A Privacy-Preserving Data Transmission Scheme Based on Oblivious Transfer and Blockchain Technology in the Smart Healthcare

. With the development of the Internet of Things and the demand for telemedicine, the smart healthcare system has attracted much attention in recent years. As a platform for medical data interaction, the smart healthcare system is demanded to ensure the privacy of both the receiver and the sender, as well as the security of data transmission. In this paper, we propose a privacy-preserving data transmission scheme where both secure ciphertext conversion and malicious users identiﬁcation are supported. In particular, the ( OT ) nm protocol is introduced to guarantee the two-way privacy of communication parties. Meanwhile, we adopt proxy reencryption algorithm to support secure ciphertext conversion so as to ensure the conﬁdentiality of data in many-to-many communication pattern. In addition, by taking advantage of the concept of blockchain technology, a novel ( OT ) nm protocol is proposed to prevent data from being tampered with and eﬀectively identify malicious users. Theoretical and experimental analyses indicate that the proposed scheme is practical for smart healthcare with high security and eﬃciency.


Introduction
With the extension of average life expectancy and people's increasing demand for health, the demand for smart healthcare systems such as telemedicine and e-health system is more and more urgent [1][2][3]. e smart healthcare system is an IoT health system composed of cloud computing, smart wearable devices, an expert system based on artificial intelligence, and so on [4][5][6]. e deep learning technology and data mining technology also promote the development of smart healthcare system [7,8], which is convenient for doctors to quickly diagnose diseases and formulate medical plans and to ensure that everyone can get adequate medical resources [9]. In addition, some scholars introduce blockchain technology into the smart healthcare environment [10][11][12]. ey utilize the characteristics of blockchain such as decentralization and antitampering to design the smart healthcare schemes. ose schemes can realize data sharing and ensure the confidentiality and correctness of the data. During the research, scholars discovered that there were two security challenges in the process of medical data transmission [13,14]: e first is how to ensure the confidentiality of medical data during the interaction; that is, malicious users cannot obtain or tamper with the data. e second is how to realize the two-way privacy protection between the server and the client side. erefore, we need to discuss and solve the above two security challenges in this paper.
Consider the following situation: the patient who suffers from many diseases goes to different specialist hospitals for treatment, and so many medical records are stored by different servers of hospitals that are not connected in the same network. at is, it is difficult for doctors to obtain the data across the different networks. To settle the mentioned problem, we suppose that all the data are stored in the same server. However, all data in this server are returned to the doctor when he employs the oblivious transfer (OT) protocol to request the data, which leads to the high communication overhead. us, we assume that all data are stored in the distributed server, and the users, hospitals, and also servers are all in the smart healthcare system, where the patients' records can be accessed by the departments' doctors from the different hospitals. In fact, the stored data are susceptible to collusion or tampering because of the semitrusted server. e confidentiality of stored data cannot be ensured when users employ those data. Additionally, a user employs the amount of data to request it from the server, which can try to understand the corresponding relationship between the sequence number and the stored data. Some researchers utilize the oblivious random access memory (ORAM) protocol [15] to hide that relationship [16,17]. Meanwhile, it is only applied to some simple systems due to its complex ORAM structure and the great increase in cost overheads. us, how to ensure that the server makes users know the data without knowing the serial number is one of the main contents of our scheme. Moreover, the public keys of the distributed servers are different for users owing to those servers which belonged to different hospitals. In view of the above, the data in such servers can be comprehended by users, which exposes the privacy of stored data. en, some data are attacked by malicious users to focus on, in accordance with that private information. What is more, the authorities of the user can be faked or tampered with by the revoked or malicious users who can collude the data.
Motivation of is Paper. As is mentioned above, the existing data transmission schemes are not suitable for the smart healthcare environment. erefore, our goals are to protect user privacy and guarantee the security of data transmission based on OT and blockchain technology under the smart healthcare environment. To accomplish this goal, the three following crucial issues should be considered for us. First, the confidentiality of data should be assured during the process of data transmission. e medical data are related to the life safety of patients; once they are tampered with or faked, this will endanger the lives of patients and put the hospital in financial compensation. Second, while guaranteeing that a piece of accessed data is not known by the server, the other data in it cannot be learned by the user. In addition, the stored data in such servers cannot be figured out. In case of reveal, the privacy of stored data may be leaked out. Finally, the revoked or malicious users who try to collude should be discerned by the group manager. ey will go beyond their authority to access data or modify medical data, leading to medical accidents in the hospital.

