A Blockchain-Based Trustworthy Access Control Scheme for Medical Data Sharing

,


Introduction
In the era of big data, multisource heterogeneous, fastgrowing, accurate, and massive healthcare data are widely used in various fields, such as disease research, clinical treatment, new drug development, epidemic prevention, and control.It can substantially improve the efficiency and accuracy of medical research and significantly reduce the burden of social medical costs [1].However, due to the extensive collection and application of medical data, it also faces a series of security and privacy threats such as theft of personal data, phishing attacks, illegal user access, and ransomware attacks.All of these may lead to the leakage and loss of medical data, thus failing to ensure the privacy, integrity, and reliability of the data.
Patient-centered healthcare data exchange attempts to shift data ownership from the provider to the patient [2].When a patient needs to treat across medical institutions or provide data sources for disease research centers [3], they can authorize organizations to share their medical data.As an emerging Internet database technology, blockchain [4] has the characteristics of decentralization, transparency, and data tamperability.It provides an innovative method for storing information, executing transactions, and building trust in an open environment [5].It has become popular to employ blockchain technology to securely share patient data with different institutions.The existing methods [6][7][8][9][10] mainly focus on deploying access control policies on the blockchain to access medical data by identifying users authorized by patients.However, these schemes only consider the single authorized access between patients and users and do not take into account the multilayer access of data between institutions.As shown in Figure 1, there is still a risk of internal leakage of data in the organizations that have been authorized by patients.Furthermore, it would be a huge cost if access control operations were carried out for each internal personnel.Considering the cost of authorization management and malicious attacks on internal nodes, patients want to restrict the secondary authorization of personal health data within the organization.Therefore, in the face of these challenging issues, we need to quickly find solutions to securely access patient data within authorized institutions in order to maximize patient privacy.
The lack of fine-grained security access control models for authorized institutions (Ai) is vulnerable to attacks by malicious nodes with legitimate identities and privileges within the institution [11].Traditional access control models, such as role-based access control (RBAC) [12] and attribute-based encryption (ABE) [13], have been proven to be effective in detecting and preventing illegal access to data.However, the above methods cannot provide practical solutions to the security problems such as unknown user access, internal node attacks, and unaccountable data leakage that exist in Ai.To alleviate these troubles, trust-based access control (TBAC) [14] was then introduced to the authorization constraints within Ai.Patients delegate Ai to set trust thresholds for different permissions to identify sensitivity.For the staff from the delegated institution, only with a high trust level is granted authority to obtain the patient's medical information.
The trust of internal user (Iu) can be verified by designing smart contract on the blockchain [15].However, there is still a challenge for Iu to prove to Ai that its trust can activate data access without divulging privacy.As a novel and effective variant of zero-knowledge proofs, zero-knowledge-succinct non-interactive arguments of knowledge (zk-SNARKs) [16,17] can achieve verification without disclosing the content of the proof.Especially, zk-SNARKs are combined with smart contracts for authentication to ensure that the Iu trust matches the authority trust assigned by Ai and protect user privacy.
To overcome the abovementioned problems, a trustbased authorization access control (TAAC) scheme is proposed to solve the secure access of medical data within Ai though using blockchain technology and deploying smart contracts.Overall, our main contributions are summarized as follows.
(1) A trust-based authorization and verification scheme for medical data is designed, named TAAC.This approach can settle the difficulties of costly authorization constraitns and internal malicious node attacks caused by patient entities intervening in institutional entities.In our TAAC, Ai can send preassigned permission trust threshold ciphertexts to the blockchain through transactions for distributed access control.(2) In the proposed scheme, a dynamic trust calculation model (TCM) is constructed to evaluate the trust of end users.Then, utilizing zk-SNARKs, the user creates a reliable zero-knowledge proof and sends it to the smart contract for validation, which can ensure that the user does not reveal any privacy.The smart contract determines whether it can activate the permission by comparing the user's trust with the permission trust threshold set by the organization.The permission transactions between Iu and Ai will be broadcast in the blockchain for patient accountability and traceability after the verification is successful [18].(3) Through the comprehensive comparisons with the existing schemes, we find that the proposed scheme exhibits higher privacy and execution efficiency in terms of the metrics of data protection and resistance to attacks.The validation is carried out in terms of both theoretical security analysis and experimental performance evaluation, proving the superiority of TAAC.
The remainder of the paper is structured as follows.Related work is described in Section 2, and some early

IET Information Security
components are offered in Section 3. The proposed scheme is outlined in Section 4, and the specific implementation details of TAAC are introduced in Section 5. Section 6 summarizes the characteristics of the TAAC scheme and compares it with other schemes in terms of performance.Finally, Section 7 provides a summary of the work done in the paper.

Related Works
Conducting in-depth research on access control for medical data is an important tool for user privacy protection.In this section, the related work on trust-based access control and blockchain-based access control is presented.

