A Blockchain-Based Secure Sharing Scheme for Electrical Impedance Tomography Data

Abstract

Real-time electrical impedance tomography (EIT) data sharing is becoming increasingly necessary, due to the extensive use of EIT technology in various sectors, including material analysis, biomedicine, and industrial process monitoring. The prevalence of portable EIT equipment and remote imaging technology has led to a predominance of centralized storage, Internet protocol transmission, and certificates from certificate authorities (CA) in telemedicine data. This has resulted in compromised data security, network communication delays, high CA maintenance costs, increased risks of medical data privacy breaches, and low security. Therefore, this paper offers a consortia blockchain-based method for exchanging EIT data that addresses security and integrity concerns during data storage and exchange, while maintaining transparency and traceability. Proprietary re-encryption techniques are employed to guarantee traceability when exchanging anonymous data, enabling precise control over data access. This scheme serves to protect both data and identity privacy, as well as to trace the actual identity of potential malicious users, while also thwarting any coordinated efforts between partially trusted parties and data requesters seeking unauthorized access to confidential information. Additionally, a combination of blockchain and InterPlanetary File System (IPFS) distributed storage technology is utilized to ease the burden of EIT data storage. The feasibility and effectiveness of the proposed solution were validated through a series of experiments, demonstrating its ability to effectively prevent data tampering and misuse, reduce data management costs, and enhance the efficiency and quality of data sharing.

1. Introduction

With the rapid advancement of medical detection technology, there is a growing demand for more sophisticated medical detection methods [1]. The evolution of detection methods has progressed from manual subjective assessment to a combination of subjective and objective approaches. The introduction of medical imaging technology has significantly enhanced the objectivity and accuracy of disease diagnosis. Electrical impedance tomography (EIT) technology is crucial for achieving this goal [2]. EIT is a novel non-destructive biomedical detection and imaging technique focusing on the distribution or variation in electrical impedance within living organisms [3]. This technology allows visualizing impedance distribution images of biological tissues, impedance change images across different frequencies, and impedance variation images during physiological activities of biological organs, such as respiration and heartbeats [4]. EIT offers the advantages of simplicity, non-invasiveness, affordability, and the potential for long-term and continuous patient monitoring [5]. It is important in early disease prevention, diagnosis, treatment, and medical screening [6]. Furthermore, the increasing digitization of the medical industry has led to a notable shift towards using electronic medical records (EMR) [7]. EMRs have gained widespread popularity due to their ability to offer convenient and superior electronic medical services. By sharing EMRs among medical institutions,  patients can provide real-time and long-term disease information to support in-depth analysis and personalized patient treatment [8].

Protecting sensitive health information within EMRs is paramount to safeguarding patient privacy [9]. Sharing EMR data is crucial for reducing medical costs and improving service quality. However, the scattered storage of EMRs across various medical institutions poses challenges for data sharing and increases the risk of patient privacy breaches [10]. Many hospitals and institutions still rely on traditional databases to store patient information, hindering inter-institutional data sharing and leading to information silos. Cloud storage solves these issues by providing accessibility, scalability, and by addressing privacy and security concerns [11]. Their centralized nature poses potential risks, such as unauthorized access compromising data privacy and security [12]. As the volume of medical data grows, ensuring medical record’s security, scalability, and interoperability has become a critical focus.

1.1. Our Contributions

In order to address the issue of secure storage and sharing of EIT data, this paper presents a secure sharing scheme for EIT data that is both anonymous and conditionally traceable. The scheme is built on the alliance blockchain, utilizing IPFS and blockchain technology. The key contributions of this study are outlined as follows:

• The EIT remote imaging system utilizes an anonymous and traceable authentication protocol. By employing pseudo-identity to safeguard user privacy, it has the capability to expose the identity of malicious nodes under certain circumstances and enhance verification efficiency through batch verification. Furthermore, this protocol enables easy implementation of the key recovery function.
• A decentralized architecture inspired by MedRec was developed to establish a trustworthy platform for sharing and collaborating on EIT data. This system integrates the consortium chain with the IPFS to enable both on-chain and off-chain collaborative storage of EIT data. The chain only stores the IPFS hash of the EIT data, while the complete dataset is transferred to IPFS. This approach helps alleviate storage constraints on the chain and ensures secure storage of EIT data.
• The EIT data sharing system employs proxy re-encryption (PRE) technology to enforce stringent access control measures, thereby enhancing data privacy and security, to mitigate the risks of unauthorized disclosure and exploitation. A verifiable random function (VRF) is employed to generate random numbers for selecting the leader (proxy node), with the design ensuring that the random numbers generated for encryption and data access requests thwart potential collusion between semi-trusted agents and data requesters, thus preventing unauthorized access to secret information.

1.2. Related Work

In the field of medical data secure retrieval, research has primarily focused on functionality, security, and retrieval efficiency. Amiri et al. proposed a method that combines permissioned blockchain and private blockchain to support electronic medical record sharing through keyword retrieval [13]. This approach involves storing encrypted electronic medical records on a cloud server, storing the ciphertext hash value on the private chain, and storing the keyword index on the alliance chain. These measures ensure the secure storage, retrieval, and sharing of electronic medical records. Chen et al. presented a method that combines blockchain technology with searchable encryption technology to enable medical image data sharing [14]. This scheme generates trapdoors by creating keywords related to specific medical imaging data and sending them to the cloud server to search for the corresponding ciphertext. This enables users to conveniently use the blockchain to verify the authenticity of medical record ciphertext. Furthermore, Ren et al. proposed a framework for sharing electronic medical records between different entities using cloud storage and blockchain [15]. In this framework, the cloud server stores electronic medical record ciphertext, the alliance blockchain saves the electronic medical record index, and keyword searchable encryption ensures the secure retrieval of ciphertext data in the chain. A  consortium chain network model, data structure, and consensus mechanism were all designed to ensure the efficient operation of the system [16]. However, it is worth noting that, while these methods leverage the decentralized characteristics of blockchain to address the issues of centralized secure retrieval in traditional cloud storage, most of them do not consider the controllability of user retrieval permissions.

Wang et al. proposed a solution utilizing searchable encryption technology to conceal the access structure, enabling data owners to manage user access rights as per their requirements [17]. Xu et al. proposed a cloud-chain collaborative data secure sharing scheme, employing attribute encryption to encrypt electronic medical records and allowing patients to independently set access policies to achieve precise access control [18,19]. Similarly, Ref. [20] presented a scheme for sharing K-anonymous and keyword-searchable encrypted medical data in an alliance blockchain environment. This scheme incorporates an attribute-based access control smart contract, empowering patients with complete control over their medical records. However, this approach also imposes an additional burden on the users. To address the issue of user inability to control the security of medical data and electronic medical record sharing, Ref. [21] proposed a blockchain-based electronic health system. This system employs a proxy re-encryption mechanism and embeds an attribute-based cryptographic system to ensure high security and fine-grained access control. Du et al. introduced a novel business process and blockchain-based platform for sharing medical information [22]. This innovative approach allows secure storage, sharing, and verification of information among multiple parties in a decentralized network. Additionally, the authors suggested a new consensus algorithm and a comprehensive anonymous sharing model, which enhance the efficiency and security of medical information exchange among users. Liu et al. proposed a conditional anonymous telemedicine data sharing scheme that leverages blockchain technology and cloud servers for secure storage and sharing of medical data [23]. It is important to note that, while the aforementioned research began to focus on empowering patients and giving them control over medical records, there is still a lack of research on how hospitals and patients can jointly control access to electronic medical records.

According to research [24], blockchains can be categorized into three types: public chains, private chains, and consortium chains. A public chain, accessible to everyone, is entirely decentralized, due to its immutable data. On the other hand, a consortium chain restricts participation to authorized members, setting rules for access and participation privileges. In contrast, a private chain is exclusive to private organizations, with limited participating nodes and strict permissions for reading, writing, and accounting [16].