Main Contributions.
We design a privacy-preserving scheme for data transmission based on oblivious transfer and blockchain technology in the smart healthcare environment which is to resolve the above issues. e main contributions are as follows: (1) A novel (OT) n m protocol supporting two-way privacy-preserving and distributed servers is proposed. Suppose that u 1 data is stored in multiple servers.
Once a doctor requires u 1 data, he needs to employ many private keys of servers to decrypt those ciphertexts. In that way, the privacy of servers where the data is stored will be exposed. By applying this novel (OT) n m protocol, a doctor can decrypt all the ciphertexts with only his key. In other words, this protocol not only queries data quickly but also protects the privacy of servers and doctors. In addition, the proposed (OT) n m protocol can efficiently support the access control of users and many-tomany data transmission pattern.
(2) A secure data transmission scheme supporting collusion resistance and to prevent data from being tampered with is proposed. Our scheme is a data secure transmission protocol based on blockchain technology and OT technology. We utilize the characteristics of blockchain structure to store the user's identity in blocks and then form three lists, namely, patient identity list, doctor identity list, and revocation user list. erefore, our protocol can effectively verify revocation or malicious users and resist their collusion attacks. Meanwhile, in terms of the hash value in blockchain, malicious users cannot modify the data.
(3) Data confidentiality is guaranteed and the computation of our scheme is effectively reduced. We analyze and prove the security of the proposed scheme. We provide a performance comparison between (OT) n m protocol and other (OT) k n protocols through a theoretical performance analysis and an experimental analysis.