Trust-Based Access Control
Schemes.An access control model to evaluate the trust of interactive agents can improve the privacy and robustness of the medical system.Healthy-Broker [19] was a trust-building agent architecture specifically designed for eHealth services.It securely completes eHealth transactions by evaluating trust relationships and uses a distributed blockchain ledger for tracking to prevent potentially malicious behavior.Sahaana et al. [20] provided a trust assessment model for dynamically managing nodes, which uses trust to evaluate the behavior of each node, thus effectively avoiding the improper behavior of malicious nodes.Lewandowski et al. [21] improved the treatment effect and smoothed the overall function of the medical system by estimating patient trust.Jiang et al. [22] proposed a T-RBAC model utilizing role-attribute trust and physician-behavior trust for hierarchical authorization.Singh and Chatterjee [23] proposed an access control rule set, which can protect unauthorized access to medical data and dynamically control access views.Hu et al. [24] combined the entropy weight method with fuzzy theory to comprehensively evaluate the interactive trust value, and then used a two-way selection mechanism of roles and a third-party real-time monitoring mechanism to dynamically control access to the healthcare cloud system.The VARTE model [25] is based on vector auto-regressive (VAR) to effectively compute the trust value of user behavior in mobile health information systems.He et al. [26] discussed a distributed medical sensor network trust evaluation model, in which nodes can assess the credibility of each other to detect malicious nodes.Athanasiou et al. [27] introduced adaptive cloud inference system to fuzzy infer doctor credibility, which helps to ensure patient satisfaction in the universal medical environment.Xin et al. [28] used hierarchical analysis to determine trust evaluation index weights in medical big data and combined with whitening weight function to solve the problem of inaccurate trust evaluation results.
2.2.Blockchain-Based Access Control Schemes.Network attacks are prevalent in healthcare systems [29], and the application of blockchain technology to access control in medical data is also a hot topic of current studies.Siyal et al. [30] believed that the public verifiability of blockchain provides access control to electronic medical records without any third party but can not guarantee the reliability of data sources.Fan et al. [31] designed a blockchain-based electronic medical record framework named MedBlock for secure medical data sharing.Xia et al. [32] used smart contracts and access control mechanisms for data tracking to achieve auditable and secure sharing of medical data by revoking the access rights of illegal entities.However, it is impossible to avoid internal attacks by users with legal identities.Hussien et al. [33] proposed an access control scheme for outsourced encrypted medical data, which bridged the gap between personal health records and blockchain technology.Gan et al. [7] designed an incentive mechanism to encourage patients to share data and let patients act as supervisors to supervise unauthorized medical institutions to legally use their own medical data.Obviously, the data may have been maliciously compromised.Feng et al. [34] combined hierarchical attribute encryption with linear secret sharing, which avoided the security risk of submitting access policies to the blockchain network, and enabled authorized users to efficiently query the required data.Thwin and Vasupongayya [35] established a fine-grained access control model, which uses proxy re-encryption technology to protect medical data privacy and support access revocation.Sun et al. [36] stored the hash of medical data on the blockchain, while the specific data are stored in the IPFS.And only users who satisfy the attributes can decrypt the data.Saini et al. [37] proposed four types of smart contracts for user authentication and access control, and combined elliptic curve cryptography and Edwards curve digital signature algorithm technology to protect data privacy.However, these schemes mainly focus on single authorized access between patients and data users, while the risk of data leakage still exists in the institutions that have been authorized by patients.

Preliminaries
Theoretical knowledge and related techniques involving TAAC will be brought up in this section.For the sake of clear and concise presentation, the commonly used symbols are listed in Table 1.3.1.Blockchain.Blockchain is considered to be a distributed storage database that combines technologies such as cryptographic principles, consensus mechanisms, and smart contracts.These technologies can ensure that the information in the blockchain network is traceable, nontamperable, and timely verifiable [38,39].
3.1.1.Data Structure.Each block is composed of a block header and a block body.The block header contains three sets of metadata such as the previous block hash, Merkle tree root, and timestamp, which are used to ensure traceability and invariability.Transaction data are stored in the block body.Generally, cryptographic hashes and digital signatures are used to ensure the integrity and authenticity of transactions.
3.1.2.Consensus Protocol.It can effectively ensure that each node in the blockchain maintains the ledger according to the established rules, thus maintaining the consistency of transactions in the distributed network [40].
3.1.3.Smart Contract.The concept was first introduced by cryptographer Nick Szabo and applied to Ethereum by Vitalik Buterin.It is a computer protocol for trusted transactions without third-party supervision, which could additionally be self-executing and self-verifying [41].