Table 1. Comparison of different types of blockchain (consortium chain [26], public chain [27], private chain [28], hybrid chain [29]).

	Decentralization	Throughput	Cost	Scalability
Consortium Chain	medium	medium	medium	Great
Public chain	high	low	high	Poor
Private chain	low	high	low	Great
Hybrid chain	-	-	low	Great

provides a comparison of the various blockchain types [25].

1.3. Organization

The organization of this paper is as follows: Section 2 presents some preliminaries regarding Blockchain. Section 3 describes the EIT data security sharing model and its security requirements in detail. In Section 4, we first describe the framework of our propose scheme, and then present the its details. Section 5 analyzes its correctness and safety. Following that, Section 6 explores a theoretical comparison of the computational complexity of our scheme and offers a performance evaluation. Finally, Section 7 gives some conclusive remarks.

2. Preliminaries

2.1. Consortium Blockchain

A consortium blockchain is a hybrid form of blockchain technology that falls between a fully public blockchain and a fully private blockchain. In this model, a pre-selected group of entities or organizations form a federation to jointly control the nodes. Unlike public blockchains, consortium blockchains are restricted to members of the consortium, which typically consist of stakeholders from various industries like banks, supply chain companies, and government agencies. These members collaborate to manage and maintain the blockchain, leading to increased transaction speed and efficiency, due to the limited number of participants and the trust established among them. Key features of consortium blockchains include

(1)

Permission-based node management: Not everyone can participate in the maintenance of the blockchain. Only authorized nodes can perform transaction verification and other related operations.

(2)

Higher efficiency and scalability: due to the limited number of participants, the network is able to handle higher transaction volumes, while maintaining fast processing speeds.

(3)

Privacy: Although transaction data are open to alliance members, they are not public to the outside world, which provides the possibility for sensitive business operations and data protection.

(4)

Co-governance: all alliance members jointly determine the rules, protocols, and standards of the blockchain, making the governance of the entire system more democratic and transparent.

Consortium blockchains are often regarded as well suited for enterprise-level applications, due to their ability to merge the decentralization aspects of public blockchains with the control and security of private blockchains. For instance, in sectors like supply chain management, financial services, healthcare, and cross-border payments, consortium blockchains can offer an effective platform for collaboration and foster trust and data sharing among various organizations.

2.2. InterPlanetary File System

IPFS is a distributed file storage protocol aimed at enhancing the openness, efficiency, and durability of the Internet [30]. Utilizing peer-to-peer technology, every network user functions as both a client and a server, leading to a more decentralized and censorship-resistant file storage system [31]. IPFS operates by breaking files into small chunks and assigning a unique hash value to each chunk. These file blocks are then distributed across multiple nodes worldwide, and when a file needs to be retrieved, IPFS uses these hashes to locate and piece together the file blocks to reconstruct the original file [32]. This method significantly enhances data reliability, as even if some nodes are offline or data are partially lost, the file can still be reconstructed, as long as enough data blocks can be located [33]. Figure 1 presents the general architecture of IPFS.

2.3. Proxy Re-Encryption

Proxy re-encryption (PRE) is an encryption method that enables a third party (agent) to convert ciphertext from one secret key to another [34], without the agent having access to the plaintext content. This method is especially valuable in multi-user environments, where securely sharing encrypted data is necessary [35].

The proxy node acts as the leader, holding private key $Pr{K}_L$ and public key $Pu{K}_L$. Upon receiving $\left\{r_{i\to j},si{g}_r\right\}$, the proxy node initiates the F. SignVerif algorithm for signature verification. Successful validation grants access to the ciphertext $\left\{Dec,CEI{T}_1,CEI{T}_2,CEI{T}_3\right\}$ stored on IPFS, which is then confirmed using Equation (2). Following a positive verification, the proxy node proceeds to re-encrypting the ciphertext, as follows:

$\begin{array}{cc}& De{c}^{\prime }=E\left(p{k}_i,r{k}_2\right)\hfill \\ & {CEI{T}_1}^{\prime }={CEI{T}_1}^{r{k}_1}\hfill \\ & {CEI{T}_2}^{\prime }={g_1}^u\hfill \\ & CEI{T_3}^{\prime }=\left(u+Pr{K}_L{\mathrm{Hash}}_7\left(De{c}^{\prime }∥{CEI{T}_1}^{\prime }∥{CEI{T}_2}^{\prime }\right)\right)modq\hfill \end{array}$

subsequently creates the re-encrypted text $\left\{De{c}^{\prime },CEI{T_1}^{\prime },{CEI{T}_2}^{\prime },CEI{T_3}^{\prime }\right\}$, and sends it to $U_j$.

3. System Architecture and Security Requirements

3.1. Blockchain-Based Remote EIT System Architecture

Placing the electrode arrays developed by our team around the patient’s chest and applying a small current to them, we can safely measure the voltage difference across the lungs. By adjusting the current injection and measurement points, our system can gather sufficient data to map the entire chest. This method enables the creation of two-dimensional impedance images of the lungs, as different tissues like gas-filled alveoli and water-laden blood exhibit varying resistances to electrical current (comprising resistance and reactance).

In the context of EIT data exchange, individuals use the EIT data sharing system to provide their EMRs to authorized data requesters. However, due to the sensitive nature of EMRs, there are concerns regarding patient privacy, which may result in a reluctance to share personal data. To address this issue and ensure participant anonymity, we propose the implementation of a remote EIT data sharing method. As depicted in Figure 2, the EIT consortium blockchain facilitates the exchange of EIT data between patients and data requesters. The system framework consists of three main components: the EIT data collection module, the EIT consortium blockchain (EITCB), and the IPFS cloud server (IPFSCS).

(1) This chapter examines the use of EIT systems for remote non-invasive lung and brain imaging and diagnostic applications. The data collection system is compact and portable, making it suitable for emergency situations such as traffic accidents and natural disasters. It can measure voltage data from the human body, which are then transmitted wirelessly to the cloud. The cloud server reads the data and performs calculations and image reconstruction. The resulting images are then transferred to a mobile device for observation. To ensure a safe current for the human body (below 10 mA), a high-precision constant current source is required to generate the appropriate current signal. A signal generator is also needed to provide an input signal to the current source circuit. The STM 32 processor controls the electrode array, allowing the current signal to be applied to the object being measured according to specific rules. The voltage signal at the boundary is automatically measured in a cyclic manner. Since the voltage change corresponding to the conductivity change is very small, amplification of the voltage signal is necessary for observation and processing. However, amplifying the signal also amplifies the noise, so a filter is added after amplification to remove the noise. The filtered signal is then input into the phase-sensitive demodulation circuit to obtain the real part signal, and a filter is used to extract the DC component. Finally, the analog signal is converted into a digital signal through A/D conversion and uploaded to the cloud via the wireless module.

(2) EIT Consortium Blockchain: The following three categories of nodes make up the consortium blockchain network.

User Node (U): Users who request data and hold ownership are $U_{n}s$. Individuals with EMRs who are willing to give access to other system users, such as individuals receiving care, are considered data holders. Individuals looking to view EMRs must complete a formal request to the data holders, also referred to as data seekers. Usually, health insurers or researchers are the entities seeking data. Depending on the context, $U_n$ might function as either the requester or the owner of data. Each $M_n$ has the ability to access and synchronize blockchain information.

Consensus Node $\left(L_c\right)$: The nodes participating in the consensus procedure are referred to as $C_n$. They play a key role in generating and validating blocks and data. $C_n$ are primarily responsible for registering $U_n$ identities and monitoring conditions. These entities typically include respected institutions such as research centers, major healthcare facilities, and medical departments at universities. In the consensus algorithm, $C_n$ are divided into two functions: leader and follower.