Related Work.
Oblivious transfer (OT) has gradually become an important research direction in the field of multiparty computation (MPC). At present, according to the total amount of data and the number of choices, the research of OT protocol is mainly divided into four categories: classical oblivious transfer protocol [18], 1-out-of-2 oblivious transfer (OT) 1 2 protocol [19], 1-out-of-n oblivious transfer (OT) 1 n protocol [20], and k-out-of-n oblivious transfer (OT) k n protocol [21]. (OT) 1 n protocol was proposed by Brassard et al. [20] firstly in 1986; they invoked (OT) 1 2 protocol n times to implement (OT) 1 n protocol. On the basis of the above, Gertner et al. [22] firstly achieved a distributed version of (OT) 1 n protocol with information-theoretic security and sublinear communication complexity. In 2001, Naor et al. [23] described a novel (OT) 1 n protocol, which improved the efficiency of multiple invocations of OT applications. In 2004, Tzeng [24] designed a secure and efficient (OT) 1 n protocol under the assumption of the decisional Diffie-Hellman problem. After that, based on the above, an adaptive k-out-of-n oblivious transfer scheme was proposed by Chu and Tzeng [25], which allowed the receiver to choose the messages one by one adaptively. In 2015, the simplest and most efficient protocol for (OT) 1 n protocol was presented by Chou et al. [26] and it could resist some active attacks. en, in 2007, Hauck et al. [27] proposed an (OT) 1 n protocol under the CDH assumption, which was built on ideas from the CO protocol. In 2020, Wang et al. [28] presented an (OT) 1 n protocol and the Private Set Intersection (PSI) protocol to protect user privacy in the case of VANET feature matching.
(OT) k n protocol was proposed by Bellare et al. [21] firstly in 1989, where a receiver could select and receive multiple ciphertexts at one time. Naor et al. [29] described a novel construction for (OT) k n protocol which is more efficient than k repetitions of (OT) 1 n protocol. en, the classical and universal (OT) k n protocol was designed by Naor et al. [23]. In 2005, an (OT) k n protocol with adaptive queries was proposed by Naro et al. [30], and it was considerably more efficient than k repetitions of (OT) 1 n protocol. After that, Chu et al. [31] proposed several two-round (OT) k n protocols under the decisional Diffie-Hellman problem, in which a receiver sent O(k) data to a sender and he returned O(n) data. In 2010, a secure and low-bandwidth-consumption (OT) k n scheme based on bilinear pairings was proposed by Chen et al. [32]. A novel (OT) k n protocol for private information retrieval which was more suitable for smart cities was presented by Lou et al. [33]. In 2018, Lai el al. [34] proposed an (OT) k n scheme with the least communication cost, which preserved a sender's security and the privacy of a receiver's choice.
What is more, some researchers have integrated OT technology into blockchain scheme in order to solve the problem of easy exposure of private data in the blockchain. In 2017, Hsiao et al. [35] combined the advantages and properties of blockchain and secret sharing scheme, Paillier's homomorphic encryption, and oblivious transfer to construct a decentralized e-voting system. is scheme could protect the anonymity of voter's identity, the privacy of data transmission, and verifiability of ballots during the billing phase. In 2019, Tso et al. [36] proposed the decentralized electronic voting and bidding systems based on a blockchain and smart contract, which uses cryptographic techniques such as oblivious transfer and homomorphic encryptions to improve privacy protection. en, in 2021, Li et al. [37] presented a fair scheme for big data exchanging that allows buyers and sellers to autonomously and fairly complete transactions, without involving any third-party middle person. is scheme employed OT technology to preserve the privacy of transactions.

Organization.
e structure of the paper is organized as follows. Some preliminaries in cryptographic are presented in Section 2.
e system model, design goals, and threat model are described in Section 3. e proposed scheme is introduced in detail in Section 4. e security and performance analyses are provided in Sections 5 and 6, respectively. Section 7 concludes this paper and our work.

Proxy Reencryption Technology.
We adopt the key-private proxy reencryption scheme which was proposed by Ateniese et al. [38].
is algorithm applies proxy reencryption technology to achieve ciphertext conversion, which converts a ciphertext m a of u a to a ciphertext m b of u b . e specific design of this scheme is as follows.
(i) Step 1. Setup(1 k ) ⟶ par: is is the initialization phase for generating parameters. Input security parameter 1 k and then the public parameters par are output by this algorithm. (ii) Step 2. KeyGen(par) ⟶ (pk, sk): is algorithm is applied to generate the public-private key pair for users. Public parameter par is input, and then the key pair (pk, sk) is produced for users. (iii) Step 3. Enc(par, pk a , m) ⟶ m a : is algorithm is employed to encrypt the message via a public key pk a from u a . pk a and message m are input, and then an original ciphertext m a is produced by this algorithm. (iv) Step 4. Re − KeyGen(par, sk a , pk b ) ⟶ rk a⟶b : is algorithm generates the conversion key, which realizes the transformation from m a to m b . A private key sk a of u a and a public key pk b of u b (a ≠ b) are provided, and the conversion key rk a⟶b is output.
is phase is crucial for reencryption data.