Zero-Knowledge Proof.
A zero-knowledge proof is one in which the prover is successful in persuading the verifier that a statement is true while withholding all relevant information from the verifier.It is also essentially an agreement involving two or more parties.Zero-knowledge proofs include both interactive and noninteractive types.Interactive proofs require multiple communications between the prover and verifier resulting in lower efficiency, while noninteractive proofs only require the prover to send a message to the verifier once according to the protocol, which makes them more efficient for blockchain applications [42].
3.3.zk-SNARKs.Zk-SNARKs are a special form of zeroknowledge proofs.A complete zk-SNARK scheme should consist of a key generation algorithm ZKKeyGen, a proof generation algorithm ZKProveGen and a verification algorithm ZKVerify.Specific definitions and explanations of these three algorithms are in Section 5.In addition to this, zk-SNARKs are distinguished from ordinary zero-knowledge proofs by the following properties.
(1) Noninteractive: One message from a prover can demonstrate to a verifier that they are aware of a certain piece of knowledge.
(2) Succinct: The time it takes to verify the proofs is minimal [40].(3) No matter how sophisticated the program is that needs to be proved, zk-SNARKs always produce the same amount of information [41].
3.4.Bilinear Mapping.Suppose that G 1 and G 2 are two multiplicative cyclic groups with q as their common prime order.

System Overview
This section initially describes the TAAC system concept before going over three roughly similar scenarios.Finally, we describe the overview process of the scheme.

System Model of TAAC.
The proposed TAAC model is shown in Figure 2 and mainly involves five entities: register authority (RA), hospital, doctor, TCM. and blockchain.
Their respective functions can be described as follows: (1) RA: In its capacity as a completely trusted entity, RA is in charge of configuring public parameters and keys required by the system.It is also responsible for assigning key pairs and individual identification identifiers to hospitals and doctors.(2) Hospital: In this paper, hospitals represent typical Ai instance and are also incompletely trusted medical data consumers.Hospitals are responsible for making access policies, which are manifested by setting a trust threshold for each permission to identify the sensitivity of the permission.The trust set is then encrypted and the ciphertext address is sent to the blockchain via a stored transaction Tx storage .(3) Doctor: Doctors are representative roles of Iu in the hospital who need to access the patient medical data.If a doctor wants to access medical data, he needs to first conduct a trust assessment and generate a zeroknowledge proof π based on the trust.Then submit the π to the smart contract for authorization verification.(4) TCM: It was designed to prevent malicious doctors from gaining permissions by forging trust.TCM calculates the doctor's trust by considering various quantitative factors, which are usually measured by those who have had direct or indirect interaction with the evaluated person.(5) Blockchain: Transactions recorded in the blockchain will be preserved as evidence for patients to pursue accountability due to its tamper-resistance and traceable.The smart contract was deployed in advance, and automatically judges the validity of π without the participation of a third party.

4.2.
The Overview Process of TAAC.Generally speaking, the intended TAAC's overview process maybe simply separated into the six steps, as shown in Figure 3, such as system initialization, broadcast in blockchain, trust evaluation, zero-knowledge proof generation, smart contract verification, and authorization recorded in blockchain.(1) System initialization: This phase initializes the parameters in the system, such as generating key pairs and unique identifiers.(2) Broadcast in blockchain: The patient delegates the authorized hospital to perform secondary access control.The hospital h i is responsible for assigning the trust value Pt i to each permission to identify the permission sensitivity, and then executes Enc algorithm to encrypt the set of trust values T by PK h for locally secure storage.And meanwhile, the hospital h i generates a zero-knowledge proof π 0 based on T and sends a storage transaction to the blockchain, and then broadcasts it in the blockchain network.(3) Trust evaluation: The doctor d i can provide the TCM with a unique identity identifier ID d , and then the TCM executes the Eva algorithm to calculate the trust value of the doctor d i .(4) Zero-knowledge proof generation: Based on their mutual trust, the hospital h i and the doctor d i can each generate a reliable zero-knowledge proof π using zk-SNARKs and record the corresponding computation result R and hash value H.These are combined into a zero-knowledge proof information set Proof for protecting the privacy of patient medical data transactions.( 5) Smart contract verification: The doctor d i transmits the zero-knowledge proof information set Proof to the blockchain.Then, the smart contract successively compares the zero-knowledge proof information set Proof with the corresponding information previously submitted by the hospital h i through ZKVerify algorithm to obtain a verification result.Permission can only be activated if the personal trust exceeds the permission trust threshold.(6) Authorization recorded in blockchain: The smart contract will inform the hospital h i to encrypt and transfer the permission list ðPLÞ to the doctor d i as soon as the verification is successful.Finally, a transaction Tx authorize records the authorization information between the doctor d i and the hospital h i and it will be published on the blockchain.

Specific Implementation of TAAC
Six phases comprise up the precise execution of our suggested strategy, each of which will be discussed in turn below.

