Beruflich Dokumente
Kultur Dokumente
https://doi.org/10.1007/s10916-018-0996-4
Received: 1 March 2018 / Accepted: 12 June 2018 / Published online: 2 July 2018
© The Author(s) 2018
Abstract
Currently, blockchain technology, which is decentralized and may provide tamper-resistance to recorded data, is
experiencing exponential growth in industry and research. In this paper, we propose the MIStore, a blockchain-based medical
insurance storage system. Due to blockchain’s the property of tamper-resistance, MIStore may provide a high-credibility
to users. In a basic instance of the system, there are a hospital, patient, insurance company and n servers. Specifically, the
hospital performs a (t, n)-threshold MIStore protocol among the n servers. For the protocol, any node of the blockchain
may join the protocol to be a server if the node and the hospital wish. Patient’s spending data is stored by the hospital in the
blockchain and is protected by the n servers. Any t servers may help the insurance company to obtain a sum of a part of
the patient’s spending data, which servers can perform homomorphic computations on. However, the n servers cannot learn
anything from the patient’s spending data, which recorded in the blockchain, forever as long as more than n − t servers are
honest. Besides, because most of verifications are performed by record-nodes and all related data is stored at the blockchain,
thus the insurance company, servers and the hospital only need small memory and CPU. Finally, we deploy the MIStore on
the Ethererum blockchain and give the corresponding performance evaluation.
Recently, blockchain-based medical system is a hot topic. servers cannot learn anything from the data if more than
Yue et al. [18] proposed a APP of sharing healthcare data, n − t servers are honest. Thirdly, after the insurance
where patients control, send and own their data easily. company sends a query to the blockchain, if he can
Moreover, Qi et al. [30] proposed the MeDShare, a sys- collect t correct responses to the query, then he can
tem that can address the problem of medical data sharing obtain his desired result. Finally, anyone (including the
among medical big data servers in a trust-less environ- insurance company) cannot learn anything with less
ment. Besides, Ekblaw et al. [29] presented the MedRec, than t responses.
decentralized record management system to resolve elec- • Verifiable. Key data stored at the blockchain is
tronic health records by using blockchain. In the researches, verifiable. Specifically,
they did not provide the function of homomorphic comput-
– Anyone can verify whether the verification key
ing for data recorded at the blockchain, and they just utilized
is valid.
the blockchain as a storage tool. Therefore, in the systems,
– Any server can verify whether his core-share is
a node cannot help others to process encrypted data.
correctly computed by the corresponding hospital.
In an ideal and basic medical insurance business, there
– The insurance company can verify whether
are a hospital, a patient and an insurance company. The
responses are correctly computed by corre-
insurance company can to know a sum of the patient’s spec-
sponding servers, respectively.
ified spending records, however the company cannot learn
– Patient may verify whether his spending data is
the details of the spending records. Furthermore, servers can
correctly processed by corresponding hospital.
help the insurance company to process a patient’s spend-
ing records without learning anything about the spending • Efficient verification. Key data is recorded in the trans-
records. Otherwise, it will result in a risk of information action’s payload, and most of key data is publicly ver-
leakage. Moreover, once the insurance company attempt to ifiable. Therefore, record-nodes can help other nodes
know the patient’s sum of spending records, the insurance to verify payloads’ data before the transactions are
company can get his desired result without any help of hos- recorded in the blockchain. Consequently, once a trans-
pital and patient. Finally, the most important point is that all action has been recorded in the blockchain, the transac-
data must be verifiable and tamper-resistant. Otherwise, the tion’s publicly verifiable data is credible. After that, the
system could not be credible. transaction’s receiver needs not to perform the ver-
To address the problems, in the present paper, we propose ifications performed by record-nodes. Moreover, the
the MIStore, a blockchain-based medical insurance storage receiver just needs to perform very little verification
system. Features of MIStore can be summarized as follows: that can be performed only by him. In this way, it sig-
nificantly reduces users’ verifying computations, and
• Decentralization. There is no the third party authorities receivers just perform some simple and few computa-
to provide any authentication. Moreover, any node may tions, rather than complex and massive computations.
become some hospital’s server if the node and the • Efficient homomorphic computation. According to
hospital wish. Besides, data is stored at the blockchain, insurance company’s query, servers can perform homo-
rather than cloud servers. morphic multiplications and additions on their shares,
• Secure data storage. On the one hand, every trans- and then generate responses. Moreover, the homomor-
action’s publicly verifiable data must be verified by phic computations calculated by servers are efficient
all record-nodes before the transaction is included in additions and multiplications of finite field.
the blockchain. On the other hand, we suggest that
MIStore adopts the Practical Byzantine Fault-tolerance Organization In “Background”, background is introduced. In
(PBFT) to be the consensus scheme of the blockchain, “System setting and model”, we show the system setting
and all related data is stored at the blockchain. Due to and model. In “An overview of MIStore”, an overview of
PBFT’s property of tamper-resistance, data, which has MIStore is given. We introduce construction of the MIStore
been included by record-nodes in the blockchain, can- system in “MIStore”. In “Performance evaluation”, a
not be modified or deleted by anyone. Due to the above performance evaluation is given. Finally, a short conclusion
two points, it provides high credibility to all users. is given in “Conclusion”.
