
Received January 26, 2019, accepted March 4, 2019, date of publication March 13, 2019, date of current version April 12, 2019.

Digital Object Identifier 10.1109/ACCESS.2019.2904300

An Efficient Authentication Scheme for Blockchain-Based Electronic Health Records
FEI TANG^{1,2}, SHUAI MA^{1}, YONG XIANG^{3} (Senior Member, IEEE), AND CHANGLU LIN^{4}
1 College of Computer Science and Technology, Chongqing University of Posts and Telecommunications, Chongqing 400065, China
2 School of Cyber Security and Information Law, Chongqing University of Posts and Telecommunications, Chongqing 400065, China
3 School of Information Technology, Deakin University, Melbourne, VIC 3125, Australia
4 Key Laboratory of Network Security and Cryptography, Fujian Normal University, Fujian 350007, China

Corresponding author: Fei Tang ([email protected])


This work was supported in part by the National Key Research and Development Program of China under Grant 2017YFB0802300, in part
by the National Natural Science Foundation of China under Grant 61702067, Grant 61572132, and Grant U1705264, in part by the Natural
Science Foundation of Chongqing under Grant cstc2017jcyjAX0201, in part by the Science and Technology Research Project of the
Chongqing Municipal Education Commission under Grant KJ1600445, and in part by the Venture & Innovation Support Program for
Chongqing Overseas Returnees under Grant CX2018122.

ABSTRACT In traditional electronic health records (EHRs), medical-related information is generally controlled separately by different hospitals, which leads to the inconvenience of information sharing. Cloud-based EHRs solve the problem of information sharing in traditional EHRs. However, cloud-based EHRs suffer from the centralization problem, i.e., they depend on a cloud service center and a key-generation center. This paper works on creating a new EHRs paradigm which can help in dealing with the centralization problem of cloud-based EHRs. Our solution is to apply the emerging technology of blockchain to EHRs (denoted as blockchain-based EHRs for convenience). First, we formally define the system model of blockchain-based EHRs in the setting of consortium blockchain. In addition, the authentication issue is very important for EHRs. However, existing authentication schemes for blockchain-based EHRs have their own weak points. Therefore, in this paper, we also propose an authentication scheme for blockchain-based EHRs. Our proposal is an identity-based signature scheme with multiple authorities which can resist the collusion of up to N − 1 out of N authorities. Furthermore, our scheme is provably secure in the random oracle model and has more efficient signing and verification algorithms than existing authentication schemes for blockchain-based EHRs.

INDEX TERMS Electronic health records, blockchain, identity-based signatures, multiple authorities.

I. INTRODUCTION

Traditional paper-based health records apparently are inconvenient for information interchange or sharing. The technology of Electronic Health Records (EHRs) [7], [8], [19], [20] provides a novel way to collect and manage health-related information. EHRs are an information system which maintains medical records in the process of patients' treatment or health management. It contains various kinds of health information, realizes the summary or integration of different electronic medical information, and satisfies the management needs of hospitals and related research institutions. EHRs are more convenient than traditional paper-based health records for information storage and retrieval. In EHRs, all medical-related data are digitized and stored in the server of the hospital. Then, when a patient goes back to the hospital, he or the hospital can search previous information, including the names of the patient and doctor, time, diagnosis, and so on. As an important application in the medical field, EHRs have attracted wide attention. Many standards have been proposed [19], [20] for EHRs. In addition, many papers have considered the security and privacy issues in EHRs systems [7], [8], [19].

However, there exist many problems in traditional EHRs. First of all, medical-related data are generally stored independently in different hospitals or research institutions, since each has its own independent database. Therefore, when a patient transfers from one hospital to another, he needs to obtain medical examinations once again. This obviously leads to a waste of medical information resources and increases patients' physical and financial burdens. Secondly, in EHRs systems, only the authorities, such as hospitals, hold the data. Hence, if there is a dispute between a hospital and a patient, the hospital will always win, since it can tamper with the medical records or even delete them. This is not fair to patients.

The associate editor coordinating the review of this manuscript and approving it for publication was Kim-Kwang Raymond Choo.

2169-3536 © 2019 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. VOLUME 7, 2019, page 41678.
F. Tang et al.: Efficient Authentication Scheme for Blockchain-Based EHRs

FIGURE 1. Cloud-based EHRs.

In order to solve the problem of information sharing in traditional EHRs, researchers introduced the notion of cloud-based EHRs [11]–[14], [16], [21], [25]. Cloud-based EHRs can be seen as an application of cloud computing technology to EHRs. In cloud-based EHRs systems, there still needs to be a cloud service provider who plays the role of authority. As shown in Figure 1, all medical-related data, from doctors, pharmacies, diagnostic laboratories, insurance centers, and so on, will be uploaded to the cloud server. Then, users can search and download useful information from the cloud server. If several organizations share the same cloud server, then they can share the data in a convenient way. Next, when patients transfer from one hospital to another, the new hospital can obtain the patients' medical-related data from the cloud, and thus they have no need to get medical examinations once again. Therefore, cloud-based EHRs solve the problem of information sharing in traditional EHRs. In addition, in cloud-based EHRs, all data are maintained only by the authority, i.e., the cloud service provider, and thus the hospitals and other organizations could tamper with the medical-related data only when they collude with the authority.

Cloud-based EHRs solve the problem of information sharing, and make it impossible for hospitals and other organizations to tamper with the data by themselves. However, there are also some problems in cloud-based EHRs. Firstly, if there is a dispute between a hospital and a patient, then the hospital can collude with the cloud service provider to tamper with or even delete the data. Therefore, as in many other kinds of cloud-based systems, we need to put our trust in the cloud server. Whereas, if the cloud server is attacked or is malicious, then patients' privacy is a big problem. Secondly, in identity-based and attribute-based cryptosystems for cloud-based EHRs, e.g., [12], [21], [25], there is a key generation center (KGC) who is responsible for key generation for all users. Actually, it is well known that the KGC knows all users' secret keys.

This paper works on creating a new EHRs paradigm which can help in dealing with the problems in cloud-based EHRs. Our solution is to make use of the emerging technology of blockchain, which is derived from Bitcoin [15]. Generally speaking, blockchain can be seen as a decentralized and distributed database. There is an authority in traditional network architectures or application systems, such as a KGC, a cloud service provider, and so on. The decentralized feature of blockchain gets rid of such dependence on an authority. Therefore, many people have considered the applications of blockchain in different types of real-world scenarios, including EHRs; we call it blockchain-based EHRs. For example, the works of [3], [4], and [24] designed a broad framework for blockchain-based EHRs. Zhang et al. [23] and Omar et al. [27] made use of encryption technology to protect the confidentiality of the medical records. Xu et al. [22] focus on the privacy issue of EHRs and designed a new framework based on blockchain and homomorphic encryption.

Authentication is very important for blockchain-based EHRs. Different from the case of cryptocurrency, which is anonymous and thus has no authentication mechanism for users, the data in blockchain-based EHRs must be authenticated, such as a diagnosis from a doctor. However, there are few works on this issue. Sun et al. [26] designed a decentralized attribute-based signature scheme for blockchain-based EHRs. In their scheme, each authority agency is in charge of one or more attributes. That is to say, the different attributes of a user are issued by one or more authority agencies. Therefore, the scheme of [26] is vulnerable to the collusion attack of authorities. Guo et al. [6] also constructed an attribute-based signature scheme with multiple authorities for blockchain-based EHRs. Their scheme can resist the collusion of up to N − 1 out of N corrupted authorities. However, in their scheme, each patient has a separate healthcare blockchain of his own, which is incompatible with the property of blockchain.

A. OUR MOTIVATIONS AND CONTRIBUTIONS
Few works have considered the authentication issue for blockchain-based EHRs, and of those, the scheme of [26] suffers from the problem of collusion attack and the model of [6] is incompatible with blockchain. In addition, neither [26] nor [6] has considered the roles of the organizations, such as hospitals, medical insurance companies, scientific research institutions, pharmaceutical companies, and so on, which is inappropriate for real-world applications. Furthermore, the signing and verification costs of both schemes [6], [26] are high. However, as said before, the authentication issue is very important for blockchain-based EHRs. Therefore, in this work, we further consider this problem for blockchain-based EHRs. The main contributions of this work are as follows:
• Firstly, as the roles of the organizations of EHRs have not been considered in the models of [6] and [26], we re-define the model of blockchain-based EHRs. Our model is defined in the setting of consortium blockchain [9], [10], which corresponds to the real world of EHRs.
• Secondly, the authentication efficiency is very important for blockchain-based EHRs, especially when the amount of data is large. Therefore, in this paper, we design an efficient authentication scheme for blockchain-based EHRs. Our proposal is an identity-based signature scheme with multiple authorities (MA-IBS) which has both efficient signing and verification algorithms and can resist collusion attack.
• Finally, we prove the security of the proposed scheme, in the random oracle model, under the computational Diffie-Hellman assumption. Meanwhile, we evaluate the performance of the scheme and compare it with the two existing authentication schemes [6], [26] for blockchain-based EHRs.

B. PAPER ORGANIZATION
The rest of this paper is organized as follows. Section II describes the formal definition of blockchain-based EHRs. In Section III, we present some preliminaries, including the definition of MA-IBS, the security model, and the relationship between MA-IBS and blockchain-based EHRs. The proposed scheme is given in Section IV, and the security proof and performance evaluation are given in Section V. Finally, Section VI concludes this work.

II. MODEL OF BLOCKCHAIN-BASED EHR
We divide the users of blockchain-based EHRs into three levels. The first level, denoted by Level 0, is the EHRs server. The second level, denoted by Level 1, contains several kinds of organizations, such as hospitals, medical insurance companies, scientific research institutions, pharmaceutical companies, and so on. The third level, denoted by Level 2, which corresponds to the employees of the Level 1 users, consists of doctors, researchers, patients, insurance agents, and so on. In blockchain-based EHRs systems, all medical-related data will be stored in a distributed manner by all Level 1 users, who can reach a consensus on the authenticity of the shared data based on a specific mechanism. The responsibility of Level 2 users is to generate medical-related information, such as medical records from doctors, insurance policies from insurance agents, and so on. The authenticity of such information can be guaranteed by a proper authorization mechanism from Level 1 users to their employees.

FIGURE 2. Blockchain-based EHRs.

We define the model, as shown in Figure 2, of blockchain-based EHRs in the setting of consortium blockchain.
• Level 0: is the EHRs server, which is in charge of the generation of system parameters. The EHRs server in blockchain-based EHRs is different from that in cloud-based EHRs. In cloud-based EHRs, the medical-related data are stored only by the cloud service provider. However, in blockchain-based EHRs, the only responsibility of the EHRs server is choosing public parameters for all users. The existence of such a server is reasonable for blockchain systems; for example, Nakamoto [15] has chosen ECDSA and SHA-256 as the public parameters for the Bitcoin system. Moreover, the KGC in identity-based and attribute-based cryptosystems of cloud-based EHRs [11], [12] knows all users' secret keys. But the server in blockchain-based EHRs does not have the right to generate users' secret keys.
• Level 1: contains hospitals and other organizations. These users correspond to the authorities in consortium blockchain. All data are uploaded and stored by all authorities separately. In addition, Level 1 users also play the role of key generation authorities and generate Level 2 users' secret keys. However, for the consortium blockchain of EHRs, we require that no one can control or obtain Level 2 users' secret keys. This is very important to understand the difference between cloud-based EHRs and blockchain-based EHRs.
• Level 2: is composed of doctors, researchers, insurance agents, and so on. These users correspond to the employees of Level 1 users; for example, a doctor works for a hospital. The responsibility of Level 2 users is to provide specific medical-related information. For example, doctors give diagnoses, insurance agents sign insurance policies, and so on.

Authentication is one of the most important problems for EHRs because we need to ensure the authenticity of medical records in the consortium blockchain. Corresponding to the system model, authentication of blockchain-based EHRs contains the following two cases:
• Case 1 (Authentication of Level 2): The data given by Level 2 users need to be authenticated by them. For example, we need to ensure the authenticity of a diagnosis from some doctor.
• Case 2 (Authentication of Level 1): This case corresponds to the authenticity of block data given by Level 1 users, i.e., authorities.

III. DEFINITIONS
In this section, we give several definitions for our work, including the definition of MA-IBS, the security model of MA-IBS, and the relationship between MA-IBS and blockchain-based EHRs.

A. MA-IBS
The concept of identity-based signature (IBS) was introduced by Shamir [18]. Generally, an IBS scheme consists of four algorithms: the System Setup algorithm produces public parameters for the other three algorithms and the master secret key; the Key Generation algorithm, which is executed by a key generation center, produces users' signing keys; the Sign and Verify algorithms are responsible for signing and verification of signatures, respectively.

As far as we know, no work has considered an IBS scheme in the setting of multiple authorities. However, in fact, it is very natural to define the notion of IBS with multiple authorities (MA-IBS). In an MA-IBS scheme, there is one more algorithm, Authority Setup, to generate all authorities' master secret keys. To satisfy the requirements of blockchain-based EHRs, we further adjust the definition. Our MA-IBS for blockchain-based EHRs contains the following seven algorithms:
• System Setup: The system setup algorithm is run by the EHRs server, which takes as input a security parameter $\lambda$. Then it outputs the system public parameters $params$.
• Authority Setup: The authority setup algorithm is interactively executed by all authorities, who take as inputs the public parameters $params$ and their identities $ID_1, \ldots, ID_N$. Then they output their master secret keys $SK_{ID_1}, \ldots, SK_{ID_N}$.
• Key Generation: The key generation algorithm is also interactively executed by all authorities, who take as inputs the public parameters $params$, their master secret keys $SK_{ID_1}, \ldots, SK_{ID_N}$, and a user's identity $id_i$. Then they output user $id_i$'s secret key $sk_{id_i}$.
• User-Sign: This signing algorithm is run by a signer $id_i$, who takes as inputs the public parameters $params$, the secret key $sk_{id_i}$ and a message $m$. Then he outputs a signature $\sigma_i$.
• User-Verify: This verification algorithm can be publicly executed by all users, who take as inputs the signer's identity $id_i$, the message $m$, and the signature $\sigma_i$. Then it outputs Accept if the signature is valid; else, it outputs Reject.
• Authority-Sign: This signing algorithm is run by an authority $ID_i$, who takes as inputs the public parameters $params$, its master secret key $SK_{ID_i}$ and a message $M$. Then it outputs a signature $\delta_i$.
• Authority-Verify: This verification algorithm can be publicly executed by anyone, who takes as inputs the identity $ID_i$, the message $M$, and a signature $\delta_i$. Then it outputs Accept if the signature is valid; else, it outputs Reject.

B. SECURITY MODEL OF MA-IBS
The security model of the adapted MA-IBS is defined by the following game.
• System Setup: Challenger $\mathcal{C}$ chooses a security parameter $\lambda$ and runs the system setup algorithm to generate the system public parameters $params$. Then, $\mathcal{C}$ gives $params$ to adversary $\mathcal{A}$.
• Authority Setup: Challenger $\mathcal{C}$ runs the authority setup algorithm to generate master secret keys $SK_{ID_1}, \ldots, SK_{ID_N}$ for the authorities whose identities are $ID_1, \ldots, ID_N$, respectively.
• Queries: Adversary $\mathcal{A}$ can make the following four kinds of queries to $\mathcal{C}$:
– Master secret key queries: $\mathcal{A}$ issues a request for some authorities $ID_{i \in Q_M} \subset \{ID_1, \ldots, ID_N\}$ for their master secret keys, where $Q_M$ denotes the index set of the identities of corrupted authorities. For such a request, $\mathcal{C}$ transmits $SK_{ID_{i \in Q_M}}$ to $\mathcal{A}$.
– Key generation queries: upon receiving an identity $id_i$, $\mathcal{C}$ returns a corresponding secret key $sk_{id_i}$ to $\mathcal{A}$. Let $Q_K$ be the set of identities which were given to the key generation queries.
– User-sign queries: upon receiving a message $m_i$ and an identity $id_i$, $\mathcal{C}$ returns a corresponding signature $\sigma_i$ to $\mathcal{A}$. Let $Q_{US}$ be the set of pairs $(m_i, id_i)$ which were given to the user-sign queries.
– Authority-sign queries: upon receiving a message $M_i$ and an identity $ID_i$, $\mathcal{C}$ returns a corresponding signature $\delta_i$ to $\mathcal{A}$. Let $Q_{AS}$ be the set of pairs $(M_i, ID_i)$ which were given to the authority-sign queries.
• Forgery: Finally, adversary $\mathcal{A}$ outputs a forgery tuple $(id^*, m^*, \sigma^*)$ or $(ID^*, M^*, \delta^*)$.

We say that the adversary $\mathcal{A}$ wins the game if one of the following two cases holds:
• Case 1: If the forgery is $(id^*, m^*, \sigma^*)$, then
$$\mathsf{UserVerify}(id^*, m^*, \sigma^*) = \mathsf{Accept} \;\wedge\; Q_M \neq [1, N] \;\wedge\; id^* \notin Q_K \;\wedge\; (m^*, id^*) \notin Q_{US}.$$
• Case 2: If the forgery is $(ID^*, M^*, \delta^*)$, then
$$\mathsf{AuthorityVerify}(ID^*, M^*, \delta^*) = \mathsf{Accept} \;\wedge\; ID^* \notin Q_M \;\wedge\; (M^*, ID^*) \notin Q_{AS}.$$

The advantage that $\mathcal{A}$ wins the above game is defined as $\mathrm{Adv}^{UF\text{-}CMA}_{MA\text{-}IBS,\mathcal{A}}(\lambda)$.

Definition 1: We say that an MA-IBS scheme is $(t, q_H, q_M, q_K, q_{US}, q_{AS}, \epsilon)$-unforgeable if, for any probabilistic polynomial time (PPT) adversary $\mathcal{A}$, its advantage $\epsilon$ is negligible, where it runs the game in time at most $t$, and makes at most $q_H$ hash function queries (in the random oracle model), $q_M$ master secret key queries, $q_K$ key generation queries, $q_{US}$ user-signing queries, and $q_{AS}$ authority-signing queries, respectively.

C. MA-IBS FOR BLOCKCHAIN-BASED EHR
We now describe the relationship between the concept of the adapted MA-IBS and the model of blockchain-based EHRs described in Section II.

First, the Level 0 user, i.e., the EHRs server, runs the System Setup algorithm to produce the system public parameters. Then, Level 1 users, i.e., authorities, interactively execute the Authority Setup algorithm to generate their master secret keys. In this phase, we require that the authorities can reach a consensus on the authenticity of all master secret keys, although there is no trusted center. Next, Level 2 users can obtain their signing keys from Level 1 users, who distributedly

FIGURE 3. Block of blockchain-based EHRs.

execute the Key Generation algorithm. Then, Level 2 users will produce some medical-related information, e.g., a diagnosis. To ensure the non-repudiation of such information, we require that Level 2 users run the User-Sign algorithm to sign it. Finally, an authority collects the medical-related information and signatures from Level 2 users to form a block. To ensure the authenticity of the block, we require that the authority signs it by running the Authority-Sign algorithm. As shown in Figure 3, the message $M$ taken as input to this signing algorithm consists of the previous block hash, the time stamp, the Merkle root of the medical records, and the identity of the authority.

Note that there are some differences between blockchain-based EHRs and Bitcoin [15]. First of all, in the Bitcoin system, which is based on a public blockchain, to reach an agreement on a block, the node who uploads the block is required to find a random number satisfying a specific requirement of the hash function, i.e., Proof of Work (PoW). However, in blockchain-based EHRs, which are based on a consortium blockchain, the authorities sign the block, and thus the authenticity of the block is always guaranteed. Therefore, in the Bitcoin system, if someone wants to change or delete a block, it only needs to change or delete the block in over 51% of the nodes' blockchains, whereas it needs to change or delete the block in all authorities' blockchains in blockchain-based EHRs systems. In addition, for the consistency of the data of our consortium blockchain-based EHRs system, we can make use of the Practical Byzantine Fault Tolerance (PBFT) protocol.

IV. THE PROPOSED SCHEME
We now construct an efficient MA-IBS scheme without a trusted authority for blockchain-based EHRs systems. In the beginning, we give the algebraic tool and the complexity assumption used in our scheme.

A. BILINEAR MAP AND COMPLEXITY ASSUMPTION
In the construction of our MA-IBS scheme, we will make use of a bilinear map as the basic tool. Therefore, we briefly introduce the concept of a bilinear map.

Let $G$ and $G_T$ be two cyclic multiplicative groups, where $G$ is generated by an element $g$, i.e., $G = \langle g \rangle$. Groups $G$ and $G_T$ have the same big prime order $p$. We say that $e : G \times G \to G_T$ is an admissible bilinear map if it satisfies the following three properties:
1) Bilinearity: for all $a, b \in \mathbb{Z}_p$, $e(g^a, g^b) = e(g, g)^{a \cdot b}$.
2) Non-degeneracy: there exist $g^c, g^d \in G$, for $c, d \in \mathbb{Z}_p$, such that $e(g^c, g^d) \neq 1_{G_T}$, where $1_{G_T}$ is the identity element of the group $G_T$.
3) Computability: there is an efficient algorithm to compute $e(g^a, g^b) \in G_T$ for all $a, b \in \mathbb{Z}_p$.

The security of our MA-IBS scheme is based on the complexity assumption of the Computational Diffie-Hellman (CDH) problem, which means that given $g, g^a, g^b \in G$, where $a$ and $b$ are randomly and independently chosen from $\mathbb{Z}_p^*$, no PPT algorithm can compute $g^{ab} \in G$.

B. CONSTRUCTION
In our MA-IBS scheme, the $N$ authorities do not need to be honest. Therefore, it satisfies the requirements of blockchain-based EHRs. In fact, the scheme can tolerate at most $N - 1$ corrupted authorities launching a collusion attack.
• System Setup: The EHRs server takes as input a security parameter $\lambda$ to establish the system public parameters for all users. First of all, it chooses two multiplicative cyclic groups $G$ and $G_T$ with a big prime order $p$, and a bilinear map $e : G \times G \to G_T$. Let $g$ be a generator of the group $G$. Next, it chooses two cryptographic hash functions $H : \{0,1\}^* \to G$ and $H_1 : \{0,1\}^* \to \mathbb{Z}_p^*$, respectively. The system parameters of the EHRs system are $params = \{G, G_T, p, g, e, H, H_1, N\}$, where $N$ is the number of authorities.
• Authority Setup: In this algorithm, the $N$ authorities establish their master secret keys $SK_{ID_1}, \ldots, SK_{ID_N}$. It consists of the following three phases:
– Phase 1 (generation of parameter $h \in G$): All authorities work from the same system parameters $params$ and collaborate to generate a verification parameter $h \in G$.
1) Each authority $ID_i$ chooses a random $(N-1)$-degree polynomial $H_i(z)$ over $\mathbb{Z}_p^*$:
$$H_i(z) = c_{i0} + c_{i1} z + \cdots + c_{i(N-1)} z^{N-1}.$$
Then, it computes and broadcasts $C_{ik} = g^{c_{ik}} \pmod p$ for $k = 0, 1, \ldots, N-1$. Next, it computes the secret values $t_{ij} = H_i(H_1(ID_j)) \pmod p$ for $j = 1, \ldots, N$. Finally, it sends $t_{ij}$ to $ID_j$ for $j \neq i$.
2) Each authority $ID_i$ verifies whether the equation
$$g^{t_{ji}} \stackrel{?}{=} \prod_{k=0}^{N-1} (C_{jk})^{H_1(ID_i)^k}$$
holds or not. If it holds, then $ID_j$ is considered to be honest. Otherwise, authority $ID_j$ will receive a complaint from $ID_i$. Then, $ID_j$ needs to broadcast the values $t_{ji}$ so that it passes the verification.
3) After the above interactions, a random parameter $h$ can be generated as $h = \prod_{i=1}^{N} C_{i0} \pmod p$. Note that $h = g^{c_{10} + \cdots + c_{N0}}$ and the logarithm of $h$ to the base $g$ is unknown to everyone.

– Phase 2 (generation of master secret key): This phase contains the following steps.
1) Each authority $ID_i$, for $i = 1, \ldots, N$, randomly chooses two $(N-1)$-degree polynomials over $\mathbb{Z}_p^*$:
$$F_i(x) = a_{i0} + a_{i1} x + \cdots + a_{i(N-1)} x^{N-1},$$
$$F'_i(x) = b_{i0} + b_{i1} x + \cdots + b_{i(N-1)} x^{N-1}.$$
Then, it computes and broadcasts $B_{ik} = g^{a_{ik}} h^{b_{ik}}$, for $k = 0, 1, \ldots, N-1$. In addition, it also computes the secret values $s_{ij} = F_i(H_1(ID_j)) \pmod p$ and $s'_{ij} = F'_i(H_1(ID_j)) \pmod p$, for $j = 1, \ldots, N$. Finally, it sends $s_{ij}$ and $s'_{ij}$ to $ID_j$ for $j \neq i$.
2) Each authority $ID_i$ checks whether the equation
$$g^{s_{ji}} h^{s'_{ji}} \stackrel{?}{=} \prod_{k=0}^{N-1} (B_{jk})^{H_1(ID_i)^k} \pmod p$$
holds or not. If it holds, the secret sharing from $ID_j$ is valid; otherwise, $ID_i$ broadcasts a complaint against $ID_j$.
3) If authority $ID_j$ is complained about, then it needs to broadcast values $(s_{ij}, s'_{ij})$ that satisfy the equation. If the disclosed $(s_{ij}, s'_{ij})$ still do not match, $ID_j$ has to keep proving itself to be honest until the equation is true.
4) Note that the master secret key interactively established by the $N$ authorities is $s = \sum_{i=1}^{N} a_{i0}$. If fewer than $N$ authorities are corrupted, then they cannot recover the value $s$. The master secret key of authority $ID_i$ is
$$SK_{ID_i} = a_{i0}.$$
– Phase 3 (generation of master public key): According to the above two phases, each authority has broadcast the values $\{A_{i0} = g^{a_{i0}}\}_{i \in [1,N]}$, which can be verified publicly. Therefore, the master public key can be computed as
$$y = \prod_{i=1}^{N} A_{i0} = \prod_{i=1}^{N} g^{a_{i0}} = g^{\sum_{i=1}^{N} a_{i0}} = g^s \in G.$$
After the above three phases, each authority adds the parameters $y$ and $\{(ID_i, A_{i0})\}_{i=1}^{N}$ to $params$:
$$params := \{G, G_T, p, g, y, e, H, H_1, \{(ID_i, A_{i0})\}_{i=1}^{N}\}.$$
• Key Generation: When a user registers with the EHRs system, it can obtain a secret key $sk_{id_i}$ from the authorities.
– Phase 1 (generation of partial secret key): Each authority $ID_j$ computes a value $psk_{id_i,j} = H(0\|id_i)^{a_{j0}}$ and secretly transmits it to $id_i$.
– Phase 2 (verification of partial secret key): After receiving the partial secret key $psk_{id_i,j}$ from authority $ID_j$, user $id_i$ can verify its validity by checking whether the equation
$$e(psk_{id_i,j}, g) \stackrel{?}{=} e(H(0\|id_i), A_{j0})$$
holds or not. If it holds, then the partial secret key is correct. Otherwise, the authority $ID_j$ needs to retransmit the value that satisfies the equation.
– Phase 3 (generation of secret key): After receiving all partial secret keys, user $id_i$ computes his secret key as
$$sk_{id_i} = \prod_{j=1}^{N} psk_{id_i,j} = \prod_{j=1}^{N} H(0\|id_i)^{a_{j0}} = H(0\|id_i)^s.$$
• User-Sign: To sign a message $m \in \{0,1\}^*$, user $id_i$ does the following three phases:
– Phase 1: randomly choose an integer $r \in \mathbb{Z}_p^*$ and compute $u = H(0\|id_i)^r \in G$.
– Phase 2: compute $t = H_1(m\|u) \in \mathbb{Z}_p^*$.
– Phase 3: compute $v = sk_{id_i}^{\,r+t} \in G$.
The signature on message $m$ is $\sigma = (u, v)$.
• User-Verify: One can verify the validity of a signature $\sigma = (u, v)$ on a message $m$ from signer $id_i$.
– Phase 1: compute $t = H_1(m\|u) \in \mathbb{Z}_p^*$.
– Phase 2: check whether the following equation holds or not:
$$e(v, g) \stackrel{?}{=} e(u, y) \cdot e(H(0\|id_i)^t, y).$$
If it holds, accept the signature; else reject it.
• Authority-Sign: Before uploading a block, denoted by $M$, to the chain, authority $ID_i$ needs to sign it as follows.
– Compute $\delta = H(1\|M)^{a_{i0}} \in G$.
The signature on block data $M$ is $\delta$.
• Authority-Verify: Anyone can check the validity of a signature $\delta$ on block data $M$ from an authority $ID_i$.
– Check whether the following equation holds or not:
$$e(\delta, g) \stackrel{?}{=} e(H(1\|M), A_{i0}).$$
If it holds, accept the signature; else reject it.

C. CORRECTNESS
1) CORRECTNESS OF USERS' SIGNATURES
The correctness of the users' signatures can be easily verified by the following equation:
$$\begin{aligned}
e(v, g) &= e(sk_{id_i}^{\,r+t}, g) \\
&= e(H(0\|id_i)^{s \cdot (r+t)}, g) \\
&= e(H(0\|id_i)^{(r+t)}, g^s) \\
&= e(H(0\|id_i)^r, y) \cdot e(H(0\|id_i)^t, y) \\
&= e(u, y) \cdot e(H(0\|id_i)^t, y).
\end{aligned}$$

2) CORRECTNESS OF AUTHORITIES' SIGNATURES
The correctness of the authorities' signatures can be easily verified by the following equation:
$$\begin{aligned}
e(\delta, g) &= e(H(1\|M)^{a_{i0}}, g) \\
&= e(H(1\|M), g^{a_{i0}}) \\
&= e(H(1\|M), A_{i0}).
\end{aligned}$$
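As an added worked example (not code from the paper), the Authority Setup above is run among three authorities in plain Python: Phase 1 (Feldman-style commitments $C_{ik} = g^{c_{ik}}$ and the joint parameter $h$), Phase 2 (Pedersen commitments $B_{ik} = g^{a_{ik}} h^{b_{ik}}$, the share check $g^{s_{ji}} h^{s'_{ji}} = \prod_k B_{jk}^{H_1(ID_i)^k}$, and complaints against a dealer that sends an inconsistent share) and Phase 3 (the master public key $y = \prod_i A_{i0} = g^s$). The group is a toy instantiation chosen for this example: the order-$q$ subgroup of $\mathbb{Z}_P^*$ with $q = 1019$, $P = 2q+1$ and generator $g = 4$, which is far too small for real use; $H_1$ is SHA-256 reduced into $\mathbb{Z}_q^*$; and the Feldman-style check of $A_{ik} = g^{a_{ik}}$, which is how the receivers verify the published $A_{i0}$, is an assumption of this example (the page only says the values "can be verified publicly"). All function and variable names are this example's own.

```python
# Added example, not the paper's code: Authority Setup of the MA-IBS scheme
# (Phases 1-3) with N authorities and no trusted dealer, in a toy group.
import hashlib
import secrets

Q = 1019            # prime group order (the paper's p); toy size, not secure
P = 2 * Q + 1       # 2039 is a safe prime, so {x^2 mod P} is a group of order Q
G = 4               # generator of that order-Q subgroup (4 = 2^2 is a square)


def H1(ident: str) -> int:
    """H1 : {0,1}* -> Z_q^*  (assumed instantiation: SHA-256 reduced mod q, never 0)."""
    d = int.from_bytes(hashlib.sha256(ident.encode()).digest(), "big")
    return d % (Q - 1) + 1


def prod(xs):
    """Product of group elements modulo P."""
    out = 1
    for x in xs:
        out = out * x % P
    return out


def poly_eval(coeffs, x):
    """Evaluate c_0 + c_1 x + ... + c_{N-1} x^{N-1} over Z_q (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def rand_poly(n):
    """Random (n-1)-degree polynomial with coefficients in Z_q^*."""
    return [secrets.randbelow(Q - 1) + 1 for _ in range(n)]


def commitments(polys, bases):
    """C_k = prod_b b^{coeff_k}: Feldman for bases=(g,), Pedersen for (g, h)."""
    return [prod(pow(b, pl[k], P) for b, pl in zip(bases, polys))
            for k in range(len(polys[0]))]


def check_share(shares, bases, commits, x):
    """The page's check: prod_b b^{share_b} == prod_k C_k^{x^k}, x = H1(ID_receiver)."""
    lhs = prod(pow(b, sh, P) for b, sh in zip(bases, shares))
    rhs = prod(pow(c, pow(x, k, Q), P) for k, c in enumerate(commits))
    return lhs == rhs


def sharing_round(ids, bases, cheater=None):
    """Every authority deals one polynomial per base, broadcasts commitments and
    sends ID_j the evaluations at H1(ID_j); each receiver verifies and complains.
    `cheater` (simulation only) names a dealer that corrupts the shares it sends."""
    n = len(ids)
    polys = {i: [rand_poly(n) for _ in bases] for i in ids}
    commits = {i: commitments(polys[i], bases) for i in ids}
    complaints = []
    for j in ids:                               # dealer
        for i in ids:                           # receiver
            if i == j:
                continue
            shares = [poly_eval(pl, H1(i)) for pl in polys[j]]
            if j == cheater:
                shares[0] = (shares[0] + 1) % Q
            if not check_share(shares, bases, commits[j], H1(i)):
                complaints.append((i, j))       # "ID_i complains against ID_j"
    return polys, commits, complaints


def authority_setup(ids, cheater=None):
    # Phase 1: h = prod_i C_i0 = g^{c_10 + ... + c_N0}; nobody learns log_g h.
    _, c_commits, cpl1 = sharing_round(ids, (G,), cheater)
    h = prod(c_commits[i][0] for i in ids)
    # Phase 2: Pedersen sharing with B_ik = g^{a_ik} h^{b_ik}; SK_{ID_i} = a_i0.
    ab_polys, _, cpl2 = sharing_round(ids, (G, h), cheater)
    # Assumed extra step (standard in Pedersen-commitment DKG, implicit on the
    # page): A_ik = g^{a_ik} is published and receivers run the Feldman check.
    A = {i: commitments([ab_polys[i][0]], (G,)) for i in ids}
    cpl3 = []
    for j in ids:
        for i in ids:
            if i != j and not check_share([poly_eval(ab_polys[j][0], H1(i))],
                                          (G,), A[j], H1(i)):
                cpl3.append((i, j))
    # Phase 3: master public key y = prod_i A_i0 = g^s with s = sum_i a_i0.
    y = prod(A[i][0] for i in ids)
    s = sum(ab_polys[i][0][0] for i in ids) % Q   # never reconstructed by the
    return {"h": h, "y": y, "A0": {i: A[i][0] for i in ids},  # protocol; only
            "s": s, "complaints": cpl1 + cpl2 + cpl3}         # for checking y


if __name__ == "__main__":
    print(authority_setup(["hospital-A", "insurer-B", "lab-C"]))
    print(authority_setup(["hospital-A", "insurer-B", "lab-C"], cheater="lab-C")["complaints"])
```

The `cheater` argument simulates an authority that sends an inconsistent share: every honest receiver's check fails and a complaint is recorded, which is the step 2) outcome the page describes. The value `s` is returned only so that a caller can confirm $y = g^s$; the protocol itself never reconstructs it, and fewer than $N$ colluding authorities cannot.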

D. BATCH VERIFICATION
Based on the EHRs system architecture presented in Section II, once a user receives a health-related message from another user, for example when a patient receives a diagnostic report from a doctor, he needs to verify the signature to ensure the validity of the message. In addition, when authorities upload EHRs information into the blockchain, they also need to verify the validity of all messages. We can make use of the technique of batch verification [1] to improve the efficiency of verification.

1) VERIFY n SIGNATURES FROM THE SAME SIGNER
In some cases in an EHRs system, we need to verify many signatures from the same signer at once. For example, the system server wants to verify the validity of the insurance policies issued by an agent during some time range.
Given $n$ signatures on $n$ messages, $(m_j, \sigma_j = (u_j, v_j))$ for $j = 1, \ldots, n$, which were signed by the same signer $id_i$, to verify their validity we only need to check whether the equation
$$e\Big(\prod_{j=1}^{n} v_j, g\Big) \stackrel{?}{=} e\Big(\prod_{j=1}^{n} u_j, y\Big) \cdot e\Big(H(0\|id_i)^{\sum_{j=1}^{n} t_j}, y\Big),$$
where $t_j = H_1(m_j\|u_j)$, holds. Correctness of the batch verification is as follows:
$$\begin{aligned}
e\Big(\prod_{j=1}^{n} v_j, g\Big) &= e\Big(\prod_{j=1}^{n} sk_{id_i}^{r_j + t_j}, g\Big) \\
&= e\Big(H(0\|id_i)^{s \cdot \sum_{j=1}^{n}(r_j + t_j)}, g\Big) \\
&= e\Big(H(0\|id_i)^{\sum_{j=1}^{n}(r_j + t_j)}, g^s\Big) \\
&= e\Big(H(0\|id_i)^{\sum_{j=1}^{n} r_j}, y\Big) \cdot e\Big(H(0\|id_i)^{\sum_{j=1}^{n} t_j}, y\Big) \\
&= e\Big(\prod_{j=1}^{n} u_j, y\Big) \cdot e\Big(H(0\|id_i)^{\sum_{j=1}^{n} t_j}, y\Big).
\end{aligned}$$

2) VERIFY n SIGNATURES FROM n SIGNERS
In some other cases of an EHRs system, we need to verify many signatures from many different signers at once. For example, a patient wants to verify the validity of diagnostic reports from $n$ different doctors.
Given $n$ signatures $\sigma_j = (u_j, v_j)$ on $n$ messages $m_j$, for $j = 1, \ldots, n$, from $n$ signers $id_1, \ldots, id_n$, respectively, these signatures are valid if and only if
$$e\Big(\prod_{j=1}^{n} v_j, g\Big) = e\Big(\prod_{j=1}^{n} u_j, y\Big) \cdot e\Big(\prod_{j=1}^{n} H(0\|id_j)^{t_j}, y\Big),$$
where $t_j = H_1(m_j\|u_j)$. Correctness of the batch verification is as follows:
$$\begin{aligned}
e\Big(\prod_{j=1}^{n} v_j, g\Big) &= e\Big(\prod_{j=1}^{n} sk_{id_j}^{r_j + t_j}, g\Big) \\
&= e\Big(\prod_{j=1}^{n} H(0\|id_j)^{s \cdot (r_j + t_j)}, g\Big) \\
&= e\Big(\prod_{j=1}^{n} H(0\|id_j)^{r_j + t_j}, g^s\Big) \\
&= e\Big(\prod_{j=1}^{n} H(0\|id_j)^{r_j}, y\Big) \cdot e\Big(\prod_{j=1}^{n} H(0\|id_j)^{t_j}, y\Big) \\
&= e\Big(\prod_{j=1}^{n} u_j, y\Big) \cdot e\Big(\prod_{j=1}^{n} H(0\|id_j)^{t_j}, y\Big).
\end{aligned}$$

V. SECURITY AND PERFORMANCE
In this section, we prove the security of our MA-IBS scheme and evaluate its performance.

A. SECURITY PROOF
The proof is given in the random oracle model. As stated in Subsection III-B, the adversary's forgery has two possible cases: User-Sign signatures and Authority-Sign signatures. The challenger $\mathcal{C}$ needs a different strategy to interact with the adversary in each case, but it cannot know the adversary's choice until the game ends. Therefore, it randomly guesses the adversary's choice at the beginning, and this guess is correct with probability 1/2.

1) CASE OF USER-SIGN SIGNATURE FORGERY
For the case of User-Sign signature forgery, the core technique of our proposal is applying the distributed key generation technique [5] to a centralized IBS scheme [2]. It seems that the security of our scheme should follow directly from the security of the two schemes. However, this is not true. In the scheme of [2], which is based on the CDH assumption, the key step of the security proof is that the challenger sets one element $g^a$ of the CDH instance as the master public key $y := g^a$. Then, it sets the other element $g^b$ of the CDH instance as $H(id_{i^*}) := g^b$. Finally, if the adversary chooses $id_{i^*}$ as its challenge identity and outputs a valid forgery, then the challenger can rewind the tape of the random oracle $H$ and recover $g^{ab}$, which means solving the CDH problem. However, in our proposed scheme, the master public key is $y := g^s$, where $s$ is randomly generated by the $N$ authorities and nobody knows it. Hence, in the security proof the challenger cannot set the master public key as $y := g^a$, and thus cannot take advantage of the adversary's forgery to compute $g^{ab}$.
To resolve the dilemma, we make use of a hybrid proof. We first define three games as follows:
• Game $G_0$: This game corresponds to the honest execution of the security game defined in Definition 1.
• Game $G_1$: In this game, we set the master public key as $y := g^{as}$, where $a$ is the exponent of the CDH instance and $s$ is the master secret key randomly generated by all authorities. No one knows $a$ or $s$.
• Game $G_2$: In this game, the master public key is also $y := g^{as}$, where $a$ is the exponent of the CDH instance. However, differently from $G_1$, in this game the challenger plays the role of all authorities and thus knows the value $s$.
Then we prove that the advantages of any PPT adversary in attacking our scheme in the three games are identical, and that its advantage in $G_2$ is negligible. We have the following three lemmas:
Lemma 1: No PPT adversary can distinguish $G_0$ and $G_1$ if the distributed key generation technique is secure.
Lemma 2: No PPT adversary can distinguish $G_1$ and $G_2$.
Lemma 3: The advantage of any PPT adversary $\mathcal{A}$ in game $G_2$ is negligible.
The proofs of the above three lemmas are presented in the Appendix. Finally, we can easily observe that the advantage of the adversary $\mathcal{A}$ in game $G_0$ is also negligible, which is our expected result.
Theorem 1: The MA-IBS scheme for blockchain-based EHRs is $(t, q_H, q_{H_1}, q_M, q_K, q_{US}, q_{AS}, \varepsilon)$-unforgeable for the case of User-Sign signature forgery in the random oracle model, assuming the CDH problem is hard.
The proof of this theorem is presented in the Appendix.

2) CASE OF AUTHORITY-SIGN SIGNATURE FORGERY
If the adversary's forgery is an Authority-Sign signature, then the proof is simpler than in the User-Sign case. Firstly, the challenger randomly guesses the adversary's challenge authority $ID_{i^*}$ and sets its public key as $g^a$. Then, in the random oracle queries, the challenger randomly chooses a point $M_{i^*}$ as the adversary's challenge message and sets its hash value to $g^b$. Finally, if the adversary chooses $ID_{i^*}$ and $M_{i^*}$ as its challenge and outputs a valid forgery, then the challenger can rewind the tape of the random oracle $H$ and recover $g^{ab}$, which means solving the CDH problem.
Theorem 2: The MA-IBS scheme for blockchain-based EHRs is $(t, q_H, q_{H_1}, q_M, q_K, q_{US}, q_{AS}, \varepsilon)$-unforgeable for the case of Authority-Sign signature forgery in the random oracle model, assuming the CDH problem is hard.
The proof of this theorem is given in the Appendix.

B. PERFORMANCE EVALUATION
We denote by $T_{par}$ the time to perform a pairing operation, by $T_{mtp}$ a map-to-point hash operation, by $T_{mul}$ a multiplication in the group $G_T$, and by $T_{exp}$ an exponentiation in the group $G$. Because these operations dominate the costs of the signing and verification algorithms, we only consider these four operations and neglect the others, such as the hash function $H_1: \{0,1\}^* \to Z_p^*$. The Java Pairing-Based Cryptography Library (JPBC) is used to measure the run times of the above operations. We obtain the results: $T_{par}$ is 5.796 ms, $T_{mtp}$ is 1.293 ms, $T_{mul}$ is 0.031 ms and $T_{exp}$ is 5.786 ms on a hardware platform with an Intel i7-8550U processor at 2.0 GHz clock frequency and 8 gigabytes of memory, running the Windows 10 operating system.
We compare our scheme to the only two existing authentication schemes [6], [26] for blockchain-based EHRs with respect to signing cost, verification cost, communication cost, and whether the scheme can resist collusion attacks. The results are listed in Table 1, where $t$ is the number of user attributes and $N$ is the number of authorities, and we assume that $t = N = 5$ in both schemes [6] and [26]. In addition, the sizes of elements in the chosen groups $G$ and $G_T$ are 40 and 128 bytes, respectively. As shown in Table 1, our proposed authentication scheme for blockchain-based EHRs has lower computation and communication costs than the only two existing authentication schemes for blockchain-based EHRs.
In Table 1, the signing cost of our scheme refers to the User-Sign algorithm. In addition, our scheme also defines that authorities sign the block data, i.e., the Authority-Sign algorithm, which needs $T_{mtp} + T_{exp} \approx 7.079$ ms each time. Furthermore, the schemes of [6] and [26] have the property of signer privacy based on attribute-based signatures. However, this property is not mandatory for blockchain-based EHRs because, most of the time, we need to know who is responsible for the medical-related data. For example, patients obviously need to know the identity of whoever gives them the diagnosis.

TABLE 1. Comparison of three authentication schemes for blockchain-based EHRs.

TABLE 2. Efficiency comparison between one-by-one verification (denoted by 1-by-1 verification) and batch verification.

FIGURE 4. Time comparison of three types of verification.

As described in Subsection IV-D, our scheme supports batch verification, which can reduce the verification cost. We divide the batch verification into two cases: verifying $n$ signatures from the same signer (denoted by $(1, n)$-to-1 verification) and verifying $n$ signatures from $n$ signers (denoted by $(n, n)$-to-1 verification). Table 2 shows the comparison of efficiency between the three types of verification.
Combining these with the run times of the basic operations obtained above, we show the time cost of the verification algorithm in Figure 4. According to the figure, we can easily observe that batch verification can significantly reduce the verification delay, especially when verifying a large number of signatures.

VI. CONCLUSION
In order to realize an authentication scheme for an EHRs system based on blockchain, we first formally define the EHRs system model in the setting of a consortium blockchain. Then we design an identity-based signature scheme with multiple authorities for the blockchain-based EHRs system. The scheme has efficient signing and verification algorithms.

APPENDIX
PROOF OF LEMMA 1
The proof of Lemma 1 is based on the security of the distributed key generation technique [5], which requires that no information on $s$ can be learned by the adversary except what is implied by the group element $y = g^s \in G$. The formal definition is as follows; it is a variant of the original definition.
Definition 2: For any PPT adversary $\mathcal{A}$, there exists a PPT simulator $\mathcal{S}$ such that, on input a random element $y \in G$ generated by $g$, it produces an output distribution which is polynomially indistinguishable from $\mathcal{A}$'s view of a run of the distributed key generation that ends with $y$ as its public key output, even if $\mathcal{A}$ corrupts up to $N - 1$ authorities.
In $G_0$, the master public key $y := g^s$ is produced by the secure distributed key generation. According to the above definition, even if a PPT adversary $\mathcal{A}$ can corrupt $N - 1$ authorities, which correspond to the participants in the distributed key generation, it still cannot distinguish between a real key and a random value in the group $G$. Specifically, any PPT adversary cannot distinguish between $y := g^s \in G$ and $y := g^{as} \in G$, where $s$ is the real key produced by the distributed key generation and $a$, which is independent of $s$, is the exponent of $g^a$ from a CDH instance, even though neither of the two exponents $s$ and $a$ can be recovered. In other words, for any PPT adversary $\mathcal{A}$, its advantages in $G_0$ and $G_1$ in breaking the MA-IBS scheme are identical, i.e., $Adv^{G_0}_{\mathcal{A}}(\lambda) = Adv^{G_1}_{\mathcal{A}}(\lambda)$.

PROOF OF LEMMA 2
The proof of this lemma is fairly straightforward. In both games $G_1$ and $G_2$, the master public key is $y := g^{as}$, where $a$ is the exponent of the element $g^a$ from the CDH instance and $s$ is produced by the distributed key generation. Note that the two values $a$ and $s$ are independently and randomly generated. Therefore, whether the challenger knows $s$ or not does not affect the adversary's view. That is to say, although the challenger knows $s$ in $G_2$ and does not know $s$ in $G_1$, the adversary's advantages in breaking our MA-IBS scheme in the two games are identical, i.e., $Adv^{G_1}_{\mathcal{A}}(\lambda) = Adv^{G_2}_{\mathcal{A}}(\lambda)$.

PROOF OF LEMMA 3
In $G_2$, the challenger plays the role of all authorities and thus knows the value $s$. However, in this game the challenger sets the master public key as $y := g^{as}$ rather than the $g^s$ of the real world. Nevertheless, as proved in Lemma 2, this does not affect the adversary's advantage. We prove that if there exists a PPT adversary $\mathcal{A}$ that can break the security of our scheme with a non-negligible advantage $\varepsilon(\lambda)$, then we can construct an efficient algorithm, i.e., a challenger $\mathcal{C}$, that solves the CDH problem with non-negligible probability $\varepsilon'(\lambda)$.
Firstly, the challenger $\mathcal{C}$ is given an instance $(G, G_T, p, g, e, g^a, g^b)$ of the CDH problem. The goal of $\mathcal{C}$ is to compute $g^{ab} \in G$. Then, $\mathcal{C}$ plays the following game with the adversary $\mathcal{A}$.
• System Setup: Given a security parameter $\lambda$, $\mathcal{C}$ executes the system setup algorithm on behalf of the EHR server as in the real world. The output of this phase is the public parameters $params$. Then, $\mathcal{C}$ gives them to $\mathcal{A}$.
• Authority Setup: $\mathcal{C}$ honestly runs the authority setup algorithm on behalf of all authorities $ID_1, \ldots, ID_N$. The output of this phase is the master secret keys $SK_{ID_1}, \ldots, SK_{ID_N}$. $\mathcal{A}$ can obtain the identities $ID_1, \ldots, ID_N$. Note that, in such a setting, $\mathcal{C}$ plays the roles of all authorities, and hence it knows the secret value $s \in Z_p^*$. Then, $\mathcal{C}$ sets $y := g^{as}$, which means that the implied master secret key is $as$. Note that this is different from the real scheme, but according to Lemma 2 it is indistinguishable to $\mathcal{A}$. Finally, $\mathcal{C}$ adds the parameters $y$ and $\{A_{i0}\}_{i \in [1,N]}$ into $params$ and gives $params := \{G, G_T, p, g, y, e, H, H_1, \{(ID_i, A_{i0})\}_{i=1}^{N}\}$ to $\mathcal{A}$, where $H$ and $H_1$ are treated as random oracles in the following proof.
• Queries: $\mathcal{A}$ makes the following queries to $\mathcal{C}$:
– $H$ random oracle: the challenger $\mathcal{C}$ maintains a list $L := \{(i, id_i, h'_i \in G)\}$ where
$$h'_i = \begin{cases} g^b, & \text{if } i = i^* \\ g^{k_i}, & \text{if } i \neq i^* \end{cases}$$
and $i^*$ is randomly selected by $\mathcal{C}$ as its guess of the point that $\mathcal{A}$ will attack, and $k_i$ is also randomly selected by $\mathcal{C}$ from $Z_p^*$. If $\mathcal{A}$'s query $id_i$ is in the list $L$, then $\mathcal{C}$ gives $h'_i$ to $\mathcal{A}$; else, $\mathcal{C}$ randomly selects an integer $k_i \in Z_p^*$, gives $h'_i = g^{k_i} \in G$ to $\mathcal{A}$ and adds the item $(i, id_i, h'_i)$ to the list $L$.
– $H_1$ random oracle: the challenger $\mathcal{C}$ also maintains another list $L_1 := \{(i, m_i\|u_i, h'_{1i})\}$ where $h'_{1i} \in Z_p^*$ is randomly chosen by $\mathcal{C}$. If $\mathcal{A}$'s query $m_i\|u_i$ is in the list $L_1$, then $\mathcal{C}$ gives $h'_{1i}$ to $\mathcal{A}$; else, $\mathcal{C}$ randomly selects an integer $h'_{1i} \in Z_p^*$, gives $h'_{1i}$ to $\mathcal{A}$ and adds the item $(i, m_i\|u_i, h'_{1i})$ to the list $L_1$.
– Master secret key generation oracle: $\mathcal{A}$ issues a request for the master secret keys of some corrupted authorities $ID_{i \in Q_M} \subset \{ID_1, \ldots, ID_N\}$, where $Q_M$ denotes the index set of the identities of corrupted authorities. For such a request, $\mathcal{C}$ transmits
$SK_{ID_i}$ for $i \in Q_M$ to $\mathcal{A}$. As described above, the master secret keys were honestly generated by $\mathcal{C}$ alone, therefore it can answer such queries.
– Key generation oracle: $\mathcal{A}$ submits an identity $id_i$ to $\mathcal{C}$ for its secret key $sk_{id_i}$. If $id_i = id_{i^*}$, then $\mathcal{C}$ cannot answer this query and thus has to abort the game. Else, $\mathcal{C}$ returns $sk_{id_i} = (g^a)^{s \cdot k_i} \in G$, where $k_i$ is from the list $L$, to $\mathcal{A}$.
– User-Signing oracle: $\mathcal{A}$ submits a tuple $(id_i, m_i)$ to $\mathcal{C}$ for a signature $\sigma_i$. The request of $\mathcal{A}$ can be divided into two cases:
1) $id_i \neq id_{i^*}$: in this case, $\mathcal{C}$ first obtains a valid secret key $sk_{id_i}$ from the key generation oracle. Then it can compute the signature for the query $(id_i, m_i)$ as the real signer would in the real world.
2) $id_i = id_{i^*}$: in this case, $\mathcal{C}$ cannot obtain a valid secret key $sk_{id_{i^*}}$ from the key generation oracle and thus cannot directly compute the signature as above. However, $\mathcal{C}$ can still answer $\mathcal{A}$'s request as follows: $\sigma_i := (u_i, v_i) = (g^{e_i}/(g^b)^{h'_{1i}}, (g^a)^{e_i \cdot s})$, where $h'_{1i}$ is from the $H_1$ random oracle and $e_i$ is randomly selected from $Z_p^*$. The correctness of the signature can be verified as follows:
$$\begin{aligned}
e(u_i, y) \cdot e(H(0\|id_i)^{t_i}, y) &= e(g^{e_i}/(g^b)^{h'_{1i}}, g^{as}) \cdot e((g^b)^{h'_{1i}}, g^{as}) \\
&= e(g^{e_i}, g^{as}) \\
&= e(g^{e_i \cdot as}, g) \\
&= e(v_i, g).
\end{aligned}$$
• Forgery: $\mathcal{A}$ outputs a forgery $(m^*, \sigma^* = (u^*, v^*))$ with identity $id^*$. We assume that $\mathcal{A}$ wins the game, that is to say, the forgery satisfies all of the following conditions:
1) $Q_M \neq [1, N]$;
2) $Verify(id^*, m^*, \sigma^*) = Accept$;
3) $\mathcal{A}$ did not query the identity $id^*$ in the key generation queries phase;
4) $\mathcal{A}$ did not query the message $m^*$ together with the identity $id^*$ in the signing queries phase.
In addition, we assume that the advantage of $\mathcal{A}$ in winning the above game is $\varepsilon$.
After the end of the game, $\mathcal{C}$ checks whether $id^* \stackrel{?}{=} id_{i^*}$. If the equation does not hold, then $\mathcal{C}$ aborts the game and outputs $\bot$. Otherwise, according to the forking lemma [17], from the valid signature $(id^*, m^*, u^*, h^*_1 \leftarrow H_1(m^*\|u^*), v^*)$, $\mathcal{C}$ can also obtain another valid signature $(id^*, m^*, u^*, h^{*\prime}_1 \leftarrow H'_1(m^*\|u^*), v^{*\prime})$ with probability $(1 - e^{-1})/q_{H_1}$, where $h^{*\prime}_1 \neq h^*_1$, by rewinding the random oracle with the same input $m^*\|u^*$ but a different choice of $H_1$.
Finally, given that $\mathcal{C}$ obtains two valid signatures from $\mathcal{A}$, it can compute
$$g^{ab} = \Big(\frac{v^*}{v^{*\prime}}\Big)^{s^{-1} \cdot (h^*_1 - h^{*\prime}_1)^{-1} \pmod p},$$
which is the desired solution of the given instance of the CDH problem.
According to the above proof, a successful simulation, denoted by $E$, by $\mathcal{C}$ consists of three events:
• $E_1$: in the key generation oracle, $\mathcal{A}$ does not query $id_{i^*}$'s secret key.
• $E_2$: the adversary $\mathcal{A}$'s challenge identity is $id_{i^*}$.
• $E_3$: the challenger $\mathcal{C}$ successfully rewinds the random oracle $H_1$ for the forking lemma.
A successful simulation means that $\mathcal{C}$ can use $\mathcal{A}$'s forgery to solve the CDH problem. In other words, the advantage of $\mathcal{C}$ is $Adv^{CDH}_{\mathcal{C}} = \Pr[E] = \Pr[E_1] \cdot \Pr[E_2] \cdot \Pr[E_3]$, since the three events are mutually independent. Therefore, the advantage of $\mathcal{C}$ in solving the CDH problem is
$$Adv^{CDH}_{\mathcal{C}} = \varepsilon' > \prod_{i=1}^{q_K} \frac{q_H - i}{q_H} \cdot \frac{1}{q_H} \cdot \frac{1 - e^{-1}}{q_{H_1}} \cdot \varepsilon.$$

PROOF OF THEOREM 1
According to the three lemmas, we can see that the advantages of a PPT adversary in breaking the scheme in the three games $G_0$, $G_1$ and $G_2$ are identical, i.e., $Adv^{G_0}_{\mathcal{A}} = Adv^{G_1}_{\mathcal{A}} = Adv^{G_2}_{\mathcal{A}}$. In addition, its advantage in $G_2$ is negligible. Therefore, its advantage in $G_0$, $Adv^{G_0}_{\mathcal{A}}(\lambda)$, which corresponds to the real world when our MA-IBS scheme is used in the blockchain-based EHRs system, is also negligible.
Let $T_{exp}$ be the time to perform an exponentiation operation in the group $G$. Assume that a $(t, q_H, q_{H_1}, q_M, q_K, q_S, \varepsilon)$-adversary successfully breaks this MA-IBS scheme. According to the proof of Lemma 3, there then exists an efficient algorithm $\mathcal{C}$ that solves the CDH problem in time $t' \approx t + q_H T_{exp} + q_K T_{exp} + 2 q_S T_{exp} + T_{dkg}$, where $T_{dkg}$ denotes the time taken by $\mathcal{C}$ to simulate the distributed key generation algorithm.

PROOF OF THEOREM 2
The challenger $\mathcal{C}$ is given an instance $(G, G_T, p, g, e, g^a, g^b)$ of the CDH problem and its target is to compute $g^{ab} \in G$. $\mathcal{C}$ plays the following game with the adversary $\mathcal{A}$.
• System Setup: $\mathcal{C}$ randomly chooses a security parameter $\lambda$ and executes the system setup algorithm. Then it outputs the public system parameters to $\mathcal{A}$.
• Authority Setup: Next, $\mathcal{C}$ honestly executes the authority setup algorithm on behalf of all authorities $ID_1, \ldots, ID_N$, with the exception of $SK_{ID_{i^*}} := a$, which $\mathcal{C}$ does not know; here $i^*$ is randomly chosen by $\mathcal{C}$ as its guess of $\mathcal{A}$'s challenge authority. Finally, $\mathcal{C}$ adds the parameters $y$ and $\{A_{i0}\}_{i \in [1,N]}$, where $A_{i^*0} := g^a$, into $params$ and gives them to $\mathcal{A}$.
• Queries: $\mathcal{A}$ makes the following queries to $\mathcal{C}$:
– $H$ random oracle: the challenger $\mathcal{C}$ maintains a list $L := \{(i, M_i, h'_i \in G)\}$ where
$$h'_i = \begin{cases} g^b, & \text{if } i = i^{*\prime} \\ g^{k_i}, & \text{if } i \neq i^{*\prime} \end{cases}$$
and $i^{*\prime}$ is randomly selected by $\mathcal{C}$ as its guess of the point that $\mathcal{A}$ will attack, and $k_i$ is also
randomly selected by $\mathcal{C}$ from $Z_p^*$. If $\mathcal{A}$'s query $M_i$ is in the list $L$, then $\mathcal{C}$ gives $h'_i$ to $\mathcal{A}$; else, $\mathcal{C}$ randomly selects an integer $k_i \in Z_p^*$, gives $h'_i = g^{k_i} \in G$ to $\mathcal{A}$ and adds $(i, M_i, h'_i)$ to the list $L$.
– $H_1$ random oracle: the challenger $\mathcal{C}$ also maintains another list $L_1 := \{(i, m_i\|u_i, h'_{1i})\}$. If $\mathcal{A}$'s query is in the list $L_1$, then $\mathcal{C}$ gives $h'_{1i}$ to $\mathcal{A}$; else, $\mathcal{C}$ randomly selects an integer $h'_{1i} \in Z_p^*$, gives it to $\mathcal{A}$ and adds the item $(i, m_i\|u_i, h'_{1i})$ to the list $L_1$.
– Master secret key generation oracle: $\mathcal{A}$ submits an authority $ID_i$ to $\mathcal{C}$ for its master secret key $SK_{ID_i}$. If $ID_i = ID_{i^*}$, then $\mathcal{C}$ cannot answer this query and thus has to abort the game. Else, $\mathcal{C}$ returns the real $SK_{ID_i}$ to $\mathcal{A}$.
– Key generation oracle: $\mathcal{C}$ knows the value of $a_{j0}$ for $j = 1, \ldots, N$, $j \neq i^*$, and thus can compute $psk_{id_i,j} = H(0\|id_i)^{a_{j0}}$. For $psk_{id_i,i^*}$, $\mathcal{C}$ does not know $a$, but it can retrieve the exponent $k_i$ of $H(0\|id_i) = g^{k_i}$ from the $H$ random oracle and thus can also compute $psk_{id_i,i^*} = (g^a)^{k_i}$. Finally, $\mathcal{C}$ sends $sk_{id_i} = H(0\|id_i)^s = \prod_{j=1}^{N} psk_{id_i,j}$ to $\mathcal{A}$.
– Authority-Signing oracle: $\mathcal{A}$ submits a message $M_i$ to $\mathcal{C}$ for a signature $\sigma_i$. The request of $\mathcal{A}$ can be divided into two cases:
1) $ID_i \neq ID_{i^*}$: in this case, $\mathcal{C}$ first obtains a valid secret key $SK_{ID_i}$ from the master secret key generation oracle. Then it can compute the signature for the query $(ID_i, M_i)$ as the real signer would in the real world.
2) $ID_i = ID_{i^*}$: in this case, if $\mathcal{A}$'s query $M_i \neq M_{i^{*\prime}}$, $\mathcal{C}$ can compute the signature for the query $(ID_{i^*}, M_i)$ as $\delta_i = (g^a)^{k_i}$. If $M_i = M_{i^{*\prime}}$, then $\mathcal{C}$ cannot answer this query and thus has to abort the game.
• Forgery: $\mathcal{A}$ outputs a forgery $(M^*, \sigma^*)$ with identity $ID^*$. We assume that $\mathcal{A}$ wins the game, that is to say, the forgery satisfies all of the following conditions:
1) $Verify(ID^*, M^*, \sigma^*) = Accept$;
2) $i^* \notin Q_M$;
3) $\mathcal{A}$ did not query the message $M_{i^{*\prime}}$ together with the identity $ID_{i^*}$ in the signing queries phase.
In addition, we assume that the advantage of $\mathcal{A}$ in winning the above game is $Adv^{UF\text{-}CMA}_{MA\text{-}IBS,\mathcal{A}}(\lambda) = \varepsilon$. According to the above proof, a successful simulation, denoted by $E$, by $\mathcal{C}$ consists of three events:
– $E_1$: in the master secret key generation oracle, $\mathcal{A}$ does not query $ID_{i^*}$'s master secret key.
– $E_2$: in the signing oracle, $\mathcal{A}$ does not query the signature of $(ID_{i^*}, M_{i^{*\prime}})$.
– $E_3$: the adversary $\mathcal{A}$'s challenge identity is $ID_{i^*}$ and its challenge message is $M_{i^{*\prime}}$.
A successful simulation apparently means that $\mathcal{C}$ can use $\mathcal{A}$'s forgery to solve the CDH problem. In other words, the advantage of $\mathcal{C}$ in solving the CDH problem is $Adv^{CDH}_{\mathcal{C}} = \Pr[E] = \Pr[E_1] \cdot \Pr[E_2] \cdot \Pr[E_3]$, since the three events are mutually independent. Therefore, the advantage of $\mathcal{C}$ in solving the CDH problem is
$$Adv^{CDH}_{\mathcal{C}} = \varepsilon' > \prod_{i=1}^{q_M} \frac{N - i}{N} \cdot \Big( \prod_{i=1}^{q_{AS}} \frac{N - i}{N} + \prod_{i=1}^{q_{AS}} \frac{q_H - i}{q_H} - \prod_{i=1}^{q_{AS}} \frac{(N - i)(q_H - i)}{N \cdot q_H} \Big) \cdot \frac{1}{N} \cdot \frac{1}{q_H} \cdot \varepsilon.$$
According to the above, there exists an efficient algorithm $\mathcal{C}$ that solves the CDH problem in time $t' \approx t + q_H T_{exp} + q_K T_{exp} + q_S T_{exp} + T_{dkg}$.

REFERENCES
[1] M. Bellare, J. A. Garay, and T. Rabin, "Fast batch verification for modular exponentiation and digital signatures," in Advances in Cryptology—EUROCRYPT (Lecture Notes in Computer Science), vol. 1403, 1998, pp. 236–250.
[2] J. C. Cha and J. H. Cheon, "An identity-based signature from gap Diffie-Hellman groups," in Public Key Cryptography—PKC, vol. 2567, 2003, pp. 18–30.
[3] G. G. Dagher, J. Mohler, M. Milojkovic, and P. B. Marella, "Ancile: Privacy-preserving framework for access control and interoperability of electronic health records using blockchain technology," Sustain. Cities Soc., vol. 39, pp. 283–297, May 2018.
[4] W. J. Gordon and C. Catalini, "Blockchain technology for healthcare: Facilitating the transition to patient-driven interoperability," Comput. Structural Biotechnol. J., vol. 16, pp. 224–230, 2018.
[5] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, "Secure distributed key generation for discrete-log based cryptosystems," in Advances in Cryptology—EUROCRYPT (Lecture Notes in Computer Science), vol. 1592, 1999, pp. 295–310.
[6] R. Guo, H. Shi, Q. Zhao, and D. Zheng, "Secure attribute-based signature scheme with multiple authorities for blockchain in electronic health records systems," IEEE Access, vol. 6, pp. 11676–11686, 2018.
[7] H. Li, Y. Dai, and X. Lin, "Efficient e-health data release with consistency guarantee under differential privacy," in Proc. 17th Int. Conf. E-Health Netw., Appl. Services (HealthCom), 2016, pp. 602–608.
[8] H. van der Linden, D. Kalra, A. Hasman, and J. Talmon, "Inter-organizational future proof EHR systems: A review of the security and privacy related issues," Int. J. Med. Inform., vol. 78, no. 3, pp. 141–160, 2009.
[9] J.mess Kang, R. Yu, X. Huang, S. Maharjan, Y. Zhang, and E. Hossain, "Enabling localized peer-to-peer electricity trading among plug-in hybrid electric vehicles using consortium blockchains," IEEE Trans. Ind. Informat., vol. 13, no. 6, pp. 3154–3164, Dec. 2017.
[10] I. C. Lin and T. C. Liao, "A survey of blockchain security issues and challenges," Int. J. Netw. Secur., vol. 19, no. 5, pp. 653–659, 2017.
[11] H. Lin, J. Shao, C. Zhang, and Y. Fang, "CAM: Cloud-assisted privacy preserving mobile health monitoring," IEEE Trans. Inf. Forensics Security, vol. 8, no. 6, pp. 985–997, Jun. 2013.
[12] M. Li, S. Yu, Y. Zheng, K. Ren, and W. Lou, "Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption," IEEE Trans. Parallel Distrib. Syst., vol. 24, no. 1, pp. 131–143, Jan. 2013.
[13] H. Li, Y. Yang, Y. Dai, S. Yu, and Y. Xiang, "Achieving secure and efficient dynamic searchable symmetric encryption over medical cloud data," IEEE Trans. Cloud Comput., to be published.
[14] A. Mehmood, I. Natgunanathan, Y. Xiang, H. Poston, and Y. Zhang, "Anonymous authentication scheme for smart cloud based healthcare applications," IEEE Access, vol. 6, pp. 33552–33567, 2018.
[15] S. Nakamoto, "Bitcoin: A peer-to-peer electronic cash system," 2008. [Online]. Available: https://bitcoin.org/bitcoin.pdf
[16] U. Premarathne et al., "Hybrid cryptographic access control for cloud-based EHR systems," IEEE Cloud Comput., vol. 3, no. 4, pp. 58–64, Aug. 2016.
[17] D. Pointcheval and J. Stern, "Security arguments for digital signatures and blind signatures," J. Cryptol., vol. 13, no. 3, pp. 361–396, 2000.
[18] A. Shamir, "Identity-based cryptosystems and signature schemes," in Advances in Cryptology, vol. 1984. Springer, 1985, pp. 47–53.
[19] Standards for Privacy of Individually Identifiable Health Information: Final Rule, Standard 45 CFR Parts 160 and 164, Dec. 2000.
[20] Standard Specification for Continuity of Care Record (CCR), Standard ASTM E2369, 2005.
[21] H. Wang and Y. Song, "Secure cloud-based EHR system using attribute-based cryptosystem and blockchain," J. Med. Syst., vol. 42, no. 8, p. 152, 2018.
[22] W. Xu, L. Wu, and Y. Yan, "Privacy-preserving scheme of electronic health records based on blockchain and homomorphic encryption," J. Comput. Res. Develop., vol. 55, no. 10, pp. 2233–2243, 2018.
[23] P. Zhang, J. White, D. C. Schmidt, G. Lenz, and S. T. Rosenboloom, "FHIRChain: Applying blockchain to securely and scalably share clinical data," Comput. Structural Biotechnol. J., vol. 16, pp. 267–278, 2018.
[24] A. Roehrs, C. A. da Costa, and R. da Rosa Righi, "OmniPHR: A distributed architecture model to integrate personal health records," J. Biomed. Inform., vol. 71, pp. 70–81, Jul. 2017.
[25] K. Seol, Y.-G. Kim, E. Lee, Y.-D. Seo, and D.-K. Baik, "Privacy-preserving attribute-based access control model for XML-based electronic health record system," IEEE Access, vol. 6, pp. 9114–9128, 2018.
[26] Y. Sun, R. Zhang, X. Wang, K. Gao, and L. Liu, "A decentralizing attribute-based signature for healthcare blockchain," in Proc. IEEE 27th Int. Conf. Comput. Commun. Netw. (ICCCN), Jul./Aug. 2018, pp. 1–9.
[27] A. A. Omar, M. S. Rahman, A. Basu, and S. Kiyomoto, "MediBchain: A blockchain based privacy preserving platform for healthcare data," in Proc. Int. Conf. Secur., Privacy Anonymity Comput., Commun. Storage. Cham, Switzerland: Springer, 2017, pp. 534–543.

FEI TANG received the Ph.D. degree in information security from the Institute of Information Engineering, Chinese Academy of Sciences, in 2015. He is currently an Associate Professor with the Chongqing University of Posts and Telecommunications. His research interests include public-key cryptography, and blockchain technology and their applications.

SHUAI MA received the B.S. degree from the Hunan University of Technology, in 2016. He is currently pursuing the master's degree with the Chongqing University of Posts and Telecommunications. His present research interest includes blockchain technology and its applications.

YONG XIANG (SM'12) received the Ph.D. degree in electrical and electronic engineering from The University of Melbourne, Australia. He is currently a Professor with the School of Information Technology, Deakin University, Australia. His research interests include information security and privacy, signal and image processing, data analytics and machine intelligence, the Internet of Things, and blockchain. He has published four monographs, over 110 refereed journal articles, and numerous conference papers in these areas. He has served as the Program Chair, TPC Chair, Symposium Chair, and Session Chair for a number of international conferences. He is an Associate Editor of the IEEE SIGNAL PROCESSING LETTERS and the IEEE ACCESS.

CHANGLU LIN received the B.S. and M.S. degrees in mathematics from Fujian Normal University, China, in 2002 and 2005, respectively, and the Ph.D. degree in information security from the State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, China, in 2010. He is currently with the College of Mathematics and Informatics, and the Fujian Provincial Key Laboratory of Network Security and Cryptology, Fujian Normal University. He is interested in cryptography and network security, and has conducted research in diverse areas, including secret sharing, multi-party computation, and public key cryptography and their applications.