System Initialization.
Step 1: RA first takes a security parameter λ as input and selects the multiplicative cycle groups G 1 and G 2 , which are produced by the same prime q, then defines e : G 1 × G 1 → G 2 as a cryptographic bilinear map.In addition, RA sets two secure hash functions H 0 : f0; 1g * → G 1 and H 1 : Step 2: RA randomly selects x; y; z 2 Z q , g; h 2 G 1 are the different generators of G 1 , then executes Setupð1 λ Þ: → ðMPK; MSKÞ: to generate the public key and the master secret key, where MPK ¼ ðq; e; g; h; G 1 ; G 2 ; H 0 ; H 1 Þ: ; MSK ¼ ðx; y; zÞ: .
Step 3: The hospital h i provides RA with a special identification number ID h so that RA can create the key pair ðPK h ; SK h Þ: for the hospital using algorithm RegðMPK; MSK; ID h Þ: → ðPK h ; SK h Þ: .
Step 4: RA randomly chooses a i 2 Z q ði ¼ 1; 2; 3Þ: and Finally, the public key PK h ¼ ðfa i g 1≤i≤3 Þ: and the private key SK h ¼ ðfA i g 1≤i≤3 Þ: of the hospital h i will be generated.

Broadcast in Blockchain.
Step 1: The hospital h i sets a trust threshold Pt i for each permission to obtain the permission trust threshold set T ¼ fPt 1 ; Pt 2 ; …; Pt n g: .Then, the hospital h i will encrypt the T by EncðMPK;PK h ; TÞ: → CT to get the ciphertext CT ¼ fct 1 ; ct 2 ; …; ct n g: .
Step 2: The hospital h i is going to generate a zeroknowledge proof information set Proof h ¼ fπ 0 ; R 0 ; H 0 g: by zk-SNARKs depending on T when the permission trust set T has been established.The same method can be implemented by doctors to obtain personal private information relating to zero-knowledge proof.
Step 3: The hospital h i computes the message digest of T and produces a digital signature by σ h ¼ SigðSK h ; H 0 ðTÞÞ: .The hospital h i will utilize a storage transaction Tx storage ¼ PTStoreAddress; π 0 ; R 0 ; H 0 ; σ h g to submit the ciphertext address to the blockchain in order to accomplish trust matching.PTStoreAddress represents the ciphertext storage location that is used to index the ciphertext CT.
Step 4: The other nodes in the blockchain will use the signature σ h to determine whether the transaction is valid after the Tx storage is generated.The transaction between the hospital h i and the doctor d i will be uploaded to the blockchain after the verification is completed.
A storage transaction's entire generating process is shown in Algorithm 1.

Trust Evaluation.
In the medical background, the definition of trust for a specific user is the entire assessment of the credibility.Typically, the assessment is based on people who Input: The permission trust threshold set T; The

6
IET Information Security have had direct or indirect interactions with the person being assessed and uses a trust model to calculate the user's trust value based on user feedback, prior behavior, and daily observations.In the proposed scheme, TCM offers an efficient method for calculating user trust value.
The procedure employed by TCM to determine each doctor's trust by using a variety of quantitative indicators is shown in Figure 4.The arrows in Figure 4 illustrate how one factor depends on another.A doctor can provide a set of information <ID d ; t > to TCM to calculate the personal trust value, where ID d is used to identify the doctor and t represents the local timestamp.Supposed the hospital assessor h needs to calculate the reliability of the doctor d, the specific process is made up of the following components.
Step 1: The satisfaction Sat tþ1 ðh; dÞ: denotes the job appraisal of the assessor h on the doctor d in the recent period, and the trust is positively related to the satisfaction.It can be computed as Formula (1): where if β ¼ 0, then Sat tþ1 ðh; dÞ: ¼ Sat t−1 ðh; dÞ: ; if β ¼ 1, then Sat tþ1 ðh; dÞ: ¼ Sat cur .Let Sat t−1 ðh; dÞ: represents the satisfactory value of h to d within t − 1 time interval, which is determined by the exponential average of the prior satisfaction in Formula (1).For the recent satisfaction Sat cur 2 ½0; 1: , Sat cur ¼ 1 indicates that h is completely satisfied with d, while Sat cur ¼ 0 indicates that h is completely dissatisfied with d.In addition, β is a carefully selected relative weight value to ensure that Sat cur has a higher weight value than Sat t−1 ðh; dÞ: .
Step 2: As shown in Formula (2), the similarity Sim tþ1 ðh i ; h j Þ: measures the degree of similarity between the feedback given by two different assessors h i and h j to the same doctor d.The higher similarity leads to the higher precision of trust calculation.The similarity is calculated based on the feedback from people who have contact with the doctor d: where ED tþ1 ðh i ; h j Þ: is defined as the evaluation difference and Δ is a similarity deviation constant indicating the upper limit of the permissible variation, as shown in Formula (3).The difference value no greater than the fluctuation constant Δ would indicate that the feedback from the two assessors was closer.SA is the evaluator set of d except h i .What's more, the reward and punishment coefficients φ and ϑ for updating the similarity are respectively set to reward evaluators for their work and prevent evaluators from providing fake feedback on d.Since it is more difficult to establish trust than to lose it, the punishment coefficient is assigned a greater weight value than the reward coefficient, that is 0<φ<ϑ<1.