Therefore, once a transaction has been included in the
blockchain, all its publicly verifiable data is credible.
• Threshold. For instance, a hospital performs a (t, n)- Background
threshold MIStore protocol among a patient, an
insurance company and n servers. Firstly, the hospital Bitcoin [1] is a decentralized payment scheme in which
store confidential data in the blockchain. Secondly, the every participant maintains its own local copy of the whole
J Med Syst (2018) 42: 149 Page 3 of 17 149
transaction history, “chain” of “blocks” called blockchain. System setting and model
Blockchain is maintained by anonymous record-nodes,
called miners, via executing a consensus scheme that Blockchain network and cryptographic keys
extends the blockchain. The record-nodes are connected by
a reliable peer-to-peer network. Bitcoin consistency relies MIStore is comprised of record-nodes and light-nodes.
on the idea of computational puzzles—a.k.a. moderately Specifically, all record-nodes are connected by a reliable
proof-of-work put forth by Dwork and Naor [16]. In peer-to-peer network, and each light-node connects with
Bitcoin, payers broadcast transactions and miners collect a certain number of record-nodes. Record-nodes are
transactions into their local blocks. A block contains responsible to maintain the blockchain via Practical
two parts: block-body and block-header. Specifically, the Byzantine Fault-tolerance (PBFT) consensus and store the
block-body contains the transactions. The block-header entire blockchain list. Specifically, time is divided in to
contains the hash value of previous block, the current epoches. In an epoch, record-nodes collect and verify
Unix time, target value, a nonce and a merkle root of transactions sent to the blockchain network, and they record
transactions. In Bitcoin consensus, a block to be valid if valid transactions in their local blocks. By performing
the cryptographic hash of its header must be smaller than PBFT, some record-node’s block become the valid block of
a target value. Moreover, if some miner finds a solution of the epoch. After that, all record-nodes join in the next epoch
the cryptographic puzzle, then he immediately broadcasted to build the next block. While, light-nodes do not store the
his block including the solution to others. After that, upon entire blockchain, and they store all block-headers.
verifying the block, others will receive and add this block Moreover, in the system, there is no trusted public
as a new one in its local blockchain and then continue the key infrastructure. It means that any node can generate a
mining process on its updated blockchain. The creator of the arbitrary number of key-pairs by itself. In a blockchain
block is rewarded with bitcoins (coins in Bitcoin system) system, all users communicate with each other via
via the coinbase transaction which is the first transaction transactions of blockchain, and they only trust messages
in the block-body. Consequently, bitcoins are created and presented at blockchain. Additionally, each record-node can
distributed among miners. Moreover, this creator is also poll a random oracle [24] as a random bit source. Besides,
rewarded by transactions fees for all transactions included by mortgaging a certain amount of coins with an address,
in the block. Besides, Bitcoin assumes that a majority of a light-node can become a hospital or insurance company
computational power is controlled by honest players. with the address.
Smart contract is proposed by Ethereum [15] that is simi- A node is honest if it follows all protocol instructions and
lar as Bitcoin. Smart contracts represent the implementation is perfectly capable of sending and receiving information.
of a contractual agreement, whose legal provisions have Furthermore, a node is malicious if it can deviate arbitrarily
been formalized into source code. Contracting parties can from protocol instructions. Finally, in a blockchain system,
structure their relationships efficiently, in a self-executing all users communicate with each other via transactions
method and without the ambiguity of words. Reliance on of blockchain, and they only trust messages presented at
source code enables willing parties to simulate the agree- blockchain.
ment’s performance before execution and model contractual In the implementation of MIStore, we utilize ECDSA
performance. Moreover, smart contracts introduce new rela- [27] to be the signature schceme Sig(·), ECIES [28] to be the
tionships that are both automatically enforced and defined encryption scheme Enc(·) and SHA-256 [1] to be the hash
by code, but that are not linked to any underlying contractual function H(·).
rights or obligations. In the present paper, before hospi-
tal and servers work, they should mortgage coins in smart Assumptions
contracts, respectively. Besides, if someone does not work
honestly, then anyone can input the corresponding evidences According to Practical Byzantine Fault-tolerance [11]
to obtain a part of the “wrongdoer”’s guarantee deposit. consensus scheme, we assume that 23 of record-nodes are
In the paper, the security of Shamir’s (t, n)-secret sharing honest in the system. Therefore, the blockchain of the
(SSS) [21] is the security base of our system. We extend system does not fork. In other words, once a transaction has
SSS to obtain a threshold secure multi-parties computing appeared in the blockchain, then the transaction cannot be
protocol that will be described in the Appendix. Besides, we modified or deleted by anyone. Moreover, we assume that
use elliptic curve [22, 23] point multiplication to generate digital signature Sig(·), encryption scheme Enc(·) and hash
commitments of core data. Then we utilize bilinear map function H(·) used in MIStore are ideal such that no one
(pairing computations) [25] to verify the correctness of the can violate Sig(·), Enc(·) and H(·). Finally, we assume that
committed core data. hospital and servers are partially trusted. Therefore, data
Figures presented in the paper are created by using Visio. sent by them should be verified.