Management Node ($M_n$): The medical alliance organization or government agency responsible for healthcare often owns $M_n$. It is in charge of managing the identification data of $U_n$ and carrying out supervisory responsibilities.

(3) EIT Data Server (EITDS): Acting as a semi-trusted third party, EITDS is primarily responsible for the storage of EMRs.

In this approach, the $M_n$ initially generates the public system parameters. The $M_n$, along with the $C_n$s and CS (Cloud Server), independently chooses their private keys and computes their corresponding public keys. When a $U_n$ joins the system, it must select a random number to mask its true identity, creating identity protection data. Subsequently, the $U_n$ shares this random number with all $C_n$s, utilizing the Shamir secret sharing scheme. Each $C_n$ must verify the shared number it receives. Upon successful verification, the $C_n$ sends a confirmation message to the $M_n$. After collecting all confirmations, the $M_n$ calculates and sends the pseudo identity back to the $U_n$. Simultaneously, the $M_n$ links the $U_n$’s identity protection data to the pseudonym as tracking data and records them on the blockchain.

3.2. Security Requirements

In order to ensure the privacy of EIT data holders and maintain secure data sharing between data holders and requesters, a secure EIT data sharing solution must fulfill the following requirements:

(1)

Protection of identity privacy: EIT data often contain sensitive personal information, and users prefer to keep their identities confidential. Hence, the solution should safeguard the privacy of users’ identities.

(2)

Conditional identity tracking: In case of security incidents like unauthorized access, the system may need to track and identify the culprits to prevent further threats. Hence, the proposed solution should incorporate a method for selectively monitoring the genuine identities of malicious users.

(3)

Collusion attack prevention: As a proxy node, the consensus group leader is a semi-trusted entity who can collaborate with data requesters and potentially access EIT data without authorization. As a result, any solution implemented should be specifically crafted to prevent collusion between proxy nodes and requesters.

(4)

Recovery of user keys: User key recovery is a crucial aspect of EITDS, as the loss of private keys can occur for diverse reasons, such as a lost device, malware, or a forgotten password. In emergency situations where keys are lost, users should have mechanisms in place to promptly recover their keys through trusted channels, to minimize the impact on imaging. Furthermore, the finite storage capacity of blockchain systems presents a challenge as the EIT data volume grows. Insufficient storage capacity may lead to incomplete or lost data, jeopardizing data security. To tackle this issue and ensure secure storage of EIT data, it is essential to address the limitations of blockchain storage capacity.

4. EIT Data Storage and Sharing Solution

4.1. EIT Hardware Design

In order to accurately detect boundary voltages, such as in the lungs, it is crucial to consider the signal-to-noise ratio of the data acquisition circuit in the EIT system. This ratio is influenced by various factors, including random and nonlinear errors in electronic equipment, measured objects, and the environment, directly impacting the imaging sensitivity. Nonlinear errors, caused by the distributed capacitance between electrodes and ground, and excitation current shunt due to common mode voltage, can significantly affect EIT image quality. Therefore, minimizing the shunting of distributed capacitance and nonlinearity from common-mode voltage is essential for improving brain EIT accuracy. To address this, a bioelectrical impedance data acquisition system was designed, to reduce the impact of distributed capacitance and accurately measure excitation current. This system includes a programmable current source to compensate for distributed capacitance effects and a differential acquisition circuit to enhance common-mode voltage suppression. The system comprises an excitation constant current source for precise frequency and amplitude control, an electrode interface subsystem to minimize distributed capacitance and measure excitation return current through intracranial tissue accurately, and a differential voltage acquisition circuit to further enhance CMRR. The overall structure of the electrical impedance imaging detection platform is illustrated in Figure 3.

The MCU controls the DDS chip to generate a sinusoidal signal with adjustable frequency. The signal then goes through various circuits such as the amplitude pre-adjustment circuit and spurious frequency filter circuit to output a stable sine wave signal with a set amplitude for driving the mirror voltage. The constant current source is controlled to produce a human body safe excitation current signal that stimulates human tissue, to create a measurable electric field. Simultaneously, the mirror image voltage size is collected to adjust the output excitation current and ensure it reaches the target area at the desired level. The boundary voltage between electrodes is collected, converted to a digital signal through ADC, preprocessed by the main controller, and sent to a PC for numerical calculations and image reconstruction using inverse problem algorithms.

4.2. Initialization

(1)

Initialization

We denote k as a system security parameter. And then, the management node $M_n$ chooses a cyclic group $G_1$ with a prime number order q. The generators $g_1$ and $g_1$ are represented in $G_1$, with a bilinear map denoted as $E:G_1\times G_1\to G_n$. Furthermore, $M_n$ picks 8 hash functions that resist collisions.

$$\left\{\begin{array}{c}{\mathrm{Hash}}_1:G_1\to {\{0,1\}}^{*}\hfill \\ {\mathrm{Hash}}_2:{\{0,1\}}^{*}\to {\mathbb{R}}_q^{*}\hfill \\ {\mathrm{Hash}}_3:G_1\to {\mathbb{R}}_q^{*}\hfill \\ {\mathrm{Hash}}_4:G_1\to G_1\hfill \\ {\mathrm{Hash}}_5:R_q^{*}\to G_1\hfill \\ {\mathrm{Hash}}_6:G_1\times G_1\to {\mathbb{R}}_q^{*}\hfill \\ {\mathrm{Hash}}_7:G_T\times {\{0,1\}}^{*}\times {\mathbb{R}}_q^{*}\to {\mathbb{R}}_q^{*}\hfill \\ {\mathrm{Hash}}_8:G_1\times G_1\times G_1\times G_1\times G_1\times G_1\to {\mathbb{R}}_q^{*}\hfill \end{array}\right.$$

(1)

$M_n$ randomly chooses the private key $Pr{K}_{mn}\in {\mathbb{R}}_q^{*}$ and computes the corresponding public key $Pub{K}_{mn}=g_1^{Pr{K}_{mn}}$. The $L_c$ randomly selects private key $Pr{K}_c\in {\mathbb{R}}_q^{*}$ and calculates public key $Pub{K}_c={g_1}^{Pr{K}_c}$, $1⩽c⩽n$, with a specified threshold of $\tau$. If $L_d$ denotes the leader in the consensus group, $Pr{K}_d$ is the leader’s private key, and the public key is $Pub{K}_d$. User U chooses a strong signature scheme $F=$ (SigGen, Verify) [36].

Eventually, the system parameters $\left\{\kappa ,G_1,G_2,g_1,g_2,q,e,{\mathrm{Hash}}_1,\dots ,{\mathrm{Hash}}_8,Pub{K}_{mn},n\right\}$ are revealed by $M_n$. Then, $M_n$ randomly picks $p_{1,i}\in {\mathbb{R}}_q^{*}$ to compute $P_{1,i}=g_1^{P_{1,i}}$ and derive the protected identity data ${\pi }_i=Has{h}_1\left(P_{1,i}\right)\oplus Inf{o}_i$ for $U_i$. Following this, $M_n$ randomly chooses a pair of numbers ${\alpha }_i,{\beta }_i$ from ${\mathbb{R}}_q^{*}$, to calculate the pseudo-identity $Pse{u}_i$ and generate the signature ${\sigma }_i$ for $U_i$ using the equations below.

$$\left\{\begin{array}{c}{z}_i={\alpha }_i\left({\beta }_i+{Hash}_2\left({\pi }_i\right)\right)modq\hfill \\ {Pse}_i=g_1{z}_i\hfill \\ {\delta }_i={Hash}_3\left({\mathrm{Pse}}_i\right)\hfill \\ {\sigma }_i=\left(z_i+{\delta }_{i}Pr{K}_{mn}\right)modq\hfill \end{array}\right.$$

(2)

Upon reception of the identity details $\left\{Pse{u}_i,{\sigma }_i\right\}$ from $M_n$, user $U_i$ calculates ${\delta }^{*}=Has{h}_3\left(Pse{u}_i\right)$ to authenticate the validity of the given equation. If the authentication process is successful, $U_i$ adopts $\left\{Pse{u}_i,{\sigma }_i\right\}$ as his pseudo-identity.

$$g_1^{{\sigma }_i}={\left(Pub{K}_{mn}\right)}^{{\delta }^{*}}\times Pse{u}_i$$

(3)

$U_i$ randomly selects a number $a_i$ from the set ${\mathbb{R}}_q^{*}$, then calculates $s_{2,i}$ as $P_{1,i}$ minus $a_i$. Next, $S_{2,i}$ is generated as $g_1^{s_{2,i}}$ to derive both the private key $Pr{K}_i=Has{h}_3\left(S_{2,i}\right)$ and the public key $Pub{K}_i=Has{h}_4{\left(Pse{u}_i\right)}^{Pr{K}_i}$. Subsequently, $U_i$ computes $A_i$ as ${g_1}^{a_i}$, produces the signature ${sig}_{A,i}$ using the F.Sign signature algorithm, and stores $\left\{a_i,A_i,si{g}_{A,i}\right\}$.