IET Information Security
Step 3: As shown in Formula (4), the assessment credibility AC tþ1 ðh; dÞ: indicates the accuracy of the feedback provided by the evaluator.The more similar result of two assessors implies a higher assessment credibility.It is calculated according to the direct logarithm function of similarity, and θ ¼ 0:01 represents the minimum allowable value of similarity.
Step 4: The direct trust Dir tþ1 ðh; dÞ: is defined as the assessor h calculating the trust value for doctor d from personal experience, which is obtained in accordance with Formula (5): Step 5: When the assessor h has insufficient direct interactions with doctor d, h can request others to provide their evaluations of d.Then, the assessor h will calculate the indirect trust value by combining the direct trust of other evaluators and the assessment credibility, where W denotes the set of evaluators f who have had contact with d.The indirect trust Ind tþ1 ðh; dÞ: is computed as Formula (6): Step 6: The present trust Pre tþ1 ðh; dÞ: means the trust of the assessor h to the doctor d at the most recent time, which is calculated based on the number of interactions between h and d, according to the direct trust and the indirect trust, as shown in Formulas ( 7)-( 9): Assuming that D tþ1 ðh; dÞ: is the number of direct interactions between h and d, I tþ1 ðh; dÞ: is the average number of interactions between evaluators other than h and d, and α is the weight of direct trust.
Step 7: The historical trust His tþ1 ðh; dÞ: is the trust calculated from what happened in the past, as shown in Formula (10).Over time, the present trust has become the historical trust.∂ 2 ½0; 1: is defined as a neglected factor that prevents the appraiser h from attempting to forget the past malicious behavior with the current behavior if the appraiser had malicious behavior in the past: Step 8: The predicted trust PT doc reflects the future expectation of the assessor h on the doctor d, which is calculated from present trust and historical trust, as shown in Formula (11): The relative weight γ 2 ð0:5; 1:0Þ: is dynamically adjusted based on present trust and historical trust to ensure a higher weight is given to present trust Pre tþ1 ðh; dÞ: .
Step 9: The trust level L tþ1 2 f0; 1; 2; 3; 4g: is defined as the evaluation of patient to the work of doctor, where the number represents the respective ratings of terrible, poor,

8
IET Information Security average, good, and best.Then, the trust level score LS tþ1 can be computing, as shown in Formulas ( 12) and ( 13): Formula ( 12) indicates a single value result, while Formula (13) calculating the normalized result.
Step 10: As shown in Formula ( 14), the biased trust BT doc is used to handle malicious trust fluctuation of the evaluator h, so as to prevent h from wavering in the evaluation of doctor d and thus affecting the network performance: Step 11: The medical malpractice decay trust DT doc is expressed as a trust deduction mechanism.In this process, each doctor was initially assigned to K trust points, with fixed trust points reduced for each medical incident.In this mechanism, the trust decay coefficient ω is introduced, and the doctor's i th medical malpractice is recorded as MR doc ðiÞ: , then the decay trust value of the doctor is calculated, as shown in Formula (15): Step 12: The overall trust OT doc is calculated by combining predicted trust PT doc , biased trust BT doc , and medical malpractice decay trust DT doc , as shown in Formula ( 16): For the relative weights , the trust threshold OT doc 2 ½0:0; 1:0: , where OT doc ¼ 1:0 indicates that the doctor d is completely trusted, and OT doc ¼ 0:0 indicates that the doctor d is completely untrusted.5.4.Zero-Knowledge Proof Generation.After obtaining the personal trust value from the TCM, the doctor d i completes an initial determination of whether the trust level meets the trust thresholds set by the hospital h i for medical data access privileges.To create zero-knowledge proof π, the doctor must affix his digital signature σ d to the trust.The digital signature σ d and zero-knowledge proof information set Proof d ¼ fπ; R; Hg: of the doctor will be generated according to the following processes and elaborated by Algorithm 2.
Step 1: The additional parameter δ ¼ ðID d ; t; OT doc Þ: can be calculated according to the unique identifier ID d of the doctor d i , the timestamp t, and the assessed trust OT doc .
Step 2: The additional parameter δ ¼ ðID d ; t; OT doc Þ: and a random number r are used as the input conditions for the hash operation H 0 ðδ; rÞ: .Then the digital signature σ d by executing σ d ¼ SigðSK d ; H 0 ðδ; rÞÞ: is generated.
Step 3: Assuming c1 2 C 1 is the proposition and c2 2 C 2 is the proof, let C : the associated logic computational relationship.The doctor d i constructs the circuit C, as shown in Figure 5.It takes the public key set <PK 1 ; PK 2 ; …; PK n >, the doctor trust value set OT doc ¼ <Ot 1 ; Ot 2 ; …; Ot n ; r > and the extended data <ID d ; t > as inputs.In order to confirm the accuracy and accessibility of the data, a circuit computation result R and a hash value H are respectively output.
Step 4: The security parameter λ and the circuit C will be taken as input parameters to execute ZKKeyGenð1 λ ; CÞ: → ðGK; VKÞ to compute the key pair.The zero-knowledge proof is created with the help of the key GK, and it is verified with the help of the key VK.
Step 5: The key GK, the doctor trust value OT doc , the digital signature σ d , the circuit result R, and the hash value H are utilized as inputs to generate a reliable zero-knowledge proof π by ZKProveGenðGK; OT doc ; R; H; σ d Þ: → π.

