A Privacy-Preserving Data Transmission Scheme Based on Oblivious Transfer and Blockchain Technology in the Smart Healthcare - Hindawi.com

Hindawi
Security and Communication Networks
Volume 2021, Article ID 5781354, 12 pages
https://doi.org/10.1155/2021/5781354

Research Article
A Privacy-Preserving Data Transmission Scheme Based on
Oblivious Transfer and Blockchain Technology in the
Smart Healthcare

 Huijie Yang ,1 Jian Shen ,1,2 Junqing Lu ,1 Tianqi Zhou ,1 Xueya Xia ,1 and Sai Ji 1,3

 1
 School of Computer and Software, Nanjing University of Information Science and Technology, Nanjing, Jiangsu, China
 2
 Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen, China
 3
 Suqian University, Suqian, Jiangsu, China

 Correspondence should be addressed to Jian Shen; s_shenjian@126.com

 Received 16 June 2021; Accepted 17 August 2021; Published 3 September 2021

 Academic Editor: Debiao He

 Copyright © 2021 Huijie Yang et al. This is an open access article distributed under the Creative Commons Attribution License,
 which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

 With the development of the Internet of Things and the demand for telemedicine, the smart healthcare system has attracted much
 attention in recent years. As a platform for medical data interaction, the smart healthcare system is demanded to ensure the
 privacy of both the receiver and the sender, as well as the security of data transmission. In this paper, we propose a privacy-
 preserving data transmission scheme where both secure ciphertext conversion and malicious users identification are supported. In
 particular, the (OT)nm protocol is introduced to guarantee the two-way privacy of communication parties. Meanwhile, we adopt
 proxy reencryption algorithm to support secure ciphertext conversion so as to ensure the confidentiality of data in many-to-many
 communication pattern. In addition, by taking advantage of the concept of blockchain technology, a novel (OT)nm protocol is
 proposed to prevent data from being tampered with and effectively identify malicious users. Theoretical and experimental analyses
 indicate that the proposed scheme is practical for smart healthcare with high security and efficiency.

1. Introduction and ensure the confidentiality and correctness of the data.
 During the research, scholars discovered that there were two
With the extension of average life expectancy and people’s security challenges in the process of medical data trans-
increasing demand for health, the demand for smart mission [13, 14]: The first is how to ensure the confidentiality
healthcare systems such as telemedicine and e-health system of medical data during the interaction; that is, malicious
is more and more urgent [1–3]. The smart healthcare system users cannot obtain or tamper with the data. The second is
is an IoT health system composed of cloud computing, smart how to realize the two-way privacy protection between the
wearable devices, an expert system based on artificial in- server and the client side. Therefore, we need to discuss and
telligence, and so on [4–6]. The deep learning technology solve the above two security challenges in this paper.
and data mining technology also promote the development Consider the following situation: the patient who suffers
of smart healthcare system [7, 8], which is convenient for from many diseases goes to different specialist hospitals for
doctors to quickly diagnose diseases and formulate medical treatment, and so many medical records are stored by
plans and to ensure that everyone can get adequate medical different servers of hospitals that are not connected in the
resources [9]. In addition, some scholars introduce block- same network. That is, it is difficult for doctors to obtain the
chain technology into the smart healthcare environment data across the different networks. To settle the mentioned
[10–12]. They utilize the characteristics of blockchain such as problem, we suppose that all the data are stored in the same
decentralization and antitampering to design the smart server. However, all data in this server are returned to the
healthcare schemes. Those schemes can realize data sharing doctor when he employs the oblivious transfer (OT)

2 Security and Communication Networks

protocol to request the data, which leads to the high Once a doctor requires u1 data, he needs to employ
communication overhead. Thus, we assume that all data are many private keys of servers to decrypt those ci-
stored in the distributed server, and the users, hospitals, and phertexts. In that way, the privacy of servers where
also servers are all in the smart healthcare system, where the the data is stored will be exposed. By applying this
patients’ records can be accessed by the departments’ novel (OT)nm protocol, a doctor can decrypt all the
doctors from the different hospitals. In fact, the stored data ciphertexts with only his key. In other words, this
are susceptible to collusion or tampering because of the protocol not only queries data quickly but also
semitrusted server. The confidentiality of stored data cannot protects the privacy of servers and doctors. In ad-
be ensured when users employ those data. Additionally, dition, the proposed (OT)nm protocol can efficiently
a user employs the amount of data to request it from the support the access control of users and many-to-
server, which can try to understand the corresponding re- many data transmission pattern.
lationship between the sequence number and the stored (2) A secure data transmission scheme supporting
data. Some researchers utilize the oblivious random access collusion resistance and to prevent data from being
memory (ORAM) protocol [15] to hide that relationship tampered with is proposed. Our scheme is a data
[16, 17]. Meanwhile, it is only applied to some simple secure transmission protocol based on blockchain
systems due to its complex ORAM structure and the great technology and OT technology. We utilize the
increase in cost overheads. Thus, how to ensure that the characteristics of blockchain structure to store the
server makes users know the data without knowing the serial user’s identity in blocks and then form three lists,
number is one of the main contents of our scheme. namely, patient identity list, doctor identity list, and
Moreover, the public keys of the distributed servers are revocation user list. Therefore, our protocol can
different for users owing to those servers which belonged to effectively verify revocation or malicious users and
different hospitals. In view of the above, the data in such resist their collusion attacks. Meanwhile, in terms of
servers can be comprehended by users, which exposes the the hash value in blockchain, malicious users cannot
privacy of stored data. Then, some data are attacked by modify the data.
malicious users to focus on, in accordance with that private
 (3) Data confidentiality is guaranteed and the compu-
information. What is more, the authorities of the user can be
 tation of our scheme is effectively reduced. We
faked or tampered with by the revoked or malicious users
 analyze and prove the security of the proposed
who can collude the data.
 scheme. We provide a performance comparison
 between (OT)nm protocol and other (OT)kn protocols
Motivation of This Paper. As is mentioned above, the existing
 through a theoretical performance analysis and an
data transmission schemes are not suitable for the smart
 experimental analysis.
healthcare environment. Therefore, our goals are to protect
user privacy and guarantee the security of data transmission
based on OT and blockchain technology under the smart 1.2. Related Work. Oblivious transfer (OT) has gradually
healthcare environment. To accomplish this goal, the three become an important research direction in the field of
following crucial issues should be considered for us. First, multiparty computation (MPC). At present, according to the
the confidentiality of data should be assured during the total amount of data and the number of choices, the research
process of data transmission. The medical data are related to of OT protocol is mainly divided into four categories:
the life safety of patients; once they are tampered with or classical oblivious transfer protocol [18], 1-out-of-2 oblivi-
faked, this will endanger the lives of patients and put the ous transfer (OT)12 protocol [19], 1-out-of-n oblivious
hospital in financial compensation. Second, while guaran- transfer (OT)1n protocol [20], and k-out-of-n oblivious
teeing that a piece of accessed data is not known by the transfer (OT)kn protocol [21].
server, the other data in it cannot be learned by the user. In (OT)1n protocol was proposed by Brassard et al. [20]
addition, the stored data in such servers cannot be figured firstly in 1986; they invoked (OT)12 protocol n times to
out. In case of reveal, the privacy of stored data may be implement (OT)1n protocol. On the basis of the above,
leaked out. Finally, the revoked or malicious users who try to Gertner et al. [22] firstly achieved a distributed version of
collude should be discerned by the group manager. They will (OT)1n protocol with information-theoretic security and
go beyond their authority to access data or modify medical sublinear communication complexity. In 2001, Naor et al.
data, leading to medical accidents in the hospital. [23] described a novel (OT)1n protocol, which improved the
 efficiency of multiple invocations of OT applications. In
 2004, Tzeng [24] designed a secure and efficient (OT)1n
1.1. Main Contributions. We design a privacy-preserving
 protocol under the assumption of the decisional Diffie-
scheme for data transmission based on oblivious transfer
 Hellman problem. After that, based on the above, an
and blockchain technology in the smart healthcare envi-
 adaptive k-out-of-n oblivious transfer scheme was proposed
ronment which is to resolve the above issues. The main
 by Chu and Tzeng [25], which allowed the receiver to choose
contributions are as follows:
 the messages one by one adaptively. In 2015, the simplest
 (1) A novel (OT)nm protocol supporting two-way pri- and most efficient protocol for (OT)1n protocol was pre-
 vacy-preserving and distributed servers is proposed. sented by Chou et al. [26] and it could resist some active
 Suppose that u1 data is stored in multiple servers. attacks. Then, in 2007, Hauck et al. [27] proposed an (OT)1n