Oblivious Transfer
Protocols. e concept of OT was first proposed by Rabin [18] in 1981. In Rabin's protocol, the sender only wanted the receiver to get the message he chooses, and the receiver did not want the sender to know about other messages, which guaranteed the privacy of both parties.
en, the 1-out-of-2 data transmission protocol under the semihonest model through three public key cryptography operations was implemented by Naro and Pinkas [23]. e steps of (OT 2 1 ) protocol are as follows: (i) Setup: e system generates two prime orders q and p, where q|p − 1 holds. G p is a p-order subgroup of Z * p ; and the system sets g as the generator of Z * p . (ii) Input: e sender inputs (X 0 , X 1 ), and receiver inputs r. (iii) Output: e receiver outputs X r .
(a) Step 1. e sender generates a random number C and a, computes g a and C a , and broadcasts C.
e receiver generates a random number k(1 ≤ k ≤ q); and two public keys pk r and pk 1−r are generated, where pk r � g k and pk 1−r � C/g k hold.
en, the number pk 0 is sent to the sender. (c) Step 3. e sender calculates (pk a 0 ) and (pk a 1 ) � C a /pk a 0 . At the same time, he encrypts the Security and Communication Networks 3 data (X 0 , X 1 ), respectively. e equations are as follows: Step 4. e receiver computes hash(pk a r ) � hash((g a ) k ) and x r ; that is, E r � hash pk r a , r ⊕x r ⊕hash pk a r , r .
(2) e concept of (OT n k ) protocol is presented as follows. e sender encrypts the n secret messages M 0 , M 1 , . . . , M n−1 and sends them to the receiver; and the receiver can only recover k of them: where α 1 , . . . , α k ∈ Z * p holds. However, the receiver cannot determine which

Blockchain Technology.
Blockchain is a kind of ledger technology that is jointly maintained by multiple parties, can achieve consistent data storage, is difficult to tamper with, and prevents denial [39,40]. It has also become a distributed ledger technology. e blockchain is classified into the permissioned blockchain and the unlicensed blockchain according to whether the system has the node access mechanism. e fabric is employed in our paper, which belongs to the consortium Blockchain and is also the first distributed system of blockchain with an access mechanism [41]. Fabric is a modular, extensible, general-purpose blockchain with an access mechanism that supports the execution of distributed applications written in standard programming languages.
e key components of fabric are as follows [42].
(i) Peers: ere are four kinds of peers in Fabric.
(a) Committing peer: Each peer in the channel is the committing peer. It receives the generated transaction block, obtains the block structure, and verifies the legitimacy of the block structure. (b) Endorsing peer: e client application must use its smart contract to complete the verification of the transaction, simulate the operation of the transaction, and generate a transaction response containing a digital signature. (c) Leader peer: When the channel has multiple peers, the leader peer is responsible for distributing transactions from the ordering peer to other committing peers. (d) Anchor peer: It helps to communicate with peers in other organizations.
(ii) Channel: e channel includes many authorized users, and each user can belong to different channels. (iii) Consensus mechanism: It is defined as the comprehensive verification of the correctness of the blockchain transaction. It includes the SOLO, Kafka, PBFT, and SBFT.

System Model.
Our proposed scheme can be utilized to securely transfer data and also realize the privacy-preserving of the clients and servers. On the one hand, the private information of client side is protected. at is, a user has permission in virtue of the data's serial number to access data, yet he does not know which server the data is stored in.
On the other hand, the private information of servers is protected. at is, a user only can obtain the requested data, and the other data are cannot be learned. is scheme is mainly designed in accordance with the actual situation of the smart healthcare environment. Both doctors and other healthcare workers look forward to acquiring treatment records about a patient in all hospitals as soon as possible. Moreover, the confidentiality of data can be ensured in our scheme, in which a user employs his private key to decrypt the stored data in servers rather than private keys of servers. In addition, this scheme also resists collusion attacks by revoked or malicious users. e system model contains three entities, doctors/ patients (client side), a proxy (blockchain), and servers. Figure 1 shows a system model of the proposed scheme.
A patient cures his diseases in different hospitals or in the same hospitals. In general, the data is stored in the nearest server, which is a server of the current hospital. is means that if a patient has seen a disease in different hospitals, multiple servers (different hospitals) store the patient's data. Our scheme implements a many-to-many model with users and servers. Firstly, doctors and patients register their identities with the blockchain. e blockchain generates a list of user identities and a list of revoked users so that it can verify their identities. Secondly, a doctor uses the private key of user to encrypt the medical records and then uploads them to a server of his hospital. When a patient goes to a hospital to treat his heart disease, his doctor of this department can gain his past medical records in servers.
irdly, a doctor sends a request to blockchain for obtaining a patient's records. e blockchain verifies and checks his identity. If yes, the ciphertext encrypted with the patient's key needs to be converted into ciphertext which can be decrypted by doctors. e patient and blockchain run the encryption phase to complete the transformation of ciphertext. Fourthly, the blockchain transmits a request which includes some serial numbers of data to servers. Only servers that store the corresponding data respond to that request. Finally, the OT protocol is implemented between the doctor and the server to transmit and decrypt the request data.

