Upload File

toward privacy-preserving shared storage in untrusted...

  • Home
  • Documents
  • Toward Privacy-Preserving Shared Storage in Untrusted ...downloads.hindawi.com/journals/wcmc/2019/6219868.pdf · WirelessCommunicationsandMobileComputing y r =g r(x r) Z = V E k E
14
Research Article Toward Privacy-Preserving Shared Storage in Untrusted Blockchain P2P Networks Sandi Rahmadika 1 and Kyung-Hyune Rhee 2 1 Interdisciplinary Program of Information Security, Graduate School, Pukyong National University, Republic of Korea 2 Department of IT Convergence and Application Engineering, Pukyong National University, Republic of Korea Correspondence should be addressed to Kyung-Hyune Rhee; [email protected] Received 18 January 2019; Revised 9 March 2019; Accepted 2 April 2019; Published 16 May 2019 Academic Editor: Ilsun You Copyright © 2019 Sandi Rahmadika and Kyung-Hyune Rhee. is is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. e shared storage is essential in the decentralized system. A straightforward storage model with guaranteed privacy protection on the peer-to-peer network is a challenge in the blockchain technology. e decentralized storage system should provide the privacy for the parties since it contains numerous data that are sensitive and dangerous if misused by maliciously. In this paper, we present a model for shared storage on a blockchain network which allows the authorized parties to access the data on storage without having to reveal their identity. Ring signatures combined with several protocols are implemented to disguise the signer identity thereby the observer is unlikely to determine the identity of the parties. We apply our proposed scheme in the healthcare domain, namely, decentralized personal health information (PHI). In addition, we present a dilemma to improve performance in a decentralized system. 1. Introduction Since being introduced to the public through the rise of Bitcoin, blockchain has attracted a lot of attention among researchers, especially the way it deals in a transaction with- out involving the third parties. e blockchain technology reduces the transaction costs and it improves the efficiency and reliability of the decentralized system in general [1]. Due to its merits, blockchain has been developed in various fields of study such as logistics, e-commerce, trading activity, and healthcare, to name a few. Blockchain in the healthcare area is growing rapidly [2] as a future trend of substantial impact [3]. It aims at improving the quality of service and maintaining the integrity of information. Blockchain must be mature enough in all aspects, especially in security matters before blockchain being applied to a sensitive system (healthcare domain) [4] since it consists of valuable data for patients, providers, and all parties involved. e shared storage between healthcare providers and the patients is one of the factors that must be considered when determining the scheme of the decentralized healthcare system. e surveys indicate that users oſten do not fully trust to store their data to third parties [5]. ere are decentralized storage providers that provide the alternative services to protect the user's privacy such as Freenet [6] and GNUnet [7]. However, those services still have some drawbacks such as free-rider problem. More precisely, the provider is less motivated to keep improving system reliability due to the fact that there is no significant benefit for the provider to preserve the users' data. Apart from the free-rider problem, the main issue in the decentralized shared storage is related to the privacy of users [8]. An observer may be able to see the contents of online activities or metadata of the user since the data is publicly available. To deal with the issues, we propose a model of the decentralized shared storage system on the blockchain that provides the privacy of the users without the involvement of third parties. Ring signature algorithm is applied to disguise the original identity of the signer. e parties involved use signatures on behalf of a group; hence, the original identity of the signer is unknown called signer ambiguous. In order Hindawi Wireless Communications and Mobile Computing Volume 2019, Article ID 6219868, 13 pages https://doi.org/10.1155/2019/6219868

Upload: others

Post on 15-Jul-2020

2 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Toward Privacy-Preserving Shared Storage in Untrusted ...downloads.hindawi.com/journals/wcmc/2019/6219868.pdf · WirelessCommunicationsandMobileComputing y r =g r(x r) Z = V E k E

Research ArticleToward Privacy-Preserving Shared Storage inUntrusted Blockchain P2P Networks

Sandi Rahmadika 1 and Kyung-Hyune Rhee 2

1 Interdisciplinary Program of Information Security Graduate School Pukyong National University Republic of Korea2Department of IT Convergence and Application Engineering Pukyong National University Republic of Korea

Correspondence should be addressed to Kyung-Hyune Rhee khrheepknuackr

Received 18 January 2019 Revised 9 March 2019 Accepted 2 April 2019 Published 16 May 2019

Academic Editor Ilsun You

Copyright copy 2019 Sandi Rahmadika and Kyung-Hyune Rhee This is an open access article distributed under the CreativeCommons Attribution License which permits unrestricted use distribution and reproduction in any medium provided theoriginal work is properly cited

The shared storage is essential in the decentralized system A straightforward storage model with guaranteed privacy protection onthe peer-to-peer network is a challenge in the blockchain technologyThe decentralized storage system should provide the privacyfor the parties since it contains numerous data that are sensitive and dangerous if misused bymaliciously In this paper we present amodel for shared storage on a blockchain network which allows the authorized parties to access the data on storage without havingto reveal their identity Ring signatures combined with several protocols are implemented to disguise the signer identity therebythe observer is unlikely to determine the identity of the parties We apply our proposed scheme in the healthcare domain namelydecentralized personal health information (PHI) In addition we present a dilemma to improve performance in a decentralizedsystem

1 Introduction

Since being introduced to the public through the rise ofBitcoin blockchain has attracted a lot of attention amongresearchers especially the way it deals in a transaction with-out involving the third parties The blockchain technologyreduces the transaction costs and it improves the efficiencyand reliability of the decentralized system in general [1] Dueto its merits blockchain has been developed in various fieldsof study such as logistics e-commerce trading activity andhealthcare to name a few Blockchain in the healthcare area isgrowing rapidly [2] as a future trend of substantial impact [3]It aims at improving the quality of service and maintainingthe integrity of information Blockchain must be matureenough in all aspects especially in security matters beforeblockchain being applied to a sensitive system (healthcaredomain) [4] since it consists of valuable data for patientsproviders and all parties involved

The shared storage between healthcare providers andthe patients is one of the factors that must be consideredwhen determining the scheme of the decentralized healthcare

systemThe surveys indicate that users often do not fully trustto store their data to third parties [5]There are decentralizedstorage providers that provide the alternative services toprotect the users privacy such as Freenet [6] and GNUnet[7] However those services still have some drawbacks suchas free-rider problem More precisely the provider is lessmotivated to keep improving system reliability due to thefact that there is no significant benefit for the provider topreserve the users data Apart from the free-rider problemthe main issue in the decentralized shared storage is relatedto the privacy of users [8] An observer may be able to see thecontents of online activities or metadata of the user since thedata is publicly available

To deal with the issues we propose a model of thedecentralized shared storage system on the blockchain thatprovides the privacy of the users without the involvement ofthird parties Ring signature algorithm is applied to disguisethe original identity of the signer The parties involved usesignatures on behalf of a group hence the original identityof the signer is unknown called signer ambiguous In order

HindawiWireless Communications and Mobile ComputingVolume 2019 Article ID 6219868 13 pageshttpsdoiorg10115520196219868

2 Wireless Communications and Mobile Computing

Parameter

Function HashData Flow

Repeat t times

GenerateProof

CrsquoC

Merkle Tree

rtLoop counter = i

Generate newchallenge

POST at i Output POST

Figure 1 The iterative proof of Filecoin adapted from [9]

to keep the identity of the parties to remain untraceable one-time use address (from the stealth address) is adapted sothat the observer cannot link the user address based on thetransaction that has been carried out in advance

The predecessor approaches to design the sharing storagesystem in the blockchain have been started by researcherslately such as Storj [10] storage with financial incentivesand Filecoin (see Figure 1) which generates a proof-of-spacetime (PoST) for the replica [11] This paper presentsthe key concepts in the decentralized sharing storage in thehealthcare system The personal health information of thepatient is propagated in the peer-to-peer blockchain networkand the data are stored in a storage provider The model ofdecentralized healthcare system comes from our previousresearch [12] The privacy-preserving for the user is beyondthe topic at the time This paper is ongoing research andinterrelated with our previous research

The structure of the paper is organized as followsSection 2 describes the background and core system compo-nent such as the ring signature CryptoNote and one-timeuse address (stealth address) Section 3 presents the systemmodel of decentralized PHI data as well as the concept of ringconfidential transaction Section 4 presents the system anal-ysis including the dilemma of reparameterizing propagationtime and block size in order to improve the performance ina transaction The limitations and future work are written inSection 5 Finally Section 6 concludes the paper

2 Background

In this section we briefly present the essential informationof ring signature algorithm CryptoNote protocol one-timeuse transaction address and stealth address which are basiccomponents for the privacy-preserving model in our system

21 The Essential of Ring Signature Ring signature is firstintroduced by Rivest et al [13] in 2001 through the paperentitled ldquoHow to Leak a Secretrdquo The idea of a ring signature

originates from the concept signature group proposed byChaum et al [14] which in the group signature each memberagrees to sign the message In short the data is signedon behalf of the group In the group signature there is amanager who organizes each activity in a group As opposedto the group signature the ring algorithm does not possess amanager in the process and neither have special requirementsfor creating groups as shown in Figure 2

In order to form a signature group the signer requirespublic keys 119875119896 knowledge from prospective members Theselected public keys are encrypted by using a trapdoorpermutation function (RSA Rabin and Diffie-Hellman)Due to the nature of the ring signature protocol there areno specific rules for the number of members in a groupThe standard procedure of the ring signature protocol can bedefined as follows

(i) 119878119894119892119899 120590(119898119904119892 119875119904119899 1198751198961 1198751198962 1198751198963 119875119896119899) The signatureconsists of the public keys (119875119904119899 1198751198961 1198751198962 1198751198963 119875119896119899)of the members for every message 119898119904119892 concatenatedwith the secret key 119875119904119899 of the signer to produce asignature 120590

(ii) Verify(119898119904119892120590) The verification process can be inter-preted as accepting a group signature120590 which consistsof public keys of all the possible signers along with themessage 119898119904119892 The final output is 119905119903119906119890 or 119891119886119897119904119890

Generating a ring signature can be used directly bythe signer without involving the group manager The initialstep is the signer computes the symmetric key 119878119910119898119896 as thehash value of the message 119898119904119892 to be signed as 119878119910119898119896 =ℎ(119898119904119892) The more complicated variant generates 119878119910119898119896 asℎ(119898119904119892 1198751198961 1198751198962 1198751198963 119875119903) However the simpler creationis also secure An initial random value 119877V (or ldquogluerdquo) ischosen by the signer uniformly at random form 0 1119887where 2119887 is some power of two which is larger than allmodulo 1198991198941015840119904 Furthermore the signer selects the numberof signatures 119909119894 from the ring members 1 lt 119894 lt119903 119894 = 119904 where 119903 is the ring members and 119904 is the order

Wireless Communications and Mobile Computing 3

yr = gr(xr)

Z = V

Ek

Ek

Ek

Ek

y3 = g3 (x3)

y2 = g2 (x2)

y1 = g1 (x1)

d

Figure 2 Ring signature algorithm which is defined by any member of a group of parties each having keys

Tx public key

The Amount

Destination Key

Transaction

Tx output Senderrsquosrandom data

ReceiverrsquosRandom data

r

(A B)

R = rG

P = HS (rA)G + B

Figure 3 The structure of CryptoNote standard transaction

of the member (119904-th member) who is the actual signerHence the signature gets a new value which is signifiedby 119910119894 = 119892(119909119894) Finally the signature of the message 119898119904119892can be defined as (1198751198961 1198751198962 1198751198963 119875119896119899 119877V 1199091 1199092 119909119903)The verification process is straightforward by describingthe message received from the sender via secure channel(1198751198961 1198751198962 1198751198963 119875119896119899 119877V 1199091 1199092 119909119903)

22 CryptoNote Protocol The use of the ring signature algo-rithm in blockchain transaction was first introduced in 2012which is part of the CryptoNote protocol [15] and updated in2013The CryptoNote constructs the ring signature using thepublic key of the random addresses and it provides privacyfor the patient by leveraging the stealth address protocol[16] By doing so the observer believes that the signer hasa secret key that corresponds to the cryptocurrencies butthe observer cannot determine the specific identity of thesender However the original ring signature protocol wouldallow double-spending attack in the blockchain transactionThe original ring signature protocol cannot determine theorigin of the coin due to the fact that there is no marker ifthe transaction has been sent to the recipient As a solutionCryptoNote provides one-time use ring signatures and keyimage as a marker

The key image acts as a unique marker for everytransaction The key image gives the information aboutthe transaction with a particular signature 120590n If the samesignature is used more than once the miners will reject thetransaction In other words any attempt to double-spend will

indicate the use of the same key image The destination ofeach CryptoNote output is a public key (1198751198961 1198751198962 1198751198963 119875119896119899)which is derived from the recipients address combined withthe senders random value In this regard the sender asks therecipients public key (119860 119861) via secure channel and the sendergenerates the one-time public key 119875 = 119867119904(119903119860)119866 + 119861 as canbe seen in Figure 3 Based on the key image that recipientbelongs to the recipient checks every passing transactionusing hisher secret key (119886 119887) and calculates 1198751015840 = 119867119904(119886119877)119866 +119861 where119867119904 is a cryptographic hash function 0 1lowast and 119866 isa base point Finally the recipient can define 119886119877 = 119886119903119866 =119903119860 and 1198751015840 = 119875 In addition the recipient can recover thecorresponding one-time secret key 119909 = 119867119904(119886119877) + 119887 119875 = 119909119866By signing 119909 transaction the recipient can spend this outputat any time The security from this protocol is an untraceabletransaction for the observer since the incoming messagereceived by a recipient associated with one-time public keys(unlinkable)

23 One-Time Use Transaction and Stealth Address We firstpresent the one-time use transaction in general and webriefly describe the drawbacks of one-time use address in theblockchain transaction To address the problem we use thestealth address to protect the recipient information in oursystem model

231 One-Time Use Transaction Using the same address foreach transaction on the blockchain network allows observersto track transactions to the original sender even though the

4 Wireless Communications and Mobile Computing

Alice sends 1 BTCon 240318 at 30257

pm to x

One time use address x

Charlie receives 1 BTCon 240318 at35503 pm from x

Figure 4 One-time use transaction

address is in the pseudonymous form Since the new addressdoes not have a track record in the blockchain metadata theobserver is unlikely to track information from a transactionHowever one-time use transaction address provides privacyfor the users by extending the address to the counter-partieswhich detail information of the transaction still publiclyavailable on the blockchain network Roughly speaking thesender enables the recipient to spend the funds that he justreceived even though the recipient identity remains hiddenas can be seen in Figure 4

For instance an address X is a one-time address but theobserver has knowledge that Alice sent 1BTC toX andCharliereceived from X It can be used by the observer to inferthat X corresponds to Alice and Charlie By gathering thedetails on where Charlies fund originated and where Alicesfunds were passed on to it could avail deanonymize the one-time use transaction This scheme is also called transactiongraph analysis Therefore in order to develop privacy on thedecentralized blockchain system a new protocol is necessarysuch as stealth address protocol In otherwords it is a securityprotocol that has become ubiquitous almost by stealth [17]

232 Stealth Address One-time use address for transactionmight be inconvenient to manage since the new address mustbe generated by the recipient for every transaction that willbe carried out Unlike the one-time use payment address thestealth addresses get rid of this requirement In short stealthaddresses can be generated as follows

(i) The recipient generates a parent key pair 119875119906119887(119860 119861)and publishes hisher public key (the published key iscalled stealth address)

(ii) The sender will be able to use the stealth address ofthe recipient to commit a new one-time use paymentaddress for a particular transaction

(iii) At this stage the recipient uses their parent privatekey 119875119904(119886 119887) which is generated in advance to spendthe funds received The generating process of stealthaddress can be seen in Figure 5

The addresses are generated using trapdoor permuta-tion such as Diffie-Hellman key exchange protocol [18] Byleveraging the stealth address protocol the system allowseliminating the possibility for observers to link a one-time address to another In this sense the observer cannotdetermine the recipients address and is unlikely to link thetransaction to the recipient due to the new address beinggenerated based on hisher stealth address for every trans-action Stealth address protocol is used in CryptoNote and

Zcash combined with various other techniques such as zk-SNARKs in order to provide the stronger privacy for the userin the decentralized blockchain network The cryptographicapproaches can prevent ad hoc networks against externalattackers using node authentication and data encryption[19]

3 Our System Model

In this section we elaborate the model of decentralized PHIdata (the model is from our prior work) the sequences of thestandard blockchain transaction the group of ring signatureand the ring confidential transaction of PHI

31 Decentralized PHI Data A decentralized personal healthinformation model originally came from our previousresearch [12] In our predecessor work blockchain tech-nology is used to manage the personal health information(PHI) data of the patient which obtain from several health-care providers as can be seen in Figure 6 Based on thedecentralized PHI model we conducted testing in order tofind out information about data communication in peer-to-peer networks (see Figure 7) The results obtained show thehigh level of success in sending data among the parties inthe blockchain network that reaches 100 and the averageof propagation message is 118ms for 100 bytes of InternetControl Message Protocol Echo By leveraging the modelof our previous research the patients and the healthcareproviders allow to collect effectively the PHI data ontoa single view with integrity guarantee Data integrity isessential for the patient in the blockchain network since itis a fundamental component of information security whichverifies that the data has remained unaltered in transit fromcreation and reception [20] By design blockchain is tamper-proof immutability (the data stored are unchanging overtime or unable to be changed) so it is suitable for managingsensitive data such as personal health information digitalmedical record and other similar data

In the decentralized healthcare system model the patientand the providers are on the same blockchain network Thehealthcare providers preserve a diagnosis from the patientand then store it into sharing storage right after the data isconfirmed by the miner The patient afterwards enables tofind the data stored by the provider in the storage by searchingone by one based on the patients public key 119875119906119887(119860 119861)attached into the transaction The patient whose public keyis attached to the transaction is the only party who knows thedata stored in the storage because heshe has knowledge ofthe secret key 119875119904(119886 119887) to access the PHI data

Wireless Communications and Mobile Computing 5

Parent Private Key

Parent Public Key(ldquoStealth Addressrdquo)

Recipient generates a Parent Key Pair

Ephemeral Key+

Sender generates an Ephemeral Key

Ephemeral Key

One-time AddSecret Key=

Ephemeral Key+One-time Addr

Secret Key=

Figure 5 Generating process of stealth address

Patient

National Provider

Health and Social care professionalChiropractor

Clinical Psychologist

Hospital Laboratories

National Provider

Health and Socialcare professionalChiropractor

Clinical Psychologist

Hospital Laboratories

Figure 6 The model of decentralized personal health information data

As with the security model in general every party inthe system has the unique parent keys The public keyis used to commit transactions which later will be usedto generate a stealth address for every transaction A pairof keys is obtained from trapdoor permutation functionssuch as RSA algorithm and Rabin [21] which are generated

beforehand The parent keys of the parties can be defined asfollows

(i) The patient (119875119906119887120572 119875119903120572) the pair of patients publickey to commit the transaction can be defined as(119860120572 119861120572) and the pair of secret keys (119886120572 119887120572)

6 Wireless Communications and Mobile Computing

Figure 7 Propagating the personal health information data to the entire nodes

(ii) Hospital (119875119906119887120573 119875119903120573) the pair of hospitals public key(119860120573 119861120573) and the pair of secret keys(119886120573 119887120573)

(iii) Chiropractor (119875119906119887120574 119875119903120574) Chiropractors public key(119860120574 119861120574) and the pair of secret keys(119886120574 119887120574)

(iv) Clinical psychologist (119875119906119887120575 119875119903120575) clinical psycholo-gists public key (119860120575 119861120575) and the pair of secret keys(119886120575 119887120575)

(v) National provider (11987511990611988713 11987511990313) the public key ofnational provider (11986013 11986113) and the pair of secret keys(11988613 11988713)

(vi) Health and social care provider (119875119906119887 119875119903) healthand social providers public key (119860 119861) and the pairof secret keys (119886 119887)

(vii) Laboratories(119875119906119887 119875119903) the pair of public keys oflaboratories can be defined (119860 119861) and the pair ofsecret keys (119886 119887)

119875 = 119867119904 (119903119860120572)119866 + 119861120572 (1)

1198751015840 = 119867119904 (119886120572119877)119866 + 119861120572 119905ℎ119890119899 (2)

119886120572119877 = 119886120572119903119866 = 119903119860120572

1198751015840 = 119875(3)

The sequence of a standard transaction in decentralizedPHI data starts from the provider who wants to store the

patientrsquos data in the storage where the patient has publishedhis address to the provider beforehandThe provider unpacksthe address and gets the patients public key (119860120572 119861120572) Theprovider picks a random 119903 isin [1 119897 minus 1] where 119897 is a primeorder of the base point 119866 The provider then generates a one-time public key based on the pair public key (1) of the patient(the process is signified by Figure 3)

The patient and the healthcare providers possess a pair ofpublic keys (119860119899 119861119899) for different purposes The first publickey 119860119899 is used to generate a one-time public key whilstthe public key 119861119899 is attached to the transaction as thetracking value used by the patient to find the data addressedto himher The provider uses 119875 as a destination key forthe output and attaches the new value 119877 = 119903119866 into thetransaction The PHI data with attachments to119875 and 119877 valuesare stored into shared storage after being validated by theminer The patient later checks every transaction using hisprivate key (119886120572 119887120572) and calculates the new value1198751015840 (2) Finallythe patient compares the value 119875 received with the value 1198751015840decrypted (3)

32 The Group of Ring Signature In the decentralized PHIsystem there is a group ring signature consisting of patientand several healthcare providers In order to generate a groupthe system does not demand special requirements and alsounlikely require a manager to manage the group All that isneeded to create a ring signature group is the public key ofeach party (119875119906119887120572 119875119906119887120573 119875119906119887120574 119875119906119887120575 11987511990611988713 119875119906119887 and 119875119906119887)

Wireless Communications and Mobile Computing 7

S = A(R)

S = A(R)

S = A(R)

S = A(R)

S = A(R)

S = A(R)

S = A(R)

SH+1 = AH+1(RH+1)

Figure 8 The group of ring signature which is derived from the public keys of the member

Once a ring signature group has been generated all membersof the group are allowed to use the signature and combine itwith the private key of the sender It grants users fine-grainedcontrol over the level of anonymity associated with a certainsignature [22]

The signer enables to choose the number of signaturesthat they want to use in the transaction to provide anambiguous signer Later the public key is used for encryption119910119899 = 119892119899(119909119899) as shown in Figure 8 Intuitively 119892119899 is definedby the extended trapdoor permutation function such as RSAandRabin algorithm In practice for Rabins functions119892119899 (119909119899)extends to 119891119894(119909119894) = 1199091198942 mod 119899119894 over 0 1119887 where 2119887 is thepower of two which is larger than all modulo 1198991198941015840119904 The bucketconsists of b-bit numbers 119908 = 119902119894119899119894 + 119903119894 where 119903119894 isin Zlowast119899119894and (119902119894 + 1)119899119894 le 2119887 For any b-bit numbers 119908 is nonnegativeintegers 119902119894 and 119903119894 The bucket values are mapped by theextended Rabinmapping 119892119899 So the value of 119892119894(119908) is signifiedby (4)

119892119894 (119908) =

119902119894119899119894 + 119891119894119903119894 if (119902119894 + 1) 119899119894 le 2119887

119908 else(4)

Intuitively 119892119894(119908) is a permutation function over 0 1119887 whichis also a one-way trapdoor function because only a personknows the inverted value of 119891119894 for a given input Thereforewe can define the public keys for the prospective members asfollows

(i) The patientlarr997888 119910120572 = 119892120572(119909120572)(ii) Hospital larr997888 119910120573 = 119892120573(119909120573) Chiropractor larr997888 119910120574 =

119892120574(119909120574) whilst the clinical psychologist larr997888 119910120575 =119892120575(119909120575)

(iii) National providerlarr997888 11991013 = 11989213(11990913) health and socialcare providerlarr997888 119910 = 119892(119909) Laboratorieslarr997888 119910 =119892(119909)

(iv) For additional members of a group it can be gener-ated at any time as long as the public key of the newmember is known 119910119899+1 = 119892119899+1(119909119899+1)

119877119904119892 = 119910120572 oplus 119910120573 oplus 119910120574 oplus 119910120575 oplus 11991013 oplus 119910 oplus 119910 oplus oplus 119910119899+1 (5)

As can be seen in (5) a group of ring signature isconstructed based on encryption of the members public key

By design the sender signs the message for the individualtransaction using the signature of the group without asingle group manager involved Because the sender uses thesignature of the group the observer cannot judge the identityof the real sender for the corresponding transaction Thesender enables to choose the number of signatures that heshewants to use in the transaction The signature of a groupcan be used at any time in a transaction without havingpermission from the owner of the key For instance in aparticular transaction the provider 119910120573 uses the following keysto sign a message ℎ(119898119904119892 119910120574 119910120575 119910120572 and his key 119910120573)

33 Ring Confidential Transaction of PHI Ring confidentialtransaction (RingCT) is used in Monero cryptocurrency [16]in order to improve the privacy of the users Intuitively thering confidential transaction aims to hide the value of theactual amount in a transaction by combining the value ofthe current transaction with the value of the predecessortransactions By doing so the observer cannot tell the exactvalue of a transaction The value of the transaction canbe the number of coins sent or other data depending onthe type of system that applies RingCT [23] Unlike in theMonero transaction the value transaction in the Bitcoin ispublicly available in the plaintext The observer might beable to analyse the transaction values for certain purposes inthe particular period of time Therefore public data will bedangerous if misused maliciously

119877119862119879 = 119905119909119894119889 [(8) (2) (5) (11) (12) (15)] (6)

Suppose all outputs in Figure 9 exist whilst the transac-tion that provider enables to spend is highlighted in greenWhenever the provider creates a transaction he uses aRingCT to disguise which input is actually being spent Inthis regard the provider combines the current transactionwith the previous transactions (highlighted in gray) Theconfidential ring signature for the transaction is shown in(6) The provider allows using the RingCT directly withoutpermission and node manager involvement As well as thegroup signature the sender is free to use the value of previoustransactions in order to disguise the value of the currenttransaction By leveraging the model it is possible to createprivacy-preserving for users in the decentralized peer-to-peer shared storage in healthcare areawith the followingmainobjectives

8 Wireless Communications and Mobile Computing

1 txid (dfa89ad90)

2 txid (uio38939a)

3 txid (890dfla8df)

4 txid (dfa89add0)

5 txid (fga89ad90)

6 txid (5fa89ad45)

7 txid (twa845d90)

8 txid (pklsdf8900)

9 txid (78sd9ad91)

10 txid (dfa89ad90)

11 txid (sd71vcjjp)

12 txid (dzzqemfsa)

13 txid sywi22zmv)

14 txid (p4z24fh3g)

15 txid (tpa1vh9wz)

16 txid (wj023kt3w)

17 txid (vq6oxop4)

18 txid (z9i5mcsdu)

Figure 9 Ring confidential transaction based on the prior transactions

(i) Untraceability with the goal to protect the sendersinformation in the form of the address (publickey) The observer cannot trace where the coin wasreceived and where the coin originated from

(ii) Unlinkability to preserve the recipients identityThiscan be achieved by using a stealth address where therecipient makes two public keys that are used to createa one-time address and the other as the view key

(iii) Confidential Values to disguise the value of a trans-action The value of the current transaction is com-bined with the values of the transactions that havebeen carried out previously so it becomes an obscuredtransaction

4 Systems Analysis and the Dilemma

The main protocols for building privacy-preserving forblockchain shared storage model have been discussed inprevious section In this section we present the relationbetween each protocol The combination of the protocolsprovides a system that enables protecting the privacy ofusers in the decentralized shared storage The proceduresare displayed gingerly starting from generating the membersof ring signature through to mechanism of storing data inthe blockchain shared storage At the end of this section weelaborate on some dilemmas

We demonstrate a case study in which one of theproviders (hospital) wants to store diagnostic data of thepatient into the decentralized shared storage The providerhas known the address (public key) of the patient beforehandIn this sense the hospital acts as the sender whilst the patientacts as the recipient of the PHImessageTheprovider attachesthe address of the patient in the form of a view key for eachtransaction so that only patients likely enable to track datastored in shared storage using hisher knowledgeTheminershave a duty to validate the data from the sender before beingsaved into shared storage yet they are responsible for addingblocks to the blockchain network The miner gets a reward

after successfully adding the new block aswith the blockchainsystem in general Algorithm 1 is a description of the wholesystem process starting with making public keys throughto data stored in shared storage The process sequence forprivacy-preserving shared storage in untrusted blockchainP2P networks as follows

(i) The party possesses a pair of parent keys (119875119906119887119896119890119910119875119903119896119890119910) that have been generated beforehand basedon trapdoor permutation function such as RSARabin or Diffie-Hellman algorithmThepatient is therecipient(119875119906119887120572 119875119903120572) whilst the hospital is the sender(119875119906119887120573 119875119903120573) in this case study

(ii) The hospital is the sender of the patients diagnosisdata (in this case) The hospital constructs a ringsignature group based on public key from providersand patient that has been known previously Thehospital also added its public key to the group

119877119904119892120573 = 119892120572 (119909120572) oplus 119892120572 (119909120573) oplus 119892120574 (119909120574) oplus 119892120575 (119909120575)

oplus 11989213 (11990913) oplus 119892 (119909) oplus 119892 (119909) oplus

oplus 119892119899+1 (119909119899+1)

(7)

(iii) When the group of ring signature 119877119904119892120573 is generatedthe sender enables to use the signature of each groupmember without having to get permission from theowner of public keys In this case study the hospitalchooses to use all signatures from group members asshown in (7) The hospital can add new members atany time as long as the public key is known

(iv) The patient as the recipient later makes the stealthaddress based on a pair of parent keys The patientcreates a pair of public keys 119875119906119887120572(119860120572 119861120572) and sendsit to the hospital via secure channel The hospitalgenerates a new one-time address based on stealth

Wireless Communications and Mobile Computing 9

1 Procedure 119878ℎ119886119903119890119889 1198781199051199001199031198861198921198902 Trapdoor Function (parent keys) lowasttrapdoor permutation function eg RSA Rabin3 119875119886119905119894119890119899119905 larr997888 ℎ119886119904ℎ(119875119906119887120572 119875119903120572)4 119867119900119904119901119894119905119886119897 larr997888 ℎ119886119904ℎ(119875119906119887120573 119875119903120573) lowastforallparty has parent keys5 119862ℎ119894119903119900119901119903119886119888119905119900119903 larr997888 ℎ119886119904ℎ(119875119906119887120574 119875119903120574)6 119862119897119888119875119904119910119888ℎ119900119897119900119892119894119904119905 larr997888 ℎ119886119904ℎ(119875119906119887120575 119875119903120575)7 119873119886119905119894119900119899119886119897119875119903119900V119894119889119890119903 larr997888 ℎ119886119904ℎ(11987511990611988713 11987511990313)8 119878119900119888119894119886119897 119888119886119903119890 larr997888 ℎ119886119904ℎ(119875119906119887 119875119903)9 119871119886119887119900119903119886119905119900119903119894119890119904 larr997888 ℎ119886119904ℎ(119875119906119887 119875119903)10The sender creates a group of ring signature11 Procedure 119880119904119890 119875119906119887119897119894119888 119870119890119910 forall 119901119886119903119905119894119890119904 isin 119901119886119903119890119899119905119896119890119910119904 lowastuse public key of the parties as an input12 Create RS13 119877119904119892119899 larr997888 119892120572(119909120572) oplus 119892120573(119909120573) oplus 119892120574(119909120574) oplus oplus 119892119899+1(119909119899+1)14 AddNewMembers lowastin case add new members15 119880119901119889119886119905119890 119877119904119892119899 larr997888 119866119890119905 119873119890119908119875119906119887119896119890119910 oplus 119875119906119887119870119890119910(119899+1)16 end procedure17 Procedure 119862119903119890119886119905119890 119878119905119890119886119897119905ℎ119860119889119889119903(119887119910119877119890119888119894119901119894119890119899119905) lowastthe recipient creates stealth address18 119875119886119903119890119899119905119870119890119910 119875119906119887119870119890119910119899 997888rarr 119875119906119887119870119890119910119899(119860119899 119861119899)19 119878119890119899119889(119860119899) 997888rarr 119905119900 119904119890119899119889119890119903 (V119894119886 119878119890119888119906119903119890119862ℎ119886119899119899119890119897)20 (119860119899 119861119899)119903119890119888119890119894V119890119889 997888rarr 119862119903119890119886119905119890 119873119890119908 119874119879119875 lowastsender creates new OTP for recipient21 end procedure22 Procedure 119862119900119899119891119894119889119890119899119905119894119886119897 119877119894119899119892 119878119894119892119899119886119905119906119903119890 lowastconfidential ring signature as an option23 119894119891 forall119905119909119904 119861119862 119906119904119890 119862119877119878 119905ℎ119890119899 119903119890119905119906119903119899 True24 119873119890119908119881119886119897119906119890 larr997888 119862119906119903119903119890119899119905119881119886119897119906119890 oplus 119875119903119890V11988111988611989711990611989025 119868119899119888119897119906119889119890 119905119900 119905ℎ119890 119899119890119908 119905119909 larr997888 11987311989011990811988111988611989711990611989026 119890119897119904119890119903119890119905119906119903119899 False27 end procedure28 Procedure 119878119894119892119899 119905ℎ119890 119875119867119868 119863119886119905119886(119872119904119892) lowastin this case the PHI data is from the hospital29 119866119890119905 119872119904119892 isin 119863119894119886119892119899119900119904119894119904 119863119886119905119886(119867119900119904119901119894119905119886119897)30 119878119894119892119899 120590 larr997888 119888ℎ119900119900119904119890 119904119894119892119899119890119903 isin 11987711990411989211989931 119877119894119899119892119862119879larr997888 119888ℎ119900119900119904119890 119901119903119890V 119905119909119904 isin 11986211987711987832 119872119904119892 larr997888 119886119905119905119886119888ℎ11989011988910158401198701198901199101198681198981198861198921198901015840 lowastKeyImage to prevent storing the same data33 119862119906119903119903119872119904119892 larr997888 119878119894119892119899 120590 119877119894119899119892119862119879 11987011989011991011986811989811988611989211989034 end procedure35 Procedure 119878119890119899119889 119905119900 119861119897119900119888119896119888ℎ119886119894119899 11987311989011990511990811990011990311989636 119866119890119905 119862119906119903119903119872119904119892 oplus 119874119879119875(119891119903119900119898 119878119905119890119886119897119905ℎ119860119889119889119903)37 119878119890119899119889 119905119900 119887119897119900119888119896119888ℎ119886119894119899 11989911989011990511990811990011990311989638 119882119886119894119905 1198981198941198991198901199031015840119904 11988811990011989911989111989411990311989811988611990511989411990011989939 119894119891 119862119906119903119903119872119904119892 119894119904 V119886119897119894119889 119905ℎ119890119899 119903119890119905119906119903119899 True lowasttransaction is success40 119860119889119889 119899119890119908119861119897119900119888119896 119905119900 119861119862 11989911989011990511990811990011990311989641 119860119889119889119862119906119903119903119872119904119892 997888rarr 119878ℎ119886119903119890119889 11987811990511990011990311988611989211989042 119890119897119904119890119903119890119905119906119903119899 False43 End

Algorithm 1 Shared Storage of PHI Data

address received Only patients can access data storedin shared storage by using his knowledge 119875119903120572(119886120572 119887120572)

119874119879119875 = 119867119904 (119903119860120572) 119866 + 119861120572 (8)

(v) The sender unpacks the address received which con-tains the public address of the recipient 119875119906119887120572(119860120572 119861120572)The sender picks the random value 119903 isin [1 119897 minus 1] togenerate one-time public key and attaches119861120572 as a viewaddress in the shared storage

(vi) For certain types of data the sender can use confiden-tial ring signatures (RingCT) to disguise informationof the data by adding value to transactions that have

occurred before such as 119877119862119879120573 = 119905119909119894119889(3) 119905119909119894119889(7) 119905119909119894119889(5) 119905119909119894119889(9) 119905119909119894119889(119899)

(vii) The hospital signs the diagnosis data 119898119904119892 usingthe member key from the ring signature asfollows 119878119894119892119899120590(119898119904119892 119910120572 119910120573 119910120574 119910120575 11991013 119910 119910 119910119899)which consists of the public keys of the members119875119906119887120572 119875119906119887120573 119875119906119887120574 119875119906119887120575 11987511990611988713 119875119906119887 and 119875119906119887

(viii) Key image is attached by the sender to prevent doublespending It can be interpreted as a scheme to preventthe same data stored twice in blockchain storageThe hospital sends the following series of data tothe blockchain network to be confirmed by miners119878119894119892119899 120590 119898119904119892 119874119879119875 119877119894119899119892119862119879 119896119890119910119894119898119886119892119890

10 Wireless Communications and Mobile Computing

(ix) The diagnosis data from the hospital along withattachments of the files are then sent to the blockchainnetwork to be verified by the miners before thedata are stored in a decentralized shared storageWhenever the data has been stored successfully thepatient traces one by one the transaction on theblockchain network until the patient finds hisherview keys 119861119899 which correspond to the patient

(x) The patient with hisher knowledge decrypts andcompares the value of the data received with thedecrypted value 119886120572119877 = 119886120572119903119866 = 119903119860120572 1198751015840 = 119875

The Algorithm 1 presents an overall model of the systemwhich starts with generating key pairs for the parties creatinga ring signature group and stealth addresses signing PHIdata until data are confirmed and stored in the decentralizedshared storage The observer is unlikely to track the senderrsquostransaction since the sender uses a signature on behalf ofa group in which the senders signature is obscured Fur-thermore the observer cannot associate one transaction withanother so it is indistinguishable whether the transactionwas sent by the same sender In other words the identityof the sender remains a secret Likewise the identity of therecipient cannot be tracked by the observer nor maliciousproviders because the recipient sends the stealth address tothe sender thereafter the sender creates a one-time addressto protect the privacy of the recipient The value of a PHI datais kept from being seen because it is combined with the valueof previous transactions through the RingCT The identityof the user along with the information of the transactionson the blockchain network is paramount therefore thedecentralized shared storage systems need to manage theconfidentiality as well as ensure the integrity of the PHI data

Apart from the model that has been described there isanother important factor which plays the role to a decen-tralized system called transaction propagation A numer-ous number of transactions are distributed to the entirenodes in the blockchain peer-to-peer network resulting inpropagation delay The structure of a P2P network allowsthe peer to disseminate information to the other nodesthat are connected to the sender [24] There are severalstudies conducted by researchers to measure how effectivethe block distribution in the peer-to-peer networks such asexperiments in which the goal is to find out the numberof successful connections and experiments to determine theeffect of the number of nodes against the block

One among parameters that affect transaction propa-gation is block size Block size can be understood as themaximum limit of a block to be filled up with varioustransactions on it It also can be thought of as a bundleof transactions with each block needing to get verificationbefore it can be accepted by the network Each block hasits own size depending on the type of transaction called theblock sizeThemaximum block size in Bitcoin stands at 1MBMiners enable to choose the number of transactions to beprocessed in a block If Bitcoin miners commit a transactionthat exceeds the maximum limit then the block will berejected by the network The motivation of block size is toprevent the attack such as denial-of-service attacks The size

of a block also affects the length of confirmation time Whena node receives a new transaction the recipient confirms thevalidity of the block before accepting it The duration of theconfirmation process depends on the size of the block Bydesign the larger the size of a block is the longer it takesto confirm Therefore the size of a block plays an importantrole in the blockchain in general because it directly affects thedelay time

Propagation delay is inseparable from the size of a blockThere is a correlation between block size and the propagationdelay until the node receives the blockThe larger the size of ablock themore transactions that can be done yet it affects thepropagation time and sacrifice the security The influence ofa block size to the propagation time can be seen in Figure 10[25] The block size in the transaction is varied up to 350 KBin order to find out how long it takes for the node to receivethe block To reach 25 of total transaction is visualized witha red line 50 for the green line and 75 for the blue lineThe results are in line with the theory which states the largerthe size of a block the greater the propagation time

We take measurements for orphaned blocks by followingthe withholding attack (selfish mining) strategy that was firstdiscovered in 2014 In this study we do not elaborate onthe details of withholding attack strategy we recommendthat readers refer to the references [26ndash28] The intuitionof this attack is to keep the finding block secret untilthe attackers network becomes the longest chain in theblockchain network For a particular condition this attackdoes not possess any benefit because the block is stored inthe attackers network which is only known by the attacker(nonprofit) The attackers get the reward if only the blockfound is propagated to the public and get confirmed by otherminers

The simulation is carried out in order to know theperformance of dishonest miners which follow the selfishmining protocol The aims of this strategy are to discoverthe new block till becoming the longest chain and gainingthe revenue after publishing the block to the public network[29] In our setting we arrange the selfish miners to competewith honest miners in 14 days to solve the proof-of-workand discover the new block The maximum of mining powerof selfish miner is 04 and it is running randomly from00 through 04 within 14 days in the simulation as shownin Figure 11 There are 12 nodes of dishonest miners withdifferent mining power from 00 to 04 We set the maximumnumber of mining power at 04 of total mining power inthe network Based on the simulation result we concludethat whenever the dishonest miner has 0322 mining powerit is enough to get the unfair revenue and allows gainingthe revenue larger than it should be In general there are51 new blocks successfully added as well as 4 orphanedblocks recorded The average of block generation time is 772minutes

To the extent we obtained the information related to theparameters that affect the propagation time in the blockchainpeer-to-peer network based on our findings and the priorworks of literatureThere are numerous articles proposing theimprovement of propagation delays by changing the networktopology minimizing the verification time of a transaction

Wireless Communications and Mobile Computing 11

50

45

40

35

30

25

20

15

10

5

00 50 100 150 200 250 300 350

Block size (KB)

Tim

e (se

c)

25

50

75

Figure 10 Relationship between block size and the time

50

40

30

20

10

0

Bloc

k H

eigh

t

0 200000 400000 600000 800000 1000000 1200000

Time (s)

08

06

04

02

00

Rew

ard

000 005 010 015 020 025 030 035 040Mining Power

Figure 11 Block height against time in the P2P network (left) the performance of selfish mining attack (right)

and reconstructing the message exchange protocol in theblockchain network Generally speaking the presence ofhaving the propagation of delays can cause a lot of damagein the blockchain network [30 31]

There are many considerations to increase the effective-ness of the blockchainTherefore we select block propagationand block size parameters to be discussed as follows

(i) Speeding up the block generation In theory it would beremarkably beneficial if the block generation time isresetting as fast as possible for each transaction so thateach user will get faster payments The propagationtime includes the length of time for the distributionof transactions in the peer-to-peer network and thetime for verification of a block But the problem isthat if the block generation time is speeding up there

will be a lot of orphaned blocks It can be understoodbecause each node will receive many new blocks thatare spread through peer-to-peer networks The tie-breaking protocol causes each node to only acceptone valid block for the same type of transaction sothat it will reject transactions from other nodes thatcause the orphaned block to appear Due to manynew orphaned blocks that will emerge it will motivaterational miners to adopt the selfish mining strategythat rivals the main network and causes the forkedchain [32]

(ii) Decrease block generation Slowing down the blockgeneration time for each transaction will reduce thespeed of transactions on the peer-to-peer networkPositively it gives some merits such as providing a

12 Wireless Communications and Mobile Computing

better security system Roughly this happens due toa decreasing number of orphaned blocks that willeliminate the selfish mining attack

(iii) Increasing the block size The bigger the capacity of ablock the more the transactions that can be filled upinto the block It will slow the propagation of everytransaction to all nodes in the peer-to-peer networkThe slow propagation time will cause new problemsnamely double-spending attack Attacker could usethe same coin for two or more different transactionsSlower propagation of blocks on the peer-to-peernetwork resulted in the fact that the block cannot befully accepted by the nodes As a result when thetransaction is received the block will confirm thatthe block is valid even though the transaction hasbeen used and confirmed by other nodes in the samenetwork

(iv) Reducing the capacity of block size Because of onlya few transactions that occur within a block it willspeed up the propagation time for every transactionIt causes many orphaned blocks to emerge and allowfor the occurrence of selfish mining attacks that harmthe system Yet this decision gives the advantagessuch as fast payments and fast transaction Howeverit should ensure the immutability of the block andtransaction [33]

5 Limited and Future Work

We assume that shared storage is interconnected to ablockchain network where miners have access into it Interms of the type of shared storage we do not define itin detail instead we assume the shared storage has all thecapacity needed to support the proposed system One ofthe drawbacks of our system is related to the time neededby the recipient to find data in shared storage because therecipient must seek for data one by one based on the keyview so that the patient observes each transaction in theblockchain In the long run this might become an obstacleif the blockchain network is expanding There will be manytransactions occurring so that it will be difficult for therecipient to monitor every transaction which belongs tohimher

For future work the model and capacity of shared storageneed to be observed further The access control in the sharedstorage is also essential to ensure that system keeps safeIncentive mechanisms also need to be considered for thestorage providers It aims to motivate providers to contributeto protecting the privacy of the users as suggested by [34ndash36]Furthermore it is important to carefully consider the typeof block to be used including parameters directly involvedin the system such as block size and type of consensus toname a few Additionally the consensus selection mecha-nism is paramount in the blockchain For instance a newmethod by expanding the Byzantine consensus via hardware-assisted secret sharing can solve the scalability problem in theblockchain [37]

6 Conclusions

The model of privacy in the blockchain peer-to-peer sharedstorage has been fully presented The idea of ring signaturecombined with several protocols provides the solutions forprivacy issues on the blockchain transaction The identityof the sender and the recipient remains hidden unlinkableand untraceable from the observer The key image is attachedto prevent the same data from being stored multiple timesand it can be used as well to prevent double spending anddata duplication Based on our findings and informationfrom several literature reviews it can be said that increasingthe performance of the decentralized blockchain requires avery deep analysis since it is directly related to the securityThere are advantages and drawbacks for each decision takenFor future work a scheme that provides incentives needs tobe developed as a motivation to maintain the decentralizedsystem

Data Availability

No data were used to support this study

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This research was supported by the MSIT (Ministry ofScience and ICT) Korea under the ITRC (InformationTechnology Research Center) support program (IITP-2019-0-00403) supervised by the IITP (Institute for Informationamp Communications Technology Planning amp Evaluation) andpartially supported by the National Research Foundation ofKorea (NRF) grant funded by the Korea government (MSIT)(No NRF-2018R1D1A1B07048944)

References

[1] G Karame and E Androulaki Bitcoin and Blockchain SecurityArtech House Information Security and Privacy Series 2016

[2] R J Krawiec D Housman M White et al ldquoBlockchainOpportunities for health carerdquo in Proceedings of the NISTWorkshop Blockchain Healthcare pp 1ndash16 2016

[3] D E OrsquoLeary ldquoConfiguring blockchain architectures for trans-action information in blockchain consortiums The case ofaccounting and supply chain systemsrdquo Intelligent Systems inAccounting Finance and Management vol 24 no 4 pp 138ndash147 2017

[4] D Yang J Gavigan and ZWHearn ldquoSurvey of Confidentialityand Privacy Preserving Technologies for Blockchainsrdquo R3 pp1ndash32 2016

[5] HKoppDModinger FHauck F Kargl andC Bosch ldquoDesignof a privacy-preserving decentralized file storage with financialincentivesrdquo in Proceedings of the 2nd IEEE European Symposiumon Security and PrivacyWorkshops EuroS and PW 2017 pp 14ndash22 April 2017

Wireless Communications and Mobile Computing 13

[6] TW Clarke I Sandberg OWiley and B Hong ldquoA distributedanonymous information storage and retrieval systemrdquo Journalof Chemical Information and Modeling vol 53 no 9 pp 1689ndash1699 2001

[7] E Heilman L AlShenibr F Baldimtsi A Scafuro and SGoldberg ldquoTumbleBit an untrusted bitcoin-compatible anony-mous payment hubrdquo in Proceedings of the 2017 Network andDistributed System Security Symposium 2017

[8] S Wu Y Chen QWang M Li C Wang and X Luo ldquoCReama smart contract enabled collusion-resistant e-auctionrdquo IEEETransactions on Information Forensics 2018

[9] J Benet and N Greco ldquoFilecoin A Decentralized StorageNetworkrdquo Protoc Labs 2018

[10] S Wilkinson T Boshevski J Brandoff and V Buterin ldquoStorj apeer-to-peer cloud storage networkrdquo Technical report storjio2014

[11] B Fisch ldquoPoreps Proofs of space on useful datardquo Report2018678 Cryptology ePrint Archive 2018

[12] S Rahmadika and K Rhee ldquoBlockchain technology for pro-viding an architecture model of decentralized personal healthinformationrdquo International Journal of Engineering BusinessManagement vol 10 pp 1ndash12 2018

[13] R L Rivest A Shamir and Y Tauman ldquoHow to leak a secretrdquoin International Conference on the Theory and Application ofCryptology and Information Security vol 2248 of Lecture Notesin Comput Sci pp 552ndash565 Springer

[14] D Chaum E van Heyst and C Science ldquoGroup Signaturesrdquo inAdv CryptologymdashEUROCRYPTrsquo91 vol iii pp 257ndash265 1991

[15] N Van Saberhagen ldquoCryptoNote v 20rdquo Self-published pp 1ndash202013

[16] S Noether A Mackenzie and T M Research Lab ldquoRingconfidential transactionsrdquo Ledger vol 1 pp 1ndash8 2016