Security and Communication Networks 3

protocol under the CDH assumption, which was built on converts a ciphertext ma of ua to a ciphertext mb of ub . The
ideas from the CO protocol. In 2020, Wang et al. [28] specific design of this scheme is as follows.
presented an (OT)1n protocol and the Private Set Intersection
 (i) Step 1. Setup(1k ) ⟶ par: This is the initialization
(PSI) protocol to protect user privacy in the case of VANET
 phase for generating parameters. Input security
feature matching.
 parameter 1k and then the public parameters par are
 (OT)kn protocol was proposed by Bellare et al. [21] firstly
 output by this algorithm.
in 1989, where a receiver could select and receive multiple
ciphertexts at one time. Naor et al. [29] described a novel (ii) Step 2. KeyGen(par) ⟶ (pk, sk): This algorithm is
construction for (OT)kn protocol which is more efficient than applied to generate the public-private key pair for
k repetitions of (OT)1n protocol. Then, the classical and users. Public parameter par is input, and then the
universal (OT)kn protocol was designed by Naor et al. [23]. In key pair (pk, sk) is produced for users.
2005, an (OT)kn protocol with adaptive queries was proposed (iii) Step 3. Enc(par, pka , m) ⟶ ma : This algorithm is
by Naro et al. [30], and it was considerably more efficient employed to encrypt the message via a public key
than k repetitions of (OT)1n protocol. After that, Chu et al. pka from ua . pka and message m are input, and then
[31] proposed several two-round (OT)kn protocols under the an original ciphertext ma is produced by this
decisional Diffie-Hellman problem, in which a receiver sent algorithm.
O(k) data to a sender and he returned O(n) data. In 2010, (iv) Step 4. Re − KeyGen(par, ska , pkb ) ⟶ rka⟶b :
a secure and low-bandwidth-consumption (OT)kn scheme This algorithm generates the conversion key, which
based on bilinear pairings was proposed by Chen et al. [32]. realizes the transformation from ma to mb . A private
A novel (OT)kn protocol for private information retrieval key ska of ua and a public key pkb of ub (a ≠ b) are
which was more suitable for smart cities was presented by provided, and the conversion key rka⟶b is output.
Lou et al. [33]. In 2018, Lai el al. [34] proposed an (OT)kn This phase is crucial for reencryption data.
scheme with the least communication cost, which preserved
 (v) Step 5. Re − Enc(par, rka⟶b , ma ) ⟶ mb : To gain
a sender’s security and the privacy of a receiver’s choice.
 the transfer message mb , this algorithm utilizes the
 What is more, some researchers have integrated OT
 conversion key rka⟶b to reencrypt a message ma .
technology into blockchain scheme in order to solve the
 Input A reencryption key and an original ciphertext
problem of easy exposure of private data in the blockchain.
 are input, and then a reencryption ciphertext mb
In 2017, Hsiao et al. [35] combined the advantages and
 from a to b is output.
properties of blockchain and secret sharing scheme, Paillier’s
homomorphic encryption, and oblivious transfer to con- (vi) Step 6. Dec(par, ska , ma ) ⟶ m: Finally, a private
struct a decentralized e-voting system. This scheme could key ska and a ciphertext ma are provided; this al-
protect the anonymity of voter’s identity, the privacy of data gorithm can compute a plaintext m.
transmission, and verifiability of ballots during the billing
phase. In 2019, Tso et al. [36] proposed the decentralized
electronic voting and bidding systems based on a blockchain 2.2. Oblivious Transfer Protocols. The concept of OT was first
and smart contract, which uses cryptographic techniques proposed by Rabin [18] in 1981. In Rabin’s protocol, the
such as oblivious transfer and homomorphic encryptions to sender only wanted the receiver to get the message he
improve privacy protection. Then, in 2021, Li et al. [37] chooses, and the receiver did not want the sender to know
presented a fair scheme for big data exchanging that allows about other messages, which guaranteed the privacy of both
buyers and sellers to autonomously and fairly complete parties. Then, the 1-out-of-2 data transmission protocol
transactions, without involving any third-party middle under the semihonest model through three public key
person. This scheme employed OT technology to preserve cryptography operations was implemented by Naro and
the privacy of transactions. Pinkas [23]. The steps of (OT21 ) protocol are as follows:
 (i) Setup: The system generates two prime orders q and
 p, where q|p − 1 holds. Gp is a p-order subgroup of
1.3. Organization. The structure of the paper is organized as Z∗p ; and the system sets g as the generator of Z∗p .
follows. Some preliminaries in cryptographic are presented
in Section 2. The system model, design goals, and threat (ii) Input: The sender inputs (X0 , X1 ), and receiver
model are described in Section 3. The proposed scheme is inputs r.
introduced in detail in Section 4. The security and perfor- (iii) Output: The receiver outputs Xr .
mance analyses are provided in Sections 5 and 6, re-
 (a) Step 1. The sender generates a random number C
spectively. Section 7 concludes this paper and our work.
 and a, computes ga and Ca , and broadcasts C.
 (b) Step 2. The receiver generates a random number
2. Preliminaries k(1 ≤ k ≤ q); and two public keys pkr and pk1−r are
 generated, where pkr � gk and pk1−r � C/gk hold.
2.1. Proxy Reencryption Technology. We adopt the key-pri-
 Then, the number pk0 is sent to the sender.
vate proxy reencryption scheme which was proposed by
Ateniese et al. [38]. This algorithm applies proxy reen- (c) Step 3. The sender calculates (pka0 ) and
cryption technology to achieve ciphertext conversion, which (pka1 ) � Ca /pka0 . At the same time, he encrypts the