reat Model.
In this section, the security goals and the security models for OT n m are provided.

Definition 1.
A secure and privacy-preserving (OT) n m protocol should satisfy the following requirements: (1) e (OT) n m protocol should protect the privacy of servers; namely, the users cannot obtain data from the server other than what they requested.
(2) e (OT) n m protocol should protect the privacy of users; namely, the servers cannot figure out what data the users access. e security model for server privacy of the OT n m protocol is described as follows. In this model, adversary A plays the role of users and challenger C plays the role of servers (the servers are trusted). e advantage of A to break the server privacy is defined as follows: (i) Setup: e system generates system parameters and sends the private keys to the blockchain. en the blockchain generates several necessary parameters for servers. Adversary A chooses j data that it can access and chooses the corresponding a j from Z * p . Adversary A outputs its target t(t ∉ j ). en, the blockchain sends corresponding D j to adversary A and the servers send all ciphertexts c i . (iv) Decrypt: Adversary A outputs plaintext m t . If m t is right, adversary A breaks the server privacy of the OT n m protocol. e security model for user privacy of the OT n m protocol is described as follows. In this model, adversary A plays the role of servers and the challenger plays the role of users (the users are trusted). e advantage of A to break the server privacy is defined as follows: (i) Setup: e system generates system parameters and sends the private keys to the blockchain. en the blockchain generates several necessary parameters for adversary A. e users choose j data that they can access and choose corresponding a j from Z * p . en, the blockchain sends corresponding D j to the users and the servers sends all ciphertexts c i . Adversary A outputs its target t 0 , t 1 (t 0 , t 1 ∈ j ).

The Proposed Scheme
e proposed scheme is presented in detail in this section. Our scheme can be divided into four parts, in which the initialization phase is introduced in Section 4.1, the user registration phase is described in Section 4.2, the encryption phase is stated in Section 4.3, and the data access phase and (OT) n m protocol phase among three roles are illustrated in Sections 4.4 and 4.5, respectively.
In the smart healthcare system, in the face of complex diseases, the attending doctor will conduct multidepartment consultations or cross-hospital consultations, which are more common. In addition, a patient can treat diseases in different hospitals, a hospital has its own servers, and the users who have access permission can request the data of servers in the smart healthcare system. In our scheme, to protect the two-way privacy of the server and user, the data are allocated to the nearest server randomly, which obeys the principle of proximity; that is, the user with permission can store the data in which the server is near. We show the main idea of the system by giving an example. A patient suffers from high blood pressure, heart disease, and toothache. When he goes to the dental clinic, the doctor not only needs to diagnose his teeth but also prescribes medicine or prepares for surgery based on his other medical history. At this moment, an attending doctor verifies his permission to request all the data about that patient. e requests can be sent to the determined server which has stored the data of that patient. en, to protect the privacy information, only the determined server delivers all its data to the requester by using the designed (OT) n m protocol. is protocol guarantees that the server does not have idea about the accessed data, and the user cannot obtain the extra data and figure out the source of data. For instance, if the sequence number 5 is requested from the user, he sends the requirement to all the servers in the smart healthcare system. Only sever S y that has the data about that patient responds to the request. More comprehensively, assume that the sequence number d is accessed; the user sends the requests to servers S 1 , S 2 , . . . , S y (the needed data are in servers S a and S b ). At last, servers S a and S b have the opportunity to communicate with the user. In the meantime, blockchain technology is merged into our scheme, which maintains the attributes list and stops user attributes from being tampered with. Correspondence between symbols and definitions is shown in Table 1.

