A Blockchain-Based Personal Health Record Sharing Scheme with Security and Privacy Preservation

Abstract

Personal health records (PHRs) have significant value for health management, accurate diagnosis, and disease research. However, PHR sharing may raise owners’ concerns about security deficiency and privacy leakage. The current mainstream PHR sharing models rely on centralized systems with risks including data loss and tampering, unauthorized access, etc. Fortunately, blockchain possesses outstanding features such as decentralization, tamper-proof, and traceability, which endow it with great potential to solve sensitive data sharing issues. Based on this, we propose a blockchain-based PHR sharing scheme with security and privacy preservation. It utilizes a secure distributed storage system based on InterPlanetary File System (IPFS) and blockchain to avoid data tampering and single points of failure. We also design a decentralized attribute-based access control (ABAC) mechanism to achieve fine-grained controllable PHR sharing. In addition, the blockchain-based proxy re-encryption method can protect the confidentiality of PHR and prevent privacy leakage. Security analysis shows that our scheme achieves the expected security goals. Besides, we evaluated the proposed scheme on Hyperledger Fabric, and the results demonstrate that the scheme is feasible and efficient.

Appendix

Our security model of indistinguishability under chosen ciphertext attacks (IND-CCA) is the same as [32]. We define a series of challenge games to prove the security of the BPRE under this security model. In the following games, each one differs slightly from the previous one. The behavior of the random oracle will be simulated by challenger C. Adversary \(\mathcal A\) needs to guess \(b \in \{0,1\}\) corresponding to the ciphertext \(C_{m_b}\) in each game. Therefore, we define the advantage of adversary \(\mathcal A\) as: \(Ad{{v}_{\mathcal A}}\text {=}\left| Pr\left[ {b}'=b \right] -\frac{1}{2} \right| \).

Game 0: In this game, challenger C first generates the public parameters \(pp=\{q,p,l, E, P, G,H_1,H_2,H_3\}\). Adversary \(\mathcal A\) can query for any process of KeyGen, ReKeyGen, and Decrypt, and challenger C will provide the corresponding correct output. \(\mathcal A\) can obtain key pair \((sk_i,pk_i)\), decryption parameter d, re-encryption key \(rk_{i \rightarrow j}\) and data ciphertext \(C_i\). According to this information, the advantage that he wins this game is: \(Adv_{\mathcal A}^{{{G}_{0}}}=Ad{{v}_{\mathcal A}}\).

Game 1: Challenger C plays the game with Game 0, except for the following content. When adversary \(\mathcal A\) inputs x to query \(H_i\text { }(i=1,2,3)\), C looks up the hash list for a matching y and returns it if found. Otherwise, C picks a random number y, and sets \({{H}_{i}}\left( x \right) =y\). When the challenger C receives the challenge of \(\mathcal A\), if \(\mathcal A\) inquires about \(H_1\) with any input, C terminates the game. Otherwise, C returns the decrypted result. Since the hash function is a random process, Game 1 and Game 0 are indistinguishable based on the randomness of the hash functions. The advantage that adversary \(\mathcal A\) wins this game is: \(Adv_{\mathcal A}^{{{G}_{1}}}=Adv_{\mathcal A}^{{{G}_{0}}}\).

Game 2: Challenger C plays the game with Game 1, except there is a difference when calling Decrypt. When the input is (\(C_{m_b}, d'\)), and \(d'\) is a fake decryption parameter, if \(\mathcal A\) does not inquire about \(H_1\) with \(d'\), C terminates the game. Since the decryption algorithm is deterministic and \(H_1\) is a random process, the success of \(\mathcal A\) means that he has cracked the hash function. Therefore, the advantage that \(\mathcal A\) wins this game is: \(Adv_{\mathcal A}^{{{G}_{2}}}=Adv_{\mathcal A}^{{{G}_{0}}}\).

Game 3: Challenger C plays the game with Game 2, except there is a difference when calling ReKeyGen and ReEnc. In calling ReKeyGen, the input is \(d'\). Challenger C queries the key list according to the input, and if the re-encryption key exists, returns it to adversary \(\mathcal A\). If it does not exist, C generates the corresponding \(rk'_{i \rightarrow j}\) for \(\mathcal A\). Then, C checks whether the user’s private key is leaked, and if so, terminates the game. In calling ReEnc, the input is (\(C_i, rk'_{i \rightarrow j}\)). C checks the key list, if \(rk'_{i \rightarrow j}\) does not exist in the key list, terminate the game. In addition, if \(\mathcal A\)’s public key \(pk_i\) is illegally generated, C terminates the game. Considering that both ReKeyGen and ReEnc algorithms are deterministic, The difference between Game3 and Game2 is the possibility of cracking d. Based on the ECCDHP assumption, the advantage of \(\mathcal A\) satisfies \(\left| Adv_{\mathcal A}^{{{G}_{3}}}-Adv_{\mathcal A}^{{{G}_{2}}} \right| \le Adv_{\mathcal A}^{ECCDH}\).

Game 4: Challenger C plays the game with Game 3, except for the following content. After receiving the challenge \(\{ m_0, m_1 \}\) from \(\mathcal A\), C computes the ciphertext \(C_{m_b} = (C_1, C_2, C_3, C_4)\), \(C_1 = rP\), \(C_2 = m_b \oplus t = m_b \oplus rpk_{C}^{enc}\), \(C_3 = H_2 \left( {{m}_{b}}\left\| t \right. \right. )\), \({{C}_{4}}={{H}_{3}}\left( {{m}_{b}}\left\| {{C}_{1}}\left\| {{C}_{3}} \right. \right. \right) \). Since r is a random number and \(H_1\) is a random process, the re-encrypted ciphertext \(C'_{m_b}\) generated by C for \(\mathcal A\) is indistinguishable from \(C_{m_b}\). Therefore, Game 4 and Game 3 are indistinguishable, i.e., \(Adv_{\mathcal A}^{{{G}_{4}}}=Adv_{\mathcal A}^{{{G}_{3}}}\). Moreover, in the case that r is not leaked, \(\mathcal A\) can only randomly guess the value of b. The probability that \(\mathcal A\) wins this game is equal to 1/2. Therefore, we have the advantage of \(\mathcal A\) is: \(Adv_{\mathcal A}^{{{G}_{4}}}=\left| \frac{1}{2}-\frac{1}{2} \right| =0\).

In summary, we can conclude that \(Ad{{v}_{\mathcal A}}\le Adv_{\mathcal A}^{ECCDH}\). If the ECCDHP assumption holds, the advantage of adversary \(\mathcal A\) is negligible, and our proposed BPRE algorithm is IND-CCA secure.