4 Security and Communication Networks

 data (X0 , X1 ), respectively. The equations are as blockchain transaction. It includes the SOLO,
 follows: Kafka, PBFT, and SBFT.
 a
 E0 � ga , hash pk0 ⊕x0 ,
 a (1) 3. Problem Statement
 E1 � ga , hash pk1 ⊕x1 .
 3.1. System Model. Our proposed scheme can be utilized to
 (d) Step 4. The receiver computes securely transfer data and also realize the privacy-preserving
 hash(pkar ) � hash((ga )k ) and xr ; that is, of the clients and servers. On the one hand, the private
 a
 Er � hash pkr , r ⊕xr ⊕hash pkar , r . (2) information of client side is protected. That is, a user has
 permission in virtue of the data’s serial number to access
 data, yet he does not know which server the data is stored in.
 The concept of (OTnk ) protocol is presented as follows.
 On the other hand, the private information of servers is
The sender encrypts the n secret messages M0 , M1 , . . . , Mn−1
 protected. That is, a user only can obtain the requested data,
and sends them to the receiver; and the receiver can only
 and the other data are cannot be learned. This scheme is
recover k of them:
 mainly designed in accordance with the actual situation of
 M α1 , Mα1 , . . . , Mαk , (3) the smart healthcare environment. Both doctors and other
 healthcare workers look forward to acquiring treatment
where α1 , . . . , αk ∈ Z∗p holds. However, the receiver cannot records about a patient in all hospitals as soon as possible.
determine which M α1 , Mα1 , . . . , Mαk from Moreover, the confidentiality of data can be ensured in our
M0 , M1 , . . . , Mn−1 are required. scheme, in which a user employs his private key to decrypt
 the stored data in servers rather than private keys of servers.
 In addition, this scheme also resists collusion attacks by
2.3. Blockchain Technology. Blockchain is a kind of ledger revoked or malicious users. The system model contains three
technology that is jointly maintained by multiple parties, can entities, doctors/ patients (client side), a proxy (blockchain),
achieve consistent data storage, is difficult to tamper with, and and servers. Figure 1 shows a system model of the proposed
prevents denial [39, 40]. It has also become a distributed ledger scheme.
technology. The blockchain is classified into the permissioned A patient cures his diseases in different hospitals or in the
blockchain and the unlicensed blockchain according to same hospitals. In general, the data is stored in the nearest
whether the system has the node access mechanism. The fabric server, which is a server of the current hospital. This means
is employed in our paper, which belongs to the consortium that if a patient has seen a disease in different hospitals,
Blockchain and is also the first distributed system of blockchain multiple servers (different hospitals) store the patient’s data.
with an access mechanism [41]. Fabric is a modular, extensible, Our scheme implements a many-to-many model with users
general-purpose blockchain with an access mechanism that and servers. Firstly, doctors and patients register their
supports the execution of distributed applications written in identities with the blockchain. The blockchain generates
standard programming languages. The key components of a list of user identities and a list of revoked users so that it can
fabric are as follows [42]. verify their identities. Secondly, a doctor uses the private key
 (i) Peers: There are four kinds of peers in Fabric. of user to encrypt the medical records and then uploads
 them to a server of his hospital. When a patient goes to
 (a) Committing peer: Each peer in the channel is a hospital to treat his heart disease, his doctor of this de-
 the committing peer. It receives the generated partment can gain his past medical records in servers.
 transaction block, obtains the block structure, Thirdly, a doctor sends a request to blockchain for obtaining
 and verifies the legitimacy of the block structure. a patient’s records. The blockchain verifies and checks his
 (b) Endorsing peer: The client application must use identity. If yes, the ciphertext encrypted with the patient’s
 its smart contract to complete the verification of key needs to be converted into ciphertext which can be
 the transaction, simulate the operation of the decrypted by doctors. The patient and blockchain run the
 transaction, and generate a transaction response encryption phase to complete the transformation of ci-
 containing a digital signature. phertext. Fourthly, the blockchain transmits a request which
 (c) Leader peer: When the channel has multiple includes some serial numbers of data to servers. Only servers
 peers, the leader peer is responsible for dis- that store the corresponding data respond to that request.
 tributing transactions from the ordering peer to Finally, the OT protocol is implemented between the doctor
 other committing peers. and the server to transmit and decrypt the request data.
 (d) Anchor peer: It helps to communicate with
 peers in other organizations.
 (ii) Channel: The channel includes many authorized 3.2. Threat Model. In this section, the security goals and the
 users, and each user can belong to different security models for OTnm are provided.
 channels.
 (iii) Consensus mechanism: It is defined as the com- Definition 1. A secure and privacy-preserving (OT)nm pro-
 prehensive verification of the correctness of the tocol should satisfy the following requirements:

Security and Communication Networks 5

 hash value hash value hash value
 timestamp timestamp ... timestamp

 3 transform ciphertext data data data

 ...
 ...

 blockchain
 2 request pid ’s data

 patient pid doctor 1 server 1
 4 execute OT protocol

 pid ’s
 1 upload pid ’s data
 doctor 2 server 2

 ...

 1 upload pid ’s data

 doctor n
 server n

 Figure 1: The system model of our scheme.

 (1) The (OT)nm protocol should protect the privacy of (iv) Decrypt: Adversary A outputs plaintext mt . If mt is
 servers; namely, the users cannot obtain data from right, adversary A breaks the server privacy of the
 the server other than what they requested. OTnm protocol.
 (2) The (OT)nm protocol should protect the privacy of The security model for user privacy of the OTnm protocol
 users; namely, the servers cannot figure out what is described as follows. In this model, adversary A plays the
 data the users access. role of servers and the challenger plays the role of users (the
 The security model for server privacy of the OTnm pro- users are trusted). The advantage of A to break the server
tocol is described as follows. In this model, adversary A privacy is defined as follows:
plays the role of users and challenger C plays the role of 1
servers (the servers are trusted). The advantage of A to break AdvA � Pr[A wins] − . (5)
the server privacy is defined as follows: 2