[17] E Gallery and C J Mitchell ldquoTrusted computing Security andapplicationsrdquo Cryptologia vol 33 no 3 pp 217ndash245 2009

[18] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976

[19] A A Korba M Nafaa and S Ghanemi ldquoAn efficient intrusiondetection and prevention framework for ad hoc networksrdquoInformation and Computer Security vol 24 no 4 pp 298ndash3252016

[20] S Rahmadika P H Rusmin H Hindersah and K H RheeldquoProviding data integrity for container dwelling time in the sea-portrdquo in Proceedings of the 6th International Annual EngineeringSeminar InAES 2016 pp 132ndash137 Indonesia August 2016

[21] K Schmidt-Samoa ldquoA new rabin-type trapdoor permutationequivalent to factoringrdquo Electronic Notes in Theoretical Com-puter Science vol 157 no 3 pp 79ndash94 2006

[22] A Bender J Katz and R Morselli ldquoRing signatures strongerdefinitions and constructions without randomoraclesrdquo Journalof Cryptology The Journal of the International Association forCryptologic Research vol 22 no 1 pp 114ndash138 2009

[23] K Lee andAMiller ldquoAuthenticateddata structures for privacy-preserving monero light clientsrdquo in Proceedings of the 3rd IEEEEuropean Symposium on Security and PrivacyWorkshops EUROS and PW 2018 April 2018

[24] R Schollmeier ldquoA definition of peer-to-peer networking for theclassification of peer-to-peer architectures and applicationsrdquo inProceedings of the 1st International Conference on Peer-to-PeerComputing P2P 2001 pp 101-102 August 2001

[25] Y Sompolinsky and A Zohar ldquoAccelerating bitcoins trans-action processing fast money grows on trees not chainsrdquoEprintIacrOrg 2014

[26] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo Lecture Notes in Computer Science (includingsubseries LectureNotes in Artificial Intelligence and LectureNotesin Bioinformatics) Preface vol 8437 pp 436ndash454 2014

[27] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfishmining strategies in bitcoinrdquo in Financial Cryptography andData Security vol 9603 of Lecture Notes in Computer Sciencepp 515ndash532 Springer Berlin Germany 2017

[28] E Heilman ldquoOne weird trick to stop selfish miners freshbitcoins a solution for the honest miner (poster abstract)rdquo inLecture Notes in Computer Science (including subseries LectureNotes in Artificial Intelligence and Lecture Notes in Bioinformat-ics) Preface vol 8438 pp 161-162 2014

[29] S Rahmadika B J Kweka H Kim and K Rhee ldquoA scopingreview in defend against selfish mining attack in bitcoinrdquo ITConverg Pract vol 6 no 3 pp 18ndash26 2018

[30] AGervais H Ritzdorf GO Karame and S Capkun ldquoTamper-ing with the delivery of blocks and transactions in bitcoinrdquo inProceedings of the the 22nd ACM SIGSAC Conference pp 692ndash705 Denver Colo USA October 2015

[31] A Gervais G O Karame K Wust V Glykantzis H Ritzdorfand S Capkun ldquoOn the security and performance of Proof ofWork blockchainsrdquo in Proceedings of the 23rd ACM Conferenceon Computer and Communications Security CCS 2016 pp 3ndash16October 2016

[32] D T T Anh M Zhang B C Ooi and G Chen ldquoUntanglingblockchain a data processing view of blockchain systemsrdquo IEEETransactions on Knowledge and Data Engineering 2018

[33] D Mendez Mena I Papapanagiotou and B Yang ldquoInternet ofthings survey on securityrdquo Information Security Journal vol 27no 3 pp 162ndash182 2018

[34] O Ersoy Z Ren Z Erkin and R L Lagendijk ldquoTransac-tion propagation on permissionless blockchains incentive androuting mechanismsrdquo in Proceedings of the 2018 Crypto ValleyConference on Blockchain Technology (CVCBT) pp 20ndash30 June2018

[35] Y He H Li X Cheng Y Liu C Yang and L Sun ldquoAblockchain based truthful incentive mechanism for distributedP2P applicationsrdquo IEEE Access vol 6 pp 27324ndash27335 2018

[36] J Wang M Li Y He H Li K Xiao and C Wang ldquoAblockchain based privacy-preserving incentive mechanism incrowdsensing applicationsrdquo IEEE Access vol 6 pp 17545ndash17556 2018

[37] J Liu W Li G O Karame and N Asokan ldquoScalable Byzantineconsensus via hardware-assisted secret sharingrdquo Institute ofElectrical and Electronics Engineers Transactions on Computersvol 68 no 1 pp 139ndash151 2019

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

Page 2: Toward Privacy-Preserving Shared Storage in Untrusted ...downloads.hindawi.com/journals/wcmc/2019/6219868.pdf · WirelessCommunicationsandMobileComputing y r =g r(x r) Z = V E k E

2 Wireless Communications and Mobile Computing

Parameter

Function HashData Flow

Repeat t times

GenerateProof

CrsquoC

Merkle Tree

rtLoop counter = i

Generate newchallenge

POST at i Output POST

Figure 1 The iterative proof of Filecoin adapted from [9]

to keep the identity of the parties to remain untraceable one-time use address (from the stealth address) is adapted sothat the observer cannot link the user address based on thetransaction that has been carried out in advance

The predecessor approaches to design the sharing storagesystem in the blockchain have been started by researcherslately such as Storj [10] storage with financial incentivesand Filecoin (see Figure 1) which generates a proof-of-spacetime (PoST) for the replica [11] This paper presentsthe key concepts in the decentralized sharing storage in thehealthcare system The personal health information of thepatient is propagated in the peer-to-peer blockchain networkand the data are stored in a storage provider The model ofdecentralized healthcare system comes from our previousresearch [12] The privacy-preserving for the user is beyondthe topic at the time This paper is ongoing research andinterrelated with our previous research

The structure of the paper is organized as followsSection 2 describes the background and core system compo-nent such as the ring signature CryptoNote and one-timeuse address (stealth address) Section 3 presents the systemmodel of decentralized PHI data as well as the concept of ringconfidential transaction Section 4 presents the system anal-ysis including the dilemma of reparameterizing propagationtime and block size in order to improve the performance ina transaction The limitations and future work are written inSection 5 Finally Section 6 concludes the paper

2 Background

In this section we briefly present the essential informationof ring signature algorithm CryptoNote protocol one-timeuse transaction address and stealth address which are basiccomponents for the privacy-preserving model in our system

21 The Essential of Ring Signature Ring signature is firstintroduced by Rivest et al [13] in 2001 through the paperentitled ldquoHow to Leak a Secretrdquo The idea of a ring signature

originates from the concept signature group proposed byChaum et al [14] which in the group signature each memberagrees to sign the message In short the data is signedon behalf of the group In the group signature there is amanager who organizes each activity in a group As opposedto the group signature the ring algorithm does not possess amanager in the process and neither have special requirementsfor creating groups as shown in Figure 2

In order to form a signature group the signer requirespublic keys 119875119896 knowledge from prospective members Theselected public keys are encrypted by using a trapdoorpermutation function (RSA Rabin and Diffie-Hellman)Due to the nature of the ring signature protocol there areno specific rules for the number of members in a groupThe standard procedure of the ring signature protocol can bedefined as follows

(i) 119878119894119892119899 120590(119898119904119892 119875119904119899 1198751198961 1198751198962 1198751198963 119875119896119899) The signatureconsists of the public keys (119875119904119899 1198751198961 1198751198962 1198751198963 119875119896119899)of the members for every message 119898119904119892 concatenatedwith the secret key 119875119904119899 of the signer to produce asignature 120590

(ii) Verify(119898119904119892120590) The verification process can be inter-preted as accepting a group signature120590 which consistsof public keys of all the possible signers along with themessage 119898119904119892 The final output is 119905119903119906119890 or 119891119886119897119904119890

Generating a ring signature can be used directly bythe signer without involving the group manager The initialstep is the signer computes the symmetric key 119878119910119898119896 as thehash value of the message 119898119904119892 to be signed as 119878119910119898119896 =ℎ(119898119904119892) The more complicated variant generates 119878119910119898119896 asℎ(119898119904119892 1198751198961 1198751198962 1198751198963 119875119903) However the simpler creationis also secure An initial random value 119877V (or ldquogluerdquo) ischosen by the signer uniformly at random form 0 1119887where 2119887 is some power of two which is larger than allmodulo 1198991198941015840119904 Furthermore the signer selects the numberof signatures 119909119894 from the ring members 1 lt 119894 lt119903 119894 = 119904 where 119903 is the ring members and 119904 is the order

Wireless Communications and Mobile Computing 3

yr = gr(xr)

Z = V

Ek

Ek

Ek

Ek

y3 = g3 (x3)

y2 = g2 (x2)

y1 = g1 (x1)

d

Figure 2 Ring signature algorithm which is defined by any member of a group of parties each having keys

Tx public key

The Amount

Destination Key

Transaction

Tx output Senderrsquosrandom data

ReceiverrsquosRandom data

r

(A B)

R = rG

P = HS (rA)G + B

Figure 3 The structure of CryptoNote standard transaction

of the member (119904-th member) who is the actual signerHence the signature gets a new value which is signifiedby 119910119894 = 119892(119909119894) Finally the signature of the message 119898119904119892can be defined as (1198751198961 1198751198962 1198751198963 119875119896119899 119877V 1199091 1199092 119909119903)The verification process is straightforward by describingthe message received from the sender via secure channel(1198751198961 1198751198962 1198751198963 119875119896119899 119877V 1199091 1199092 119909119903)

22 CryptoNote Protocol The use of the ring signature algo-rithm in blockchain transaction was first introduced in 2012which is part of the CryptoNote protocol [15] and updated in2013The CryptoNote constructs the ring signature using thepublic key of the random addresses and it provides privacyfor the patient by leveraging the stealth address protocol[16] By doing so the observer believes that the signer hasa secret key that corresponds to the cryptocurrencies butthe observer cannot determine the specific identity of thesender However the original ring signature protocol wouldallow double-spending attack in the blockchain transactionThe original ring signature protocol cannot determine theorigin of the coin due to the fact that there is no marker ifthe transaction has been sent to the recipient As a solutionCryptoNote provides one-time use ring signatures and keyimage as a marker

The key image acts as a unique marker for everytransaction The key image gives the information aboutthe transaction with a particular signature 120590n If the samesignature is used more than once the miners will reject thetransaction In other words any attempt to double-spend will

indicate the use of the same key image The destination ofeach CryptoNote output is a public key (1198751198961 1198751198962 1198751198963 119875119896119899)which is derived from the recipients address combined withthe senders random value In this regard the sender asks therecipients public key (119860 119861) via secure channel and the sendergenerates the one-time public key 119875 = 119867119904(119903119860)119866 + 119861 as canbe seen in Figure 3 Based on the key image that recipientbelongs to the recipient checks every passing transactionusing hisher secret key (119886 119887) and calculates 1198751015840 = 119867119904(119886119877)119866 +119861 where119867119904 is a cryptographic hash function 0 1lowast and 119866 isa base point Finally the recipient can define 119886119877 = 119886119903119866 =119903119860 and 1198751015840 = 119875 In addition the recipient can recover thecorresponding one-time secret key 119909 = 119867119904(119886119877) + 119887 119875 = 119909119866By signing 119909 transaction the recipient can spend this outputat any time The security from this protocol is an untraceabletransaction for the observer since the incoming messagereceived by a recipient associated with one-time public keys(unlinkable)

23 One-Time Use Transaction and Stealth Address We firstpresent the one-time use transaction in general and webriefly describe the drawbacks of one-time use address in theblockchain transaction To address the problem we use thestealth address to protect the recipient information in oursystem model

231 One-Time Use Transaction Using the same address foreach transaction on the blockchain network allows observersto track transactions to the original sender even though the

4 Wireless Communications and Mobile Computing

Alice sends 1 BTCon 240318 at 30257

pm to x

One time use address x

Charlie receives 1 BTCon 240318 at35503 pm from x

Figure 4 One-time use transaction

address is in the pseudonymous form Since the new addressdoes not have a track record in the blockchain metadata theobserver is unlikely to track information from a transactionHowever one-time use transaction address provides privacyfor the users by extending the address to the counter-partieswhich detail information of the transaction still publiclyavailable on the blockchain network Roughly speaking thesender enables the recipient to spend the funds that he justreceived even though the recipient identity remains hiddenas can be seen in Figure 4

For instance an address X is a one-time address but theobserver has knowledge that Alice sent 1BTC toX andCharliereceived from X It can be used by the observer to inferthat X corresponds to Alice and Charlie By gathering thedetails on where Charlies fund originated and where Alicesfunds were passed on to it could avail deanonymize the one-time use transaction This scheme is also called transactiongraph analysis Therefore in order to develop privacy on thedecentralized blockchain system a new protocol is necessarysuch as stealth address protocol In otherwords it is a securityprotocol that has become ubiquitous almost by stealth [17]

232 Stealth Address One-time use address for transactionmight be inconvenient to manage since the new address mustbe generated by the recipient for every transaction that willbe carried out Unlike the one-time use payment address thestealth addresses get rid of this requirement In short stealthaddresses can be generated as follows

(i) The recipient generates a parent key pair 119875119906119887(119860 119861)and publishes hisher public key (the published key iscalled stealth address)

(ii) The sender will be able to use the stealth address ofthe recipient to commit a new one-time use paymentaddress for a particular transaction

(iii) At this stage the recipient uses their parent privatekey 119875119904(119886 119887) which is generated in advance to spendthe funds received The generating process of stealthaddress can be seen in Figure 5

The addresses are generated using trapdoor permuta-tion such as Diffie-Hellman key exchange protocol [18] Byleveraging the stealth address protocol the system allowseliminating the possibility for observers to link a one-time address to another In this sense the observer cannotdetermine the recipients address and is unlikely to link thetransaction to the recipient due to the new address beinggenerated based on hisher stealth address for every trans-action Stealth address protocol is used in CryptoNote and

Zcash combined with various other techniques such as zk-SNARKs in order to provide the stronger privacy for the userin the decentralized blockchain network The cryptographicapproaches can prevent ad hoc networks against externalattackers using node authentication and data encryption[19]

3 Our System Model

In this section we elaborate the model of decentralized PHIdata (the model is from our prior work) the sequences of thestandard blockchain transaction the group of ring signatureand the ring confidential transaction of PHI

31 Decentralized PHI Data A decentralized personal healthinformation model originally came from our previousresearch [12] In our predecessor work blockchain tech-nology is used to manage the personal health information(PHI) data of the patient which obtain from several health-care providers as can be seen in Figure 6 Based on thedecentralized PHI model we conducted testing in order tofind out information about data communication in peer-to-peer networks (see Figure 7) The results obtained show thehigh level of success in sending data among the parties inthe blockchain network that reaches 100 and the averageof propagation message is 118ms for 100 bytes of InternetControl Message Protocol Echo By leveraging the modelof our previous research the patients and the healthcareproviders allow to collect effectively the PHI data ontoa single view with integrity guarantee Data integrity isessential for the patient in the blockchain network since itis a fundamental component of information security whichverifies that the data has remained unaltered in transit fromcreation and reception [20] By design blockchain is tamper-proof immutability (the data stored are unchanging overtime or unable to be changed) so it is suitable for managingsensitive data such as personal health information digitalmedical record and other similar data

In the decentralized healthcare system model the patientand the providers are on the same blockchain network Thehealthcare providers preserve a diagnosis from the patientand then store it into sharing storage right after the data isconfirmed by the miner The patient afterwards enables tofind the data stored by the provider in the storage by searchingone by one based on the patients public key 119875119906119887(119860 119861)attached into the transaction The patient whose public keyis attached to the transaction is the only party who knows thedata stored in the storage because heshe has knowledge ofthe secret key 119875119904(119886 119887) to access the PHI data

Wireless Communications and Mobile Computing 5

Parent Private Key

Parent Public Key(ldquoStealth Addressrdquo)

Recipient generates a Parent Key Pair

Ephemeral Key+

Sender generates an Ephemeral Key

Ephemeral Key

One-time AddSecret Key=

Ephemeral Key+One-time Addr

Secret Key=

Figure 5 Generating process of stealth address

Patient

National Provider

Health and Social care professionalChiropractor

Clinical Psychologist

Hospital Laboratories

National Provider

Health and Socialcare professionalChiropractor

Clinical Psychologist

Hospital Laboratories

Figure 6 The model of decentralized personal health information data

As with the security model in general every party inthe system has the unique parent keys The public keyis used to commit transactions which later will be usedto generate a stealth address for every transaction A pairof keys is obtained from trapdoor permutation functionssuch as RSA algorithm and Rabin [21] which are generated

beforehand The parent keys of the parties can be defined asfollows

(i) The patient (119875119906119887120572 119875119903120572) the pair of patients publickey to commit the transaction can be defined as(119860120572 119861120572) and the pair of secret keys (119886120572 119887120572)

6 Wireless Communications and Mobile Computing

Figure 7 Propagating the personal health information data to the entire nodes

(ii) Hospital (119875119906119887120573 119875119903120573) the pair of hospitals public key(119860120573 119861120573) and the pair of secret keys(119886120573 119887120573)

(iii) Chiropractor (119875119906119887120574 119875119903120574) Chiropractors public key(119860120574 119861120574) and the pair of secret keys(119886120574 119887120574)

(iv) Clinical psychologist (119875119906119887120575 119875119903120575) clinical psycholo-gists public key (119860120575 119861120575) and the pair of secret keys(119886120575 119887120575)

(v) National provider (11987511990611988713 11987511990313) the public key ofnational provider (11986013 11986113) and the pair of secret keys(11988613 11988713)

(vi) Health and social care provider (119875119906119887 119875119903) healthand social providers public key (119860 119861) and the pairof secret keys (119886 119887)

(vii) Laboratories(119875119906119887 119875119903) the pair of public keys oflaboratories can be defined (119860 119861) and the pair ofsecret keys (119886 119887)

119875 = 119867119904 (119903119860120572)119866 + 119861120572 (1)

1198751015840 = 119867119904 (119886120572119877)119866 + 119861120572 119905ℎ119890119899 (2)

119886120572119877 = 119886120572119903119866 = 119903119860120572

1198751015840 = 119875(3)

The sequence of a standard transaction in decentralizedPHI data starts from the provider who wants to store the

patientrsquos data in the storage where the patient has publishedhis address to the provider beforehandThe provider unpacksthe address and gets the patients public key (119860120572 119861120572) Theprovider picks a random 119903 isin [1 119897 minus 1] where 119897 is a primeorder of the base point 119866 The provider then generates a one-time public key based on the pair public key (1) of the patient(the process is signified by Figure 3)

The patient and the healthcare providers possess a pair ofpublic keys (119860119899 119861119899) for different purposes The first publickey 119860119899 is used to generate a one-time public key whilstthe public key 119861119899 is attached to the transaction as thetracking value used by the patient to find the data addressedto himher The provider uses 119875 as a destination key forthe output and attaches the new value 119877 = 119903119866 into thetransaction The PHI data with attachments to119875 and 119877 valuesare stored into shared storage after being validated by theminer The patient later checks every transaction using hisprivate key (119886120572 119887120572) and calculates the new value1198751015840 (2) Finallythe patient compares the value 119875 received with the value 1198751015840decrypted (3)

32 The Group of Ring Signature In the decentralized PHIsystem there is a group ring signature consisting of patientand several healthcare providers In order to generate a groupthe system does not demand special requirements and alsounlikely require a manager to manage the group All that isneeded to create a ring signature group is the public key ofeach party (119875119906119887120572 119875119906119887120573 119875119906119887120574 119875119906119887120575 11987511990611988713 119875119906119887 and 119875119906119887)

Wireless Communications and Mobile Computing 7

S = A(R)

S = A(R)

S = A(R)

S = A(R)

S = A(R)

S = A(R)

S = A(R)

SH+1 = AH+1(RH+1)

Figure 8 The group of ring signature which is derived from the public keys of the member

Once a ring signature group has been generated all membersof the group are allowed to use the signature and combine itwith the private key of the sender It grants users fine-grainedcontrol over the level of anonymity associated with a certainsignature [22]

The signer enables to choose the number of signaturesthat they want to use in the transaction to provide anambiguous signer Later the public key is used for encryption119910119899 = 119892119899(119909119899) as shown in Figure 8 Intuitively 119892119899 is definedby the extended trapdoor permutation function such as RSAandRabin algorithm In practice for Rabins functions119892119899 (119909119899)extends to 119891119894(119909119894) = 1199091198942 mod 119899119894 over 0 1119887 where 2119887 is thepower of two which is larger than all modulo 1198991198941015840119904 The bucketconsists of b-bit numbers 119908 = 119902119894119899119894 + 119903119894 where 119903119894 isin Zlowast119899119894and (119902119894 + 1)119899119894 le 2119887 For any b-bit numbers 119908 is nonnegativeintegers 119902119894 and 119903119894 The bucket values are mapped by theextended Rabinmapping 119892119899 So the value of 119892119894(119908) is signifiedby (4)

119892119894 (119908) =

119902119894119899119894 + 119891119894119903119894 if (119902119894 + 1) 119899119894 le 2119887

119908 else(4)

Intuitively 119892119894(119908) is a permutation function over 0 1119887 whichis also a one-way trapdoor function because only a personknows the inverted value of 119891119894 for a given input Thereforewe can define the public keys for the prospective members asfollows

(i) The patientlarr997888 119910120572 = 119892120572(119909120572)(ii) Hospital larr997888 119910120573 = 119892120573(119909120573) Chiropractor larr997888 119910120574 =

119892120574(119909120574) whilst the clinical psychologist larr997888 119910120575 =119892120575(119909120575)

(iii) National providerlarr997888 11991013 = 11989213(11990913) health and socialcare providerlarr997888 119910 = 119892(119909) Laboratorieslarr997888 119910 =119892(119909)

(iv) For additional members of a group it can be gener-ated at any time as long as the public key of the newmember is known 119910119899+1 = 119892119899+1(119909119899+1)

119877119904119892 = 119910120572 oplus 119910120573 oplus 119910120574 oplus 119910120575 oplus 11991013 oplus 119910 oplus 119910 oplus oplus 119910119899+1 (5)

As can be seen in (5) a group of ring signature isconstructed based on encryption of the members public key

By design the sender signs the message for the individualtransaction using the signature of the group without asingle group manager involved Because the sender uses thesignature of the group the observer cannot judge the identityof the real sender for the corresponding transaction Thesender enables to choose the number of signatures that heshewants to use in the transaction The signature of a groupcan be used at any time in a transaction without havingpermission from the owner of the key For instance in aparticular transaction the provider 119910120573 uses the following keysto sign a message ℎ(119898119904119892 119910120574 119910120575 119910120572 and his key 119910120573)

33 Ring Confidential Transaction of PHI Ring confidentialtransaction (RingCT) is used in Monero cryptocurrency [16]in order to improve the privacy of the users Intuitively thering confidential transaction aims to hide the value of theactual amount in a transaction by combining the value ofthe current transaction with the value of the predecessortransactions By doing so the observer cannot tell the exactvalue of a transaction The value of the transaction canbe the number of coins sent or other data depending onthe type of system that applies RingCT [23] Unlike in theMonero transaction the value transaction in the Bitcoin ispublicly available in the plaintext The observer might beable to analyse the transaction values for certain purposes inthe particular period of time Therefore public data will bedangerous if misused maliciously

119877119862119879 = 119905119909119894119889 [(8) (2) (5) (11) (12) (15)] (6)

Suppose all outputs in Figure 9 exist whilst the transac-tion that provider enables to spend is highlighted in greenWhenever the provider creates a transaction he uses aRingCT to disguise which input is actually being spent Inthis regard the provider combines the current transactionwith the previous transactions (highlighted in gray) Theconfidential ring signature for the transaction is shown in(6) The provider allows using the RingCT directly withoutpermission and node manager involvement As well as thegroup signature the sender is free to use the value of previoustransactions in order to disguise the value of the currenttransaction By leveraging the model it is possible to createprivacy-preserving for users in the decentralized peer-to-peer shared storage in healthcare areawith the followingmainobjectives

8 Wireless Communications and Mobile Computing

1 txid (dfa89ad90)

2 txid (uio38939a)

3 txid (890dfla8df)

4 txid (dfa89add0)

5 txid (fga89ad90)

6 txid (5fa89ad45)

7 txid (twa845d90)

8 txid (pklsdf8900)

9 txid (78sd9ad91)

10 txid (dfa89ad90)

11 txid (sd71vcjjp)

12 txid (dzzqemfsa)

13 txid sywi22zmv)

14 txid (p4z24fh3g)

15 txid (tpa1vh9wz)

16 txid (wj023kt3w)

17 txid (vq6oxop4)

18 txid (z9i5mcsdu)

Figure 9 Ring confidential transaction based on the prior transactions

(i) Untraceability with the goal to protect the sendersinformation in the form of the address (publickey) The observer cannot trace where the coin wasreceived and where the coin originated from

(ii) Unlinkability to preserve the recipients identityThiscan be achieved by using a stealth address where therecipient makes two public keys that are used to createa one-time address and the other as the view key

(iii) Confidential Values to disguise the value of a trans-action The value of the current transaction is com-bined with the values of the transactions that havebeen carried out previously so it becomes an obscuredtransaction

4 Systems Analysis and the Dilemma

The main protocols for building privacy-preserving forblockchain shared storage model have been discussed inprevious section In this section we present the relationbetween each protocol The combination of the protocolsprovides a system that enables protecting the privacy ofusers in the decentralized shared storage The proceduresare displayed gingerly starting from generating the membersof ring signature through to mechanism of storing data inthe blockchain shared storage At the end of this section weelaborate on some dilemmas

We demonstrate a case study in which one of theproviders (hospital) wants to store diagnostic data of thepatient into the decentralized shared storage The providerhas known the address (public key) of the patient beforehandIn this sense the hospital acts as the sender whilst the patientacts as the recipient of the PHImessageTheprovider attachesthe address of the patient in the form of a view key for eachtransaction so that only patients likely enable to track datastored in shared storage using hisher knowledgeTheminershave a duty to validate the data from the sender before beingsaved into shared storage yet they are responsible for addingblocks to the blockchain network The miner gets a reward

after successfully adding the new block aswith the blockchainsystem in general Algorithm 1 is a description of the wholesystem process starting with making public keys throughto data stored in shared storage The process sequence forprivacy-preserving shared storage in untrusted blockchainP2P networks as follows

(i) The party possesses a pair of parent keys (119875119906119887119896119890119910119875119903119896119890119910) that have been generated beforehand basedon trapdoor permutation function such as RSARabin or Diffie-Hellman algorithmThepatient is therecipient(119875119906119887120572 119875119903120572) whilst the hospital is the sender(119875119906119887120573 119875119903120573) in this case study

(ii) The hospital is the sender of the patients diagnosisdata (in this case) The hospital constructs a ringsignature group based on public key from providersand patient that has been known previously Thehospital also added its public key to the group

119877119904119892120573 = 119892120572 (119909120572) oplus 119892120572 (119909120573) oplus 119892120574 (119909120574) oplus 119892120575 (119909120575)

oplus 11989213 (11990913) oplus 119892 (119909) oplus 119892 (119909) oplus

oplus 119892119899+1 (119909119899+1)

(7)

(iii) When the group of ring signature 119877119904119892120573 is generatedthe sender enables to use the signature of each groupmember without having to get permission from theowner of public keys In this case study the hospitalchooses to use all signatures from group members asshown in (7) The hospital can add new members atany time as long as the public key is known

(iv) The patient as the recipient later makes the stealthaddress based on a pair of parent keys The patientcreates a pair of public keys 119875119906119887120572(119860120572 119861120572) and sendsit to the hospital via secure channel The hospitalgenerates a new one-time address based on stealth

Wireless Communications and Mobile Computing 9

1 Procedure 119878ℎ119886119903119890119889 1198781199051199001199031198861198921198902 Trapdoor Function (parent keys) lowasttrapdoor permutation function eg RSA Rabin3 119875119886119905119894119890119899119905 larr997888 ℎ119886119904ℎ(119875119906119887120572 119875119903120572)4 119867119900119904119901119894119905119886119897 larr997888 ℎ119886119904ℎ(119875119906119887120573 119875119903120573) lowastforallparty has parent keys5 119862ℎ119894119903119900119901119903119886119888119905119900119903 larr997888 ℎ119886119904ℎ(119875119906119887120574 119875119903120574)6 119862119897119888119875119904119910119888ℎ119900119897119900119892119894119904119905 larr997888 ℎ119886119904ℎ(119875119906119887120575 119875119903120575)7 119873119886119905119894119900119899119886119897119875119903119900V119894119889119890119903 larr997888 ℎ119886119904ℎ(11987511990611988713 11987511990313)8 119878119900119888119894119886119897 119888119886119903119890 larr997888 ℎ119886119904ℎ(119875119906119887 119875119903)9 119871119886119887119900119903119886119905119900119903119894119890119904 larr997888 ℎ119886119904ℎ(119875119906119887 119875119903)10The sender creates a group of ring signature11 Procedure 119880119904119890 119875119906119887119897119894119888 119870119890119910 forall 119901119886119903119905119894119890119904 isin 119901119886119903119890119899119905119896119890119910119904 lowastuse public key of the parties as an input12 Create RS13 119877119904119892119899 larr997888 119892120572(119909120572) oplus 119892120573(119909120573) oplus 119892120574(119909120574) oplus oplus 119892119899+1(119909119899+1)14 AddNewMembers lowastin case add new members15 119880119901119889119886119905119890 119877119904119892119899 larr997888 119866119890119905 119873119890119908119875119906119887119896119890119910 oplus 119875119906119887119870119890119910(119899+1)16 end procedure17 Procedure 119862119903119890119886119905119890 119878119905119890119886119897119905ℎ119860119889119889119903(119887119910119877119890119888119894119901119894119890119899119905) lowastthe recipient creates stealth address18 119875119886119903119890119899119905119870119890119910 119875119906119887119870119890119910119899 997888rarr 119875119906119887119870119890119910119899(119860119899 119861119899)19 119878119890119899119889(119860119899) 997888rarr 119905119900 119904119890119899119889119890119903 (V119894119886 119878119890119888119906119903119890119862ℎ119886119899119899119890119897)20 (119860119899 119861119899)119903119890119888119890119894V119890119889 997888rarr 119862119903119890119886119905119890 119873119890119908 119874119879119875 lowastsender creates new OTP for recipient21 end procedure22 Procedure 119862119900119899119891119894119889119890119899119905119894119886119897 119877119894119899119892 119878119894119892119899119886119905119906119903119890 lowastconfidential ring signature as an option23 119894119891 forall119905119909119904 119861119862 119906119904119890 119862119877119878 119905ℎ119890119899 119903119890119905119906119903119899 True24 119873119890119908119881119886119897119906119890 larr997888 119862119906119903119903119890119899119905119881119886119897119906119890 oplus 119875119903119890V11988111988611989711990611989025 119868119899119888119897119906119889119890 119905119900 119905ℎ119890 119899119890119908 119905119909 larr997888 11987311989011990811988111988611989711990611989026 119890119897119904119890119903119890119905119906119903119899 False27 end procedure28 Procedure 119878119894119892119899 119905ℎ119890 119875119867119868 119863119886119905119886(119872119904119892) lowastin this case the PHI data is from the hospital29 119866119890119905 119872119904119892 isin 119863119894119886119892119899119900119904119894119904 119863119886119905119886(119867119900119904119901119894119905119886119897)30 119878119894119892119899 120590 larr997888 119888ℎ119900119900119904119890 119904119894119892119899119890119903 isin 11987711990411989211989931 119877119894119899119892119862119879larr997888 119888ℎ119900119900119904119890 119901119903119890V 119905119909119904 isin 11986211987711987832 119872119904119892 larr997888 119886119905119905119886119888ℎ11989011988910158401198701198901199101198681198981198861198921198901015840 lowastKeyImage to prevent storing the same data33 119862119906119903119903119872119904119892 larr997888 119878119894119892119899 120590 119877119894119899119892119862119879 11987011989011991011986811989811988611989211989034 end procedure35 Procedure 119878119890119899119889 119905119900 119861119897119900119888119896119888ℎ119886119894119899 11987311989011990511990811990011990311989636 119866119890119905 119862119906119903119903119872119904119892 oplus 119874119879119875(119891119903119900119898 119878119905119890119886119897119905ℎ119860119889119889119903)37 119878119890119899119889 119905119900 119887119897119900119888119896119888ℎ119886119894119899 11989911989011990511990811990011990311989638 119882119886119894119905 1198981198941198991198901199031015840119904 11988811990011989911989111989411990311989811988611990511989411990011989939 119894119891 119862119906119903119903119872119904119892 119894119904 V119886119897119894119889 119905ℎ119890119899 119903119890119905119906119903119899 True lowasttransaction is success40 119860119889119889 119899119890119908119861119897119900119888119896 119905119900 119861119862 11989911989011990511990811990011990311989641 119860119889119889119862119906119903119903119872119904119892 997888rarr 119878ℎ119886119903119890119889 11987811990511990011990311988611989211989042 119890119897119904119890119903119890119905119906119903119899 False43 End

Algorithm 1 Shared Storage of PHI Data

address received Only patients can access data storedin shared storage by using his knowledge 119875119903120572(119886120572 119887120572)

119874119879119875 = 119867119904 (119903119860120572) 119866 + 119861120572 (8)

(v) The sender unpacks the address received which con-tains the public address of the recipient 119875119906119887120572(119860120572 119861120572)The sender picks the random value 119903 isin [1 119897 minus 1] togenerate one-time public key and attaches119861120572 as a viewaddress in the shared storage

(vi) For certain types of data the sender can use confiden-tial ring signatures (RingCT) to disguise informationof the data by adding value to transactions that have

occurred before such as 119877119862119879120573 = 119905119909119894119889(3) 119905119909119894119889(7) 119905119909119894119889(5) 119905119909119894119889(9) 119905119909119894119889(119899)

(vii) The hospital signs the diagnosis data 119898119904119892 usingthe member key from the ring signature asfollows 119878119894119892119899120590(119898119904119892 119910120572 119910120573 119910120574 119910120575 11991013 119910 119910 119910119899)which consists of the public keys of the members119875119906119887120572 119875119906119887120573 119875119906119887120574 119875119906119887120575 11987511990611988713 119875119906119887 and 119875119906119887

(viii) Key image is attached by the sender to prevent doublespending It can be interpreted as a scheme to preventthe same data stored twice in blockchain storageThe hospital sends the following series of data tothe blockchain network to be confirmed by miners119878119894119892119899 120590 119898119904119892 119874119879119875 119877119894119899119892119862119879 119896119890119910119894119898119886119892119890

10 Wireless Communications and Mobile Computing

(ix) The diagnosis data from the hospital along withattachments of the files are then sent to the blockchainnetwork to be verified by the miners before thedata are stored in a decentralized shared storageWhenever the data has been stored successfully thepatient traces one by one the transaction on theblockchain network until the patient finds hisherview keys 119861119899 which correspond to the patient

(x) The patient with hisher knowledge decrypts andcompares the value of the data received with thedecrypted value 119886120572119877 = 119886120572119903119866 = 119903119860120572 1198751015840 = 119875

The Algorithm 1 presents an overall model of the systemwhich starts with generating key pairs for the parties creatinga ring signature group and stealth addresses signing PHIdata until data are confirmed and stored in the decentralizedshared storage The observer is unlikely to track the senderrsquostransaction since the sender uses a signature on behalf ofa group in which the senders signature is obscured Fur-thermore the observer cannot associate one transaction withanother so it is indistinguishable whether the transactionwas sent by the same sender In other words the identityof the sender remains a secret Likewise the identity of therecipient cannot be tracked by the observer nor maliciousproviders because the recipient sends the stealth address tothe sender thereafter the sender creates a one-time addressto protect the privacy of the recipient The value of a PHI datais kept from being seen because it is combined with the valueof previous transactions through the RingCT The identityof the user along with the information of the transactionson the blockchain network is paramount therefore thedecentralized shared storage systems need to manage theconfidentiality as well as ensure the integrity of the PHI data

Apart from the model that has been described there isanother important factor which plays the role to a decen-tralized system called transaction propagation A numer-ous number of transactions are distributed to the entirenodes in the blockchain peer-to-peer network resulting inpropagation delay The structure of a P2P network allowsthe peer to disseminate information to the other nodesthat are connected to the sender [24] There are severalstudies conducted by researchers to measure how effectivethe block distribution in the peer-to-peer networks such asexperiments in which the goal is to find out the numberof successful connections and experiments to determine theeffect of the number of nodes against the block

One among parameters that affect transaction propa-gation is block size Block size can be understood as themaximum limit of a block to be filled up with varioustransactions on it It also can be thought of as a bundleof transactions with each block needing to get verificationbefore it can be accepted by the network Each block hasits own size depending on the type of transaction called theblock sizeThemaximum block size in Bitcoin stands at 1MBMiners enable to choose the number of transactions to beprocessed in a block If Bitcoin miners commit a transactionthat exceeds the maximum limit then the block will berejected by the network The motivation of block size is toprevent the attack such as denial-of-service attacks The size

of a block also affects the length of confirmation time Whena node receives a new transaction the recipient confirms thevalidity of the block before accepting it The duration of theconfirmation process depends on the size of the block Bydesign the larger the size of a block is the longer it takesto confirm Therefore the size of a block plays an importantrole in the blockchain in general because it directly affects thedelay time

Propagation delay is inseparable from the size of a blockThere is a correlation between block size and the propagationdelay until the node receives the blockThe larger the size of ablock themore transactions that can be done yet it affects thepropagation time and sacrifice the security The influence ofa block size to the propagation time can be seen in Figure 10[25] The block size in the transaction is varied up to 350 KBin order to find out how long it takes for the node to receivethe block To reach 25 of total transaction is visualized witha red line 50 for the green line and 75 for the blue lineThe results are in line with the theory which states the largerthe size of a block the greater the propagation time

We take measurements for orphaned blocks by followingthe withholding attack (selfish mining) strategy that was firstdiscovered in 2014 In this study we do not elaborate onthe details of withholding attack strategy we recommendthat readers refer to the references [26ndash28] The intuitionof this attack is to keep the finding block secret untilthe attackers network becomes the longest chain in theblockchain network For a particular condition this attackdoes not possess any benefit because the block is stored inthe attackers network which is only known by the attacker(nonprofit) The attackers get the reward if only the blockfound is propagated to the public and get confirmed by otherminers

The simulation is carried out in order to know theperformance of dishonest miners which follow the selfishmining protocol The aims of this strategy are to discoverthe new block till becoming the longest chain and gainingthe revenue after publishing the block to the public network[29] In our setting we arrange the selfish miners to competewith honest miners in 14 days to solve the proof-of-workand discover the new block The maximum of mining powerof selfish miner is 04 and it is running randomly from00 through 04 within 14 days in the simulation as shownin Figure 11 There are 12 nodes of dishonest miners withdifferent mining power from 00 to 04 We set the maximumnumber of mining power at 04 of total mining power inthe network Based on the simulation result we concludethat whenever the dishonest miner has 0322 mining powerit is enough to get the unfair revenue and allows gainingthe revenue larger than it should be In general there are51 new blocks successfully added as well as 4 orphanedblocks recorded The average of block generation time is 772minutes

To the extent we obtained the information related to theparameters that affect the propagation time in the blockchainpeer-to-peer network based on our findings and the priorworks of literatureThere are numerous articles proposing theimprovement of propagation delays by changing the networktopology minimizing the verification time of a transaction

Wireless Communications and Mobile Computing 11

50

45

40

35

30

25

20

15

10

5

00 50 100 150 200 250 300 350

Block size (KB)

Tim

e (se

c)

25

50

75

Figure 10 Relationship between block size and the time

50

40

30

20

10

0

Bloc

k H

eigh

t

0 200000 400000 600000 800000 1000000 1200000

Time (s)

08

06

04

02

00

Rew

ard

000 005 010 015 020 025 030 035 040Mining Power

Figure 11 Block height against time in the P2P network (left) the performance of selfish mining attack (right)

and reconstructing the message exchange protocol in theblockchain network Generally speaking the presence ofhaving the propagation of delays can cause a lot of damagein the blockchain network [30 31]

There are many considerations to increase the effective-ness of the blockchainTherefore we select block propagationand block size parameters to be discussed as follows

(i) Speeding up the block generation In theory it would beremarkably beneficial if the block generation time isresetting as fast as possible for each transaction so thateach user will get faster payments The propagationtime includes the length of time for the distributionof transactions in the peer-to-peer network and thetime for verification of a block But the problem isthat if the block generation time is speeding up there

will be a lot of orphaned blocks It can be understoodbecause each node will receive many new blocks thatare spread through peer-to-peer networks The tie-breaking protocol causes each node to only acceptone valid block for the same type of transaction sothat it will reject transactions from other nodes thatcause the orphaned block to appear Due to manynew orphaned blocks that will emerge it will motivaterational miners to adopt the selfish mining strategythat rivals the main network and causes the forkedchain [32]

(ii) Decrease block generation Slowing down the blockgeneration time for each transaction will reduce thespeed of transactions on the peer-to-peer networkPositively it gives some merits such as providing a

12 Wireless Communications and Mobile Computing

better security system Roughly this happens due toa decreasing number of orphaned blocks that willeliminate the selfish mining attack

(iii) Increasing the block size The bigger the capacity of ablock the more the transactions that can be filled upinto the block It will slow the propagation of everytransaction to all nodes in the peer-to-peer networkThe slow propagation time will cause new problemsnamely double-spending attack Attacker could usethe same coin for two or more different transactionsSlower propagation of blocks on the peer-to-peernetwork resulted in the fact that the block cannot befully accepted by the nodes As a result when thetransaction is received the block will confirm thatthe block is valid even though the transaction hasbeen used and confirmed by other nodes in the samenetwork

(iv) Reducing the capacity of block size Because of onlya few transactions that occur within a block it willspeed up the propagation time for every transactionIt causes many orphaned blocks to emerge and allowfor the occurrence of selfish mining attacks that harmthe system Yet this decision gives the advantagessuch as fast payments and fast transaction Howeverit should ensure the immutability of the block andtransaction [33]

5 Limited and Future Work

We assume that shared storage is interconnected to ablockchain network where miners have access into it Interms of the type of shared storage we do not define itin detail instead we assume the shared storage has all thecapacity needed to support the proposed system One ofthe drawbacks of our system is related to the time neededby the recipient to find data in shared storage because therecipient must seek for data one by one based on the keyview so that the patient observes each transaction in theblockchain In the long run this might become an obstacleif the blockchain network is expanding There will be manytransactions occurring so that it will be difficult for therecipient to monitor every transaction which belongs tohimher

For future work the model and capacity of shared storageneed to be observed further The access control in the sharedstorage is also essential to ensure that system keeps safeIncentive mechanisms also need to be considered for thestorage providers It aims to motivate providers to contributeto protecting the privacy of the users as suggested by [34ndash36]Furthermore it is important to carefully consider the typeof block to be used including parameters directly involvedin the system such as block size and type of consensus toname a few Additionally the consensus selection mecha-nism is paramount in the blockchain For instance a newmethod by expanding the Byzantine consensus via hardware-assisted secret sharing can solve the scalability problem in theblockchain [37]

6 Conclusions

The model of privacy in the blockchain peer-to-peer sharedstorage has been fully presented The idea of ring signaturecombined with several protocols provides the solutions forprivacy issues on the blockchain transaction The identityof the sender and the recipient remains hidden unlinkableand untraceable from the observer The key image is attachedto prevent the same data from being stored multiple timesand it can be used as well to prevent double spending anddata duplication Based on our findings and informationfrom several literature reviews it can be said that increasingthe performance of the decentralized blockchain requires avery deep analysis since it is directly related to the securityThere are advantages and drawbacks for each decision takenFor future work a scheme that provides incentives needs tobe developed as a motivation to maintain the decentralizedsystem

Data Availability

No data were used to support this study

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This research was supported by the MSIT (Ministry ofScience and ICT) Korea under the ITRC (InformationTechnology Research Center) support program (IITP-2019-0-00403) supervised by the IITP (Institute for Informationamp Communications Technology Planning amp Evaluation) andpartially supported by the National Research Foundation ofKorea (NRF) grant funded by the Korea government (MSIT)(No NRF-2018R1D1A1B07048944)

References

[1] G Karame and E Androulaki Bitcoin and Blockchain SecurityArtech House Information Security and Privacy Series 2016

[2] R J Krawiec D Housman M White et al ldquoBlockchainOpportunities for health carerdquo in Proceedings of the NISTWorkshop Blockchain Healthcare pp 1ndash16 2016

[3] D E OrsquoLeary ldquoConfiguring blockchain architectures for trans-action information in blockchain consortiums The case ofaccounting and supply chain systemsrdquo Intelligent Systems inAccounting Finance and Management vol 24 no 4 pp 138ndash147 2017

[4] D Yang J Gavigan and ZWHearn ldquoSurvey of Confidentialityand Privacy Preserving Technologies for Blockchainsrdquo R3 pp1ndash32 2016

[5] HKoppDModinger FHauck F Kargl andC Bosch ldquoDesignof a privacy-preserving decentralized file storage with financialincentivesrdquo in Proceedings of the 2nd IEEE European Symposiumon Security and PrivacyWorkshops EuroS and PW 2017 pp 14ndash22 April 2017

Wireless Communications and Mobile Computing 13

[6] TW Clarke I Sandberg OWiley and B Hong ldquoA distributedanonymous information storage and retrieval systemrdquo Journalof Chemical Information and Modeling vol 53 no 9 pp 1689ndash1699 2001

[7] E Heilman L AlShenibr F Baldimtsi A Scafuro and SGoldberg ldquoTumbleBit an untrusted bitcoin-compatible anony-mous payment hubrdquo in Proceedings of the 2017 Network andDistributed System Security Symposium 2017

[8] S Wu Y Chen QWang M Li C Wang and X Luo ldquoCReama smart contract enabled collusion-resistant e-auctionrdquo IEEETransactions on Information Forensics 2018

[9] J Benet and N Greco ldquoFilecoin A Decentralized StorageNetworkrdquo Protoc Labs 2018

[10] S Wilkinson T Boshevski J Brandoff and V Buterin ldquoStorj apeer-to-peer cloud storage networkrdquo Technical report storjio2014

[11] B Fisch ldquoPoreps Proofs of space on useful datardquo Report2018678 Cryptology ePrint Archive 2018

[12] S Rahmadika and K Rhee ldquoBlockchain technology for pro-viding an architecture model of decentralized personal healthinformationrdquo International Journal of Engineering BusinessManagement vol 10 pp 1ndash12 2018

[13] R L Rivest A Shamir and Y Tauman ldquoHow to leak a secretrdquoin International Conference on the Theory and Application ofCryptology and Information Security vol 2248 of Lecture Notesin Comput Sci pp 552ndash565 Springer

[14] D Chaum E van Heyst and C Science ldquoGroup Signaturesrdquo inAdv CryptologymdashEUROCRYPTrsquo91 vol iii pp 257ndash265 1991

[15] N Van Saberhagen ldquoCryptoNote v 20rdquo Self-published pp 1ndash202013

[16] S Noether A Mackenzie and T M Research Lab ldquoRingconfidential transactionsrdquo Ledger vol 1 pp 1ndash8 2016

[17] E Gallery and C J Mitchell ldquoTrusted computing Security andapplicationsrdquo Cryptologia vol 33 no 3 pp 217ndash245 2009

[18] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976

[19] A A Korba M Nafaa and S Ghanemi ldquoAn efficient intrusiondetection and prevention framework for ad hoc networksrdquoInformation and Computer Security vol 24 no 4 pp 298ndash3252016

[20] S Rahmadika P H Rusmin H Hindersah and K H RheeldquoProviding data integrity for container dwelling time in the sea-portrdquo in Proceedings of the 6th International Annual EngineeringSeminar InAES 2016 pp 132ndash137 Indonesia August 2016

[21] K Schmidt-Samoa ldquoA new rabin-type trapdoor permutationequivalent to factoringrdquo Electronic Notes in Theoretical Com-puter Science vol 157 no 3 pp 79ndash94 2006

[22] A Bender J Katz and R Morselli ldquoRing signatures strongerdefinitions and constructions without randomoraclesrdquo Journalof Cryptology The Journal of the International Association forCryptologic Research vol 22 no 1 pp 114ndash138 2009

[23] K Lee andAMiller ldquoAuthenticateddata structures for privacy-preserving monero light clientsrdquo in Proceedings of the 3rd IEEEEuropean Symposium on Security and PrivacyWorkshops EUROS and PW 2018 April 2018

[24] R Schollmeier ldquoA definition of peer-to-peer networking for theclassification of peer-to-peer architectures and applicationsrdquo inProceedings of the 1st International Conference on Peer-to-PeerComputing P2P 2001 pp 101-102 August 2001

[25] Y Sompolinsky and A Zohar ldquoAccelerating bitcoins trans-action processing fast money grows on trees not chainsrdquoEprintIacrOrg 2014

[26] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo Lecture Notes in Computer Science (includingsubseries LectureNotes in Artificial Intelligence and LectureNotesin Bioinformatics) Preface vol 8437 pp 436ndash454 2014

[27] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfishmining strategies in bitcoinrdquo in Financial Cryptography andData Security vol 9603 of Lecture Notes in Computer Sciencepp 515ndash532 Springer Berlin Germany 2017