Initialization Phase.
We hypothesize that there are y distributed servers, and the users with permission to manipulate data (e.g., the doctor, nurse, and healthcare worker) have n data, and each piece of data has the same bits.
Input the security parameter s, and then the system randomly selects the number k 1 , k 2 , . . . , k y , k 1 ′ , k 2 ′ , . . . , k y ′ ∈ Z * p , where the formal k 1 + k 1 ′ � κ (κ ∈ Z * p ) holds, server S i possesses k i , and κ, k 1 ′ , . . . k y ′ is stored in the blockchain. Set G � < g > , G T as the multiplicative cyclic groups, with bilinear mapping e: G × G ⟶ G T , randomly choose generator g 1 ∈ G, and compute α � e(g, g 1 ). Set the hash functions We initialize the device of proxy based on the blockchain.
e security parameter s is input; the blockchain computes the formulas f � g κ and w i � h 1 (i), where i represents the label of the patient's medical data. en, the blockchain computes R 1i � w k 1 ′ i , . . . , R yi � w k y ′ i and the following finite sets are satisfied, where 0 < i < n + 1 and i ∈ Z * p hold. f is sent to the user. en R 1 , R 2 , . . . , R y are sent to servers S 1 , S 2 , . . . , S y orderly.
e symbols and the corresponding meanings are shown in Table 1.

User Registration Phase.
We integrate blockchain technology into user registration phase to maintain the identity lists about users. e data is requested via proxy, while the blockchain inquires and verifies the user's identity in accordance with his tag. Only through the verification can the (OT) n m protocol be executed to transmit the data. ere are five functions of blockchain in our scheme; they are described briefly as follows: (i) e committing peer generates and maintains blocks for users. (ii) e identity of required users is verified. (iii) e endorsing peer verifies the legality of updated identities; if the transaction is legal, the peer simulates to perform the smart contract. en, it sends the updated lists to users. (iv) e attributes are prevented from being faked through utilizing the structural characteristics of the block. (v) e revoked and malicious users are distinguished to preclude them from colluding the data.  � (x p,1 , x p,2 ) and computes the patient's public key pk p � (pk p,1 � α x p,1 , pk p,2 � g x p,2 ). en, it sends (sk p , pk p ) to the patient through the secure channel.
e key generation center (KGC) chooses as the doctor's private key sk d � (x d,1 , x d,2 ) and computes the doctor's public key pk d � (pk d,1 � α x d,1 , pk d,2 � g x d,2 ). en, it sends (sk d , pk d ) to the doctor through the secure channel. (iii) Step 3. KGC inserts (pk p , p id ) into the patient list and inserts (pk d , d id ) into the doctor list. en KGC sends the above lists to the blockchain via the smart contract.

Encryption Phase.
After the doctor diagnoses the patient, he records the medical data on the computer. Subsequently, the encryption algorithm will be executed on the data. and g R 2 � ? Committ 2 · pk c d,2 . If the above equation holds, the blockchain checks whether the tuple (d id , pk d ) belongs to the doctors list. If yes, the verification process is completed. en, the doctor can upload data.
(ii) Step 2. GenTag(m kw , p id , dep): In order to facilitate users to accurately access data, the data needs to be classified in the light of departments and patients. Generate a tag tag m i � GenTag(m kw , p id , dep) corresponding to the departments dep and patients p id , and add it to m. e advantage of this is that the doctor can accurately acquire all the data about a certain department of this patient, and some invalid data are automatically removed, where the communication overhead of gained data by the OT protocol is reduced.
(iii) Step 3. Encrypt(m, pk p , tag m i ) � ct p : e doctor encrypts data m of patient, which employs the patent's public key pk p and encryption (Enc) algorithm from KP − PRE scheme [38]. en, upload the ciphertext to the server.