 AdvA � Pr[A wins]. (4) (i) Setup: The system generates system parameters
 and sends the private keys to the blockchain. Then
 (i) Setup: The system generates system parameters and the blockchain generates several necessary pa-
 sends the private keys to the blockchain. Then the rameters for adversary A. The users choose j data
 blockchain generates several necessary parameters that they can access and choose corresponding aj
 for servers. Adversary A chooses j data that it can from Z∗p . Then, the blockchain sends corre-
 access and chooses the corresponding aj from Z∗p . sponding Dj to the users and the servers sends all
 Adversary A outputs its target t(t ∉ j ). Then, the ciphertexts ci . Adversary A outputs its target
 blockchain sends corresponding Dj to adversary A t0 , t1 (t0 , t1 ∈ j ).
 and the servers send all ciphertexts ci . (ii) Hash Query: Adversary A can query the hash value
 (ii) Hash Query: Adversary A can query the hash value via this oracle. It takes as input information and
 via this oracle. It takes as input information and outputs hash value.
 R
 outputs hash value. (iii) Challenge: The user selects b←{0, 1} and outputs Atb
 (iii) Decrypt Query: Adversary A can query plaintext mi and Dtb .
 of ciphertext ci but not ciphertext ct . (iv) Guess: Adversary A outputs b∗ . If b � b∗ , A wins.

6 Security and Communication Networks

4. The Proposed Scheme Table 1: Correspondence between symbols and definitions.
 Symbols Definition
The proposed scheme is presented in detail in this section.
Our scheme can be divided into four parts, in which the n The serial number of data
 pi d , di d The identity of the patients and doctors
initialization phase is introduced in Section 4.1, the user
 Data with serial number m requested by the
registration phase is described in Section 4.2, the encryption δm
 user
phase is stated in Section 4.3, and the data access phase and ky The employed key of server in OT protocol
(OT)nm protocol phase among three roles are illustrated in The stored server subkey of proxy in OT
Sections 4.4 and 4.5, respectively. ky′
 protocol
 In the smart healthcare system, in the face of complex wn The hash value of the serial number
diseases, the attending doctor will conduct multidepartment (skp , pkp ) The public-private key pairs of patients
consultations or cross-hospital consultations, which are (skd , pkd ) The public-private key pairs of doctors
more common. In addition, a patient can treat diseases in rkp⟶d The transform key from patient to doctor
different hospitals, a hospital has its own servers, and the β The attribute sets of all the users
users who have access permission can request the data of un � an , bn , . . . , zn The set of each attribute of the user
servers in the smart healthcare system. In our scheme, to tagmi The tag for each piece of data
protect the two-way privacy of the server and user, the data
are allocated to the nearest server randomly, which obeys the h1 : {0, 1}n ⟶ G and h2 : {0, 1}n ⟶ {0, 1}l , where l is the
principle of proximity; that is, the user with permission can fixed value.
store the data in which the server is near. We show the main We initialize the device of proxy based on the block-
idea of the system by giving an example. A patient suffers chain. The security parameter s is input; the blockchain
from high blood pressure, heart disease, and toothache. computes the formulas f � gκ and wi � h1 (i), where i
When he goes to the dental clinic, the doctor not only needs represents the label of the patient’s medical data. Then, the
 k′ k′
to diagnose his teeth but also prescribes medicine or pre- blockchain computes R1i � wi 1, . . . , Ryi � wi y and the fol-
pares for surgery based on his other medical history. At this lowing finite sets are satisfied, where 0 < i < n + 1 and i ∈ Z∗p
moment, an attending doctor verifies his permission to hold. f is sent to the user. Then R1 , R2 , . . . , Ry are sent to
request all the data about that patient. The requests can be servers S1 , S2 , . . . , Sy orderly.
sent to the determined server which has stored the data of
 k′ k′ ′
that patient. Then, to protect the privacy information, only S1 : R1 � w11, w21, . . . , wkn1 ,
the determined server delivers all its data to the requester by
using the designed (OT)nm protocol. This protocol guaran- ⋮ (6)
tees that the server does not have idea about the accessed k′ k′ k′
data, and the user cannot obtain the extra data and figure out Sy : Ry � w1y, w2y, . . . , wny .
the source of data. For instance, if the sequence number 5 is
requested from the user, he sends the requirement to all the The symbols and the corresponding meanings are shown
servers in the smart healthcare system. Only sever Sy that has in Table 1.
the data about that patient responds to the request. More
comprehensively, assume that the sequence number d is
accessed; the user sends the requests to servers S1 , S2 , . . . , Sy 4.2. User Registration Phase. We integrate blockchain
(the needed data are in servers Sa and Sb ). At last, servers Sa technology into user registration phase to maintain the
and Sb have the opportunity to communicate with the user. identity lists about users. The data is requested via proxy,
In the meantime, blockchain technology is merged into our while the blockchain inquires and verifies the user’s identity
scheme, which maintains the attributes list and stops user in accordance with his tag. Only through the verification can
attributes from being tampered with. Correspondence be- the (OT)nm protocol be executed to transmit the data. There
tween symbols and definitions is shown in Table 1. are five functions of blockchain in our scheme; they are
 described briefly as follows:
 (i) The committing peer generates and maintains
4.1. Initialization Phase. We hypothesize that there are y blocks for users.
distributed servers, and the users with permission to ma- (ii) The identity of required users is verified.
nipulate data (e.g., the doctor, nurse, and healthcare worker)
 (iii) The endorsing peer verifies the legality of updated
have n data, and each piece of data has the same bits.
 identities; if the transaction is legal, the peer sim-
 Input the security parameter s, and then the system
 ulates to perform the smart contract. Then, it sends
randomly selects the number
 the updated lists to users.
 k1 , k2 , . . . , ky , k1′, k2′, . . . , ky′ ∈ Z∗p , where the formal k1 +
k1′ � κ (κ ∈ Z∗p ) holds, server Si possesses ki , and (iv) The attributes are prevented from being faked
 κ, k1′, . . . ky′ is stored in the blockchain. Set G � < g > , GT through utilizing the structural characteristics of the
as the multiplicative cyclic groups, with bilinear mapping block.
e: G × G ⟶ GT , randomly choose generator g1 ∈ G, and (v) The revoked and malicious users are distinguished
compute α � e(g, g1 ). Set the hash functions to preclude them from colluding the data.