[28] E Heilman ldquoOne weird trick to stop selfish miners freshbitcoins a solution for the honest miner (poster abstract)rdquo inLecture Notes in Computer Science (including subseries LectureNotes in Artificial Intelligence and Lecture Notes in Bioinformat-ics) Preface vol 8438 pp 161-162 2014

[29] S Rahmadika B J Kweka H Kim and K Rhee ldquoA scopingreview in defend against selfish mining attack in bitcoinrdquo ITConverg Pract vol 6 no 3 pp 18ndash26 2018

[30] AGervais H Ritzdorf GO Karame and S Capkun ldquoTamper-ing with the delivery of blocks and transactions in bitcoinrdquo inProceedings of the the 22nd ACM SIGSAC Conference pp 692ndash705 Denver Colo USA October 2015

[31] A Gervais G O Karame K Wust V Glykantzis H Ritzdorfand S Capkun ldquoOn the security and performance of Proof ofWork blockchainsrdquo in Proceedings of the 23rd ACM Conferenceon Computer and Communications Security CCS 2016 pp 3ndash16October 2016

[32] D T T Anh M Zhang B C Ooi and G Chen ldquoUntanglingblockchain a data processing view of blockchain systemsrdquo IEEETransactions on Knowledge and Data Engineering 2018

[33] D Mendez Mena I Papapanagiotou and B Yang ldquoInternet ofthings survey on securityrdquo Information Security Journal vol 27no 3 pp 162ndash182 2018

[34] O Ersoy Z Ren Z Erkin and R L Lagendijk ldquoTransac-tion propagation on permissionless blockchains incentive androuting mechanismsrdquo in Proceedings of the 2018 Crypto ValleyConference on Blockchain Technology (CVCBT) pp 20ndash30 June2018

[35] Y He H Li X Cheng Y Liu C Yang and L Sun ldquoAblockchain based truthful incentive mechanism for distributedP2P applicationsrdquo IEEE Access vol 6 pp 27324ndash27335 2018

[36] J Wang M Li Y He H Li K Xiao and C Wang ldquoAblockchain based privacy-preserving incentive mechanism incrowdsensing applicationsrdquo IEEE Access vol 6 pp 17545ndash17556 2018

[37] J Liu W Li G O Karame and N Asokan ldquoScalable Byzantineconsensus via hardware-assisted secret sharingrdquo Institute ofElectrical and Electronics Engineers Transactions on Computersvol 68 no 1 pp 139ndash151 2019

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

Page 3: Toward Privacy-Preserving Shared Storage in Untrusted ...downloads.hindawi.com/journals/wcmc/2019/6219868.pdf · WirelessCommunicationsandMobileComputing y r =g r(x r) Z = V E k E

Wireless Communications and Mobile Computing 3

yr = gr(xr)

Z = V

Ek

Ek

Ek

Ek

y3 = g3 (x3)

y2 = g2 (x2)

y1 = g1 (x1)

d

Figure 2 Ring signature algorithm which is defined by any member of a group of parties each having keys

Tx public key

The Amount

Destination Key

Transaction

Tx output Senderrsquosrandom data

ReceiverrsquosRandom data

r

(A B)

R = rG

P = HS (rA)G + B

Figure 3 The structure of CryptoNote standard transaction

of the member (119904-th member) who is the actual signerHence the signature gets a new value which is signifiedby 119910119894 = 119892(119909119894) Finally the signature of the message 119898119904119892can be defined as (1198751198961 1198751198962 1198751198963 119875119896119899 119877V 1199091 1199092 119909119903)The verification process is straightforward by describingthe message received from the sender via secure channel(1198751198961 1198751198962 1198751198963 119875119896119899 119877V 1199091 1199092 119909119903)

22 CryptoNote Protocol The use of the ring signature algo-rithm in blockchain transaction was first introduced in 2012which is part of the CryptoNote protocol [15] and updated in2013The CryptoNote constructs the ring signature using thepublic key of the random addresses and it provides privacyfor the patient by leveraging the stealth address protocol[16] By doing so the observer believes that the signer hasa secret key that corresponds to the cryptocurrencies butthe observer cannot determine the specific identity of thesender However the original ring signature protocol wouldallow double-spending attack in the blockchain transactionThe original ring signature protocol cannot determine theorigin of the coin due to the fact that there is no marker ifthe transaction has been sent to the recipient As a solutionCryptoNote provides one-time use ring signatures and keyimage as a marker

The key image acts as a unique marker for everytransaction The key image gives the information aboutthe transaction with a particular signature 120590n If the samesignature is used more than once the miners will reject thetransaction In other words any attempt to double-spend will

indicate the use of the same key image The destination ofeach CryptoNote output is a public key (1198751198961 1198751198962 1198751198963 119875119896119899)which is derived from the recipients address combined withthe senders random value In this regard the sender asks therecipients public key (119860 119861) via secure channel and the sendergenerates the one-time public key 119875 = 119867119904(119903119860)119866 + 119861 as canbe seen in Figure 3 Based on the key image that recipientbelongs to the recipient checks every passing transactionusing hisher secret key (119886 119887) and calculates 1198751015840 = 119867119904(119886119877)119866 +119861 where119867119904 is a cryptographic hash function 0 1lowast and 119866 isa base point Finally the recipient can define 119886119877 = 119886119903119866 =119903119860 and 1198751015840 = 119875 In addition the recipient can recover thecorresponding one-time secret key 119909 = 119867119904(119886119877) + 119887 119875 = 119909119866By signing 119909 transaction the recipient can spend this outputat any time The security from this protocol is an untraceabletransaction for the observer since the incoming messagereceived by a recipient associated with one-time public keys(unlinkable)

23 One-Time Use Transaction and Stealth Address We firstpresent the one-time use transaction in general and webriefly describe the drawbacks of one-time use address in theblockchain transaction To address the problem we use thestealth address to protect the recipient information in oursystem model

231 One-Time Use Transaction Using the same address foreach transaction on the blockchain network allows observersto track transactions to the original sender even though the

4 Wireless Communications and Mobile Computing

Alice sends 1 BTCon 240318 at 30257

pm to x

One time use address x

Charlie receives 1 BTCon 240318 at35503 pm from x

Figure 4 One-time use transaction

address is in the pseudonymous form Since the new addressdoes not have a track record in the blockchain metadata theobserver is unlikely to track information from a transactionHowever one-time use transaction address provides privacyfor the users by extending the address to the counter-partieswhich detail information of the transaction still publiclyavailable on the blockchain network Roughly speaking thesender enables the recipient to spend the funds that he justreceived even though the recipient identity remains hiddenas can be seen in Figure 4

For instance an address X is a one-time address but theobserver has knowledge that Alice sent 1BTC toX andCharliereceived from X It can be used by the observer to inferthat X corresponds to Alice and Charlie By gathering thedetails on where Charlies fund originated and where Alicesfunds were passed on to it could avail deanonymize the one-time use transaction This scheme is also called transactiongraph analysis Therefore in order to develop privacy on thedecentralized blockchain system a new protocol is necessarysuch as stealth address protocol In otherwords it is a securityprotocol that has become ubiquitous almost by stealth [17]

232 Stealth Address One-time use address for transactionmight be inconvenient to manage since the new address mustbe generated by the recipient for every transaction that willbe carried out Unlike the one-time use payment address thestealth addresses get rid of this requirement In short stealthaddresses can be generated as follows

(i) The recipient generates a parent key pair 119875119906119887(119860 119861)and publishes hisher public key (the published key iscalled stealth address)

(ii) The sender will be able to use the stealth address ofthe recipient to commit a new one-time use paymentaddress for a particular transaction

(iii) At this stage the recipient uses their parent privatekey 119875119904(119886 119887) which is generated in advance to spendthe funds received The generating process of stealthaddress can be seen in Figure 5

The addresses are generated using trapdoor permuta-tion such as Diffie-Hellman key exchange protocol [18] Byleveraging the stealth address protocol the system allowseliminating the possibility for observers to link a one-time address to another In this sense the observer cannotdetermine the recipients address and is unlikely to link thetransaction to the recipient due to the new address beinggenerated based on hisher stealth address for every trans-action Stealth address protocol is used in CryptoNote and

Zcash combined with various other techniques such as zk-SNARKs in order to provide the stronger privacy for the userin the decentralized blockchain network The cryptographicapproaches can prevent ad hoc networks against externalattackers using node authentication and data encryption[19]

3 Our System Model

In this section we elaborate the model of decentralized PHIdata (the model is from our prior work) the sequences of thestandard blockchain transaction the group of ring signatureand the ring confidential transaction of PHI

31 Decentralized PHI Data A decentralized personal healthinformation model originally came from our previousresearch [12] In our predecessor work blockchain tech-nology is used to manage the personal health information(PHI) data of the patient which obtain from several health-care providers as can be seen in Figure 6 Based on thedecentralized PHI model we conducted testing in order tofind out information about data communication in peer-to-peer networks (see Figure 7) The results obtained show thehigh level of success in sending data among the parties inthe blockchain network that reaches 100 and the averageof propagation message is 118ms for 100 bytes of InternetControl Message Protocol Echo By leveraging the modelof our previous research the patients and the healthcareproviders allow to collect effectively the PHI data ontoa single view with integrity guarantee Data integrity isessential for the patient in the blockchain network since itis a fundamental component of information security whichverifies that the data has remained unaltered in transit fromcreation and reception [20] By design blockchain is tamper-proof immutability (the data stored are unchanging overtime or unable to be changed) so it is suitable for managingsensitive data such as personal health information digitalmedical record and other similar data

In the decentralized healthcare system model the patientand the providers are on the same blockchain network Thehealthcare providers preserve a diagnosis from the patientand then store it into sharing storage right after the data isconfirmed by the miner The patient afterwards enables tofind the data stored by the provider in the storage by searchingone by one based on the patients public key 119875119906119887(119860 119861)attached into the transaction The patient whose public keyis attached to the transaction is the only party who knows thedata stored in the storage because heshe has knowledge ofthe secret key 119875119904(119886 119887) to access the PHI data

Wireless Communications and Mobile Computing 5

Parent Private Key

Parent Public Key(ldquoStealth Addressrdquo)

Recipient generates a Parent Key Pair

Ephemeral Key+

Sender generates an Ephemeral Key

Ephemeral Key

One-time AddSecret Key=

Ephemeral Key+One-time Addr

Secret Key=

Figure 5 Generating process of stealth address

Patient

National Provider

Health and Social care professionalChiropractor

Clinical Psychologist

Hospital Laboratories

National Provider

Health and Socialcare professionalChiropractor

Clinical Psychologist

Hospital Laboratories

Figure 6 The model of decentralized personal health information data

As with the security model in general every party inthe system has the unique parent keys The public keyis used to commit transactions which later will be usedto generate a stealth address for every transaction A pairof keys is obtained from trapdoor permutation functionssuch as RSA algorithm and Rabin [21] which are generated

beforehand The parent keys of the parties can be defined asfollows

(i) The patient (119875119906119887120572 119875119903120572) the pair of patients publickey to commit the transaction can be defined as(119860120572 119861120572) and the pair of secret keys (119886120572 119887120572)

6 Wireless Communications and Mobile Computing

Figure 7 Propagating the personal health information data to the entire nodes

(ii) Hospital (119875119906119887120573 119875119903120573) the pair of hospitals public key(119860120573 119861120573) and the pair of secret keys(119886120573 119887120573)

(iii) Chiropractor (119875119906119887120574 119875119903120574) Chiropractors public key(119860120574 119861120574) and the pair of secret keys(119886120574 119887120574)

(iv) Clinical psychologist (119875119906119887120575 119875119903120575) clinical psycholo-gists public key (119860120575 119861120575) and the pair of secret keys(119886120575 119887120575)

(v) National provider (11987511990611988713 11987511990313) the public key ofnational provider (11986013 11986113) and the pair of secret keys(11988613 11988713)

(vi) Health and social care provider (119875119906119887 119875119903) healthand social providers public key (119860 119861) and the pairof secret keys (119886 119887)

(vii) Laboratories(119875119906119887 119875119903) the pair of public keys oflaboratories can be defined (119860 119861) and the pair ofsecret keys (119886 119887)

119875 = 119867119904 (119903119860120572)119866 + 119861120572 (1)

1198751015840 = 119867119904 (119886120572119877)119866 + 119861120572 119905ℎ119890119899 (2)

119886120572119877 = 119886120572119903119866 = 119903119860120572

1198751015840 = 119875(3)

The sequence of a standard transaction in decentralizedPHI data starts from the provider who wants to store the

patientrsquos data in the storage where the patient has publishedhis address to the provider beforehandThe provider unpacksthe address and gets the patients public key (119860120572 119861120572) Theprovider picks a random 119903 isin [1 119897 minus 1] where 119897 is a primeorder of the base point 119866 The provider then generates a one-time public key based on the pair public key (1) of the patient(the process is signified by Figure 3)

The patient and the healthcare providers possess a pair ofpublic keys (119860119899 119861119899) for different purposes The first publickey 119860119899 is used to generate a one-time public key whilstthe public key 119861119899 is attached to the transaction as thetracking value used by the patient to find the data addressedto himher The provider uses 119875 as a destination key forthe output and attaches the new value 119877 = 119903119866 into thetransaction The PHI data with attachments to119875 and 119877 valuesare stored into shared storage after being validated by theminer The patient later checks every transaction using hisprivate key (119886120572 119887120572) and calculates the new value1198751015840 (2) Finallythe patient compares the value 119875 received with the value 1198751015840decrypted (3)

32 The Group of Ring Signature In the decentralized PHIsystem there is a group ring signature consisting of patientand several healthcare providers In order to generate a groupthe system does not demand special requirements and alsounlikely require a manager to manage the group All that isneeded to create a ring signature group is the public key ofeach party (119875119906119887120572 119875119906119887120573 119875119906119887120574 119875119906119887120575 11987511990611988713 119875119906119887 and 119875119906119887)

Wireless Communications and Mobile Computing 7

S = A(R)

S = A(R)

S = A(R)

S = A(R)

S = A(R)

S = A(R)

S = A(R)

SH+1 = AH+1(RH+1)

Figure 8 The group of ring signature which is derived from the public keys of the member

Once a ring signature group has been generated all membersof the group are allowed to use the signature and combine itwith the private key of the sender It grants users fine-grainedcontrol over the level of anonymity associated with a certainsignature [22]

The signer enables to choose the number of signaturesthat they want to use in the transaction to provide anambiguous signer Later the public key is used for encryption119910119899 = 119892119899(119909119899) as shown in Figure 8 Intuitively 119892119899 is definedby the extended trapdoor permutation function such as RSAandRabin algorithm In practice for Rabins functions119892119899 (119909119899)extends to 119891119894(119909119894) = 1199091198942 mod 119899119894 over 0 1119887 where 2119887 is thepower of two which is larger than all modulo 1198991198941015840119904 The bucketconsists of b-bit numbers 119908 = 119902119894119899119894 + 119903119894 where 119903119894 isin Zlowast119899119894and (119902119894 + 1)119899119894 le 2119887 For any b-bit numbers 119908 is nonnegativeintegers 119902119894 and 119903119894 The bucket values are mapped by theextended Rabinmapping 119892119899 So the value of 119892119894(119908) is signifiedby (4)

119892119894 (119908) =

119902119894119899119894 + 119891119894119903119894 if (119902119894 + 1) 119899119894 le 2119887

119908 else(4)

Intuitively 119892119894(119908) is a permutation function over 0 1119887 whichis also a one-way trapdoor function because only a personknows the inverted value of 119891119894 for a given input Thereforewe can define the public keys for the prospective members asfollows

(i) The patientlarr997888 119910120572 = 119892120572(119909120572)(ii) Hospital larr997888 119910120573 = 119892120573(119909120573) Chiropractor larr997888 119910120574 =

119892120574(119909120574) whilst the clinical psychologist larr997888 119910120575 =119892120575(119909120575)

(iii) National providerlarr997888 11991013 = 11989213(11990913) health and socialcare providerlarr997888 119910 = 119892(119909) Laboratorieslarr997888 119910 =119892(119909)

(iv) For additional members of a group it can be gener-ated at any time as long as the public key of the newmember is known 119910119899+1 = 119892119899+1(119909119899+1)

119877119904119892 = 119910120572 oplus 119910120573 oplus 119910120574 oplus 119910120575 oplus 11991013 oplus 119910 oplus 119910 oplus oplus 119910119899+1 (5)

As can be seen in (5) a group of ring signature isconstructed based on encryption of the members public key

By design the sender signs the message for the individualtransaction using the signature of the group without asingle group manager involved Because the sender uses thesignature of the group the observer cannot judge the identityof the real sender for the corresponding transaction Thesender enables to choose the number of signatures that heshewants to use in the transaction The signature of a groupcan be used at any time in a transaction without havingpermission from the owner of the key For instance in aparticular transaction the provider 119910120573 uses the following keysto sign a message ℎ(119898119904119892 119910120574 119910120575 119910120572 and his key 119910120573)

33 Ring Confidential Transaction of PHI Ring confidentialtransaction (RingCT) is used in Monero cryptocurrency [16]in order to improve the privacy of the users Intuitively thering confidential transaction aims to hide the value of theactual amount in a transaction by combining the value ofthe current transaction with the value of the predecessortransactions By doing so the observer cannot tell the exactvalue of a transaction The value of the transaction canbe the number of coins sent or other data depending onthe type of system that applies RingCT [23] Unlike in theMonero transaction the value transaction in the Bitcoin ispublicly available in the plaintext The observer might beable to analyse the transaction values for certain purposes inthe particular period of time Therefore public data will bedangerous if misused maliciously

119877119862119879 = 119905119909119894119889 [(8) (2) (5) (11) (12) (15)] (6)

Suppose all outputs in Figure 9 exist whilst the transac-tion that provider enables to spend is highlighted in greenWhenever the provider creates a transaction he uses aRingCT to disguise which input is actually being spent Inthis regard the provider combines the current transactionwith the previous transactions (highlighted in gray) Theconfidential ring signature for the transaction is shown in(6) The provider allows using the RingCT directly withoutpermission and node manager involvement As well as thegroup signature the sender is free to use the value of previoustransactions in order to disguise the value of the currenttransaction By leveraging the model it is possible to createprivacy-preserving for users in the decentralized peer-to-peer shared storage in healthcare areawith the followingmainobjectives

8 Wireless Communications and Mobile Computing

1 txid (dfa89ad90)

2 txid (uio38939a)

3 txid (890dfla8df)

4 txid (dfa89add0)

5 txid (fga89ad90)

6 txid (5fa89ad45)

7 txid (twa845d90)

8 txid (pklsdf8900)

9 txid (78sd9ad91)

10 txid (dfa89ad90)

11 txid (sd71vcjjp)

12 txid (dzzqemfsa)

13 txid sywi22zmv)

14 txid (p4z24fh3g)

15 txid (tpa1vh9wz)

16 txid (wj023kt3w)

17 txid (vq6oxop4)

18 txid (z9i5mcsdu)

Figure 9 Ring confidential transaction based on the prior transactions

(i) Untraceability with the goal to protect the sendersinformation in the form of the address (publickey) The observer cannot trace where the coin wasreceived and where the coin originated from

(ii) Unlinkability to preserve the recipients identityThiscan be achieved by using a stealth address where therecipient makes two public keys that are used to createa one-time address and the other as the view key

(iii) Confidential Values to disguise the value of a trans-action The value of the current transaction is com-bined with the values of the transactions that havebeen carried out previously so it becomes an obscuredtransaction

4 Systems Analysis and the Dilemma

The main protocols for building privacy-preserving forblockchain shared storage model have been discussed inprevious section In this section we present the relationbetween each protocol The combination of the protocolsprovides a system that enables protecting the privacy ofusers in the decentralized shared storage The proceduresare displayed gingerly starting from generating the membersof ring signature through to mechanism of storing data inthe blockchain shared storage At the end of this section weelaborate on some dilemmas

We demonstrate a case study in which one of theproviders (hospital) wants to store diagnostic data of thepatient into the decentralized shared storage The providerhas known the address (public key) of the patient beforehandIn this sense the hospital acts as the sender whilst the patientacts as the recipient of the PHImessageTheprovider attachesthe address of the patient in the form of a view key for eachtransaction so that only patients likely enable to track datastored in shared storage using hisher knowledgeTheminershave a duty to validate the data from the sender before beingsaved into shared storage yet they are responsible for addingblocks to the blockchain network The miner gets a reward

after successfully adding the new block aswith the blockchainsystem in general Algorithm 1 is a description of the wholesystem process starting with making public keys throughto data stored in shared storage The process sequence forprivacy-preserving shared storage in untrusted blockchainP2P networks as follows

(i) The party possesses a pair of parent keys (119875119906119887119896119890119910119875119903119896119890119910) that have been generated beforehand basedon trapdoor permutation function such as RSARabin or Diffie-Hellman algorithmThepatient is therecipient(119875119906119887120572 119875119903120572) whilst the hospital is the sender(119875119906119887120573 119875119903120573) in this case study

(ii) The hospital is the sender of the patients diagnosisdata (in this case) The hospital constructs a ringsignature group based on public key from providersand patient that has been known previously Thehospital also added its public key to the group

119877119904119892120573 = 119892120572 (119909120572) oplus 119892120572 (119909120573) oplus 119892120574 (119909120574) oplus 119892120575 (119909120575)

oplus 11989213 (11990913) oplus 119892 (119909) oplus 119892 (119909) oplus

oplus 119892119899+1 (119909119899+1)

(7)

(iii) When the group of ring signature 119877119904119892120573 is generatedthe sender enables to use the signature of each groupmember without having to get permission from theowner of public keys In this case study the hospitalchooses to use all signatures from group members asshown in (7) The hospital can add new members atany time as long as the public key is known

(iv) The patient as the recipient later makes the stealthaddress based on a pair of parent keys The patientcreates a pair of public keys 119875119906119887120572(119860120572 119861120572) and sendsit to the hospital via secure channel The hospitalgenerates a new one-time address based on stealth

Wireless Communications and Mobile Computing 9

1 Procedure 119878ℎ119886119903119890119889 1198781199051199001199031198861198921198902 Trapdoor Function (parent keys) lowasttrapdoor permutation function eg RSA Rabin3 119875119886119905119894119890119899119905 larr997888 ℎ119886119904ℎ(119875119906119887120572 119875119903120572)4 119867119900119904119901119894119905119886119897 larr997888 ℎ119886119904ℎ(119875119906119887120573 119875119903120573) lowastforallparty has parent keys5 119862ℎ119894119903119900119901119903119886119888119905119900119903 larr997888 ℎ119886119904ℎ(119875119906119887120574 119875119903120574)6 119862119897119888119875119904119910119888ℎ119900119897119900119892119894119904119905 larr997888 ℎ119886119904ℎ(119875119906119887120575 119875119903120575)7 119873119886119905119894119900119899119886119897119875119903119900V119894119889119890119903 larr997888 ℎ119886119904ℎ(11987511990611988713 11987511990313)8 119878119900119888119894119886119897 119888119886119903119890 larr997888 ℎ119886119904ℎ(119875119906119887 119875119903)9 119871119886119887119900119903119886119905119900119903119894119890119904 larr997888 ℎ119886119904ℎ(119875119906119887 119875119903)10The sender creates a group of ring signature11 Procedure 119880119904119890 119875119906119887119897119894119888 119870119890119910 forall 119901119886119903119905119894119890119904 isin 119901119886119903119890119899119905119896119890119910119904 lowastuse public key of the parties as an input12 Create RS13 119877119904119892119899 larr997888 119892120572(119909120572) oplus 119892120573(119909120573) oplus 119892120574(119909120574) oplus oplus 119892119899+1(119909119899+1)14 AddNewMembers lowastin case add new members15 119880119901119889119886119905119890 119877119904119892119899 larr997888 119866119890119905 119873119890119908119875119906119887119896119890119910 oplus 119875119906119887119870119890119910(119899+1)16 end procedure17 Procedure 119862119903119890119886119905119890 119878119905119890119886119897119905ℎ119860119889119889119903(119887119910119877119890119888119894119901119894119890119899119905) lowastthe recipient creates stealth address18 119875119886119903119890119899119905119870119890119910 119875119906119887119870119890119910119899 997888rarr 119875119906119887119870119890119910119899(119860119899 119861119899)19 119878119890119899119889(119860119899) 997888rarr 119905119900 119904119890119899119889119890119903 (V119894119886 119878119890119888119906119903119890119862ℎ119886119899119899119890119897)20 (119860119899 119861119899)119903119890119888119890119894V119890119889 997888rarr 119862119903119890119886119905119890 119873119890119908 119874119879119875 lowastsender creates new OTP for recipient21 end procedure22 Procedure 119862119900119899119891119894119889119890119899119905119894119886119897 119877119894119899119892 119878119894119892119899119886119905119906119903119890 lowastconfidential ring signature as an option23 119894119891 forall119905119909119904 119861119862 119906119904119890 119862119877119878 119905ℎ119890119899 119903119890119905119906119903119899 True24 119873119890119908119881119886119897119906119890 larr997888 119862119906119903119903119890119899119905119881119886119897119906119890 oplus 119875119903119890V11988111988611989711990611989025 119868119899119888119897119906119889119890 119905119900 119905ℎ119890 119899119890119908 119905119909 larr997888 11987311989011990811988111988611989711990611989026 119890119897119904119890119903119890119905119906119903119899 False27 end procedure28 Procedure 119878119894119892119899 119905ℎ119890 119875119867119868 119863119886119905119886(119872119904119892) lowastin this case the PHI data is from the hospital29 119866119890119905 119872119904119892 isin 119863119894119886119892119899119900119904119894119904 119863119886119905119886(119867119900119904119901119894119905119886119897)30 119878119894119892119899 120590 larr997888 119888ℎ119900119900119904119890 119904119894119892119899119890119903 isin 11987711990411989211989931 119877119894119899119892119862119879larr997888 119888ℎ119900119900119904119890 119901119903119890V 119905119909119904 isin 11986211987711987832 119872119904119892 larr997888 119886119905119905119886119888ℎ11989011988910158401198701198901199101198681198981198861198921198901015840 lowastKeyImage to prevent storing the same data33 119862119906119903119903119872119904119892 larr997888 119878119894119892119899 120590 119877119894119899119892119862119879 11987011989011991011986811989811988611989211989034 end procedure35 Procedure 119878119890119899119889 119905119900 119861119897119900119888119896119888ℎ119886119894119899 11987311989011990511990811990011990311989636 119866119890119905 119862119906119903119903119872119904119892 oplus 119874119879119875(119891119903119900119898 119878119905119890119886119897119905ℎ119860119889119889119903)37 119878119890119899119889 119905119900 119887119897119900119888119896119888ℎ119886119894119899 11989911989011990511990811990011990311989638 119882119886119894119905 1198981198941198991198901199031015840119904 11988811990011989911989111989411990311989811988611990511989411990011989939 119894119891 119862119906119903119903119872119904119892 119894119904 V119886119897119894119889 119905ℎ119890119899 119903119890119905119906119903119899 True lowasttransaction is success40 119860119889119889 119899119890119908119861119897119900119888119896 119905119900 119861119862 11989911989011990511990811990011990311989641 119860119889119889119862119906119903119903119872119904119892 997888rarr 119878ℎ119886119903119890119889 11987811990511990011990311988611989211989042 119890119897119904119890119903119890119905119906119903119899 False43 End

Algorithm 1 Shared Storage of PHI Data

address received Only patients can access data storedin shared storage by using his knowledge 119875119903120572(119886120572 119887120572)

119874119879119875 = 119867119904 (119903119860120572) 119866 + 119861120572 (8)

(v) The sender unpacks the address received which con-tains the public address of the recipient 119875119906119887120572(119860120572 119861120572)The sender picks the random value 119903 isin [1 119897 minus 1] togenerate one-time public key and attaches119861120572 as a viewaddress in the shared storage

(vi) For certain types of data the sender can use confiden-tial ring signatures (RingCT) to disguise informationof the data by adding value to transactions that have

occurred before such as 119877119862119879120573 = 119905119909119894119889(3) 119905119909119894119889(7) 119905119909119894119889(5) 119905119909119894119889(9) 119905119909119894119889(119899)

(vii) The hospital signs the diagnosis data 119898119904119892 usingthe member key from the ring signature asfollows 119878119894119892119899120590(119898119904119892 119910120572 119910120573 119910120574 119910120575 11991013 119910 119910 119910119899)which consists of the public keys of the members119875119906119887120572 119875119906119887120573 119875119906119887120574 119875119906119887120575 11987511990611988713 119875119906119887 and 119875119906119887

(viii) Key image is attached by the sender to prevent doublespending It can be interpreted as a scheme to preventthe same data stored twice in blockchain storageThe hospital sends the following series of data tothe blockchain network to be confirmed by miners119878119894119892119899 120590 119898119904119892 119874119879119875 119877119894119899119892119862119879 119896119890119910119894119898119886119892119890

10 Wireless Communications and Mobile Computing

(ix) The diagnosis data from the hospital along withattachments of the files are then sent to the blockchainnetwork to be verified by the miners before thedata are stored in a decentralized shared storageWhenever the data has been stored successfully thepatient traces one by one the transaction on theblockchain network until the patient finds hisherview keys 119861119899 which correspond to the patient

(x) The patient with hisher knowledge decrypts andcompares the value of the data received with thedecrypted value 119886120572119877 = 119886120572119903119866 = 119903119860120572 1198751015840 = 119875

The Algorithm 1 presents an overall model of the systemwhich starts with generating key pairs for the parties creatinga ring signature group and stealth addresses signing PHIdata until data are confirmed and stored in the decentralizedshared storage The observer is unlikely to track the senderrsquostransaction since the sender uses a signature on behalf ofa group in which the senders signature is obscured Fur-thermore the observer cannot associate one transaction withanother so it is indistinguishable whether the transactionwas sent by the same sender In other words the identityof the sender remains a secret Likewise the identity of therecipient cannot be tracked by the observer nor maliciousproviders because the recipient sends the stealth address tothe sender thereafter the sender creates a one-time addressto protect the privacy of the recipient The value of a PHI datais kept from being seen because it is combined with the valueof previous transactions through the RingCT The identityof the user along with the information of the transactionson the blockchain network is paramount therefore thedecentralized shared storage systems need to manage theconfidentiality as well as ensure the integrity of the PHI data

Apart from the model that has been described there isanother important factor which plays the role to a decen-tralized system called transaction propagation A numer-ous number of transactions are distributed to the entirenodes in the blockchain peer-to-peer network resulting inpropagation delay The structure of a P2P network allowsthe peer to disseminate information to the other nodesthat are connected to the sender [24] There are severalstudies conducted by researchers to measure how effectivethe block distribution in the peer-to-peer networks such asexperiments in which the goal is to find out the numberof successful connections and experiments to determine theeffect of the number of nodes against the block

One among parameters that affect transaction propa-gation is block size Block size can be understood as themaximum limit of a block to be filled up with varioustransactions on it It also can be thought of as a bundleof transactions with each block needing to get verificationbefore it can be accepted by the network Each block hasits own size depending on the type of transaction called theblock sizeThemaximum block size in Bitcoin stands at 1MBMiners enable to choose the number of transactions to beprocessed in a block If Bitcoin miners commit a transactionthat exceeds the maximum limit then the block will berejected by the network The motivation of block size is toprevent the attack such as denial-of-service attacks The size

of a block also affects the length of confirmation time Whena node receives a new transaction the recipient confirms thevalidity of the block before accepting it The duration of theconfirmation process depends on the size of the block Bydesign the larger the size of a block is the longer it takesto confirm Therefore the size of a block plays an importantrole in the blockchain in general because it directly affects thedelay time

Propagation delay is inseparable from the size of a blockThere is a correlation between block size and the propagationdelay until the node receives the blockThe larger the size of ablock themore transactions that can be done yet it affects thepropagation time and sacrifice the security The influence ofa block size to the propagation time can be seen in Figure 10[25] The block size in the transaction is varied up to 350 KBin order to find out how long it takes for the node to receivethe block To reach 25 of total transaction is visualized witha red line 50 for the green line and 75 for the blue lineThe results are in line with the theory which states the largerthe size of a block the greater the propagation time

We take measurements for orphaned blocks by followingthe withholding attack (selfish mining) strategy that was firstdiscovered in 2014 In this study we do not elaborate onthe details of withholding attack strategy we recommendthat readers refer to the references [26ndash28] The intuitionof this attack is to keep the finding block secret untilthe attackers network becomes the longest chain in theblockchain network For a particular condition this attackdoes not possess any benefit because the block is stored inthe attackers network which is only known by the attacker(nonprofit) The attackers get the reward if only the blockfound is propagated to the public and get confirmed by otherminers

The simulation is carried out in order to know theperformance of dishonest miners which follow the selfishmining protocol The aims of this strategy are to discoverthe new block till becoming the longest chain and gainingthe revenue after publishing the block to the public network[29] In our setting we arrange the selfish miners to competewith honest miners in 14 days to solve the proof-of-workand discover the new block The maximum of mining powerof selfish miner is 04 and it is running randomly from00 through 04 within 14 days in the simulation as shownin Figure 11 There are 12 nodes of dishonest miners withdifferent mining power from 00 to 04 We set the maximumnumber of mining power at 04 of total mining power inthe network Based on the simulation result we concludethat whenever the dishonest miner has 0322 mining powerit is enough to get the unfair revenue and allows gainingthe revenue larger than it should be In general there are51 new blocks successfully added as well as 4 orphanedblocks recorded The average of block generation time is 772minutes

To the extent we obtained the information related to theparameters that affect the propagation time in the blockchainpeer-to-peer network based on our findings and the priorworks of literatureThere are numerous articles proposing theimprovement of propagation delays by changing the networktopology minimizing the verification time of a transaction

Wireless Communications and Mobile Computing 11

50

45

40

35

30

25

20

15

10

5

00 50 100 150 200 250 300 350

Block size (KB)

Tim

e (se

c)

25

50

75

Figure 10 Relationship between block size and the time

50

40

30

20

10

0

Bloc

k H

eigh

t

0 200000 400000 600000 800000 1000000 1200000

Time (s)

08

06

04

02

00

Rew

ard

000 005 010 015 020 025 030 035 040Mining Power

Figure 11 Block height against time in the P2P network (left) the performance of selfish mining attack (right)

and reconstructing the message exchange protocol in theblockchain network Generally speaking the presence ofhaving the propagation of delays can cause a lot of damagein the blockchain network [30 31]

There are many considerations to increase the effective-ness of the blockchainTherefore we select block propagationand block size parameters to be discussed as follows

(i) Speeding up the block generation In theory it would beremarkably beneficial if the block generation time isresetting as fast as possible for each transaction so thateach user will get faster payments The propagationtime includes the length of time for the distributionof transactions in the peer-to-peer network and thetime for verification of a block But the problem isthat if the block generation time is speeding up there

will be a lot of orphaned blocks It can be understoodbecause each node will receive many new blocks thatare spread through peer-to-peer networks The tie-breaking protocol causes each node to only acceptone valid block for the same type of transaction sothat it will reject transactions from other nodes thatcause the orphaned block to appear Due to manynew orphaned blocks that will emerge it will motivaterational miners to adopt the selfish mining strategythat rivals the main network and causes the forkedchain [32]

(ii) Decrease block generation Slowing down the blockgeneration time for each transaction will reduce thespeed of transactions on the peer-to-peer networkPositively it gives some merits such as providing a

12 Wireless Communications and Mobile Computing

better security system Roughly this happens due toa decreasing number of orphaned blocks that willeliminate the selfish mining attack

(iii) Increasing the block size The bigger the capacity of ablock the more the transactions that can be filled upinto the block It will slow the propagation of everytransaction to all nodes in the peer-to-peer networkThe slow propagation time will cause new problemsnamely double-spending attack Attacker could usethe same coin for two or more different transactionsSlower propagation of blocks on the peer-to-peernetwork resulted in the fact that the block cannot befully accepted by the nodes As a result when thetransaction is received the block will confirm thatthe block is valid even though the transaction hasbeen used and confirmed by other nodes in the samenetwork

(iv) Reducing the capacity of block size Because of onlya few transactions that occur within a block it willspeed up the propagation time for every transactionIt causes many orphaned blocks to emerge and allowfor the occurrence of selfish mining attacks that harmthe system Yet this decision gives the advantagessuch as fast payments and fast transaction Howeverit should ensure the immutability of the block andtransaction [33]

5 Limited and Future Work

We assume that shared storage is interconnected to ablockchain network where miners have access into it Interms of the type of shared storage we do not define itin detail instead we assume the shared storage has all thecapacity needed to support the proposed system One ofthe drawbacks of our system is related to the time neededby the recipient to find data in shared storage because therecipient must seek for data one by one based on the keyview so that the patient observes each transaction in theblockchain In the long run this might become an obstacleif the blockchain network is expanding There will be manytransactions occurring so that it will be difficult for therecipient to monitor every transaction which belongs tohimher

For future work the model and capacity of shared storageneed to be observed further The access control in the sharedstorage is also essential to ensure that system keeps safeIncentive mechanisms also need to be considered for thestorage providers It aims to motivate providers to contributeto protecting the privacy of the users as suggested by [34ndash36]Furthermore it is important to carefully consider the typeof block to be used including parameters directly involvedin the system such as block size and type of consensus toname a few Additionally the consensus selection mecha-nism is paramount in the blockchain For instance a newmethod by expanding the Byzantine consensus via hardware-assisted secret sharing can solve the scalability problem in theblockchain [37]

6 Conclusions

The model of privacy in the blockchain peer-to-peer sharedstorage has been fully presented The idea of ring signaturecombined with several protocols provides the solutions forprivacy issues on the blockchain transaction The identityof the sender and the recipient remains hidden unlinkableand untraceable from the observer The key image is attachedto prevent the same data from being stored multiple timesand it can be used as well to prevent double spending anddata duplication Based on our findings and informationfrom several literature reviews it can be said that increasingthe performance of the decentralized blockchain requires avery deep analysis since it is directly related to the securityThere are advantages and drawbacks for each decision takenFor future work a scheme that provides incentives needs tobe developed as a motivation to maintain the decentralizedsystem

Data Availability

No data were used to support this study

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This research was supported by the MSIT (Ministry ofScience and ICT) Korea under the ITRC (InformationTechnology Research Center) support program (IITP-2019-0-00403) supervised by the IITP (Institute for Informationamp Communications Technology Planning amp Evaluation) andpartially supported by the National Research Foundation ofKorea (NRF) grant funded by the Korea government (MSIT)(No NRF-2018R1D1A1B07048944)

References

[1] G Karame and E Androulaki Bitcoin and Blockchain SecurityArtech House Information Security and Privacy Series 2016

[2] R J Krawiec D Housman M White et al ldquoBlockchainOpportunities for health carerdquo in Proceedings of the NISTWorkshop Blockchain Healthcare pp 1ndash16 2016

[3] D E OrsquoLeary ldquoConfiguring blockchain architectures for trans-action information in blockchain consortiums The case ofaccounting and supply chain systemsrdquo Intelligent Systems inAccounting Finance and Management vol 24 no 4 pp 138ndash147 2017

[4] D Yang J Gavigan and ZWHearn ldquoSurvey of Confidentialityand Privacy Preserving Technologies for Blockchainsrdquo R3 pp1ndash32 2016

[5] HKoppDModinger FHauck F Kargl andC Bosch ldquoDesignof a privacy-preserving decentralized file storage with financialincentivesrdquo in Proceedings of the 2nd IEEE European Symposiumon Security and PrivacyWorkshops EuroS and PW 2017 pp 14ndash22 April 2017

Wireless Communications and Mobile Computing 13

[6] TW Clarke I Sandberg OWiley and B Hong ldquoA distributedanonymous information storage and retrieval systemrdquo Journalof Chemical Information and Modeling vol 53 no 9 pp 1689ndash1699 2001

[7] E Heilman L AlShenibr F Baldimtsi A Scafuro and SGoldberg ldquoTumbleBit an untrusted bitcoin-compatible anony-mous payment hubrdquo in Proceedings of the 2017 Network andDistributed System Security Symposium 2017

[8] S Wu Y Chen QWang M Li C Wang and X Luo ldquoCReama smart contract enabled collusion-resistant e-auctionrdquo IEEETransactions on Information Forensics 2018

[9] J Benet and N Greco ldquoFilecoin A Decentralized StorageNetworkrdquo Protoc Labs 2018

[10] S Wilkinson T Boshevski J Brandoff and V Buterin ldquoStorj apeer-to-peer cloud storage networkrdquo Technical report storjio2014

[11] B Fisch ldquoPoreps Proofs of space on useful datardquo Report2018678 Cryptology ePrint Archive 2018

[12] S Rahmadika and K Rhee ldquoBlockchain technology for pro-viding an architecture model of decentralized personal healthinformationrdquo International Journal of Engineering BusinessManagement vol 10 pp 1ndash12 2018

[13] R L Rivest A Shamir and Y Tauman ldquoHow to leak a secretrdquoin International Conference on the Theory and Application ofCryptology and Information Security vol 2248 of Lecture Notesin Comput Sci pp 552ndash565 Springer

[14] D Chaum E van Heyst and C Science ldquoGroup Signaturesrdquo inAdv CryptologymdashEUROCRYPTrsquo91 vol iii pp 257ndash265 1991

[15] N Van Saberhagen ldquoCryptoNote v 20rdquo Self-published pp 1ndash202013

[16] S Noether A Mackenzie and T M Research Lab ldquoRingconfidential transactionsrdquo Ledger vol 1 pp 1ndash8 2016

[17] E Gallery and C J Mitchell ldquoTrusted computing Security andapplicationsrdquo Cryptologia vol 33 no 3 pp 217ndash245 2009

[18] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976

[19] A A Korba M Nafaa and S Ghanemi ldquoAn efficient intrusiondetection and prevention framework for ad hoc networksrdquoInformation and Computer Security vol 24 no 4 pp 298ndash3252016

[20] S Rahmadika P H Rusmin H Hindersah and K H RheeldquoProviding data integrity for container dwelling time in the sea-portrdquo in Proceedings of the 6th International Annual EngineeringSeminar InAES 2016 pp 132ndash137 Indonesia August 2016

[21] K Schmidt-Samoa ldquoA new rabin-type trapdoor permutationequivalent to factoringrdquo Electronic Notes in Theoretical Com-puter Science vol 157 no 3 pp 79ndash94 2006

[22] A Bender J Katz and R Morselli ldquoRing signatures strongerdefinitions and constructions without randomoraclesrdquo Journalof Cryptology The Journal of the International Association forCryptologic Research vol 22 no 1 pp 114ndash138 2009

[23] K Lee andAMiller ldquoAuthenticateddata structures for privacy-preserving monero light clientsrdquo in Proceedings of the 3rd IEEEEuropean Symposium on Security and PrivacyWorkshops EUROS and PW 2018 April 2018

[24] R Schollmeier ldquoA definition of peer-to-peer networking for theclassification of peer-to-peer architectures and applicationsrdquo inProceedings of the 1st International Conference on Peer-to-PeerComputing P2P 2001 pp 101-102 August 2001

[25] Y Sompolinsky and A Zohar ldquoAccelerating bitcoins trans-action processing fast money grows on trees not chainsrdquoEprintIacrOrg 2014

[26] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo Lecture Notes in Computer Science (includingsubseries LectureNotes in Artificial Intelligence and LectureNotesin Bioinformatics) Preface vol 8437 pp 436ndash454 2014

[27] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfishmining strategies in bitcoinrdquo in Financial Cryptography andData Security vol 9603 of Lecture Notes in Computer Sciencepp 515ndash532 Springer Berlin Germany 2017

[28] E Heilman ldquoOne weird trick to stop selfish miners freshbitcoins a solution for the honest miner (poster abstract)rdquo inLecture Notes in Computer Science (including subseries LectureNotes in Artificial Intelligence and Lecture Notes in Bioinformat-ics) Preface vol 8438 pp 161-162 2014

[29] S Rahmadika B J Kweka H Kim and K Rhee ldquoA scopingreview in defend against selfish mining attack in bitcoinrdquo ITConverg Pract vol 6 no 3 pp 18ndash26 2018

[30] AGervais H Ritzdorf GO Karame and S Capkun ldquoTamper-ing with the delivery of blocks and transactions in bitcoinrdquo inProceedings of the the 22nd ACM SIGSAC Conference pp 692ndash705 Denver Colo USA October 2015

[31] A Gervais G O Karame K Wust V Glykantzis H Ritzdorfand S Capkun ldquoOn the security and performance of Proof ofWork blockchainsrdquo in Proceedings of the 23rd ACM Conferenceon Computer and Communications Security CCS 2016 pp 3ndash16October 2016

[32] D T T Anh M Zhang B C Ooi and G Chen ldquoUntanglingblockchain a data processing view of blockchain systemsrdquo IEEETransactions on Knowledge and Data Engineering 2018

[33] D Mendez Mena I Papapanagiotou and B Yang ldquoInternet ofthings survey on securityrdquo Information Security Journal vol 27no 3 pp 162ndash182 2018

[34] O Ersoy Z Ren Z Erkin and R L Lagendijk ldquoTransac-tion propagation on permissionless blockchains incentive androuting mechanismsrdquo in Proceedings of the 2018 Crypto ValleyConference on Blockchain Technology (CVCBT) pp 20ndash30 June2018

[35] Y He H Li X Cheng Y Liu C Yang and L Sun ldquoAblockchain based truthful incentive mechanism for distributedP2P applicationsrdquo IEEE Access vol 6 pp 27324ndash27335 2018

[36] J Wang M Li Y He H Li K Xiao and C Wang ldquoAblockchain based privacy-preserving incentive mechanism incrowdsensing applicationsrdquo IEEE Access vol 6 pp 17545ndash17556 2018

[37] J Liu W Li G O Karame and N Asokan ldquoScalable Byzantineconsensus via hardware-assisted secret sharingrdquo Institute ofElectrical and Electronics Engineers Transactions on Computersvol 68 no 1 pp 139ndash151 2019

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

Page 4: Toward Privacy-Preserving Shared Storage in Untrusted ...downloads.hindawi.com/journals/wcmc/2019/6219868.pdf · WirelessCommunicationsandMobileComputing y r =g r(x r) Z = V E k E

4 Wireless Communications and Mobile Computing

Alice sends 1 BTCon 240318 at 30257

pm to x

One time use address x

Charlie receives 1 BTCon 240318 at35503 pm from x

Figure 4 One-time use transaction

address is in the pseudonymous form Since the new addressdoes not have a track record in the blockchain metadata theobserver is unlikely to track information from a transactionHowever one-time use transaction address provides privacyfor the users by extending the address to the counter-partieswhich detail information of the transaction still publiclyavailable on the blockchain network Roughly speaking thesender enables the recipient to spend the funds that he justreceived even though the recipient identity remains hiddenas can be seen in Figure 4

For instance an address X is a one-time address but theobserver has knowledge that Alice sent 1BTC toX andCharliereceived from X It can be used by the observer to inferthat X corresponds to Alice and Charlie By gathering thedetails on where Charlies fund originated and where Alicesfunds were passed on to it could avail deanonymize the one-time use transaction This scheme is also called transactiongraph analysis Therefore in order to develop privacy on thedecentralized blockchain system a new protocol is necessarysuch as stealth address protocol In otherwords it is a securityprotocol that has become ubiquitous almost by stealth [17]

232 Stealth Address One-time use address for transactionmight be inconvenient to manage since the new address mustbe generated by the recipient for every transaction that willbe carried out Unlike the one-time use payment address thestealth addresses get rid of this requirement In short stealthaddresses can be generated as follows

(i) The recipient generates a parent key pair 119875119906119887(119860 119861)and publishes hisher public key (the published key iscalled stealth address)

(ii) The sender will be able to use the stealth address ofthe recipient to commit a new one-time use paymentaddress for a particular transaction

(iii) At this stage the recipient uses their parent privatekey 119875119904(119886 119887) which is generated in advance to spendthe funds received The generating process of stealthaddress can be seen in Figure 5

The addresses are generated using trapdoor permuta-tion such as Diffie-Hellman key exchange protocol [18] Byleveraging the stealth address protocol the system allowseliminating the possibility for observers to link a one-time address to another In this sense the observer cannotdetermine the recipients address and is unlikely to link thetransaction to the recipient due to the new address beinggenerated based on hisher stealth address for every trans-action Stealth address protocol is used in CryptoNote and

Zcash combined with various other techniques such as zk-SNARKs in order to provide the stronger privacy for the userin the decentralized blockchain network The cryptographicapproaches can prevent ad hoc networks against externalattackers using node authentication and data encryption[19]

3 Our System Model

In this section we elaborate the model of decentralized PHIdata (the model is from our prior work) the sequences of thestandard blockchain transaction the group of ring signatureand the ring confidential transaction of PHI

31 Decentralized PHI Data A decentralized personal healthinformation model originally came from our previousresearch [12] In our predecessor work blockchain tech-nology is used to manage the personal health information(PHI) data of the patient which obtain from several health-care providers as can be seen in Figure 6 Based on thedecentralized PHI model we conducted testing in order tofind out information about data communication in peer-to-peer networks (see Figure 7) The results obtained show thehigh level of success in sending data among the parties inthe blockchain network that reaches 100 and the averageof propagation message is 118ms for 100 bytes of InternetControl Message Protocol Echo By leveraging the modelof our previous research the patients and the healthcareproviders allow to collect effectively the PHI data ontoa single view with integrity guarantee Data integrity isessential for the patient in the blockchain network since itis a fundamental component of information security whichverifies that the data has remained unaltered in transit fromcreation and reception [20] By design blockchain is tamper-proof immutability (the data stored are unchanging overtime or unable to be changed) so it is suitable for managingsensitive data such as personal health information digitalmedical record and other similar data

