Blockchain-Empowered Secure and Privacy-Preserving Health Data Sharing in Edge-Based IoMT

Health data sharing, as a booming demand, enables the patients with similar symptoms to connect with each other and doctors to obtain the medical history of patients. Health data are usually collected from edge-based Internet of medical things (IoMT) with devices such as smart wearable devices, smart watches, and smartphones. Since health data are highly private and have great ﬁnancial value, adversaries ceaselessly launch diverse attacks to obtain private information. All these issues pose great challenges to health data sharing in edge-based IoMT scenarios. Existing research either lacks comprehensive consideration of privacy and security protection or fails to provide a proper incentive mechanism, which expels users from sharing data. In this study, we propose a novel blockchain-assisted data sharing scheme, which allows secure and privacy-preserving proﬁle matching. A bloom ﬁlter with hash functions is designed to verify the authenticity of keyword ciphertext. Key-policy attribute-based encryption (KP-ABE) algorithm and smart contracts are employed to achieve secure proﬁle matching. To incentivize users actively participating in proﬁle matching, we devise an incentive mechanism and construct a two-phase Stackelberg game to address pricing problems for data owners and accessing problems of data requesters. The optimal pricing mechanism is specially designed for encouraging more users to participate in health data sharing and maximizing users’ proﬁt. Moreover, security analysis illustrates that the proposed protocol is capable of satisfying various security goals, while performance evaluation shows high scalability and feasibility of the proposed scheme in edge-based IoMT scenarios.


Introduction
Internet of medical things (IoMT) can improve healthcare service quality by sharing health data among users and realize remote health care. Generally, profile matching is the prerequisite of health data sharing. For example, patients with similar symptoms may want to connect with others, exchange their experiences, and broaden the understanding of the symptoms helping them to get early diagnosis or better treatments in time [1,2].
Since IoMT devices are usually resource constraint, edge computing is introduced into the system to improve the efficiency [3,4]. Due to privacy-sensitive nature of health data, data security and privacy preservation are crucial in edge-based IoMT system. Although the existing schemes use cryptographic algorithms to achieve security, there are still some threats because the edge is a semi-trusted center and also faces a single point of failure. In addition, these works failed to take incentive problem into consideration for users. Even though incentive mechanism is considered in [5,6], the security issues in profile matching have hardly been solved.
Fortunately, emerging blockchain technology is tamperproof, decentralized, transparent, anonymous, and autonomous, which is a promising solution for the aforementioned problems [7]. Although blockchain is conducive to profile matching and health data sharing, there are still three following challenges: (1) how to realize privacy preservation through profile matching in blockchain environment? (2) How to ensure that the authenticity of the keyword is selected from a valid keyword set while not revealing users' private information? (3) How to design an incentive mechanism for motivating users to take an active part in the system?
To solve the above challenges, we put forward a secure and privacy-preserving profile matching scheme by employing key-policy attribute-based (KP-ABE) keyword search and bloom filter in edge-based IoMT. Blockchain is adopted to store the keyword ciphertext. It ensures that requesters access the desired data and protect data privacy. Moreover, the bloom filter verifies the authenticity of keyword ciphertext using various hash functions without disclosing any sensitive information. We design an optimal pricing mechanism to incentivize data owners and data requesters to participate in this system. e major contributions of the proposed scheme are summarized as follows.
We construct a new blockchain-based profile matching framework in edge-based IoMT with security and privacy preservation. We design a bloom filter based on many hash functions to verify whether the keyword is selected from a valid keyword set before storing the keyword ciphertext in blockchain. In this way, the computational cost is significantly reduced.
We present a key-policy attribute-based keyword search and bloom filter profile matching protocol in a blockchain-enabled edge-based IoMT. Only when data users' attribute set satisfies the access structure set, users are able to access the desired data. Data owners' original data are stored in local server, while the corresponding keyword ciphertext is kept in blockchain verified by a bloom filter. It greatly improves search efficiency.
We devise an optimal pricing mechanism to motivate users to actively participate in the system. e data owners take part in pricing and setting payment for matching data according to pricing list based on an optimal pricing mechanism. In particular, it provides an economic approach to analyze the incentive mechanism. By utilizing game-based optimal pricing mechanism, data owners and data requesters can obtain their maximum benefits. Furthermore, we implement smart contracts on the Ethereum platform and conduct extensive evaluations to demonstrate the superiority of the proposed scheme. e structure of the study is organized as follows. Related works about health data sharing with edge computing blockchain-based profile matching are elaborated in Section 2. Section 3 introduces preliminaries of the work. Section 4 presents system architecture, workflow, security threats, and design goals. Section 5 designs the detailed profile matching protocol for the proposed blockchain, proposes an optimal pricing mechanism to incentive data owner and data requester actively participating in data sharing, and presents the smart contracts. en, Section 6 analyzes how our scheme achieves the security goals. Section 7 carries out the proposed scheme on Ethereum platform to estimate the performance of protocol and smart contracts. Finally, Section 8 concludes this work.