149 Page 4 of 17 J Med Syst (2018) 42: 149
The basic instance In the paper, we mainly introduce the to the blockchain network. After that, active servers will
basic instance that contains a patient, a hospital and insur- generate and send responses to the blockchain network by
ance company. For the patient, a more complex instance can sending respond-transactions. Finally, if I collects at least
be combined by the basic instance. Moreover, we assume t correct responses, then he can recover the real result.
that medical payments recorded in the blockchain belong to However, it must be pointed that anyone (including I )
the range of the corresponding medical insurance. cannot learn anything about the correct result with less than
t responses. The protocol is secure as long as more than
n−t servers are honest. An overview of MIStore is shown in
An overview of MIStore Fig. 1.
In the MIStore, most data is verifiable. For instance,
In this paper, we propose a blockchain-based medical anyone can verify the validation of the initialize-transaction
insurance storage system, called MIStore. The system sent by the hospital, a server may verify the correctness of
may help an insurance company to obtain the sum of his core share sent by the hospital, an insurance company
patient’s medical medical spending records. Moreover, the can verify whether responses are correctly computed by
medical spending data recorded at the blockchain are always corresponding servers, and a patient can verify whether his
confidential to servers as long as a certain number of spending data is correctly processed by the corresponding
servers are honest. In this system, there are four parties that hospital. Moreover, because MIStore is decentralized, so
are patients, hospitals, servers and insurance companies. there is no centralized node to punish the “bumblers”. To
All related data is recorded at the blockchain. Due to the punish the bumblers’ mistake, we adopt the smart contract.
property of tamper-resistance of blockchain, all users may Specifically, before hospitals and servers perform a MIStore
trust data recorded at the blockchain. protocol, they should a certain amount of mortgage coins in
To introduce MIStore’s working process, we take smart contracts, respectively. If someone of them publishes
the basic instance as a example, which contains a some invalid data in the blockchain, then anyone can input
hospital H , a patient P , an insurance company I and n the evidences in the corresponding smart contract to obtain
servers Sr1 , Sr2 , · · · Srn . Specifically, H performs a (t, n)- a part of the bumbler’s guarantee deposit.
threshold MIStore protocol among the n servers by sending
an initialize-transaction to the blockchain network. After
that, H may send P ’s confidential medical spending data MIStore
to the blockchain network by sending record-transactions.
At some later time, if I wants to know the sum of some In this section, we introduce how MIStore works. We will
P ’s spending records, then I may send a query-transaction describe transaction and block used in the system at first.
Fig. 1 An overview of MIStore. Step 1: Hospital sends a initialize- record-transactions from blockchain. Step 5: After locally computing,
transaction to blockchain networl. Step 2: Hospital sends record- servers generate their responses and then send respond-transactions
transactions to blockchain network. Step 2.5: The patient can verify to blockchain network. Step 6: Insurance company collects respond-
whether his spending records are correctly computed by hospi- transactions and obtains t correct responses. Step 7: Insurance com-
tal. Step 3: Insurance company sends a query-transaction to query pany recovers the result with the t correct responses
some result. Step 4: Servers read the query-transaction and related
J Med Syst (2018) 42: 149 Page 5 of 17 149
instance can be constructed with the basic instance. The where score,1 , score,2 , a1 , · · · , at−1 , d1 , · · · , dt−1 ∈
symbols used in the paper are shown in Table 3. Fp , at−1 = 0 and dt−1 = 0. Let
At first, the hospital and n servers should have published
f1 (x) = at−1 x t−1 + at−2 x t−2 + · · · + a1 x,
smart contracts to mortgage a certain amount of guarantee
coins at the blockchain, respectively. If someone publishes f2 (x) = dt−1 x t−1 + dt−2 x t−2 + · · · + d1 x.
some incorrect data that is verifiable, then the discoverer Then, we have F1 (x) = f1 (x) + score,1 and F2 (x) =
can send the corresponding evidences to the bumbler’s smart f2 (x) + score,2 . Hospital computes
contract to prove that the bumbler sent an incorrect data.
f1 (x)f2 (x) = q2t−2 x 2t−2 + q2t−3 x 2t−3 + · · · + q2 x 2 .
Then, the discoverer can automatically obtain a amount of
reward from the bumbler’s smart contract. After that, hospital randomly samples l(x) of degree
After mortgaging guarantee coins, the MIStore system t − 1 from Fp [x] as follow:
can be performed as follows: l(x) = ct−1 x t−1 + ct−2 x t−2 + · · · + c1 x.
• Step 1: Initialization. Hospital randomly samples two Let
polynomials F1 (x) and F2 (x) of degree t − 1 over Fp h(x) = f1 (x)f2 (x)−l(x) = b2t−2 x 2t−2 +b2t−3 x 2t−3 +· · ·+b1 x.
as the following polynomials:
Then hospital generates a verification key VK as
F1 (x) = at−1 x t−1 + at−2 x t−2 + · · · + a1 x + score,1 , follow:
initialize
Compute
Transaction Header t−1
CF ∗i,1 = (g at−1 )Sri · · · (g a1 )Sri (g score,1 )
Payload
t−1
CF ∗i,2 = (g dt−1 )Sri · · · (g d1 )Sri (g score,2 )
2t−2
Ch∗i = (g b2t−2 )Sri · · · (g b1 )Sri
If
After that, the hospital sends the Tinitialize to blockchain CF ∗i,1 = CMCFi,1 , CF ∗i,2 = CMCFi,2 and Ch∗i = CMChi ,
network.