In the decentralized healthcare system model the patientand the providers are on the same blockchain network Thehealthcare providers preserve a diagnosis from the patientand then store it into sharing storage right after the data isconfirmed by the miner The patient afterwards enables tofind the data stored by the provider in the storage by searchingone by one based on the patients public key 119875119906119887(119860 119861)attached into the transaction The patient whose public keyis attached to the transaction is the only party who knows thedata stored in the storage because heshe has knowledge ofthe secret key 119875119904(119886 119887) to access the PHI data

Wireless Communications and Mobile Computing 5

Parent Private Key

Parent Public Key(ldquoStealth Addressrdquo)

Recipient generates a Parent Key Pair

Ephemeral Key+

Sender generates an Ephemeral Key

Ephemeral Key

One-time AddSecret Key=

Ephemeral Key+One-time Addr

Secret Key=

Figure 5 Generating process of stealth address

Patient

National Provider

Health and Social care professionalChiropractor

Clinical Psychologist

Hospital Laboratories

National Provider

Health and Socialcare professionalChiropractor

Clinical Psychologist

Hospital Laboratories

Figure 6 The model of decentralized personal health information data

As with the security model in general every party inthe system has the unique parent keys The public keyis used to commit transactions which later will be usedto generate a stealth address for every transaction A pairof keys is obtained from trapdoor permutation functionssuch as RSA algorithm and Rabin [21] which are generated

beforehand The parent keys of the parties can be defined asfollows

(i) The patient (119875119906119887120572 119875119903120572) the pair of patients publickey to commit the transaction can be defined as(119860120572 119861120572) and the pair of secret keys (119886120572 119887120572)

6 Wireless Communications and Mobile Computing

Figure 7 Propagating the personal health information data to the entire nodes

(ii) Hospital (119875119906119887120573 119875119903120573) the pair of hospitals public key(119860120573 119861120573) and the pair of secret keys(119886120573 119887120573)

(iii) Chiropractor (119875119906119887120574 119875119903120574) Chiropractors public key(119860120574 119861120574) and the pair of secret keys(119886120574 119887120574)

(iv) Clinical psychologist (119875119906119887120575 119875119903120575) clinical psycholo-gists public key (119860120575 119861120575) and the pair of secret keys(119886120575 119887120575)

(v) National provider (11987511990611988713 11987511990313) the public key ofnational provider (11986013 11986113) and the pair of secret keys(11988613 11988713)

(vi) Health and social care provider (119875119906119887 119875119903) healthand social providers public key (119860 119861) and the pairof secret keys (119886 119887)

(vii) Laboratories(119875119906119887 119875119903) the pair of public keys oflaboratories can be defined (119860 119861) and the pair ofsecret keys (119886 119887)

119875 = 119867119904 (119903119860120572)119866 + 119861120572 (1)

1198751015840 = 119867119904 (119886120572119877)119866 + 119861120572 119905ℎ119890119899 (2)

119886120572119877 = 119886120572119903119866 = 119903119860120572

1198751015840 = 119875(3)

The sequence of a standard transaction in decentralizedPHI data starts from the provider who wants to store the

patientrsquos data in the storage where the patient has publishedhis address to the provider beforehandThe provider unpacksthe address and gets the patients public key (119860120572 119861120572) Theprovider picks a random 119903 isin [1 119897 minus 1] where 119897 is a primeorder of the base point 119866 The provider then generates a one-time public key based on the pair public key (1) of the patient(the process is signified by Figure 3)

The patient and the healthcare providers possess a pair ofpublic keys (119860119899 119861119899) for different purposes The first publickey 119860119899 is used to generate a one-time public key whilstthe public key 119861119899 is attached to the transaction as thetracking value used by the patient to find the data addressedto himher The provider uses 119875 as a destination key forthe output and attaches the new value 119877 = 119903119866 into thetransaction The PHI data with attachments to119875 and 119877 valuesare stored into shared storage after being validated by theminer The patient later checks every transaction using hisprivate key (119886120572 119887120572) and calculates the new value1198751015840 (2) Finallythe patient compares the value 119875 received with the value 1198751015840decrypted (3)

32 The Group of Ring Signature In the decentralized PHIsystem there is a group ring signature consisting of patientand several healthcare providers In order to generate a groupthe system does not demand special requirements and alsounlikely require a manager to manage the group All that isneeded to create a ring signature group is the public key ofeach party (119875119906119887120572 119875119906119887120573 119875119906119887120574 119875119906119887120575 11987511990611988713 119875119906119887 and 119875119906119887)

Wireless Communications and Mobile Computing 7

S = A(R)

S = A(R)

S = A(R)

S = A(R)

S = A(R)

S = A(R)

S = A(R)

SH+1 = AH+1(RH+1)

Figure 8 The group of ring signature which is derived from the public keys of the member

Once a ring signature group has been generated all membersof the group are allowed to use the signature and combine itwith the private key of the sender It grants users fine-grainedcontrol over the level of anonymity associated with a certainsignature [22]

The signer enables to choose the number of signaturesthat they want to use in the transaction to provide anambiguous signer Later the public key is used for encryption119910119899 = 119892119899(119909119899) as shown in Figure 8 Intuitively 119892119899 is definedby the extended trapdoor permutation function such as RSAandRabin algorithm In practice for Rabins functions119892119899 (119909119899)extends to 119891119894(119909119894) = 1199091198942 mod 119899119894 over 0 1119887 where 2119887 is thepower of two which is larger than all modulo 1198991198941015840119904 The bucketconsists of b-bit numbers 119908 = 119902119894119899119894 + 119903119894 where 119903119894 isin Zlowast119899119894and (119902119894 + 1)119899119894 le 2119887 For any b-bit numbers 119908 is nonnegativeintegers 119902119894 and 119903119894 The bucket values are mapped by theextended Rabinmapping 119892119899 So the value of 119892119894(119908) is signifiedby (4)

119892119894 (119908) =

119902119894119899119894 + 119891119894119903119894 if (119902119894 + 1) 119899119894 le 2119887

119908 else(4)

Intuitively 119892119894(119908) is a permutation function over 0 1119887 whichis also a one-way trapdoor function because only a personknows the inverted value of 119891119894 for a given input Thereforewe can define the public keys for the prospective members asfollows

(i) The patientlarr997888 119910120572 = 119892120572(119909120572)(ii) Hospital larr997888 119910120573 = 119892120573(119909120573) Chiropractor larr997888 119910120574 =

119892120574(119909120574) whilst the clinical psychologist larr997888 119910120575 =119892120575(119909120575)

(iii) National providerlarr997888 11991013 = 11989213(11990913) health and socialcare providerlarr997888 119910 = 119892(119909) Laboratorieslarr997888 119910 =119892(119909)

(iv) For additional members of a group it can be gener-ated at any time as long as the public key of the newmember is known 119910119899+1 = 119892119899+1(119909119899+1)

119877119904119892 = 119910120572 oplus 119910120573 oplus 119910120574 oplus 119910120575 oplus 11991013 oplus 119910 oplus 119910 oplus oplus 119910119899+1 (5)

As can be seen in (5) a group of ring signature isconstructed based on encryption of the members public key

By design the sender signs the message for the individualtransaction using the signature of the group without asingle group manager involved Because the sender uses thesignature of the group the observer cannot judge the identityof the real sender for the corresponding transaction Thesender enables to choose the number of signatures that heshewants to use in the transaction The signature of a groupcan be used at any time in a transaction without havingpermission from the owner of the key For instance in aparticular transaction the provider 119910120573 uses the following keysto sign a message ℎ(119898119904119892 119910120574 119910120575 119910120572 and his key 119910120573)

33 Ring Confidential Transaction of PHI Ring confidentialtransaction (RingCT) is used in Monero cryptocurrency [16]in order to improve the privacy of the users Intuitively thering confidential transaction aims to hide the value of theactual amount in a transaction by combining the value ofthe current transaction with the value of the predecessortransactions By doing so the observer cannot tell the exactvalue of a transaction The value of the transaction canbe the number of coins sent or other data depending onthe type of system that applies RingCT [23] Unlike in theMonero transaction the value transaction in the Bitcoin ispublicly available in the plaintext The observer might beable to analyse the transaction values for certain purposes inthe particular period of time Therefore public data will bedangerous if misused maliciously

119877119862119879 = 119905119909119894119889 [(8) (2) (5) (11) (12) (15)] (6)

Suppose all outputs in Figure 9 exist whilst the transac-tion that provider enables to spend is highlighted in greenWhenever the provider creates a transaction he uses aRingCT to disguise which input is actually being spent Inthis regard the provider combines the current transactionwith the previous transactions (highlighted in gray) Theconfidential ring signature for the transaction is shown in(6) The provider allows using the RingCT directly withoutpermission and node manager involvement As well as thegroup signature the sender is free to use the value of previoustransactions in order to disguise the value of the currenttransaction By leveraging the model it is possible to createprivacy-preserving for users in the decentralized peer-to-peer shared storage in healthcare areawith the followingmainobjectives

8 Wireless Communications and Mobile Computing

1 txid (dfa89ad90)

2 txid (uio38939a)

3 txid (890dfla8df)

4 txid (dfa89add0)

5 txid (fga89ad90)

6 txid (5fa89ad45)

7 txid (twa845d90)

8 txid (pklsdf8900)

9 txid (78sd9ad91)

10 txid (dfa89ad90)

11 txid (sd71vcjjp)

12 txid (dzzqemfsa)

13 txid sywi22zmv)

14 txid (p4z24fh3g)

15 txid (tpa1vh9wz)

16 txid (wj023kt3w)

17 txid (vq6oxop4)

18 txid (z9i5mcsdu)

Figure 9 Ring confidential transaction based on the prior transactions

(i) Untraceability with the goal to protect the sendersinformation in the form of the address (publickey) The observer cannot trace where the coin wasreceived and where the coin originated from

(ii) Unlinkability to preserve the recipients identityThiscan be achieved by using a stealth address where therecipient makes two public keys that are used to createa one-time address and the other as the view key

(iii) Confidential Values to disguise the value of a trans-action The value of the current transaction is com-bined with the values of the transactions that havebeen carried out previously so it becomes an obscuredtransaction

4 Systems Analysis and the Dilemma

The main protocols for building privacy-preserving forblockchain shared storage model have been discussed inprevious section In this section we present the relationbetween each protocol The combination of the protocolsprovides a system that enables protecting the privacy ofusers in the decentralized shared storage The proceduresare displayed gingerly starting from generating the membersof ring signature through to mechanism of storing data inthe blockchain shared storage At the end of this section weelaborate on some dilemmas

We demonstrate a case study in which one of theproviders (hospital) wants to store diagnostic data of thepatient into the decentralized shared storage The providerhas known the address (public key) of the patient beforehandIn this sense the hospital acts as the sender whilst the patientacts as the recipient of the PHImessageTheprovider attachesthe address of the patient in the form of a view key for eachtransaction so that only patients likely enable to track datastored in shared storage using hisher knowledgeTheminershave a duty to validate the data from the sender before beingsaved into shared storage yet they are responsible for addingblocks to the blockchain network The miner gets a reward

after successfully adding the new block aswith the blockchainsystem in general Algorithm 1 is a description of the wholesystem process starting with making public keys throughto data stored in shared storage The process sequence forprivacy-preserving shared storage in untrusted blockchainP2P networks as follows

(i) The party possesses a pair of parent keys (119875119906119887119896119890119910119875119903119896119890119910) that have been generated beforehand basedon trapdoor permutation function such as RSARabin or Diffie-Hellman algorithmThepatient is therecipient(119875119906119887120572 119875119903120572) whilst the hospital is the sender(119875119906119887120573 119875119903120573) in this case study

(ii) The hospital is the sender of the patients diagnosisdata (in this case) The hospital constructs a ringsignature group based on public key from providersand patient that has been known previously Thehospital also added its public key to the group

119877119904119892120573 = 119892120572 (119909120572) oplus 119892120572 (119909120573) oplus 119892120574 (119909120574) oplus 119892120575 (119909120575)

oplus 11989213 (11990913) oplus 119892 (119909) oplus 119892 (119909) oplus

oplus 119892119899+1 (119909119899+1)

(7)

(iii) When the group of ring signature 119877119904119892120573 is generatedthe sender enables to use the signature of each groupmember without having to get permission from theowner of public keys In this case study the hospitalchooses to use all signatures from group members asshown in (7) The hospital can add new members atany time as long as the public key is known

(iv) The patient as the recipient later makes the stealthaddress based on a pair of parent keys The patientcreates a pair of public keys 119875119906119887120572(119860120572 119861120572) and sendsit to the hospital via secure channel The hospitalgenerates a new one-time address based on stealth

Wireless Communications and Mobile Computing 9

1 Procedure 119878ℎ119886119903119890119889 1198781199051199001199031198861198921198902 Trapdoor Function (parent keys) lowasttrapdoor permutation function eg RSA Rabin3 119875119886119905119894119890119899119905 larr997888 ℎ119886119904ℎ(119875119906119887120572 119875119903120572)4 119867119900119904119901119894119905119886119897 larr997888 ℎ119886119904ℎ(119875119906119887120573 119875119903120573) lowastforallparty has parent keys5 119862ℎ119894119903119900119901119903119886119888119905119900119903 larr997888 ℎ119886119904ℎ(119875119906119887120574 119875119903120574)6 119862119897119888119875119904119910119888ℎ119900119897119900119892119894119904119905 larr997888 ℎ119886119904ℎ(119875119906119887120575 119875119903120575)7 119873119886119905119894119900119899119886119897119875119903119900V119894119889119890119903 larr997888 ℎ119886119904ℎ(11987511990611988713 11987511990313)8 119878119900119888119894119886119897 119888119886119903119890 larr997888 ℎ119886119904ℎ(119875119906119887 119875119903)9 119871119886119887119900119903119886119905119900119903119894119890119904 larr997888 ℎ119886119904ℎ(119875119906119887 119875119903)10The sender creates a group of ring signature11 Procedure 119880119904119890 119875119906119887119897119894119888 119870119890119910 forall 119901119886119903119905119894119890119904 isin 119901119886119903119890119899119905119896119890119910119904 lowastuse public key of the parties as an input12 Create RS13 119877119904119892119899 larr997888 119892120572(119909120572) oplus 119892120573(119909120573) oplus 119892120574(119909120574) oplus oplus 119892119899+1(119909119899+1)14 AddNewMembers lowastin case add new members15 119880119901119889119886119905119890 119877119904119892119899 larr997888 119866119890119905 119873119890119908119875119906119887119896119890119910 oplus 119875119906119887119870119890119910(119899+1)16 end procedure17 Procedure 119862119903119890119886119905119890 119878119905119890119886119897119905ℎ119860119889119889119903(119887119910119877119890119888119894119901119894119890119899119905) lowastthe recipient creates stealth address18 119875119886119903119890119899119905119870119890119910 119875119906119887119870119890119910119899 997888rarr 119875119906119887119870119890119910119899(119860119899 119861119899)19 119878119890119899119889(119860119899) 997888rarr 119905119900 119904119890119899119889119890119903 (V119894119886 119878119890119888119906119903119890119862ℎ119886119899119899119890119897)20 (119860119899 119861119899)119903119890119888119890119894V119890119889 997888rarr 119862119903119890119886119905119890 119873119890119908 119874119879119875 lowastsender creates new OTP for recipient21 end procedure22 Procedure 119862119900119899119891119894119889119890119899119905119894119886119897 119877119894119899119892 119878119894119892119899119886119905119906119903119890 lowastconfidential ring signature as an option23 119894119891 forall119905119909119904 119861119862 119906119904119890 119862119877119878 119905ℎ119890119899 119903119890119905119906119903119899 True24 119873119890119908119881119886119897119906119890 larr997888 119862119906119903119903119890119899119905119881119886119897119906119890 oplus 119875119903119890V11988111988611989711990611989025 119868119899119888119897119906119889119890 119905119900 119905ℎ119890 119899119890119908 119905119909 larr997888 11987311989011990811988111988611989711990611989026 119890119897119904119890119903119890119905119906119903119899 False27 end procedure28 Procedure 119878119894119892119899 119905ℎ119890 119875119867119868 119863119886119905119886(119872119904119892) lowastin this case the PHI data is from the hospital29 119866119890119905 119872119904119892 isin 119863119894119886119892119899119900119904119894119904 119863119886119905119886(119867119900119904119901119894119905119886119897)30 119878119894119892119899 120590 larr997888 119888ℎ119900119900119904119890 119904119894119892119899119890119903 isin 11987711990411989211989931 119877119894119899119892119862119879larr997888 119888ℎ119900119900119904119890 119901119903119890V 119905119909119904 isin 11986211987711987832 119872119904119892 larr997888 119886119905119905119886119888ℎ11989011988910158401198701198901199101198681198981198861198921198901015840 lowastKeyImage to prevent storing the same data33 119862119906119903119903119872119904119892 larr997888 119878119894119892119899 120590 119877119894119899119892119862119879 11987011989011991011986811989811988611989211989034 end procedure35 Procedure 119878119890119899119889 119905119900 119861119897119900119888119896119888ℎ119886119894119899 11987311989011990511990811990011990311989636 119866119890119905 119862119906119903119903119872119904119892 oplus 119874119879119875(119891119903119900119898 119878119905119890119886119897119905ℎ119860119889119889119903)37 119878119890119899119889 119905119900 119887119897119900119888119896119888ℎ119886119894119899 11989911989011990511990811990011990311989638 119882119886119894119905 1198981198941198991198901199031015840119904 11988811990011989911989111989411990311989811988611990511989411990011989939 119894119891 119862119906119903119903119872119904119892 119894119904 V119886119897119894119889 119905ℎ119890119899 119903119890119905119906119903119899 True lowasttransaction is success40 119860119889119889 119899119890119908119861119897119900119888119896 119905119900 119861119862 11989911989011990511990811990011990311989641 119860119889119889119862119906119903119903119872119904119892 997888rarr 119878ℎ119886119903119890119889 11987811990511990011990311988611989211989042 119890119897119904119890119903119890119905119906119903119899 False43 End

Algorithm 1 Shared Storage of PHI Data

address received Only patients can access data storedin shared storage by using his knowledge 119875119903120572(119886120572 119887120572)

119874119879119875 = 119867119904 (119903119860120572) 119866 + 119861120572 (8)

(v) The sender unpacks the address received which con-tains the public address of the recipient 119875119906119887120572(119860120572 119861120572)The sender picks the random value 119903 isin [1 119897 minus 1] togenerate one-time public key and attaches119861120572 as a viewaddress in the shared storage

(vi) For certain types of data the sender can use confiden-tial ring signatures (RingCT) to disguise informationof the data by adding value to transactions that have

occurred before such as 119877119862119879120573 = 119905119909119894119889(3) 119905119909119894119889(7) 119905119909119894119889(5) 119905119909119894119889(9) 119905119909119894119889(119899)

(vii) The hospital signs the diagnosis data 119898119904119892 usingthe member key from the ring signature asfollows 119878119894119892119899120590(119898119904119892 119910120572 119910120573 119910120574 119910120575 11991013 119910 119910 119910119899)which consists of the public keys of the members119875119906119887120572 119875119906119887120573 119875119906119887120574 119875119906119887120575 11987511990611988713 119875119906119887 and 119875119906119887

(viii) Key image is attached by the sender to prevent doublespending It can be interpreted as a scheme to preventthe same data stored twice in blockchain storageThe hospital sends the following series of data tothe blockchain network to be confirmed by miners119878119894119892119899 120590 119898119904119892 119874119879119875 119877119894119899119892119862119879 119896119890119910119894119898119886119892119890

10 Wireless Communications and Mobile Computing

(ix) The diagnosis data from the hospital along withattachments of the files are then sent to the blockchainnetwork to be verified by the miners before thedata are stored in a decentralized shared storageWhenever the data has been stored successfully thepatient traces one by one the transaction on theblockchain network until the patient finds hisherview keys 119861119899 which correspond to the patient

(x) The patient with hisher knowledge decrypts andcompares the value of the data received with thedecrypted value 119886120572119877 = 119886120572119903119866 = 119903119860120572 1198751015840 = 119875

The Algorithm 1 presents an overall model of the systemwhich starts with generating key pairs for the parties creatinga ring signature group and stealth addresses signing PHIdata until data are confirmed and stored in the decentralizedshared storage The observer is unlikely to track the senderrsquostransaction since the sender uses a signature on behalf ofa group in which the senders signature is obscured Fur-thermore the observer cannot associate one transaction withanother so it is indistinguishable whether the transactionwas sent by the same sender In other words the identityof the sender remains a secret Likewise the identity of therecipient cannot be tracked by the observer nor maliciousproviders because the recipient sends the stealth address tothe sender thereafter the sender creates a one-time addressto protect the privacy of the recipient The value of a PHI datais kept from being seen because it is combined with the valueof previous transactions through the RingCT The identityof the user along with the information of the transactionson the blockchain network is paramount therefore thedecentralized shared storage systems need to manage theconfidentiality as well as ensure the integrity of the PHI data

Apart from the model that has been described there isanother important factor which plays the role to a decen-tralized system called transaction propagation A numer-ous number of transactions are distributed to the entirenodes in the blockchain peer-to-peer network resulting inpropagation delay The structure of a P2P network allowsthe peer to disseminate information to the other nodesthat are connected to the sender [24] There are severalstudies conducted by researchers to measure how effectivethe block distribution in the peer-to-peer networks such asexperiments in which the goal is to find out the numberof successful connections and experiments to determine theeffect of the number of nodes against the block

One among parameters that affect transaction propa-gation is block size Block size can be understood as themaximum limit of a block to be filled up with varioustransactions on it It also can be thought of as a bundleof transactions with each block needing to get verificationbefore it can be accepted by the network Each block hasits own size depending on the type of transaction called theblock sizeThemaximum block size in Bitcoin stands at 1MBMiners enable to choose the number of transactions to beprocessed in a block If Bitcoin miners commit a transactionthat exceeds the maximum limit then the block will berejected by the network The motivation of block size is toprevent the attack such as denial-of-service attacks The size

of a block also affects the length of confirmation time Whena node receives a new transaction the recipient confirms thevalidity of the block before accepting it The duration of theconfirmation process depends on the size of the block Bydesign the larger the size of a block is the longer it takesto confirm Therefore the size of a block plays an importantrole in the blockchain in general because it directly affects thedelay time

Propagation delay is inseparable from the size of a blockThere is a correlation between block size and the propagationdelay until the node receives the blockThe larger the size of ablock themore transactions that can be done yet it affects thepropagation time and sacrifice the security The influence ofa block size to the propagation time can be seen in Figure 10[25] The block size in the transaction is varied up to 350 KBin order to find out how long it takes for the node to receivethe block To reach 25 of total transaction is visualized witha red line 50 for the green line and 75 for the blue lineThe results are in line with the theory which states the largerthe size of a block the greater the propagation time

We take measurements for orphaned blocks by followingthe withholding attack (selfish mining) strategy that was firstdiscovered in 2014 In this study we do not elaborate onthe details of withholding attack strategy we recommendthat readers refer to the references [26ndash28] The intuitionof this attack is to keep the finding block secret untilthe attackers network becomes the longest chain in theblockchain network For a particular condition this attackdoes not possess any benefit because the block is stored inthe attackers network which is only known by the attacker(nonprofit) The attackers get the reward if only the blockfound is propagated to the public and get confirmed by otherminers

The simulation is carried out in order to know theperformance of dishonest miners which follow the selfishmining protocol The aims of this strategy are to discoverthe new block till becoming the longest chain and gainingthe revenue after publishing the block to the public network[29] In our setting we arrange the selfish miners to competewith honest miners in 14 days to solve the proof-of-workand discover the new block The maximum of mining powerof selfish miner is 04 and it is running randomly from00 through 04 within 14 days in the simulation as shownin Figure 11 There are 12 nodes of dishonest miners withdifferent mining power from 00 to 04 We set the maximumnumber of mining power at 04 of total mining power inthe network Based on the simulation result we concludethat whenever the dishonest miner has 0322 mining powerit is enough to get the unfair revenue and allows gainingthe revenue larger than it should be In general there are51 new blocks successfully added as well as 4 orphanedblocks recorded The average of block generation time is 772minutes

To the extent we obtained the information related to theparameters that affect the propagation time in the blockchainpeer-to-peer network based on our findings and the priorworks of literatureThere are numerous articles proposing theimprovement of propagation delays by changing the networktopology minimizing the verification time of a transaction

Wireless Communications and Mobile Computing 11

50

45

40

35

30

25

20

15

10

5

00 50 100 150 200 250 300 350

Block size (KB)

Tim

e (se

c)

25

50

75

Figure 10 Relationship between block size and the time

50

40

30

20

10

0

Bloc

k H

eigh

t

0 200000 400000 600000 800000 1000000 1200000

Time (s)

08

06

04

02

00

Rew

ard

000 005 010 015 020 025 030 035 040Mining Power

Figure 11 Block height against time in the P2P network (left) the performance of selfish mining attack (right)

and reconstructing the message exchange protocol in theblockchain network Generally speaking the presence ofhaving the propagation of delays can cause a lot of damagein the blockchain network [30 31]

There are many considerations to increase the effective-ness of the blockchainTherefore we select block propagationand block size parameters to be discussed as follows

(i) Speeding up the block generation In theory it would beremarkably beneficial if the block generation time isresetting as fast as possible for each transaction so thateach user will get faster payments The propagationtime includes the length of time for the distributionof transactions in the peer-to-peer network and thetime for verification of a block But the problem isthat if the block generation time is speeding up there

will be a lot of orphaned blocks It can be understoodbecause each node will receive many new blocks thatare spread through peer-to-peer networks The tie-breaking protocol causes each node to only acceptone valid block for the same type of transaction sothat it will reject transactions from other nodes thatcause the orphaned block to appear Due to manynew orphaned blocks that will emerge it will motivaterational miners to adopt the selfish mining strategythat rivals the main network and causes the forkedchain [32]

(ii) Decrease block generation Slowing down the blockgeneration time for each transaction will reduce thespeed of transactions on the peer-to-peer networkPositively it gives some merits such as providing a

12 Wireless Communications and Mobile Computing

better security system Roughly this happens due toa decreasing number of orphaned blocks that willeliminate the selfish mining attack

(iii) Increasing the block size The bigger the capacity of ablock the more the transactions that can be filled upinto the block It will slow the propagation of everytransaction to all nodes in the peer-to-peer networkThe slow propagation time will cause new problemsnamely double-spending attack Attacker could usethe same coin for two or more different transactionsSlower propagation of blocks on the peer-to-peernetwork resulted in the fact that the block cannot befully accepted by the nodes As a result when thetransaction is received the block will confirm thatthe block is valid even though the transaction hasbeen used and confirmed by other nodes in the samenetwork

(iv) Reducing the capacity of block size Because of onlya few transactions that occur within a block it willspeed up the propagation time for every transactionIt causes many orphaned blocks to emerge and allowfor the occurrence of selfish mining attacks that harmthe system Yet this decision gives the advantagessuch as fast payments and fast transaction Howeverit should ensure the immutability of the block andtransaction [33]

5 Limited and Future Work

We assume that shared storage is interconnected to ablockchain network where miners have access into it Interms of the type of shared storage we do not define itin detail instead we assume the shared storage has all thecapacity needed to support the proposed system One ofthe drawbacks of our system is related to the time neededby the recipient to find data in shared storage because therecipient must seek for data one by one based on the keyview so that the patient observes each transaction in theblockchain In the long run this might become an obstacleif the blockchain network is expanding There will be manytransactions occurring so that it will be difficult for therecipient to monitor every transaction which belongs tohimher

For future work the model and capacity of shared storageneed to be observed further The access control in the sharedstorage is also essential to ensure that system keeps safeIncentive mechanisms also need to be considered for thestorage providers It aims to motivate providers to contributeto protecting the privacy of the users as suggested by [34ndash36]Furthermore it is important to carefully consider the typeof block to be used including parameters directly involvedin the system such as block size and type of consensus toname a few Additionally the consensus selection mecha-nism is paramount in the blockchain For instance a newmethod by expanding the Byzantine consensus via hardware-assisted secret sharing can solve the scalability problem in theblockchain [37]

6 Conclusions

The model of privacy in the blockchain peer-to-peer sharedstorage has been fully presented The idea of ring signaturecombined with several protocols provides the solutions forprivacy issues on the blockchain transaction The identityof the sender and the recipient remains hidden unlinkableand untraceable from the observer The key image is attachedto prevent the same data from being stored multiple timesand it can be used as well to prevent double spending anddata duplication Based on our findings and informationfrom several literature reviews it can be said that increasingthe performance of the decentralized blockchain requires avery deep analysis since it is directly related to the securityThere are advantages and drawbacks for each decision takenFor future work a scheme that provides incentives needs tobe developed as a motivation to maintain the decentralizedsystem

Data Availability

No data were used to support this study

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This research was supported by the MSIT (Ministry ofScience and ICT) Korea under the ITRC (InformationTechnology Research Center) support program (IITP-2019-0-00403) supervised by the IITP (Institute for Informationamp Communications Technology Planning amp Evaluation) andpartially supported by the National Research Foundation ofKorea (NRF) grant funded by the Korea government (MSIT)(No NRF-2018R1D1A1B07048944)

References

[1] G Karame and E Androulaki Bitcoin and Blockchain SecurityArtech House Information Security and Privacy Series 2016

[2] R J Krawiec D Housman M White et al ldquoBlockchainOpportunities for health carerdquo in Proceedings of the NISTWorkshop Blockchain Healthcare pp 1ndash16 2016

[3] D E OrsquoLeary ldquoConfiguring blockchain architectures for trans-action information in blockchain consortiums The case ofaccounting and supply chain systemsrdquo Intelligent Systems inAccounting Finance and Management vol 24 no 4 pp 138ndash147 2017

[4] D Yang J Gavigan and ZWHearn ldquoSurvey of Confidentialityand Privacy Preserving Technologies for Blockchainsrdquo R3 pp1ndash32 2016

[5] HKoppDModinger FHauck F Kargl andC Bosch ldquoDesignof a privacy-preserving decentralized file storage with financialincentivesrdquo in Proceedings of the 2nd IEEE European Symposiumon Security and PrivacyWorkshops EuroS and PW 2017 pp 14ndash22 April 2017

Wireless Communications and Mobile Computing 13

[6] TW Clarke I Sandberg OWiley and B Hong ldquoA distributedanonymous information storage and retrieval systemrdquo Journalof Chemical Information and Modeling vol 53 no 9 pp 1689ndash1699 2001

[7] E Heilman L AlShenibr F Baldimtsi A Scafuro and SGoldberg ldquoTumbleBit an untrusted bitcoin-compatible anony-mous payment hubrdquo in Proceedings of the 2017 Network andDistributed System Security Symposium 2017

[8] S Wu Y Chen QWang M Li C Wang and X Luo ldquoCReama smart contract enabled collusion-resistant e-auctionrdquo IEEETransactions on Information Forensics 2018

[9] J Benet and N Greco ldquoFilecoin A Decentralized StorageNetworkrdquo Protoc Labs 2018

[10] S Wilkinson T Boshevski J Brandoff and V Buterin ldquoStorj apeer-to-peer cloud storage networkrdquo Technical report storjio2014

[11] B Fisch ldquoPoreps Proofs of space on useful datardquo Report2018678 Cryptology ePrint Archive 2018

[12] S Rahmadika and K Rhee ldquoBlockchain technology for pro-viding an architecture model of decentralized personal healthinformationrdquo International Journal of Engineering BusinessManagement vol 10 pp 1ndash12 2018

[13] R L Rivest A Shamir and Y Tauman ldquoHow to leak a secretrdquoin International Conference on the Theory and Application ofCryptology and Information Security vol 2248 of Lecture Notesin Comput Sci pp 552ndash565 Springer

[14] D Chaum E van Heyst and C Science ldquoGroup Signaturesrdquo inAdv CryptologymdashEUROCRYPTrsquo91 vol iii pp 257ndash265 1991

[15] N Van Saberhagen ldquoCryptoNote v 20rdquo Self-published pp 1ndash202013

[16] S Noether A Mackenzie and T M Research Lab ldquoRingconfidential transactionsrdquo Ledger vol 1 pp 1ndash8 2016

[17] E Gallery and C J Mitchell ldquoTrusted computing Security andapplicationsrdquo Cryptologia vol 33 no 3 pp 217ndash245 2009

[18] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976

[19] A A Korba M Nafaa and S Ghanemi ldquoAn efficient intrusiondetection and prevention framework for ad hoc networksrdquoInformation and Computer Security vol 24 no 4 pp 298ndash3252016

[20] S Rahmadika P H Rusmin H Hindersah and K H RheeldquoProviding data integrity for container dwelling time in the sea-portrdquo in Proceedings of the 6th International Annual EngineeringSeminar InAES 2016 pp 132ndash137 Indonesia August 2016

[21] K Schmidt-Samoa ldquoA new rabin-type trapdoor permutationequivalent to factoringrdquo Electronic Notes in Theoretical Com-puter Science vol 157 no 3 pp 79ndash94 2006

[22] A Bender J Katz and R Morselli ldquoRing signatures strongerdefinitions and constructions without randomoraclesrdquo Journalof Cryptology The Journal of the International Association forCryptologic Research vol 22 no 1 pp 114ndash138 2009

[23] K Lee andAMiller ldquoAuthenticateddata structures for privacy-preserving monero light clientsrdquo in Proceedings of the 3rd IEEEEuropean Symposium on Security and PrivacyWorkshops EUROS and PW 2018 April 2018

[24] R Schollmeier ldquoA definition of peer-to-peer networking for theclassification of peer-to-peer architectures and applicationsrdquo inProceedings of the 1st International Conference on Peer-to-PeerComputing P2P 2001 pp 101-102 August 2001

[25] Y Sompolinsky and A Zohar ldquoAccelerating bitcoins trans-action processing fast money grows on trees not chainsrdquoEprintIacrOrg 2014

[26] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo Lecture Notes in Computer Science (includingsubseries LectureNotes in Artificial Intelligence and LectureNotesin Bioinformatics) Preface vol 8437 pp 436ndash454 2014

[27] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfishmining strategies in bitcoinrdquo in Financial Cryptography andData Security vol 9603 of Lecture Notes in Computer Sciencepp 515ndash532 Springer Berlin Germany 2017

[28] E Heilman ldquoOne weird trick to stop selfish miners freshbitcoins a solution for the honest miner (poster abstract)rdquo inLecture Notes in Computer Science (including subseries LectureNotes in Artificial Intelligence and Lecture Notes in Bioinformat-ics) Preface vol 8438 pp 161-162 2014

[29] S Rahmadika B J Kweka H Kim and K Rhee ldquoA scopingreview in defend against selfish mining attack in bitcoinrdquo ITConverg Pract vol 6 no 3 pp 18ndash26 2018

[30] AGervais H Ritzdorf GO Karame and S Capkun ldquoTamper-ing with the delivery of blocks and transactions in bitcoinrdquo inProceedings of the the 22nd ACM SIGSAC Conference pp 692ndash705 Denver Colo USA October 2015

[31] A Gervais G O Karame K Wust V Glykantzis H Ritzdorfand S Capkun ldquoOn the security and performance of Proof ofWork blockchainsrdquo in Proceedings of the 23rd ACM Conferenceon Computer and Communications Security CCS 2016 pp 3ndash16October 2016

[32] D T T Anh M Zhang B C Ooi and G Chen ldquoUntanglingblockchain a data processing view of blockchain systemsrdquo IEEETransactions on Knowledge and Data Engineering 2018

[33] D Mendez Mena I Papapanagiotou and B Yang ldquoInternet ofthings survey on securityrdquo Information Security Journal vol 27no 3 pp 162ndash182 2018

[34] O Ersoy Z Ren Z Erkin and R L Lagendijk ldquoTransac-tion propagation on permissionless blockchains incentive androuting mechanismsrdquo in Proceedings of the 2018 Crypto ValleyConference on Blockchain Technology (CVCBT) pp 20ndash30 June2018

[35] Y He H Li X Cheng Y Liu C Yang and L Sun ldquoAblockchain based truthful incentive mechanism for distributedP2P applicationsrdquo IEEE Access vol 6 pp 27324ndash27335 2018

[36] J Wang M Li Y He H Li K Xiao and C Wang ldquoAblockchain based privacy-preserving incentive mechanism incrowdsensing applicationsrdquo IEEE Access vol 6 pp 17545ndash17556 2018

[37] J Liu W Li G O Karame and N Asokan ldquoScalable Byzantineconsensus via hardware-assisted secret sharingrdquo Institute ofElectrical and Electronics Engineers Transactions on Computersvol 68 no 1 pp 139ndash151 2019

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

Page 5: Toward Privacy-Preserving Shared Storage in Untrusted ...downloads.hindawi.com/journals/wcmc/2019/6219868.pdf · WirelessCommunicationsandMobileComputing y r =g r(x r) Z = V E k E

Wireless Communications and Mobile Computing 5

Parent Private Key

Parent Public Key(ldquoStealth Addressrdquo)

Recipient generates a Parent Key Pair

Ephemeral Key+

Sender generates an Ephemeral Key

Ephemeral Key

One-time AddSecret Key=

Ephemeral Key+One-time Addr

Secret Key=

Figure 5 Generating process of stealth address

Patient

National Provider

Health and Social care professionalChiropractor

Clinical Psychologist

Hospital Laboratories

National Provider

Health and Socialcare professionalChiropractor

Clinical Psychologist

Hospital Laboratories

Figure 6 The model of decentralized personal health information data

As with the security model in general every party inthe system has the unique parent keys The public keyis used to commit transactions which later will be usedto generate a stealth address for every transaction A pairof keys is obtained from trapdoor permutation functionssuch as RSA algorithm and Rabin [21] which are generated

beforehand The parent keys of the parties can be defined asfollows

(i) The patient (119875119906119887120572 119875119903120572) the pair of patients publickey to commit the transaction can be defined as(119860120572 119861120572) and the pair of secret keys (119886120572 119887120572)

6 Wireless Communications and Mobile Computing

Figure 7 Propagating the personal health information data to the entire nodes

(ii) Hospital (119875119906119887120573 119875119903120573) the pair of hospitals public key(119860120573 119861120573) and the pair of secret keys(119886120573 119887120573)

(iii) Chiropractor (119875119906119887120574 119875119903120574) Chiropractors public key(119860120574 119861120574) and the pair of secret keys(119886120574 119887120574)

(iv) Clinical psychologist (119875119906119887120575 119875119903120575) clinical psycholo-gists public key (119860120575 119861120575) and the pair of secret keys(119886120575 119887120575)

(v) National provider (11987511990611988713 11987511990313) the public key ofnational provider (11986013 11986113) and the pair of secret keys(11988613 11988713)

(vi) Health and social care provider (119875119906119887 119875119903) healthand social providers public key (119860 119861) and the pairof secret keys (119886 119887)

(vii) Laboratories(119875119906119887 119875119903) the pair of public keys oflaboratories can be defined (119860 119861) and the pair ofsecret keys (119886 119887)

119875 = 119867119904 (119903119860120572)119866 + 119861120572 (1)

1198751015840 = 119867119904 (119886120572119877)119866 + 119861120572 119905ℎ119890119899 (2)

119886120572119877 = 119886120572119903119866 = 119903119860120572

1198751015840 = 119875(3)

The sequence of a standard transaction in decentralizedPHI data starts from the provider who wants to store the

patientrsquos data in the storage where the patient has publishedhis address to the provider beforehandThe provider unpacksthe address and gets the patients public key (119860120572 119861120572) Theprovider picks a random 119903 isin [1 119897 minus 1] where 119897 is a primeorder of the base point 119866 The provider then generates a one-time public key based on the pair public key (1) of the patient(the process is signified by Figure 3)

The patient and the healthcare providers possess a pair ofpublic keys (119860119899 119861119899) for different purposes The first publickey 119860119899 is used to generate a one-time public key whilstthe public key 119861119899 is attached to the transaction as thetracking value used by the patient to find the data addressedto himher The provider uses 119875 as a destination key forthe output and attaches the new value 119877 = 119903119866 into thetransaction The PHI data with attachments to119875 and 119877 valuesare stored into shared storage after being validated by theminer The patient later checks every transaction using hisprivate key (119886120572 119887120572) and calculates the new value1198751015840 (2) Finallythe patient compares the value 119875 received with the value 1198751015840decrypted (3)

32 The Group of Ring Signature In the decentralized PHIsystem there is a group ring signature consisting of patientand several healthcare providers In order to generate a groupthe system does not demand special requirements and alsounlikely require a manager to manage the group All that isneeded to create a ring signature group is the public key ofeach party (119875119906119887120572 119875119906119887120573 119875119906119887120574 119875119906119887120575 11987511990611988713 119875119906119887 and 119875119906119887)

Wireless Communications and Mobile Computing 7

S = A(R)

S = A(R)

S = A(R)

S = A(R)

S = A(R)

S = A(R)

S = A(R)

SH+1 = AH+1(RH+1)

Figure 8 The group of ring signature which is derived from the public keys of the member

Once a ring signature group has been generated all membersof the group are allowed to use the signature and combine itwith the private key of the sender It grants users fine-grainedcontrol over the level of anonymity associated with a certainsignature [22]

The signer enables to choose the number of signaturesthat they want to use in the transaction to provide anambiguous signer Later the public key is used for encryption119910119899 = 119892119899(119909119899) as shown in Figure 8 Intuitively 119892119899 is definedby the extended trapdoor permutation function such as RSAandRabin algorithm In practice for Rabins functions119892119899 (119909119899)extends to 119891119894(119909119894) = 1199091198942 mod 119899119894 over 0 1119887 where 2119887 is thepower of two which is larger than all modulo 1198991198941015840119904 The bucketconsists of b-bit numbers 119908 = 119902119894119899119894 + 119903119894 where 119903119894 isin Zlowast119899119894and (119902119894 + 1)119899119894 le 2119887 For any b-bit numbers 119908 is nonnegativeintegers 119902119894 and 119903119894 The bucket values are mapped by theextended Rabinmapping 119892119899 So the value of 119892119894(119908) is signifiedby (4)

119892119894 (119908) =

119902119894119899119894 + 119891119894119903119894 if (119902119894 + 1) 119899119894 le 2119887

119908 else(4)

Intuitively 119892119894(119908) is a permutation function over 0 1119887 whichis also a one-way trapdoor function because only a personknows the inverted value of 119891119894 for a given input Thereforewe can define the public keys for the prospective members asfollows

(i) The patientlarr997888 119910120572 = 119892120572(119909120572)(ii) Hospital larr997888 119910120573 = 119892120573(119909120573) Chiropractor larr997888 119910120574 =

119892120574(119909120574) whilst the clinical psychologist larr997888 119910120575 =119892120575(119909120575)

(iii) National providerlarr997888 11991013 = 11989213(11990913) health and socialcare providerlarr997888 119910 = 119892(119909) Laboratorieslarr997888 119910 =119892(119909)

(iv) For additional members of a group it can be gener-ated at any time as long as the public key of the newmember is known 119910119899+1 = 119892119899+1(119909119899+1)

119877119904119892 = 119910120572 oplus 119910120573 oplus 119910120574 oplus 119910120575 oplus 11991013 oplus 119910 oplus 119910 oplus oplus 119910119899+1 (5)

As can be seen in (5) a group of ring signature isconstructed based on encryption of the members public key

By design the sender signs the message for the individualtransaction using the signature of the group without asingle group manager involved Because the sender uses thesignature of the group the observer cannot judge the identityof the real sender for the corresponding transaction Thesender enables to choose the number of signatures that heshewants to use in the transaction The signature of a groupcan be used at any time in a transaction without havingpermission from the owner of the key For instance in aparticular transaction the provider 119910120573 uses the following keysto sign a message ℎ(119898119904119892 119910120574 119910120575 119910120572 and his key 119910120573)

33 Ring Confidential Transaction of PHI Ring confidentialtransaction (RingCT) is used in Monero cryptocurrency [16]in order to improve the privacy of the users Intuitively thering confidential transaction aims to hide the value of theactual amount in a transaction by combining the value ofthe current transaction with the value of the predecessortransactions By doing so the observer cannot tell the exactvalue of a transaction The value of the transaction canbe the number of coins sent or other data depending onthe type of system that applies RingCT [23] Unlike in theMonero transaction the value transaction in the Bitcoin ispublicly available in the plaintext The observer might beable to analyse the transaction values for certain purposes inthe particular period of time Therefore public data will bedangerous if misused maliciously

119877119862119879 = 119905119909119894119889 [(8) (2) (5) (11) (12) (15)] (6)

Suppose all outputs in Figure 9 exist whilst the transac-tion that provider enables to spend is highlighted in greenWhenever the provider creates a transaction he uses aRingCT to disguise which input is actually being spent Inthis regard the provider combines the current transactionwith the previous transactions (highlighted in gray) Theconfidential ring signature for the transaction is shown in(6) The provider allows using the RingCT directly withoutpermission and node manager involvement As well as thegroup signature the sender is free to use the value of previoustransactions in order to disguise the value of the currenttransaction By leveraging the model it is possible to createprivacy-preserving for users in the decentralized peer-to-peer shared storage in healthcare areawith the followingmainobjectives

8 Wireless Communications and Mobile Computing

1 txid (dfa89ad90)

2 txid (uio38939a)

3 txid (890dfla8df)

4 txid (dfa89add0)

5 txid (fga89ad90)

6 txid (5fa89ad45)

7 txid (twa845d90)

8 txid (pklsdf8900)

9 txid (78sd9ad91)

10 txid (dfa89ad90)

11 txid (sd71vcjjp)

12 txid (dzzqemfsa)

13 txid sywi22zmv)

14 txid (p4z24fh3g)

15 txid (tpa1vh9wz)

16 txid (wj023kt3w)

17 txid (vq6oxop4)

18 txid (z9i5mcsdu)

Figure 9 Ring confidential transaction based on the prior transactions

(i) Untraceability with the goal to protect the sendersinformation in the form of the address (publickey) The observer cannot trace where the coin wasreceived and where the coin originated from

(ii) Unlinkability to preserve the recipients identityThiscan be achieved by using a stealth address where therecipient makes two public keys that are used to createa one-time address and the other as the view key

(iii) Confidential Values to disguise the value of a trans-action The value of the current transaction is com-bined with the values of the transactions that havebeen carried out previously so it becomes an obscuredtransaction

4 Systems Analysis and the Dilemma

The main protocols for building privacy-preserving forblockchain shared storage model have been discussed inprevious section In this section we present the relationbetween each protocol The combination of the protocolsprovides a system that enables protecting the privacy ofusers in the decentralized shared storage The proceduresare displayed gingerly starting from generating the membersof ring signature through to mechanism of storing data inthe blockchain shared storage At the end of this section weelaborate on some dilemmas

We demonstrate a case study in which one of theproviders (hospital) wants to store diagnostic data of thepatient into the decentralized shared storage The providerhas known the address (public key) of the patient beforehandIn this sense the hospital acts as the sender whilst the patientacts as the recipient of the PHImessageTheprovider attachesthe address of the patient in the form of a view key for eachtransaction so that only patients likely enable to track datastored in shared storage using hisher knowledgeTheminershave a duty to validate the data from the sender before beingsaved into shared storage yet they are responsible for addingblocks to the blockchain network The miner gets a reward

after successfully adding the new block aswith the blockchainsystem in general Algorithm 1 is a description of the wholesystem process starting with making public keys throughto data stored in shared storage The process sequence forprivacy-preserving shared storage in untrusted blockchainP2P networks as follows

(i) The party possesses a pair of parent keys (119875119906119887119896119890119910119875119903119896119890119910) that have been generated beforehand basedon trapdoor permutation function such as RSARabin or Diffie-Hellman algorithmThepatient is therecipient(119875119906119887120572 119875119903120572) whilst the hospital is the sender(119875119906119887120573 119875119903120573) in this case study

(ii) The hospital is the sender of the patients diagnosisdata (in this case) The hospital constructs a ringsignature group based on public key from providersand patient that has been known previously Thehospital also added its public key to the group

119877119904119892120573 = 119892120572 (119909120572) oplus 119892120572 (119909120573) oplus 119892120574 (119909120574) oplus 119892120575 (119909120575)

oplus 11989213 (11990913) oplus 119892 (119909) oplus 119892 (119909) oplus

oplus 119892119899+1 (119909119899+1)

(7)

(iii) When the group of ring signature 119877119904119892120573 is generatedthe sender enables to use the signature of each groupmember without having to get permission from theowner of public keys In this case study the hospitalchooses to use all signatures from group members asshown in (7) The hospital can add new members atany time as long as the public key is known

(iv) The patient as the recipient later makes the stealthaddress based on a pair of parent keys The patientcreates a pair of public keys 119875119906119887120572(119860120572 119861120572) and sendsit to the hospital via secure channel The hospitalgenerates a new one-time address based on stealth