Subsequently, user $U_i$ obtains the public random number $\lambda$ in ${\mathbb{R}}_q^{*}$ given by the present leader via the VRF mechanism and autonomously produces a random number $K_i$ in ${\mathbb{R}}_q^{*}$ for computation.

$$\left\{\begin{array}{c}{K}_i=g_1^{k_i}\hfill \\ {\lambda }_i={Hash}_5{\left(\lambda \right)}^{{PrK}_i}\hfill \\ {\delta }_{\lambda ,i}={Hash}_2\left(({Pse}_i∥K_i)∥{\lambda }_i\right)\hfill \\ {\sigma }_{\lambda ,i}=\left(\lambda +{\delta }_{\lambda ,i}{PrK}_i\right)modq\hfill \end{array}\right.$$

(4)

Generate basic information about the current self $\left\{Pse{u}_i,{\sigma }_i,K_i,{\lambda }_i,{\sigma }_{\lambda ,i}\right\}$.

(2)

Encryption

The randomly selected $\phi \in {\{0,1\}}^{*}$ is encrypted by the user $U_i$ to protect the EIT data $M_n$.

$$\left\{\begin{array}{c}\mathrm{Dec}=E\left({\mathrm{Hash}}_4\left(Ps{e}_i\right),{Hash}_5{\left(\lambda \right)}^{a_i}\right)\hfill \\ {\mathrm{CEIT}}_1=(m\parallel \phi )\oplus De{c}^{{\mathrm{Hash}}_6\left(Ps{e}_i\parallel Pub{K}_i\right)}\hfill \\ {\mathrm{CEIT}}_2={\mathrm{Hash}}_4{\left({\mathrm{Pse}}_i\right)}^u\hfill \\ {\mathrm{CEIT}}_3=\left(\lambda +{\mathrm{PrK}}_i{Hash}_7\left((Dec∥CEI{T}_1)∥CEI{T}_2\right)\right)modq\hfill \end{array}\right.$$

(5)

Then, the user sends the encrypted data $\left\{Dec,CEI{T}_1,CEI{T}_2,CEI{T}_3\right\}$ to the IPFS.

(3)

Storage Phase

Upon receiving $\left\{Dec,CEI{T}_1,CEI{T}_2,CEI{T}_3\right\}$ from user $U_i$, the IPFS first conducts verification.

$$Has{h}_4{\left(Pse{u}_i\right)}^{CEI{T}_3}=CEI{T}_2\times Pub{K}_i^{Has{h}_7\left((Dec∥CEI{T}_1)∥CEI{T}_2\right)}$$

(6)

If the successful validation demonstrates that the confidentiality, integrity, and source of the encrypted data remain intact, the IPFS will store $\left\{Dec,CEI{T}_1,CEI{T}_2,CEI{T}_3\right\}$ and generate the download link for ciphertext of $U_i$.

In order to minimize the storage burden on the blockchain, $U_i$ submits a request to upload its metadata onto the blockchain. The metadata contains the $URL$, the hash value $h_m$ of message data $M_n$, and the $Pse{u}_i$ of $U_i$.

After completing the block upload, the subsequent leader $L_d$ is determined using a randomly generated number through the verifiable random function VRF, following $L=(\theta modN)+1$. The process for this procedure are elaborated below. The current leader creates a random $\theta$ and proof p using its private key $PrK$ and the current timestamp x. These parameters $\{\theta ,p\}$ are then publicly disclosed by the leader. The authenticity of $\theta$ can be confirmed by the other follower nodes through validation using the public key $vk$ of the leader, the current timestamp x, the pseudo-random string $\theta$, and the proof p.

The consensus group determines $L=(\theta modN)+1$ and designates $L_d$ as the leader after all nodes have been verified. This selection is predicated on the VRF function’s arbitrary output value, which ensures impartiality and unpredictability in the voting process.

(4)

Requests, authorizations, and visits

If $U_i$ wants to access $U_j$’s data information $M_n$, $U_i$ must obtain permission from $U_j$.

$U_i$ requests access to $U_j$’s data and transmits essential details $\left\{PI{D}_i,{\sigma }_i,K_i,u_i,{\sigma }_{u,i}\right\}$. $U_j$ validates the identity of $U_i$ using Equation (1) and subsequently authenticates the parameters of $U_i$.

$$Has{h}_4{\left(PI{D}_j\right)}^{{\sigma }_{u,j}}={\left(Pub{K}_j\right)}^{Has{h}_2\left((PI{D}_j∥K_j)∥u_j\right)}\times Has{h}_4{\left(PI{D}_j\right)}^u$$

(7)

If the equation mentioned above is satisfied, the authentication will be successful. $U_j$ is permitted by $U_i$ to retrieve the required information.

$$\left\{\begin{array}{c}\left.d_j=PI{D}_j\times {\left({\mathrm{PubK}}_{mn}\right)}^{{\mathrm{Hash}}_3\left(PI{D}_j\right)}\right)\hfill \\ r{k}_1={\mathrm{Hash}}_8\left((d_j{k}_i∥K_j^{{\sigma }_i})∥(PI{D}_i∥PI{D}_j)∥(Pub{K}_i\parallel Pub{K}_j)\right)\hfill \\ r{k}_2={\left(u_j\right)}^{\frac{a_i}{P_r{K}_i}}\hfill \\ r_{i\to j}=\left\{r{k}_1,r{k}_2\right\}\hfill \end{array}\right.$$

(8)

The re-encryption key $r_{i\to j}$ is created by user $U_i$, who then uses F.Sign to generate the signature $si{g}_r$ on $r_{i\to j}$ before sending $\left\{r_{i\to j},si{g}_r\right\}$ to the agent node.

(5)

Proxy Re-encryption

The agent node holds a private key $Pr{K}_L$ and a public key $Pub{K}_L$ as the leader. When $\left\{r_{i\to j},si{g}_r\right\}$ is received, the agent node uses the F.SignVerif algorithm for verification. Upon signature verification, the node agent retrieves the encrypted data $\left\{Dec,CEI{T}_1,CEI{T}_2,CEI{T}_3\right\}$ from the IPFS and authenticates it utilizing Equation (6). In the event of a successful validation, the encrypted data undergo re-encryption via a predefined algorithm.

$$\left\{\begin{array}{c}{Dec}^{\prime }=E\left({\mathrm{PubK}}_i,r{k}_2\right)\hfill \\ {{\mathrm{CEIT}}_1}^{\prime }={{\mathrm{CEIT}}_1}^{r{k}_1}\hfill \\ {{\mathrm{CEIT}}_2}^{\prime }={g_1}^u\hfill \\ {{\mathrm{CEIT}}_3}^{\prime }=\left(u+{PrK}_L{Hash}_7\left(({Dec}^{\prime }∥{{\mathrm{CEIT}}_1}^{\prime })∥{{\mathrm{CEIT}}_2}^{\prime }\right)\right)modq\hfill \end{array}\right.$$

(9)

The newly encrypted ciphertext $\left\{De{c}^{\prime },{CEI{T}_1}^{\prime },{CEI{T}_2}^{\prime },{CEI{T}_3}^{\prime }\right\}$, can be acquired and sent to $U_j$.