• (1)
Step 2: Record-nodes verify Tinitialize . Honest record-
nodes will verify all new initialize-transactions before then the record-node accepts that
appending them at the blockchain. For instance, when CMCFi,1 , CMCFi,2 and CMChi are
an honest record-node receives the Tinitialize , he will correctly computed by the hospital,
verify its verification key (V K) at first, and then otherwise he rejects the Tinitialize and
verify other data with the V K. If Tinitialize passes the stop his verifications.
verifications, then the record-node accepts the Tinitialize
and writes it in his local block, otherwise, he will If any data cannot pass corresponding verification, then
reject the Tinitialize . The verifications are described as the record-node rejects the Tinitialize .
follows:
Remark 1 Because the record-node randomly samples the
– First, verify the verification key V K. The number x0 , so the Eq. 1 is enough to prove the validation of
record-node verifies whether polynomials the verification key.
f1 (x), f2 (x), h(x) and l(x), committed in ver-
ification key, are well-formed. Specifically, the • Step 3: Servers verify core-shares. i from 1 to n,
record-node does as follows: when the Serveri sees the Tinitialize at the blockchain, the
Randomly sample a number x0 ∈ Fp . server may perform the following computations:
Compute – Decrypt CCFi,1 , CCFi,2 and CChi . Then he
obtains CFi,1 , CFi,2 and Chi .
t−1
g1 = (g at−1 )x0 (g at−2 )x0
t−2
· · · (g a1 )x0 – If
at−1 x0t−1 +at−2 x0t−2 +···+a1 x0
= g CMCFi,1 = g CFi,1 , CMCFi,2 = g CFi,2 and CMChi = g Chi ,
dt−1 x0t−1 dt−2 x0t−2
g2 = (g ) (g ) · · · (g d1 )x0
dt−1 x0t−1 +dt−2 x0t−2 +···+d1 x0
then the server accepts that the Tinitialize is
= g
2t−2 2t−3
valid, otherwise he can send his evidences
g3 = (g b2t−2 )x0 (g b2t−3 )x0 · · · (g b1 )x0 IDTinitialize , CFi and Chi to the hospital’s smart
b2t−2 x02t−2 +b2t−3 x02t−3 +···+b1 x0 contract. After that, the server can obtain a
= g
t−1 t−2 amount of reward.
g4 = (g ct−1 )x0 (g ct−2 )x0 · · · (g c1 )x0
= g ct−1 x0t−1 +ct−2 x0t−2 +···+c1 x0 • Step 4: Record. After seeing the Tinitialize at
the blockchain, the hospital may generate record-
If transactions. Moreover, let da1 , da2 , · · · , dam denote
the patient’s spending records. The each spending
e(g1 , g2 ) = e(g3 g4 , g), record has a unique invoice number, IDiinvoice . How-
ever, they belong to the same initialize-transaction
then the record-node accepts that Tinitialize . Without loss of generality, we assume that
f1 (x), f2 (x), h(x) and l(x) satisfy the hospital generates two record-transactions (T1 and
relationships and forms mentioned T2 ), and the patient’s spending records are da1 , da2 ,
at Step 1. Otherwise he rejects the da3 , da4 . Then, i from 1 to 4, hospital randomly divides
Tinitialize and stops his verifications. dai into dai = ddi,1 ddi,2 . Then, the hospital computes
– Second, verify commitments CMCFi,1 , si,1 = ddi,1 − score,1 , si,2 = ddi,2 − score,2 .
CMCFi,2 , CMChi , i from 1 to n. Specifically,
the record-node computes as follows: Then, it generates transactions T1 , T2 as follows:
149 Page 8 of 17 J Med Syst (2018) 42: 149
correctness of the commitments. Specifically, e(g a , g b ) = key, three servers’ IDs, 9 encrypted messages and 9
e(g ab , g). For instance, if we want to verify ab = c and commitments. Moreover, according to “Prototype system
we do not want to reveal a, b and c, then we may use the setting”, the data recorded in the Tinitialize ’s payload is of
following equation to verify ab = c. 1504 bytes. However, the payload of a transaction, in the
Ethererum blockchain, can include at most 1014 bytes. In
e(g a , g b ) = e(g c , g). other words, one transaction cannot contain 1504 bytes.
Therefore, in the prototype system, we divide the Tinitialize
Processing time of cryptographic schemes 1
into Tinitialize 2
, Tinitialize 3
and Tinitialize in order to record all its
data. Specifically, the both transactions can be described as
Generally, the time cost of performing cryptographic follows:
schemes will have a certain degree of influence on the
time of processing transactions, and then it may influence 1
initialize
2
initialize
the efficiency of the system. Therefore, in the sub-section, Transaction Header Transaction Header
we discuss the processing time cost of cryptographic and Payload Payload
mathematic components.
