Privacy-Preserving Self-Helped Medical Diagnosis Scheme Based on Secure Two-Party Computation in Wireless Sensor Networks

With the continuing growth of wireless sensor networks in pervasive medical care, people pay more and more attention to privacy in medical monitoring, diagnosis, treatment, and patient care. On one hand, we expect the public health institutions to provide us with better service. On the other hand, we do not want to leak our personal health information to them. To reconcile these two demands, in this paper we design a privacy-preserving self-helped medical diagnosis scheme based on secure two-party computation in wireless sensor networks, so that patients can privately diagnose themselves by inserting a health card into a self-helped medical diagnosis ATM to obtain a diagnostic report, just like drawing money from a bank ATM, without revealing the patients' health information or the doctors' diagnostic skill. It makes secure self-helped disease diagnosis feasible and greatly benefits patients as well as relieving the heavy pressure on public health institutions.


Introduction
With the rapid development of science, more and more advanced technologies such as the internet of things and cloud computing are utilized in the area of modern medicine, and this trend further pushes healthcare into the digital era [1][2][3]. Currently, numerous healthcare devices such as heart rate monitors, blood pressure monitors, and electrocardiographs are already common in everyday life, and they make it convenient for people to be aware of their health situation by viewing the reports of these devices. In particular, with the growing use of sensor technology in telecare, the new field known as wireless body area networks (WBAN) [1,4] has produced various sensor devices that can be used to supervise critical body parameters and activities anytime and anywhere. People can easily and conveniently obtain health data from these advanced sensor devices [5], such as temperature measurement, respiration monitor, heart rate monitor, pulse oximeter SpO2, blood pressure monitor, pH monitor, glucose sensor, cardiac arrhythmia monitor/recorder, brain liquid pressure sensor, and endoscope capsule. What is more, these devices are becoming more functional and portable, and more and more mobile medical monitors are already in use [2]. Therefore, people no longer worry about how to obtain health data but about how to handle these sensitive data securely when seeking a disease diagnosis from a medical institution. Traditionally, the privacy of medical data has been dealt with primarily as a policy problem [6,7]. Many related laws have been issued to protect the privacy of patients. However, the situation is still far from satisfactory and people still fear the leakage of their private data. Hence, the most effective solution to this problem is to protect patients' privacy through technology rather than through policy alone.
In this aspect, most previous work has introduced homomorphic encryption (HE) [8][9][10] to protect patients' privacy in privacy-preserving medical applications [11]. However, HE inevitably introduces substantial computational cost and is not applicable to practical large-scale applications. Therefore, in this paper we focus on building a secure and practical privacy-preserving medical diagnosis system that can serve us in our daily life. From the patient's point of view, the most secure and plausible diagnostic method is to interact with the hospital, which owns a disease database, using processed data rather than the original data, so that the health status is diagnosed privately. Moreover, it requires that after the diagnosis the hospital learns nothing about the patient's health data and the patient learns nothing about the hospital's disease database.
Inspired by the everyday bank automated teller machine (ATM), we introduce the privacy-preserving self-helped medical diagnosis ATM (MD-ATM). After obtaining a healthcare card that stores information derived from the health data collected by various sensor medical devices, patients can privately diagnose themselves by inserting the health card into the MD-ATM to obtain a diagnostic report, just like drawing money from a bank ATM, without revealing the patient's health information or the disease database and doctors' diagnostic skill. When local computing, storing, or inputting of information is needed, the patient uses his own portable device, called the portable medical diagnostic device (PMDD).
In this paper, we show how to realize this modern diagnosis system without HE. The main ideas and technologies used in this scheme are secure two-party computation (STC) and oblivious transfer (OT). First, we assume that patients themselves collect the related data with various wireless sensor medical devices and further process and store them in their own health cards using the PMDD. When diagnosing, the patient first transforms the original data locally and then inserts the card into the MD-ATM of the hospital to check his health. Following the instructions of the MD-ATM, the patient finally obtains a diagnostic report through OT and thereby completes the self-helped diagnosis. In brief, our main contributions can be summarized as follows.

Our Contributions.
(i) We build a new "patient-centered" medical diagnosis model in wireless sensor networks where patients themselves collect health data by various sensor medical devices while the hospital provides a disease database to help patients complete the disease diagnosis by themselves. Compared with the traditional "doctor-centered" medical diagnosis model where patients have to depend on the doctor, our system is more appropriate, especially as people pay more and more attention to privacy in wireless sensor networks.
(ii) We first propose the privacy-preserving self-helped MD-ATM to construct a secure medical diagnosis scheme following the idea of STC. It makes secure self-helped medical diagnosis feasible and convenient, just like drawing money from a bank ATM. It will greatly benefit patients as well as relieving the heavy pressure on public health institutions.
(iii) We construct the self-helped medical diagnosis system based on OT without expensive HE. It provides us with another perspective to consider the problem of secure medical diagnosis for patients.
The rest of this paper is organized as follows. In Section 2, we briefly give an overview of secure two-party computation and oblivious transfer, and then we present our medical diagnosis system model in Section 3. In Section 4, we propose our privacy-preserving self-helped medical diagnosis scheme in detail and give a strict proof based on the real-ideal simulation paradigm in Section 5. Finally, we summarize the work of this paper in the last section.

Preliminaries
2.1. Secure Two-Party Computation. Secure multiparty computation (SMC) addresses the problem of secure computation among mutually distrusting participants. It was first introduced by Yao in 1982 [12] and then extended by Goldreich et al. [13] and many other researchers [14][15][16][17][18][19]. Generally speaking, SMC is a method to implement cooperative computation on participants' private data, ensuring the correctness of the computation while not disclosing any information beyond the necessary results. It has become a research focus in the international cryptographic community due to its wide applications in various areas, and many research results have been published. Secure two-party computation (STC) [20] is the special case of SMC with only two participants. The well-known millionaires' problem [12] put forward by Yao is the representative problem of STC. In this paper, we consider the two-party case.
Generally speaking, STC is dedicated to computing a certain function between two mutually distrusting participants on their private inputs without revealing their private information. Informally, assume that there are 2 participants, 1 , 2 , each of which has a private number, 1 , 2 , respectively. They want to cooperate to compute the function = ( 1 , 2 ). An STC protocol is called secure if no participant can learn more from the description of the public function and the result of the global computation than what he can learn from his own information.
Formally, we usually analyze the security of an STC protocol using the real-ideal paradigm in the semihonest model, where both parties act semihonestly: they follow the protocol but try to gain more information about the other party's inputs, intermediate results, or overall outputs from the transcript of the protocol [15]. We can overview the real-ideal paradigm as follows.
Firstly, in the ideal world, we assume that the computation of the functionality on the users' private inputs is conducted by an additional trusted party, who receives from user , = 1, 2, and returns the result ( 1 , 2 ) to , = 1, 2. However, there is no trusted party in the real world, so the two parties have to run a protocol Π to get the desired result. During the execution of protocol Π, both parties act semihonestly. Herein, the view of the th party during an execution of Π on 1 , 2 is denoted as VIEW Π ( 1 , 2 ), which contains 's input, random tape, and the messages received from the other party. For a deterministic private function , we say that Π privately computes if there exist probabilistic polynomial-time algorithms 1 , 2 such that the simulated distribution (1)

Algorithm 1: OT 1 protocol.
Inputs: the sender inputs a set of messages ( 1 , 2 , . . . , ); the receiver inputs an index .
Outputs: the receiver obtains , which means . The sender obtains .

Oblivious Transfer.
In cryptography, OT is a type of protocol in which a sender transfers one of potentially many pieces of information to a receiver but remains oblivious as to which piece has been transferred. It was first introduced by Rabin [21] in 1981. In that scheme, the sender sends a message to the receiver with probability 1/2, while the sender remains oblivious as to whether or not the receiver received the message. Rabin's oblivious transfer scheme is based on the RSA cryptosystem. In 1985, Even et al. [22] proposed a more useful OT called 1-out-of-2 OT (OT 2 1 ) to build protocols for secure multiparty computation.
Afterwards, it was generalized to 1-out-of- OT (OT 1 ) [23], where the receiver gets exactly one message, without the sender learning which message was queried and without the receiver learning anything about the other messages that were not retrieved. OT 1 has become a fundamental tool in cryptography and is usually used as a black box when constructing protocols.
Formally, we can describe an OT 1 protocol as follows. There are two participants, called the sender and the receiver . Specifically, has messages, and has an index . wishes to receive the th message of the sender's messages without leaking to , while learning nothing about the remaining − 1 messages. A simplified OT 1 protocol is presented in Algorithm 1.
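As an added example, not code from the paper (which treats OT as a black box), the following Python implements a textbook Diffie-Hellman-based 1-out-of-n oblivious transfer in the style of Chou and Orlandi's "simplest OT", over a toy group: the sender holds n messages (playing the role of the n diagnostic reports) and the receiver obtains exactly the one it chose, while the sender cannot tell which. The modulus P and base G, the class and function names, and the hash-derived one-time pad used for encryption are all my assumptions, not the paper's.

```python
import hashlib
import secrets

# Toy multiplicative group Z_P^* with a fixed base; constructed for
# illustration only. A deployment would use a standard prime-order group.
P = 2**255 - 19
G = 2


def _keystream(shared: int, length: int) -> bytes:
    """Derive `length` pad bytes from a group element by hashing it with a counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(shared.to_bytes(32, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class OTSender:
    """Holds the n messages, e.g. the n diagnostic reports of the hospital."""

    def __init__(self, messages):
        self.messages = list(messages)
        self.a = secrets.randbelow(P - 2) + 1      # secret exponent a
        self.A = pow(G, self.a, P)                  # public value A = g^a

    def round1(self) -> int:
        return self.A

    def round2(self, B: int):
        """Encrypt message j under a key the receiver can derive only for j = choice."""
        ciphertexts = []
        for j, m in enumerate(self.messages):
            # (B / A^j)^a equals g^(ab) exactly when j is the receiver's choice;
            # for every other j it is an unrelated group element.
            A_j_inv = pow(pow(self.A, j, P), -1, P)
            shared = pow(B * A_j_inv % P, self.a, P)
            ciphertexts.append(_xor(_keystream(shared, len(m)), m))
        return ciphertexts


class OTReceiver:
    """Wants message number `choice` without revealing `choice` to the sender."""

    def __init__(self, choice: int):
        self.choice = choice
        self.b = secrets.randbelow(P - 2) + 1      # secret exponent b

    def round1(self, A: int) -> int:
        # B = g^b * A^choice. The fresh random factor g^b hides the choice.
        self.shared = pow(A, self.b, P)            # = g^(ab), the only key we can form
        return pow(G, self.b, P) * pow(A, self.choice, P) % P

    def round2(self, ciphertexts) -> bytes:
        c = ciphertexts[self.choice]
        return _xor(_keystream(self.shared, len(c)), c)


def ot_transfer(messages, choice: int) -> bytes:
    """Run the two-round exchange and return the message the receiver obtains."""
    sender, receiver = OTSender(messages), OTReceiver(choice)
    B = receiver.round1(sender.round1())
    return receiver.round2(sender.round2(B))


if __name__ == "__main__":
    reports = [b"report: disease 1", b"report: disease 2", b"report: disease 3"]
    print(ot_transfer(reports, 1))
```

Two points worth noticing for a deployment: the receiver can form only one of the n keys, so decrypting any other ciphertext with its key yields noise, and the sender sees only B, which is distributed independently of the choice. Ciphertext lengths still reveal message lengths, so reports should be padded to a fixed size before transfer.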

System Model
In this section, we present the system model including the goals we aim to achieve in detail.
In this paper, we consider the privacy-preserving medical diagnosis system with two participants: the patient and the hospital. We assume that each patient can easily collect his own health data, such as heart beat and blood pressure, in the form of a vector called the query vector, using various advanced medical devices. Herein, we call heart beat, blood pressure, and so forth the parameter items, and the health data corresponding to heart beat, blood pressure, and so forth the parameter values. For example, = ( 1 , . . . , ) is the query vector of the patient , where all { } =1,..., are the necessary parameters the hospital needs for diagnosis, and is the parameter value of the parameter item heart beat. Each patient has a health card to store related data and a portable device, the PMDD, to read the data stored in the card and to perform related computations after the card is inserted. The hospital has a disease database DB = { } =1,..., , which is the reference used to determine which disease the patient has. Each record of the disease database is presented as a triple = ( , , ), = 1, . . . , , where is the capacity of the disease database; is the index of a disease; , called the trait vector of the disease , is a vector that covers all necessary parameters the hospital needs for diagnosis; and is the disease diagnostic report, including the disease name, doctors' advice, and prescriptions corresponding to the th disease . We explain these parameters as follows.
(i) : it includes all necessary parameter items the hospital needs for diagnosis such as heart beat and blood pressure.
Figure 1: Self-helped medical diagnosis model of our scheme.
factors as possible such as adding more personal feelings, symptoms, and previous medical features from the patient as parameter items. Although we only can diagnose some simple diseases currently, it is believed that it will be feasible for more complicated diseases in the future by extending the dimension of the parameter items.
(iv) : it includes the disease name, doctors' advice, and prescriptions corresponding to the th disease . Each report may include several doctors' advices and prescriptions. Herein, we assume that every report obtained from the MD-ATM following the self-helped medical diagnosis is authorized by the hospital and that all advice and prescriptions in a report are signed by the corresponding doctors. After receiving the diagnostic report, the patient can choose one doctor's advice and prescription to treat himself.
In this paper, the system makes a medical diagnosis according to the Euclidean distances between two vectors. Specifically, taking the query vector of the patient and a trait vector of the database as an example, given a patient's query vector = ( 1 , . . . , ) and a disease trait vector = ( 1 , . . . , ), ∈ {1, . . . , }, their Euclidean distance [3] is denoted by dist ↔ . Herein, we compare the squares of the Euclidean distances. It is obvious that we can determine which trait vector is closer to the patient's query vector just by checking the sign of (3), without the exact values of dist ↔ or dist ↔ . Assuming that the report corresponding to the trait vector , ∈ {1, . . . , }, is the diagnosed disease report, we have the following result for all = 1, . . . , , ̸ = :
In our scheme, we compare the squares of the Euclidean distances between the query vector and the trait vectors to find the diagnostic report that satisfies (4).
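The following Python, added here as an example and not part of the paper, works through the comparison behind (2)-(4): the sign of the difference of two squared distances is evaluated from inner products alone, because the term |q|^2 cancels in the difference, and the record satisfying (4) is selected over a small disease database. The parameter items, parameter values, and report strings are constructed for illustration, the function names are mine, and the scheme's vector-to-matrix blinding is deliberately not reproduced: this shows only the plaintext comparison that the blinding is meant to protect.

```python
from typing import List, Sequence, Tuple

Vector = Sequence[int]
# A database record (i, T_i, R_i) as in Section 3: disease index, trait vector, report.
Record = Tuple[int, Vector, str]


def dot(u: Vector, v: Vector) -> int:
    assert len(u) == len(v), "query and trait vectors must share the same parameter items"
    return sum(a * b for a, b in zip(u, v))


def squared_distance(q: Vector, t: Vector) -> int:
    """dist^2 computed directly; used only as the reference for checks."""
    return sum((a - b) ** 2 for a, b in zip(q, t))


def distance_sign(q: Vector, t_i: Vector, t_j: Vector) -> int:
    """Sign of dist^2(q, t_i) - dist^2(q, t_j), the quantity checked in (3).

    Expanding dist^2 = |q|^2 - 2 q.t + |t|^2 shows that |q|^2 cancels in the
    difference, so the comparison needs only q.t_i, q.t_j, |t_i|^2 and |t_j|^2.
    Returns -1, 0 or 1.
    """
    diff = (dot(t_i, t_i) - dot(t_j, t_j)) - 2 * (dot(q, t_i) - dot(q, t_j))
    return (diff > 0) - (diff < 0)


def diagnose(q: Vector, db: List[Record]) -> Record:
    """Return the record whose trait vector is closest to q, i.e. satisfies (4).

    On an exact tie the record appearing first in the database is kept.
    """
    best = db[0]
    for rec in db[1:]:
        if distance_sign(q, rec[1], best[1]) < 0:
            best = rec
    return best


# Constructed sample database. Parameter items are (heart rate in bpm,
# systolic pressure in mmHg, temperature in tenths of a degree Celsius);
# integers are used so every distance is exact.
SAMPLE_DB: List[Record] = [
    (1, (72, 120, 366), "normal: no treatment needed"),
    (2, (110, 140, 385), "fever: rest, fluids, follow-up in 3 days"),
    (3, (60, 95, 360), "hypotension: increase fluid intake, recheck"),
]

if __name__ == "__main__":
    query = (105, 135, 382)          # constructed query vector of one patient
    idx, _, report = diagnose(query, SAMPLE_DB)
    print(idx, report)
```

Because only inner products enter the sign test, a hospital that is handed suitably transformed values can rank the trait vectors without ever seeing the raw parameter values; the index returned by diagnose is exactly what the patient then feeds into the OT protocol to retrieve the matching report.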
In a real deployment, the hospital provides an MD-ATM, which is connected to the disease database and can read the data on the card, to guide patients through the self-helped disease diagnosis. Specifically, we assume that each patient registers with the hospital the first time and gets a health card. The hospital provides a self-helped MD-ATM in public, just like a bank ATM. Whenever wants a diagnosis, inserts his health card into the MD-ATM, follows the instructions, and completes the self-helped diagnosis by himself. The basic model is illustrated in Figure 1.
Apart from the above, to enable a privacy-preserving medical diagnosis system, our scheme should simultaneously fulfill the following two security goals.
(i) Confidentiality of disease database should be protected during the self-helped diagnosis process.
(ii) Confidentiality of patient's private health data should be protected during the self-helped diagnosis process.

Our Scheme
In this section, we propose our privacy-preserving self-helped medical diagnosis scheme (PP-SH-MDS) in detail to show how a patient can diagnose himself using his PMDD and the self-helped MD-ATM. The core of our construction is summarized in Figure 2. Specifically, the patient proceeds as follows to make a self-helped diagnosis using his PMDD and the MD-ATM.
In the setup phase, registers with a hospital, as in traditional medical diagnosis, and gets a health card.
In the diagnosis phase, there are three subphases. (1) Local Preprocessing. Whenever wants a diagnosis, he first performs the following two transformations locally on the PMDD. (ii) Vector-to-Matrix.
After completing the above steps, stores the matrix in the health card. After executing the OT 1 protocol, gets the diagnostic report corresponding to the disease according to the index , while the MD-ATM gets , denoted by .

Analysis
In this section, we analyze our scheme in detail. We first examine the correctness and then give a strict security proof following the real-ideal simulation paradigm of STC in the scenario of semihonest adversaries.

Correctness.
In this aspect, we follow the steps of our scheme and verify that the patient indeed finds the most likely disease in the hospital's disease database from his health data by comparing Euclidean distances.

Security.
In this subsection, we strictly prove the security of our scheme. From the whole process, we can specify that the two parties in our system are the patient and the hospital. They cooperate to compute the function ( , ( 1 , 2 , . . . , )) = , where is the disease diagnostic report corresponding to the disease and the distance dist ↔ satisfies the condition dist 2 ↔ = min{dist 2 ↔ } =1,..., . As mentioned in Section 3, we should achieve two security goals, that is, keeping both parties' inputs private. We apply the real-ideal simulation paradigm to prove that our scheme achieves the two goals in the scenario of semihonest adversaries, assuming that the OT 1 protocol we use is secure.

Theorem 1.
Our privacy-preserving self-helped medical diagnosis scheme is secure against semihonest adversaries if the OT 1 protocol is secure.
Proof. Notice that the view of , {VIEW ( , { 1 , . . ., })} =1,2 , in the real execution consists of three parts: the private input, the random tape, and the messages received from the other party, including the output. Therefore, we can write the views of 1 and 2 , respectively, in the real execution as follows: where {VIEW In the following discussion, we follow the real-ideal simulation paradigm to construct such probabilistic polynomial-time algorithms 1 , 2 . We separately prove the case when 2 is semihonest and the case when 1 is semihonest.
Case 1 ( 2 is semihonest). In this case, we only need to construct a simulator 2 so that, given 2 's input { } =1,..., and output , 2 can simulate 2 's view in the real execution presented above as (12).
Firstly, since we assume that the OT 1 protocol used in our scheme is secure and can be taken as a black box, there exists an algorithm Next, notice that 2 is given ({ } =1,..., ; ); it can easily simulate the remaining parts of (12) by randomly choosing a × ( + 2) matrix which is indistinguishable from the blinded matrix . Then, 2 outputs the simulated view, Obviously, we can conclude that
Case 2 ( 1 is semihonest). Similar to Case 1, we only need to construct a simulator 1 so that, given 1 's input and output , 1 can simulate 1 's view in the real execution presented above as (11).

Conclusions
In this paper, we consider the problem of how to securely make a diagnosis without leaking the patient's health data, the diagnosed result, or the hospital's disease database in wireless sensor networks. By applying the idea of secure two-party computation and the technology of oblivious transfer, we propose a privacy-preserving self-helped medical diagnosis scheme so that patients can privately diagnose themselves by inserting a health card into a self-helped MD-ATM to obtain the diagnostic report, just like drawing money from a bank ATM. We also analyze the correctness in detail and strictly prove the security following the real-ideal simulation paradigm. We expect to provide people with another perspective on future medical care.