Wireless Communications and Mobile Computing 9

1 Procedure 119878ℎ119886119903119890119889 1198781199051199001199031198861198921198902 Trapdoor Function (parent keys) lowasttrapdoor permutation function eg RSA Rabin3 119875119886119905119894119890119899119905 larr997888 ℎ119886119904ℎ(119875119906119887120572 119875119903120572)4 119867119900119904119901119894119905119886119897 larr997888 ℎ119886119904ℎ(119875119906119887120573 119875119903120573) lowastforallparty has parent keys5 119862ℎ119894119903119900119901119903119886119888119905119900119903 larr997888 ℎ119886119904ℎ(119875119906119887120574 119875119903120574)6 119862119897119888119875119904119910119888ℎ119900119897119900119892119894119904119905 larr997888 ℎ119886119904ℎ(119875119906119887120575 119875119903120575)7 119873119886119905119894119900119899119886119897119875119903119900V119894119889119890119903 larr997888 ℎ119886119904ℎ(11987511990611988713 11987511990313)8 119878119900119888119894119886119897 119888119886119903119890 larr997888 ℎ119886119904ℎ(119875119906119887 119875119903)9 119871119886119887119900119903119886119905119900119903119894119890119904 larr997888 ℎ119886119904ℎ(119875119906119887 119875119903)10The sender creates a group of ring signature11 Procedure 119880119904119890 119875119906119887119897119894119888 119870119890119910 forall 119901119886119903119905119894119890119904 isin 119901119886119903119890119899119905119896119890119910119904 lowastuse public key of the parties as an input12 Create RS13 119877119904119892119899 larr997888 119892120572(119909120572) oplus 119892120573(119909120573) oplus 119892120574(119909120574) oplus oplus 119892119899+1(119909119899+1)14 AddNewMembers lowastin case add new members15 119880119901119889119886119905119890 119877119904119892119899 larr997888 119866119890119905 119873119890119908119875119906119887119896119890119910 oplus 119875119906119887119870119890119910(119899+1)16 end procedure17 Procedure 119862119903119890119886119905119890 119878119905119890119886119897119905ℎ119860119889119889119903(119887119910119877119890119888119894119901119894119890119899119905) lowastthe recipient creates stealth address18 119875119886119903119890119899119905119870119890119910 119875119906119887119870119890119910119899 997888rarr 119875119906119887119870119890119910119899(119860119899 119861119899)19 119878119890119899119889(119860119899) 997888rarr 119905119900 119904119890119899119889119890119903 (V119894119886 119878119890119888119906119903119890119862ℎ119886119899119899119890119897)20 (119860119899 119861119899)119903119890119888119890119894V119890119889 997888rarr 119862119903119890119886119905119890 119873119890119908 119874119879119875 lowastsender creates new OTP for recipient21 end procedure22 Procedure 119862119900119899119891119894119889119890119899119905119894119886119897 119877119894119899119892 119878119894119892119899119886119905119906119903119890 lowastconfidential ring signature as an option23 119894119891 forall119905119909119904 119861119862 119906119904119890 119862119877119878 119905ℎ119890119899 119903119890119905119906119903119899 True24 119873119890119908119881119886119897119906119890 larr997888 119862119906119903119903119890119899119905119881119886119897119906119890 oplus 119875119903119890V11988111988611989711990611989025 119868119899119888119897119906119889119890 119905119900 119905ℎ119890 119899119890119908 119905119909 larr997888 11987311989011990811988111988611989711990611989026 119890119897119904119890119903119890119905119906119903119899 False27 end procedure28 Procedure 119878119894119892119899 119905ℎ119890 119875119867119868 119863119886119905119886(119872119904119892) lowastin this case the PHI data is from the hospital29 119866119890119905 119872119904119892 isin 119863119894119886119892119899119900119904119894119904 119863119886119905119886(119867119900119904119901119894119905119886119897)30 119878119894119892119899 120590 larr997888 119888ℎ119900119900119904119890 119904119894119892119899119890119903 isin 11987711990411989211989931 119877119894119899119892119862119879larr997888 119888ℎ119900119900119904119890 119901119903119890V 119905119909119904 isin 11986211987711987832 119872119904119892 larr997888 119886119905119905119886119888ℎ11989011988910158401198701198901199101198681198981198861198921198901015840 lowastKeyImage to prevent storing the same data33 119862119906119903119903119872119904119892 larr997888 119878119894119892119899 120590 119877119894119899119892119862119879 11987011989011991011986811989811988611989211989034 end procedure35 Procedure 119878119890119899119889 119905119900 119861119897119900119888119896119888ℎ119886119894119899 11987311989011990511990811990011990311989636 119866119890119905 119862119906119903119903119872119904119892 oplus 119874119879119875(119891119903119900119898 119878119905119890119886119897119905ℎ119860119889119889119903)37 119878119890119899119889 119905119900 119887119897119900119888119896119888ℎ119886119894119899 11989911989011990511990811990011990311989638 119882119886119894119905 1198981198941198991198901199031015840119904 11988811990011989911989111989411990311989811988611990511989411990011989939 119894119891 119862119906119903119903119872119904119892 119894119904 V119886119897119894119889 119905ℎ119890119899 119903119890119905119906119903119899 True lowasttransaction is success40 119860119889119889 119899119890119908119861119897119900119888119896 119905119900 119861119862 11989911989011990511990811990011990311989641 119860119889119889119862119906119903119903119872119904119892 997888rarr 119878ℎ119886119903119890119889 11987811990511990011990311988611989211989042 119890119897119904119890119903119890119905119906119903119899 False43 End

Algorithm 1 Shared Storage of PHI Data

address received Only patients can access data storedin shared storage by using his knowledge 119875119903120572(119886120572 119887120572)

119874119879119875 = 119867119904 (119903119860120572) 119866 + 119861120572 (8)

(v) The sender unpacks the address received which con-tains the public address of the recipient 119875119906119887120572(119860120572 119861120572)The sender picks the random value 119903 isin [1 119897 minus 1] togenerate one-time public key and attaches119861120572 as a viewaddress in the shared storage

(vi) For certain types of data the sender can use confiden-tial ring signatures (RingCT) to disguise informationof the data by adding value to transactions that have

occurred before such as 119877119862119879120573 = 119905119909119894119889(3) 119905119909119894119889(7) 119905119909119894119889(5) 119905119909119894119889(9) 119905119909119894119889(119899)

(vii) The hospital signs the diagnosis data 119898119904119892 usingthe member key from the ring signature asfollows 119878119894119892119899120590(119898119904119892 119910120572 119910120573 119910120574 119910120575 11991013 119910 119910 119910119899)which consists of the public keys of the members119875119906119887120572 119875119906119887120573 119875119906119887120574 119875119906119887120575 11987511990611988713 119875119906119887 and 119875119906119887

(viii) Key image is attached by the sender to prevent doublespending It can be interpreted as a scheme to preventthe same data stored twice in blockchain storageThe hospital sends the following series of data tothe blockchain network to be confirmed by miners119878119894119892119899 120590 119898119904119892 119874119879119875 119877119894119899119892119862119879 119896119890119910119894119898119886119892119890

10 Wireless Communications and Mobile Computing

(ix) The diagnosis data from the hospital along withattachments of the files are then sent to the blockchainnetwork to be verified by the miners before thedata are stored in a decentralized shared storageWhenever the data has been stored successfully thepatient traces one by one the transaction on theblockchain network until the patient finds hisherview keys 119861119899 which correspond to the patient

(x) The patient with hisher knowledge decrypts andcompares the value of the data received with thedecrypted value 119886120572119877 = 119886120572119903119866 = 119903119860120572 1198751015840 = 119875

The Algorithm 1 presents an overall model of the systemwhich starts with generating key pairs for the parties creatinga ring signature group and stealth addresses signing PHIdata until data are confirmed and stored in the decentralizedshared storage The observer is unlikely to track the senderrsquostransaction since the sender uses a signature on behalf ofa group in which the senders signature is obscured Fur-thermore the observer cannot associate one transaction withanother so it is indistinguishable whether the transactionwas sent by the same sender In other words the identityof the sender remains a secret Likewise the identity of therecipient cannot be tracked by the observer nor maliciousproviders because the recipient sends the stealth address tothe sender thereafter the sender creates a one-time addressto protect the privacy of the recipient The value of a PHI datais kept from being seen because it is combined with the valueof previous transactions through the RingCT The identityof the user along with the information of the transactionson the blockchain network is paramount therefore thedecentralized shared storage systems need to manage theconfidentiality as well as ensure the integrity of the PHI data

Apart from the model that has been described there isanother important factor which plays the role to a decen-tralized system called transaction propagation A numer-ous number of transactions are distributed to the entirenodes in the blockchain peer-to-peer network resulting inpropagation delay The structure of a P2P network allowsthe peer to disseminate information to the other nodesthat are connected to the sender [24] There are severalstudies conducted by researchers to measure how effectivethe block distribution in the peer-to-peer networks such asexperiments in which the goal is to find out the numberof successful connections and experiments to determine theeffect of the number of nodes against the block

One among parameters that affect transaction propa-gation is block size Block size can be understood as themaximum limit of a block to be filled up with varioustransactions on it It also can be thought of as a bundleof transactions with each block needing to get verificationbefore it can be accepted by the network Each block hasits own size depending on the type of transaction called theblock sizeThemaximum block size in Bitcoin stands at 1MBMiners enable to choose the number of transactions to beprocessed in a block If Bitcoin miners commit a transactionthat exceeds the maximum limit then the block will berejected by the network The motivation of block size is toprevent the attack such as denial-of-service attacks The size

of a block also affects the length of confirmation time Whena node receives a new transaction the recipient confirms thevalidity of the block before accepting it The duration of theconfirmation process depends on the size of the block Bydesign the larger the size of a block is the longer it takesto confirm Therefore the size of a block plays an importantrole in the blockchain in general because it directly affects thedelay time

Propagation delay is inseparable from the size of a blockThere is a correlation between block size and the propagationdelay until the node receives the blockThe larger the size of ablock themore transactions that can be done yet it affects thepropagation time and sacrifice the security The influence ofa block size to the propagation time can be seen in Figure 10[25] The block size in the transaction is varied up to 350 KBin order to find out how long it takes for the node to receivethe block To reach 25 of total transaction is visualized witha red line 50 for the green line and 75 for the blue lineThe results are in line with the theory which states the largerthe size of a block the greater the propagation time

We take measurements for orphaned blocks by followingthe withholding attack (selfish mining) strategy that was firstdiscovered in 2014 In this study we do not elaborate onthe details of withholding attack strategy we recommendthat readers refer to the references [26ndash28] The intuitionof this attack is to keep the finding block secret untilthe attackers network becomes the longest chain in theblockchain network For a particular condition this attackdoes not possess any benefit because the block is stored inthe attackers network which is only known by the attacker(nonprofit) The attackers get the reward if only the blockfound is propagated to the public and get confirmed by otherminers

The simulation is carried out in order to know theperformance of dishonest miners which follow the selfishmining protocol The aims of this strategy are to discoverthe new block till becoming the longest chain and gainingthe revenue after publishing the block to the public network[29] In our setting we arrange the selfish miners to competewith honest miners in 14 days to solve the proof-of-workand discover the new block The maximum of mining powerof selfish miner is 04 and it is running randomly from00 through 04 within 14 days in the simulation as shownin Figure 11 There are 12 nodes of dishonest miners withdifferent mining power from 00 to 04 We set the maximumnumber of mining power at 04 of total mining power inthe network Based on the simulation result we concludethat whenever the dishonest miner has 0322 mining powerit is enough to get the unfair revenue and allows gainingthe revenue larger than it should be In general there are51 new blocks successfully added as well as 4 orphanedblocks recorded The average of block generation time is 772minutes

To the extent we obtained the information related to theparameters that affect the propagation time in the blockchainpeer-to-peer network based on our findings and the priorworks of literatureThere are numerous articles proposing theimprovement of propagation delays by changing the networktopology minimizing the verification time of a transaction

Wireless Communications and Mobile Computing 11

50

45

40

35

30

25

20

15

10

5

00 50 100 150 200 250 300 350

Block size (KB)

Tim

e (se

c)

25

50

75

Figure 10 Relationship between block size and the time

50

40

30

20

10

0

Bloc

k H

eigh

t

0 200000 400000 600000 800000 1000000 1200000

Time (s)

08

06

04

02

00

Rew

ard

000 005 010 015 020 025 030 035 040Mining Power

Figure 11 Block height against time in the P2P network (left) the performance of selfish mining attack (right)

and reconstructing the message exchange protocol in theblockchain network Generally speaking the presence ofhaving the propagation of delays can cause a lot of damagein the blockchain network [30 31]

There are many considerations to increase the effective-ness of the blockchainTherefore we select block propagationand block size parameters to be discussed as follows

(i) Speeding up the block generation In theory it would beremarkably beneficial if the block generation time isresetting as fast as possible for each transaction so thateach user will get faster payments The propagationtime includes the length of time for the distributionof transactions in the peer-to-peer network and thetime for verification of a block But the problem isthat if the block generation time is speeding up there

will be a lot of orphaned blocks It can be understoodbecause each node will receive many new blocks thatare spread through peer-to-peer networks The tie-breaking protocol causes each node to only acceptone valid block for the same type of transaction sothat it will reject transactions from other nodes thatcause the orphaned block to appear Due to manynew orphaned blocks that will emerge it will motivaterational miners to adopt the selfish mining strategythat rivals the main network and causes the forkedchain [32]

(ii) Decrease block generation Slowing down the blockgeneration time for each transaction will reduce thespeed of transactions on the peer-to-peer networkPositively it gives some merits such as providing a

12 Wireless Communications and Mobile Computing

better security system Roughly this happens due toa decreasing number of orphaned blocks that willeliminate the selfish mining attack

(iii) Increasing the block size The bigger the capacity of ablock the more the transactions that can be filled upinto the block It will slow the propagation of everytransaction to all nodes in the peer-to-peer networkThe slow propagation time will cause new problemsnamely double-spending attack Attacker could usethe same coin for two or more different transactionsSlower propagation of blocks on the peer-to-peernetwork resulted in the fact that the block cannot befully accepted by the nodes As a result when thetransaction is received the block will confirm thatthe block is valid even though the transaction hasbeen used and confirmed by other nodes in the samenetwork

(iv) Reducing the capacity of block size Because of onlya few transactions that occur within a block it willspeed up the propagation time for every transactionIt causes many orphaned blocks to emerge and allowfor the occurrence of selfish mining attacks that harmthe system Yet this decision gives the advantagessuch as fast payments and fast transaction Howeverit should ensure the immutability of the block andtransaction [33]

5 Limited and Future Work

We assume that shared storage is interconnected to ablockchain network where miners have access into it Interms of the type of shared storage we do not define itin detail instead we assume the shared storage has all thecapacity needed to support the proposed system One ofthe drawbacks of our system is related to the time neededby the recipient to find data in shared storage because therecipient must seek for data one by one based on the keyview so that the patient observes each transaction in theblockchain In the long run this might become an obstacleif the blockchain network is expanding There will be manytransactions occurring so that it will be difficult for therecipient to monitor every transaction which belongs tohimher

For future work the model and capacity of shared storageneed to be observed further The access control in the sharedstorage is also essential to ensure that system keeps safeIncentive mechanisms also need to be considered for thestorage providers It aims to motivate providers to contributeto protecting the privacy of the users as suggested by [34ndash36]Furthermore it is important to carefully consider the typeof block to be used including parameters directly involvedin the system such as block size and type of consensus toname a few Additionally the consensus selection mecha-nism is paramount in the blockchain For instance a newmethod by expanding the Byzantine consensus via hardware-assisted secret sharing can solve the scalability problem in theblockchain [37]

6 Conclusions

The model of privacy in the blockchain peer-to-peer sharedstorage has been fully presented The idea of ring signaturecombined with several protocols provides the solutions forprivacy issues on the blockchain transaction The identityof the sender and the recipient remains hidden unlinkableand untraceable from the observer The key image is attachedto prevent the same data from being stored multiple timesand it can be used as well to prevent double spending anddata duplication Based on our findings and informationfrom several literature reviews it can be said that increasingthe performance of the decentralized blockchain requires avery deep analysis since it is directly related to the securityThere are advantages and drawbacks for each decision takenFor future work a scheme that provides incentives needs tobe developed as a motivation to maintain the decentralizedsystem

Data Availability

No data were used to support this study

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This research was supported by the MSIT (Ministry ofScience and ICT) Korea under the ITRC (InformationTechnology Research Center) support program (IITP-2019-0-00403) supervised by the IITP (Institute for Informationamp Communications Technology Planning amp Evaluation) andpartially supported by the National Research Foundation ofKorea (NRF) grant funded by the Korea government (MSIT)(No NRF-2018R1D1A1B07048944)

References

[1] G Karame and E Androulaki Bitcoin and Blockchain SecurityArtech House Information Security and Privacy Series 2016

[2] R J Krawiec D Housman M White et al ldquoBlockchainOpportunities for health carerdquo in Proceedings of the NISTWorkshop Blockchain Healthcare pp 1ndash16 2016

[3] D E OrsquoLeary ldquoConfiguring blockchain architectures for trans-action information in blockchain consortiums The case ofaccounting and supply chain systemsrdquo Intelligent Systems inAccounting Finance and Management vol 24 no 4 pp 138ndash147 2017

[4] D Yang J Gavigan and ZWHearn ldquoSurvey of Confidentialityand Privacy Preserving Technologies for Blockchainsrdquo R3 pp1ndash32 2016

[5] HKoppDModinger FHauck F Kargl andC Bosch ldquoDesignof a privacy-preserving decentralized file storage with financialincentivesrdquo in Proceedings of the 2nd IEEE European Symposiumon Security and PrivacyWorkshops EuroS and PW 2017 pp 14ndash22 April 2017

Wireless Communications and Mobile Computing 13

[6] TW Clarke I Sandberg OWiley and B Hong ldquoA distributedanonymous information storage and retrieval systemrdquo Journalof Chemical Information and Modeling vol 53 no 9 pp 1689ndash1699 2001

[7] E Heilman L AlShenibr F Baldimtsi A Scafuro and SGoldberg ldquoTumbleBit an untrusted bitcoin-compatible anony-mous payment hubrdquo in Proceedings of the 2017 Network andDistributed System Security Symposium 2017

[8] S Wu Y Chen QWang M Li C Wang and X Luo ldquoCReama smart contract enabled collusion-resistant e-auctionrdquo IEEETransactions on Information Forensics 2018

[9] J Benet and N Greco ldquoFilecoin A Decentralized StorageNetworkrdquo Protoc Labs 2018

[10] S Wilkinson T Boshevski J Brandoff and V Buterin ldquoStorj apeer-to-peer cloud storage networkrdquo Technical report storjio2014

[11] B Fisch ldquoPoreps Proofs of space on useful datardquo Report2018678 Cryptology ePrint Archive 2018

[12] S Rahmadika and K Rhee ldquoBlockchain technology for pro-viding an architecture model of decentralized personal healthinformationrdquo International Journal of Engineering BusinessManagement vol 10 pp 1ndash12 2018

[13] R L Rivest A Shamir and Y Tauman ldquoHow to leak a secretrdquoin International Conference on the Theory and Application ofCryptology and Information Security vol 2248 of Lecture Notesin Comput Sci pp 552ndash565 Springer

[14] D Chaum E van Heyst and C Science ldquoGroup Signaturesrdquo inAdv CryptologymdashEUROCRYPTrsquo91 vol iii pp 257ndash265 1991

[15] N Van Saberhagen ldquoCryptoNote v 20rdquo Self-published pp 1ndash202013

[16] S Noether A Mackenzie and T M Research Lab ldquoRingconfidential transactionsrdquo Ledger vol 1 pp 1ndash8 2016

[17] E Gallery and C J Mitchell ldquoTrusted computing Security andapplicationsrdquo Cryptologia vol 33 no 3 pp 217ndash245 2009

[18] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976

[19] A A Korba M Nafaa and S Ghanemi ldquoAn efficient intrusiondetection and prevention framework for ad hoc networksrdquoInformation and Computer Security vol 24 no 4 pp 298ndash3252016

[20] S Rahmadika P H Rusmin H Hindersah and K H RheeldquoProviding data integrity for container dwelling time in the sea-portrdquo in Proceedings of the 6th International Annual EngineeringSeminar InAES 2016 pp 132ndash137 Indonesia August 2016

[21] K Schmidt-Samoa ldquoA new rabin-type trapdoor permutationequivalent to factoringrdquo Electronic Notes in Theoretical Com-puter Science vol 157 no 3 pp 79ndash94 2006

[22] A Bender J Katz and R Morselli ldquoRing signatures strongerdefinitions and constructions without randomoraclesrdquo Journalof Cryptology The Journal of the International Association forCryptologic Research vol 22 no 1 pp 114ndash138 2009

[23] K Lee andAMiller ldquoAuthenticateddata structures for privacy-preserving monero light clientsrdquo in Proceedings of the 3rd IEEEEuropean Symposium on Security and PrivacyWorkshops EUROS and PW 2018 April 2018

[24] R Schollmeier ldquoA definition of peer-to-peer networking for theclassification of peer-to-peer architectures and applicationsrdquo inProceedings of the 1st International Conference on Peer-to-PeerComputing P2P 2001 pp 101-102 August 2001

[25] Y Sompolinsky and A Zohar ldquoAccelerating bitcoins trans-action processing fast money grows on trees not chainsrdquoEprintIacrOrg 2014

[26] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo Lecture Notes in Computer Science (includingsubseries LectureNotes in Artificial Intelligence and LectureNotesin Bioinformatics) Preface vol 8437 pp 436ndash454 2014

[27] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfishmining strategies in bitcoinrdquo in Financial Cryptography andData Security vol 9603 of Lecture Notes in Computer Sciencepp 515ndash532 Springer Berlin Germany 2017

[28] E Heilman ldquoOne weird trick to stop selfish miners freshbitcoins a solution for the honest miner (poster abstract)rdquo inLecture Notes in Computer Science (including subseries LectureNotes in Artificial Intelligence and Lecture Notes in Bioinformat-ics) Preface vol 8438 pp 161-162 2014

[29] S Rahmadika B J Kweka H Kim and K Rhee ldquoA scopingreview in defend against selfish mining attack in bitcoinrdquo ITConverg Pract vol 6 no 3 pp 18ndash26 2018

[30] AGervais H Ritzdorf GO Karame and S Capkun ldquoTamper-ing with the delivery of blocks and transactions in bitcoinrdquo inProceedings of the the 22nd ACM SIGSAC Conference pp 692ndash705 Denver Colo USA October 2015

[31] A Gervais G O Karame K Wust V Glykantzis H Ritzdorfand S Capkun ldquoOn the security and performance of Proof ofWork blockchainsrdquo in Proceedings of the 23rd ACM Conferenceon Computer and Communications Security CCS 2016 pp 3ndash16October 2016

[32] D T T Anh M Zhang B C Ooi and G Chen ldquoUntanglingblockchain a data processing view of blockchain systemsrdquo IEEETransactions on Knowledge and Data Engineering 2018

[33] D Mendez Mena I Papapanagiotou and B Yang ldquoInternet ofthings survey on securityrdquo Information Security Journal vol 27no 3 pp 162ndash182 2018

[34] O Ersoy Z Ren Z Erkin and R L Lagendijk ldquoTransac-tion propagation on permissionless blockchains incentive androuting mechanismsrdquo in Proceedings of the 2018 Crypto ValleyConference on Blockchain Technology (CVCBT) pp 20ndash30 June2018

[35] Y He H Li X Cheng Y Liu C Yang and L Sun ldquoAblockchain based truthful incentive mechanism for distributedP2P applicationsrdquo IEEE Access vol 6 pp 27324ndash27335 2018

[36] J Wang M Li Y He H Li K Xiao and C Wang ldquoAblockchain based privacy-preserving incentive mechanism incrowdsensing applicationsrdquo IEEE Access vol 6 pp 17545ndash17556 2018

[37] J Liu W Li G O Karame and N Asokan ldquoScalable Byzantineconsensus via hardware-assisted secret sharingrdquo Institute ofElectrical and Electronics Engineers Transactions on Computersvol 68 no 1 pp 139ndash151 2019

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

Page 6: Toward Privacy-Preserving Shared Storage in Untrusted ...downloads.hindawi.com/journals/wcmc/2019/6219868.pdf · WirelessCommunicationsandMobileComputing y r =g r(x r) Z = V E k E

6 Wireless Communications and Mobile Computing

Figure 7 Propagating the personal health information data to the entire nodes

(ii) Hospital (119875119906119887120573 119875119903120573) the pair of hospitals public key(119860120573 119861120573) and the pair of secret keys(119886120573 119887120573)

(iii) Chiropractor (119875119906119887120574 119875119903120574) Chiropractors public key(119860120574 119861120574) and the pair of secret keys(119886120574 119887120574)

(iv) Clinical psychologist (119875119906119887120575 119875119903120575) clinical psycholo-gists public key (119860120575 119861120575) and the pair of secret keys(119886120575 119887120575)

(v) National provider (11987511990611988713 11987511990313) the public key ofnational provider (11986013 11986113) and the pair of secret keys(11988613 11988713)

(vi) Health and social care provider (119875119906119887 119875119903) healthand social providers public key (119860 119861) and the pairof secret keys (119886 119887)

(vii) Laboratories(119875119906119887 119875119903) the pair of public keys oflaboratories can be defined (119860 119861) and the pair ofsecret keys (119886 119887)

119875 = 119867119904 (119903119860120572)119866 + 119861120572 (1)

1198751015840 = 119867119904 (119886120572119877)119866 + 119861120572 119905ℎ119890119899 (2)

119886120572119877 = 119886120572119903119866 = 119903119860120572

1198751015840 = 119875(3)

The sequence of a standard transaction in decentralizedPHI data starts from the provider who wants to store the

patientrsquos data in the storage where the patient has publishedhis address to the provider beforehandThe provider unpacksthe address and gets the patients public key (119860120572 119861120572) Theprovider picks a random 119903 isin [1 119897 minus 1] where 119897 is a primeorder of the base point 119866 The provider then generates a one-time public key based on the pair public key (1) of the patient(the process is signified by Figure 3)

The patient and the healthcare providers possess a pair ofpublic keys (119860119899 119861119899) for different purposes The first publickey 119860119899 is used to generate a one-time public key whilstthe public key 119861119899 is attached to the transaction as thetracking value used by the patient to find the data addressedto himher The provider uses 119875 as a destination key forthe output and attaches the new value 119877 = 119903119866 into thetransaction The PHI data with attachments to119875 and 119877 valuesare stored into shared storage after being validated by theminer The patient later checks every transaction using hisprivate key (119886120572 119887120572) and calculates the new value1198751015840 (2) Finallythe patient compares the value 119875 received with the value 1198751015840decrypted (3)

32 The Group of Ring Signature In the decentralized PHIsystem there is a group ring signature consisting of patientand several healthcare providers In order to generate a groupthe system does not demand special requirements and alsounlikely require a manager to manage the group All that isneeded to create a ring signature group is the public key ofeach party (119875119906119887120572 119875119906119887120573 119875119906119887120574 119875119906119887120575 11987511990611988713 119875119906119887 and 119875119906119887)

Wireless Communications and Mobile Computing 7

S = A(R)

S = A(R)

S = A(R)

S = A(R)

S = A(R)

S = A(R)

S = A(R)

SH+1 = AH+1(RH+1)

Figure 8 The group of ring signature which is derived from the public keys of the member

Once a ring signature group has been generated all membersof the group are allowed to use the signature and combine itwith the private key of the sender It grants users fine-grainedcontrol over the level of anonymity associated with a certainsignature [22]

The signer enables to choose the number of signaturesthat they want to use in the transaction to provide anambiguous signer Later the public key is used for encryption119910119899 = 119892119899(119909119899) as shown in Figure 8 Intuitively 119892119899 is definedby the extended trapdoor permutation function such as RSAandRabin algorithm In practice for Rabins functions119892119899 (119909119899)extends to 119891119894(119909119894) = 1199091198942 mod 119899119894 over 0 1119887 where 2119887 is thepower of two which is larger than all modulo 1198991198941015840119904 The bucketconsists of b-bit numbers 119908 = 119902119894119899119894 + 119903119894 where 119903119894 isin Zlowast119899119894and (119902119894 + 1)119899119894 le 2119887 For any b-bit numbers 119908 is nonnegativeintegers 119902119894 and 119903119894 The bucket values are mapped by theextended Rabinmapping 119892119899 So the value of 119892119894(119908) is signifiedby (4)

119892119894 (119908) =

119902119894119899119894 + 119891119894119903119894 if (119902119894 + 1) 119899119894 le 2119887

119908 else(4)

Intuitively 119892119894(119908) is a permutation function over 0 1119887 whichis also a one-way trapdoor function because only a personknows the inverted value of 119891119894 for a given input Thereforewe can define the public keys for the prospective members asfollows

(i) The patientlarr997888 119910120572 = 119892120572(119909120572)(ii) Hospital larr997888 119910120573 = 119892120573(119909120573) Chiropractor larr997888 119910120574 =

119892120574(119909120574) whilst the clinical psychologist larr997888 119910120575 =119892120575(119909120575)

(iii) National providerlarr997888 11991013 = 11989213(11990913) health and socialcare providerlarr997888 119910 = 119892(119909) Laboratorieslarr997888 119910 =119892(119909)

(iv) For additional members of a group it can be gener-ated at any time as long as the public key of the newmember is known 119910119899+1 = 119892119899+1(119909119899+1)

119877119904119892 = 119910120572 oplus 119910120573 oplus 119910120574 oplus 119910120575 oplus 11991013 oplus 119910 oplus 119910 oplus oplus 119910119899+1 (5)

As can be seen in (5) a group of ring signature isconstructed based on encryption of the members public key

By design the sender signs the message for the individualtransaction using the signature of the group without asingle group manager involved Because the sender uses thesignature of the group the observer cannot judge the identityof the real sender for the corresponding transaction Thesender enables to choose the number of signatures that heshewants to use in the transaction The signature of a groupcan be used at any time in a transaction without havingpermission from the owner of the key For instance in aparticular transaction the provider 119910120573 uses the following keysto sign a message ℎ(119898119904119892 119910120574 119910120575 119910120572 and his key 119910120573)

33 Ring Confidential Transaction of PHI Ring confidentialtransaction (RingCT) is used in Monero cryptocurrency [16]in order to improve the privacy of the users Intuitively thering confidential transaction aims to hide the value of theactual amount in a transaction by combining the value ofthe current transaction with the value of the predecessortransactions By doing so the observer cannot tell the exactvalue of a transaction The value of the transaction canbe the number of coins sent or other data depending onthe type of system that applies RingCT [23] Unlike in theMonero transaction the value transaction in the Bitcoin ispublicly available in the plaintext The observer might beable to analyse the transaction values for certain purposes inthe particular period of time Therefore public data will bedangerous if misused maliciously

119877119862119879 = 119905119909119894119889 [(8) (2) (5) (11) (12) (15)] (6)

Suppose all outputs in Figure 9 exist whilst the transac-tion that provider enables to spend is highlighted in greenWhenever the provider creates a transaction he uses aRingCT to disguise which input is actually being spent Inthis regard the provider combines the current transactionwith the previous transactions (highlighted in gray) Theconfidential ring signature for the transaction is shown in(6) The provider allows using the RingCT directly withoutpermission and node manager involvement As well as thegroup signature the sender is free to use the value of previoustransactions in order to disguise the value of the currenttransaction By leveraging the model it is possible to createprivacy-preserving for users in the decentralized peer-to-peer shared storage in healthcare areawith the followingmainobjectives

8 Wireless Communications and Mobile Computing

1 txid (dfa89ad90)

2 txid (uio38939a)

3 txid (890dfla8df)

4 txid (dfa89add0)

5 txid (fga89ad90)

6 txid (5fa89ad45)

7 txid (twa845d90)

8 txid (pklsdf8900)

9 txid (78sd9ad91)

10 txid (dfa89ad90)

11 txid (sd71vcjjp)

12 txid (dzzqemfsa)

13 txid sywi22zmv)

14 txid (p4z24fh3g)

15 txid (tpa1vh9wz)

16 txid (wj023kt3w)

17 txid (vq6oxop4)

18 txid (z9i5mcsdu)

Figure 9 Ring confidential transaction based on the prior transactions

(i) Untraceability with the goal to protect the sendersinformation in the form of the address (publickey) The observer cannot trace where the coin wasreceived and where the coin originated from

(ii) Unlinkability to preserve the recipients identityThiscan be achieved by using a stealth address where therecipient makes two public keys that are used to createa one-time address and the other as the view key

(iii) Confidential Values to disguise the value of a trans-action The value of the current transaction is com-bined with the values of the transactions that havebeen carried out previously so it becomes an obscuredtransaction

4 Systems Analysis and the Dilemma

The main protocols for building privacy-preserving forblockchain shared storage model have been discussed inprevious section In this section we present the relationbetween each protocol The combination of the protocolsprovides a system that enables protecting the privacy ofusers in the decentralized shared storage The proceduresare displayed gingerly starting from generating the membersof ring signature through to mechanism of storing data inthe blockchain shared storage At the end of this section weelaborate on some dilemmas

We demonstrate a case study in which one of theproviders (hospital) wants to store diagnostic data of thepatient into the decentralized shared storage The providerhas known the address (public key) of the patient beforehandIn this sense the hospital acts as the sender whilst the patientacts as the recipient of the PHImessageTheprovider attachesthe address of the patient in the form of a view key for eachtransaction so that only patients likely enable to track datastored in shared storage using hisher knowledgeTheminershave a duty to validate the data from the sender before beingsaved into shared storage yet they are responsible for addingblocks to the blockchain network The miner gets a reward

after successfully adding the new block aswith the blockchainsystem in general Algorithm 1 is a description of the wholesystem process starting with making public keys throughto data stored in shared storage The process sequence forprivacy-preserving shared storage in untrusted blockchainP2P networks as follows

(i) The party possesses a pair of parent keys (119875119906119887119896119890119910119875119903119896119890119910) that have been generated beforehand basedon trapdoor permutation function such as RSARabin or Diffie-Hellman algorithmThepatient is therecipient(119875119906119887120572 119875119903120572) whilst the hospital is the sender(119875119906119887120573 119875119903120573) in this case study

(ii) The hospital is the sender of the patients diagnosisdata (in this case) The hospital constructs a ringsignature group based on public key from providersand patient that has been known previously Thehospital also added its public key to the group

119877119904119892120573 = 119892120572 (119909120572) oplus 119892120572 (119909120573) oplus 119892120574 (119909120574) oplus 119892120575 (119909120575)

oplus 11989213 (11990913) oplus 119892 (119909) oplus 119892 (119909) oplus

oplus 119892119899+1 (119909119899+1)

(7)

(iii) When the group of ring signature 119877119904119892120573 is generatedthe sender enables to use the signature of each groupmember without having to get permission from theowner of public keys In this case study the hospitalchooses to use all signatures from group members asshown in (7) The hospital can add new members atany time as long as the public key is known

(iv) The patient as the recipient later makes the stealthaddress based on a pair of parent keys The patientcreates a pair of public keys 119875119906119887120572(119860120572 119861120572) and sendsit to the hospital via secure channel The hospitalgenerates a new one-time address based on stealth

Wireless Communications and Mobile Computing 9

1 Procedure 119878ℎ119886119903119890119889 1198781199051199001199031198861198921198902 Trapdoor Function (parent keys) lowasttrapdoor permutation function eg RSA Rabin3 119875119886119905119894119890119899119905 larr997888 ℎ119886119904ℎ(119875119906119887120572 119875119903120572)4 119867119900119904119901119894119905119886119897 larr997888 ℎ119886119904ℎ(119875119906119887120573 119875119903120573) lowastforallparty has parent keys5 119862ℎ119894119903119900119901119903119886119888119905119900119903 larr997888 ℎ119886119904ℎ(119875119906119887120574 119875119903120574)6 119862119897119888119875119904119910119888ℎ119900119897119900119892119894119904119905 larr997888 ℎ119886119904ℎ(119875119906119887120575 119875119903120575)7 119873119886119905119894119900119899119886119897119875119903119900V119894119889119890119903 larr997888 ℎ119886119904ℎ(11987511990611988713 11987511990313)8 119878119900119888119894119886119897 119888119886119903119890 larr997888 ℎ119886119904ℎ(119875119906119887 119875119903)9 119871119886119887119900119903119886119905119900119903119894119890119904 larr997888 ℎ119886119904ℎ(119875119906119887 119875119903)10The sender creates a group of ring signature11 Procedure 119880119904119890 119875119906119887119897119894119888 119870119890119910 forall 119901119886119903119905119894119890119904 isin 119901119886119903119890119899119905119896119890119910119904 lowastuse public key of the parties as an input12 Create RS13 119877119904119892119899 larr997888 119892120572(119909120572) oplus 119892120573(119909120573) oplus 119892120574(119909120574) oplus oplus 119892119899+1(119909119899+1)14 AddNewMembers lowastin case add new members15 119880119901119889119886119905119890 119877119904119892119899 larr997888 119866119890119905 119873119890119908119875119906119887119896119890119910 oplus 119875119906119887119870119890119910(119899+1)16 end procedure17 Procedure 119862119903119890119886119905119890 119878119905119890119886119897119905ℎ119860119889119889119903(119887119910119877119890119888119894119901119894119890119899119905) lowastthe recipient creates stealth address18 119875119886119903119890119899119905119870119890119910 119875119906119887119870119890119910119899 997888rarr 119875119906119887119870119890119910119899(119860119899 119861119899)19 119878119890119899119889(119860119899) 997888rarr 119905119900 119904119890119899119889119890119903 (V119894119886 119878119890119888119906119903119890119862ℎ119886119899119899119890119897)20 (119860119899 119861119899)119903119890119888119890119894V119890119889 997888rarr 119862119903119890119886119905119890 119873119890119908 119874119879119875 lowastsender creates new OTP for recipient21 end procedure22 Procedure 119862119900119899119891119894119889119890119899119905119894119886119897 119877119894119899119892 119878119894119892119899119886119905119906119903119890 lowastconfidential ring signature as an option23 119894119891 forall119905119909119904 119861119862 119906119904119890 119862119877119878 119905ℎ119890119899 119903119890119905119906119903119899 True24 119873119890119908119881119886119897119906119890 larr997888 119862119906119903119903119890119899119905119881119886119897119906119890 oplus 119875119903119890V11988111988611989711990611989025 119868119899119888119897119906119889119890 119905119900 119905ℎ119890 119899119890119908 119905119909 larr997888 11987311989011990811988111988611989711990611989026 119890119897119904119890119903119890119905119906119903119899 False27 end procedure28 Procedure 119878119894119892119899 119905ℎ119890 119875119867119868 119863119886119905119886(119872119904119892) lowastin this case the PHI data is from the hospital29 119866119890119905 119872119904119892 isin 119863119894119886119892119899119900119904119894119904 119863119886119905119886(119867119900119904119901119894119905119886119897)30 119878119894119892119899 120590 larr997888 119888ℎ119900119900119904119890 119904119894119892119899119890119903 isin 11987711990411989211989931 119877119894119899119892119862119879larr997888 119888ℎ119900119900119904119890 119901119903119890V 119905119909119904 isin 11986211987711987832 119872119904119892 larr997888 119886119905119905119886119888ℎ11989011988910158401198701198901199101198681198981198861198921198901015840 lowastKeyImage to prevent storing the same data33 119862119906119903119903119872119904119892 larr997888 119878119894119892119899 120590 119877119894119899119892119862119879 11987011989011991011986811989811988611989211989034 end procedure35 Procedure 119878119890119899119889 119905119900 119861119897119900119888119896119888ℎ119886119894119899 11987311989011990511990811990011990311989636 119866119890119905 119862119906119903119903119872119904119892 oplus 119874119879119875(119891119903119900119898 119878119905119890119886119897119905ℎ119860119889119889119903)37 119878119890119899119889 119905119900 119887119897119900119888119896119888ℎ119886119894119899 11989911989011990511990811990011990311989638 119882119886119894119905 1198981198941198991198901199031015840119904 11988811990011989911989111989411990311989811988611990511989411990011989939 119894119891 119862119906119903119903119872119904119892 119894119904 V119886119897119894119889 119905ℎ119890119899 119903119890119905119906119903119899 True lowasttransaction is success40 119860119889119889 119899119890119908119861119897119900119888119896 119905119900 119861119862 11989911989011990511990811990011990311989641 119860119889119889119862119906119903119903119872119904119892 997888rarr 119878ℎ119886119903119890119889 11987811990511990011990311988611989211989042 119890119897119904119890119903119890119905119906119903119899 False43 End

Algorithm 1 Shared Storage of PHI Data

address received Only patients can access data storedin shared storage by using his knowledge 119875119903120572(119886120572 119887120572)

119874119879119875 = 119867119904 (119903119860120572) 119866 + 119861120572 (8)

(v) The sender unpacks the address received which con-tains the public address of the recipient 119875119906119887120572(119860120572 119861120572)The sender picks the random value 119903 isin [1 119897 minus 1] togenerate one-time public key and attaches119861120572 as a viewaddress in the shared storage

(vi) For certain types of data the sender can use confiden-tial ring signatures (RingCT) to disguise informationof the data by adding value to transactions that have

occurred before such as 119877119862119879120573 = 119905119909119894119889(3) 119905119909119894119889(7) 119905119909119894119889(5) 119905119909119894119889(9) 119905119909119894119889(119899)

(vii) The hospital signs the diagnosis data 119898119904119892 usingthe member key from the ring signature asfollows 119878119894119892119899120590(119898119904119892 119910120572 119910120573 119910120574 119910120575 11991013 119910 119910 119910119899)which consists of the public keys of the members119875119906119887120572 119875119906119887120573 119875119906119887120574 119875119906119887120575 11987511990611988713 119875119906119887 and 119875119906119887

(viii) Key image is attached by the sender to prevent doublespending It can be interpreted as a scheme to preventthe same data stored twice in blockchain storageThe hospital sends the following series of data tothe blockchain network to be confirmed by miners119878119894119892119899 120590 119898119904119892 119874119879119875 119877119894119899119892119862119879 119896119890119910119894119898119886119892119890

10 Wireless Communications and Mobile Computing

(ix) The diagnosis data from the hospital along withattachments of the files are then sent to the blockchainnetwork to be verified by the miners before thedata are stored in a decentralized shared storageWhenever the data has been stored successfully thepatient traces one by one the transaction on theblockchain network until the patient finds hisherview keys 119861119899 which correspond to the patient

(x) The patient with hisher knowledge decrypts andcompares the value of the data received with thedecrypted value 119886120572119877 = 119886120572119903119866 = 119903119860120572 1198751015840 = 119875

The Algorithm 1 presents an overall model of the systemwhich starts with generating key pairs for the parties creatinga ring signature group and stealth addresses signing PHIdata until data are confirmed and stored in the decentralizedshared storage The observer is unlikely to track the senderrsquostransaction since the sender uses a signature on behalf ofa group in which the senders signature is obscured Fur-thermore the observer cannot associate one transaction withanother so it is indistinguishable whether the transactionwas sent by the same sender In other words the identityof the sender remains a secret Likewise the identity of therecipient cannot be tracked by the observer nor maliciousproviders because the recipient sends the stealth address tothe sender thereafter the sender creates a one-time addressto protect the privacy of the recipient The value of a PHI datais kept from being seen because it is combined with the valueof previous transactions through the RingCT The identityof the user along with the information of the transactionson the blockchain network is paramount therefore thedecentralized shared storage systems need to manage theconfidentiality as well as ensure the integrity of the PHI data

Apart from the model that has been described there isanother important factor which plays the role to a decen-tralized system called transaction propagation A numer-ous number of transactions are distributed to the entirenodes in the blockchain peer-to-peer network resulting inpropagation delay The structure of a P2P network allowsthe peer to disseminate information to the other nodesthat are connected to the sender [24] There are severalstudies conducted by researchers to measure how effectivethe block distribution in the peer-to-peer networks such asexperiments in which the goal is to find out the numberof successful connections and experiments to determine theeffect of the number of nodes against the block

One among parameters that affect transaction propa-gation is block size Block size can be understood as themaximum limit of a block to be filled up with varioustransactions on it It also can be thought of as a bundleof transactions with each block needing to get verificationbefore it can be accepted by the network Each block hasits own size depending on the type of transaction called theblock sizeThemaximum block size in Bitcoin stands at 1MBMiners enable to choose the number of transactions to beprocessed in a block If Bitcoin miners commit a transactionthat exceeds the maximum limit then the block will berejected by the network The motivation of block size is toprevent the attack such as denial-of-service attacks The size

of a block also affects the length of confirmation time Whena node receives a new transaction the recipient confirms thevalidity of the block before accepting it The duration of theconfirmation process depends on the size of the block Bydesign the larger the size of a block is the longer it takesto confirm Therefore the size of a block plays an importantrole in the blockchain in general because it directly affects thedelay time

Propagation delay is inseparable from the size of a blockThere is a correlation between block size and the propagationdelay until the node receives the blockThe larger the size of ablock themore transactions that can be done yet it affects thepropagation time and sacrifice the security The influence ofa block size to the propagation time can be seen in Figure 10[25] The block size in the transaction is varied up to 350 KBin order to find out how long it takes for the node to receivethe block To reach 25 of total transaction is visualized witha red line 50 for the green line and 75 for the blue lineThe results are in line with the theory which states the largerthe size of a block the greater the propagation time

We take measurements for orphaned blocks by followingthe withholding attack (selfish mining) strategy that was firstdiscovered in 2014 In this study we do not elaborate onthe details of withholding attack strategy we recommendthat readers refer to the references [26ndash28] The intuitionof this attack is to keep the finding block secret untilthe attackers network becomes the longest chain in theblockchain network For a particular condition this attackdoes not possess any benefit because the block is stored inthe attackers network which is only known by the attacker(nonprofit) The attackers get the reward if only the blockfound is propagated to the public and get confirmed by otherminers

The simulation is carried out in order to know theperformance of dishonest miners which follow the selfishmining protocol The aims of this strategy are to discoverthe new block till becoming the longest chain and gainingthe revenue after publishing the block to the public network[29] In our setting we arrange the selfish miners to competewith honest miners in 14 days to solve the proof-of-workand discover the new block The maximum of mining powerof selfish miner is 04 and it is running randomly from00 through 04 within 14 days in the simulation as shownin Figure 11 There are 12 nodes of dishonest miners withdifferent mining power from 00 to 04 We set the maximumnumber of mining power at 04 of total mining power inthe network Based on the simulation result we concludethat whenever the dishonest miner has 0322 mining powerit is enough to get the unfair revenue and allows gainingthe revenue larger than it should be In general there are51 new blocks successfully added as well as 4 orphanedblocks recorded The average of block generation time is 772minutes

To the extent we obtained the information related to theparameters that affect the propagation time in the blockchainpeer-to-peer network based on our findings and the priorworks of literatureThere are numerous articles proposing theimprovement of propagation delays by changing the networktopology minimizing the verification time of a transaction

Wireless Communications and Mobile Computing 11

50

45

40

35

30

25

20

15

10

5

00 50 100 150 200 250 300 350

Block size (KB)

Tim

e (se

c)

25

50

75

Figure 10 Relationship between block size and the time

50

40

30

20

10

0

Bloc

k H

eigh

t

0 200000 400000 600000 800000 1000000 1200000

Time (s)

08

06

04

02

00

Rew

ard

000 005 010 015 020 025 030 035 040Mining Power

Figure 11 Block height against time in the P2P network (left) the performance of selfish mining attack (right)

and reconstructing the message exchange protocol in theblockchain network Generally speaking the presence ofhaving the propagation of delays can cause a lot of damagein the blockchain network [30 31]

There are many considerations to increase the effective-ness of the blockchainTherefore we select block propagationand block size parameters to be discussed as follows

(i) Speeding up the block generation In theory it would beremarkably beneficial if the block generation time isresetting as fast as possible for each transaction so thateach user will get faster payments The propagationtime includes the length of time for the distributionof transactions in the peer-to-peer network and thetime for verification of a block But the problem isthat if the block generation time is speeding up there

will be a lot of orphaned blocks It can be understoodbecause each node will receive many new blocks thatare spread through peer-to-peer networks The tie-breaking protocol causes each node to only acceptone valid block for the same type of transaction sothat it will reject transactions from other nodes thatcause the orphaned block to appear Due to manynew orphaned blocks that will emerge it will motivaterational miners to adopt the selfish mining strategythat rivals the main network and causes the forkedchain [32]

(ii) Decrease block generation Slowing down the blockgeneration time for each transaction will reduce thespeed of transactions on the peer-to-peer networkPositively it gives some merits such as providing a

12 Wireless Communications and Mobile Computing

better security system Roughly this happens due toa decreasing number of orphaned blocks that willeliminate the selfish mining attack

(iii) Increasing the block size The bigger the capacity of ablock the more the transactions that can be filled upinto the block It will slow the propagation of everytransaction to all nodes in the peer-to-peer networkThe slow propagation time will cause new problemsnamely double-spending attack Attacker could usethe same coin for two or more different transactionsSlower propagation of blocks on the peer-to-peernetwork resulted in the fact that the block cannot befully accepted by the nodes As a result when thetransaction is received the block will confirm thatthe block is valid even though the transaction hasbeen used and confirmed by other nodes in the samenetwork

(iv) Reducing the capacity of block size Because of onlya few transactions that occur within a block it willspeed up the propagation time for every transactionIt causes many orphaned blocks to emerge and allowfor the occurrence of selfish mining attacks that harmthe system Yet this decision gives the advantagessuch as fast payments and fast transaction Howeverit should ensure the immutability of the block andtransaction [33]

