we analyze the maximum throughput of our system. We assume the consensus group controls 90% of the computing power. Since keyblocks in SPChain contain register transactions, we analyze the throughput in terms of both keyblocks and microblocks. From Figure 10 we can see that the keyblock throughput is similar to that of bitcoin systems, since they are under the same mining strategy. When the block size is fixed to 4MB, the system has higher throughput than with 1MB and 2MB. As for microblocks, our results in Figure 11 show that when the block size is fixed, throughput decreases gradually as the number of consensus nodes increases. For example, with the block size 1MB, the throughput decreases from 145 TPS to 116 TPS. Besides, from Figure 11 we can see that when the block size is fixed to 2MB, the system has higher throughput than with 1MB and 4MB. In particular, when the consensus group consists of 4 nodes, the throughput can reach 218 TPS.
Reputation score and consensus time.
We simulate the reputation scores of medical institutions by choosing the top 15 mining pools given in [20]. We set the parameters $a = 5000$ and $\lambda = 20000$. Figure 12 describes the distribution of miners with different reputation scores over time. With the operation of SPChain, the reputation scores of miners increase gradually, and the higher the computing power a miner holds, the higher the reputation score it receives.

Figure 11: The throughput of SPChain (microblocks)

We now compare the performance of our system with other blockchain-based eHealth systems. From Table 2 we can see that BBDS, MeDshare and MedRec cannot label wrong EMRs in the case of misdiagnosis. These systems are also vulnerable to underlying blockchain attacks such as flash attacks and selfish mining attacks. From the table we can conclude that SPChain can resist underlying blockchain attacks while achieving medical data sharing and privacy preservation.

In this section, we first discuss whether SPChain can fulfill the requirements proposed in Section 4.2. Then we describe in detail how SPChain prevents the attacks proposed in Section 4.3.

Figure 12: The throughput of SPChain (keyblocks)

Table 2: Comparison between existing blockchain-based eHealth systems and SPChain
| Scheme | Share | Privacy | Label wrong records | Flash attacks | Selfish mining attacks |
|---|---|---|---|---|---|
| BBDS | ✓ | ✓ | × | × | × |
| MeDshare | ✓ | ✓ | × | × | × |
| MedRec | ✓ | × | × | × | × |
| SPChain | ✓ | ✓ | ✓ | ✓ | ✓ |
SPChain focuses primarily on four properties: confidentiality, privacy, modification, correctness and integrity.
Confidentiality and privacy.
SPChain guarantees the confidentiality of patients' EMRs. Note that the EMRs are encrypted sequentially by the patients and medical institutions with their symmetric keys, and the inputs of the chameleon hash function are the ciphertexts of the EMRs. In this circumstance, the medical institution which generates the EMRs cannot share the records with other medical institutions, since they do not have the symmetric keys of the patients. When verifying the accuracy of the chameleon hash value, the verifier receives the ciphertext of the EMRs, which does not leak the privacy of patients either. So we claim that SPChain guarantees the confidentiality of the EMRs and preserves the privacy of patients.
Label and correctness.
SPChain permits medical institutions to label wrong EMRs and allows patients to verify the correctness of the modified records. In the case of misdiagnosis, patients can ask authorized medical institutions to label the wrong EMRs with the label transaction and to generate the correct EMRs corresponding to the label transaction. With the proof $\pi$, patients can invoke HVerify to check whether the modification is correct.
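A chameleon hash lets whoever holds the trapdoor replace the hashed message while keeping the digest, which is why a corrected record is checked against the proof $\pi$ and not against the digest alone. The added example below is not the paper's code: it uses a classic discrete-log chameleon hash in the style of [26] in place of SPChain's SNARKs-based construction, and the toy group parameters, function names and sample records are constructed for the illustration.

```python
import hashlib
import secrets

# Toy group, constructed for this example and far too small for real use:
# P = 2Q + 1 with P and Q prime; G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4


def digest(record: bytes) -> int:
    """Map an (encrypted) record to an exponent modulo Q."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big") % Q


def keygen():
    """Return (trapdoor x, public hash key G^x mod P)."""
    x = secrets.randbelow(Q - 1) + 1          # x in 1..Q-1, so x is invertible mod Q
    return x, pow(G, x, P)


def ch_hash(hk: int, record: bytes, r: int) -> int:
    """CH(m, r) = G^m * hk^r mod P, computable by anyone who knows hk."""
    return pow(G, digest(record), P) * pow(hk, r, P) % P


def collide(x: int, old: bytes, r: int, new: bytes) -> int:
    """With trapdoor x, find r' such that CH(new, r') == CH(old, r).

    m + x*r = m' + x*r' (mod Q)  =>  r' = r + (m - m') * x^-1 (mod Q)
    """
    return (r + (digest(old) - digest(new)) * pow(x, -1, Q)) % Q


def demo():
    x, hk = keygen()
    old = b"ciphertext of misdiagnosed EMR (constructed sample)"
    new = b"ciphertext of corrected EMR (constructed sample)"
    r = secrets.randbelow(Q)
    r_new = collide(x, old, r, new)
    # Both digests are equal, so the on-chain hash value does not change.
    return ch_hash(hk, old, r), ch_hash(hk, new, r_new)
```

Because the two digests are identical, a verifier comparing only the stored hash value cannot tell the original record from the replacement.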
Integrity.
SPChain provides an integrity guarantee for patients' EMRs. The medical institutions that hold the trapdoor $x$ can tamper with the contents of the EMRs without changing the corresponding chameleon hash value. But with the proof $\pi$, the patients can verify the correctness and integrity of the EMRs. Thus any modifications to the EMRs can be detected by the patients, so we conclude that SPChain guarantees the integrity of the EMRs.

This section discusses defences against the attacks mentioned in Section 4.3.
51% attacks and flash attacks.
SPChain is resilient to flash attacks. Although an attacker can gain a temporary majority of computing power, the attacker also needs a very long period of time to gain the reputation needed to harm the system. According to RepuCoin, an attacker that joins after 1.5 years of system operation would need to have more than 90% of the system's computing power for 6 months to successfully attack the system. And even if the attacker successfully attacks the system, he/she will lose all the reputation he/she has gained since he/she joined the system.
Selfish mining attacks (block withholding attacks).
SPChain pins each keyblock, and the pinned keyblocks cannot be rolled back. Every newly created keyblock is chained behind the pinned keyblocks. So if an attacker publishes a keyblock which conflicts with the pinned keyblock, he/she cannot gain an advantage in rewards over the honest miners, because the keyblock he/she publishes would not be admitted by the system. When mining a new keyblock, the miners need to take the hash value of the previous keyblock and the last microblock of the penultimate keyblock as inputs. Since there is no conflict when generating microblocks, we do not need to consider microblock withholding attacks. In summary, SPChain can resist selfish mining attacks.
Reputation fraud attacks.
A malicious medical institution controls a group of "zombie" patients to generate fake transactions to cheat the system. In this way, the malicious medical institution can gain extra reputation. In SPChain, we stipulate that every transaction contains a fixed service fee and transaction fee. This stipulation can increase the cost of reputation fraud attacks. If necessary, we advise that patients register with their ID cards.
Inhibition attacks.
A medical institution in the consensus group may intentionally ignore the transactions of other medical institutions. In this case, the consensus group always verifies its own transactions first, which can increase its reputation in an unfair way. We stipulate that the transactions of medical institutions are verified proportionally according to the reputation. We list the notations used in reputation calculation in Table 3 and detail the transaction processing algorithm that resists inhibition attacks in Algorithm 2.
Table 3: The notations of reputation calculating
| Symbol | Description |
|---|---|
| $m_i$ | the i-th medical institution |
| $T_i$ | the transaction set of $m_i$ |
| $G$ | the consensus group |
| $n$ | the total number of the medical institutions |
| $R_i$ | the reputation score of $m_i$ |
| $\Delta$ | the time interval |
| $k$ | a nonce |
| $T_m$ | the maximum number of transactions processed by consensus group at a time |

Algorithm 2 Transaction processing algorithm
Input: $m_i$, $R_i$, $T_i$, $k$, $p = \sum_{i=1}^{k} |T_i|$, $P = \sum_{i=1}^{k} T_i$, $\Delta$ and $G$.
Output: The pinned transaction set $T$.
$m_i$ sends $T_i$ within $\Delta$ to $G$
$G$ collects $T_i$ and forms a table $B = [T_1, \ldots, T_n]$
$G$ selects $t_i \in T_i$ according to reputation ranking, where $t_i = 10 \lfloor R_i \rfloor$
Case 1: $k \le N$
    $G$ picks $T_i$ from $B$ until $p = \sum_{i=1}^{k} |T_i|$
Case 2: $k > N$
    $G$ picks transactions from the beginning medical institution until $p = \sum_{i=1}^{k} |T_i|$
$P$ is the final verified set $T$
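An added sketch, not the paper's code, of the two consensus-group rules this section relies on: verifying transactions in proportion to reputation (the idea behind Algorithm 2) and the pinning threshold of step (6′) in Upload. The floor-and-redistribute allocation, the names `allocate`, `is_pinned` and `run_round`, and all sample reputations and queues are assumptions made for the example; `capacity` plays the role of $T_m$.

```python
def allocate(queues, reputation, capacity):
    """Split `capacity` verification slots across institutions in proportion
    to reputation, never granting more slots than an institution has queued."""
    quota = {m: 0 for m in queues}
    active = {m for m in queues if queues[m]}
    left = capacity
    while left > 0 and active:
        total = sum(reputation[m] for m in active)
        share = {m: left * reputation[m] / total for m in active}
        grant = {m: min(int(share[m]), len(queues[m]) - quota[m]) for m in active}
        if not any(grant.values()):
            # No whole share left: hand out single slots, largest share first.
            for m in sorted(active, key=lambda m: (-share[m], m))[:left]:
                grant[m] = 1
        for m, g in grant.items():
            quota[m] += g
            left -= g
        # Institutions with an empty queue drop out; their share is redistributed.
        active = {m for m in active if quota[m] < len(queues[m])}
    return quota


def is_pinned(signers, group):
    """Step (6'): at least two-thirds of the group's signatures AND more than
    two-thirds of the group's total reputation."""
    signers = set(signers) & set(group)            # ignore non-members
    signed_rep = sum(group[m] for m in signers)
    return (3 * len(signers) >= 2 * len(group)
            and 3 * signed_rep > 2 * sum(group.values()))


# Constructed sample round: institution A floods the queue with its own transactions.
REPUTATION = {"A": 50, "B": 30, "C": 20}
QUEUES = {"A": [f"A-tx{i}" for i in range(40)],
          "B": [f"B-tx{i}" for i in range(10)],
          "C": [f"C-tx{i}" for i in range(2)]}
# Constructed consensus group: member -> reputation score.
GROUP = {"g1": 40, "g2": 25, "g3": 15, "g4": 8, "g5": 6, "g6": 6}


def run_round(capacity=20):
    """Return the per-institution quota and the batch the group would verify."""
    quota = allocate(QUEUES, REPUTATION, capacity)
    batch = [tx for m in sorted(quota) for tx in QUEUES[m][:quota[m]]]
    return quota, batch
```

If A's own transactions were verified first, all 20 slots of the sample round would go to A; the proportional split leaves B and C their share. The pinning check shows that neither many low-reputation signers nor a few high-reputation signers are enough on their own.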
7. Conclusion and future work
In this paper, we consider misdiagnosis and data sharing in medical scenarios. Based on RepuCoin and the SNARKs-based chameleon hash function, we have proposed a medical data sharing and privacy-preserving system. In our system, patients can share their EMRs among different medical institutions in a privacy-preserving way. Besides, in the case of misdiagnosis, patients can ask the authorized medical institutions to amend the wrong records. We design a reputation-based consensus mechanism and reward system to guarantee that SPChain can resist underlying blockchain attacks. We have conducted a comprehensive performance and security analysis of our system, which proves that SPChain is practical and efficient in terms of throughput.

For future work, we intend to reduce the patients' communication overhead and to further improve the throughput of our system.

References

[1] U. R. Acharya, S. Bhat, J. E. Koh, S. V. Bhandary, H. Adeli, A novel algorithm to detect glaucoma risk using texton and local configuration pattern features extracted from fundus images, Computers in biology and medicine 88 (2017) 72–83.
[2] C. Sridhar, S. Bhat, U. R. Acharya, H. Adeli, G. M. Bairy, Diagnosis of attention deficit hyperactivity disorder using imaging and signal processing techniques, Computers in biology and medicine 88 (2017) 93–99.
[3] T. J. Hirschauer, H. Adeli, J. A. Buford, Computer-aided diagnosis of parkinsons disease using enhanced probabilistic neural network, Journal of medical systems 39 (11) (2015) 179.
[4] H. Yuan, X. Chen, J. Li, T. Jiang, J. Wang, R. Deng, Secure cloud data deduplication with efficient re-encryption, IEEE Transactions on Services Computing (2019) 1–1. doi:10.1109/TSC.2019.2948007.
[5] K. Caine, R. Hanania, Patients want granular privacy control over health information in electronic medical records, Journal of the American Medical Informatics Association 20 (1) (2012) 7–15.
[6] S. Kumar, K. Aldrich, Overcoming barriers to electronic medical record (emr) implementation in the us healthcare system: A comparative study, Health informatics journal 16 (4) (2010) 306–318.
[7] Y. Liu, G. Liu, C. Cheng, Z. Xia, J. Shen, A privacy-preserving health data aggregation scheme, KSII Transactions on Internet and Information Systems (TIIS) 10 (8) (2016) 3852–3864.
[8] S. Nakamoto, Bitcoin: A peer-to-peer electronic cash system, Tech. rep., Manubot (2019).
[9] G. Wood, et al., Ethereum: A secure decentralised generalised transaction ledger, Ethereum project yellow paper 151 (2014) (2014) 1–32.
[10] C. Sullivan, E. Burger, E-residency and blockchain, Computer Law & Security Review 33 (4) (2017) 470–481.
[11] A. Azaria, A. Ekblaw, T. Vieira, A. Lippman, Medrec: Using blockchain for medical data access and permission management, in: 2016 2nd International Conference on Open and Big Data (OBD), IEEE, 2016, pp. 25–30.
[12] Q. Xia, E. B. Sifah, K. O. Asamoah, J. Gao, X. Du, M. Guizani, Medshare: Trust-less medical data sharing among cloud service providers via blockchain, IEEE Access 5 (2017) 14757–14767.
[13] Q. Xia, E. B. Sifah, A. Smahi, S. Amofa, X. Zhang, Bbds: Blockchain-based data sharing for electronic medical records in cloud environments, Information 8 (2) (2017) 44.
[14] M. I. Mehar, C. L. Shier, A. Giambattista, E. Gong, G. Fletcher, R. Sanayhie, H. M. Kim, M. Laskowski, Understanding a revolutionary and flawed grand experiment in blockchain: the dao attack, Journal of Cases on Information Technology (JCIT) 21 (1) (2019) 19–32.
[15] D. Gerard, Attack of the 50 foot blockchain: Bitcoin, blockchain, Ethereum & smart contracts, David Gerard, 2017.
[16] G. Destefanis, M. Marchesi, M. Ortu, R. Tonelli, A. Bracciali, R. Hierons, Smart contracts vulnerabilities: a call for blockchain software engineering?, in: 2018 International Workshop on Blockchain Oriented Software Engineering (IWBOSE), IEEE, 2018, pp. 19–25.
[17] I. Eyal, E. G. Sirer, Majority is not enough: Bitcoin mining is vulnerable, in: International conference on financial cryptography and data security, Springer, 2014, pp. 436–454.
[18] A. Sapirshtein, Y. Sompolinsky, A. Zohar, Optimal selfish mining strategies in bitcoin, in: International Conference on Financial Cryptography and Data Security, Springer, 2016, pp. 515–532.
[19] T.-T. Kuo, H.-E. Kim, L. Ohno-Machado, Blockchain distributed ledger technologies for biomedical and health care applications, Journal of the American Medical Informatics Association 24 (6) (2017) 1211–1220.
[20] J. Yu, D. Kozhaya, J. Decouchant, P. Esteves-Verissimo, Repucoin: Your reputation is your power, IEEE Transactions on Computers 68 (8) (2019) 1225–1237.
[21] M. Khalili, M. Dakhilalian, W. Susilo, Efficient chameleon hash functions in the enhanced collision resistant model, Information Sciences 510 (2020) 155–164.
[22] S. Cao, G. Zhang, P. Liu, X. Zhang, F. Neri, Cloud-assisted secure ehealth systems for tamper-proofing ehr via blockchain, Information Sciences 485 (2019) 427–440.
[23] C. Natoli, V. Gramoli, The balance attack or why forkable blockchains are ill-suited for consortium, in: 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), IEEE, 2017, pp. 579–590.
[24] J. Bonneau, E. W. Felten, S. Goldfeder, J. A. Kroll, A. Narayanan, Why buy when you can rent? bribery attacks on bitcoin consensus.
[25] P. Zhang, J. White, D. C. Schmidt, G. Lenz, S. T. Rosenbloom, Fhirchain: applying blockchain to securely and scalably share clinical data, Computational and structural biotechnology journal 16 (2018) 267–278.
[26] H. Krawczyk, T. Rabin, Chameleon hashing and signatures.
[27] G. Ateniese, B. De Medeiros, On the key exposure problem in chameleon hashes, in: International Conference on Security in Communication Networks, Springer, 2004, pp. 165–179.
[28] X. Chen, F. Zhang, W. Susilo, H. Tian, J. Li, K. Kim, Identity-based chameleon hash scheme without key exposure, in: Australasian Conference on Information Security and Privacy, Springer, 2010, pp. 200–215.
[29] G. Ateniese, B. De Medeiros, Identity-based chameleon hash and applications, in: International Conference on Financial Cryptography, Springer, 2004, pp. 164–180.
[30] G. Ateniese, B. Magri, D. Venturi, E. Andrade, Redactable blockchain–or–rewriting history in bitcoin and friends, in: 2017 IEEE European Symposium on Security and Privacy (EuroS&P), IEEE, 2017, pp. 111–126.
[31] I. Eyal, A. E. Gencer, E. G. Sirer, R. Van Renesse, Bitcoin-ng: A scalable blockchain protocol, in: 13th USENIX symposium on networked systems design and implementation (NSDI