(6)

Decryption

The ciphertext $\left\{Dec,CEI{T}_1,CEI{T}_2,CEI{T}_3\right\}$ derived from the IPFS by user $U_i$ is verified using Equation (2). Once successfully verified, the ciphertext will be decrypted by the equations, as follows:

$$\left\{\begin{array}{c}\mathrm{Dec}=E\left({\mathrm{Hash}}_4\left({\mathrm{Pse}}_i\right),{Hash}_5{\left(u\right)}^{a_i}\right)\hfill \\ m\parallel \phi =CEI{T}_1\oplus D^{{\mathrm{Hash}}_6\left({\mathrm{Pse}}_i\parallel Pub{K}_i\right)}\hfill \end{array}\right.$$

(10)

After receipt of the re-encrypted ciphertext $\left\{De{c}^{\prime },{CEI{T}_1}^{\prime },{CEI{T}_2}^{\prime },{CEI{T}_3}^{\prime }\right\}$, $U_j$ proceeds to verify it using the equation below:

$${g_1}^{{CEI{T}_3}^{\prime }}={CEI{T}_2}^{\prime }\times {Pub{K}_L}^{Has{h}_7\left((De{c}^{\prime }∥{CEI{T}_1}^{\prime })∥{CEI{T}_2}^{\prime }\right)}$$

(11)

Upon successful verification, $U_j$ uses the formulas below to decrypt the re-encrypted ciphertext:

$$\left\{\begin{array}{c}{d}_i={Pse}_i\times {\left({\mathrm{PubK}}_{mn}\right)}^{{\mathrm{Hash}}_3\left({\mathrm{Pse}}_i\right)}\hfill \\ r{k}_1={Hash}_8\left((K_i^{{\sigma }_j}∥{d_i}^{k_j})∥PI{D}_i∥PI{D}_j∥Pub{K}_i\parallel Pub{K}_j\right)\hfill \\ CEI{T}_1={\left(CEI{T}_1\right)}^{\frac{1}{r{k}_1}}=(m\parallel \phi )\oplus {Dec}^{{\mathrm{Hash}}_6\left({\mathrm{Pse}}_i\parallel Pub{K}_i\right)}\hfill \\ {Dec}^{\prime }={\left({\mathrm{Dec}}^{\prime }\right)}^{\frac{1}{{\mathrm{PrK}}_j}}\hfill \\ m\parallel \phi =CEI{T}_1\oplus {Dec}^{{\mathrm{Hash}}_6\left({\mathrm{Pse}}_i\parallel Pub{K}_i\right)}\hfill \end{array}\right.$$

(12)

(7)

Traceability

Utilizing a clandestine method of distribution, this research employs $\tau -1$ random numbers $a_{1,i},\dots ,a_{\tau -1,i}$ chosen by M from the set $R_q^{*}$ to achieve the trackability of fictitious identities. This allows the sharing of $P_{1,i}$ and the generation of a polynomial with a degree of $(\tau -1)$:

$$F_i\left(x\right)=a_{0,i}+a_{1,i}x+a_{2,i}{x}^2+\cdots +a_{\tau -1,i}{x}^{\tau -1}modq$$

(13)

The polynomial shares $\left\{F_i\left(1\right),F_i\left(2\right),\cdots ,F_i\left(n\right)\right\}$ and polynomial commitments shares ${〈{\mathrm{\Lambda }}_c〉}_{c=1\sim n}$ are calculated by $a_{0,i}=s_{i,1}$:

$${\mathrm{\Lambda }}_c={Pub{K}_c}^{F_i\left(c\right)},1⩽c⩽n$$

(14)

In order to confirm the polynomial share distribution in the subsequent steps, M must calculate the polynomial parameters commitments ${〈C_{\delta }〉}_{\delta =0\sim \tau -1}$:

$$C_{\delta }={g_2}^{a_{l,i}},0⩽\delta <\tau -1$$

(15)

for all polynomials commitments ${〈{\mathrm{\Phi }}_c〉}_{c=1\sim n}$:

$${\mathrm{\Phi }}_c={g_2}^{F_i\left(c\right)},1⩽c⩽n$$

(16)

Then, we begin to verify whether $F_i\left(c\right)$ in ${\mathrm{\Phi }}_c$ is the result of polynomial $F_i\left(x\right)$ created by M, and $L_c$ needs to confirm the validity of the following equation [37]:

$${\mathrm{\Phi }}_c=\prod _{\delta =0}^{\tau -1}{\left(C_{\delta }\right)}^{c^{\delta }}$$

(17)

Next, $L_c$ calculates: $R_c=E\left({\mathrm{\Phi }}_c,Pub{K}_c\right),1⩽c⩽n$ and utilizes the subsequent method for bulk verification:

$$\prod _{c=1}^n{\mathrm{\Gamma }}_c=E\left(g_2,\prod _{c=1}^n{\mathrm{\Lambda }}_c\right)$$

(18)

If the equation stated above is valid, $L_c$ affirms the accuracy of all polynomial commitments ${〈{\mathrm{\Lambda }}_c〉}_{c=1\sim n}$ that have been received and retains the associated $\left\{{\pi }_i,{\mathrm{\Lambda }}_c\right\}$. Every $L_c$ then employs its individual private key $Pr{K}_c$ to retrieve $Sh{r}_c$ from ${\mathrm{\Lambda }}_c$.

$${\mathrm{Shr}}_c={\left({\mathrm{\Lambda }}_c\right)}^{\frac{1}{Pr{K}_c}}$$

(19)

In order to verify the authenticity of the $Sh{r}_c$ transmitted by $N_c$, proof information must be provided by $L_c$ to ensure that recipients are indeed receiving $Sh{r}_c$ from the corresponding ${\mathrm{\Lambda }}_c$. To begin, $L_c$ randomly chooses a number $r_c$ from the set $R_q^{*}$ and computes $B_{c,1}={\left(Sh{r}_c\right)}^{r_c}$ along with $B_{c,2}={\left(g_1\right)}^{r_c}$. Subsequently, $L_c$ performs the following calculations:

$$e_c=Has{h}_2\left({Shr}_c∥g_1∥{\mathrm{\Lambda }}_c∥Pub{K}_c∥B_{1,c}\parallel B_{2,c}\right),b_c=r_c+e_{c}Pr{K}_c$$

(20)

and ultimately produces shared information $\left\{Sh{r}_c,e_c,b_c\right\}$ that can be employed for identifying traces and regaining keys.

The user $\left\{{\pi }_i,Pse{u}_i\right\}$ has traceability information logged by M by initiating an on-chain request, which allows the consensus group to track down any dishonest users. A smart contract is used to automatically track down the rogue node. When a user exhibits malicious conduct, the tracing procedure is initiated automatically when the threshold $\tau$ is exceeded by the number of $L_c$ that deems the user malicious. The precise steps for tracking are as follows:

Every $L_c$ sends its tracing $\left\{Sh{r}_c,e_c,b_c\right\}$ to the smart contract. When $\tau$ is reached in the quantity of tracing $Shr$ given to the contract, the smart contract will retrieve the user’s $P_{1,i}$ by executing the tracing technique described in Algorithm 1. Finally, the group consensus will reveal the true identity information ${Info}_i$ of user $U_i$ using the following equation:

$$Inf{o}_c={\pi }_c\oplus Has{h}_1\left(P_{1,c}\right)$$

(21)

Algorithm 1 The algorithm for tracking the malicious nodes.