Security and Communication Networks 7

 The user registration phase contains the four following 4.4. Data Access Phase
steps to accomplish the registration:
 (i) Step 1. When doctor did sees a patient pid , he sends
 (i) Step 1. The key generation center (KGC) chooses pid and pkd to the blockchain, along with the proof
 R
 xp,1 , xp,2 ←Z∗p as the patient’s private key Πdid � (Committ1 , Committ2 , c, R1 , R2 ), where
 skp � (xp,1 , xp,2 ) and computes the patient’s public Committ1 � αr1 , Committ � �
 2 � gr2 , �
 R � � �
 key pkp � (pkp,1 � αxp,1 , pkp,2 � gxp,2 ). Then, it r1 , r2 ←Z∗p , c � h0 (did ��pkd ��Committ1 ��Committ2 ),
 sends (skp , pkp ) to the patient through the secure R1 � r1 + c × xd,1 , and R2 � r2 + c × xd,2 .
 channel. (ii) Step 2.�
 � �� The blockchain
 �� computes
 (ii) Step 2. The key generation center (KGC) chooses
 R
 c � h0 (did ��pkd ��Committ1 ��Committ2 ) and checks
 ?
 xd,1 , xd,2 ←Z∗p as the doctor’s private key whether αR1 � Committ1 · pkcd,1 and
 ?
 skd � (xd,1 , xd,2 ) and computes the doctor’s public key gR2 � Committ2 · pkcd,2 . If the above equation holds,
 pkd � (pkd,1 � αxd,1 , pkd,2 � gxd,2 ). Then, it sends the blockchain checks whether the tuple (did , pkd )
 (skd , pkd ) to the doctor through the secure channel. belongs to the doctors list. If yes, the blockchain
 (iii) Step 3. KGC inserts (pkp , pid ) into the patient list executes the next step.
 and inserts (pkd , did ) into the doctor list. Then KGC (iii) Step 3. The blockchain sends pkd to patient pid . The
 sends the above lists to the blockchain via the smart patient computes transform key tkp⟶d via Re −
 contract. KeyGen(skp , pkd ) in the KP − PRE scheme and
 sends it to the blockchain.
 (iv) Step 4. The blockchain sends tkp⟶d and pid to all
4.3. Encryption Phase. After the doctor diagnoses the servers. The servers transform ciphertext m of pa-
patient, he records the medical data on the computer. tient pid , namely, compute
Subsequently, the encryption algorithm will be executed ctd ←KP − PRE.ReEnc(tkp⟶d , ctp ).
on the data.
 (i) Step 1. Verify(did , pkd , skd ): The doctor chooses
 R
 r1 , r2 ←Z∗p , computes Committ r 4.5. (OT)nm Protocol Phase. Assume that doctor did treats pid ’s
 �� 1 ��� α 1 and�
 � heart disease; he sends a data request which includes all the
 Committ2 � g , r2
 c � h0 (did �pkd �Committ1 ��
 � �
 Committ2 ), and computes responses R1 � r1 + c × serial numbers of data from different hospitals about this
 xd,1 and R2 � r2 + c × xd,2 . Then, the doctor sends patient’s heart treatment records to servers. Suppose that the
 Πproof � (Committ1 , Committ2 , c, R1 , R2 ) and doctor needs to require the data with the serial number
 (did , pkd ) to the blockchain. Once the blockchain sn � δ1 , δ2 , . . . , δm , and those data are stored in servers
 obtains (Πproof , did , pkd ), it computes S1 , . . ., Si , . . . , Sn . The steps of the (OT)nm algorithm are shown
 �� �� �� in Figure 2.
 c � h0 (did ��pkd ��Committ1 ��Committ2 ) and checks
 ?
 whether αR1 � Committ1 · pkcd,1 and (i) Step 1. The doctor (client side) transmits request sn
 R2 ? c to the blockchain side. Then, server Si responds and
 g � Committ2 · pkd,2 . If the above equation holds,
 the blockchain checks whether the tuple (did , pkd ) executes the following steps.
 belongs to the doctors list. If yes, the verification (ii) Step 2. The client side selects parameters aj ∈ Z∗p
 process is completed. Then, the doctor can upload randomly and computes all parameters Aj of serial
 data. number of data; that is, Aj � wj gaj , where
 (ii) Step 2. GenTag(mkw , pid , dep): In order to facilitate 0 < j < m + 1(j ∈ Z∗p ) holds and parameters
 users to accurately access data, the data needs to be w1 , . . . , wm are calculated previously. Then, (Aj , ga )
 classified in the light of departments and patients. is sent to the blockchain.
 Generate a tag tagmi � GenTag(mkw , pid , dep) cor- (iii) Step 3. The blockchain side computes Dj � (Aj )κ
 responding to the departments dep and patients pid , ′
 and ϵ′ � gak′1, gak′2, . . . , gaky and sends ϵ′i to server
 and add it to m. The advantage of this is that the
 doctor can accurately acquire all the data about Si . Then, it delivers Dj and f to the client side.
 a certain department of this patient, and some in- (iv) Step 4. The server side computes �� all the ciphertexts
 k
 valid data are automatically removed, where the of its ci � ctd,i ⊕h2 (wi y Ryy′i���gaky ϵy′) and transmits ci
 communication overhead of gained data by the OT to the client side.
 protocol is reduced. (v) Step 5. Only if δi ∈ sn meets, the formulas Yj �
 ��
 (iii) Step 3. Encrypt(m, pkp , tagmi ) � ctp : The doctor (Dj /faj )��fa and ctd,j � cj ⊕h2 (Yj ) can be com-
 encrypts data m of patient, which employs the puted. After that, the ciphertexts of requested data
 patent’s public key pkp and encryption (Enc) al- sn are calculated.
 gorithm from KP − PRE scheme [38]. Then, upload (vi) Step 6. Decrypt(ctd,j , skd ) � mj . The doctor em-
 the ciphertext to the server. ploys his key skd to decrypt the above ciphertext.