5 Limited and Future Work

We assume that shared storage is interconnected to ablockchain network where miners have access into it Interms of the type of shared storage we do not define itin detail instead we assume the shared storage has all thecapacity needed to support the proposed system One ofthe drawbacks of our system is related to the time neededby the recipient to find data in shared storage because therecipient must seek for data one by one based on the keyview so that the patient observes each transaction in theblockchain In the long run this might become an obstacleif the blockchain network is expanding There will be manytransactions occurring so that it will be difficult for therecipient to monitor every transaction which belongs tohimher

For future work the model and capacity of shared storageneed to be observed further The access control in the sharedstorage is also essential to ensure that system keeps safeIncentive mechanisms also need to be considered for thestorage providers It aims to motivate providers to contributeto protecting the privacy of the users as suggested by [34ndash36]Furthermore it is important to carefully consider the typeof block to be used including parameters directly involvedin the system such as block size and type of consensus toname a few Additionally the consensus selection mecha-nism is paramount in the blockchain For instance a newmethod by expanding the Byzantine consensus via hardware-assisted secret sharing can solve the scalability problem in theblockchain [37]

6 Conclusions

The model of privacy in the blockchain peer-to-peer sharedstorage has been fully presented The idea of ring signaturecombined with several protocols provides the solutions forprivacy issues on the blockchain transaction The identityof the sender and the recipient remains hidden unlinkableand untraceable from the observer The key image is attachedto prevent the same data from being stored multiple timesand it can be used as well to prevent double spending anddata duplication Based on our findings and informationfrom several literature reviews it can be said that increasingthe performance of the decentralized blockchain requires avery deep analysis since it is directly related to the securityThere are advantages and drawbacks for each decision takenFor future work a scheme that provides incentives needs tobe developed as a motivation to maintain the decentralizedsystem

Data Availability

No data were used to support this study

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This research was supported by the MSIT (Ministry ofScience and ICT) Korea under the ITRC (InformationTechnology Research Center) support program (IITP-2019-0-00403) supervised by the IITP (Institute for Informationamp Communications Technology Planning amp Evaluation) andpartially supported by the National Research Foundation ofKorea (NRF) grant funded by the Korea government (MSIT)(No NRF-2018R1D1A1B07048944)

References

[1] G Karame and E Androulaki Bitcoin and Blockchain SecurityArtech House Information Security and Privacy Series 2016

[2] R J Krawiec D Housman M White et al ldquoBlockchainOpportunities for health carerdquo in Proceedings of the NISTWorkshop Blockchain Healthcare pp 1ndash16 2016

[3] D E OrsquoLeary ldquoConfiguring blockchain architectures for trans-action information in blockchain consortiums The case ofaccounting and supply chain systemsrdquo Intelligent Systems inAccounting Finance and Management vol 24 no 4 pp 138ndash147 2017

[4] D Yang J Gavigan and ZWHearn ldquoSurvey of Confidentialityand Privacy Preserving Technologies for Blockchainsrdquo R3 pp1ndash32 2016

[5] HKoppDModinger FHauck F Kargl andC Bosch ldquoDesignof a privacy-preserving decentralized file storage with financialincentivesrdquo in Proceedings of the 2nd IEEE European Symposiumon Security and PrivacyWorkshops EuroS and PW 2017 pp 14ndash22 April 2017

Wireless Communications and Mobile Computing 13

[6] TW Clarke I Sandberg OWiley and B Hong ldquoA distributedanonymous information storage and retrieval systemrdquo Journalof Chemical Information and Modeling vol 53 no 9 pp 1689ndash1699 2001

[7] E Heilman L AlShenibr F Baldimtsi A Scafuro and SGoldberg ldquoTumbleBit an untrusted bitcoin-compatible anony-mous payment hubrdquo in Proceedings of the 2017 Network andDistributed System Security Symposium 2017

[8] S Wu Y Chen QWang M Li C Wang and X Luo ldquoCReama smart contract enabled collusion-resistant e-auctionrdquo IEEETransactions on Information Forensics 2018

[9] J Benet and N Greco ldquoFilecoin A Decentralized StorageNetworkrdquo Protoc Labs 2018

[10] S Wilkinson T Boshevski J Brandoff and V Buterin ldquoStorj apeer-to-peer cloud storage networkrdquo Technical report storjio2014

[11] B Fisch ldquoPoreps Proofs of space on useful datardquo Report2018678 Cryptology ePrint Archive 2018

[12] S Rahmadika and K Rhee ldquoBlockchain technology for pro-viding an architecture model of decentralized personal healthinformationrdquo International Journal of Engineering BusinessManagement vol 10 pp 1ndash12 2018

[13] R L Rivest A Shamir and Y Tauman ldquoHow to leak a secretrdquoin International Conference on the Theory and Application ofCryptology and Information Security vol 2248 of Lecture Notesin Comput Sci pp 552ndash565 Springer

[14] D Chaum E van Heyst and C Science ldquoGroup Signaturesrdquo inAdv CryptologymdashEUROCRYPTrsquo91 vol iii pp 257ndash265 1991

[15] N Van Saberhagen ldquoCryptoNote v 20rdquo Self-published pp 1ndash202013

[16] S Noether A Mackenzie and T M Research Lab ldquoRingconfidential transactionsrdquo Ledger vol 1 pp 1ndash8 2016

[17] E Gallery and C J Mitchell ldquoTrusted computing Security andapplicationsrdquo Cryptologia vol 33 no 3 pp 217ndash245 2009

[18] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976

[19] A A Korba M Nafaa and S Ghanemi ldquoAn efficient intrusiondetection and prevention framework for ad hoc networksrdquoInformation and Computer Security vol 24 no 4 pp 298ndash3252016

[20] S Rahmadika P H Rusmin H Hindersah and K H RheeldquoProviding data integrity for container dwelling time in the sea-portrdquo in Proceedings of the 6th International Annual EngineeringSeminar InAES 2016 pp 132ndash137 Indonesia August 2016

[21] K Schmidt-Samoa ldquoA new rabin-type trapdoor permutationequivalent to factoringrdquo Electronic Notes in Theoretical Com-puter Science vol 157 no 3 pp 79ndash94 2006

[22] A Bender J Katz and R Morselli ldquoRing signatures strongerdefinitions and constructions without randomoraclesrdquo Journalof Cryptology The Journal of the International Association forCryptologic Research vol 22 no 1 pp 114ndash138 2009

[23] K Lee andAMiller ldquoAuthenticateddata structures for privacy-preserving monero light clientsrdquo in Proceedings of the 3rd IEEEEuropean Symposium on Security and PrivacyWorkshops EUROS and PW 2018 April 2018

[24] R Schollmeier ldquoA definition of peer-to-peer networking for theclassification of peer-to-peer architectures and applicationsrdquo inProceedings of the 1st International Conference on Peer-to-PeerComputing P2P 2001 pp 101-102 August 2001

[25] Y Sompolinsky and A Zohar ldquoAccelerating bitcoins trans-action processing fast money grows on trees not chainsrdquoEprintIacrOrg 2014

[26] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo Lecture Notes in Computer Science (includingsubseries LectureNotes in Artificial Intelligence and LectureNotesin Bioinformatics) Preface vol 8437 pp 436ndash454 2014

[27] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfishmining strategies in bitcoinrdquo in Financial Cryptography andData Security vol 9603 of Lecture Notes in Computer Sciencepp 515ndash532 Springer Berlin Germany 2017

[28] E Heilman ldquoOne weird trick to stop selfish miners freshbitcoins a solution for the honest miner (poster abstract)rdquo inLecture Notes in Computer Science (including subseries LectureNotes in Artificial Intelligence and Lecture Notes in Bioinformat-ics) Preface vol 8438 pp 161-162 2014

[29] S Rahmadika B J Kweka H Kim and K Rhee ldquoA scopingreview in defend against selfish mining attack in bitcoinrdquo ITConverg Pract vol 6 no 3 pp 18ndash26 2018

[30] AGervais H Ritzdorf GO Karame and S Capkun ldquoTamper-ing with the delivery of blocks and transactions in bitcoinrdquo inProceedings of the the 22nd ACM SIGSAC Conference pp 692ndash705 Denver Colo USA October 2015

[31] A Gervais G O Karame K Wust V Glykantzis H Ritzdorfand S Capkun ldquoOn the security and performance of Proof ofWork blockchainsrdquo in Proceedings of the 23rd ACM Conferenceon Computer and Communications Security CCS 2016 pp 3ndash16October 2016

[32] D T T Anh M Zhang B C Ooi and G Chen ldquoUntanglingblockchain a data processing view of blockchain systemsrdquo IEEETransactions on Knowledge and Data Engineering 2018

[33] D Mendez Mena I Papapanagiotou and B Yang ldquoInternet ofthings survey on securityrdquo Information Security Journal vol 27no 3 pp 162ndash182 2018

[34] O Ersoy Z Ren Z Erkin and R L Lagendijk ldquoTransac-tion propagation on permissionless blockchains incentive androuting mechanismsrdquo in Proceedings of the 2018 Crypto ValleyConference on Blockchain Technology (CVCBT) pp 20ndash30 June2018

[35] Y He H Li X Cheng Y Liu C Yang and L Sun ldquoAblockchain based truthful incentive mechanism for distributedP2P applicationsrdquo IEEE Access vol 6 pp 27324ndash27335 2018

[36] J Wang M Li Y He H Li K Xiao and C Wang ldquoAblockchain based privacy-preserving incentive mechanism incrowdsensing applicationsrdquo IEEE Access vol 6 pp 17545ndash17556 2018

[37] J Liu W Li G O Karame and N Asokan ldquoScalable Byzantineconsensus via hardware-assisted secret sharingrdquo Institute ofElectrical and Electronics Engineers Transactions on Computersvol 68 no 1 pp 139ndash151 2019

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

Page 7: Toward Privacy-Preserving Shared Storage in Untrusted ...downloads.hindawi.com/journals/wcmc/2019/6219868.pdf · WirelessCommunicationsandMobileComputing y r =g r(x r) Z = V E k E

Wireless Communications and Mobile Computing 7

S = A(R)

S = A(R)

S = A(R)

S = A(R)

S = A(R)

S = A(R)

S = A(R)

SH+1 = AH+1(RH+1)

Figure 8 The group of ring signature which is derived from the public keys of the member

Once a ring signature group has been generated all membersof the group are allowed to use the signature and combine itwith the private key of the sender It grants users fine-grainedcontrol over the level of anonymity associated with a certainsignature [22]

The signer enables to choose the number of signaturesthat they want to use in the transaction to provide anambiguous signer Later the public key is used for encryption119910119899 = 119892119899(119909119899) as shown in Figure 8 Intuitively 119892119899 is definedby the extended trapdoor permutation function such as RSAandRabin algorithm In practice for Rabins functions119892119899 (119909119899)extends to 119891119894(119909119894) = 1199091198942 mod 119899119894 over 0 1119887 where 2119887 is thepower of two which is larger than all modulo 1198991198941015840119904 The bucketconsists of b-bit numbers 119908 = 119902119894119899119894 + 119903119894 where 119903119894 isin Zlowast119899119894and (119902119894 + 1)119899119894 le 2119887 For any b-bit numbers 119908 is nonnegativeintegers 119902119894 and 119903119894 The bucket values are mapped by theextended Rabinmapping 119892119899 So the value of 119892119894(119908) is signifiedby (4)

119892119894 (119908) =

119902119894119899119894 + 119891119894119903119894 if (119902119894 + 1) 119899119894 le 2119887

119908 else(4)

Intuitively 119892119894(119908) is a permutation function over 0 1119887 whichis also a one-way trapdoor function because only a personknows the inverted value of 119891119894 for a given input Thereforewe can define the public keys for the prospective members asfollows

(i) The patientlarr997888 119910120572 = 119892120572(119909120572)(ii) Hospital larr997888 119910120573 = 119892120573(119909120573) Chiropractor larr997888 119910120574 =

119892120574(119909120574) whilst the clinical psychologist larr997888 119910120575 =119892120575(119909120575)

(iii) National providerlarr997888 11991013 = 11989213(11990913) health and socialcare providerlarr997888 119910 = 119892(119909) Laboratorieslarr997888 119910 =119892(119909)

(iv) For additional members of a group it can be gener-ated at any time as long as the public key of the newmember is known 119910119899+1 = 119892119899+1(119909119899+1)

119877119904119892 = 119910120572 oplus 119910120573 oplus 119910120574 oplus 119910120575 oplus 11991013 oplus 119910 oplus 119910 oplus oplus 119910119899+1 (5)

As can be seen in (5) a group of ring signature isconstructed based on encryption of the members public key

By design the sender signs the message for the individualtransaction using the signature of the group without asingle group manager involved Because the sender uses thesignature of the group the observer cannot judge the identityof the real sender for the corresponding transaction Thesender enables to choose the number of signatures that heshewants to use in the transaction The signature of a groupcan be used at any time in a transaction without havingpermission from the owner of the key For instance in aparticular transaction the provider 119910120573 uses the following keysto sign a message ℎ(119898119904119892 119910120574 119910120575 119910120572 and his key 119910120573)

33 Ring Confidential Transaction of PHI Ring confidentialtransaction (RingCT) is used in Monero cryptocurrency [16]in order to improve the privacy of the users Intuitively thering confidential transaction aims to hide the value of theactual amount in a transaction by combining the value ofthe current transaction with the value of the predecessortransactions By doing so the observer cannot tell the exactvalue of a transaction The value of the transaction canbe the number of coins sent or other data depending onthe type of system that applies RingCT [23] Unlike in theMonero transaction the value transaction in the Bitcoin ispublicly available in the plaintext The observer might beable to analyse the transaction values for certain purposes inthe particular period of time Therefore public data will bedangerous if misused maliciously

119877119862119879 = 119905119909119894119889 [(8) (2) (5) (11) (12) (15)] (6)

Suppose all outputs in Figure 9 exist whilst the transac-tion that provider enables to spend is highlighted in greenWhenever the provider creates a transaction he uses aRingCT to disguise which input is actually being spent Inthis regard the provider combines the current transactionwith the previous transactions (highlighted in gray) Theconfidential ring signature for the transaction is shown in(6) The provider allows using the RingCT directly withoutpermission and node manager involvement As well as thegroup signature the sender is free to use the value of previoustransactions in order to disguise the value of the currenttransaction By leveraging the model it is possible to createprivacy-preserving for users in the decentralized peer-to-peer shared storage in healthcare areawith the followingmainobjectives

8 Wireless Communications and Mobile Computing

1 txid (dfa89ad90)

2 txid (uio38939a)

3 txid (890dfla8df)

4 txid (dfa89add0)

5 txid (fga89ad90)

6 txid (5fa89ad45)

7 txid (twa845d90)

8 txid (pklsdf8900)

9 txid (78sd9ad91)

10 txid (dfa89ad90)

11 txid (sd71vcjjp)

12 txid (dzzqemfsa)

13 txid sywi22zmv)

14 txid (p4z24fh3g)

15 txid (tpa1vh9wz)

16 txid (wj023kt3w)

17 txid (vq6oxop4)

18 txid (z9i5mcsdu)

Figure 9 Ring confidential transaction based on the prior transactions

(i) Untraceability with the goal to protect the sendersinformation in the form of the address (publickey) The observer cannot trace where the coin wasreceived and where the coin originated from

(ii) Unlinkability to preserve the recipients identityThiscan be achieved by using a stealth address where therecipient makes two public keys that are used to createa one-time address and the other as the view key

(iii) Confidential Values to disguise the value of a trans-action The value of the current transaction is com-bined with the values of the transactions that havebeen carried out previously so it becomes an obscuredtransaction

4 Systems Analysis and the Dilemma

The main protocols for building privacy-preserving forblockchain shared storage model have been discussed inprevious section In this section we present the relationbetween each protocol The combination of the protocolsprovides a system that enables protecting the privacy ofusers in the decentralized shared storage The proceduresare displayed gingerly starting from generating the membersof ring signature through to mechanism of storing data inthe blockchain shared storage At the end of this section weelaborate on some dilemmas

We demonstrate a case study in which one of theproviders (hospital) wants to store diagnostic data of thepatient into the decentralized shared storage The providerhas known the address (public key) of the patient beforehandIn this sense the hospital acts as the sender whilst the patientacts as the recipient of the PHImessageTheprovider attachesthe address of the patient in the form of a view key for eachtransaction so that only patients likely enable to track datastored in shared storage using hisher knowledgeTheminershave a duty to validate the data from the sender before beingsaved into shared storage yet they are responsible for addingblocks to the blockchain network The miner gets a reward

after successfully adding the new block aswith the blockchainsystem in general Algorithm 1 is a description of the wholesystem process starting with making public keys throughto data stored in shared storage The process sequence forprivacy-preserving shared storage in untrusted blockchainP2P networks as follows

(i) The party possesses a pair of parent keys (119875119906119887119896119890119910119875119903119896119890119910) that have been generated beforehand basedon trapdoor permutation function such as RSARabin or Diffie-Hellman algorithmThepatient is therecipient(119875119906119887120572 119875119903120572) whilst the hospital is the sender(119875119906119887120573 119875119903120573) in this case study

(ii) The hospital is the sender of the patients diagnosisdata (in this case) The hospital constructs a ringsignature group based on public key from providersand patient that has been known previously Thehospital also added its public key to the group

119877119904119892120573 = 119892120572 (119909120572) oplus 119892120572 (119909120573) oplus 119892120574 (119909120574) oplus 119892120575 (119909120575)

oplus 11989213 (11990913) oplus 119892 (119909) oplus 119892 (119909) oplus

oplus 119892119899+1 (119909119899+1)

(7)

(iii) When the group of ring signature 119877119904119892120573 is generatedthe sender enables to use the signature of each groupmember without having to get permission from theowner of public keys In this case study the hospitalchooses to use all signatures from group members asshown in (7) The hospital can add new members atany time as long as the public key is known

(iv) The patient as the recipient later makes the stealthaddress based on a pair of parent keys The patientcreates a pair of public keys 119875119906119887120572(119860120572 119861120572) and sendsit to the hospital via secure channel The hospitalgenerates a new one-time address based on stealth

Wireless Communications and Mobile Computing 9

1 Procedure 119878ℎ119886119903119890119889 1198781199051199001199031198861198921198902 Trapdoor Function (parent keys) lowasttrapdoor permutation function eg RSA Rabin3 119875119886119905119894119890119899119905 larr997888 ℎ119886119904ℎ(119875119906119887120572 119875119903120572)4 119867119900119904119901119894119905119886119897 larr997888 ℎ119886119904ℎ(119875119906119887120573 119875119903120573) lowastforallparty has parent keys5 119862ℎ119894119903119900119901119903119886119888119905119900119903 larr997888 ℎ119886119904ℎ(119875119906119887120574 119875119903120574)6 119862119897119888119875119904119910119888ℎ119900119897119900119892119894119904119905 larr997888 ℎ119886119904ℎ(119875119906119887120575 119875119903120575)7 119873119886119905119894119900119899119886119897119875119903119900V119894119889119890119903 larr997888 ℎ119886119904ℎ(11987511990611988713 11987511990313)8 119878119900119888119894119886119897 119888119886119903119890 larr997888 ℎ119886119904ℎ(119875119906119887 119875119903)9 119871119886119887119900119903119886119905119900119903119894119890119904 larr997888 ℎ119886119904ℎ(119875119906119887 119875119903)10The sender creates a group of ring signature11 Procedure 119880119904119890 119875119906119887119897119894119888 119870119890119910 forall 119901119886119903119905119894119890119904 isin 119901119886119903119890119899119905119896119890119910119904 lowastuse public key of the parties as an input12 Create RS13 119877119904119892119899 larr997888 119892120572(119909120572) oplus 119892120573(119909120573) oplus 119892120574(119909120574) oplus oplus 119892119899+1(119909119899+1)14 AddNewMembers lowastin case add new members15 119880119901119889119886119905119890 119877119904119892119899 larr997888 119866119890119905 119873119890119908119875119906119887119896119890119910 oplus 119875119906119887119870119890119910(119899+1)16 end procedure17 Procedure 119862119903119890119886119905119890 119878119905119890119886119897119905ℎ119860119889119889119903(119887119910119877119890119888119894119901119894119890119899119905) lowastthe recipient creates stealth address18 119875119886119903119890119899119905119870119890119910 119875119906119887119870119890119910119899 997888rarr 119875119906119887119870119890119910119899(119860119899 119861119899)19 119878119890119899119889(119860119899) 997888rarr 119905119900 119904119890119899119889119890119903 (V119894119886 119878119890119888119906119903119890119862ℎ119886119899119899119890119897)20 (119860119899 119861119899)119903119890119888119890119894V119890119889 997888rarr 119862119903119890119886119905119890 119873119890119908 119874119879119875 lowastsender creates new OTP for recipient21 end procedure22 Procedure 119862119900119899119891119894119889119890119899119905119894119886119897 119877119894119899119892 119878119894119892119899119886119905119906119903119890 lowastconfidential ring signature as an option23 119894119891 forall119905119909119904 119861119862 119906119904119890 119862119877119878 119905ℎ119890119899 119903119890119905119906119903119899 True24 119873119890119908119881119886119897119906119890 larr997888 119862119906119903119903119890119899119905119881119886119897119906119890 oplus 119875119903119890V11988111988611989711990611989025 119868119899119888119897119906119889119890 119905119900 119905ℎ119890 119899119890119908 119905119909 larr997888 11987311989011990811988111988611989711990611989026 119890119897119904119890119903119890119905119906119903119899 False27 end procedure28 Procedure 119878119894119892119899 119905ℎ119890 119875119867119868 119863119886119905119886(119872119904119892) lowastin this case the PHI data is from the hospital29 119866119890119905 119872119904119892 isin 119863119894119886119892119899119900119904119894119904 119863119886119905119886(119867119900119904119901119894119905119886119897)30 119878119894119892119899 120590 larr997888 119888ℎ119900119900119904119890 119904119894119892119899119890119903 isin 11987711990411989211989931 119877119894119899119892119862119879larr997888 119888ℎ119900119900119904119890 119901119903119890V 119905119909119904 isin 11986211987711987832 119872119904119892 larr997888 119886119905119905119886119888ℎ11989011988910158401198701198901199101198681198981198861198921198901015840 lowastKeyImage to prevent storing the same data33 119862119906119903119903119872119904119892 larr997888 119878119894119892119899 120590 119877119894119899119892119862119879 11987011989011991011986811989811988611989211989034 end procedure35 Procedure 119878119890119899119889 119905119900 119861119897119900119888119896119888ℎ119886119894119899 11987311989011990511990811990011990311989636 119866119890119905 119862119906119903119903119872119904119892 oplus 119874119879119875(119891119903119900119898 119878119905119890119886119897119905ℎ119860119889119889119903)37 119878119890119899119889 119905119900 119887119897119900119888119896119888ℎ119886119894119899 11989911989011990511990811990011990311989638 119882119886119894119905 1198981198941198991198901199031015840119904 11988811990011989911989111989411990311989811988611990511989411990011989939 119894119891 119862119906119903119903119872119904119892 119894119904 V119886119897119894119889 119905ℎ119890119899 119903119890119905119906119903119899 True lowasttransaction is success40 119860119889119889 119899119890119908119861119897119900119888119896 119905119900 119861119862 11989911989011990511990811990011990311989641 119860119889119889119862119906119903119903119872119904119892 997888rarr 119878ℎ119886119903119890119889 11987811990511990011990311988611989211989042 119890119897119904119890119903119890119905119906119903119899 False43 End

Algorithm 1 Shared Storage of PHI Data

address received Only patients can access data storedin shared storage by using his knowledge 119875119903120572(119886120572 119887120572)

119874119879119875 = 119867119904 (119903119860120572) 119866 + 119861120572 (8)

(v) The sender unpacks the address received which con-tains the public address of the recipient 119875119906119887120572(119860120572 119861120572)The sender picks the random value 119903 isin [1 119897 minus 1] togenerate one-time public key and attaches119861120572 as a viewaddress in the shared storage

(vi) For certain types of data the sender can use confiden-tial ring signatures (RingCT) to disguise informationof the data by adding value to transactions that have

occurred before such as 119877119862119879120573 = 119905119909119894119889(3) 119905119909119894119889(7) 119905119909119894119889(5) 119905119909119894119889(9) 119905119909119894119889(119899)

(vii) The hospital signs the diagnosis data 119898119904119892 usingthe member key from the ring signature asfollows 119878119894119892119899120590(119898119904119892 119910120572 119910120573 119910120574 119910120575 11991013 119910 119910 119910119899)which consists of the public keys of the members119875119906119887120572 119875119906119887120573 119875119906119887120574 119875119906119887120575 11987511990611988713 119875119906119887 and 119875119906119887

(viii) Key image is attached by the sender to prevent doublespending It can be interpreted as a scheme to preventthe same data stored twice in blockchain storageThe hospital sends the following series of data tothe blockchain network to be confirmed by miners119878119894119892119899 120590 119898119904119892 119874119879119875 119877119894119899119892119862119879 119896119890119910119894119898119886119892119890

10 Wireless Communications and Mobile Computing

(ix) The diagnosis data from the hospital along withattachments of the files are then sent to the blockchainnetwork to be verified by the miners before thedata are stored in a decentralized shared storageWhenever the data has been stored successfully thepatient traces one by one the transaction on theblockchain network until the patient finds hisherview keys 119861119899 which correspond to the patient

(x) The patient with hisher knowledge decrypts andcompares the value of the data received with thedecrypted value 119886120572119877 = 119886120572119903119866 = 119903119860120572 1198751015840 = 119875

The Algorithm 1 presents an overall model of the systemwhich starts with generating key pairs for the parties creatinga ring signature group and stealth addresses signing PHIdata until data are confirmed and stored in the decentralizedshared storage The observer is unlikely to track the senderrsquostransaction since the sender uses a signature on behalf ofa group in which the senders signature is obscured Fur-thermore the observer cannot associate one transaction withanother so it is indistinguishable whether the transactionwas sent by the same sender In other words the identityof the sender remains a secret Likewise the identity of therecipient cannot be tracked by the observer nor maliciousproviders because the recipient sends the stealth address tothe sender thereafter the sender creates a one-time addressto protect the privacy of the recipient The value of a PHI datais kept from being seen because it is combined with the valueof previous transactions through the RingCT The identityof the user along with the information of the transactionson the blockchain network is paramount therefore thedecentralized shared storage systems need to manage theconfidentiality as well as ensure the integrity of the PHI data

Apart from the model that has been described there isanother important factor which plays the role to a decen-tralized system called transaction propagation A numer-ous number of transactions are distributed to the entirenodes in the blockchain peer-to-peer network resulting inpropagation delay The structure of a P2P network allowsthe peer to disseminate information to the other nodesthat are connected to the sender [24] There are severalstudies conducted by researchers to measure how effectivethe block distribution in the peer-to-peer networks such asexperiments in which the goal is to find out the numberof successful connections and experiments to determine theeffect of the number of nodes against the block

One among parameters that affect transaction propa-gation is block size Block size can be understood as themaximum limit of a block to be filled up with varioustransactions on it It also can be thought of as a bundleof transactions with each block needing to get verificationbefore it can be accepted by the network Each block hasits own size depending on the type of transaction called theblock sizeThemaximum block size in Bitcoin stands at 1MBMiners enable to choose the number of transactions to beprocessed in a block If Bitcoin miners commit a transactionthat exceeds the maximum limit then the block will berejected by the network The motivation of block size is toprevent the attack such as denial-of-service attacks The size

of a block also affects the length of confirmation time Whena node receives a new transaction the recipient confirms thevalidity of the block before accepting it The duration of theconfirmation process depends on the size of the block Bydesign the larger the size of a block is the longer it takesto confirm Therefore the size of a block plays an importantrole in the blockchain in general because it directly affects thedelay time

Propagation delay is inseparable from the size of a blockThere is a correlation between block size and the propagationdelay until the node receives the blockThe larger the size of ablock themore transactions that can be done yet it affects thepropagation time and sacrifice the security The influence ofa block size to the propagation time can be seen in Figure 10[25] The block size in the transaction is varied up to 350 KBin order to find out how long it takes for the node to receivethe block To reach 25 of total transaction is visualized witha red line 50 for the green line and 75 for the blue lineThe results are in line with the theory which states the largerthe size of a block the greater the propagation time

We take measurements for orphaned blocks by followingthe withholding attack (selfish mining) strategy that was firstdiscovered in 2014 In this study we do not elaborate onthe details of withholding attack strategy we recommendthat readers refer to the references [26ndash28] The intuitionof this attack is to keep the finding block secret untilthe attackers network becomes the longest chain in theblockchain network For a particular condition this attackdoes not possess any benefit because the block is stored inthe attackers network which is only known by the attacker(nonprofit) The attackers get the reward if only the blockfound is propagated to the public and get confirmed by otherminers

The simulation is carried out in order to know theperformance of dishonest miners which follow the selfishmining protocol The aims of this strategy are to discoverthe new block till becoming the longest chain and gainingthe revenue after publishing the block to the public network[29] In our setting we arrange the selfish miners to competewith honest miners in 14 days to solve the proof-of-workand discover the new block The maximum of mining powerof selfish miner is 04 and it is running randomly from00 through 04 within 14 days in the simulation as shownin Figure 11 There are 12 nodes of dishonest miners withdifferent mining power from 00 to 04 We set the maximumnumber of mining power at 04 of total mining power inthe network Based on the simulation result we concludethat whenever the dishonest miner has 0322 mining powerit is enough to get the unfair revenue and allows gainingthe revenue larger than it should be In general there are51 new blocks successfully added as well as 4 orphanedblocks recorded The average of block generation time is 772minutes

To the extent we obtained the information related to theparameters that affect the propagation time in the blockchainpeer-to-peer network based on our findings and the priorworks of literatureThere are numerous articles proposing theimprovement of propagation delays by changing the networktopology minimizing the verification time of a transaction

Wireless Communications and Mobile Computing 11

50

45

40

35

30

25

20

15

10

5

00 50 100 150 200 250 300 350

Block size (KB)

Tim

e (se

c)

25

50

75

Figure 10 Relationship between block size and the time

50

40

30

20

10

0

Bloc

k H

eigh

t

0 200000 400000 600000 800000 1000000 1200000

Time (s)

08

06

04

02

00

Rew

ard

000 005 010 015 020 025 030 035 040Mining Power

Figure 11 Block height against time in the P2P network (left) the performance of selfish mining attack (right)

and reconstructing the message exchange protocol in theblockchain network Generally speaking the presence ofhaving the propagation of delays can cause a lot of damagein the blockchain network [30 31]

There are many considerations to increase the effective-ness of the blockchainTherefore we select block propagationand block size parameters to be discussed as follows

(i) Speeding up the block generation In theory it would beremarkably beneficial if the block generation time isresetting as fast as possible for each transaction so thateach user will get faster payments The propagationtime includes the length of time for the distributionof transactions in the peer-to-peer network and thetime for verification of a block But the problem isthat if the block generation time is speeding up there

will be a lot of orphaned blocks It can be understoodbecause each node will receive many new blocks thatare spread through peer-to-peer networks The tie-breaking protocol causes each node to only acceptone valid block for the same type of transaction sothat it will reject transactions from other nodes thatcause the orphaned block to appear Due to manynew orphaned blocks that will emerge it will motivaterational miners to adopt the selfish mining strategythat rivals the main network and causes the forkedchain [32]

(ii) Decrease block generation Slowing down the blockgeneration time for each transaction will reduce thespeed of transactions on the peer-to-peer networkPositively it gives some merits such as providing a

12 Wireless Communications and Mobile Computing

better security system Roughly this happens due toa decreasing number of orphaned blocks that willeliminate the selfish mining attack

(iii) Increasing the block size The bigger the capacity of ablock the more the transactions that can be filled upinto the block It will slow the propagation of everytransaction to all nodes in the peer-to-peer networkThe slow propagation time will cause new problemsnamely double-spending attack Attacker could usethe same coin for two or more different transactionsSlower propagation of blocks on the peer-to-peernetwork resulted in the fact that the block cannot befully accepted by the nodes As a result when thetransaction is received the block will confirm thatthe block is valid even though the transaction hasbeen used and confirmed by other nodes in the samenetwork

(iv) Reducing the capacity of block size Because of onlya few transactions that occur within a block it willspeed up the propagation time for every transactionIt causes many orphaned blocks to emerge and allowfor the occurrence of selfish mining attacks that harmthe system Yet this decision gives the advantagessuch as fast payments and fast transaction Howeverit should ensure the immutability of the block andtransaction [33]

5 Limited and Future Work

We assume that shared storage is interconnected to ablockchain network where miners have access into it Interms of the type of shared storage we do not define itin detail instead we assume the shared storage has all thecapacity needed to support the proposed system One ofthe drawbacks of our system is related to the time neededby the recipient to find data in shared storage because therecipient must seek for data one by one based on the keyview so that the patient observes each transaction in theblockchain In the long run this might become an obstacleif the blockchain network is expanding There will be manytransactions occurring so that it will be difficult for therecipient to monitor every transaction which belongs tohimher

For future work the model and capacity of shared storageneed to be observed further The access control in the sharedstorage is also essential to ensure that system keeps safeIncentive mechanisms also need to be considered for thestorage providers It aims to motivate providers to contributeto protecting the privacy of the users as suggested by [34ndash36]Furthermore it is important to carefully consider the typeof block to be used including parameters directly involvedin the system such as block size and type of consensus toname a few Additionally the consensus selection mecha-nism is paramount in the blockchain For instance a newmethod by expanding the Byzantine consensus via hardware-assisted secret sharing can solve the scalability problem in theblockchain [37]

6 Conclusions

The model of privacy in the blockchain peer-to-peer sharedstorage has been fully presented The idea of ring signaturecombined with several protocols provides the solutions forprivacy issues on the blockchain transaction The identityof the sender and the recipient remains hidden unlinkableand untraceable from the observer The key image is attachedto prevent the same data from being stored multiple timesand it can be used as well to prevent double spending anddata duplication Based on our findings and informationfrom several literature reviews it can be said that increasingthe performance of the decentralized blockchain requires avery deep analysis since it is directly related to the securityThere are advantages and drawbacks for each decision takenFor future work a scheme that provides incentives needs tobe developed as a motivation to maintain the decentralizedsystem

Data Availability

No data were used to support this study

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This research was supported by the MSIT (Ministry ofScience and ICT) Korea under the ITRC (InformationTechnology Research Center) support program (IITP-2019-0-00403) supervised by the IITP (Institute for Informationamp Communications Technology Planning amp Evaluation) andpartially supported by the National Research Foundation ofKorea (NRF) grant funded by the Korea government (MSIT)(No NRF-2018R1D1A1B07048944)

References

[1] G Karame and E Androulaki Bitcoin and Blockchain SecurityArtech House Information Security and Privacy Series 2016

[2] R J Krawiec D Housman M White et al ldquoBlockchainOpportunities for health carerdquo in Proceedings of the NISTWorkshop Blockchain Healthcare pp 1ndash16 2016

[3] D E OrsquoLeary ldquoConfiguring blockchain architectures for trans-action information in blockchain consortiums The case ofaccounting and supply chain systemsrdquo Intelligent Systems inAccounting Finance and Management vol 24 no 4 pp 138ndash147 2017

[4] D Yang J Gavigan and ZWHearn ldquoSurvey of Confidentialityand Privacy Preserving Technologies for Blockchainsrdquo R3 pp1ndash32 2016

[5] HKoppDModinger FHauck F Kargl andC Bosch ldquoDesignof a privacy-preserving decentralized file storage with financialincentivesrdquo in Proceedings of the 2nd IEEE European Symposiumon Security and PrivacyWorkshops EuroS and PW 2017 pp 14ndash22 April 2017

Wireless Communications and Mobile Computing 13

[6] TW Clarke I Sandberg OWiley and B Hong ldquoA distributedanonymous information storage and retrieval systemrdquo Journalof Chemical Information and Modeling vol 53 no 9 pp 1689ndash1699 2001

[7] E Heilman L AlShenibr F Baldimtsi A Scafuro and SGoldberg ldquoTumbleBit an untrusted bitcoin-compatible anony-mous payment hubrdquo in Proceedings of the 2017 Network andDistributed System Security Symposium 2017

[8] S Wu Y Chen QWang M Li C Wang and X Luo ldquoCReama smart contract enabled collusion-resistant e-auctionrdquo IEEETransactions on Information Forensics 2018

[9] J Benet and N Greco ldquoFilecoin A Decentralized StorageNetworkrdquo Protoc Labs 2018

[10] S Wilkinson T Boshevski J Brandoff and V Buterin ldquoStorj apeer-to-peer cloud storage networkrdquo Technical report storjio2014

[11] B Fisch ldquoPoreps Proofs of space on useful datardquo Report2018678 Cryptology ePrint Archive 2018

[12] S Rahmadika and K Rhee ldquoBlockchain technology for pro-viding an architecture model of decentralized personal healthinformationrdquo International Journal of Engineering BusinessManagement vol 10 pp 1ndash12 2018

[13] R L Rivest A Shamir and Y Tauman ldquoHow to leak a secretrdquoin International Conference on the Theory and Application ofCryptology and Information Security vol 2248 of Lecture Notesin Comput Sci pp 552ndash565 Springer

[14] D Chaum E van Heyst and C Science ldquoGroup Signaturesrdquo inAdv CryptologymdashEUROCRYPTrsquo91 vol iii pp 257ndash265 1991

[15] N Van Saberhagen ldquoCryptoNote v 20rdquo Self-published pp 1ndash202013

[16] S Noether A Mackenzie and T M Research Lab ldquoRingconfidential transactionsrdquo Ledger vol 1 pp 1ndash8 2016

[17] E Gallery and C J Mitchell ldquoTrusted computing Security andapplicationsrdquo Cryptologia vol 33 no 3 pp 217ndash245 2009

[18] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976

[19] A A Korba M Nafaa and S Ghanemi ldquoAn efficient intrusiondetection and prevention framework for ad hoc networksrdquoInformation and Computer Security vol 24 no 4 pp 298ndash3252016

[20] S Rahmadika P H Rusmin H Hindersah and K H RheeldquoProviding data integrity for container dwelling time in the sea-portrdquo in Proceedings of the 6th International Annual EngineeringSeminar InAES 2016 pp 132ndash137 Indonesia August 2016

[21] K Schmidt-Samoa ldquoA new rabin-type trapdoor permutationequivalent to factoringrdquo Electronic Notes in Theoretical Com-puter Science vol 157 no 3 pp 79ndash94 2006

[22] A Bender J Katz and R Morselli ldquoRing signatures strongerdefinitions and constructions without randomoraclesrdquo Journalof Cryptology The Journal of the International Association forCryptologic Research vol 22 no 1 pp 114ndash138 2009

[23] K Lee andAMiller ldquoAuthenticateddata structures for privacy-preserving monero light clientsrdquo in Proceedings of the 3rd IEEEEuropean Symposium on Security and PrivacyWorkshops EUROS and PW 2018 April 2018

[24] R Schollmeier ldquoA definition of peer-to-peer networking for theclassification of peer-to-peer architectures and applicationsrdquo inProceedings of the 1st International Conference on Peer-to-PeerComputing P2P 2001 pp 101-102 August 2001

[25] Y Sompolinsky and A Zohar ldquoAccelerating bitcoins trans-action processing fast money grows on trees not chainsrdquoEprintIacrOrg 2014

[26] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo Lecture Notes in Computer Science (includingsubseries LectureNotes in Artificial Intelligence and LectureNotesin Bioinformatics) Preface vol 8437 pp 436ndash454 2014

[27] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfishmining strategies in bitcoinrdquo in Financial Cryptography andData Security vol 9603 of Lecture Notes in Computer Sciencepp 515ndash532 Springer Berlin Germany 2017

[28] E Heilman ldquoOne weird trick to stop selfish miners freshbitcoins a solution for the honest miner (poster abstract)rdquo inLecture Notes in Computer Science (including subseries LectureNotes in Artificial Intelligence and Lecture Notes in Bioinformat-ics) Preface vol 8438 pp 161-162 2014

[29] S Rahmadika B J Kweka H Kim and K Rhee ldquoA scopingreview in defend against selfish mining attack in bitcoinrdquo ITConverg Pract vol 6 no 3 pp 18ndash26 2018

[30] AGervais H Ritzdorf GO Karame and S Capkun ldquoTamper-ing with the delivery of blocks and transactions in bitcoinrdquo inProceedings of the the 22nd ACM SIGSAC Conference pp 692ndash705 Denver Colo USA October 2015

[31] A Gervais G O Karame K Wust V Glykantzis H Ritzdorfand S Capkun ldquoOn the security and performance of Proof ofWork blockchainsrdquo in Proceedings of the 23rd ACM Conferenceon Computer and Communications Security CCS 2016 pp 3ndash16October 2016

[32] D T T Anh M Zhang B C Ooi and G Chen ldquoUntanglingblockchain a data processing view of blockchain systemsrdquo IEEETransactions on Knowledge and Data Engineering 2018

[33] D Mendez Mena I Papapanagiotou and B Yang ldquoInternet ofthings survey on securityrdquo Information Security Journal vol 27no 3 pp 162ndash182 2018

[34] O Ersoy Z Ren Z Erkin and R L Lagendijk ldquoTransac-tion propagation on permissionless blockchains incentive androuting mechanismsrdquo in Proceedings of the 2018 Crypto ValleyConference on Blockchain Technology (CVCBT) pp 20ndash30 June2018

[35] Y He H Li X Cheng Y Liu C Yang and L Sun ldquoAblockchain based truthful incentive mechanism for distributedP2P applicationsrdquo IEEE Access vol 6 pp 27324ndash27335 2018

[36] J Wang M Li Y He H Li K Xiao and C Wang ldquoAblockchain based privacy-preserving incentive mechanism incrowdsensing applicationsrdquo IEEE Access vol 6 pp 17545ndash17556 2018

[37] J Liu W Li G O Karame and N Asokan ldquoScalable Byzantineconsensus via hardware-assisted secret sharingrdquo Institute ofElectrical and Electronics Engineers Transactions on Computersvol 68 no 1 pp 139ndash151 2019

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

Page 8: Toward Privacy-Preserving Shared Storage in Untrusted ...downloads.hindawi.com/journals/wcmc/2019/6219868.pdf · WirelessCommunicationsandMobileComputing y r =g r(x r) Z = V E k E

8 Wireless Communications and Mobile Computing

1 txid (dfa89ad90)

2 txid (uio38939a)

3 txid (890dfla8df)

4 txid (dfa89add0)

5 txid (fga89ad90)

6 txid (5fa89ad45)

7 txid (twa845d90)

8 txid (pklsdf8900)

9 txid (78sd9ad91)

10 txid (dfa89ad90)

11 txid (sd71vcjjp)

12 txid (dzzqemfsa)

13 txid sywi22zmv)

14 txid (p4z24fh3g)

15 txid (tpa1vh9wz)

16 txid (wj023kt3w)

17 txid (vq6oxop4)

18 txid (z9i5mcsdu)

Figure 9 Ring confidential transaction based on the prior transactions

(i) Untraceability with the goal to protect the sendersinformation in the form of the address (publickey) The observer cannot trace where the coin wasreceived and where the coin originated from

(ii) Unlinkability to preserve the recipients identityThiscan be achieved by using a stealth address where therecipient makes two public keys that are used to createa one-time address and the other as the view key

(iii) Confidential Values to disguise the value of a trans-action The value of the current transaction is com-bined with the values of the transactions that havebeen carried out previously so it becomes an obscuredtransaction

4 Systems Analysis and the Dilemma

The main protocols for building privacy-preserving forblockchain shared storage model have been discussed inprevious section In this section we present the relationbetween each protocol The combination of the protocolsprovides a system that enables protecting the privacy ofusers in the decentralized shared storage The proceduresare displayed gingerly starting from generating the membersof ring signature through to mechanism of storing data inthe blockchain shared storage At the end of this section weelaborate on some dilemmas

We demonstrate a case study in which one of theproviders (hospital) wants to store diagnostic data of thepatient into the decentralized shared storage The providerhas known the address (public key) of the patient beforehandIn this sense the hospital acts as the sender whilst the patientacts as the recipient of the PHImessageTheprovider attachesthe address of the patient in the form of a view key for eachtransaction so that only patients likely enable to track datastored in shared storage using hisher knowledgeTheminershave a duty to validate the data from the sender before beingsaved into shared storage yet they are responsible for addingblocks to the blockchain network The miner gets a reward

after successfully adding the new block aswith the blockchainsystem in general Algorithm 1 is a description of the wholesystem process starting with making public keys throughto data stored in shared storage The process sequence forprivacy-preserving shared storage in untrusted blockchainP2P networks as follows

(i) The party possesses a pair of parent keys (119875119906119887119896119890119910119875119903119896119890119910) that have been generated beforehand basedon trapdoor permutation function such as RSARabin or Diffie-Hellman algorithmThepatient is therecipient(119875119906119887120572 119875119903120572) whilst the hospital is the sender(119875119906119887120573 119875119903120573) in this case study

(ii) The hospital is the sender of the patients diagnosisdata (in this case) The hospital constructs a ringsignature group based on public key from providersand patient that has been known previously Thehospital also added its public key to the group

119877119904119892120573 = 119892120572 (119909120572) oplus 119892120572 (119909120573) oplus 119892120574 (119909120574) oplus 119892120575 (119909120575)

oplus 11989213 (11990913) oplus 119892 (119909) oplus 119892 (119909) oplus

oplus 119892119899+1 (119909119899+1)

(7)

(iii) When the group of ring signature 119877119904119892120573 is generatedthe sender enables to use the signature of each groupmember without having to get permission from theowner of public keys In this case study the hospitalchooses to use all signatures from group members asshown in (7) The hospital can add new members atany time as long as the public key is known

(iv) The patient as the recipient later makes the stealthaddress based on a pair of parent keys The patientcreates a pair of public keys 119875119906119887120572(119860120572 119861120572) and sendsit to the hospital via secure channel The hospitalgenerates a new one-time address based on stealth

Wireless Communications and Mobile Computing 9

1 Procedure 119878ℎ119886119903119890119889 1198781199051199001199031198861198921198902 Trapdoor Function (parent keys) lowasttrapdoor permutation function eg RSA Rabin3 119875119886119905119894119890119899119905 larr997888 ℎ119886119904ℎ(119875119906119887120572 119875119903120572)4 119867119900119904119901119894119905119886119897 larr997888 ℎ119886119904ℎ(119875119906119887120573 119875119903120573) lowastforallparty has parent keys5 119862ℎ119894119903119900119901119903119886119888119905119900119903 larr997888 ℎ119886119904ℎ(119875119906119887120574 119875119903120574)6 119862119897119888119875119904119910119888ℎ119900119897119900119892119894119904119905 larr997888 ℎ119886119904ℎ(119875119906119887120575 119875119903120575)7 119873119886119905119894119900119899119886119897119875119903119900V119894119889119890119903 larr997888 ℎ119886119904ℎ(11987511990611988713 11987511990313)8 119878119900119888119894119886119897 119888119886119903119890 larr997888 ℎ119886119904ℎ(119875119906119887 119875119903)9 119871119886119887119900119903119886119905119900119903119894119890119904 larr997888 ℎ119886119904ℎ(119875119906119887 119875119903)10The sender creates a group of ring signature11 Procedure 119880119904119890 119875119906119887119897119894119888 119870119890119910 forall 119901119886119903119905119894119890119904 isin 119901119886119903119890119899119905119896119890119910119904 lowastuse public key of the parties as an input12 Create RS13 119877119904119892119899 larr997888 119892120572(119909120572) oplus 119892120573(119909120573) oplus 119892120574(119909120574) oplus oplus 119892119899+1(119909119899+1)14 AddNewMembers lowastin case add new members15 119880119901119889119886119905119890 119877119904119892119899 larr997888 119866119890119905 119873119890119908119875119906119887119896119890119910 oplus 119875119906119887119870119890119910(119899+1)16 end procedure17 Procedure 119862119903119890119886119905119890 119878119905119890119886119897119905ℎ119860119889119889119903(119887119910119877119890119888119894119901119894119890119899119905) lowastthe recipient creates stealth address18 119875119886119903119890119899119905119870119890119910 119875119906119887119870119890119910119899 997888rarr 119875119906119887119870119890119910119899(119860119899 119861119899)19 119878119890119899119889(119860119899) 997888rarr 119905119900 119904119890119899119889119890119903 (V119894119886 119878119890119888119906119903119890119862ℎ119886119899119899119890119897)20 (119860119899 119861119899)119903119890119888119890119894V119890119889 997888rarr 119862119903119890119886119905119890 119873119890119908 119874119879119875 lowastsender creates new OTP for recipient21 end procedure22 Procedure 119862119900119899119891119894119889119890119899119905119894119886119897 119877119894119899119892 119878119894119892119899119886119905119906119903119890 lowastconfidential ring signature as an option23 119894119891 forall119905119909119904 119861119862 119906119904119890 119862119877119878 119905ℎ119890119899 119903119890119905119906119903119899 True24 119873119890119908119881119886119897119906119890 larr997888 119862119906119903119903119890119899119905119881119886119897119906119890 oplus 119875119903119890V11988111988611989711990611989025 119868119899119888119897119906119889119890 119905119900 119905ℎ119890 119899119890119908 119905119909 larr997888 11987311989011990811988111988611989711990611989026 119890119897119904119890119903119890119905119906119903119899 False27 end procedure28 Procedure 119878119894119892119899 119905ℎ119890 119875119867119868 119863119886119905119886(119872119904119892) lowastin this case the PHI data is from the hospital29 119866119890119905 119872119904119892 isin 119863119894119886119892119899119900119904119894119904 119863119886119905119886(119867119900119904119901119894119905119886119897)30 119878119894119892119899 120590 larr997888 119888ℎ119900119900119904119890 119904119894119892119899119890119903 isin 11987711990411989211989931 119877119894119899119892119862119879larr997888 119888ℎ119900119900119904119890 119901119903119890V 119905119909119904 isin 11986211987711987832 119872119904119892 larr997888 119886119905119905119886119888ℎ11989011988910158401198701198901199101198681198981198861198921198901015840 lowastKeyImage to prevent storing the same data33 119862119906119903119903119872119904119892 larr997888 119878119894119892119899 120590 119877119894119899119892119862119879 11987011989011991011986811989811988611989211989034 end procedure35 Procedure 119878119890119899119889 119905119900 119861119897119900119888119896119888ℎ119886119894119899 11987311989011990511990811990011990311989636 119866119890119905 119862119906119903119903119872119904119892 oplus 119874119879119875(119891119903119900119898 119878119905119890119886119897119905ℎ119860119889119889119903)37 119878119890119899119889 119905119900 119887119897119900119888119896119888ℎ119886119894119899 11989911989011990511990811990011990311989638 119882119886119894119905 1198981198941198991198901199031015840119904 11988811990011989911989111989411990311989811988611990511989411990011989939 119894119891 119862119906119903119903119872119904119892 119894119904 V119886119897119894119889 119905ℎ119890119899 119903119890119905119906119903119899 True lowasttransaction is success40 119860119889119889 119899119890119908119861119897119900119888119896 119905119900 119861119862 11989911989011990511990811990011990311989641 119860119889119889119862119906119903119903119872119904119892 997888rarr 119878ℎ119886119903119890119889 11987811990511990011990311988611989211989042 119890119897119904119890119903119890119905119906119903119899 False43 End