Related Work
In this section, we introduce existing relevant researches on health data sharing with edge computing, profile matching, and incentive mechanisms.

Health Data Sharing with Edge
Computing. Privacy issues emerge with the fast development of edge computing and IoMT [8,9]. e edge node was the closest to the restricted resource devices and had strong computing power. erefore, some edge-based healthcare systems were proposed [10]. Pustokhina et al. [11] presented an effective scheme in edge computing-enabled IoMT system. e IoMT devices sensed patient's data and transferred the captured data to edge computing. Aiming at guaranteeing data security and flexible right control simultaneously, an efficient attribute-based encryption (ABE) scheme was proposed to outsource part of encryption and decryption to edge nodes [12]. It supported attribute updates and reduced the computing cost of resource-constrained devices for edge-enabled smart health care. To rely on a trusted center, Akkaoui et al. [13] proposed a blockchain-based secure health data sharing framework in edge computing, named "EdgeMediChain." e work promoted the necessary requirements for scalability, security, and privacy of medical ecosystem. Similarly, Nguyen et al. [14] proposed a new decentralized health architecture that integrates mobile edge computing and blockchain for data offloading and data sharing in distributed hospital networks. ey utilized a decentralized authentication mechanism associated with a distributed IPFS storage to improve service quality. e ongoing study [15] proposed a ubiquitous healthcare framework that leveraged edge computing, big data, deep learning, high-performance computing, and the IoMT to solve the above challenges. e framework made use of four layers. ree main components improved network service quality. However, these works did not provide profile matching and incentive mechanisms for these health data.

Profile
Matching. Some cloud-assisted solutions have been proposed to address the problems of data security and privacy preservation for profile matching [16][17][18]. Li et al. [17] put forward a privacy-preserving and scalable matching protocol without disclosing the users' personal data to the cloud. To achieve secure communication between users, He et al. [18] designed an efficient Cross-Domain HandShake (CDHS) scheme with symptom matching in hierarchical identity-based cryptosystem. Compared with the existing profile matching schemes, their schemes used cloud computing to conduct most of the computation, which effectively reduced user's computation complexity. However, the cloud is a semi-trusted center, which may collude with other malicious users to obtain the sensitive data.
Blockchain has drawn considerable interests in research and industrial communities [19][20][21][22] due to its advantages. Yang et al. [23] designed a distributed matching mechanism based on blockchain. Furthermore, their scheme transformed the social welfare maximization problem into a matching game of bilateral matching and unilateral preference. Meng et al. [24] proposed a blockchain-enabled signature matching while achieving data security and privacy preservation. In [25], a matching scheme based on hierarchical blockchain was proposed to protect users' privacy. e scheme combined ciphertext-policy attributebased (CP-ABE) encryption and bloom filter to meet users' requirements to search friends. e aforementioned works proposed heuristic blockchain-based profile matching schemes with data security and privacy preservation. In fact, some researches presented a structure or concept for profile matching based on blockchain without technically proposing a solution in detail for a specific application scenario. In this work, we present a novel blockchain-based profile matching framework by employing (key-policy attribute-based encryption) KP-ABE and bloom filter to achieve data security and privacy preservation. In addition, we design a detailed profile matching protocol and implement the devised smart contracts on Ethereum test platform.