8 Security and Communication Networks

 Finally, the doctor obtains all the heart disease and outputs wi to adversary A.
 records about that patient. R
 (iii) Challenge: Challenger C chooses b←{0, 1} and sets
 α
 Atb � g and Dtb � Z.
5. Security Analysis (iv) Guess: Adversary A outputs b∗ . If b∗ � b, challenger
 C outputs p � 1 (i.e., Z � gαβ ). Otherwise, C outputs
Theorem 1. The proposed OT nm is server privacy, if the R
 p � 0 (i.e., Z←G).
CDH assumption holds. Assume that any probability
polynomial time adversary A can break the server privacy
of the scheme; it can be utilized to solve CDH problem. The Proof:. We assume that the probability of challenger C
definition of CDH problem is that, given a tuple obtaining Z � gαβ is 1/2 and the probability of obtaining
 R R
(G, g, gα , gβ ) where α, β←Z∗p , the adversary should com- Z←G is also 1/2. We assume that the advantage of A
pute gαβ . winning is ϵ and denote by E challenger C solving the DDH
 problem. It is easily deduced that Pr[p � 1|Z � gαβ ] � 1/2 +
 (i) Setup: In this phase, after challenger C obtains the R
 R ϵ and Pr[p � 0|Z←G] � 1/2Pr. Therefore, we can get
 CDH tuple (G, g, gα , gβ ) where α, β←Z∗p , it sets k �
 AdvD D H � Pr[C wins] − 1/2 � Pr[p � 1|Z � gαβ ] × 1/2 +
 α and f � gα . Then, it generates other system pa- R
 Pr[p � 0|Z←G] × 1/2 − 1/2 � (1/2 + ϵ)×
 rameters to complete the setup of the whole scheme.
 1/2 + 1/2 × 1/2 − 1/2 � ϵ/2. So, ϵ � 2 × AdvD D H . Since the
 (ii) Query: In the hash query phase, adversary A queries DDH assumption holds, it is difficult for A to decide
 the value of wi . Challenger C sets ?
 whether Z� gαβ . Therefore, adversary A’s advantage to
 ⎪
 ⎧ β R ∗ break the user privacy is negligible. □
 ⎨ g i βi ←Zp , i ≠ t,
 wi � ⎪ (7)
 ⎩ β Theorem 3. Any revoked user cannot tamper with the data
 g , i � t.
 or his identity. Malicious or revoked users cannot get through
 and outputs wi to adversary A. In the Decrypt query the verification at our scheme. Meanwhile, if they attempt to
 phase, adversary A cannot query the plaintext of request data, then they would be identified via the scheme.
 ciphertext ct . Therefore, the malicious or revoked users do not obtain the
 permission to request the data.
 (iii) Decrypt: Adversary A outputs plaintext m′t. If
 m′t � mt , A wins this game.
 Proof:. Firstly, the user needs to get through the identity
 authentication at the data access phase. Whether this for-
 ?
Proof:. � If mt is right, it means that A can compute mula Committui · pkcd,ui , gR � Committur · pkcd,ur is satisfied
 �
Yt � wkt ��fa , where wkt � gαβ . Therefore, challenger C can is checked. In general, a malicious user’s commitment value
utilize the adversary to output the solution wkt � gαβ of the cannot meet the calculation formula, and he would be
CDH problem. In conclusion, if A wins, challenger C can judged as an invalid user by scheme. Secondly, even if
output gαβ to solve the CDH problem. We can obtain that a malicious user tries to modify his identity, the list of user
 server privacy
AdvA ≤ AdvCDH
 A . □ identities is stored in the blockchain. That is, the modified
 identity cannot satisfy the formula
Theorem 2. The proposed OT nm is user privacy, if the DDH Hash256 (dui ) � Hash256 (dur ). Then, that malicious user
assumption holds. Assume that any probability polynomial time would be judged as an invalid user.
adversary A can break the user privacy of the scheme; it can be (OT)m m ensures the two-way privacy of communication
utilized to solve DDH problem. The definition of DDH problem parties, and the proxy reencryption algorithm is secure.
 R Therefore, the confidentiality of data can be protected by our
is that, given a tuple (G, g, gα , gβ , Z) where α, β←Z∗p , Z � gαβ ,
 R
or Z←G, the adversary should decide whether Z � gαβ . proposed scheme. □
 (i) Setup: In this phase, after challenger C obtains the 6. Performance
 R
 DDH tuple (G, g, gα , gβ , Z) where α, β←Z∗p and
 R αβ β
 Z←G or Z � g , it sets k � β and f � g . Then, it In this section, we first analyze the proposed scheme and
 generates other system parameters to complete the provide a simplified comparison in Table 2. Then, an ex-
 setup of the whole scheme. perimental evaluation of the proposed scheme is presented.
 (ii) Query: In this phase, adversary A queries the value of
 wi , and challenger C guesses the targets of adversary
 6.1. Performance Analysis. In our scheme, most of com-
 A, t0 and t1 . Then, it sets putation cost comes from the XOR operation, hash oper-
 ⎪
 ⎧ R ation, Weil operation, power operation in G1 , and power
 ⎪
 ⎨g
 ⎪
 − at +α
 b � g− atb · gα , ∗
 atb ←Zp , i � t0 ∨i � t1 ,
 operation in GT , which are denoted as Tx , Th , Te , TE1 , and
 wi � ⎪
 ⎪
 ⎪ R ∗ TET . In Table 2, nd presents the number of doctors registered,
 ⎩ g ai , ai ←Zp , i ≠ t0 ∧i ≠ t1 , np describes the number of patients registered, nc is the
 (8) number of patient ciphertexts, ny illustrates the number of
 servers, and nj states the number of j.

Security and Communication Networks 9

 Input: the series number sn = {δ 1,δ2,..., δm}

 Output: the requested data mj (0 < j < m + 1)

 The client side The blockchain side The server side Si

 choose t,aj *p
 computer gt, Aj = wj gja
 w1 =h1( δ1),...,wm =h1( δm)
 (Aj,ga)

 computer Dj = (Aj)κ
 ∈′ = {gak1’ ,gak2’ ,...,gaky’ }
 Dj ∈′i

 computer

 ci Ryn = wnky′
 ci = ctd,i h2 (wiky R yyi’ || gaky)∈y′
 computer Yj = (Dj / f aj)|| f a
 ctd,j = cj h2 (Yj)

 decrypt Decrypt(ctd,j,skd) = mj
 obtain mj

 Figure 2: The steps of the (OT)nm algorithm.

 Table 2: Computational cost comparison.
Entities Registration phase Encryption phase Data access phase (OT)nm phase
KGC (nd + np )(TE1 + TET ) — — —
Client — 2TE1 + 3TET + Th 4TE1 + 3TET + Th + Tp nj (3TE1 + TET + Th )
Blockchain — 2TE1 + 2TET + Th 2TE1 + 2TET + Th TE1 (nj + ny )
Servers — — nc (2Tp + 2TET ) nc (2TE1 + Th )
Tx : XOR operation; Te : Weil operation; Th : hash operation; TE1 : power operation in G1 ; and TET : power operation in GT . nd : the number of doctors registered;
np : the number of patients registered; nc : the number of patient ciphertexts; ny : the number of servers; nj : the number of j.

 In registration phase, KGC generates the public-private Core(TM) i5-9500 CPU @ 3.00 GHz 3.00 GHz; (2) random
key pairs for doctors and patients, and it costs computation access memory: 8.0 GB; (3) OS: Ubuntu 14.04 over VMware
overhead (nd + np )(TE1 + TET ). In encryption phase, workstation full 12.5.2; (4) system type: 64-bit.
blockchain verifies and checks the identities of client via lists We provide the computation comparison between
to discern malicious or revoked users, which costs 4TE1 + doctors and patients in the (OT)nm protocol in Figure 3. The
2TET + Th computation overhead. Also, this phase is applied X-axis describes the number of j requested by doctors. The
to encrypt the plaintext by using private key of patients, Y-axis represents the time cost to perform the (OT)nm
which defends the data confidentiality and costs 2TE1 + TET protocol in doctor side and patient side. As shown in Fig-
computation overhead. In data access phase, the ciphertext ure 3, the time cost of doctors is higher than that of patients.
encrypted with the user’s key should be converted into the The patient only needs to assist the blockchain to complete
ciphertext encrypted with the doctor’s key, which costs the transformation of the ciphertext. However, doctors need
3TE1 + TET + Tp computation overhead. Moreover, this to participate in all the (OT)nm protocols and calculate the
phase is also not involved in the general OT protocol, mainly transmission ciphertext of j data. Meanwhile, if the length of
to hide the access path of the server. In the (OT)nm phase, it the ciphertext is fixed, the cost of transforming the ciphertext
realizes the privacy-preserving of clients and servers. is roughly the same. Therefore, the patient’s expenditure at
 this phase is approximately straight.
 We provide the computation comparison of client side,
6.2. Performance Evaluation. We simulate our proposed blockchain, and servers in Figure 4. In order to make the
scheme employing the C language with PBC library (pbc- comparison more obvious, the three entities are put in
0.5.14) and GMP library (GMP-6.1.2) to evaluate the (OT)nm Figures 4 and 5. The computational overhead of the client
protocol. All simulations are implemented on a desktop side and blockchain is described in Figure 4; the X-axis
computer with the following features: (1) CPU: Intel(R) represents the number of j and assumes that the number of