For each of encryption, decryption, point multiplication,
point addition, signing, verifying signatures, pairing,
field addition and field multiplication, we perform 1000
3
experiments to obtain their average time cost. Their average initialize
Table 5 Payloads of
transactions used in our Payload Content Size
prototype system
1
Payload of Tinitialize A verification key 512 bytes
2
Payload of Tinitialize 3 IDs, 9 encrypted messages 960 bytes
3
Payload of Tinitialize 9 commitments 576 bytes
Payload of Trecord 1 to 7 arrays of spending data 128-896 bytes
Payload of Tquery 1 ID 32 bytes
Payload of Trespond A hospital’s ID, a encrypted response, a commitment 192 bytes
149 Page 12 of 17 J Med Syst (2018) 42: 149
1
Hospital generates a Tinitialize 1S+7PM 212.209 ms
2
Hospital generates a Tinitialize 1S+9E 83.931 ms
3
Hospital generates a Tinitialize 1S+9PM 271.347 ms
Hospital generates a Trecord 1S+14FA 5.226 ms
Insurance company generates a Tquery 1S 5.226 ms
Server generates a Trespond 1S+5FM+12FA+1E+1PM 43.543 ms
1
Record-node verifies a Tinitialize 1V+5PM+2PA 157.454 ms
2
Record-node verifies a Tinitialize 1V 9.137 ms
3
Record-node verifies a Tinitialize 1V+15PM+9PA 454.796 ms
Record-node verifies a Trecord 1V 9.137 ms
Record-node verifies a Tquery 1V 9.137 ms
Record-node verifies a Trespond 1V+2PM+10PA+5Pairing 494.361 ms
2
Server verifies a Tinitialize 3D++3PM 101.807 ms
Insurance company verifies a Trespond 1D+1PM 33.936 ms
In the table, S is a signing computation, V denotes a signature verification, P M describes a point multiplication on the ECC, P A is a point
addition on the ECC, P airing means a pairing computation, E is a encryption, D denotes a decryption, F M describes a field multiplication and
FA is a field addition. For instance, “2PM+3PA+1V+6Pairing” denotes that the corresponding computations contain 2 point multiplications, 3
point additions, 1 signature verification and 6 pairing computations
data since other data has been verified by record-nodes. tends to be stable. That is, generating 1000 blocks takes
Comparisons between the pure system and the blockchain- about 4.3 h. In other words, generating a block takes about
based system are shown in Table 7. According to the 15.2 s on average. Furthermore, in the Ethereum blockchain,
Table 7, if the system is not based on the blockchain, then a block can record transactions of at most 62,360 bytes, a
the insurance company and servers all need a certain amount transaction with an empty payload is of 308 bytes and a
of verifying computations. However, if the system is based transaction’s payload can record data of at most 1014 bytes.
on the blockchain, then most computations can be done by Therefore, a transaction’s size should be from 308 bytes to
record-nodes, then the insurance company and servers just 308 + 1014 = 1322 bytes.
need to perform very few verifying computations. According to Table 5 and above contents, in our
implementation, any transaction’s size can be calculated.
Blockchain performance evaluation Transactions’ sizes are shown in Table 8. A block can
record transactions of at most 62360 bytes. Therefore, if a
We run our MIStore on the Ethereum blockchain. After block only record identical transactions, then the number of
generating a certain number of blocks, the block interval recorded transactions has a limit.
Comparative item Time cost of pure MIStore Time cost of blockchain-based MIStore
1
Verifying Tinitialize 0 ms 157.4 ms 157.4 ms 0 ms 0 ms 0 ms 157.4 ms
2
Verifying Tinitialize 0 ms 110.9 ms 9.1 ms 0 ms 101.8 ms 0 ms 9.1 ms
3
Verifying Tinitialize 0 ms 454.7 ms 454.7 ms 0 ms 0 ms 0 ms 454.7 ms
Verifying Trecord 0 ms 9.1 ms 9.1 ms 0 ms 0 ms 0 ms 9.1 ms
Verifying Tquery 0 ms 0 ms 9.1 ms 0 ms 0 ms 0 ms 9.1 ms
Verifying Trespond 0 ms 0 ms 528.2 ms 0 ms 0 ms 33.9 ms 494.3 ms
Table 8 Transactions’ sizes in our prototype system respond-transactions are recorded by record-nodes earlier
than record-transactions since it has larger transaction fee.
Transaction Size
Finally, the insurance company can recover his desired data.
1
Tinitialize 820 bytes The whole process only takes about 24 s.
2
Tinitialize 1268 bytes MIStore’s efficiency mainly depends on the blockchain
3
Tinitialize 884 bytes platform. For instance, in the paper, we use the Ethererum
Trecord 436-1204 bytes blockchain as the platform. Specifically, Ethereum’s block
Tquery 340 bytes can contains transactions of at most 62,360 bytes, its
Trespond 500 bytes average block interval is about 15 s and its transaction’s
payload contains at most 1014-byte data, so the MIStore’s
efficiency is significantly limited by the blockchain
In our experiments, because different transactions have platform. Therefore, if we use some other more suitable
different significance, so the more significant transaction blockchain platform, then it might get a better throughput.