Data Access Phase
(i) Step 1. When doctor d id sees a patient p id , he sends p id and pk d to the blockchain, along with the proof and g R 2 � ? Committ 2 · pk c d,2 . If the above equation holds, the blockchain checks whether the tuple (d id , pk d ) belongs to the doctors list. If yes, the blockchain executes the next step.
(iii) Step 3. e blockchain sends pk d to patient p id . e patient computes transform key tk p⟶d via Re − KeyGen(sk p , pk d ) in the KP − PRE scheme and sends it to the blockchain.
(iv) Step 4. e blockchain sends tk p⟶d and p id to all servers. e servers transform ciphertext m of patient p id , namely, compute ct d ←KP − PRE.ReEnc(tk p⟶d , ct p ).

(OT) n m Protocol Phase.
Assume that doctor d id treats p id 's heart disease; he sends a data request which includes all the serial numbers of data from different hospitals about this patient's heart treatment records to servers. Suppose that the doctor needs to require the data with the serial number s n � δ 1 , δ 2 , . . . , δ m , and those data are stored in servers S 1 , . . ., S i , . . . , S n . e steps of the (OT) n m algorithm are shown in Figure 2.
(i) Step 1. e doctor (client side) transmits request s n to the blockchain side. en, server S i responds and executes the following steps.
(ii) Step 2. e client side selects parameters a j ∈ Z * p randomly and computes all parameters A j of serial number of data; that is, A j � w j g a j , where 0 < j < m + 1(j ∈ Z * p ) holds and parameters w 1 , . . . , w m are calculated previously. en, (A j , g a ) is sent to the blockchain.
(iii) Step 3. e blockchain side computes D j � (A j ) κ and ϵ ′ � g ak 1 ′ , g ak 2 ′ , . . . , g ak y ′ and sends ϵ i ′ to server S i . en, it delivers D j and f to the client side. (iv) Step 4. e server side computes all the ciphertexts of its c i � ct d,i ⊕h 2 (w k y i R yy i ′ � � � � � g ak y ϵ y ′ ) and transmits c i to the client side.
(v) Step 5. Only if δ i ∈ s n meets, the formulas Y j � (D j /f a j ) � � � �f a and ct d,j � c j ⊕h 2 (Y j ) can be computed. After that, the ciphertexts of requested data s n are calculated. (vi) Step 6. Decrypt(ct d,j , sk d ) � m j . e doctor employs his key sk d to decrypt the above ciphertext.

Security and Communication Networks 7
Finally, the doctor obtains all the heart disease records about that patient.

Security Analysis
Theorem 1. e proposed OT n m is server privacy, if the CDH assumption holds. Assume that any probability polynomial time adversary A can break the server privacy of the scheme; it can be utilized to solve CDH problem. e definition of CDH problem is that, given a tuple (G, g, g α , g β ) where α, β← R Z * p , the adversary should compute g αβ .
(i) Setup: In this phase, after challenger C obtains the CDH tuple (G, g, g α , g β ) where α, β← R Z * p , it sets k � α and f � g α . en, it generates other system parameters to complete the setup of the whole scheme. (ii) Query: In the hash query phase, adversary A queries the value of w i . Challenger C sets and outputs w i to adversary A.
Proof:. We assume that the probability of challenger C obtaining Z � g αβ is 1/2 and the probability of obtaining Z← R G is also 1/2. We assume that the advantage of A winning is ϵ and denote by E challenger C solving the DDH problem. It is easily deduced that Pr[p � 1|Z � g αβ ] � 1/2 + ϵ and Pr[p � 0|Z← Proof:. Firstly, the user needs to get through the identity authentication at the data access phase. Whether this formula Committ u i · pk c d,u i , g R � ? Committ u r · pk c d,u r is satisfied is checked. In general, a malicious user's commitment value cannot meet the calculation formula, and he would be judged as an invalid user by scheme. Secondly, even if a malicious user tries to modify his identity, the list of user identities is stored in the blockchain. at is, the modified identity cannot satisfy the formula Hash 256 (d u i ) � Hash 256 (d u r ).
en, that malicious user would be judged as an invalid user.
(OT) m m ensures the two-way privacy of communication parties, and the proxy reencryption algorithm is secure. erefore, the confidentiality of data can be protected by our proposed scheme.

