Blockchain-Based Privacy-Preserving Vaccine Passport System

In this study, we propose a blockchain-based privacy-preserving vaccine passport system for the global prevention and control of infectious diseases. The system operates a double-chain framework which consists of a public blockchain and a consortium blockchain. Among them, the combination of the immutability of the public blockchain and Internet of Things (IoT) technology in the supply chain ensures the openness and transparency of the cold chain logistics records of the vaccines covering the stages from auditing to the target vaccination hospitals. The system adopts the consortium blockchain to achieve the balance between the protection of users’ vaccination privacy and auditing by the government departments. Specifically, a distributed system-based threshold signature is adopted in the vaccine qualification phase to resist collusion between the vaccine manufacturing company and vaccine approval institutions. The cryptographic tools such as the anonymous credentials, zero-knowledge protocols, and range proofs ensure that users do not disclose any private information other than proving that they have a legally valid vaccine passport when users display the vaccine passports to customs. At the same time, customs can apply various vaccine prevention policies based on the conditions on the specific vaccine passports. Regarding the security properties of the system, a formal security model is given along with the corresponding security proofs.


Introduction
With the outbreak of COVID-19 in early 2020, the global defense against the spread of COVID-19 has been severely tested. Following the outbreak, scientists, physicians, and vaccine manufacturers in various countries engaged in the development of vaccines for the coronavirus. On January 24, 2020, the Chinese Center for Disease Control and Prevention (CDC) successfully isolated the first coronavirus strain in China [1].
The National Pathogenic Microbial Resource Library released information and electron microscopy photos of this strain (Wuhan strain 01 of the novel coronavirus), as well as important authoritative information such as primers and probe sequences for nucleic acid detection of the novel coronavirus, all of which laid the foundation for vaccine development. On this basis, COVID-19 vaccines in each country were promoted from the R&D stage to the clinical trial stage. In the second half of 2020, COVID-19 vaccines developed in each country were gradually approved for marketing by various national approval authorities.
At the stage when COVID-19 vaccines were introduced into the market and society, vaccination would face social problems in various aspects. With the gradual introduction of COVID-19 vaccines, vaccine management and vaccination become important issues for national governments. Especially in emergency cases when the COVID-19 vaccine is not sufficient, it is vital for the privacy of vaccination information to be protected to prevent social conflicts. As the epidemic is effectively controlled in various regions, the people returning from various countries and regions are also a serious test for the prevention and control of the local epidemic.
Therefore, the application of vaccine passports was born.
As countries around the world gradually recovered from the effects of the COVID-19 epidemic, urgent cultural communication and trade between countries led to the implementation of vaccine passports. On July 26, 2021, municipalities, wards, towns, and villages throughout Japan began accepting applications for the official certificate ("vaccine passport") for COVID-19 vaccine [2].
The key information of the vaccine certificate includes the individual's name, date of birth, passport number, type of vaccine used, and date of vaccination. The idea is that the certificates exempt travelers from Japan from quarantine and other antivirus measures after their arrival in overseas destinations. However, the Japanese government does not make such exemptions for people who enter Japan with vaccine passports issued by other nations for now, and the government is considering making vaccine passports digital. At 1:00 p.m. Vancouver time on August 23, the Premier of British Columbia held a press conference to announce the implementation rules for the British Columbia vaccine certificate. Starting from September 13, people attending indoor concerts, sporting events, movie theaters, and other nondiscretionary activities must receive at least one dose of the COVID-19 vaccine and show proof of it. On October 24, the vaccination requirement will be increased to 7 days after completing two doses of the vaccine before being allowed to enter certain public places with a vaccination card [3]. The vaccine passport should be an internationally recognized certificate of vaccination for COVID-19 [4] and possibly other types as well. In February 2021, the concept of the vaccine passport was still in the initial stages of controversy, and international opinion was divided. In the view of proponents, the emergence, use, and popularity of a vaccine passport would significantly mitigate the impact of the COVID-19 pneumonia outbreak on international travel and facilitate global economic recovery. In contrast, in the view of opponents, it is far from simple to establish a globally circulating and mutually recognized certification system that can effectively protect the privacy and ensure fairness.
The purpose of this study is to design protocols that use cryptography to ensure the transparency and privacy of vaccination, as well as the privacy of vaccine passports, and so address the issues of privacy protection. However, we point out that vaccine passports are subject to a global consensus. We assume that the design, implementation, and operation of the vaccine passport system are supported and accepted by countries around the world.

Prior and Related Work.
The COVID-19 outbreak led to research on vaccine supply chain improvements. Many researchers in cryptography proposed blockchain-based systems for the distribution and management of vaccine supply chains. The idea is to take advantage of the tamper resistance of blockchain and the nature of jointly maintaining a unified ledger to ensure that the supply of vaccines is regulated and transparent. Meanwhile, with the update and development of IoT technology, IoT in the field of traditional commodity logistics has been migrated to the field of logistics and transportation of pharmaceutical products. Vaccines are biological products, and the monitoring and supervision of their environmental conditions during cold chain logistics transportation can combine IoT devices with sensors. Specific sensors report to the CDC, which monitors the logistics of biologics, about the humidity, temperature, light protection, and other transport conditions during the cold chain transportation of vaccines. Vaccination users also have the right to know that vaccine production and transportation meet quality control requirements. Cui et al. [5] proposed a blockchain-based vaccine tracking system to protect the entire vaccine cycle. The blockchain is used as a global, unique, and verifiable database to store all circulating databases. Antal et al. [6] used Ethereum's smart contract technology to guarantee the integrity of vaccine data and the immutability of registration for vaccinators, avoiding identity theft and imitation. Yong et al. [7] applied machine learning techniques to analyze and process data in the vaccine blockchain.
Abid's proposed vaccine platform [8] provides a sovereign user identity that gives users full control over their data and encrypts personally identifiable information to enhance privacy. The platform also leverages W3C verifiable credential standards to facilitate instant verification of COVID-19 proofs and allow users to share selected information with trusted parties. However, the platform's privacy is protected by hashing sensitive information and then storing it on the blockchain, which is at risk when the data are broadcast. Haque et al. [9] proposed an architectural framework of a permissioned blockchain-based vaccination passport for the European Union's General Data Protection Regulation (GDPR). The scope of this regulation is broad, and any organization that collects, transfers, retains, or processes personal information involving all EU member states is subject to the regulation. Then, the double-chain structured blockchain system proposed by Qiu and Zhu [10] combines a public blockchain and a private blockchain to manage and store data information in different processes of vaccine logistics and vaccination. However, the user privacy of this system relies too much on the authorization mechanism of the private blockchain.

Contributions.
In this study, we propose a double-chain framework with the vaccine cold chain logistics system and vaccination record system. We introduce threshold signature technology at the vaccine audit stage of public blockchain to deal with complicity between vaccine manufacturing companies and vaccine approval institutions. Second, it applies the consortium blockchain to record the information of vaccination hospitals to give vaccination to users. Its process ensures the privacy of vaccination hospitals, vaccination users, and vaccination vaccines and reserves the right to reveal and audit the vaccination information records by government departments under special circumstances.
In the issuance and presenting of the vaccine passport, the use of anonymous credential, ring signature, and range proofs ensures that the validity of the vaccine passport is proven without revealing the user's vaccination hospital and identity information during the process.

Paper Organization.
In the subsequent content of this study, we present the entities and the system threat model in the vaccine passport system in Section 2. We show the cryptographic techniques and tools used to build the system protocol in Section 3. Section 4 of this article provides the structural design of the system and the specific protocol design. We give the security analysis and proof of the protocols in this model in Section 5. We give a system evaluation in Section 6, and we finally conclude this article in Section 7.

Assumptions and Threat Model
2.1. Entities and Assumptions. Before presenting the system structure, we introduce the entity participants in the system.
(i) International coalition government, GV: it acts as the system's CA to manage the authorization and authentication of each participant. It acts as a trusted third party for threshold signatures in the vaccine approval process. In exceptional cases, it can audit the encrypted information in the consortium blockchain that records vaccinations.
(ii) Hospital, HOSP: it issues a credential for the user's vaccine passport after completion of the vaccination and uploads the information recording the vaccination to the consortium blockchain.
(iii) User: the user receives a vaccine passport after completion of vaccination at the hospital. When it is necessary to prove the legitimacy and validity of the vaccine passport to the vaccine passport checkpoint, a zero-knowledge proof protocol is applied to protect the user's privacy.
(iv) Vaccine manufacturing company: it sends samples of the vaccine to be tested to the vaccine approval institutions in each country for approval. Once the vaccine is approved, the batch is issued a certificate of authorization.
(v) Vaccine approval institutions, AI: each country's approval body tests the submitted vaccine samples according to its own standards. The approving vaccine approval institution signs a threshold signature for the vaccine. The GV issues a threshold signature certificate to the vaccine lot once the (t, n) threshold of approving vaccine approval institutions has been met.
(vi) Vaccine passport checkpoint: it verifies the user's identification and proof of the legitimacy and validity of the vaccine passport. It also applies the appropriate vaccination measures and policies according to the conditions that the user's vaccine passport fulfills.
(vii) Vaccine transit centers: they act as a transit point for vaccine shipments connecting vaccine companies to the CDC. Information on storage and transport conditions during cold chain logistics is uploaded.
(viii) CDC: it audits the vaccine cold chain logistics process for compliance with biologics-related regulations. If so, the vaccine is held in temporary storage and eventually shipped to the hospital where it is administered.
Considering the specific prerequisite assumptions for the application of the vaccine passport system to realistic scenarios and specific programs, the system provides the following reasonable assumptions.
(i) The authority of the international coalition government is recognized by every country in the world
(ii) Countries strictly adhere to the normal operation of the system
(iii) The number of corrupted institutions in vaccine approval institutions is less than half of the total number
(iv) Authorized hospitals follow the hospital code of conduct and do not conspire with users
(v) Users do not disclose or share their secret keys
2.2. Threat Model. In this study, we do not consider network-level security attacks, physical hardware-level damage, and software vulnerability penetration during the engineering implementation of the protocol. In this study, we only consider cryptographic attacks towards the protocol design.
(i) In the threat model of this study, we assume that GV and auditor are completely honest. They operate according to the protocol algorithm and do not disclose the privacy parameters generated.
(ii) In the threshold signature phase, the adversary is allowed to corrupt up to $t < n/2$ AIs. GV does not disclose institutional audit signatures to vaccine manufacturing companies.
(iii) In the vaccination information record uploading consortium blockchain phase, all peers except the auditor and GV are assumed to be honest-but-curious; they try to break the privacy by passively eavesdropping on the inputs and outputs of the protocol but not actively violating the protocol process.
(iv) In the vaccine passport display phase, the vaccine passport checkpoint is assumed to be honest-but-curious; it tries to get the user's private data, but it still follows the protocols.

q-Strong Diffie-Hellman Assumption.
The q-SDH problem in $(G_1, G_2)$ is defined that for adversary $\mathcal{A}$ on input a $(q + 2)$-tuple $(g_1,$
3.3. Threshold Signature Scheme. The $(t, n)$ threshold signature scheme allows any $t$ signers among $n$ signers to generate a signature for a message, but fewer than $t$ signers cannot generate a valid signature. The threshold signature scheme can build a robust signature system to prevent the unlawful behavior of some signers. The threshold signature scheme consists of the following four algorithms:
(i) ThresholdKeyGen $(\lambda, n, t)$: for distributed systems, the threshold key generation algorithm is a protocol that runs interactively among many participants. With the input security parameter $\lambda$, number of users $n$, and threshold $t$, it outputs the secret share $x_i$ for each participant, such that $(x_1, \dots, x_n) \xrightarrow{(t, n)} sk$.
(ii) Sign $(x_i, m)$: the signers among the participants output the signature share $\sigma_i$ based on the input secret share $x_i$ and the message $m$.
(iii) Reconstruction $(\sigma_i)$: the resulting signature $\sigma$ can be generated by a trusted third party based on the signature shares $\sigma_i$ of not less than $t$ signers.
(iv) Verify $(pk, m, \sigma)$: the verification algorithm inputs the verification public key $pk$, message $m$, and resulting signature $\sigma$ and outputs 1 when the signature is successfully verified; otherwise, it outputs 0.

Ring Signature Scheme.
A ring signature is a digital signature that can be executed by any member of a group of users that each have a pair of keys, so that a message with a ring signature is recognized by someone in a particular group. But, it is computationally infeasible to determine which group member's key is used to generate the signature, which is one of the security properties of ring signatures. All possible signers are formed into a ring. Each possible signer is called a ring member. The ring member that generates the signature is called a signer, and each other ring member is called a nonsigner. The ring signature scheme consists of the following three algorithms:
(i) KeyGen $(\lambda, n)$: let ring $R = \{R_1, \dots, R_n\}$. With the input security parameter $\lambda$, it outputs each user's public-secret key pair $(sk_i, pk_i)$. Assume that the signing member is $R_s$.
(ii) Sign $(sk_s, m, \{pk_i\}_{i \in \{1, \dots, n\}, i \neq s})$: the signer $R_s$ generates a ring signature $\sigma_{ring}$ on message $m$ with its own secret key $sk_s$ and the public keys $pk_i$ of other members.
(iii) Verify $(\{pk_i\}_{i \in \{1, \dots, n\}}, m, \sigma_{ring})$: the verification algorithm takes as input the public keys $\{pk_i\}_{i \in \{1, \dots, n\}}$, message $m$, and ring signature $\sigma_{ring}$ and outputs 1 when the signature is successfully verified; otherwise, it outputs 0.
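The three algorithms above, instantiated as an added example that is not code from the paper. This section does not name a concrete ring signature scheme, so the sketch assumes the Schnorr-based Abe-Ohkubo-Suzuki construction over a toy group; the group constants and all function names are constructed for illustration.

```python
import hashlib
import secrets

# Toy group, constructed for this example and far too small for real use:
# P is prime, Q = (P - 1) / 2, and G = 4 generates the subgroup of order Q.
P, Q, G = 1_000_000_007, 500_000_003, 4


def keygen():
    """KeyGen: one ring member's (sk_i, pk_i) with pk_i = G^sk_i."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def challenge(ring, msg, point):
    """Hash (ring, message, commitment) to a challenge in Z_Q."""
    data = repr((tuple(ring), msg, point)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def sign(s, sk_s, msg, ring):
    """Sign: the member at index s closes the ring with sk_s and the others' pks."""
    n = len(ring)
    c, z = [0] * n, [0] * n
    u = secrets.randbelow(Q - 1) + 1
    c[(s + 1) % n] = challenge(ring, msg, pow(G, u, P))
    for step in range(1, n):
        i = (s + step) % n
        z[i] = secrets.randbelow(Q)            # nonsigner: random response
        commit = pow(G, z[i], P) * pow(ring[i], c[i], P) % P
        c[(i + 1) % n] = challenge(ring, msg, commit)
    z[s] = (u - sk_s * c[s]) % Q               # the only step that uses a secret key
    return c[0], z


def verify(ring, msg, sig):
    """Verify: walk the ring once; the challenge chain must close on c_0."""
    c0, z = sig
    if len(z) != len(ring):
        return False
    c = c0
    for pk, z_i in zip(ring, z):
        c = challenge(ring, msg, pow(G, z_i, P) * pow(pk, c, P) % P)
    return c == c0


if __name__ == "__main__":
    # Constructed ring of four members; member 2 signs a constructed message.
    keys = [keygen() for _ in range(4)]
    ring = [pk for _, pk in keys]
    sig = sign(2, keys[2][0], b"constructed passport commitment", ring)
    print("valid:", verify(ring, b"constructed passport commitment", sig))
```

The signature is the pair (c_0, z_1..z_n) and has the same shape whichever member signed, which is why a verifier learns only that some ring member produced it.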

Zero-Knowledge Proof.
A zero-knowledge proof is a protocol in which the prover $P$ can convince the verifier $V$ that an argument is correct without providing any useful information to the verifier. A zero-knowledge proof is essentially an agreement involving two or more parties, i.e., a series of steps that two or more parties need to take to accomplish a task. The prover convinces the verifier that he or she knows or has a certain message, but the proof process cannot divulge any information about the proven message to the verifier. In our system protocol design, we focus on zero- where $\omega$ is a witness for statement $y$. A zero-knowledge proof protocol between $P$ and $V$ satisfies the following three properties: his statement is true with probability $1 - \mathrm{negl}(\lambda)$.
(ii) Soundness: if the prover's statement $y \notin L_R$, then any malicious prover $P^*$ convinces an honest verifier of his statement with probability $\mathrm{negl}(\lambda)$.
(iii) Honest verifier zero-knowledge (HVZK): after the proof is executed, the verifier only knows whether the statement of the prover is true or not, but he does not have access to any other information during the proof. It can also be said that there exists a simulator algorithm Sim that simulates interaction scripts that are indistinguishable from the real interaction scripts between $P$ and $V$.
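The three properties, shown on Schnorr's proof of knowledge of a discrete logarithm, which has the same shape as the statement pk = g^sk the user later proves to the CA. This is an added example, not code from the paper; the toy group constants and function names are constructed for illustration.

```python
import secrets

# Toy group, constructed for this example and far too small for real use:
# P is prime, Q = (P - 1) / 2, and G = 4 generates the subgroup of order Q.
P, Q, G = 1_000_000_007, 500_000_003, 4


def commit():
    """Prover, move 1: random nonce k and commitment t = G^k."""
    k = secrets.randbelow(Q)
    return k, pow(G, k, P)


def respond(sk, k, c):
    """Prover, move 3: response z = k + c * sk mod Q to the verifier's challenge c."""
    return (k + c * sk) % Q


def check(pk, t, c, z):
    """Verifier: accept iff G^z == t * pk^c (completeness holds for honest provers)."""
    return pow(G, z, P) == t * pow(pk, c, P) % P


def simulate(pk):
    """HVZK simulator Sim: an accepting transcript (t, c, z) built without sk.

    c and z are chosen first and t is solved for, so the transcript has the
    same distribution as a real run with an honest verifier.
    """
    c = secrets.randbelow(Q)
    z = secrets.randbelow(Q)
    t = pow(G, z, P) * pow(pk, (-c) % Q, P) % P
    return t, c, z


def extract(c1, z1, c2, z2):
    """Soundness argument: two accepting answers to the SAME commitment with
    different challenges reveal the witness, sk = (z1 - z2) / (c1 - c2) mod Q."""
    return (z1 - z2) * pow((c1 - c2) % Q, -1, Q) % Q


if __name__ == "__main__":
    sk = secrets.randbelow(Q - 1) + 1          # constructed witness
    pk = pow(G, sk, P)
    k, t = commit()
    c = secrets.randbelow(Q)                   # honest verifier's challenge
    print("real transcript accepted:", check(pk, t, c, respond(sk, k, c)))
    print("simulated transcript accepted:", check(pk, *simulate(pk)))
```

A prover who could answer two different challenges for one commitment must know sk, which is what `extract` makes concrete, and it is also why a nonce k must never be reused across proofs.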
Range proof: a range proof is a proof that a secret value $x$, which is encrypted or committed to, lies in a certain interval $[a, b]$. In this study, the secret value $x$ is hidden by a Pedersen commitment, such that $C = g^x h^r$. A range proof does not leak any information about the secret value other than the fact that it lies in the interval. The prover needs to provide a zero-knowledge proof to the verifier PK (x, r):

Our Proposed System
Before showing the overview of our system model, we present the reasons for choosing the double chain as the basis of the system. The generation of the vaccine passport and the vaccine itself are indivisible. Given the biomedical properties of the vaccine itself, we need a public blockchain to store the production and logistics information of the vaccine. The choice of the consortium blockchain is that vaccination records are information with privacy properties and are required to be privacy protected and regulated. So, it is uncomplicated to achieve the intended effect in a blockchain under authorization.

Overview.
Our system consists of three main phases. The vaccine cold chain logistics phase is shown in Figure 1.
Step 1. The vaccine manufacturing company sends a batch of vaccine samples that need to be quality-checked to the vaccine approval institutions in each country.
Step 2. Each country's vaccine approval institution passes its review results through a (t, n) threshold (if, out of a total of n vaccine approval institutions, t vaccine approval institutions approve, then the batch of vaccine is approved). If the batch meets the audit requirements, a certificate is issued for the batch through the threshold signature.
Step 3. The vaccine manufacturing company entrusts the cold chain logistics company with the approved batch of vaccine to send to the target hospital. The sender is the vaccine production company. The receiver is the first vaccine transit center. The transported goods are batches of vaccines. The logistics information is uploaded to the public blockchain after the logistics are completed.
Step 4. The cold chain logistics information between vaccine transfer centers is uploaded. The sender is the previous vaccine transfer center. The receiver is the next vaccine transfer center. The transported goods are batches of vaccines with the environmental conditions of the temporary storage of vaccines and the signature of the person in charge.
Step 5. When the vaccine is delivered at the last logistics transit center, the CDC under whose jurisdiction the target hospital is located audits the entire cold chain logistics storage and transportation for compliance with the logistics requirements for biologics. If the cold chain logistics process of the vaccine batch meets the requirements, the CDC issues a certificate of conformity signature to the batch of vaccine.
Step 6. The logistics information between the last vaccine transfer center and the CDC is uploaded to the public blockchain after the approval of the vaccine cold chain logistics. The sender is the last vaccine transfer center. The receiver is the local CDC, and the transported goods are batches of vaccines with the CDC's certificate for vaccine cold chain logistics.
Step 7. The logistics information of the final vaccine delivery from the local CDC to the target hospital is uploaded to the public blockchain. The sender is the local CDC, and the receiver is the target vaccination hospital. The transported goods are batches of vaccines with a certificate from the CDC for the cold chain logistics of the vaccine and a threshold signature certificate from the vaccine approval institutions. Users are given the right and ability to know the approval results of vaccinations and vaccine cold chain logistics information by viewing the information recorded on the public blockchain before vaccination in hospitals. This helps to achieve openness and transparency of vaccine information to vaccination users.
In the vaccination phase shown in Figure 2, the local hospital completes the uploading of vaccination information to the consortium blockchain while protecting the privacy of the vaccination information.
Step 8. After the last injection of the user's vaccine at the local hospital, the hospital creates vaccination information signed by it and sends the vaccination information to the endorser. The sender of the vaccination information is the local hospital. The receiver is the vaccination user. The information transmitted is the details of the vaccine.
Step 9. The endorser verifies the uploaded vaccination information and generates an endorsement signature.
Step 10. The submitting local hospital broadcasts the collected endorsement signatures and the vaccination information itself to the orderers.
Step 11. The orderers broadcast the sorted set of vaccination information to all peers.
Step 12. The committing peer checks whether the vaccination information submitted by the orderers has a legitimate certificate issued by the endorser. The committing peer also detects malicious cases where the same vaccination is included in the vaccination information more than once. In this case, the first valid vaccination information will be accepted. Once the uploaded vaccination information is verified by the committing peer, the vaccination information is submitted and the committing peer maintains the state and a copy of the ledger. For the privacy-preserving vaccination information on the consortium blockchain, it is necessary to audit it in case of special circumstances. Auditors have the ability to open the encrypted vaccination information on the consortium blockchain to audit the vaccination details, such as the time of vaccination and vaccine production date.
The vaccine passport phase, also shown in Figure 2, proceeds as follows.
Step 13. The local hospital opens the vaccination user's commitment to the vaccine production date, vaccine shelf life, vaccine immunity lasting time, and vaccination date. After the hospital confirms that the commitment is correct, a ring signature is generated for the commitment and the international coalition government-issued user identity card. Finally, the ring signature, commitment, and user identity certificate together form the vaccine passport and are sent to the user.

Security and Communication Networks
Step 14. The user first presents the vaccine passport to the passport checkpoint. The passport checkpoint verifies the legitimacy of the user's identity and vaccine passport. Next, the user proves the validity of the vaccine passport to the passport checkpoint. This includes the following three items:
(i) The vaccine injected by the user is within the shelf life. If the vaccine injected by the user does not meet this condition, then first, the passport checkpoint needs to report this medical issue to a government authority. This requires a request for an audit of the vaccination information for the batch (including the local vaccination hospital) and a traceability audit of the vaccine batch. Also, the user needs to be reimbursed for the corresponding vaccination.
(ii) The user produces high titers of antibodies to create effective protection. This corresponds to the last date of vaccination plus 14 days [11], which needs to be greater than the current date. If the user's vaccination information does not meet this condition, the passport checkpoint needs to quarantine the user for 14 days before allowing the user to pass.
(iii) The vaccinated user is in the duration of immunization for the vaccine. This is equivalent to the last date of vaccination plus the vaccine immunity lasting time that needs to be less than the current date. If the user's vaccination information does not meet this condition, the passport control point will need to adopt the strategy of vaccinating again to stimulate effective antibody protection.
None of the above proofs will reveal any information about the user's vaccination, including the production date and shelf life of the vaccine.

Vaccine Cold Chain Logistics.
This study adds Boldyreva's [12] threshold signature technique to other blockchain-based vaccine distribution management systems. Vaccine approval institutions in each country that adopt different standards act as participants in the threshold signature. The international coalition government acts as a trusted third party as the group administrator in the threshold signature group. This vaccine approval protocol effectively prevents collusion and corruption between vaccine approval institutions and vaccine manufacturing companies. The vaccine approval institutions approve samples of vaccines to be submitted for review in a distributed structure on a per-share basis. The distributed protocol allows for up to half of the vaccine approval institutions to be malicious. Once the approval of the submitted vaccine is complete, the vaccine manufacturer receives only the results of whether the submitted vaccine batch was approved or not and does not know the respective review opinions of the individual vaccine approval institutions. This prevents the vaccine manufacturing company from influencing the outcome of the approval, thereby achieving fairness and equity in vaccine approval. Details are outlined as follows.
Setup ($1^\lambda$): on input $1^\lambda$, where $\lambda \in \mathbb{N}$ is a security parameter, let $e: G_1 \times G_2 \to G_T$ be a bilinear map, where $G_1$ is a GDH group and $g$ is the generator of $G_1$. $G_2$ and $G_T$ are cyclic groups. The participants in our scheme are the set of $n$ vaccine approval institutions $AI_1, \dots, AI_n$. All AIs are connected by a broadcast channel as well as by secure point-to-point channels including the international coalition government GV. Let $H: \{0, 1\}^* \to G_2$ be a collision-resistant hash function.
Generating $x$ ($f_i(y)$, $f'_i(y)$): $AI_i$ chooses $a_{i0}, \dots, a_{it} \leftarrow_R \mathbb{Z}_p$ and $a'_{i0}, \dots, a'_{it} \leftarrow_R \mathbb{Z}_p$ to form the polynomials $f_i(y)$ and $f'_i(y)$ of degree $t$: $f_i(y) = a_{i0} + a_{i1} y + \cdots + a_{it} y^t$ and $f'_i(y) = a'_{i0} + a'_{i1} y + \cdots + a'_{it} y^t$. $AI_i$ broadcasts commitments to the polynomial coefficients $C_{ik} = g^{a_{ik}} h^{a'_{ik}} \bmod p$ for $k \in \{0, \dots, t\}$. $AI_i$ computes $s_{ij} = f_i(j)$ and $s'_{ij} = f'_i(j) \bmod q$ for $j \in \{1, \dots, n\}$ and sends $s_{ij}$ and $s'_{ij}$ to $AI_j$ to verify. Then, each $AI_j$ verifies if
If the above equation is not satisfied, $AI_j$ will broadcast the complaint against $AI_i$. According to the conditions satisfied by the distributed key generation protocol DKG for discrete-log based systems of Gennaro et al. [13], each $AI_i$ sets his share of the secret as $x_i = \sum_{j \in QUAL} s_{ji} \bmod q$. The distributed secret value $x$ equals $x = \sum_{i \in QUAL} a_{i0} \bmod q$ from the distributed secret polynomial:
Vaccine approval ($x_i$): $AI_i$ decides whether to approve the batch of vaccine according to the criteria. If $AI_i$ approves it, a signature $\sigma_i = H(\mathrm{vaccine})^{x_i}$ and $pk_i = g^{x_i}$ are generated and sent to GV. GV verifies the signature by $e(g, \sigma_i) = e(pk_i, H(\mathrm{vaccine}))$. If the verification passes, $AI_i$ is assigned to the set APPR.
Threshold signature ($\sigma_i$): if the number of $AI_i$s in set APPR is greater than $t$, is public Lagrange coefficient for the set APPR according to the Lagrange interpolation method [13].
According to the above equation, the resulting signature is that $\sigma_{vaccine} = \prod_{i \in APPR} \sigma_i^{LB_i(0)} = H(\mathrm{vaccine})^x$ and public key is that pk = ∏_{i ∈ APPR} (pk
User verification ($\sigma_{vaccine}$, $pk$, vaccine): the user checks that $e(g, \sigma_{vaccine}) \stackrel{?}{=} e(pk, H(\mathrm{vaccine}))$ for the vaccine. The user accepts the signature if $e(g, \sigma_{vaccine}) = e(pk, H(\mathrm{vaccine}))$ holds or rejects it otherwise.
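The share check, share aggregation, and Lagrange combination of signature shares from this protocol and from the threshold signature definition in Section 3.3, as an added example that is not code from the paper. Assumptions: a toy subgroup of Z_P^* stands in for the pairing groups, so the pairing check is replaced by a comparison with H(vaccine)^x that only this demo can make; the share check is the Pedersen-VSS equation used in the DKG of Gennaro et al. [13]; a dealer with a failing share is dropped from QUAL without a complaint-response round. All function names are hypothetical.

```python
import hashlib
import random

# Toy group, constructed for this example and far too small for real use:
# P is prime, Q = (P - 1) / 2; G and H generate the subgroup of order Q.
# A real deployment needs log_G(H) unknown and a pairing group for verification.
P, Q, G, H = 1_000_000_007, 500_000_003, 4, 9


def hash_to_group(msg):
    """Stand-in for H(vaccine): maps bytes to a non-identity subgroup element."""
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big") % (Q - 1) + 1
    return pow(G, e, P)


def poly_eval(coeffs, y):
    return sum(a * pow(y, k, Q) for k, a in enumerate(coeffs)) % Q


def deal(t, n, rng):
    """One AI_i's dealing: a_i0, commitments C_ik, and the shares (s_ij, s'_ij)."""
    f = [rng.randrange(Q) for _ in range(t + 1)]
    f2 = [rng.randrange(Q) for _ in range(t + 1)]
    commits = [pow(G, a, P) * pow(H, b, P) % P for a, b in zip(f, f2)]
    shares = {j: (poly_eval(f, j), poly_eval(f2, j)) for j in range(1, n + 1)}
    return f[0], commits, shares


def share_ok(j, s, s2, commits):
    """AI_j's check of a received share: g^s * h^s' == prod_k C_ik^(j^k)."""
    rhs = 1
    for k, c in enumerate(commits):
        rhs = rhs * pow(c, pow(j, k, Q), P) % P
    return pow(G, s, P) * pow(H, s2, P) % P == rhs


def run_dkg(t, n, rng, cheater=None):
    """All n institutions deal; a dealer with any failing share is left out of QUAL."""
    dealings = {i: deal(t, n, rng) for i in range(1, n + 1)}
    if cheater is not None:                     # constructed fault: one bad share
        s, s2 = dealings[cheater][2][1]
        dealings[cheater][2][1] = ((s + 1) % Q, s2)
    qual = [i for i, (_, c, sh) in dealings.items()
            if all(share_ok(j, sh[j][0], sh[j][1], c) for j in sh)]
    x_shares = {j: sum(dealings[i][2][j][0] for i in qual) % Q
                for j in range(1, n + 1)}
    x = sum(dealings[i][0] for i in qual) % Q   # computed only to check the demo
    return qual, x_shares, x


def lagrange_at_zero(i, ids):
    """Public Lagrange coefficient of index i at 0 for the index set ids."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * j % Q
            den = den * (j - i) % Q
    return num * pow(den, -1, Q) % Q


def sign_share(x_i, msg):
    """AI_i's signature share sigma_i = H(vaccine)^x_i."""
    return pow(hash_to_group(msg), x_i, P)


def combine(sig_shares):
    """GV's reconstruction: product of sigma_i^(L_i(0)) over the approving set."""
    ids = list(sig_shares)
    sigma = 1
    for i, s_i in sig_shares.items():
        sigma = sigma * pow(s_i, lagrange_at_zero(i, ids), P) % P
    return sigma


if __name__ == "__main__":
    qual, xs, x = run_dkg(2, 5, random.Random(), cheater=4)
    batch = b"constructed batch record"
    sigma = combine({i: sign_share(xs[i], batch) for i in (1, 3, 5)})
    print("QUAL:", qual, "signature valid:", sigma == pow(hash_to_group(batch), x, P))
```

With polynomials of degree t, any t + 1 approving institutions reconstruct the same signature and t or fewer do not, which matches the "greater than t" condition on the set APPR.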
Logistics consignment ($\sigma_{vaccine}$, vaccine): the structure of vaccine includes the following attributes: ID = H(manufacturer, batch number, serial number), manufacturer, batch number, serial number, vaccine certificate $\sigma_{vaccine}$, production date $x_p$, shelf life $x_s$, and the duration of immunization $x_d$. The vaccine manufacturing company broadcasts the vaccine properties, the entrusted logistics company, and the certification certificate $\sigma_{vaccine}$ as a package to the public blockchain.
Cold chain logistics transit ($\sigma_{vaccine}$, vaccine, $\sigma_r$): the responsible person for the cold chain logistics staging area broadcasts to the public blockchain the vaccine, the vaccine storage environment, its signature $\sigma_r$, and the logistics destination package.
Distribution of CDC (public blockchain, $sk_{CDC}$): after checking that the cold chain logistics on the public blockchain meets the standards for transporting biologics, the CDC attaches a signature $\sigma_{CDC}$ and broadcasts the distribution to the destination vaccination hospital to the public blockchain.

Vaccination Record.
The framework of the vaccination record system is based on Hyperledger Fabric [14], which is a permissioned blockchain. The privacy protection of the identity of the vaccination hospitals and vaccination users in the vaccine record system follows the technique of one-time sender and receiver public keys in PAChain [15]. The certificate of authority for the long-term public key (representing the identity of the hospital and the user) of the vaccination hospital and the vaccination user uses the BBS+ signature [16] issued by the international joint government. However, in the vaccination record system of this study, the identity of the user and hospital is anonymous to the endorsement node. The endorsement of the vaccination record by the endorsing node uses the anonymous credential technique based on the Boneh-Boyen signature [17]. Vaccination information is encrypted with the auditor's public key using ElGamal encryption [18] to ensure that the information is hidden. If necessary, the auditor can reveal the encrypted vaccination information with his or her secret key. Details are outlined as follows.
$(sk_{vc}, sk_{re}, sk_{sd}, pk_{vc}, pk_{re}, pk_{sd}) \leftarrow$ AuditorKeyGen(): the auditor picks random secret keys $sk_{vc}, sk_{re}, sk_{sd} \leftarrow_R \mathbb{Z}_p$ and outputs their public keys $pk_{vc} = g_1^{sk_{vc}}$, $pk_{re} = g_2^{sk_{re}}$, $pk_{sd} = g$
$(sk_e, pk_e) \leftarrow$ EndorserKeyGen(): the endorser picks a random secret key $sk_e \leftarrow_R \mathbb{Z}_p$ and outputs its public key $pk_e = g_e^{sk_e}$.
$(sk_{U,1}, sk_{U,2}, pk_{U,1}, pk_{U,2}) \leftarrow$ UserKeyGen(): the user randomly picks a pair of long-term secret keys $sk_{U,1}, sk_{U,2} \leftarrow_R \mathbb{Z}_p$ and computes a pair of long-term public keys $pk_{U,1} = g_4^{sk_{U,1}}$, $pk_{U,2} = g_4^{sk_{U,2}}$. HOSP is also a type of user, so it follows the same algorithm to generate $(sk_{H,1}, sk_{H,2}, pk_{H,1}, pk_{H,2})$.
$(Cert_{CA,U}) \leftarrow$ CACertIssue ($sk_{CA}$, $pk_{U,1}$): first, the user proves to the CA: $PoK\{(sk_{U,1}) : pk_{U,1} = g_4^{sk_{U,1}}\}$. After passing CA verification, the CA computes $A_{CA,U} = (g_u \cdot pk_{U,1} \cdot g_5^{s_u})^{1/(sk_{CA,U} + \omega_u)}$ using randomly selected $s_u, \omega_u \leftarrow_R \mathbb{Z}_p$ and its own $sk_{CA,U}$. Then, the CA issues a certificate $Cert_{CA,U} = \{A_{CA,U}, s_u, \omega_u\}$ to the user's $pk_{U,1}$. HOSP is also a type of user, so it follows the same algorithm to generate (
6 , where $r_v = \sum_{i=0}^{7} r_{v,i} \cdot (2^{16})^i$. The user sends $E_i$ to the auditor. Then, it proves in zero knowledge the knowledge of $(m_i, r_{v,i})$ and }. Details of the zero-knowledge proof are as follows: (1) The HOSP randomly picks $a_i, b_i \in \mathbb{Z}_p$ for $i \in \{0, \ldots, 7\}$ and $a, b \in \mathbb{Z}_p$ and then computes commitments:
4 ) $\leftarrow$ OTpkGen ($pk_{H,1}$, $pk_{H,2}$). HOSP encrypts the user's long-term public key $pk_{U,1}$ and the long-term public key $pk_{H,1}$ of HOSP to the auditor by picking random $r_{re}, r_{sd} \leftarrow_R \mathbb{Z}_p$ and computing $(E_{re} = pk_{U,1} \cdot pk_{re}^{r_{re}}, R_{re} = g_2^{r_{re}})$ and $(E_{sd} = pk_{H,1} \cdot pk_{sd}^{r_{sd}}, R_{sd} = g_3^{r_{sd}})$. Then, HOSP runs the following proof of knowledge to ensure that:
(i) $pk_{U,1}$ and $pk_{H,1}$ are issued a valid certificate of identity by the CA.
(ii) $otpk_U$ is generated from $pk_{U,1}$, and $otpk_H$ is generated from $pk_{H,1}$. $otpk_U$ is the one-time public key identity of the user whose public key is $pk_{U,1}$. $otpk_H$ is the one-time public key identity of HOSP whose public key is $pk_{H,1}$.
(iii) The user's long-term public key $pk_{U,1}$ and HOSP's long-term public key $pk_{H,1}$ are encrypted by the auditor's public keys $pk_{re}$ and $pk_{sd}$.
HOSP gives the following proof of knowledge to the endorser: $PoK\{(A_{CA,U}, s_u, \omega_u, pk_{U,1}, r_{re}, H_2(pk_{U,2}^{r_u})) : e(A_{CA,U}, g_1^{\omega_u} \cdot pk_{CA}) = e(g_u \cdot pk_{U,1} \cdot g_5^{s_u}, g_1) \wedge otpk_U = pk_{U,1} \cdot g_4^{H_2(pk_{U,2}^{r_u})} \wedge R_U = g_4^{r_u} \wedge E_{re} = pk_{U,1} \cdot pk_{re}^{r_{re}}\}$.
The details of the zero-knowledge proof are as follows: (1) HOSP randomly picks $r_a, r_b, r_c, r_d, r_e, r_\alpha, r_\beta \leftarrow_R \mathbb{Z}_p$ and makes $\theta = A_{CA,U}^{r_a}$. It computes commitments: $C_{U,1} = e((g_u \cdot E_{re})^{r_e} g_5^{r_\beta} \theta^{-r_c} pk_{re}^{-r_d}, g_1)$, 4 .
(2) It computes challenge $c = H(E_{re}, R_{re}, \theta, C_{U,1}, C_{U,2}, C_{U,3}, C_{U,4})$ and computes challenge response: , $z_c = r_c + c \cdot \omega_u$, $z_d = r_d + c \cdot r_f r_a$, $z_e = r_e + c \cdot r_a$, $z_\alpha = r_\alpha + c \cdot r_{re}$, $z_\beta = r_\beta + c \cdot r_a s_u$.
(3) It outputs $\pi_{re} = \{otpk_U, E_{re}, R_{re}, c, \theta, z_b, z_c, z_d, z_e, z_\alpha, z_\beta\}$. Likewise, HOSP proves the above relationship to the endorser. The proof process $\pi_{sd}$ is very similar to that of the user, so it will not be explained in detail here.
$(otsk_H) \leftarrow$ OTskGen ($sk_{H,1}$, $sk_H$ . At the same time, HOSP sends $R_U$ to the vaccination user over a secure channel. The user then generates his own one-time secret key $otsk_U = sk_{U,1} + H_2(R_U^{sk_{U,2}})$.
(0/1) $\leftarrow$ EndorserVerify ($\pi_{re}$, $\pi_{sd}$, $\pi_{enc}$): the endorser verifies the legitimacy of the vaccination information and the legitimacy of the one-time public keys of the sender (HOSP) and the receiver (user). The details of the zero-knowledge proof are as follows: (1) First HOSP needs proof to endorser: PoK . It outputs 1 if the above equation holds or 0 otherwise.
(3) On input $\pi_{re}$, endorser computes C U,1 ′ = e((g u · E re ) z e g z β 4 (otpk U /E re ) c . Then, endorser computes $c' = H(E_{re}, R_{re}, \theta, C_{U,1}', C_{U,2}', C_{U,3}', C_{U,4}')$ and checks $c' \stackrel{?}{=} c$. It outputs 1 if $c' = c$ holds or 0 otherwise.
(4) On input $\pi_{sd}$, endorser does the same as in (3). The initiator of the vaccine record upload operation can only be the hospital. Therefore, at this step, the endorser needs to verify that the initiator of the upload operation has a valid hospital identification credential.
$(Cert_e) \leftarrow$ EndorserCredIssue ($otpk_H$, $E$, $sk_e$): after verifying the legitimacy of the vaccine information commitment and the legitimacy of the one-time public keys of HOSP and the user, the endorser generates a certificate $Cert_e$ by endorsing the vaccination record ($otpk_H$ and $E$).
The endorser picks random $l, k \leftarrow_R \mathbb{Z}_p$ and uses secret key $sk_e$ to compute $Cert_e = \{A_e = (g_7 \cdot g_8^l \cdot E \cdot otpk_H)^{1/(sk_e + k)}, l, k\}$, which it sends to HOSP.
(1/0) $\leftarrow$ EndorserCredProof ($Cert_e$, $otsk_H$, $M$, $r_v$): after obtaining the endorser's certificate $Cert_e$, HOSP needs to prove in zero knowledge to the verifier that the vaccination record has a valid certificate. First, HOSP computes the tag $T = f^{otsk_H}$ for detecting double recording. HOSP gives the following proof of knowledge to the verifier: $PoK\{(otsk_U, M, r_v, A_e, l, k) : e(A_e, pk_e \cdot g_e^k) = e(g_7 \cdot g_8^l \cdot g_0^M \cdot pk_{vc}^{r_v} \cdot g_4^{otsk_H}, g_e) \wedge T = f^{otsk_H}\}$. (7)
The details of the zero-knowledge proof are as follows:
(1) HOSP randomly picks $r_a, r_b, r_c, r_d, r_e, r_s, r_\alpha, r_\beta \leftarrow_R \mathbb{Z}_p$ and makes $S_1 = A_e \cdot u_1^{r_a}$, $S_2 = g_8^{r_a}$. It computes commitments: C e,1 = e(u r d , g e ) · e(u 1 , pk e ), C e,2 = g
(2) It computes challenge $c = H(T, S_1, S_2, C_{e,1}, C_{e,2}, C_{e,3}, C_{e,4})$ and computes challenge response
(3) It outputs $\pi_e = \{Cert_e, c, S_1, S_2, z_b, z_c, z_d, z_e, z_s, z_\alpha, z_\beta\}$
(4) On input $\pi_e$ and $pk_e$, verifier computes C e,1 ′ = e(u
(1/0) $\leftarrow$ Audit ($E_{re}$, $R_{re}$, $E_{sd}$, $R_{sd}$, $\{E_i, R_i\}_{i \in \{0,\ldots,7\}}$): on input the ciphertexts $(E_{re}, R_{re})$, $(E_{sd}, R_{sd})$ and $sk_{re}$, $sk_{sd}$, the auditor can reveal the long-term public keys of users and HOSP by computing $pk_{U,1} = E_{re}/R_{re}^{sk_{re}}$, $pk_{H,1} = E_{sd}/R_{sd}^{sk_{sd}}$. On input a ciphertext $\{E_i, R_i\}_{i \in \{0,\ldots,7\}}$ and $sk_{vc}$, the auditor can reveal vaccination information by computing
The auditor uses a precomputation table containing $(g^0, g^1, \ldots, g^{2^{16}-1})$ to find the message $m_i$ and reveal the vaccination information $M = (m_7 \| \ldots \| m_0)$. The auditor uses the secret keys $sk_{re}$, $sk_{sd}$ to reveal the long-term public key $pk_{H,1} = E_{sd}/R_{sd}^{sk_{sd}}$ of the vaccination hospital and the long-term public key $pk_{U,1} = E_{re}/R_{re}^{sk_{re}}$ of the vaccination user.
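The following Python sketch is an added example, not code from the paper or from PAChain, of the key and ciphertext algebra behind OTpkGen/OTskGen and Audit as described above. It assumes a toy safe-prime group in place of the pairing groups, SHA-256 as a stand-in for $H_2$, and per-chunk ciphertexts of the exponential-ElGamal form $E_i = g_0^{m_i} \cdot pk_{vc}^{r_{v,i}}$, $R_i = g_1^{r_{v,i}}$, which the text above only partly preserves; none of the zero-knowledge proofs are implemented.

```python
import hashlib, math, secrets

def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

def _toy_group(bits=20):
    """First safe prime p = 2q + 1 above 2**bits. Toy size, NOT secure."""
    q = 2 ** (bits - 1) + 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = _toy_group()
# Squares mod a safe prime have prime order Q; assumed stand-ins for g_0, g_1, g_2, g_4.
G0, G1, G2, G4 = 4, 9, 25, 49
CHUNKS, BITS = 8, 16                      # M = (m_7 || ... || m_0)

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

def keygen(g):
    sk = rand_exp()
    return sk, pow(g, sk, P)

def h2(elem):
    """Assumed stand-in for H_2: group element -> Z_q."""
    return int.from_bytes(hashlib.sha256(str(elem).encode()).digest(), "big") % Q

def ot_pk_gen(pk1, pk2):
    """Returns (otpk, R_U) with otpk = pk1 * g4^H2(pk2^r_u), R_U = g4^r_u."""
    r_u = rand_exp()
    return pk1 * pow(G4, h2(pow(pk2, r_u, P)), P) % P, pow(G4, r_u, P)

def ot_sk_gen(sk1, sk2, R_u):
    """otsk = sk1 + H2(R_U^sk2); only the holder of sk2 can derive it."""
    return (sk1 + h2(pow(R_u, sk2, P))) % Q

def enc_identity(pk1, pk_re):
    """(E_re, R_re) = (pk1 * pk_re^r, g2^r): long-term key escrowed to auditor."""
    r = rand_exp()
    return pk1 * pow(pk_re, r, P) % P, pow(G2, r, P)

def audit_identity(E_re, R_re, sk_re):
    return E_re * pow(R_re, -sk_re, P) % P       # pk1 = E_re / R_re^sk_re

def vacc_info_enc(M, pk_vc):
    """Encrypt a 128-bit record as eight 16-bit chunks; also return E and r_v."""
    cts, E, r_v = [], 1, 0
    for i in range(CHUNKS):
        m_i = (M >> (BITS * i)) & (2 ** BITS - 1)
        r_i = rand_exp()
        E_i = pow(G0, m_i, P) * pow(pk_vc, r_i, P) % P
        cts.append((E_i, pow(G1, r_i, P)))
        E = E * pow(E_i, 2 ** (BITS * i), P) % P     # E = prod E_i^((2^16)^i)
        r_v += r_i << (BITS * i)                     # r_v = sum r_i * (2^16)^i
    return cts, E, r_v

def build_table():
    """Auditor's precomputation table: g0^m -> m for m in [0, 2^16)."""
    table, acc = {}, 1
    for m in range(2 ** BITS):
        table[acc] = m
        acc = acc * G0 % P
    return table

def audit_vacc_info(cts, sk_vc, table):
    M = 0
    for i, (E_i, R_i) in enumerate(cts):
        g_m = E_i * pow(R_i, -sk_vc, P) % P      # g0^m_i = E_i / R_i^sk_vc
        if g_m not in table:                     # chunk was not a 16-bit value
            raise ValueError(f"chunk {i} is outside [0, 2^16)")
        M |= table[g_m] << (BITS * i)
    return M
```

A chunk outside the 16-bit range cannot be opened with the table, so the auditor's ability to read a record depends on every $m_i$ being in range.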

Vaccine Passport.
The signing of the vaccine passport is accomplished by the vaccination hospital. This process uses a ring signature [19] to ensure the anonymity of the vaccination hospital when issuing the authorization. During the presentation of the vaccine passport, the vaccination properties are proven using the Bulletproofs scheme [20] in range proofs to guarantee the validity of the vaccine without exposing the vaccine information. Before using Bulletproofs, it uses interactions to transform the relationships of vaccine attributes into relationships suitable for Bulletproofs range proofs [21]. The identity privacy of the owner of the vaccine passport is protected using the same one-time public key technique as that used to protect the identity of the user in the previous vaccination record system.
After the user has received the last vaccination at the hospital, the hospital uploads the vaccination record information to the consortium blockchain. The hospital then issues a vaccine passport to the user.

Vaccine Passport Issue
(1) The user commits the date of vaccination $x_v$, production date $x_p$, shelf life $x_s$, and the duration of immunization $x_d$ by selecting $r_v, r_p, r_s, r_d \leftarrow_R \mathbb{Z}_p$ and
The user sends $C_v, C_p, C_s, C_d, r_v, r_p, r_s, r_d$ to the vaccination hospital. For the user identity certificate $Cert_{CA,U} = \{A_{CA,U} = (g_u \cdot pk_{U,1} \cdot g_5^{s_u})^{1/(sk_{CA} + \omega_u)}, s_u, \omega_u\}$ issued by the CA, the user randomly selects $r_a \leftarrow_R \mathbb{Z}_p$ to send $A_{CA,U}^{r_a}$ to HOSP.
(2) HOSP receives the user information and opens the commitment and checks:
If one of the equations does not hold, HOSP refuses to issue a vaccine passport to its user. Otherwise, HOSP accepts to issue a vaccine passport for the user.
(3) HOSP generates a ring signature $\sigma_{ring}$ for the vaccine passport information $(C_v, C_p, C_s, C_d, A_{CA,U}^{r_a})$. First, it lets $m = H(C_v, C_p, C_s, C_d, A_{CA,U}^{r_a})$ and selects $(n - 1)$ public keys of other hospitals. Then, it randomly picks seed $\alpha \leftarrow$
Suppose that $f$ is a trapdoor one-way function such as RSA. It computes $y_i = f(x_i, pk_i)$ and $v_{(i_s + 1)} = H(m \| \alpha)$ to go along the ring from signer index $i_s$. It closes the ring by computing
and uses secret key $sk_H$ of signing HOSP to compute
. HOSP randomly selects an index $i_0$ and outputs the ring signature $\sigma_{ring} = (i_0, v_{i_0}, x_1, \ldots, x_n, pk_1, \ldots, pk_n)$.
(4) HOSP outputs vaccine passport $\{C_v, C_p, C_s, C_d, A_{CA,U}^{r_a}, \sigma_{ring}\}$

Vaccine Passport Proof
(1) The user generates a new one-time public and secret key pair by $(otpk_U', R_U') \leftarrow$ OTpkGen ($pk_{U,1}$, $pk_{U,2}$) and $(otsk_U') \leftarrow$ OTskGen ($sk_{U,1}$, $sk_{U,2}$, $R_U'$). The user gives the following proof to the vaccine passport checkpoint: $PoK\{(A_{CA,U}, s_u, \omega_u, pk_{U,1}, r_{re}, H_2(pk_{U,2}^{r_u})) : e(A_{CA,U}, g_5^{\omega_u} \cdot pk_{CA}) = e(g_u \cdot pk_{U,1} \cdot g$
(2) The vaccine passport checkpoint verifies the legitimacy of the ring signature $\sigma_{ring}$. The verification is straightforward; the vaccine passport checkpoint
The user produces high titers of antibodies to create effective protection. This corresponds to the last date of vaccination plus 14 days [11], which needs to be greater than the current date. It requires that the inequality $(x_v + x_d) < t$ be satisfied, where $t$ is the current date. The vaccinated user is in the duration of immunization for the vaccine. This is equivalent to the last date of vaccination plus the vaccine immunity lasting time needs to be less than the current date. It requires that the inequality $x_v > (t - 14)$ be satisfied.
$PoK\{(x_p, x_s, x_d, x_v, r_p, r_s, r_d, r_v, C_p, C_s, C_d, C_v) : C_p = g^{x_p} h^{r_p}, C_s = g^{x_s} h^{r_s},$
(4) After the vaccine passport checkpoint returns $g^t$, $g^{(t-14)}$, $g^{2^l}$, the above range proof translates to $PoK\{(x_p, x_s, x_d, x_v, r_p, r_s, r_d, r_v),$

Security Analysis
Definition 1. A threshold signature scheme is called a secure robust threshold signature scheme if the following two conditions hold: (i) Unforgeability: every PPT adversary A is allowed to corrupt up to t participants in the threshold system and is given the oracle channel to ask a finite number of messages $m_i$ and threshold signatures $\sigma_i$. Eventually, it forges with negligible probability a valid $(m, \sigma)$, and $m$ is not in the set of previous queries $(m_i, \sigma_i)$. (ii) Robustness: every PPT adversary A is allowed to corrupt up to t participants in the threshold system, and the threshold signature protocol still runs successfully.
Theorem 1. (t, n)-threshold signature scheme under the GDH group is a secure threshold signature scheme in the random oracle model against an adversary which is allowed to corrupt any t < n/2 participants.
Definition 2 (Soundness). The vaccination information privacy protocol is sound if for every PPT adversary A with an oracle to query a polynomial number of times $(E_i, R_i, E, R_v) \leftarrow$ VaccInfoEnc (vaccination, $pk_{vc}$), and then, Pr 1⟵EndorserVerify π enc :
Theorem 2. The vaccination information privacy protocol is sound if DLP is hard, and the protocol provides knowledge of soundness.

Proof.
It □
Definition 3 (Privacy). The vaccination information is private in the protocol if for every PPT adversary A:
Theorem 3. The vaccination information is private in the protocol if DDH is hard in $G_1$, and the protocol is HVZK.
) used in this protocol is the ElGamal encryption algorithm. The security of this encryption is based on the DDH assumption. If the DDH assumption is difficult on $G_1$, the vaccination information of this protocol is private during transmission. The simulator of this protocol randomly picks $\{E_i, R_i, z_{1,i}, z_{2,i}\}_{i \in \{0,\ldots,7\}}$ Then, it computes where they are indistinguishable from real protocol interactions. The simulator sets $c'$ as $H(\{E_i, R_i, C_{v,i}, D_{v,i}\}_{i \in \{0,\ldots,7\}}, E, R_v, C_v, D_v)$ in the random oracle model. Therefore, this protocol provides zero-knowledge of vaccination information.

Security and Communication Networks
Definition 4 (Soundness). The users (including hospitals and vaccination users) privacy protocol is sound if for every PPT adversary A with an oracle to query a polynomial number of times $(Cert_{CA,U}) \leftarrow$ CACertIssue ($pk_{U,1}$), and then,
(i) The public key of the user (including hospital and vaccination user) is issued a valid certificate $(A_{CA,U}, s_u, \omega_u)$: Pr[1 $\leftarrow$ EndorserVerify($\pi_{re}$ or $\pi_{sd}$) : $Cert_{CA,U}' \leftarrow A(pk_{U,1})$ where $(Cert_{CA,U}', pk_{U,1}) \notin$ oracle queries, $(otpk_U, \pi_{re}$ or $\pi_{sd}) \leftarrow$ OTpkGen($pk_{U,1}$, $pk_{U,2}$)]
(ii) $otpk_U$ is computed from a public key $pk_{U,1}$ and the public key $pk_{U,1}$ is encrypted to the auditor: Pr[1 $\leftarrow$ EndorserVerify($\pi_{re}'$ or $\pi_{sd}'$) : $Cert_{CA,U} \leftarrow$ CACertIssue($pk_{U,1}$), $(otpk_U', \pi_{re}'$ or $\pi_{sd}') \leftarrow A(pk_{U,1}', pk_{U,2}')$ where $pk_{U,1}' \neq pk_{U,1}$]

Theorem 4. The users (including hospitals and vaccination users) privacy protocol is sound if the q-SDH assumption
BBS+ signature is unforgeable against adaptively chosen message attack under the q-SDH assumption. otpk U , R U (0),(1) ⟵OTpkGen pk U,1 ,

Theorem 5. The anonymity of users (including hospitals and vaccination users) is enabled in the protocol if CDH is hard in $G_1$, and the protocol is HVZK.
Proof.
The encryptions $(E_{re} = pk_{U,1} \cdot pk_{re}^{r_{re}}, R_{re} = g_2^{r_{re}})$ and $(E_{sd} = pk_{H,1} \cdot pk_{sd}^{r_{sd}}, R_{sd} = g_3^{r_{sd}})$ used in this protocol are ElGamal encryptions. The security of this encryption is based on the DDH assumption. The one-time public key generation algorithm, $(otpk_U = pk_{U,1} \cdot g_4^{H_2(pk_{U,2}^{r_u})}, R_U = g_4^{r_u})$ and $(otpk_H = pk_{H,1} \cdot g_4^{H_2(pk_{H,2}^{r_h})}, R_H = g_4^{r_h})$, is based on the CDH assumption. If the CDH assumption is difficult on $G_1$, the anonymity of users (including hospitals and vaccination users) is enabled during transmission. The simulator of this protocol randomly picks $c', \theta, z_b, z_c, z_d, z_e, z_\alpha, z_\beta \leftarrow_R$ corresponding domain. Then, it computes $C_{U,1} = e((g_u \cdot E_{re})^{z_e} g_5^{z_\beta} \theta^{-z_c} pk_{re}^{-z_d}, g_1) \cdot e(\theta, pk_{CA})^c$, where they are indistinguishable from real protocol interactions. The simulator sets $c'$ as $H(E_{re}, R_{re}, \theta, C_{U,1}, C_{U,2}, C_{U,3}, C_{U,4})$ in the random oracle model. Therefore, this protocol provides zero-knowledge of the CA certificate for the user's long-term public key and of the user's long-term public key.

□
Theorem 6. The vaccination information endorsement protocol is sound if the q-SDH assumption holds in $(G_1, G_2)$ in the random oracle model, where q is the maximum number of EndorserCredIssue oracle queries, and the protocol provides knowledge of soundness. Therefore, this protocol provides zero-knowledge of vaccination information.
□
Lemma 1 (Ring lemma). A ring signature is unforgeable if the DL assumption holds. The anonymity of the ring signature is unconditional.

Lemma 2. The Bulletproof has perfect completeness, perfect special honest verifier zero-knowledge, and computational witness extended emulation.

Security and Privacy.
We compare the vaccine system proposed in this study with other solutions proposed in academia and platform systems that have been applied in practice, as given in Table 1. The main aspects of comparison are the blockchain structure, the domain covered by the system, the properties of user privacy protection, and auditability.
In terms of vaccine system structure, the nonblockchain-based vaccine system is represented by the China health code system, a digital vaccine certificate implemented by the Chinese government based on Alipay, a trusted third party. The authentication of the vaccine certificate is done by the verifier through the QR code in the Alipay wallet app. The other kind, the blockchain-based vaccine system, mainly takes advantage of the immutability and decentralized property of blockchain to create a more credible and secure vaccine system, which is also the trend of vaccine system research. The main types of blockchains in vaccine systems are public blockchains, private blockchains, and consortium blockchains. In this study and [10], a double-chain structure is used. However, under the assumption of global recognition, the consortium blockchain has an advantage over the private blockchain in terms of use coverage.
In terms of privacy protection, we divide user privacy into user identity privacy, vaccination hospital privacy, and privacy of vaccination records. Systems with a single public blockchain structure, for example [5,6], do not protect user privacy. The blockchain of vaccination records in [7] keeps sensitive information of users out of the blockchain and protects user privacy to some extent. The schemes in [8,10,22,23] use a private blockchain or consortium blockchain for participants' identity authentication to protect user privacy. Qiu and Zhu [10] stored all the vaccination records in a private blockchain, and Alabdulkarim et al. [24] stored the private data on the private database of the authorized specific peer. However, this does not prevent the nodes in the private blockchain from leaking users' vaccination privacy, and the storage of vaccination records would be centralized. In the study by Abid et al. [8], the vaccination certificate is issued by the healthcare provider (issuer) with a signature. Therefore, this process can expose the privacy of the user's vaccination hospital. Also, this scheme cannot audit the vaccination information because it uses a private blockchain and a certain degree of information encryption. Both [22,23] use a consortium blockchain structure but do not encrypt any user privacy information, so these two schemes guarantee the privacy of user personal information only to some extent. However, the privacy of vaccination hospitals cannot be guaranteed. "√ " represents that the privacy protection of this attribute of the vaccine system is based on stronger assumptions, such as storing the private data in a private database off-chain or increasing the restriction of database access, thus having a higher probability of privacy leakage. "?" represents that this attribute of the vaccine system is not mentioned in the open-source code or references.
The main objective of this study is to propose a framework for a double-chain-based vaccine passport system and to refine the design of the protocol between specific participants. The goal of this study is to provide a systematic solution to the vaccine passport which focuses more on the theoretical aspect. Therefore, only a qualitative analysis of the system's performance is presented here.
The additional performance overhead of the public blockchain-based vaccine cold chain phase is mainly in the approval phase. For each approval process of vaccines sent for review, the approval institutions in each country need to participate in the distributed setting of threshold secret sharing of the value $x$. For each distributed key generation protocol, it is assumed that there are $n$ approval institutions, and each institution needs to generate 2 random polynomials. At the same time, each approval authority broadcasts the commitment of polynomials to the other $(n - 1)$ approval authorities. The communication data volume of the whole broadcast channel is $O(n^2)$. The permissioned blockchain framework for the vaccination record phase of this study is based on the Hyperledger Fabric architecture. By referring to the idea of PAChain [15], the privacy of the vaccination records is protected among the endorsers, orderers, and committing peers.
This study removes the trust in the endorser compared to PAChain, which adds to the authentication protocol. Therefore, the system latency in this phase is slightly higher than in PAChain. The performance bottleneck in the passport identification phase is mainly due to the range proof of the vaccine attributes. Benefiting from the efficiency and aggregability of Bulletproofs [20], the proof size of vaccine passports in the presentation phase is $O(\log(mn))$ for a batch size of $n$ users and a vaccine attribute length of $m$ bits. For the specific case where the vaccine attribute is 64 bits ($m = 64$), the proof size for a single user is 3 × 675 = 2025 bytes, while the aggregated proof size for 512 users is 3 × 1253 = 3759 bytes.
Based on the results of the above system performance analysis, we believe that the vaccine passport system proposed in this study is feasible for development and implementation. In future implementations, sacrificing acceptable system performance loss in exchange for abundant privacy-preserving security properties is to be considered in advance.

Conclusion
This study makes improvements to the vaccine approval part of the previous vaccine distribution and management system. The introduction of a threshold signature scheme in distributed vaccine approval institutions has a certain degree of deterrence against collusive corruption between vaccine approval institutions and vaccine manufacturing companies. Second, the privacy protection in the previous double-chain system is optimized. In this study, the privacy protection of vaccination hospitals, vaccine trusts, and vaccination users is added to the audit function, which increases the controllability and auditability of the vaccination record system in practice. Finally, the vaccine passport proposed in this study protects the privacy of the user's vaccination hospital, the vaccine, and the user's identity while proving the validity and legitimacy of the passport to the vaccine passport checkpoint. Moreover, it is possible to differentiate and adopt targeted measures and policies for different conditions of the vaccine passport. Future work in this study lies in weakening the authority of local vaccination hospitals in the system. It can increase the link between the double chains using corresponding cryptographic techniques.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.