10 Security and Communication Networks

 0.6 meantime, this protocol uses the many-to-many data
 transmission pattern.
 0.5

 0.4
 7. Conclusion
 Time (s)

 0.3
 In this paper, a privacy-preserving data transmission scheme
 0.2 based on the oblivious transfer and blockchain technology in
 0.1 the smart healthcare system is proposed. Based on the proxy
 reencryption technology, the proposed (OT)nm protocol can
 0 implement the ciphertext conversion to ensure the privacy of
 1 5 10 15 20 25 30
 servers. Meantime, the two-way privacy between the client
 The number of j side and servers is guaranteed via the proposed (OT)nm
 Doctors protocol, which also ensures the security and efficiency of
 Patients data transmission. By taking advantage of blockchain
Figure 3: The computation comparison between doctors and
 technology, the proposed scheme can prevent data from
patients in (OT)nm . being tampered with and effectively identify malicious users.
 After analyzing the protocol security, the confidentiality of
 data and security of our scheme are proved. Finally, the
 results of performance evaluation and experimental com-
 parison can be considered as a validation of our protocol,
 1.6
 making it substantially more convincing.
 1.4
 1.2
 1 Data Availability
 Time (s)

 0.8
 The data used to support the findings of this study are
 0.6 available from the corresponding author upon request.
 0.4
 0.2
 Conflicts of Interest
 0
 5 15 25 35 45 55 65 75
 Numbers
 The authors declare that they have no conflicts of interest.

 Client-side
 Blockchain
 Acknowledgments
Figure 4: The computation comparison of the client side and This work was supported by the National Natural Science
blockchain in (OT)nm . Foundation of China under Grant nos. U1836115, 61672295,
 61922045, and 61672290; the Peng Cheng Laboratory Project
 of Guangdong Province PCL2018KP004; the Postgraduate
 Research and Practice Innovation Program of Jiangsu
 1.6 Province (KYCX21_1003, KYCX21_0998, and
 1.4 KYCX21_1002); the CICAEET fund; and the PAPD fund.
 Servers
 1.2
 1 References
 Times (s)

 0.8
 [1] G. Manogaran, R. Varatharajan, D. Lopez, P. M. Kumar,
 0.6 R. Sundarasekar, and C. Thota, “A new architecture of In-
 0.4 ternet of Things and big data ecosystem for secured smart
 0.2 healthcare monitoring and alerting system,” Future Genera-
 0 tion Computer Systems, vol. 82, pp. 375–387, 2018.
 5 15 25 35 45 55 65 75 [2] M. Mettler, “Blockchain technology in healthcare: the revo-
 Numbers lution starts here,” in Proceedings of the 2016 IEEE 18th In-
 ternational Conference on E-Health Networking, Applications
Figure 5: The computation comparison of the servers in (OT)nm . and Services (Healthcom), pp. 1–3, IEEE, Munich, Germany,
 September 2016.
servers is 10. For the server side, the X-axis represents the [3] J. Liang, Z. Qin, S. Xiao, L. Ou, and X. Lin, “Efficient and
 secure decision tree classification for cloud-assisted online
number of patient ciphertexts in Figure 5. As shown in the
 diagnosis services,” IEEE Transactions on Dependable and
figures, we find that the overhead of the client is much higher Secure Computing, vol. 18, no. 4, pp. 1632–1644, 2021.
than that of other entities. The proposed (OT)nm protocol is [4] L. Catarinucci, D. De Donno, L. Mainetti et al., “An IoT-aware
an interactive protocol, which requires interaction between architecture for smart healthcare systems,” IEEE Internet of
client side and servers to complete data transmission. At the Things Journal, vol. 2, no. 6, pp. 515–526, 2015.