Input:

${\pi }_i,$ $[Sh{r}_1$, $Sh{r}_2,\dots$, $\left.Sh{r}_t\right],\left[e_1,e_2,\dots ,e_t\right],\left[b_1,b_2,\dots ,b_t\right]$

Output:

${\pi }_i\oplus Has{h}_1\left(P_{1,i}\right)$

1: for $c=1$ to $\tau$ do   2:     Calculate:

temporary = $(Sh{r}_c∥g_1)∥({\mathrm{\Lambda }}_c∥p{k}_c)∥{\left({\mathrm{Shr}}_c\right)}^{b_c}{\left({\mathrm{\Lambda }}_c\right)}^{-e_c}\parallel {g_1}^{b_c}{\left({\mathrm{\Lambda }}_c\right)}^{-e_c}$

${e_c}^{*}=Has{h}_2\left(temp\right)$

3:     if ${e_c}^{*}\ne e_c$ then   4:            fail   5:     end if   6: end for   7: $P_{1,c}=1$   8: for $c=1$ to $\tau$ do   9:       ${\prod }_{j=1,j\ne c}^t\frac{j}{j-c}=1$ 10:       for $j\in [1,t]$ do 11:             if $j\ne c$ then 12:                   ${\prod }_{j=1,j\ne c}^{\tau }\frac{j}{j-c}={\prod }_{j=1,j\ne c}^{\tau }\frac{j}{j-c}\times \frac{j}{j-c}$ 13:             end if 14:       end for 15:       $P_{1,c}=P_{1,c}\times pow$ (Shrc, ${\prod }_{j=1,j\ne c}^{\tau }\frac{j}{j-c})$ 16: end for

5. Theoretical Analysis

5.1. Correctness Analysis of the Scheme

Theorem 1.

This paper’s proposed EITDS scheme is accurate.

Proof. 

Demonstrating the proposed EITDS scheme’s correctness requires showing that equations in (3)–(6) are satisfied.

(1) In the case of the identity data $\left\{Pse{u}_i,{\sigma }_i\right\}$, if the calculated value of ${\delta }^{*}$ is the same as ${\tau }_i$, then the following holds:

$${g_1}^{{\sigma }_i}=g_1^{\left(z_i+{\tau }_i\tau k_{mn}\right)}={\left(Pub{K}_{mn}\right)}^{{\tau }^{*}}\times Pse{u}_i$$

(22)

Therefore, Equation (3) holds.

(2) The ciphertext $\left\{Dec,CEI{T}_1,CEI{T}_2,CEI{T}_3\right\}$ satisfies Equation (6).

$$\begin{array}{cc}\hfill Has{h}_4{\left(PI{D}_1\right)}^{CEI{T}_3}& =Has{h}_4{\left(Pse{u}_i\right)}^{\left(u+Pr{K}_{1}Has{h}_7\left(Dec,CEI{T}_1,CEI{T}_2\right)\right)}\hfill \\ \hfill & =CEI{T}_2\times Pub{K}_i^{Has{h}_7\left(Dec,CEI{T}_1,CEI{T}_2\right)}\hfill \end{array}$$

(23)

(3) The $r{k}_1=Has{h}_8\left(d_j^{k_i}∥K_j^{{\sigma }_i}∥Pse{u}_i∥PI{D}_j∥Pub{K}_i\parallel Pub{K}_j\right)$ used by $U_i$ for encryption satisfies Equation (8).

$$\begin{array}{cc}\hfill r{k}_1& =Has{h}_8\left(d_j^{k_i}∥K_j^{{\sigma }_i}∥Pse{u}_i∥PI{D}_j∥Pub{K}_i\parallel Pub{K}_j\right)\hfill \\ \hfill & =H_s\left({\left(PI{D}_j\times {\left(Pub{K}_{mn}\right)}^{Has{h}_3\left(PI{D}_j\right)}\right)}^{k_i}\parallel \left(g_1^{k_j}{\sigma }^{{\sigma }_i}∥Pse{u}_i∥PI{D}_j∥Pub{K}_i∥Pub{K}_j\right)\right.\hfill \\ \hfill & =Has{h}_8\left(K_i^{2+Pr{K}_{\infty n}Has{h}_3\left(PI{D}_j\right)}∥g_1^{k_i\left(x_i+Pr{K}_{mn}{H}_s\left.〈Pse{u}_i\right)\right\}}∥Pse{u}_i∥PI{D}_j∥Pub{K}_i\parallel Pub{K}_j\right)\hfill \\ \hfill & =Has{h}_8\left(K_i^{{\sigma }_j}∥d_i^{k_j}∥Pse{u}_i∥PI{D}_j∥Pub{K}_i\parallel Pub{K}_j\right)\hfill \end{array}$$

(24)

(4) The commitments ${\left.〈C_{\delta }\right)}_{i=0,-1-1}$ published by $U_i$ can be expressed as follows if the polynomial $f_1\left(x\right)$ generates $F_i\left(c\right)$ concealed in ${\mathrm{\Phi }}_c$.

$$\prod _{l=0}^{\tau -1}{\left(C_{\delta }\right)}^{{\mathrm{t}}^{\mathrm{t}}}=\prod _{\delta =0}^{\tau -1}{\left(g_2\right)}^{n_1,c^{\delta }}=g_2\sum ^{{\sum }_{j=0}^{\tau -1}{a}_{\delta }+c^{\delta }}={g_2}^{F_i\left(c\right)}={\mathrm{\Phi }}_c$$

(25)

Therefore, Equation (17) holds.

(5) When the $\left\{{\left({\mathrm{\Phi }}_c\right.〉}_{c=1\sim n},{〈{\mathrm{\Gamma }}_c〉}_{c=1\sim n}\right\}$ is made available to the public, and assuming the ${〈{\mathrm{\Lambda }}_c〉}_{c=1\sim n}$ are accurate, we can conclude the following:

$$\begin{array}{cc}\hfill \prod _{c=1}^n{\mathrm{\Gamma }}_c& =\prod _{c=1}^{n}e\left({\mathrm{\Phi }}_c,Pub{K}_c\right)=\prod _{c=1}^{n}e\left({g_2}^f\left(c\right),Pub{K}_c\right)=\prod _{c=1}^{n}e\left(g_2,Y_i\right)\hfill \\ \hfill & =e\left(g_2,Y_1·Y_2\cdots Y_n\right)=e\left(g_2,\prod _{c=1}^n{\mathrm{\Lambda }}_c\right)\hfill \end{array}$$

(26)

Therefore, Equation (18) holds.

$$\begin{array}{cc}\hfill \prod _{c=1}^{\tau }{\left({\mathrm{Shr}}_c\right)}^{L_c}& =\prod _{c=1}^{\tau }{\left({\left({\mathrm{\Lambda }}_c\right)}^{\frac{1}{s{k}_c}}\right)}^{L_c}=\prod _{c=1}^{\tau }{\left({g_1}^{f_i\left(c\right)}\right)}^{L_c}\hfill \end{array}$$

(27)

Then, let $\xi ={\sum }_{c=1}^{\tau }\left(f_i\left(c\right){\prod }_{j=1,j\ne c}^{\tau }\frac{j}{j-c}\right)$.

So, we can obtain

$$\begin{array}{c}\hfill \prod _{c=1}^{\tau }{\left({\mathrm{Shr}}_c\right)}^{L_c}={g_1}^{\xi }={g_1}^{f_i\left(0\right)}=P_{1,i}\end{array}$$

(28)

$\tau$ or more correctly ${Shr}_c$ with $P_{1,i}$ satisfy the equation above. □

5.2. Security Analysis of the Scheme

Theorem 2.

A secure method for maintaining identity privacy with anonymity and traceability in a distributed setting is guaranteed if the DL and CDH assumptions are met.

Proof. 