should be processed earlier. In the Ethererum blockchain,
record-nodes (miners) earlier process a transaction with
more transaction fee. Therefore, we set different transac- Conclusion
tions with different transaction fees. When transactions are
pending in a record-node’s transaction pool, transactions In this paper, we propose a blockchain-based threshold
with more fees will be recorded earlier. In the MIStore medical insurance storage system, called MIStore. Because
system, the initialize-transaction is the base of later transac- of combining with blockchain, the system obtains some
tions. Therefore, it should has the first priority. For quickly special advantages, e.g., decentralization, tamper-resistance
responding insurance company’s query, we set that query- and record-nodes help users to verify publicly verifiable
transaction has the second priority and respond-transaction data. Firstly, the blockchain’s property of tamper-resistance
has the third priority. Finally, record-transaction has the low- gives users high-credibility. Moreover, due to the decentral-
est priority. In this way, the system’s responding rate will ization, users can communicate with each other without the
be obviously increased. In our experiments, their transaction third-parties. Secondly, the system supports the property of
fees are shown in Table 9. threshold. That is, patient’s data is confidentially controlled
In our experiments, after an initialize-transaction has by servers specified by the hospital, and the stored data is
appeared at the blockchain, the hospital continually send always confidential for the servers as long as a certain num-
record-transactions to the blockchain network. The record- ber of the servers are honest. Furthermore, according to the
transactions are same as mentioned at “Construction of insurance company’s query, the specified servers can per-
MIStore”. The data of record-transactions’ payloads is form homomorphic computations on the data and then get
called as “spending-data”. Every block can contain at most responses. If the insurance company can collect a threshold
51 record-transactions with the most arrays of spending number of correct responses, then he can recover the cor-
data. Then, a block can store spending-data of at most 45696 rect patient’s spending data. Thirdly, all important data is
bytes. Because the blockchain generates a block per about verifiable. In particular, most of data is publicly verifiable.
15 s on average, so the system can record spending-data of Therefore, record-nodes of blockchain can help users to
at most 3046.4 bytes per second on average. At some later perform the public verifications. Consequently, this signif-
time, the insurance company sends a query-transaction to icantly reduces users computations. Finally, a performance
the blockchain network. Consequently, in the next block, evaluation about the system is given.
the insurance company can get 3 response-transactions. The
Acknowledgments This work was supported by the National Key
Table 9 Transaction fee R&D Program of China (Grant No. 2016YFB0800602), the National
Natural Science Foundation of China (NSFC) (Grant No. 61502048),
Transaction Transaction fee and Shandong provincial Key R&D Program of China (Grant No.
2018CXGC0701).
1
Tinitialize 0.0001 ETH
2
Tinitialize 0.0001 ETH Compliance with Ethical Standards
3
Tinitialize 0.0001 ETH
Trecord 0.00001 ETH This article does not contain any studies with human participants
performed by any of the authors.
Tquery 0.00006 ETH
Trespond 0.00003 ETH
Conflict of interests Lijing Zhou declares that he has no conflict of
interest. Licheng Wang declares that he has no conflict of interest. Yiru
ETH denotes the unit of Ethererum coin Sun declares that she has no conflict of interest.
149 Page 14 of 17 J Med Syst (2018) 42: 149
Open Access This article is distributed under the terms of the – d1 , d2 , · · · , dm describe the plaintext messages that will
Creative Commons Attribution 4.0 International License (http:// be protected by n servers in ciphertext.
creativecommons.org/licenses/by/4.0/), which permits unrestricted
– Sahreiasr is the i-the server’s answer.
use, distribution, and reproduction in any medium, provided you give
appropriate credit to the original author(s) and the source, provide a The TVHCSS can be described as follows:
link to the Creative Commons license, and indicate if changes were
made. • Initialize. Let Fp be a finite field with character p. D
randomly samples a polynomial F (x) of degree t − 1
over Fp as the following polynomial.
Appendix: (t, n)-threshold verifiable
F (x) = at−1 x t−1 + at−2 x t−2 + · · · + a1 x + score ,
homomorphic confidential storage scheme
where score , a1 , · · · , at−1 ∈ Fp and at−1 = 0. We
(t, n)-threshold verifiable homomorphic confidential stor- denote that score is the core secret in the system. Let
age scheme (TVHCSS) contains three parties (a distributor,
f (x) = at−1 x t−1 + at−2 x t−2 + · · · + a1 x.
n servers and a querier). Specifically, in TVHCSS, the dis-
tributor’s messages are protected and controlled by the n Then we have F (x) = f (x) + a0 . D computes
servers, and in each server’s hands, messages are cipher- f (x)2 = q2t−2 x 2t−2 + q2t−3 x 2t−3 + · · · + q2 x 2 .
text. When a querier sends a query to the n servers, if at
least t servers return correct answers to the querier, then the After that, D randomly samples l(x) of degree t − 1
querier can obtain what he wants. While if less than t servers from Fp [x] as follow:
return answers to the querier, then the querier cannot obtain l(x) = ct−1 x t−1 + ct−2 x t−2 + · · · + c1 x.
anything.
Let
A.1 Construction of TVHCSS h(x) = f (x)2 −l(x) = b2t−2 x 2t−2 +b2t−3 x 2t−3 +· · ·+b1 x.