Algorithm 1 Shared Storage of PHI Data

address received Only patients can access data storedin shared storage by using his knowledge 119875119903120572(119886120572 119887120572)

119874119879119875 = 119867119904 (119903119860120572) 119866 + 119861120572 (8)

(v) The sender unpacks the address received which con-tains the public address of the recipient 119875119906119887120572(119860120572 119861120572)The sender picks the random value 119903 isin [1 119897 minus 1] togenerate one-time public key and attaches119861120572 as a viewaddress in the shared storage

(vi) For certain types of data the sender can use confiden-tial ring signatures (RingCT) to disguise informationof the data by adding value to transactions that have

occurred before such as 119877119862119879120573 = 119905119909119894119889(3) 119905119909119894119889(7) 119905119909119894119889(5) 119905119909119894119889(9) 119905119909119894119889(119899)

(vii) The hospital signs the diagnosis data 119898119904119892 usingthe member key from the ring signature asfollows 119878119894119892119899120590(119898119904119892 119910120572 119910120573 119910120574 119910120575 11991013 119910 119910 119910119899)which consists of the public keys of the members119875119906119887120572 119875119906119887120573 119875119906119887120574 119875119906119887120575 11987511990611988713 119875119906119887 and 119875119906119887

(viii) Key image is attached by the sender to prevent doublespending It can be interpreted as a scheme to preventthe same data stored twice in blockchain storageThe hospital sends the following series of data tothe blockchain network to be confirmed by miners119878119894119892119899 120590 119898119904119892 119874119879119875 119877119894119899119892119862119879 119896119890119910119894119898119886119892119890

10 Wireless Communications and Mobile Computing

(ix) The diagnosis data from the hospital along withattachments of the files are then sent to the blockchainnetwork to be verified by the miners before thedata are stored in a decentralized shared storageWhenever the data has been stored successfully thepatient traces one by one the transaction on theblockchain network until the patient finds hisherview keys 119861119899 which correspond to the patient

(x) The patient with hisher knowledge decrypts andcompares the value of the data received with thedecrypted value 119886120572119877 = 119886120572119903119866 = 119903119860120572 1198751015840 = 119875

The Algorithm 1 presents an overall model of the systemwhich starts with generating key pairs for the parties creatinga ring signature group and stealth addresses signing PHIdata until data are confirmed and stored in the decentralizedshared storage The observer is unlikely to track the senderrsquostransaction since the sender uses a signature on behalf ofa group in which the senders signature is obscured Fur-thermore the observer cannot associate one transaction withanother so it is indistinguishable whether the transactionwas sent by the same sender In other words the identityof the sender remains a secret Likewise the identity of therecipient cannot be tracked by the observer nor maliciousproviders because the recipient sends the stealth address tothe sender thereafter the sender creates a one-time addressto protect the privacy of the recipient The value of a PHI datais kept from being seen because it is combined with the valueof previous transactions through the RingCT The identityof the user along with the information of the transactionson the blockchain network is paramount therefore thedecentralized shared storage systems need to manage theconfidentiality as well as ensure the integrity of the PHI data

Apart from the model that has been described there isanother important factor which plays the role to a decen-tralized system called transaction propagation A numer-ous number of transactions are distributed to the entirenodes in the blockchain peer-to-peer network resulting inpropagation delay The structure of a P2P network allowsthe peer to disseminate information to the other nodesthat are connected to the sender [24] There are severalstudies conducted by researchers to measure how effectivethe block distribution in the peer-to-peer networks such asexperiments in which the goal is to find out the numberof successful connections and experiments to determine theeffect of the number of nodes against the block

One among parameters that affect transaction propa-gation is block size Block size can be understood as themaximum limit of a block to be filled up with varioustransactions on it It also can be thought of as a bundleof transactions with each block needing to get verificationbefore it can be accepted by the network Each block hasits own size depending on the type of transaction called theblock sizeThemaximum block size in Bitcoin stands at 1MBMiners enable to choose the number of transactions to beprocessed in a block If Bitcoin miners commit a transactionthat exceeds the maximum limit then the block will berejected by the network The motivation of block size is toprevent the attack such as denial-of-service attacks The size

of a block also affects the length of confirmation time Whena node receives a new transaction the recipient confirms thevalidity of the block before accepting it The duration of theconfirmation process depends on the size of the block Bydesign the larger the size of a block is the longer it takesto confirm Therefore the size of a block plays an importantrole in the blockchain in general because it directly affects thedelay time

Propagation delay is inseparable from the size of a blockThere is a correlation between block size and the propagationdelay until the node receives the blockThe larger the size of ablock themore transactions that can be done yet it affects thepropagation time and sacrifice the security The influence ofa block size to the propagation time can be seen in Figure 10[25] The block size in the transaction is varied up to 350 KBin order to find out how long it takes for the node to receivethe block To reach 25 of total transaction is visualized witha red line 50 for the green line and 75 for the blue lineThe results are in line with the theory which states the largerthe size of a block the greater the propagation time

We take measurements for orphaned blocks by followingthe withholding attack (selfish mining) strategy that was firstdiscovered in 2014 In this study we do not elaborate onthe details of withholding attack strategy we recommendthat readers refer to the references [26ndash28] The intuitionof this attack is to keep the finding block secret untilthe attackers network becomes the longest chain in theblockchain network For a particular condition this attackdoes not possess any benefit because the block is stored inthe attackers network which is only known by the attacker(nonprofit) The attackers get the reward if only the blockfound is propagated to the public and get confirmed by otherminers

The simulation is carried out in order to know theperformance of dishonest miners which follow the selfishmining protocol The aims of this strategy are to discoverthe new block till becoming the longest chain and gainingthe revenue after publishing the block to the public network[29] In our setting we arrange the selfish miners to competewith honest miners in 14 days to solve the proof-of-workand discover the new block The maximum of mining powerof selfish miner is 04 and it is running randomly from00 through 04 within 14 days in the simulation as shownin Figure 11 There are 12 nodes of dishonest miners withdifferent mining power from 00 to 04 We set the maximumnumber of mining power at 04 of total mining power inthe network Based on the simulation result we concludethat whenever the dishonest miner has 0322 mining powerit is enough to get the unfair revenue and allows gainingthe revenue larger than it should be In general there are51 new blocks successfully added as well as 4 orphanedblocks recorded The average of block generation time is 772minutes

To the extent we obtained the information related to theparameters that affect the propagation time in the blockchainpeer-to-peer network based on our findings and the priorworks of literatureThere are numerous articles proposing theimprovement of propagation delays by changing the networktopology minimizing the verification time of a transaction

Wireless Communications and Mobile Computing 11

50

45

40

35

30

25

20

15

10

5

00 50 100 150 200 250 300 350

Block size (KB)

Tim

e (se

c)

25

50

75

Figure 10 Relationship between block size and the time

50

40

30

20

10

0

Bloc

k H

eigh

t

0 200000 400000 600000 800000 1000000 1200000

Time (s)

08

06

04

02

00

Rew

ard

000 005 010 015 020 025 030 035 040Mining Power

Figure 11 Block height against time in the P2P network (left) the performance of selfish mining attack (right)

and reconstructing the message exchange protocol in theblockchain network Generally speaking the presence ofhaving the propagation of delays can cause a lot of damagein the blockchain network [30 31]

There are many considerations to increase the effective-ness of the blockchainTherefore we select block propagationand block size parameters to be discussed as follows

(i) Speeding up the block generation In theory it would beremarkably beneficial if the block generation time isresetting as fast as possible for each transaction so thateach user will get faster payments The propagationtime includes the length of time for the distributionof transactions in the peer-to-peer network and thetime for verification of a block But the problem isthat if the block generation time is speeding up there

will be a lot of orphaned blocks It can be understoodbecause each node will receive many new blocks thatare spread through peer-to-peer networks The tie-breaking protocol causes each node to only acceptone valid block for the same type of transaction sothat it will reject transactions from other nodes thatcause the orphaned block to appear Due to manynew orphaned blocks that will emerge it will motivaterational miners to adopt the selfish mining strategythat rivals the main network and causes the forkedchain [32]

(ii) Decrease block generation Slowing down the blockgeneration time for each transaction will reduce thespeed of transactions on the peer-to-peer networkPositively it gives some merits such as providing a

12 Wireless Communications and Mobile Computing

better security system Roughly this happens due toa decreasing number of orphaned blocks that willeliminate the selfish mining attack

(iii) Increasing the block size The bigger the capacity of ablock the more the transactions that can be filled upinto the block It will slow the propagation of everytransaction to all nodes in the peer-to-peer networkThe slow propagation time will cause new problemsnamely double-spending attack Attacker could usethe same coin for two or more different transactionsSlower propagation of blocks on the peer-to-peernetwork resulted in the fact that the block cannot befully accepted by the nodes As a result when thetransaction is received the block will confirm thatthe block is valid even though the transaction hasbeen used and confirmed by other nodes in the samenetwork

(iv) Reducing the capacity of block size Because of onlya few transactions that occur within a block it willspeed up the propagation time for every transactionIt causes many orphaned blocks to emerge and allowfor the occurrence of selfish mining attacks that harmthe system Yet this decision gives the advantagessuch as fast payments and fast transaction Howeverit should ensure the immutability of the block andtransaction [33]

5 Limited and Future Work

We assume that shared storage is interconnected to ablockchain network where miners have access into it Interms of the type of shared storage we do not define itin detail instead we assume the shared storage has all thecapacity needed to support the proposed system One ofthe drawbacks of our system is related to the time neededby the recipient to find data in shared storage because therecipient must seek for data one by one based on the keyview so that the patient observes each transaction in theblockchain In the long run this might become an obstacleif the blockchain network is expanding There will be manytransactions occurring so that it will be difficult for therecipient to monitor every transaction which belongs tohimher

For future work the model and capacity of shared storageneed to be observed further The access control in the sharedstorage is also essential to ensure that system keeps safeIncentive mechanisms also need to be considered for thestorage providers It aims to motivate providers to contributeto protecting the privacy of the users as suggested by [34ndash36]Furthermore it is important to carefully consider the typeof block to be used including parameters directly involvedin the system such as block size and type of consensus toname a few Additionally the consensus selection mecha-nism is paramount in the blockchain For instance a newmethod by expanding the Byzantine consensus via hardware-assisted secret sharing can solve the scalability problem in theblockchain [37]

6 Conclusions

The model of privacy in the blockchain peer-to-peer sharedstorage has been fully presented The idea of ring signaturecombined with several protocols provides the solutions forprivacy issues on the blockchain transaction The identityof the sender and the recipient remains hidden unlinkableand untraceable from the observer The key image is attachedto prevent the same data from being stored multiple timesand it can be used as well to prevent double spending anddata duplication Based on our findings and informationfrom several literature reviews it can be said that increasingthe performance of the decentralized blockchain requires avery deep analysis since it is directly related to the securityThere are advantages and drawbacks for each decision takenFor future work a scheme that provides incentives needs tobe developed as a motivation to maintain the decentralizedsystem

Data Availability

No data were used to support this study

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This research was supported by the MSIT (Ministry ofScience and ICT) Korea under the ITRC (InformationTechnology Research Center) support program (IITP-2019-0-00403) supervised by the IITP (Institute for Informationamp Communications Technology Planning amp Evaluation) andpartially supported by the National Research Foundation ofKorea (NRF) grant funded by the Korea government (MSIT)(No NRF-2018R1D1A1B07048944)

References

[1] G Karame and E Androulaki Bitcoin and Blockchain SecurityArtech House Information Security and Privacy Series 2016

[2] R J Krawiec D Housman M White et al ldquoBlockchainOpportunities for health carerdquo in Proceedings of the NISTWorkshop Blockchain Healthcare pp 1ndash16 2016

[3] D E OrsquoLeary ldquoConfiguring blockchain architectures for trans-action information in blockchain consortiums The case ofaccounting and supply chain systemsrdquo Intelligent Systems inAccounting Finance and Management vol 24 no 4 pp 138ndash147 2017

[4] D Yang J Gavigan and ZWHearn ldquoSurvey of Confidentialityand Privacy Preserving Technologies for Blockchainsrdquo R3 pp1ndash32 2016

[5] HKoppDModinger FHauck F Kargl andC Bosch ldquoDesignof a privacy-preserving decentralized file storage with financialincentivesrdquo in Proceedings of the 2nd IEEE European Symposiumon Security and PrivacyWorkshops EuroS and PW 2017 pp 14ndash22 April 2017

Wireless Communications and Mobile Computing 13

[6] TW Clarke I Sandberg OWiley and B Hong ldquoA distributedanonymous information storage and retrieval systemrdquo Journalof Chemical Information and Modeling vol 53 no 9 pp 1689ndash1699 2001

[7] E Heilman L AlShenibr F Baldimtsi A Scafuro and SGoldberg ldquoTumbleBit an untrusted bitcoin-compatible anony-mous payment hubrdquo in Proceedings of the 2017 Network andDistributed System Security Symposium 2017

[8] S Wu Y Chen QWang M Li C Wang and X Luo ldquoCReama smart contract enabled collusion-resistant e-auctionrdquo IEEETransactions on Information Forensics 2018

[9] J Benet and N Greco ldquoFilecoin A Decentralized StorageNetworkrdquo Protoc Labs 2018

[10] S Wilkinson T Boshevski J Brandoff and V Buterin ldquoStorj apeer-to-peer cloud storage networkrdquo Technical report storjio2014

[11] B Fisch ldquoPoreps Proofs of space on useful datardquo Report2018678 Cryptology ePrint Archive 2018

[12] S Rahmadika and K Rhee ldquoBlockchain technology for pro-viding an architecture model of decentralized personal healthinformationrdquo International Journal of Engineering BusinessManagement vol 10 pp 1ndash12 2018

[13] R L Rivest A Shamir and Y Tauman ldquoHow to leak a secretrdquoin International Conference on the Theory and Application ofCryptology and Information Security vol 2248 of Lecture Notesin Comput Sci pp 552ndash565 Springer

[14] D Chaum E van Heyst and C Science ldquoGroup Signaturesrdquo inAdv CryptologymdashEUROCRYPTrsquo91 vol iii pp 257ndash265 1991

[15] N Van Saberhagen ldquoCryptoNote v 20rdquo Self-published pp 1ndash202013

[16] S Noether A Mackenzie and T M Research Lab ldquoRingconfidential transactionsrdquo Ledger vol 1 pp 1ndash8 2016

[17] E Gallery and C J Mitchell ldquoTrusted computing Security andapplicationsrdquo Cryptologia vol 33 no 3 pp 217ndash245 2009

[18] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976

[19] A A Korba M Nafaa and S Ghanemi ldquoAn efficient intrusiondetection and prevention framework for ad hoc networksrdquoInformation and Computer Security vol 24 no 4 pp 298ndash3252016

[20] S Rahmadika P H Rusmin H Hindersah and K H RheeldquoProviding data integrity for container dwelling time in the sea-portrdquo in Proceedings of the 6th International Annual EngineeringSeminar InAES 2016 pp 132ndash137 Indonesia August 2016

[21] K Schmidt-Samoa ldquoA new rabin-type trapdoor permutationequivalent to factoringrdquo Electronic Notes in Theoretical Com-puter Science vol 157 no 3 pp 79ndash94 2006

[22] A Bender J Katz and R Morselli ldquoRing signatures strongerdefinitions and constructions without randomoraclesrdquo Journalof Cryptology The Journal of the International Association forCryptologic Research vol 22 no 1 pp 114ndash138 2009

[23] K Lee andAMiller ldquoAuthenticateddata structures for privacy-preserving monero light clientsrdquo in Proceedings of the 3rd IEEEEuropean Symposium on Security and PrivacyWorkshops EUROS and PW 2018 April 2018

[24] R Schollmeier ldquoA definition of peer-to-peer networking for theclassification of peer-to-peer architectures and applicationsrdquo inProceedings of the 1st International Conference on Peer-to-PeerComputing P2P 2001 pp 101-102 August 2001

[25] Y Sompolinsky and A Zohar ldquoAccelerating bitcoins trans-action processing fast money grows on trees not chainsrdquoEprintIacrOrg 2014

[26] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo Lecture Notes in Computer Science (includingsubseries LectureNotes in Artificial Intelligence and LectureNotesin Bioinformatics) Preface vol 8437 pp 436ndash454 2014

[27] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfishmining strategies in bitcoinrdquo in Financial Cryptography andData Security vol 9603 of Lecture Notes in Computer Sciencepp 515ndash532 Springer Berlin Germany 2017

[28] E Heilman ldquoOne weird trick to stop selfish miners freshbitcoins a solution for the honest miner (poster abstract)rdquo inLecture Notes in Computer Science (including subseries LectureNotes in Artificial Intelligence and Lecture Notes in Bioinformat-ics) Preface vol 8438 pp 161-162 2014

[29] S Rahmadika B J Kweka H Kim and K Rhee ldquoA scopingreview in defend against selfish mining attack in bitcoinrdquo ITConverg Pract vol 6 no 3 pp 18ndash26 2018

[30] AGervais H Ritzdorf GO Karame and S Capkun ldquoTamper-ing with the delivery of blocks and transactions in bitcoinrdquo inProceedings of the the 22nd ACM SIGSAC Conference pp 692ndash705 Denver Colo USA October 2015

[31] A Gervais G O Karame K Wust V Glykantzis H Ritzdorfand S Capkun ldquoOn the security and performance of Proof ofWork blockchainsrdquo in Proceedings of the 23rd ACM Conferenceon Computer and Communications Security CCS 2016 pp 3ndash16October 2016

[32] D T T Anh M Zhang B C Ooi and G Chen ldquoUntanglingblockchain a data processing view of blockchain systemsrdquo IEEETransactions on Knowledge and Data Engineering 2018

[33] D Mendez Mena I Papapanagiotou and B Yang ldquoInternet ofthings survey on securityrdquo Information Security Journal vol 27no 3 pp 162ndash182 2018

[34] O Ersoy Z Ren Z Erkin and R L Lagendijk ldquoTransac-tion propagation on permissionless blockchains incentive androuting mechanismsrdquo in Proceedings of the 2018 Crypto ValleyConference on Blockchain Technology (CVCBT) pp 20ndash30 June2018

[35] Y He H Li X Cheng Y Liu C Yang and L Sun ldquoAblockchain based truthful incentive mechanism for distributedP2P applicationsrdquo IEEE Access vol 6 pp 27324ndash27335 2018

[36] J Wang M Li Y He H Li K Xiao and C Wang ldquoAblockchain based privacy-preserving incentive mechanism incrowdsensing applicationsrdquo IEEE Access vol 6 pp 17545ndash17556 2018

[37] J Liu W Li G O Karame and N Asokan ldquoScalable Byzantineconsensus via hardware-assisted secret sharingrdquo Institute ofElectrical and Electronics Engineers Transactions on Computersvol 68 no 1 pp 139ndash151 2019

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

Page 9: Toward Privacy-Preserving Shared Storage in Untrusted ...downloads.hindawi.com/journals/wcmc/2019/6219868.pdf · WirelessCommunicationsandMobileComputing y r =g r(x r) Z = V E k E

Wireless Communications and Mobile Computing 9

1 Procedure 119878ℎ119886119903119890119889 1198781199051199001199031198861198921198902 Trapdoor Function (parent keys) lowasttrapdoor permutation function eg RSA Rabin3 119875119886119905119894119890119899119905 larr997888 ℎ119886119904ℎ(119875119906119887120572 119875119903120572)4 119867119900119904119901119894119905119886119897 larr997888 ℎ119886119904ℎ(119875119906119887120573 119875119903120573) lowastforallparty has parent keys5 119862ℎ119894119903119900119901119903119886119888119905119900119903 larr997888 ℎ119886119904ℎ(119875119906119887120574 119875119903120574)6 119862119897119888119875119904119910119888ℎ119900119897119900119892119894119904119905 larr997888 ℎ119886119904ℎ(119875119906119887120575 119875119903120575)7 119873119886119905119894119900119899119886119897119875119903119900V119894119889119890119903 larr997888 ℎ119886119904ℎ(11987511990611988713 11987511990313)8 119878119900119888119894119886119897 119888119886119903119890 larr997888 ℎ119886119904ℎ(119875119906119887 119875119903)9 119871119886119887119900119903119886119905119900119903119894119890119904 larr997888 ℎ119886119904ℎ(119875119906119887 119875119903)10The sender creates a group of ring signature11 Procedure 119880119904119890 119875119906119887119897119894119888 119870119890119910 forall 119901119886119903119905119894119890119904 isin 119901119886119903119890119899119905119896119890119910119904 lowastuse public key of the parties as an input12 Create RS13 119877119904119892119899 larr997888 119892120572(119909120572) oplus 119892120573(119909120573) oplus 119892120574(119909120574) oplus oplus 119892119899+1(119909119899+1)14 AddNewMembers lowastin case add new members15 119880119901119889119886119905119890 119877119904119892119899 larr997888 119866119890119905 119873119890119908119875119906119887119896119890119910 oplus 119875119906119887119870119890119910(119899+1)16 end procedure17 Procedure 119862119903119890119886119905119890 119878119905119890119886119897119905ℎ119860119889119889119903(119887119910119877119890119888119894119901119894119890119899119905) lowastthe recipient creates stealth address18 119875119886119903119890119899119905119870119890119910 119875119906119887119870119890119910119899 997888rarr 119875119906119887119870119890119910119899(119860119899 119861119899)19 119878119890119899119889(119860119899) 997888rarr 119905119900 119904119890119899119889119890119903 (V119894119886 119878119890119888119906119903119890119862ℎ119886119899119899119890119897)20 (119860119899 119861119899)119903119890119888119890119894V119890119889 997888rarr 119862119903119890119886119905119890 119873119890119908 119874119879119875 lowastsender creates new OTP for recipient21 end procedure22 Procedure 119862119900119899119891119894119889119890119899119905119894119886119897 119877119894119899119892 119878119894119892119899119886119905119906119903119890 lowastconfidential ring signature as an option23 119894119891 forall119905119909119904 119861119862 119906119904119890 119862119877119878 119905ℎ119890119899 119903119890119905119906119903119899 True24 119873119890119908119881119886119897119906119890 larr997888 119862119906119903119903119890119899119905119881119886119897119906119890 oplus 119875119903119890V11988111988611989711990611989025 119868119899119888119897119906119889119890 119905119900 119905ℎ119890 119899119890119908 119905119909 larr997888 11987311989011990811988111988611989711990611989026 119890119897119904119890119903119890119905119906119903119899 False27 end procedure28 Procedure 119878119894119892119899 119905ℎ119890 119875119867119868 119863119886119905119886(119872119904119892) lowastin this case the PHI data is from the hospital29 119866119890119905 119872119904119892 isin 119863119894119886119892119899119900119904119894119904 119863119886119905119886(119867119900119904119901119894119905119886119897)30 119878119894119892119899 120590 larr997888 119888ℎ119900119900119904119890 119904119894119892119899119890119903 isin 11987711990411989211989931 119877119894119899119892119862119879larr997888 119888ℎ119900119900119904119890 119901119903119890V 119905119909119904 isin 11986211987711987832 119872119904119892 larr997888 119886119905119905119886119888ℎ11989011988910158401198701198901199101198681198981198861198921198901015840 lowastKeyImage to prevent storing the same data33 119862119906119903119903119872119904119892 larr997888 119878119894119892119899 120590 119877119894119899119892119862119879 11987011989011991011986811989811988611989211989034 end procedure35 Procedure 119878119890119899119889 119905119900 119861119897119900119888119896119888ℎ119886119894119899 11987311989011990511990811990011990311989636 119866119890119905 119862119906119903119903119872119904119892 oplus 119874119879119875(119891119903119900119898 119878119905119890119886119897119905ℎ119860119889119889119903)37 119878119890119899119889 119905119900 119887119897119900119888119896119888ℎ119886119894119899 11989911989011990511990811990011990311989638 119882119886119894119905 1198981198941198991198901199031015840119904 11988811990011989911989111989411990311989811988611990511989411990011989939 119894119891 119862119906119903119903119872119904119892 119894119904 V119886119897119894119889 119905ℎ119890119899 119903119890119905119906119903119899 True lowasttransaction is success40 119860119889119889 119899119890119908119861119897119900119888119896 119905119900 119861119862 11989911989011990511990811990011990311989641 119860119889119889119862119906119903119903119872119904119892 997888rarr 119878ℎ119886119903119890119889 11987811990511990011990311988611989211989042 119890119897119904119890119903119890119905119906119903119899 False43 End

Algorithm 1 Shared Storage of PHI Data

address received Only patients can access data storedin shared storage by using his knowledge 119875119903120572(119886120572 119887120572)

119874119879119875 = 119867119904 (119903119860120572) 119866 + 119861120572 (8)

(v) The sender unpacks the address received which con-tains the public address of the recipient 119875119906119887120572(119860120572 119861120572)The sender picks the random value 119903 isin [1 119897 minus 1] togenerate one-time public key and attaches119861120572 as a viewaddress in the shared storage

(vi) For certain types of data the sender can use confiden-tial ring signatures (RingCT) to disguise informationof the data by adding value to transactions that have

occurred before such as 119877119862119879120573 = 119905119909119894119889(3) 119905119909119894119889(7) 119905119909119894119889(5) 119905119909119894119889(9) 119905119909119894119889(119899)

(vii) The hospital signs the diagnosis data 119898119904119892 usingthe member key from the ring signature asfollows 119878119894119892119899120590(119898119904119892 119910120572 119910120573 119910120574 119910120575 11991013 119910 119910 119910119899)which consists of the public keys of the members119875119906119887120572 119875119906119887120573 119875119906119887120574 119875119906119887120575 11987511990611988713 119875119906119887 and 119875119906119887

(viii) Key image is attached by the sender to prevent doublespending It can be interpreted as a scheme to preventthe same data stored twice in blockchain storageThe hospital sends the following series of data tothe blockchain network to be confirmed by miners119878119894119892119899 120590 119898119904119892 119874119879119875 119877119894119899119892119862119879 119896119890119910119894119898119886119892119890

10 Wireless Communications and Mobile Computing

(ix) The diagnosis data from the hospital along withattachments of the files are then sent to the blockchainnetwork to be verified by the miners before thedata are stored in a decentralized shared storageWhenever the data has been stored successfully thepatient traces one by one the transaction on theblockchain network until the patient finds hisherview keys 119861119899 which correspond to the patient

(x) The patient with hisher knowledge decrypts andcompares the value of the data received with thedecrypted value 119886120572119877 = 119886120572119903119866 = 119903119860120572 1198751015840 = 119875

The Algorithm 1 presents an overall model of the systemwhich starts with generating key pairs for the parties creatinga ring signature group and stealth addresses signing PHIdata until data are confirmed and stored in the decentralizedshared storage The observer is unlikely to track the senderrsquostransaction since the sender uses a signature on behalf ofa group in which the senders signature is obscured Fur-thermore the observer cannot associate one transaction withanother so it is indistinguishable whether the transactionwas sent by the same sender In other words the identityof the sender remains a secret Likewise the identity of therecipient cannot be tracked by the observer nor maliciousproviders because the recipient sends the stealth address tothe sender thereafter the sender creates a one-time addressto protect the privacy of the recipient The value of a PHI datais kept from being seen because it is combined with the valueof previous transactions through the RingCT The identityof the user along with the information of the transactionson the blockchain network is paramount therefore thedecentralized shared storage systems need to manage theconfidentiality as well as ensure the integrity of the PHI data

Apart from the model that has been described there isanother important factor which plays the role to a decen-tralized system called transaction propagation A numer-ous number of transactions are distributed to the entirenodes in the blockchain peer-to-peer network resulting inpropagation delay The structure of a P2P network allowsthe peer to disseminate information to the other nodesthat are connected to the sender [24] There are severalstudies conducted by researchers to measure how effectivethe block distribution in the peer-to-peer networks such asexperiments in which the goal is to find out the numberof successful connections and experiments to determine theeffect of the number of nodes against the block

One among parameters that affect transaction propa-gation is block size Block size can be understood as themaximum limit of a block to be filled up with varioustransactions on it It also can be thought of as a bundleof transactions with each block needing to get verificationbefore it can be accepted by the network Each block hasits own size depending on the type of transaction called theblock sizeThemaximum block size in Bitcoin stands at 1MBMiners enable to choose the number of transactions to beprocessed in a block If Bitcoin miners commit a transactionthat exceeds the maximum limit then the block will berejected by the network The motivation of block size is toprevent the attack such as denial-of-service attacks The size

of a block also affects the length of confirmation time Whena node receives a new transaction the recipient confirms thevalidity of the block before accepting it The duration of theconfirmation process depends on the size of the block Bydesign the larger the size of a block is the longer it takesto confirm Therefore the size of a block plays an importantrole in the blockchain in general because it directly affects thedelay time

Propagation delay is inseparable from the size of a blockThere is a correlation between block size and the propagationdelay until the node receives the blockThe larger the size of ablock themore transactions that can be done yet it affects thepropagation time and sacrifice the security The influence ofa block size to the propagation time can be seen in Figure 10[25] The block size in the transaction is varied up to 350 KBin order to find out how long it takes for the node to receivethe block To reach 25 of total transaction is visualized witha red line 50 for the green line and 75 for the blue lineThe results are in line with the theory which states the largerthe size of a block the greater the propagation time

We take measurements for orphaned blocks by followingthe withholding attack (selfish mining) strategy that was firstdiscovered in 2014 In this study we do not elaborate onthe details of withholding attack strategy we recommendthat readers refer to the references [26ndash28] The intuitionof this attack is to keep the finding block secret untilthe attackers network becomes the longest chain in theblockchain network For a particular condition this attackdoes not possess any benefit because the block is stored inthe attackers network which is only known by the attacker(nonprofit) The attackers get the reward if only the blockfound is propagated to the public and get confirmed by otherminers

The simulation is carried out in order to know theperformance of dishonest miners which follow the selfishmining protocol The aims of this strategy are to discoverthe new block till becoming the longest chain and gainingthe revenue after publishing the block to the public network[29] In our setting we arrange the selfish miners to competewith honest miners in 14 days to solve the proof-of-workand discover the new block The maximum of mining powerof selfish miner is 04 and it is running randomly from00 through 04 within 14 days in the simulation as shownin Figure 11 There are 12 nodes of dishonest miners withdifferent mining power from 00 to 04 We set the maximumnumber of mining power at 04 of total mining power inthe network Based on the simulation result we concludethat whenever the dishonest miner has 0322 mining powerit is enough to get the unfair revenue and allows gainingthe revenue larger than it should be In general there are51 new blocks successfully added as well as 4 orphanedblocks recorded The average of block generation time is 772minutes

To the extent we obtained the information related to theparameters that affect the propagation time in the blockchainpeer-to-peer network based on our findings and the priorworks of literatureThere are numerous articles proposing theimprovement of propagation delays by changing the networktopology minimizing the verification time of a transaction

Wireless Communications and Mobile Computing 11

50

45

40

35

30

25

20

15

10

5

00 50 100 150 200 250 300 350

Block size (KB)

Tim

e (se

c)

25

50

75

Figure 10 Relationship between block size and the time

50

40

30

20

10

0

Bloc

k H

eigh

t

0 200000 400000 600000 800000 1000000 1200000

Time (s)

08

06

04

02

00

Rew

ard

000 005 010 015 020 025 030 035 040Mining Power

Figure 11 Block height against time in the P2P network (left) the performance of selfish mining attack (right)

and reconstructing the message exchange protocol in theblockchain network Generally speaking the presence ofhaving the propagation of delays can cause a lot of damagein the blockchain network [30 31]

There are many considerations to increase the effective-ness of the blockchainTherefore we select block propagationand block size parameters to be discussed as follows

(i) Speeding up the block generation In theory it would beremarkably beneficial if the block generation time isresetting as fast as possible for each transaction so thateach user will get faster payments The propagationtime includes the length of time for the distributionof transactions in the peer-to-peer network and thetime for verification of a block But the problem isthat if the block generation time is speeding up there

will be a lot of orphaned blocks It can be understoodbecause each node will receive many new blocks thatare spread through peer-to-peer networks The tie-breaking protocol causes each node to only acceptone valid block for the same type of transaction sothat it will reject transactions from other nodes thatcause the orphaned block to appear Due to manynew orphaned blocks that will emerge it will motivaterational miners to adopt the selfish mining strategythat rivals the main network and causes the forkedchain [32]

(ii) Decrease block generation Slowing down the blockgeneration time for each transaction will reduce thespeed of transactions on the peer-to-peer networkPositively it gives some merits such as providing a

12 Wireless Communications and Mobile Computing

better security system Roughly this happens due toa decreasing number of orphaned blocks that willeliminate the selfish mining attack

(iii) Increasing the block size The bigger the capacity of ablock the more the transactions that can be filled upinto the block It will slow the propagation of everytransaction to all nodes in the peer-to-peer networkThe slow propagation time will cause new problemsnamely double-spending attack Attacker could usethe same coin for two or more different transactionsSlower propagation of blocks on the peer-to-peernetwork resulted in the fact that the block cannot befully accepted by the nodes As a result when thetransaction is received the block will confirm thatthe block is valid even though the transaction hasbeen used and confirmed by other nodes in the samenetwork

(iv) Reducing the capacity of block size Because of onlya few transactions that occur within a block it willspeed up the propagation time for every transactionIt causes many orphaned blocks to emerge and allowfor the occurrence of selfish mining attacks that harmthe system Yet this decision gives the advantagessuch as fast payments and fast transaction Howeverit should ensure the immutability of the block andtransaction [33]

5 Limited and Future Work

We assume that shared storage is interconnected to ablockchain network where miners have access into it Interms of the type of shared storage we do not define itin detail instead we assume the shared storage has all thecapacity needed to support the proposed system One ofthe drawbacks of our system is related to the time neededby the recipient to find data in shared storage because therecipient must seek for data one by one based on the keyview so that the patient observes each transaction in theblockchain In the long run this might become an obstacleif the blockchain network is expanding There will be manytransactions occurring so that it will be difficult for therecipient to monitor every transaction which belongs tohimher

For future work the model and capacity of shared storageneed to be observed further The access control in the sharedstorage is also essential to ensure that system keeps safeIncentive mechanisms also need to be considered for thestorage providers It aims to motivate providers to contributeto protecting the privacy of the users as suggested by [34ndash36]Furthermore it is important to carefully consider the typeof block to be used including parameters directly involvedin the system such as block size and type of consensus toname a few Additionally the consensus selection mecha-nism is paramount in the blockchain For instance a newmethod by expanding the Byzantine consensus via hardware-assisted secret sharing can solve the scalability problem in theblockchain [37]

6 Conclusions

The model of privacy in the blockchain peer-to-peer sharedstorage has been fully presented The idea of ring signaturecombined with several protocols provides the solutions forprivacy issues on the blockchain transaction The identityof the sender and the recipient remains hidden unlinkableand untraceable from the observer The key image is attachedto prevent the same data from being stored multiple timesand it can be used as well to prevent double spending anddata duplication Based on our findings and informationfrom several literature reviews it can be said that increasingthe performance of the decentralized blockchain requires avery deep analysis since it is directly related to the securityThere are advantages and drawbacks for each decision takenFor future work a scheme that provides incentives needs tobe developed as a motivation to maintain the decentralizedsystem

Data Availability

No data were used to support this study

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This research was supported by the MSIT (Ministry ofScience and ICT) Korea under the ITRC (InformationTechnology Research Center) support program (IITP-2019-0-00403) supervised by the IITP (Institute for Informationamp Communications Technology Planning amp Evaluation) andpartially supported by the National Research Foundation ofKorea (NRF) grant funded by the Korea government (MSIT)(No NRF-2018R1D1A1B07048944)

References

[1] G Karame and E Androulaki Bitcoin and Blockchain SecurityArtech House Information Security and Privacy Series 2016

[2] R J Krawiec D Housman M White et al ldquoBlockchainOpportunities for health carerdquo in Proceedings of the NISTWorkshop Blockchain Healthcare pp 1ndash16 2016

[3] D E OrsquoLeary ldquoConfiguring blockchain architectures for trans-action information in blockchain consortiums The case ofaccounting and supply chain systemsrdquo Intelligent Systems inAccounting Finance and Management vol 24 no 4 pp 138ndash147 2017

[4] D Yang J Gavigan and ZWHearn ldquoSurvey of Confidentialityand Privacy Preserving Technologies for Blockchainsrdquo R3 pp1ndash32 2016

[5] HKoppDModinger FHauck F Kargl andC Bosch ldquoDesignof a privacy-preserving decentralized file storage with financialincentivesrdquo in Proceedings of the 2nd IEEE European Symposiumon Security and PrivacyWorkshops EuroS and PW 2017 pp 14ndash22 April 2017

Wireless Communications and Mobile Computing 13

[6] TW Clarke I Sandberg OWiley and B Hong ldquoA distributedanonymous information storage and retrieval systemrdquo Journalof Chemical Information and Modeling vol 53 no 9 pp 1689ndash1699 2001

[7] E Heilman L AlShenibr F Baldimtsi A Scafuro and SGoldberg ldquoTumbleBit an untrusted bitcoin-compatible anony-mous payment hubrdquo in Proceedings of the 2017 Network andDistributed System Security Symposium 2017

[8] S Wu Y Chen QWang M Li C Wang and X Luo ldquoCReama smart contract enabled collusion-resistant e-auctionrdquo IEEETransactions on Information Forensics 2018

[9] J Benet and N Greco ldquoFilecoin A Decentralized StorageNetworkrdquo Protoc Labs 2018

[10] S Wilkinson T Boshevski J Brandoff and V Buterin ldquoStorj apeer-to-peer cloud storage networkrdquo Technical report storjio2014

[11] B Fisch ldquoPoreps Proofs of space on useful datardquo Report2018678 Cryptology ePrint Archive 2018

[12] S Rahmadika and K Rhee ldquoBlockchain technology for pro-viding an architecture model of decentralized personal healthinformationrdquo International Journal of Engineering BusinessManagement vol 10 pp 1ndash12 2018

[13] R L Rivest A Shamir and Y Tauman ldquoHow to leak a secretrdquoin International Conference on the Theory and Application ofCryptology and Information Security vol 2248 of Lecture Notesin Comput Sci pp 552ndash565 Springer

[14] D Chaum E van Heyst and C Science ldquoGroup Signaturesrdquo inAdv CryptologymdashEUROCRYPTrsquo91 vol iii pp 257ndash265 1991

[15] N Van Saberhagen ldquoCryptoNote v 20rdquo Self-published pp 1ndash202013

[16] S Noether A Mackenzie and T M Research Lab ldquoRingconfidential transactionsrdquo Ledger vol 1 pp 1ndash8 2016

[17] E Gallery and C J Mitchell ldquoTrusted computing Security andapplicationsrdquo Cryptologia vol 33 no 3 pp 217ndash245 2009

[18] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976

[19] A A Korba M Nafaa and S Ghanemi ldquoAn efficient intrusiondetection and prevention framework for ad hoc networksrdquoInformation and Computer Security vol 24 no 4 pp 298ndash3252016

[20] S Rahmadika P H Rusmin H Hindersah and K H RheeldquoProviding data integrity for container dwelling time in the sea-portrdquo in Proceedings of the 6th International Annual EngineeringSeminar InAES 2016 pp 132ndash137 Indonesia August 2016

[21] K Schmidt-Samoa ldquoA new rabin-type trapdoor permutationequivalent to factoringrdquo Electronic Notes in Theoretical Com-puter Science vol 157 no 3 pp 79ndash94 2006

[22] A Bender J Katz and R Morselli ldquoRing signatures strongerdefinitions and constructions without randomoraclesrdquo Journalof Cryptology The Journal of the International Association forCryptologic Research vol 22 no 1 pp 114ndash138 2009

[23] K Lee andAMiller ldquoAuthenticateddata structures for privacy-preserving monero light clientsrdquo in Proceedings of the 3rd IEEEEuropean Symposium on Security and PrivacyWorkshops EUROS and PW 2018 April 2018

[24] R Schollmeier ldquoA definition of peer-to-peer networking for theclassification of peer-to-peer architectures and applicationsrdquo inProceedings of the 1st International Conference on Peer-to-PeerComputing P2P 2001 pp 101-102 August 2001

[25] Y Sompolinsky and A Zohar ldquoAccelerating bitcoins trans-action processing fast money grows on trees not chainsrdquoEprintIacrOrg 2014

[26] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo Lecture Notes in Computer Science (includingsubseries LectureNotes in Artificial Intelligence and LectureNotesin Bioinformatics) Preface vol 8437 pp 436ndash454 2014

[27] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfishmining strategies in bitcoinrdquo in Financial Cryptography andData Security vol 9603 of Lecture Notes in Computer Sciencepp 515ndash532 Springer Berlin Germany 2017

[28] E Heilman ldquoOne weird trick to stop selfish miners freshbitcoins a solution for the honest miner (poster abstract)rdquo inLecture Notes in Computer Science (including subseries LectureNotes in Artificial Intelligence and Lecture Notes in Bioinformat-ics) Preface vol 8438 pp 161-162 2014

[29] S Rahmadika B J Kweka H Kim and K Rhee ldquoA scopingreview in defend against selfish mining attack in bitcoinrdquo ITConverg Pract vol 6 no 3 pp 18ndash26 2018

[30] AGervais H Ritzdorf GO Karame and S Capkun ldquoTamper-ing with the delivery of blocks and transactions in bitcoinrdquo inProceedings of the the 22nd ACM SIGSAC Conference pp 692ndash705 Denver Colo USA October 2015

[31] A Gervais G O Karame K Wust V Glykantzis H Ritzdorfand S Capkun ldquoOn the security and performance of Proof ofWork blockchainsrdquo in Proceedings of the 23rd ACM Conferenceon Computer and Communications Security CCS 2016 pp 3ndash16October 2016

[32] D T T Anh M Zhang B C Ooi and G Chen ldquoUntanglingblockchain a data processing view of blockchain systemsrdquo IEEETransactions on Knowledge and Data Engineering 2018

[33] D Mendez Mena I Papapanagiotou and B Yang ldquoInternet ofthings survey on securityrdquo Information Security Journal vol 27no 3 pp 162ndash182 2018

[34] O Ersoy Z Ren Z Erkin and R L Lagendijk ldquoTransac-tion propagation on permissionless blockchains incentive androuting mechanismsrdquo in Proceedings of the 2018 Crypto ValleyConference on Blockchain Technology (CVCBT) pp 20ndash30 June2018

[35] Y He H Li X Cheng Y Liu C Yang and L Sun ldquoAblockchain based truthful incentive mechanism for distributedP2P applicationsrdquo IEEE Access vol 6 pp 27324ndash27335 2018

[36] J Wang M Li Y He H Li K Xiao and C Wang ldquoAblockchain based privacy-preserving incentive mechanism incrowdsensing applicationsrdquo IEEE Access vol 6 pp 17545ndash17556 2018

[37] J Liu W Li G O Karame and N Asokan ldquoScalable Byzantineconsensus via hardware-assisted secret sharingrdquo Institute ofElectrical and Electronics Engineers Transactions on Computersvol 68 no 1 pp 139ndash151 2019

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

Page 10: Toward Privacy-Preserving Shared Storage in Untrusted ...downloads.hindawi.com/journals/wcmc/2019/6219868.pdf · WirelessCommunicationsandMobileComputing y r =g r(x r) Z = V E k E

10 Wireless Communications and Mobile Computing

(ix) The diagnosis data from the hospital along withattachments of the files are then sent to the blockchainnetwork to be verified by the miners before thedata are stored in a decentralized shared storageWhenever the data has been stored successfully thepatient traces one by one the transaction on theblockchain network until the patient finds hisherview keys 119861119899 which correspond to the patient

(x) The patient with hisher knowledge decrypts andcompares the value of the data received with thedecrypted value 119886120572119877 = 119886120572119903119866 = 119903119860120572 1198751015840 = 119875

The Algorithm 1 presents an overall model of the systemwhich starts with generating key pairs for the parties creatinga ring signature group and stealth addresses signing PHIdata until data are confirmed and stored in the decentralizedshared storage The observer is unlikely to track the senderrsquostransaction since the sender uses a signature on behalf ofa group in which the senders signature is obscured Fur-thermore the observer cannot associate one transaction withanother so it is indistinguishable whether the transactionwas sent by the same sender In other words the identityof the sender remains a secret Likewise the identity of therecipient cannot be tracked by the observer nor maliciousproviders because the recipient sends the stealth address tothe sender thereafter the sender creates a one-time addressto protect the privacy of the recipient The value of a PHI datais kept from being seen because it is combined with the valueof previous transactions through the RingCT The identityof the user along with the information of the transactionson the blockchain network is paramount therefore thedecentralized shared storage systems need to manage theconfidentiality as well as ensure the integrity of the PHI data

Apart from the model that has been described there isanother important factor which plays the role to a decen-tralized system called transaction propagation A numer-ous number of transactions are distributed to the entirenodes in the blockchain peer-to-peer network resulting inpropagation delay The structure of a P2P network allowsthe peer to disseminate information to the other nodesthat are connected to the sender [24] There are severalstudies conducted by researchers to measure how effectivethe block distribution in the peer-to-peer networks such asexperiments in which the goal is to find out the numberof successful connections and experiments to determine theeffect of the number of nodes against the block

One among parameters that affect transaction propa-gation is block size Block size can be understood as themaximum limit of a block to be filled up with varioustransactions on it It also can be thought of as a bundleof transactions with each block needing to get verificationbefore it can be accepted by the network Each block hasits own size depending on the type of transaction called theblock sizeThemaximum block size in Bitcoin stands at 1MBMiners enable to choose the number of transactions to beprocessed in a block If Bitcoin miners commit a transactionthat exceeds the maximum limit then the block will berejected by the network The motivation of block size is toprevent the attack such as denial-of-service attacks The size

of a block also affects the length of confirmation time Whena node receives a new transaction the recipient confirms thevalidity of the block before accepting it The duration of theconfirmation process depends on the size of the block Bydesign the larger the size of a block is the longer it takesto confirm Therefore the size of a block plays an importantrole in the blockchain in general because it directly affects thedelay time

Propagation delay is inseparable from the size of a blockThere is a correlation between block size and the propagationdelay until the node receives the blockThe larger the size of ablock themore transactions that can be done yet it affects thepropagation time and sacrifice the security The influence ofa block size to the propagation time can be seen in Figure 10[25] The block size in the transaction is varied up to 350 KBin order to find out how long it takes for the node to receivethe block To reach 25 of total transaction is visualized witha red line 50 for the green line and 75 for the blue lineThe results are in line with the theory which states the largerthe size of a block the greater the propagation time

We take measurements for orphaned blocks by followingthe withholding attack (selfish mining) strategy that was firstdiscovered in 2014 In this study we do not elaborate onthe details of withholding attack strategy we recommendthat readers refer to the references [26ndash28] The intuitionof this attack is to keep the finding block secret untilthe attackers network becomes the longest chain in theblockchain network For a particular condition this attackdoes not possess any benefit because the block is stored inthe attackers network which is only known by the attacker(nonprofit) The attackers get the reward if only the blockfound is propagated to the public and get confirmed by otherminers

The simulation is carried out in order to know theperformance of dishonest miners which follow the selfishmining protocol The aims of this strategy are to discoverthe new block till becoming the longest chain and gainingthe revenue after publishing the block to the public network[29] In our setting we arrange the selfish miners to competewith honest miners in 14 days to solve the proof-of-workand discover the new block The maximum of mining powerof selfish miner is 04 and it is running randomly from00 through 04 within 14 days in the simulation as shownin Figure 11 There are 12 nodes of dishonest miners withdifferent mining power from 00 to 04 We set the maximumnumber of mining power at 04 of total mining power inthe network Based on the simulation result we concludethat whenever the dishonest miner has 0322 mining powerit is enough to get the unfair revenue and allows gainingthe revenue larger than it should be In general there are51 new blocks successfully added as well as 4 orphanedblocks recorded The average of block generation time is 772minutes