Smart Contract Verification.
The zero-knowledge proof information set Proof d is provided to the blockchain by the doctor d i .Without the involvement of a third-party, the smart contract will immediately confirm whether the relevant attestation information of the doctor d i meets the IET Information Security permission trust threshold set by the hospital h i .The verification steps are shown as follows.
Step 1: The smart contract utilizes the public key PK d of the doctor d i to verify the electronic signature σ d and return a result SigResult.
Step 2: Then, the verification key VK generated by zk-SNARKs is adopted to contrast the zero-knowledge proof π and return a result ZKResult.
Step 3: Assuming that both validations have been successfully passed, the smart contract further compares the proof information set Proof h ¼ fπ 0 ; R 0 ; H 0 g: generated by the hospital h i based on T with the proof information set Proof d ¼ fπ; R; Hg: generated by the doctor d i based on OT doc in correspondence.A result such as True or False will be output if all of the verifications have been successful.
The verification procedure is illustrated in Algorithm 3.

Authorization Recorded in Blockchain.
Step 1: The smart contact in blockchain returns the verification result to the hospital h i .If the returned result is True, the hospital will encrypt and store the list of grantable permissions PL ¼ fP 1 ; P 2 ; ⋯; P n g: and the ciphertext address is PLStoreAddress.
Step 2: After receiving the authorization notification from the blockchain, the doctor d i retrieves the encrypted permission list CPL ¼ fCP 1 ; CP 2 ; …; CP n g: through PLStoreAddress.
Step 3: Then the doctor d i gets the private key SK h of the hospital h i through the secure key channel and decrypts the ciphertext by DecðSK h ; CPLÞ: → PL to obtain the permission list PL.
Step 4: Finally, the hospital h i generates a transaction to record the authorization information between the doctor d i and the hospital h i , which is described by Algorithm 4. The authorization transaction Tx authorize ¼ fID A ; ID d ; PK h ; PLStoreAddress; t; σ h g: will be published on the blockchain, where ID A is used to identify authorization transaction and t represents the Tx authorize generated time.

Scheme Analysis
We primarily assess the TAAC method from three angles in this section.First, we analyze whether the scheme meets the basic security and privacy requirements of blockchain operations.Furthermore, the TAAC scheme is comprehensively compared with some existing methods in related work.Finally, extensive experiments are conducted to demonstrate the efficiency.
6.1.Security Analysis.The security of the TAAC scheme is analyzed in five aspects, including trustworthiness, traceability, privacy, integrity, and against DDoS attack.return True; 7: return False; ALGORITHM 3: Verify the zero-knowledge proof.

10
IET Information Security 6.1.1.Trustworthiness.In this paper, our TAAC transmits the ciphertext address with digital signature to the blockchain by a storage transaction, and broadcasts it throughout the network nodes.From beginning to end, the entire encrypted broadcast process only involves the hospital and the blockchain, thus guaranteeing the trustworthiness of authorization management with avoiding the possibility of any other intermediate entities trying to steal permission data.In addition, in the verification phase, the blockchain platform automatically verifies whether the doctor 0 s trust conforms to the authority trust level set by the hospital through a predeployed smart contract, further realizing a trustworthy authorization delegation without manual intervention.
6.1.2.Traceability.Our system can monitor and validate the access data in the blockchain.Any operations related to the blockchain are recorded as an immutable storage transaction and authorization transaction, respectively.Once the storage transactions and authorization transactions are validated by the smart contract, the doctors will be notified of the categories of medical data access rights open to the hospital, and the hospital will query what authorizations have been granted to each doctor.Therefore, if it is detected that the medical data have been maliciously disclosed or changed, neither the hospital nor the doctor can deny it, and can be held accountable retroactively based on the authorization transactions recorded on the blockchain.
6.1.3.Privacy.Most of the existing trust evaluation models directly output the trust value, which poses a great threat to privacy leakage.Our scheme ensures that doctors 0 s identity information will not be disclosed during trust evaluation by generating a unique identity for each doctor.To solve the problem of trust privacy leakage, the smart contract can only obtain a zero-knowledge proof generated based on trust but not directly get individual trust during the verification process.In terms of authority information privacy, storing permission data in encrypted form can prevent malicious users from stealing sensitive data.
6.1.4.Integrity.In order to increase the scalability of the TAAC, the hospital may sporadically change the authorization data, and the ciphertext connected to the ciphertext address will also be altered.The additional digital signature in the storage transaction and proof generation can verify the ciphertext at any time and ensure the authenticity of the zero-knowledge proof.In addition, the information of authorized transactions between doctors and hospital is recorded on the chain through the consensus algorithm.The blockchain can ensure data are not tampered with by using the Merkle tree feature.
6.1.5.Against DDoS Attack.It is fairly straightforward that our scheme can resist DDoS attack as the blockchain-based architecture is decentralized.Even if the blockchain nodes are attacked maliciously, users can access the network normally as long as one node exists.In this scheme, both storage transactions and authorization transactions must be verified before recording.They need to provide valid digital signatures when interacting with the blockchain network, which is an effective method to thwart DDoS attack.