Security and Communication Networks 11

 [5] M. M. Baig and H. Gholamhosseini, “Smart health monitoring Journal of Computer and System Sciences, vol. 60, no. 3,
 systems: an overview of design and modeling,” Journal of pp. 592–629, 2000.
 Medical Systems, vol. 37, pp. 9898–9914, 2013. [23] M. Naor and B. Pinkas, “Efficient oblivious transfer pro-
 [6] A. Solanas, C. Patsakis, M. Conti et al., “Smart health: tocols,” in Proceedings of the twelfth annual ACM-SIAM
 a context-aware health paradigm within smart cities,” IEEE symposium on Discrete algorithms SODA, vol. 1, pp. 448–457,
 Communications Magazine, vol. 52, no. 8, pp. 74–81, 2014. Washington, DC, USA, January 2001.
 [7] Y. S. Su, T. J. Ding, and M. Y. Chen, “Deep learning methods [24] W.G. Tzeng, “Efficient 1-out-of-n oblivious transfer schemes
 in Internet of medical things for valvular heart disease with universally usable parameters,” IEEE Transactions on
 screening system,” IEEE Internet of Things Journal, p. 1, 2021. Computers, vol. 53, no. 2, pp. 232–240, 2004.
 [8] Y. S. Su and S. Y. Wu, “Applying data mining techniques to [25] C. K. Chu and W. G. Tzeng, “Efficient k-out-of-n oblivious
 explore user behaviors and watching video patterns in con- transfer schemes with adaptive and non-adaptive queries,” in
 verged it environments,” Journal of Ambient Intelligence and Proceedings of the International Workshop on Public Key
 Humanized Computing, pp. 1–8, 2021. Cryptography, pp. 172–183, Springer, Les Diablerets, Swit-
 [9] M. Hartmann, U. S. Hashmi, and A. Imran, “Edge computing zerland, January 2005.
 in smart health care systems: review, challenges, and research [26] T. Chou and C. Orlandi, “The simplest protocol for oblivious
 directions,” Transactions on Emerging Telecommunications transfer,” in Proceedings of the International Conference on
 Technologies, Article ID e3710, 2019. Cryptology and Information Security in Latin America,
[10] J. Qiu, X. Liang, S. Shetty, and D. Bowden, “Towards secure and pp. 40–58, Springer, Guadalajara, Mexico, August 2015.
 smart healthcare in smart cities using blockchain,” in Pro- [27] E. Hauck and J. Loss, “Efficient and universally composable
 ceedings of the 2018 IEEE International Smart Cities Conference protocols for oblivious transfer from the CDH assumption,”
 (ISC2), pp. 1–4, Kansas City, MO, USA, September 2018. IACR Cryptology ePrint Archive, Report 2017/1011, 2017.
[11] N. Tariq, A. Qamar, M. Asim, and F. A. Khan, “Blockchain [28] X. Wang, X. Kuang, J. Li, J. Li, X. Chen, and Z. Liu, “Oblivious
 and smart healthcare security: a survey,” Procedia Computer transfer for privacy-preserving in VANET’s feature match-
 Science, vol. 175, pp. 615–620, 2020. ing,” IEEE Transactions on Intelligent Transportation Systems,
[12] J. Alghazo, G. Rathee, S. Gupta et al., “A secure multimedia vol. 22, no. 7, pp. 4359–4366, 2021.
 processing through blockchain in smart healthcare systems,” [29] M. Naor and B. Pinkas, “Oblivious transfer and polynomial
 ACM Transactions on Multimedia Computing, Communica- evaluation,” in Proceedings of the Thirty-First Annual ACM
 tions, and Applications, 2020. Symposium on Theory of Computing, pp. 245–254, Atlanta,
[13] J. Shen, Z. Gui, X. Chen, J. Zhang, and Y. Xiang, “Lightweight Georgia, May 1999.
 and certificateless multi-receiver secure data transmission [30] M. Naor and B. Pinkas, “Computationally secure oblivious
 protocol for wireless body area networks,” IEEE Transactions transfer,” Journal of Cryptology, vol. 18, no. 1, pp. 1–35, 2005.
 on Dependable and Secure Computing, p. 1, 2020. [31] C. K. Chu and W. G. Tzeng, “Efficient k-out-of-n oblivious
[14] J. Shen, T. Zhou, X. Chen, J. Li, and W. Susilo, “Anonymous transfer schemes,” Jouranal of Universal Computer Science,
 and traceable group data sharing in cloud computing,” IEEE vol. 14, pp. 397–415, 2008.
 Transactions on Information Forensics and Security, vol. 13, [32] Y. Chen, J. S. Chou, and X. W. Hou, “A novel k-out-of-n
 pp. 912–925, 2017. oblivious transfer protocols based on bilinear pairings,” IACR
[15] E. Stefanov, M. V. Dijk, E. Shi et al., “Path ORAM: an ex- Cryptology ePrint Archive, vol. 2010, 2010.
 tremely simple oblivious ram protocol,” in Proceedings of the [33] D. C. Lou and H. F. Huang, “An efficient-out-of-noblivious
 2013 ACM SIGSAC Conference on Computer and Commu- transfer for information security and privacy protection,”
 nications Security, pp. 299–310, Berlin, Germany, November International Journal of Communication Systems, vol. 27,
 2013. no. 12, pp. 3759–3767, 2014.
[16] J. Shen, H. Yang, P. Vijayakumar, and N. Kumar, “A privacy- [34] J. Lai, Y. Mu, F. Guo, R. Chen, and S. Ma, “Efficient k-out-of-n
 preserving and untraceable group data sharing scheme in oblivious transfer scheme with the ideal communication
 cloud computing,” IEEE Transactions on Dependable and cost,” Theoretical Computer Science, vol. 714, pp. 15–26, 2018.
 Secure Computing, p. 1, 2021. [35] J. H. Hsiao, R. Tso, C. M. Chen, and M. E. Wu, “Decentralized
[17] B. Pinkas and T. Reinman, “Oblivious RAM revisited,” in e-voting systems based on the blockchain technology,” in
 Annual Cryptology Conference, pp. 502–519, Springer, New Advances in Computer Science and Ubiquitous Computing,
 York, NY, USA, 2010. pp. 305–309, Springer, New York, NY, USA, 2017.
[18] M. O. Rabin, “How to exchange secrets with oblivious [36] R. Tso, Z.-Y. Liu, and J.-H. Hsiao, “Distributed e-voting and e-
 transfer,” IACR Cryptology ePrint Archive, vol. 2005, no. 187, bidding systems based on smart contract,” Electronics, vol. 8,
 pp. 22–25, 2005. no. 4, p. 422, 2019.
[19] S. Even, O. Goldreich, and A. Lempel, “A randomized pro- [37] T. Li, W. Ren, Y. Xiang et al., “FAPS: a fair, autonomous and
 tocol for signing contracts,” Communications of the ACM, privacy-preserving scheme for big data exchange based on
 vol. 28, no. 6, pp. 637–647, 1985. oblivious transfer, ether cheque and smart contracts,” In-
[20] G. Brassard, C. Crépeau, and J. M. Robert, “All-or-nothing formation Sciences, vol. 544, pp. 469–484, 2021.
 disclosure of secrets,” in Proceedings of the Conference on the [38] G. Ateniese, K. Benson, and S. Hohenberger, “Key-private
 Theory and Application of Cryptographic Techniques, proxy re-encryption,” in Proceedings of the Cryptographers’
 pp. 234–238, Springer, Kyoto, Japan, December 2000. Track at the RSA Conference, pp. 279–294, Springer, San
[21] M. Bellare and S. Micali, “Non-interactive oblivious transfer Francisco, CA, USA, April 2009.
 and applications,” in Proceedings of the Conference on the [39] D. Yaga, P. Mell, N. Roby, and K. Scarfone, “Blockchain
 Theory and Application of Cryptology, pp. 547–557, Springer, technology overview,” 2019, https://arxiv.org/abs/1906.11078.
 Houthalen, Belgium, April 1989. [40] M. Pilkington, “Blockchain technology: principles and ap-
[22] Y. Gertner, Y. Ishai, E. Kushilevitz, and T. Malkin, “Protecting plications,” in Research Handbook on Digital Trans-
 data privacy in private information retrieval schemes,” formationsEdward Elgar Publishing, Cheltenham, UK, 2016.

12 Security and Communication Networks

[41] C. Cachin, “Architecture of the hyperledger blockchain fab-
 ric,” in Proceedings of the Workshop on Distributed Crypto-
 currencies and Consensus Ledgers,, Chicago, IL, July 2016.
[42] M. Vukolić, “The quest for scalable blockchain fabric: proof-
 of-work vs. BFT replication,” in Proceedings of the In-
 ternational Workshop on Open Problems in Network Security,
 pp. 112–125, Springer, Zurich, Switzerland, October 2015.