To the extent we obtained the information related to theparameters that affect the propagation time in the blockchainpeer-to-peer network based on our findings and the priorworks of literatureThere are numerous articles proposing theimprovement of propagation delays by changing the networktopology minimizing the verification time of a transaction

Wireless Communications and Mobile Computing 11

50

45

40

35

30

25

20

15

10

5

00 50 100 150 200 250 300 350

Block size (KB)

Tim

e (se

c)

25

50

75

Figure 10 Relationship between block size and the time

50

40

30

20

10

0

Bloc

k H

eigh

t

0 200000 400000 600000 800000 1000000 1200000

Time (s)

08

06

04

02

00

Rew

ard

000 005 010 015 020 025 030 035 040Mining Power

Figure 11 Block height against time in the P2P network (left) the performance of selfish mining attack (right)

and reconstructing the message exchange protocol in theblockchain network Generally speaking the presence ofhaving the propagation of delays can cause a lot of damagein the blockchain network [30 31]

There are many considerations to increase the effective-ness of the blockchainTherefore we select block propagationand block size parameters to be discussed as follows

(i) Speeding up the block generation In theory it would beremarkably beneficial if the block generation time isresetting as fast as possible for each transaction so thateach user will get faster payments The propagationtime includes the length of time for the distributionof transactions in the peer-to-peer network and thetime for verification of a block But the problem isthat if the block generation time is speeding up there

will be a lot of orphaned blocks It can be understoodbecause each node will receive many new blocks thatare spread through peer-to-peer networks The tie-breaking protocol causes each node to only acceptone valid block for the same type of transaction sothat it will reject transactions from other nodes thatcause the orphaned block to appear Due to manynew orphaned blocks that will emerge it will motivaterational miners to adopt the selfish mining strategythat rivals the main network and causes the forkedchain [32]

(ii) Decrease block generation Slowing down the blockgeneration time for each transaction will reduce thespeed of transactions on the peer-to-peer networkPositively it gives some merits such as providing a

12 Wireless Communications and Mobile Computing

better security system Roughly this happens due toa decreasing number of orphaned blocks that willeliminate the selfish mining attack

(iii) Increasing the block size The bigger the capacity of ablock the more the transactions that can be filled upinto the block It will slow the propagation of everytransaction to all nodes in the peer-to-peer networkThe slow propagation time will cause new problemsnamely double-spending attack Attacker could usethe same coin for two or more different transactionsSlower propagation of blocks on the peer-to-peernetwork resulted in the fact that the block cannot befully accepted by the nodes As a result when thetransaction is received the block will confirm thatthe block is valid even though the transaction hasbeen used and confirmed by other nodes in the samenetwork

(iv) Reducing the capacity of block size Because of onlya few transactions that occur within a block it willspeed up the propagation time for every transactionIt causes many orphaned blocks to emerge and allowfor the occurrence of selfish mining attacks that harmthe system Yet this decision gives the advantagessuch as fast payments and fast transaction Howeverit should ensure the immutability of the block andtransaction [33]

5 Limited and Future Work

We assume that shared storage is interconnected to ablockchain network where miners have access into it Interms of the type of shared storage we do not define itin detail instead we assume the shared storage has all thecapacity needed to support the proposed system One ofthe drawbacks of our system is related to the time neededby the recipient to find data in shared storage because therecipient must seek for data one by one based on the keyview so that the patient observes each transaction in theblockchain In the long run this might become an obstacleif the blockchain network is expanding There will be manytransactions occurring so that it will be difficult for therecipient to monitor every transaction which belongs tohimher

For future work the model and capacity of shared storageneed to be observed further The access control in the sharedstorage is also essential to ensure that system keeps safeIncentive mechanisms also need to be considered for thestorage providers It aims to motivate providers to contributeto protecting the privacy of the users as suggested by [34ndash36]Furthermore it is important to carefully consider the typeof block to be used including parameters directly involvedin the system such as block size and type of consensus toname a few Additionally the consensus selection mecha-nism is paramount in the blockchain For instance a newmethod by expanding the Byzantine consensus via hardware-assisted secret sharing can solve the scalability problem in theblockchain [37]

6 Conclusions

The model of privacy in the blockchain peer-to-peer sharedstorage has been fully presented The idea of ring signaturecombined with several protocols provides the solutions forprivacy issues on the blockchain transaction The identityof the sender and the recipient remains hidden unlinkableand untraceable from the observer The key image is attachedto prevent the same data from being stored multiple timesand it can be used as well to prevent double spending anddata duplication Based on our findings and informationfrom several literature reviews it can be said that increasingthe performance of the decentralized blockchain requires avery deep analysis since it is directly related to the securityThere are advantages and drawbacks for each decision takenFor future work a scheme that provides incentives needs tobe developed as a motivation to maintain the decentralizedsystem

Data Availability

No data were used to support this study

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This research was supported by the MSIT (Ministry ofScience and ICT) Korea under the ITRC (InformationTechnology Research Center) support program (IITP-2019-0-00403) supervised by the IITP (Institute for Informationamp Communications Technology Planning amp Evaluation) andpartially supported by the National Research Foundation ofKorea (NRF) grant funded by the Korea government (MSIT)(No NRF-2018R1D1A1B07048944)

References

[1] G Karame and E Androulaki Bitcoin and Blockchain SecurityArtech House Information Security and Privacy Series 2016

[2] R J Krawiec D Housman M White et al ldquoBlockchainOpportunities for health carerdquo in Proceedings of the NISTWorkshop Blockchain Healthcare pp 1ndash16 2016

[3] D E OrsquoLeary ldquoConfiguring blockchain architectures for trans-action information in blockchain consortiums The case ofaccounting and supply chain systemsrdquo Intelligent Systems inAccounting Finance and Management vol 24 no 4 pp 138ndash147 2017

[4] D Yang J Gavigan and ZWHearn ldquoSurvey of Confidentialityand Privacy Preserving Technologies for Blockchainsrdquo R3 pp1ndash32 2016

[5] HKoppDModinger FHauck F Kargl andC Bosch ldquoDesignof a privacy-preserving decentralized file storage with financialincentivesrdquo in Proceedings of the 2nd IEEE European Symposiumon Security and PrivacyWorkshops EuroS and PW 2017 pp 14ndash22 April 2017

Wireless Communications and Mobile Computing 13

[6] TW Clarke I Sandberg OWiley and B Hong ldquoA distributedanonymous information storage and retrieval systemrdquo Journalof Chemical Information and Modeling vol 53 no 9 pp 1689ndash1699 2001

[7] E Heilman L AlShenibr F Baldimtsi A Scafuro and SGoldberg ldquoTumbleBit an untrusted bitcoin-compatible anony-mous payment hubrdquo in Proceedings of the 2017 Network andDistributed System Security Symposium 2017

[8] S Wu Y Chen QWang M Li C Wang and X Luo ldquoCReama smart contract enabled collusion-resistant e-auctionrdquo IEEETransactions on Information Forensics 2018

[9] J Benet and N Greco ldquoFilecoin A Decentralized StorageNetworkrdquo Protoc Labs 2018

[10] S Wilkinson T Boshevski J Brandoff and V Buterin ldquoStorj apeer-to-peer cloud storage networkrdquo Technical report storjio2014

[11] B Fisch ldquoPoreps Proofs of space on useful datardquo Report2018678 Cryptology ePrint Archive 2018

[12] S Rahmadika and K Rhee ldquoBlockchain technology for pro-viding an architecture model of decentralized personal healthinformationrdquo International Journal of Engineering BusinessManagement vol 10 pp 1ndash12 2018

[13] R L Rivest A Shamir and Y Tauman ldquoHow to leak a secretrdquoin International Conference on the Theory and Application ofCryptology and Information Security vol 2248 of Lecture Notesin Comput Sci pp 552ndash565 Springer

[14] D Chaum E van Heyst and C Science ldquoGroup Signaturesrdquo inAdv CryptologymdashEUROCRYPTrsquo91 vol iii pp 257ndash265 1991

[15] N Van Saberhagen ldquoCryptoNote v 20rdquo Self-published pp 1ndash202013

[16] S Noether A Mackenzie and T M Research Lab ldquoRingconfidential transactionsrdquo Ledger vol 1 pp 1ndash8 2016

[17] E Gallery and C J Mitchell ldquoTrusted computing Security andapplicationsrdquo Cryptologia vol 33 no 3 pp 217ndash245 2009

[18] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976

[19] A A Korba M Nafaa and S Ghanemi ldquoAn efficient intrusiondetection and prevention framework for ad hoc networksrdquoInformation and Computer Security vol 24 no 4 pp 298ndash3252016

[20] S Rahmadika P H Rusmin H Hindersah and K H RheeldquoProviding data integrity for container dwelling time in the sea-portrdquo in Proceedings of the 6th International Annual EngineeringSeminar InAES 2016 pp 132ndash137 Indonesia August 2016

[21] K Schmidt-Samoa ldquoA new rabin-type trapdoor permutationequivalent to factoringrdquo Electronic Notes in Theoretical Com-puter Science vol 157 no 3 pp 79ndash94 2006

[22] A Bender J Katz and R Morselli ldquoRing signatures strongerdefinitions and constructions without randomoraclesrdquo Journalof Cryptology The Journal of the International Association forCryptologic Research vol 22 no 1 pp 114ndash138 2009

[23] K Lee andAMiller ldquoAuthenticateddata structures for privacy-preserving monero light clientsrdquo in Proceedings of the 3rd IEEEEuropean Symposium on Security and PrivacyWorkshops EUROS and PW 2018 April 2018

[24] R Schollmeier ldquoA definition of peer-to-peer networking for theclassification of peer-to-peer architectures and applicationsrdquo inProceedings of the 1st International Conference on Peer-to-PeerComputing P2P 2001 pp 101-102 August 2001

[25] Y Sompolinsky and A Zohar ldquoAccelerating bitcoins trans-action processing fast money grows on trees not chainsrdquoEprintIacrOrg 2014

[26] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo Lecture Notes in Computer Science (includingsubseries LectureNotes in Artificial Intelligence and LectureNotesin Bioinformatics) Preface vol 8437 pp 436ndash454 2014

[27] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfishmining strategies in bitcoinrdquo in Financial Cryptography andData Security vol 9603 of Lecture Notes in Computer Sciencepp 515ndash532 Springer Berlin Germany 2017

[28] E Heilman ldquoOne weird trick to stop selfish miners freshbitcoins a solution for the honest miner (poster abstract)rdquo inLecture Notes in Computer Science (including subseries LectureNotes in Artificial Intelligence and Lecture Notes in Bioinformat-ics) Preface vol 8438 pp 161-162 2014

[29] S Rahmadika B J Kweka H Kim and K Rhee ldquoA scopingreview in defend against selfish mining attack in bitcoinrdquo ITConverg Pract vol 6 no 3 pp 18ndash26 2018

[30] AGervais H Ritzdorf GO Karame and S Capkun ldquoTamper-ing with the delivery of blocks and transactions in bitcoinrdquo inProceedings of the the 22nd ACM SIGSAC Conference pp 692ndash705 Denver Colo USA October 2015

[31] A Gervais G O Karame K Wust V Glykantzis H Ritzdorfand S Capkun ldquoOn the security and performance of Proof ofWork blockchainsrdquo in Proceedings of the 23rd ACM Conferenceon Computer and Communications Security CCS 2016 pp 3ndash16October 2016

[32] D T T Anh M Zhang B C Ooi and G Chen ldquoUntanglingblockchain a data processing view of blockchain systemsrdquo IEEETransactions on Knowledge and Data Engineering 2018

[33] D Mendez Mena I Papapanagiotou and B Yang ldquoInternet ofthings survey on securityrdquo Information Security Journal vol 27no 3 pp 162ndash182 2018

[34] O Ersoy Z Ren Z Erkin and R L Lagendijk ldquoTransac-tion propagation on permissionless blockchains incentive androuting mechanismsrdquo in Proceedings of the 2018 Crypto ValleyConference on Blockchain Technology (CVCBT) pp 20ndash30 June2018

[35] Y He H Li X Cheng Y Liu C Yang and L Sun ldquoAblockchain based truthful incentive mechanism for distributedP2P applicationsrdquo IEEE Access vol 6 pp 27324ndash27335 2018

[36] J Wang M Li Y He H Li K Xiao and C Wang ldquoAblockchain based privacy-preserving incentive mechanism incrowdsensing applicationsrdquo IEEE Access vol 6 pp 17545ndash17556 2018

[37] J Liu W Li G O Karame and N Asokan ldquoScalable Byzantineconsensus via hardware-assisted secret sharingrdquo Institute ofElectrical and Electronics Engineers Transactions on Computersvol 68 no 1 pp 139ndash151 2019

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

Page 11: Toward Privacy-Preserving Shared Storage in Untrusted ...downloads.hindawi.com/journals/wcmc/2019/6219868.pdf · WirelessCommunicationsandMobileComputing y r =g r(x r) Z = V E k E

Wireless Communications and Mobile Computing 11

50

45

40

35

30

25

20

15

10

5

00 50 100 150 200 250 300 350

Block size (KB)

Tim

e (se

c)

25

50

75

Figure 10 Relationship between block size and the time

50

40

30

20

10

0

Bloc

k H

eigh

t

0 200000 400000 600000 800000 1000000 1200000

Time (s)

08

06

04

02

00

Rew

ard

000 005 010 015 020 025 030 035 040Mining Power

Figure 11 Block height against time in the P2P network (left) the performance of selfish mining attack (right)

and reconstructing the message exchange protocol in theblockchain network Generally speaking the presence ofhaving the propagation of delays can cause a lot of damagein the blockchain network [30 31]

There are many considerations to increase the effective-ness of the blockchainTherefore we select block propagationand block size parameters to be discussed as follows

(i) Speeding up the block generation In theory it would beremarkably beneficial if the block generation time isresetting as fast as possible for each transaction so thateach user will get faster payments The propagationtime includes the length of time for the distributionof transactions in the peer-to-peer network and thetime for verification of a block But the problem isthat if the block generation time is speeding up there

will be a lot of orphaned blocks It can be understoodbecause each node will receive many new blocks thatare spread through peer-to-peer networks The tie-breaking protocol causes each node to only acceptone valid block for the same type of transaction sothat it will reject transactions from other nodes thatcause the orphaned block to appear Due to manynew orphaned blocks that will emerge it will motivaterational miners to adopt the selfish mining strategythat rivals the main network and causes the forkedchain [32]

(ii) Decrease block generation Slowing down the blockgeneration time for each transaction will reduce thespeed of transactions on the peer-to-peer networkPositively it gives some merits such as providing a

12 Wireless Communications and Mobile Computing

better security system Roughly this happens due toa decreasing number of orphaned blocks that willeliminate the selfish mining attack

(iii) Increasing the block size The bigger the capacity of ablock the more the transactions that can be filled upinto the block It will slow the propagation of everytransaction to all nodes in the peer-to-peer networkThe slow propagation time will cause new problemsnamely double-spending attack Attacker could usethe same coin for two or more different transactionsSlower propagation of blocks on the peer-to-peernetwork resulted in the fact that the block cannot befully accepted by the nodes As a result when thetransaction is received the block will confirm thatthe block is valid even though the transaction hasbeen used and confirmed by other nodes in the samenetwork

(iv) Reducing the capacity of block size Because of onlya few transactions that occur within a block it willspeed up the propagation time for every transactionIt causes many orphaned blocks to emerge and allowfor the occurrence of selfish mining attacks that harmthe system Yet this decision gives the advantagessuch as fast payments and fast transaction Howeverit should ensure the immutability of the block andtransaction [33]

5 Limited and Future Work

We assume that shared storage is interconnected to ablockchain network where miners have access into it Interms of the type of shared storage we do not define itin detail instead we assume the shared storage has all thecapacity needed to support the proposed system One ofthe drawbacks of our system is related to the time neededby the recipient to find data in shared storage because therecipient must seek for data one by one based on the keyview so that the patient observes each transaction in theblockchain In the long run this might become an obstacleif the blockchain network is expanding There will be manytransactions occurring so that it will be difficult for therecipient to monitor every transaction which belongs tohimher

For future work the model and capacity of shared storageneed to be observed further The access control in the sharedstorage is also essential to ensure that system keeps safeIncentive mechanisms also need to be considered for thestorage providers It aims to motivate providers to contributeto protecting the privacy of the users as suggested by [34ndash36]Furthermore it is important to carefully consider the typeof block to be used including parameters directly involvedin the system such as block size and type of consensus toname a few Additionally the consensus selection mecha-nism is paramount in the blockchain For instance a newmethod by expanding the Byzantine consensus via hardware-assisted secret sharing can solve the scalability problem in theblockchain [37]

6 Conclusions

The model of privacy in the blockchain peer-to-peer sharedstorage has been fully presented The idea of ring signaturecombined with several protocols provides the solutions forprivacy issues on the blockchain transaction The identityof the sender and the recipient remains hidden unlinkableand untraceable from the observer The key image is attachedto prevent the same data from being stored multiple timesand it can be used as well to prevent double spending anddata duplication Based on our findings and informationfrom several literature reviews it can be said that increasingthe performance of the decentralized blockchain requires avery deep analysis since it is directly related to the securityThere are advantages and drawbacks for each decision takenFor future work a scheme that provides incentives needs tobe developed as a motivation to maintain the decentralizedsystem

Data Availability

No data were used to support this study

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This research was supported by the MSIT (Ministry ofScience and ICT) Korea under the ITRC (InformationTechnology Research Center) support program (IITP-2019-0-00403) supervised by the IITP (Institute for Informationamp Communications Technology Planning amp Evaluation) andpartially supported by the National Research Foundation ofKorea (NRF) grant funded by the Korea government (MSIT)(No NRF-2018R1D1A1B07048944)

References

[1] G Karame and E Androulaki Bitcoin and Blockchain SecurityArtech House Information Security and Privacy Series 2016

[2] R J Krawiec D Housman M White et al ldquoBlockchainOpportunities for health carerdquo in Proceedings of the NISTWorkshop Blockchain Healthcare pp 1ndash16 2016

[3] D E OrsquoLeary ldquoConfiguring blockchain architectures for trans-action information in blockchain consortiums The case ofaccounting and supply chain systemsrdquo Intelligent Systems inAccounting Finance and Management vol 24 no 4 pp 138ndash147 2017

[4] D Yang J Gavigan and ZWHearn ldquoSurvey of Confidentialityand Privacy Preserving Technologies for Blockchainsrdquo R3 pp1ndash32 2016

[5] HKoppDModinger FHauck F Kargl andC Bosch ldquoDesignof a privacy-preserving decentralized file storage with financialincentivesrdquo in Proceedings of the 2nd IEEE European Symposiumon Security and PrivacyWorkshops EuroS and PW 2017 pp 14ndash22 April 2017

Wireless Communications and Mobile Computing 13

[6] TW Clarke I Sandberg OWiley and B Hong ldquoA distributedanonymous information storage and retrieval systemrdquo Journalof Chemical Information and Modeling vol 53 no 9 pp 1689ndash1699 2001

[7] E Heilman L AlShenibr F Baldimtsi A Scafuro and SGoldberg ldquoTumbleBit an untrusted bitcoin-compatible anony-mous payment hubrdquo in Proceedings of the 2017 Network andDistributed System Security Symposium 2017

[8] S Wu Y Chen QWang M Li C Wang and X Luo ldquoCReama smart contract enabled collusion-resistant e-auctionrdquo IEEETransactions on Information Forensics 2018

[9] J Benet and N Greco ldquoFilecoin A Decentralized StorageNetworkrdquo Protoc Labs 2018

[10] S Wilkinson T Boshevski J Brandoff and V Buterin ldquoStorj apeer-to-peer cloud storage networkrdquo Technical report storjio2014

[11] B Fisch ldquoPoreps Proofs of space on useful datardquo Report2018678 Cryptology ePrint Archive 2018

[12] S Rahmadika and K Rhee ldquoBlockchain technology for pro-viding an architecture model of decentralized personal healthinformationrdquo International Journal of Engineering BusinessManagement vol 10 pp 1ndash12 2018

[13] R L Rivest A Shamir and Y Tauman ldquoHow to leak a secretrdquoin International Conference on the Theory and Application ofCryptology and Information Security vol 2248 of Lecture Notesin Comput Sci pp 552ndash565 Springer

[14] D Chaum E van Heyst and C Science ldquoGroup Signaturesrdquo inAdv CryptologymdashEUROCRYPTrsquo91 vol iii pp 257ndash265 1991

[15] N Van Saberhagen ldquoCryptoNote v 20rdquo Self-published pp 1ndash202013

[16] S Noether A Mackenzie and T M Research Lab ldquoRingconfidential transactionsrdquo Ledger vol 1 pp 1ndash8 2016

[17] E Gallery and C J Mitchell ldquoTrusted computing Security andapplicationsrdquo Cryptologia vol 33 no 3 pp 217ndash245 2009

[18] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976

[19] A A Korba M Nafaa and S Ghanemi ldquoAn efficient intrusiondetection and prevention framework for ad hoc networksrdquoInformation and Computer Security vol 24 no 4 pp 298ndash3252016

[20] S Rahmadika P H Rusmin H Hindersah and K H RheeldquoProviding data integrity for container dwelling time in the sea-portrdquo in Proceedings of the 6th International Annual EngineeringSeminar InAES 2016 pp 132ndash137 Indonesia August 2016

[21] K Schmidt-Samoa ldquoA new rabin-type trapdoor permutationequivalent to factoringrdquo Electronic Notes in Theoretical Com-puter Science vol 157 no 3 pp 79ndash94 2006

[22] A Bender J Katz and R Morselli ldquoRing signatures strongerdefinitions and constructions without randomoraclesrdquo Journalof Cryptology The Journal of the International Association forCryptologic Research vol 22 no 1 pp 114ndash138 2009

[23] K Lee andAMiller ldquoAuthenticateddata structures for privacy-preserving monero light clientsrdquo in Proceedings of the 3rd IEEEEuropean Symposium on Security and PrivacyWorkshops EUROS and PW 2018 April 2018

[24] R Schollmeier ldquoA definition of peer-to-peer networking for theclassification of peer-to-peer architectures and applicationsrdquo inProceedings of the 1st International Conference on Peer-to-PeerComputing P2P 2001 pp 101-102 August 2001

[25] Y Sompolinsky and A Zohar ldquoAccelerating bitcoins trans-action processing fast money grows on trees not chainsrdquoEprintIacrOrg 2014

[26] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo Lecture Notes in Computer Science (includingsubseries LectureNotes in Artificial Intelligence and LectureNotesin Bioinformatics) Preface vol 8437 pp 436ndash454 2014

[27] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfishmining strategies in bitcoinrdquo in Financial Cryptography andData Security vol 9603 of Lecture Notes in Computer Sciencepp 515ndash532 Springer Berlin Germany 2017

[28] E Heilman ldquoOne weird trick to stop selfish miners freshbitcoins a solution for the honest miner (poster abstract)rdquo inLecture Notes in Computer Science (including subseries LectureNotes in Artificial Intelligence and Lecture Notes in Bioinformat-ics) Preface vol 8438 pp 161-162 2014

[29] S Rahmadika B J Kweka H Kim and K Rhee ldquoA scopingreview in defend against selfish mining attack in bitcoinrdquo ITConverg Pract vol 6 no 3 pp 18ndash26 2018

[30] AGervais H Ritzdorf GO Karame and S Capkun ldquoTamper-ing with the delivery of blocks and transactions in bitcoinrdquo inProceedings of the the 22nd ACM SIGSAC Conference pp 692ndash705 Denver Colo USA October 2015

[31] A Gervais G O Karame K Wust V Glykantzis H Ritzdorfand S Capkun ldquoOn the security and performance of Proof ofWork blockchainsrdquo in Proceedings of the 23rd ACM Conferenceon Computer and Communications Security CCS 2016 pp 3ndash16October 2016

[32] D T T Anh M Zhang B C Ooi and G Chen ldquoUntanglingblockchain a data processing view of blockchain systemsrdquo IEEETransactions on Knowledge and Data Engineering 2018

[33] D Mendez Mena I Papapanagiotou and B Yang ldquoInternet ofthings survey on securityrdquo Information Security Journal vol 27no 3 pp 162ndash182 2018

[34] O Ersoy Z Ren Z Erkin and R L Lagendijk ldquoTransac-tion propagation on permissionless blockchains incentive androuting mechanismsrdquo in Proceedings of the 2018 Crypto ValleyConference on Blockchain Technology (CVCBT) pp 20ndash30 June2018

[35] Y He H Li X Cheng Y Liu C Yang and L Sun ldquoAblockchain based truthful incentive mechanism for distributedP2P applicationsrdquo IEEE Access vol 6 pp 27324ndash27335 2018

[36] J Wang M Li Y He H Li K Xiao and C Wang ldquoAblockchain based privacy-preserving incentive mechanism incrowdsensing applicationsrdquo IEEE Access vol 6 pp 17545ndash17556 2018

[37] J Liu W Li G O Karame and N Asokan ldquoScalable Byzantineconsensus via hardware-assisted secret sharingrdquo Institute ofElectrical and Electronics Engineers Transactions on Computersvol 68 no 1 pp 139ndash151 2019

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

Page 12: Toward Privacy-Preserving Shared Storage in Untrusted ...downloads.hindawi.com/journals/wcmc/2019/6219868.pdf · WirelessCommunicationsandMobileComputing y r =g r(x r) Z = V E k E

12 Wireless Communications and Mobile Computing

better security system Roughly this happens due toa decreasing number of orphaned blocks that willeliminate the selfish mining attack

(iii) Increasing the block size The bigger the capacity of ablock the more the transactions that can be filled upinto the block It will slow the propagation of everytransaction to all nodes in the peer-to-peer networkThe slow propagation time will cause new problemsnamely double-spending attack Attacker could usethe same coin for two or more different transactionsSlower propagation of blocks on the peer-to-peernetwork resulted in the fact that the block cannot befully accepted by the nodes As a result when thetransaction is received the block will confirm thatthe block is valid even though the transaction hasbeen used and confirmed by other nodes in the samenetwork

(iv) Reducing the capacity of block size Because of onlya few transactions that occur within a block it willspeed up the propagation time for every transactionIt causes many orphaned blocks to emerge and allowfor the occurrence of selfish mining attacks that harmthe system Yet this decision gives the advantagessuch as fast payments and fast transaction Howeverit should ensure the immutability of the block andtransaction [33]

5 Limited and Future Work

We assume that shared storage is interconnected to ablockchain network where miners have access into it Interms of the type of shared storage we do not define itin detail instead we assume the shared storage has all thecapacity needed to support the proposed system One ofthe drawbacks of our system is related to the time neededby the recipient to find data in shared storage because therecipient must seek for data one by one based on the keyview so that the patient observes each transaction in theblockchain In the long run this might become an obstacleif the blockchain network is expanding There will be manytransactions occurring so that it will be difficult for therecipient to monitor every transaction which belongs tohimher

For future work the model and capacity of shared storageneed to be observed further The access control in the sharedstorage is also essential to ensure that system keeps safeIncentive mechanisms also need to be considered for thestorage providers It aims to motivate providers to contributeto protecting the privacy of the users as suggested by [34ndash36]Furthermore it is important to carefully consider the typeof block to be used including parameters directly involvedin the system such as block size and type of consensus toname a few Additionally the consensus selection mecha-nism is paramount in the blockchain For instance a newmethod by expanding the Byzantine consensus via hardware-assisted secret sharing can solve the scalability problem in theblockchain [37]

6 Conclusions

The model of privacy in the blockchain peer-to-peer sharedstorage has been fully presented The idea of ring signaturecombined with several protocols provides the solutions forprivacy issues on the blockchain transaction The identityof the sender and the recipient remains hidden unlinkableand untraceable from the observer The key image is attachedto prevent the same data from being stored multiple timesand it can be used as well to prevent double spending anddata duplication Based on our findings and informationfrom several literature reviews it can be said that increasingthe performance of the decentralized blockchain requires avery deep analysis since it is directly related to the securityThere are advantages and drawbacks for each decision takenFor future work a scheme that provides incentives needs tobe developed as a motivation to maintain the decentralizedsystem

Data Availability

No data were used to support this study

Conflicts of Interest

The authors declare that there are no conflicts of interestregarding the publication of this paper

Acknowledgments

This research was supported by the MSIT (Ministry ofScience and ICT) Korea under the ITRC (InformationTechnology Research Center) support program (IITP-2019-0-00403) supervised by the IITP (Institute for Informationamp Communications Technology Planning amp Evaluation) andpartially supported by the National Research Foundation ofKorea (NRF) grant funded by the Korea government (MSIT)(No NRF-2018R1D1A1B07048944)

References

[1] G Karame and E Androulaki Bitcoin and Blockchain SecurityArtech House Information Security and Privacy Series 2016

[2] R J Krawiec D Housman M White et al ldquoBlockchainOpportunities for health carerdquo in Proceedings of the NISTWorkshop Blockchain Healthcare pp 1ndash16 2016

[3] D E OrsquoLeary ldquoConfiguring blockchain architectures for trans-action information in blockchain consortiums The case ofaccounting and supply chain systemsrdquo Intelligent Systems inAccounting Finance and Management vol 24 no 4 pp 138ndash147 2017

[4] D Yang J Gavigan and ZWHearn ldquoSurvey of Confidentialityand Privacy Preserving Technologies for Blockchainsrdquo R3 pp1ndash32 2016

[5] HKoppDModinger FHauck F Kargl andC Bosch ldquoDesignof a privacy-preserving decentralized file storage with financialincentivesrdquo in Proceedings of the 2nd IEEE European Symposiumon Security and PrivacyWorkshops EuroS and PW 2017 pp 14ndash22 April 2017

Wireless Communications and Mobile Computing 13

[6] TW Clarke I Sandberg OWiley and B Hong ldquoA distributedanonymous information storage and retrieval systemrdquo Journalof Chemical Information and Modeling vol 53 no 9 pp 1689ndash1699 2001

[7] E Heilman L AlShenibr F Baldimtsi A Scafuro and SGoldberg ldquoTumbleBit an untrusted bitcoin-compatible anony-mous payment hubrdquo in Proceedings of the 2017 Network andDistributed System Security Symposium 2017

[8] S Wu Y Chen QWang M Li C Wang and X Luo ldquoCReama smart contract enabled collusion-resistant e-auctionrdquo IEEETransactions on Information Forensics 2018

[9] J Benet and N Greco ldquoFilecoin A Decentralized StorageNetworkrdquo Protoc Labs 2018

[10] S Wilkinson T Boshevski J Brandoff and V Buterin ldquoStorj apeer-to-peer cloud storage networkrdquo Technical report storjio2014

[11] B Fisch ldquoPoreps Proofs of space on useful datardquo Report2018678 Cryptology ePrint Archive 2018

[12] S Rahmadika and K Rhee ldquoBlockchain technology for pro-viding an architecture model of decentralized personal healthinformationrdquo International Journal of Engineering BusinessManagement vol 10 pp 1ndash12 2018

[13] R L Rivest A Shamir and Y Tauman ldquoHow to leak a secretrdquoin International Conference on the Theory and Application ofCryptology and Information Security vol 2248 of Lecture Notesin Comput Sci pp 552ndash565 Springer

[14] D Chaum E van Heyst and C Science ldquoGroup Signaturesrdquo inAdv CryptologymdashEUROCRYPTrsquo91 vol iii pp 257ndash265 1991

[15] N Van Saberhagen ldquoCryptoNote v 20rdquo Self-published pp 1ndash202013

[16] S Noether A Mackenzie and T M Research Lab ldquoRingconfidential transactionsrdquo Ledger vol 1 pp 1ndash8 2016

[17] E Gallery and C J Mitchell ldquoTrusted computing Security andapplicationsrdquo Cryptologia vol 33 no 3 pp 217ndash245 2009

[18] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976

[19] A A Korba M Nafaa and S Ghanemi ldquoAn efficient intrusiondetection and prevention framework for ad hoc networksrdquoInformation and Computer Security vol 24 no 4 pp 298ndash3252016

[20] S Rahmadika P H Rusmin H Hindersah and K H RheeldquoProviding data integrity for container dwelling time in the sea-portrdquo in Proceedings of the 6th International Annual EngineeringSeminar InAES 2016 pp 132ndash137 Indonesia August 2016

[21] K Schmidt-Samoa ldquoA new rabin-type trapdoor permutationequivalent to factoringrdquo Electronic Notes in Theoretical Com-puter Science vol 157 no 3 pp 79ndash94 2006

[22] A Bender J Katz and R Morselli ldquoRing signatures strongerdefinitions and constructions without randomoraclesrdquo Journalof Cryptology The Journal of the International Association forCryptologic Research vol 22 no 1 pp 114ndash138 2009

[23] K Lee andAMiller ldquoAuthenticateddata structures for privacy-preserving monero light clientsrdquo in Proceedings of the 3rd IEEEEuropean Symposium on Security and PrivacyWorkshops EUROS and PW 2018 April 2018

[24] R Schollmeier ldquoA definition of peer-to-peer networking for theclassification of peer-to-peer architectures and applicationsrdquo inProceedings of the 1st International Conference on Peer-to-PeerComputing P2P 2001 pp 101-102 August 2001

[25] Y Sompolinsky and A Zohar ldquoAccelerating bitcoins trans-action processing fast money grows on trees not chainsrdquoEprintIacrOrg 2014

[26] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo Lecture Notes in Computer Science (includingsubseries LectureNotes in Artificial Intelligence and LectureNotesin Bioinformatics) Preface vol 8437 pp 436ndash454 2014

[27] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfishmining strategies in bitcoinrdquo in Financial Cryptography andData Security vol 9603 of Lecture Notes in Computer Sciencepp 515ndash532 Springer Berlin Germany 2017

[28] E Heilman ldquoOne weird trick to stop selfish miners freshbitcoins a solution for the honest miner (poster abstract)rdquo inLecture Notes in Computer Science (including subseries LectureNotes in Artificial Intelligence and Lecture Notes in Bioinformat-ics) Preface vol 8438 pp 161-162 2014

[29] S Rahmadika B J Kweka H Kim and K Rhee ldquoA scopingreview in defend against selfish mining attack in bitcoinrdquo ITConverg Pract vol 6 no 3 pp 18ndash26 2018

[30] AGervais H Ritzdorf GO Karame and S Capkun ldquoTamper-ing with the delivery of blocks and transactions in bitcoinrdquo inProceedings of the the 22nd ACM SIGSAC Conference pp 692ndash705 Denver Colo USA October 2015

[31] A Gervais G O Karame K Wust V Glykantzis H Ritzdorfand S Capkun ldquoOn the security and performance of Proof ofWork blockchainsrdquo in Proceedings of the 23rd ACM Conferenceon Computer and Communications Security CCS 2016 pp 3ndash16October 2016

[32] D T T Anh M Zhang B C Ooi and G Chen ldquoUntanglingblockchain a data processing view of blockchain systemsrdquo IEEETransactions on Knowledge and Data Engineering 2018

[33] D Mendez Mena I Papapanagiotou and B Yang ldquoInternet ofthings survey on securityrdquo Information Security Journal vol 27no 3 pp 162ndash182 2018

[34] O Ersoy Z Ren Z Erkin and R L Lagendijk ldquoTransac-tion propagation on permissionless blockchains incentive androuting mechanismsrdquo in Proceedings of the 2018 Crypto ValleyConference on Blockchain Technology (CVCBT) pp 20ndash30 June2018

[35] Y He H Li X Cheng Y Liu C Yang and L Sun ldquoAblockchain based truthful incentive mechanism for distributedP2P applicationsrdquo IEEE Access vol 6 pp 27324ndash27335 2018

[36] J Wang M Li Y He H Li K Xiao and C Wang ldquoAblockchain based privacy-preserving incentive mechanism incrowdsensing applicationsrdquo IEEE Access vol 6 pp 17545ndash17556 2018

[37] J Liu W Li G O Karame and N Asokan ldquoScalable Byzantineconsensus via hardware-assisted secret sharingrdquo Institute ofElectrical and Electronics Engineers Transactions on Computersvol 68 no 1 pp 139ndash151 2019

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

Page 13: Toward Privacy-Preserving Shared Storage in Untrusted ...downloads.hindawi.com/journals/wcmc/2019/6219868.pdf · WirelessCommunicationsandMobileComputing y r =g r(x r) Z = V E k E

Wireless Communications and Mobile Computing 13

[6] TW Clarke I Sandberg OWiley and B Hong ldquoA distributedanonymous information storage and retrieval systemrdquo Journalof Chemical Information and Modeling vol 53 no 9 pp 1689ndash1699 2001

[7] E Heilman L AlShenibr F Baldimtsi A Scafuro and SGoldberg ldquoTumbleBit an untrusted bitcoin-compatible anony-mous payment hubrdquo in Proceedings of the 2017 Network andDistributed System Security Symposium 2017

[8] S Wu Y Chen QWang M Li C Wang and X Luo ldquoCReama smart contract enabled collusion-resistant e-auctionrdquo IEEETransactions on Information Forensics 2018

[9] J Benet and N Greco ldquoFilecoin A Decentralized StorageNetworkrdquo Protoc Labs 2018

[10] S Wilkinson T Boshevski J Brandoff and V Buterin ldquoStorj apeer-to-peer cloud storage networkrdquo Technical report storjio2014

[11] B Fisch ldquoPoreps Proofs of space on useful datardquo Report2018678 Cryptology ePrint Archive 2018

[12] S Rahmadika and K Rhee ldquoBlockchain technology for pro-viding an architecture model of decentralized personal healthinformationrdquo International Journal of Engineering BusinessManagement vol 10 pp 1ndash12 2018

[13] R L Rivest A Shamir and Y Tauman ldquoHow to leak a secretrdquoin International Conference on the Theory and Application ofCryptology and Information Security vol 2248 of Lecture Notesin Comput Sci pp 552ndash565 Springer

[14] D Chaum E van Heyst and C Science ldquoGroup Signaturesrdquo inAdv CryptologymdashEUROCRYPTrsquo91 vol iii pp 257ndash265 1991

[15] N Van Saberhagen ldquoCryptoNote v 20rdquo Self-published pp 1ndash202013

[16] S Noether A Mackenzie and T M Research Lab ldquoRingconfidential transactionsrdquo Ledger vol 1 pp 1ndash8 2016

[17] E Gallery and C J Mitchell ldquoTrusted computing Security andapplicationsrdquo Cryptologia vol 33 no 3 pp 217ndash245 2009

[18] W Diffie andM E Hellman ldquoNew directions in cryptographyrdquoIEEE Transactions on Information Theory vol 22 no 6 pp644ndash654 1976

[19] A A Korba M Nafaa and S Ghanemi ldquoAn efficient intrusiondetection and prevention framework for ad hoc networksrdquoInformation and Computer Security vol 24 no 4 pp 298ndash3252016

[20] S Rahmadika P H Rusmin H Hindersah and K H RheeldquoProviding data integrity for container dwelling time in the sea-portrdquo in Proceedings of the 6th International Annual EngineeringSeminar InAES 2016 pp 132ndash137 Indonesia August 2016

[21] K Schmidt-Samoa ldquoA new rabin-type trapdoor permutationequivalent to factoringrdquo Electronic Notes in Theoretical Com-puter Science vol 157 no 3 pp 79ndash94 2006

[22] A Bender J Katz and R Morselli ldquoRing signatures strongerdefinitions and constructions without randomoraclesrdquo Journalof Cryptology The Journal of the International Association forCryptologic Research vol 22 no 1 pp 114ndash138 2009

[23] K Lee andAMiller ldquoAuthenticateddata structures for privacy-preserving monero light clientsrdquo in Proceedings of the 3rd IEEEEuropean Symposium on Security and PrivacyWorkshops EUROS and PW 2018 April 2018

[24] R Schollmeier ldquoA definition of peer-to-peer networking for theclassification of peer-to-peer architectures and applicationsrdquo inProceedings of the 1st International Conference on Peer-to-PeerComputing P2P 2001 pp 101-102 August 2001

[25] Y Sompolinsky and A Zohar ldquoAccelerating bitcoins trans-action processing fast money grows on trees not chainsrdquoEprintIacrOrg 2014

[26] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo Lecture Notes in Computer Science (includingsubseries LectureNotes in Artificial Intelligence and LectureNotesin Bioinformatics) Preface vol 8437 pp 436ndash454 2014

[27] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfishmining strategies in bitcoinrdquo in Financial Cryptography andData Security vol 9603 of Lecture Notes in Computer Sciencepp 515ndash532 Springer Berlin Germany 2017

[28] E Heilman ldquoOne weird trick to stop selfish miners freshbitcoins a solution for the honest miner (poster abstract)rdquo inLecture Notes in Computer Science (including subseries LectureNotes in Artificial Intelligence and Lecture Notes in Bioinformat-ics) Preface vol 8438 pp 161-162 2014

[29] S Rahmadika B J Kweka H Kim and K Rhee ldquoA scopingreview in defend against selfish mining attack in bitcoinrdquo ITConverg Pract vol 6 no 3 pp 18ndash26 2018

[30] AGervais H Ritzdorf GO Karame and S Capkun ldquoTamper-ing with the delivery of blocks and transactions in bitcoinrdquo inProceedings of the the 22nd ACM SIGSAC Conference pp 692ndash705 Denver Colo USA October 2015

[31] A Gervais G O Karame K Wust V Glykantzis H Ritzdorfand S Capkun ldquoOn the security and performance of Proof ofWork blockchainsrdquo in Proceedings of the 23rd ACM Conferenceon Computer and Communications Security CCS 2016 pp 3ndash16October 2016

[32] D T T Anh M Zhang B C Ooi and G Chen ldquoUntanglingblockchain a data processing view of blockchain systemsrdquo IEEETransactions on Knowledge and Data Engineering 2018

[33] D Mendez Mena I Papapanagiotou and B Yang ldquoInternet ofthings survey on securityrdquo Information Security Journal vol 27no 3 pp 162ndash182 2018

[34] O Ersoy Z Ren Z Erkin and R L Lagendijk ldquoTransac-tion propagation on permissionless blockchains incentive androuting mechanismsrdquo in Proceedings of the 2018 Crypto ValleyConference on Blockchain Technology (CVCBT) pp 20ndash30 June2018

[35] Y He H Li X Cheng Y Liu C Yang and L Sun ldquoAblockchain based truthful incentive mechanism for distributedP2P applicationsrdquo IEEE Access vol 6 pp 27324ndash27335 2018

[36] J Wang M Li Y He H Li K Xiao and C Wang ldquoAblockchain based privacy-preserving incentive mechanism incrowdsensing applicationsrdquo IEEE Access vol 6 pp 17545ndash17556 2018

[37] J Liu W Li G O Karame and N Asokan ldquoScalable Byzantineconsensus via hardware-assisted secret sharingrdquo Institute ofElectrical and Electronics Engineers Transactions on Computersvol 68 no 1 pp 139ndash151 2019

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

Page 14: Toward Privacy-Preserving Shared Storage in Untrusted ...downloads.hindawi.com/journals/wcmc/2019/6219868.pdf · WirelessCommunicationsandMobileComputing y r =g r(x r) Z = V E k E

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom


JokoSuryana - Hindawi Publishing Corporationdownloads.hindawi.com/journals/wcmc/2017/6495145.pdf4 WirelessCommunicationsandMobileComputing Pulse in Pulse out Allpass IIR FIR Channel

Chapter 11: Coastal Margins - UNEP-WCMC

Game-Theoretic Social-Aware Resource Allocation for Device ...downloads.hindawi.com/journals/wcmc/2018/5084842.pdf · WirelessCommunicationsandMobileComputing 14.0 32.0 23.0 24.0

A Flow-Based and Operator-Centric Dynamic Mobility ...downloads.hindawi.com/journals/wcmc/2019/4567317.pdf · WirelessCommunicationsandMobileComputing LMA MME G H ANDF PCF 5 G 6 E

Shielding IoT against Cyber-Attacks: An Event-Based Approach …downloads.hindawi.com/journals/wcmc/2018/3029638.pdf · 2019-07-30 · WirelessCommunicationsandMobileComputing securitystrategyareconsideredinSection.Lastbutnot

FLECH: Fuzzy Logic Based Energy Efficient Clustering ...downloads.hindawi.com/journals/wcmc/2017/1214720.pdf6 WirelessCommunicationsandMobileComputing Cluster formation phase Data

Suppression of Mutual Interference in …downloads.hindawi.com/journals/wcmc/2017/1860134.pdf2 WirelessCommunicationsandMobileComputing In this paper, we propose two new techniques:

PROGRESS IN NEUROSCIENCE PINS - Feil Family Brain & Mind ... · Brain & Mind Research Institute Weill Cornell Medical College (WCMC) & The Graduate Program in Neuroscience of WCMC

Optimal Content Caching in Content-Centric Networksdownloads.hindawi.com/journals/wcmc/2019/6373960.pdf · WirelessCommunicationsandMobileComputing number of recipients/soware components

Wireless Communications and Mobile Computingpaginas.fe.up.pt/.../09_10/wcmc/slides/wcmc-mpr-fundaments+wlan+… · WCMC-MPR-A 1 Wireless Communications and Mobile Computing MAP-I

Phage therapy for multidrug-resistant bacterial infections ......Daniel Mora, TAMU Thomas Walsh, WCMC Rita Mavridou, WCMC Vidmantas Petraitis, WCMC Robert Danner, NIH CC Karen Frank,

WCMC ENTBrochure Oct23 FinalPDF

04 hilary allison-unep-wcmc-indicators-restoration-tree-diversity-day

ReviewArticledownloads.hindawi.com/journals/wcmc/2017/6802027.pdf · WirelessCommunicationsandMobileComputing 3 1 Train-to-infrastructure 2 Interwagon 3 Intrawagon 4 Inside station

UNEP-WCMC CAPACITY DEVELOPMENT ASSESSMENT …...Within UNEP-WCMC, support in developing this tool was provided by Marieke Sassen, Andy Arnell, Arnout van Soesbergen, Yara Shennan-Farpon,

Deep CNN-Assisted Personalized Recommendation over Big ...downloads.hindawi.com/journals/wcmc/2019/6082047.pdf · WirelessCommunicationsandMobileComputing 33 40 47 30 22 55 159 41

Wireless Communications and Mobile Computingpaginas.fe.up.pt/~mricardo/09_10/wcmc/slides/wcmc-qos.pdf · 2010-05-17 · WNP-MPR-qos 1 Wireless Communications . and . Mobile Computing

Chapter 14: Regulating Services - UNEP-WCMC

Ucsbrasil Mma Wcmc

ResearchArticledownloads.hindawi.com/journals/wcmc/2018/7852896.pdfWirelessCommunicationsandMobileComputing Contro lan (T n R) Dat lan (T R) N + N OFDM bols OFDM bols 1 ubframe time

Software-Defined Edge Cloud Framework for Resilient ...downloads.hindawi.com/journals/wcmc/2019/3947286.pdf · WirelessCommunicationsandMobileComputing e e DB Web Server l n/ s de

Recommendation of Crowdsourcing Tasks Based on Word2vec ...downloads.hindawi.com/journals/wcmc/2019/2121850.pdf · WirelessCommunicationsandMobileComputing 0 0.1 0.2 0.3 0.4 0.5 0.6

A Probabilistic Privacy Preserving Strategy for Word-of-Mouth Social Networksdownloads.hindawi.com › journals › wcmc › 2018 › 6031715.pdf · 2019-07-30 · WirelessCommunicationsandMobileComputing

Analysis of Nonstationary Characteristics for High-Speed Railway …downloads.hindawi.com/journals/wcmc/2018/1729121.pdf · 2019-07-30 · WirelessCommunicationsandMobileComputing

Mm wcmc v12

Wireless Sensor Network Dynamic Mathematics Modeling and ...downloads.hindawi.com/journals/wcmc/2018/1082398.pdf · WirelessCommunicationsandMobileComputing 10 15 20 25 30 35 40 45

Chapter 12: Marine - UNEP-WCMC

UNEP-WCMC technical report EU Wildlife Trade 2014ec.europa.eu/environment/cites/pdf/reports/Analysis_of_EU_annual... · UNEP-WCMC technical report EU Wildlife Trade 2014 Analysis

MaratZhanikeev - Hindawi Publishing Corporationdownloads.hindawi.com/journals/wcmc/2019/7317019.pdf · WirelessCommunicationsandMobileComputing −0.1 0.1 0.3 0.5 0.7 0.9 1.1 Speed

NTRU Implementation of Efficient Privacy-Preserving ...downloads.hindawi.com/journals/wcmc/2018/7823979.pdf · WirelessCommunicationsandMobileComputing whosecoe cientssatisfy > (6ˆ+1),

Transmission Strategy Design and Resource Allocation in ...downloads.hindawi.com/journals/wcmc/2018/6790978.pdfWirelessCommunicationsandMobileComputing PT PG;R T PG;R Pm m la lb

Wireless-overview Wcmc 2008 v1

UNEP - WCMC/GEF Project

Dynamic Traffic Prediction with Adaptive Sampling for 5G ...downloads.hindawi.com/journals/wcmc/2019/4687272.pdf · WirelessCommunicationsandMobileComputing 5G HetNet 5G core networks

Energy Efficient Downlink Transmission in Wireless LANs by ...downloads.hindawi.com/journals/wcmc/2017/2405381.pdf · WirelessCommunicationsandMobileComputing 3 WLAN CPU AP Emulated