Comprehensive Comparisons of TAAC.
In Table 2, five related trust-based access control methods are contrasted with the TAAC.This analysis mainly focuses on five aspects such as the dynamics of the trust evaluation model, data encrypted storage, trust privacy, blockchain technology and whether it can resist malicious attacks.The access control scheme designed by Jiang et al. [22] and Hu et al. [24] sets influence factors to dynamically adjust the accuracy rate of the trust evaluation model, but they cannot guarantee the trust privacy.The HealthyBroker trust-building agent architecture designed by Kurdi et al. [19] conducts audit and tracking through the blockchain ledger to prevent potential malicious behavior, but this scheme does not consider the security of patient data.He et al. [26] used cryptographic technology to encrypt and store information without causing data leakage.However, this scheme relies too much on the cooperation and reliability of distributed nodes, which is prone to creating system crash.Lin et al. [14] introduced the Vickrey-Clark-Groves (VCG)-based adaptive reputation mechanism (VARM) into the access control scheme, which can effectively identify malicious users and resist internal attacks, but it does not take into account the security issues arising from transparency.
Overall, these trust-based access control mechanisms are unable to simultaneously protect trust privacy and impede malicious user behavior.The TAAC scheme designed in this paper enables data privacy protection and avoids access initiated by malicious nodes.By storing the encrypted data locally and sending the ciphertext address to the blockchain, the credibility of access authorization with blockchain characteristics can be guaranteed.In terms of privacy, trust verification through zero-knowledge proof can effectively prevent IET Information Security the privacy leakage of the permission trust and user trust.In addition, TCM uses trust decay coefficient, reward and punishment coefficients, and neglect factor to enhance the sensitivity and dynamics of the model, which can resist the access initiated by internal malicious nodes.
6.3.Performance Evaluation.Since TCM and zk-SNARK constitute two crucial components of the proposed system TAAC, the performance of trust evaluation and zeroknowledge proof are tested separately.For the performance analysis, the experiments are implemented on a computer with Intel(R) Core(TM) i7-4790 U CPU @3.60 GHz, 12 GB of RAM, and Ubuntu Linux 18.04 LTS.We publish the computed trust data and shared information on Hyperledger Fabric and write smart contracts in the Go language.Zeroknowledge proofs are implemented using libSNARK-based zk-SNARK provided by Electric Coin Company.
For the experimental evaluation of the proposed system, we used data from a medical database [43].One hundred virtual users are given random trust values, which represent their actual trust values.These assigned parameters are utilized to calculate the proposed system accuracy rate.The experiments initially began with 10 interactions, after which 10 interactions are added each time.Each experiment is repeated for 20 times and the average is calculated.To measure the performance of this scheme, we will compare it with RMTAC based on VARM [14] in terms of the accuracy rate, approval rate, and system malicious access rate.The theoretical analyses and performance comparisons between the schemes are shown in Figure 6.
6.3.1.Accuracy Rate.It is described as the proportion between the calculated trust value and the real trust value.According to Table 3 and Figure 6(a), TCM has a marginally greater accuracy rate than VARM.The accuracy rate of VARM basically remains around 90%, while that of TCM fluctuates slightly around 91.5%.The reason is that VARM only considers the reward factor to motivate users to provide more accurate recommendations but does not set a penalty factor to avoid users 0 dishonest recommendations.On the contrary, TCM establishes a tight system of rewards and penalties that can efficiently reward users who provide trustworthy suggestions and penalize harmful users who produce untruthful comments.Therefore, the accuracy rate of TCM is marginally higher than that of VARM.6.3.2.Approval Rate.It is defined as the ratio of the number of successful access that does not meet the security requirements to the total number of access requests.The results in Table 4 and Figure 6(b) illustrate that TCM has a lower approval rate compared to VARM.It is assumed that there are a fixed number of malevolent users at the beginning, and their trust does not satisfy the security requirements.As the quantity of user interactions grows, the approval rates of both VARM and TCM tend to a stable range.The approval rate of VARM is basically stable around 12%, while that of TCM fluctuates around 10%.This means that TCM exhibits better attack prevention ability than VARM under the same number of malicious users.There are two main reasons for the discrepancy in result.False comments cannot be avoided due to the existence of malicious users in the initial stage.VARM only adaptively adjusts the initial trust of unknown users according to the actual situation of the network, without considering the punishment of malicious behavior.In contrast, TCM adds the historical trust and introduces a neglect factor in calculating doctor trust, which can prevent the doctor from trying to cover up past irregularities with present compliance behaviors.In addition, TCM designs a trust deduction mechanism to reduce fixed trust points according to the trust attenuation coefficient if the doctor commit misconduct, which will curb the occurrence of malicious access to some extent.