Within this system for safeguarding identity privacy, three methods exist for an intruder to access the individual’s actual identity details:

If the adversary successfully uncovers exposed shared $e_c$ through the utilization of the disclosed data $\left\{g_1,g_2,{\mathrm{\Phi }}_c,{\mathrm{\Lambda }}_c,Pub{K}_c\right\}$, upon securing $\tau$ instances of share, the adversary will then proceed to regain $S_{1,}$ and determine info through ${\pi }_i$.

To make the proof simpler, let $g_1={g_2}^{\alpha }$, ${\mathrm{\Phi }}_c={g_2}^{F_i\left(c\right)}={g_2}^{\beta }$, $Pub{K}_c={g_1}^{Pr{K}_c}={g_2}^{\alpha Pr{K}_c}=g_2^{\gamma }$, and consequently we obtain ${\mathrm{\Lambda }}_c=Pub{K_c}^{fi\left(c\right)}={g_2}^{{\beta }_{\gamma }}$. The adversary’s goal is to acquire share $c_c={g_1}^{F_i\left(c\right)}={g_2}^{\alpha F_i\left(c\right)}={g_2}^{\alpha \beta }$. Therefore, the task changes to calculating ${g_2}^{\beta \alpha }$, with ${g_2}^{\beta },{g_2}^{\gamma }$, and ${g_2}^{\beta }\gamma$ given, for any $\alpha ,\beta ,\gamma \in R_q^{*}$. A potential attacker, armed with all available public information, could attempt to compute ${g_2}^{\alpha \beta }$ using two distinct approaches:

(1) The attacker may try to calculate ${g_2}^{\alpha \beta }$ directly using ${g_2}^{\alpha }$ and ${g_2}^{\beta }$. Based on the assumption of $CDH$, it is impossible for any probabilistic polynomial-time attacker to efficiently calculate ${g_2}^{\alpha \beta }$ given $g_2,{g_2}^{\alpha }$, and ${g_2}^{\beta }$, where $\alpha ,\beta \in R_q^{*}$. Consequently, this approach contradicts the $CDH$ assumption.

The adversary might attempt to compute $\beta$ from ${g_2}^{\gamma }$ and ${g_2}^{\beta \gamma }$. Nonetheless, according to the $DL$ hypothesis, in the presence of $g_2^{\gamma }$ and ${g_2}^{\beta \gamma }$, for any $\gamma \in R_q^{*}$, there is no chance of a computational adversary working in polynomial time determining $\beta$ with a significant advantage. Hence, without access to $\beta$, it is not feasible to proceed with the computation of ${g_2}^{\alpha \beta }$.

To summarize, with the assumptions of $DL$ and $CDH$, the attacker is prevented from acquiring share $c_c$ solely through the public information. This means that the attacker is incapable of gathering sufficient shares to retrieve $P_{1,i}$ and subsequently calculate information.

The adversary has the ability to eliminate up to $\tau -1N_c$. From there, they can access the ${〈Pr{K}_c〉}_{c=1\sim \tau -1}$ and ${〈{\mathrm{share}}_c〉}_{c=1\sim \tau -1}$. An attempt may be made by the adversary to retrieve the $P_{1,i}$ and $Inf{o}_i$ of $U_i$ using $\left\{{〈Pr{K}_c〉}_{c=1\sim \tau -1}\right.$, $\left.{\langle \mathrm{Shr}\rangle }_{c=1\sim \tau -1}\right\}$ along with other publicly available details $\left\{{〈{\mathrm{\Phi }}_c〉}_{c=1\sim n},{〈{\mathrm{\Lambda }}_c〉}_{c=1\sim n},{〈Pub{K}_c〉}_{c=1\sim n},{〈C_{\delta }〉}_{\delta =0\sim \tau -1}\right\}$.

If $g_1=g_2^{\alpha }$ and $C_0={g_2}^{{\alpha }_{0,i}}={g_2}^{P_{1,i}}={g_2}^{\beta }$, then the opponent’s objective is to determine $\beta$ or ${g_2}^{\alpha \beta }$. Using the available information, the adversary could aim to compute either $\beta$ or ${g_2}^{\beta \alpha }$ from three different perspectives:

(2) The adversary could explore the calculation of $\beta$ from $C_0={g_2}^{\beta }$, which is tantamount to addressing the issue of $DL$. Consequently, this challenges the DL assumption.

The adversary might attempt to calculate ${g_2}^{\alpha \beta }$ using ${g_2}^{\alpha }$ and $C_0={g_2}^{\beta }$. Yet, this approach is analogous to addressing the $CDH$ dilemma, thus conflicting with the $\mathrm{CDH}$ hypothesis.

(3) Potential adversary strategy: ${〈{\mathrm{Shr}}_c〉}_{c=1\sim \tau -1}$ could be used to extract $g_2^{\alpha \beta }$. Nevertheless, if at least $\tau$ shares or more of quantity c are gathered, the opponent can only obtain ${g_2}^{\alpha \beta }$, according to the interpolation Lagrange theorem.

$$\prod _{c=1}^{\tau }{\left({\mathrm{Shr}}_c\right)}^{f_c}=\prod _{c=1}^{\tau }{\left(g_1{F}_i\left(c\right)\right)}^{L_0}={g_1}^{{\sum }_{c=1}^e{F}_i\left(c\right)L_o}=g_1{F}_i\left(0\right)={g_2}^{s_{1,i}}={g_2}^{\alpha \beta }$$

(29)

$$f_c=\prod _{j=1,j\ne c}^{\tau }\frac{j}{j-c}$$

(30)

However, the adversary only has a maximum of $\tau -1$ duplicates of share c, making it impossible to retrieve $P_{1,i}$ or $P_{1,i}$ from them. Furthermore, the opponent and the compromised $L_c$ can try to use their existing data to decrypt the remaining ${〈{\mathrm{Shr}}_c〉}_{c=t\sim n}$ to meet the threshold $\tau$. However, based on the assumptions of $DL$ and $CDH$, we have shown that an adversary cannot obtain shares of the pure $L_c$ using publicly available information.

In conclusion, the attacker cannot reassemble $P_{1,i}$ and $Inf{o}_i$ with the corruption of $\tau -1$ or less $L_c$, as long as the $DL$ and $CDH$ assumptions are satisfied.

The attacker makes a determined effort to decipher the secret data in $Inf{o}_i$ using public identity protection information ${\pi }_i$.

$$\prod _{c=1}^t{\left({\mathrm{Shr}}_c\right)}^{L_c}=P_{1,c},{\mathrm{Info}}_c={\pi }_c\oplus Has{h}_1\left(P_{1,c}\right)$$

(31)

In order to safeguard the true identity of $U_i$, M creates identity protection data ${\pi }_i=Has{h}_1\left(P_{1,i}\right)\oplus Inf{o}_i$ specifically for $U_i$. Based on the preceding context, it is infeasible for any attacker to retrieve $P_{1,i}$. Furthermore, with a sufficiently robust security parameter $\kappa$, it becomes challenging to illicitly decipher the genuine identity data info from the protection data ${\pi }_i$. Hence, given a reasonable level of security strength, the adversary is unable to expose info from ${\pi }_i″$.

Overall, the suggested mechanism for safeguarding identity privacy with anonymity and traceability is reliable. Only when $\tau$ or more consensus nodes detect malicious actions by the user will their true identity be exposed. □

Theorem 3.

The data’s confidentiality is guaranteed by this scheme.

Proof. 

The core of the EITDS data-sharing mechanism is the proposed privacy-preserving encryption (PRE) technique, which guarantees the confidentiality of data during transport. Once authorized by the data owner, a new re-encryption key is generated for the receiver and transmitted to the intermediary node $L_c$. Subsequently, the intermediary node $L_c$ utilizes the re-encryption key to modify the encrypted data, enabling the recipient to decrypt the altered data with their corresponding key. Importantly, throughout this process, the intermediary node strictly manages the re-encryption key from $U_i$ and manipulates the encrypted data without accessing any sensitive information from the original or modified data. Ultimately, this approach effectively safeguards data confidentiality. □

Theorem 4.