D samples a generator g that can generate a cyclic
Symbols, used in the scheme, are summarized at Table 10. group G. Then D publishes a verification key V K as
– g is a generator of a cyclic group G. follow:
– e is a bilinear map, e: G × G → G. For instance,
e(g a , g b ) = e(g, g)ab . V K = {g, g at−1 , · · · , g a1 , g score , g b2t−2 , g b2t−3 ,
– D is the distributor’s ID. · · · , g b1 , g ct−1 , g ct−2 , · · · , g c1 }
– Sr1 , Sr2 , · · · , Srn denote n servers’ IDs. • Verify committed polynomials. Anyone can verify
– Q describes the querier’s ID. whether polynomials f (x), h(x), l(x), committed in
– {pki , ski } denotes the i-th server’s key pair, for i from verification key, are well-formed and sound. Specifi-
1 to n. cally, he can do as follows:
– {pkQ , skQ } is Q’s key pair.
– Randomly sample t different numbers
Table 10 Symbols of TVHCSS x0 , x1 , · · · , xt−1 ∈ Fp .
– j from 0 to t − 1, compute
Symbol Description t−1 t−2
f
gj = (g at−1 )xj (g at−2 )xj · · · (g a1 )xj
g The generator of a cyclic group G t−1
+at−2 xjt−2 +···+at−1 xj
e The bilinear map, e: G × G → G = g at−1 xj
Fp The finite field with character p 2t−2 2t−3
D The distributor’s ID gjh = (g b2t−2 )xj (g b2t−3 )xj · · · (g b1 )xj
Sri The i-th servers’ IDs 2t−2
+b2t−3 xj2t−3 +···+b1 xj
= g b2t−2 xj
Q The querier’s ID
VK The verification key t−1 t−2
gjl = (g ct−1 )xj (g ct−2 )xj · · · (g c1 )xj
{pkD , skD } The D’s key pair
t−1
{pki , ski } +ct−2 xjt−2 +···+c1 xj
The i-th server’s key pair, for i from 1 to n = g ct−1 xj
{pkQ , skQ } The insurance company I ’s key pair f f
di The i-th plaintext message protected by n servers
– If e(gj , gj ) = e(gjh gjl , g), for all j from
0 to t − 1, then the verifier accepts that the
CMFi CMFi = g Fi
polynomials, committed by verification key,
CMhi CMhi = g hi
are well-formed and sound. Otherwise, he
Sahrei The i-th server’s answer-share
rejects and return to step Inilialize.
J Med Syst (2018) 42: 149 Page 15 of 17 149
After that, Sri encrypts Sharei as Cishare = 6. King, S., and Nadal, S., Ppcoin: Peer-to-peer crypto-currency with
EncpkQ (Sharei ) with Q’s public key. Then, Sri sends proof-of-stake[J]. Self-published paper, August, 2012, 19.
7. Kwon, J., Tendermint: Consensus without mining. 2014[J]. https://
Cishare to Q. tendermint.com/static/docs/tendermint.pdf, 2014.
• Recover. If Q collects at least t correct and different 8. Dziembowski, S., Faust, S., Kolmogorov, V., et al., Proofs
shares, he can recover the data as described in Eq. 2. of space[C]. In: Annual Cryptology Conference, pp. 585–605.
Without loss of generality, we assume the t shares Heidelberg: Springer, Berlin, 2015.
9. Bentov, I., Lee, C., Mizrahi, A., and Rosenfeld, M., Proof of
come from Sr1 , Sr2 , · · · , Srt . First, Q should verify the activity Extending bitcoin’s proof of work via proof of stake.
validations of Share1 , Share2 and Sharet . Specifically, i In: Proceedings of the ACM SIGMETRICS 2014 Workshop on
from 1 to t, Q computes Economics of Networked Systems, NetEcon. 2, 2014.
10. Blocki, J., and Zhou, H. S., Designing proof of human-
t−1 t−1 work puzzles for cryptocurrency and beyond[C]. In: Theory of
+···+a1 Sri +score
g Fi = (g at−1 )Sri · · · (g a1 )Sri (g a0 ) = g at−1 Sri Cryptography Conference, pp. 517–546. Berlin: Springer, 2016.
11. Castro, M., and Liskov, B., Practical Byzantine fault tolerance[C].
OSDI 99:173–186, 1999.
2t−2 2t−2
+···+b1 Sri
g hi = (g b2t−2 )Sri · · · (g b1 )Sri = g b2t−2 Sri 12. King, S., and Nadal, S., Ppcoin: Peer-to-peer crypto-currency with
proof-of-stake. https://peercoin.net/assets/paper/peercoin-paper.
After that, with si1 , si2 , · · · , sim and bilinear map e, Q pdf, 2012.
further computes 13. CryptoManiac, Proof of stake. NovaCoin wiki. https://github.com/
novacoin-project/novacoin/wiki/Proof-of-stake, 2014.
Ei1 = e(g Fi g si1 , g Fi g si2 )e(g Fi g si3 , g Fi g si4 ) 14. Bentov, I., Lee, C., Mizrahi, A., and Rosenfeld, M., Proof of
sik sik activity Extending bitcoin’s proof of work via proof of stake
· · · e(g Fi g 1 −1 , g Fi g 1 ) [extended abstract]. SIGMETRICS Perform. Eval. Rev. 42(3):34–
s s sik
Ei2 = e(giFi g ik1 +1 giFi g ik1 +2 · · · giFi g 1 +k2 , g) 37, 2014.