Malicious Access Rate.
It is used to evaluate the privacy protection capability of the proposed TAAC system.The malicious access rate is defined as the percentage of successful access to illegal information in the whole interaction, supposing that some access requests from malicious users have been granted in the experiment.The comparison result is demonstrated in Table 5 and Figure 6(c).Since RMTAC does not implement fine-grained division of permissions, that means, users can use ungranted access rights when legitimate identity users cheat.This will cause authorized users to tamper with or disclose information, thereby increasing the malicious access rate.TAAC verifies the trust of each permission by introducing zero-knowledge proof protocol.Only the doctor who meets the authority trust level can obtain the corresponding authority, and the encrypted authorization list can also prevent attackers from stealing access rights.Therefore, the average malicious access rate of TAAC is lower than that of RMTAC.
Next, the performance of zero-knowledge proof is evaluated.The time required to generate evidence is the main bottleneck of this technique since the noninteractive zeroknowledge proof model is utilized.By simulating the process of the model, this experiment focuses on evaluating the zk-SNARK key pair generation time, proof generation time, and proof verification time.The experiment starts with 100 permission trust values as the circuit inputs, and then the test is    IET Information Security repeated for 20 times.Finally, the average value of these indicators is then determined.As observed in Figures 7(a) and 7(b), the proposed scheme takes approximately 12.5 s to generate a zero-knowledge proof key pair and 28.3 s to produce a proof.This indicates that the time required to construct a zero-knowledge proof key pair and a proof will not vary much even when the authorization data used as circuit inputs increases, dramatically boosting the scalability of the scheme.Furthermore, Figure 7(c) illustrates when the quantity of input parameters expands, the verification time for zeroknowledge proofs similarly increases.The result indicates that the validation time does not exceed 0.6 s when the number of input parameters reaches 1,000, which is still an acceptable time limit and does not affect concurrency.

Conclusion
In this paper, we propose a TAAC scheme, which can resolve the issues of high-cost authorization management and internal malicious node attacks caused by the intervention of patient entities into the institutional entities.We first design an authorization verification model and describe in detail the specific processes of the entities and schemes involved in the model.Then, we construct a dynamic trust computation model TCM to evaluate the trust of users and elaborate on the zero-knowledge proof generation based on the trust and verification authorization process.Finally, the security analysis and performance comparisons between the proposed scheme and the existing schemes are carried out.The experimental results show that the scheme is more secure, reliable, and efficient in terms of privacy protection, trust evaluation, and resisting malicious access.Future research efforts will focus on further optimizing the trust evaluation model to improve the accuracy of trust calculation while reducing the malicious access rate.Meanwhile, the efficiency of zero-knowledge proof can be also improved by meliorating the implementation process.

FIGURE 3 :
FIGURE 3: The overview process of TAAC.
Input: The permission list PL;The identifier ID A of the authorization transaction;The identifier ID d of the doctor d i ;The key pair ðPK h ; SK h Þ: of the hospital h i ; The storage address PLStoreAddress of the permission list ciphertext CPL; Output: The authorization transaction Tx authorize ; 1: if result is valid then 2: / * Get the current time * / t ¼ TimeNowðÞ: ; 3: / * Compute the message digest for PL * / MD ¼ H 0 ðID A ; PLÞ: ; 4: / * Sign the message digest with the SK h * / σ h ¼ SigðSK h ; MDÞ: ; 5: / * Generate the authorization transaction * / Tx authorize ¼ fID A ; ID d ; PK h ; PLStoreAssress; t; σ h g; 6: return Tx authorize ; 7: return ⊥;

TABLE 2 :
Performance comparisons of different schemes.

TABLE 3 :
Accuracy rates of different interactions.

TABLE 4 :
Approval rates of different interactions.

TABLE 5 :
Malicious access rates of different interactions.