This scheme can withstand collusion attempts.

Proof. 

The leader selected from the group $N_c$ is referred to as $L_N$. This leader is chosen using the equation $L=(\mathrm{num}modn)+1$. Subsequently, $L_N$ issues a randomly generated encryption key u to ensure data security. If $L_1$ stores the random value $u^{\left(1\right)}$ in a block at height $Has{h}_1$ and logs containing information $m_1$ in the same block, a data requester $U_j$ must combine $u^{\left(1\right)}$ with their personal key $Pr{K}_j$ to calculate $u_j=Has{h}_5{\left(u\right)}^{Pr{K}_j}$ in order to access data linked to said block. Once $u_j$ is calculated, $U_j$ forwards an access request to $U_i$ with the derived data $u_j$. If $U_i$ approves the retrieval of $m_1,U_j$ needs to create a new encrypted key $r{k}_{i\to j}={\left(u_j^{\left(1\right)}\right)}^{a_i/Pr{K}_i}$ using $u_j$ and their private key $Pr{K}_i$, and then send it to the intermediary node.

The group in agreement will vote for Leader $L_c$, the new leader, in accordance with the rules, after the current agreement expires. Additionally, at $Has{h}_2$, the metadata of $m_2$ and the random number $u^{\left(2\right)}$ generated by Leader₂ are both recorded in a block. During the encryption step, the following equations are utilized by $U_i$ to encrypt $m_2$:

$$\left\{\begin{array}{c}{Dec}^{\left(2\right)}=E\left({Hash}_4\left({\mathrm{Pse}}_i\right),{\left(u_i^{\left(2\right)}\right)}^{a_4}\right)\hfill \\ {{CEIT}_1}^{\left(2\right)}=\left(m_2\parallel \phi \right)\oplus {\left({Dec}^{\left(2\right)}\right)}^{{\mathrm{Hash}}_6\left(P_{se}{e}_i\parallel Pub{K}_i\right)}\hfill \\ {CEIT}_2^{\left(2\right)}={Hash}_4{\left({\mathrm{Pse}}_i\right)}^{\left(u^{\left(2\right)}\right)}\hfill \\ {{CEIT}_3}^{\left(2\right)}=\left(u^{\left(2\right)}+{PrK}_i{Hash}_7\left({Dec}^{\left(2\right)}∥CEI{T}_1^{\left(2\right)}∥CEI{T}_2^{\left(2\right)}\right)\right)modq\hfill \end{array}\right.$$

(32)

The proxy node can only obtain ${\left(Has{h}_5\left(u^{\left(1\right)}\right)\right)}^{a_i/Pr{K}_i}$ in relation to the previous random number $u^{\left(1\right)}$ if it conspires with $U_j$ to gain unauthorized access to $m_2$. They can then compute $E\left(p{k}_i,{\left(Has{h}_5\left(u^{\left(1\right)}\right)\right)}^{a_i/Pr{K}_i}\right)=E{\left(Has{h}_4\left(PI{D}_i\right),Has{h}_5\left(u^{\left(1\right)}\right)\right)}^{a_i}$. This is ineffective for accessing $m_2$, though, in contrast to $De{c}^{\left(2\right)}=e{\left(Has{h}_4\left(PI{D}_i\right),Has{h}_5\left(u^{\left(2\right)}\right)\right)}^{a_i}$. This is also true for other types of data. As a result, this method successfully prevents the proxy node and data requesters from cooperating. □

6. Complexity and Experimental Analysis

6.1. Complexity Analysis

In

Table 2. Comparison of different types of blockchains.

Scheme	[38]	[39]	[40]	[41]	Ours
Encrypt	2Exp + 2Pair	8Exp	4Exp	3Exp + 1Pair	3Exp + 1Pair
ReKeyGen	2Exp	2Exp	2Exp	5Exp	4Exp
ReEncrypt	1Exp + 1Pair	2Exp + 5Pair	1Exp + 2Pair	2Exp + 4Pair	4Exp + 1Pair
Self-Decrypt	1Pair	3Exp + 3Pair	–	–	4Exp + 1Pair
ReDecrypt	1Exp + 2Pair	2Exp + 2Pair	1Exp + 3Pair	2Exp + 4Pair	8Exp

, we analyzed the computation costs of encryption, generation of re-encryption keys, re-encryption, self-decryption, and re-decryption within our approach compared to the existing literature. Our emphasis was on examining the most time-intensive tasks in these stages, including exponentiations within group $G_1$ and bilinear pairing e. The time taken for an exponentiation in $G_1$ and a bilinear pairing operation is denoted as Exp and Pair, respectively.

Our technique showed great computational efficiency throughout the re-encryption and re-decryption operations, based on the computational complexity data presented in Table 2. Moderate computing performance was achieved during the encryption and self-decryption stages. Although re-encryption key creation might not provide a significant benefit, the difference was not great.

6.2. Performance Analysis

A thorough performance simulation and quantitative analysis of the EITDS are given in this section. The evaluation took into account the average number of attempts required for each step: initialization, encryption, re-encryption, self-decryption, and re-decryption in proxy re-encryption. The Go language-based PBC library was used to simulate the system in order to replicate real-world conditions. The experiments were carried out with 64 GB of RAM and a quad-core Xeon processor running Ubuntu 20.04.

According to the data presented in Figure 4, the average time spent on initiation, encoding, re-encoding for essential creation, re-encoding, self-decrypting, and re-decrypting was $7.232\mathrm{ms}$, $4.631\mathrm{ms}$, $5.118\mathrm{ms}$, $5.923\mathrm{ms}$, $3.072\mathrm{ms}$, and $10.367\mathrm{ms}$, respectively. The efficiency of encoding, re-encoding, and self-decrypting in the intermediate re-encryption system seems adequate when considering the time allotted to each step. The marginally increased costs associated with essential re-encryption formation and re-decrypt were mostly attributable to the exponential operations, the execution of which was contingent upon the volume and intricacy of the input data. Based on Figure 5a, our technique performed at a medium level during the encryption stage. However, in the re-encryption stages, our scheme’s computational overhead was lowest, as seen in Figure 5b. Based on the comparison above, our technique performed exceptionally well during the encryption and re-encryption phases. All EIT data only needed to be encrypted and saved once, despite our scheme’s medium-level performance during the encryption stage. All things considered, this system’s computational cost stayed within an acceptable and controllable range.

7. Conclusions

This paper proposed an EITDS based on consortium blockchain. The EITDS utilizes a portable EIT data collector to enhance data comprehensiveness and timeliness within the system. To address concerns about malicious user identification, while safeguarding data and identity privacy, the EITDS employs PRE data sharing technology, balancing data anonymity and traceability of identity to enable precise data access control. This technology is designed to withstand collusion attacks, preventing semi-trusted agents from collaborating with data requesters to access unauthorized EIT data. Furthermore, the EITDS integrates blockchain and IPFS distributed storage technology to establish a secure collaborative data storage model, both on and off the chain, addressing the challenge of secure storage for large-scale data. The computational complexity and operational performance of the scheme were analyzed through numerical experiments. Proxy re-encryption excelled in the efficiency of encryption, re-encryption, and self-decryption stages when considering the average time consumption. Through safety comparisons, experimental analysis, and exploration of related technologies, the EITDS was demonstrated to be a secure and efficient medical data sharing system suitable for practical applications.

The solution proposed in this article has some shortcomings, including a slightly cumbersome request and authorization process. Future work will focus on streamlining the user operation steps to enhance the user experience, while maintaining safety. Improvements will be made to the encryption and retrieval algorithms to reduce the data request time.