Performance
In this section, we first analyze the proposed scheme and provide a simplified comparison in Table 2. en, an experimental evaluation of the proposed scheme is presented.
6.1. Performance Analysis. In our scheme, most of computation cost comes from the XOR operation, hash operation, Weil operation, power operation in G 1 , and power operation in G T , which are denoted as T x , T h , T e , T E 1 , and T E T . In Table 2, n d presents the number of doctors registered, n p describes the number of patients registered, n c is the number of patient ciphertexts, n y illustrates the number of servers, and n j states the number of j.
In registration phase, KGC generates the public-private key pairs for doctors and patients, and it costs computation overhead (n d + n p )(T E 1 + T E T ). In encryption phase, blockchain verifies and checks the identities of client via lists to discern malicious or revoked users, which costs 4T E 1 + 2T E T + T h computation overhead. Also, this phase is applied to encrypt the plaintext by using private key of patients, which defends the data confidentiality and costs 2T E 1 + T E T computation overhead. In data access phase, the ciphertext encrypted with the user's key should be converted into the ciphertext encrypted with the doctor's key, which costs 3T E 1 + T E T + T p computation overhead. Moreover, this phase is also not involved in the general OT protocol, mainly to hide the access path of the server. In the (OT) n m phase, it realizes the privacy-preserving of clients and servers.
We provide the computation comparison between doctors and patients in the (OT) n m protocol in Figure 3. e X-axis describes the number of j requested by doctors. e Y-axis represents the time cost to perform the (OT) n m protocol in doctor side and patient side. As shown in Figure 3, the time cost of doctors is higher than that of patients. e patient only needs to assist the blockchain to complete the transformation of the ciphertext. However, doctors need to participate in all the (OT) n m protocols and calculate the transmission ciphertext of j data. Meanwhile, if the length of the ciphertext is fixed, the cost of transforming the ciphertext is roughly the same. erefore, the patient's expenditure at this phase is approximately straight.
We provide the computation comparison of client side, blockchain, and servers in Figure 4. In order to make the comparison more obvious, the three entities are put in Figures 4 and 5. e computational overhead of the client side and blockchain is described in Figure 4; the X-axis represents the number of j and assumes that the number of  servers is 10. For the server side, the X-axis represents the number of patient ciphertexts in Figure 5. As shown in the figures, we find that the overhead of the client is much higher than that of other entities. e proposed (OT) n m protocol is an interactive protocol, which requires interaction between client side and servers to complete data transmission. At the meantime, this protocol uses the many-to-many data transmission pattern.

Conclusion
In this paper, a privacy-preserving data transmission scheme based on the oblivious transfer and blockchain technology in the smart healthcare system is proposed. Based on the proxy reencryption technology, the proposed (OT) n m protocol can implement the ciphertext conversion to ensure the privacy of servers. Meantime, the two-way privacy between the client side and servers is guaranteed via the proposed (OT) n m protocol, which also ensures the security and efficiency of data transmission. By taking advantage of blockchain technology, the proposed scheme can prevent data from being tampered with and effectively identify malicious users. After analyzing the protocol security, the confidentiality of data and security of our scheme are proved. Finally, the results of performance evaluation and experimental comparison can be considered as a validation of our protocol, making it substantially more convincing.

Data Availability
e data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
e authors declare that they have no conflicts of interest.