15. Buterin, V., A next-generation smart contract and decentralized
application platform, 2014[J] https://github.com/ethereum/wiki/
wiki/White-Paper (visited on 10/09/2016), 2014.
If 16. Dwork, C., and Naor, M., Pricing via processing or combatting
k junk mail. In: CRYPTO’92, pp. 139–147, 1992.
Ei1 Ei2 /e(g hi , g 2 ) = e(g Sharei , g), 17. Abramaowicz, M., Cryptocurrency-based Law[J]. Ariz. L. Rev.
58:359, 2016.
then Q considers that Sharei is correctly computed 18. Yue, X., Wang, H., Jin, D., Li, M., and Jiang, W., Healthcare data
by Sri . If all Share1 , Share2 and Sharet are correctly gateways: Found healthcare intelligence on blockchain with novel
computed by senders, then Q can recover the data privacy risk control. J. Med. Syst. 40(10):218, 2016.
with Share1 , Share2 and Sharet . Specifically, Q can 19. Ferrer, E. C., The blockchain: A new framework for robotic swarm
systems. arXiv:1608.00695, 2016.
reconstruct a polynomial of degree t − 1 by Lagrange
20. Brambilla, G., Amoretti, M., and Zanichelli, F., Using block chain
interpolating as follow: for peer-to-peer proof-of-location. arXiv:1607.00174, 2016.
21. Shamir, A., How to share a secret. ACM 22:612,613, 1979.
22. Joux, A., A one round protocol for tripartite Die-Hellman. J.
t
t
Srj − x
(x) =
F Sharei
Cryptol. 17:263–276, 2004.
Srj − Sri 23. Joux, A., and Nguyen, K., Separating decision Die-Hellman from
i=1 j =1,j =i computational Die-Hellman in cryptographic groups. J. Cryptol.
16:239–247, 2003.
(0) equals to data.
Finally, F 24. Bellare, M., and Rogaway, P., Random oracles are practical: A
paradigm for designing efficient protocols[C]. In: Proceedings
of the 1st ACM Conference on Computer and Communications
Security, pp. 62–73: ACM, 1993.
References 25. Barreto, P. S. L. M., and Naehrig, M., Pairing-friendly elliptic
curves of prime order. In: Selected Areas in Cryptography (SAC),
1. Nakamoto, S., Bitcoin: A peer-to-peer electronic cash system, 2006.
Available: http://bitcoin.org/bitcoin.pdf, 2008. 26. Bernstein, D. J., and Lange, T., Safecurves: Choosing safe curves
2. Litecoin. https://litecoin.org. for elliptic-curve cryptography. http://safecurves.cr.yo.to, 2013.
3. Schwartz, D., Youngs, N., and Britto, A., The Ripple Protocol 27. Johnson, D., Menezes, A., and Vanstone, S., The elliptic curve
Consensus Algorithm. Technical Report. https://ripple.com/files/ digital signature algorithm (ECDSA)[J]. Int. J. Inf. Secur. 1(1):36–
ripple consensus whitepaper.pdf, 2014. 63, 2001.
4. Wood, G., Ethereum: A secure decentralised generalised transac- 28. Smart, N. P., The exact security of ECIES in the generic group
tion ledger[J]. Ethereum project yellow paper 151:1–32, 2014. model[C]. In: IMA International Conference on Cryptography and
5. Dwork, C., and Naor, M., Pricing via processing or combatting Coding, pp. 73–84. Berlin: Springer, 2001.
junk mail[C]. In: Annual International Cryptology Conference, 29. Ekblaw, A., Azaria, A., Halamka, J. D., et al., A Case Study
pp. 139–147. Berlin: Springer, 1992. for Blockchain in Healthcare: “MedRec” prototype for electronic
J Med Syst (2018) 42: 149 Page 17 of 17 149
health records and medical research data[C]. In: Proceedings 32. Chang, S., Zhu, H., Dong, M., Ota, K., Liu, X., and Shen, X.,
of IEEE Open and Big Data Conference, Vol. 13, p. 13, Private and flexible urban message delivery. IEEE Trans. Veh.
2016. Technol. 65(7):4900–4910, 2016.
30. Xia, Q., Sifah, E. B., Asamoah, K. O., et al., MeDShare: Trust- 33. Yan, J., Wang, L., Dong, M., Yang, Y., and Yao, W., Identity-based
less medical data sharing among cloud service providers via signcryption from lattices. Security and Communication Networks
blockchain[J]. IEEE Access 5:14757–14767, 2017. 8(18):3751–3770, 2015.
31. Liu, X., Dong, M., Ota, K., Hung, P., and Liu, A., Service pricing 34. Parno, B., Howell, J., Gentry, C., et al., Pinocchio: Nearly practical
decision in cyber-physical systems: insights from game theory. verifiable computation[C]. In: 2013 IEEE Symposium on Security
IEEE Trans. Serv. Comput. 9(2):186–198, 2016. and Privacy (SP), pp. 238–252: IEEE, 2013.