Incentive Mechanisms.
To encourage more users to join the system, some incentive mechanisms have been designed. Jiao et al. [26] proposed a profit maximization mechanism to maximize the profit under different users' valuation distributions. e pricing mechanism effectively solved the profit maximization problem and provided useful strategies for users. Game-theoretic methods had been extensively used in pricing mechanism [27,28]. e uncertainty of future prices with a single-leader, multiple-follower Stackelberg game was proposed to maximize profits by setting optimal pricing strategy [27]. It provided a simple distributed algorithm for finding the unique Stackelberg equilibrium point. Chen et al. [28] proposed a pricing approach for incentive mechanisms and considered a two-stage game in a three-layer architecture. ey formulated a Markov decision process (MDP)-based social welfare maximization model and studied a convex optimization pricing problem.
Some works adopted blockchain technology to design incentive mechanisms. Liu et al. [29] designed an optimal pricing mechanism and adopted a two-phase Stackelberg game to address pricing and buying problem of the users. Furthermore, they used backward induction to investigate the quantity of purchased data and pricing strategies. Li et al. [30] put forward an incentive mechanism to encourage users to participate in sharing data through price-aware top-k matching queries. Xiong et al. [31] proposed multi-leader multi-follower game-based alternating direction method of multipliers algorithm for pricing to accomplish optimum results in a distributed manner. Zhang et al. [32] designed a dynamic, hierarchical pricing mechanism based on economic modeling methods and heterogeneous agent theory. Nie et al. [33] proposed an optimal incentive mechanism of users using backward induction and applied a Stackelberg game to analyze users' participation level. e existing work failed to apply the incentive mechanism to encourage data owners and data requesters to share health data. In this scheme, we combine blockchain technology and smart contract to design an optimal pricing mechanism with the guarantee of data security and privacy preservation for motivating users to actively join the system and maximizing their profits.

Preliminaries
In this section, we provide preliminaries required in this work.

Cryptographic Assumptions
Definition 1. Decisional Bilinear Diffie-Hellman Problem (DBDH). We denote an elliptic curve as E and consider a cycle group G of prime order q. Let P be a generator in G 1 and a, b, c, z ∈ Z * q . e DBDH problem is defined as follows: given an input tuple (P ∈ G 1 , aP ∈ G 2 , bP ∈ G 2 , cP ∈ G 2 ), e(P, P) abc is computed. Assume that an attacker A can successfully distinguish between e(P, P) abc and e(P, P) z with the advantage Adv DB DH A (λ). If the DBDH assumption holds, the advantage Adv DB DH A (λ)⩽ε must be ignored.

Linear Secret-Sharing Schemes (LSSS).
Adv DBDH Pr A e, P, P, P, P, e(P, P) abc � 1 − Pr A e, P, P, P, P, e(P, P) z � 1 ⩽ ε. (1) An LSSS access structure is denoted as (N, ρ), where N is an l × n matrix and ρ is an injective function from 1, 2, . . . , l { }. to attributes. Let S ∈ N be an authorized set, defined as I � i | ρ(i) ∈ S . Let T r be the set of distinct attributes in N. Here, q is the secret to be shared and r 2 , . . . , r n ∈ Z * q is randomly chosen.
Given an attribute set S and N i , π i ∈ Z q , i ∈ I is found and i∈I π i N i � (1, 0, . . . 0) is formulated. [34] is a data structure for validating whether an element comes from a set. are set to 0, it represents that the element w does not belong to the set. Otherwise, all the bits in the positions are set to 1, which means the element is in the set. ere exists a possibility that w ∉ W, and all bits in the corresponding positions are all 1, termed as the false-positive error. Its probability is (1 − (1 − 1/m) kn ) k . Here, k � m/nln2. Hash functions are able to minimize false-positive probability (0.6185) m/n . ere are two algorithms, shown as follows:

Blockchain and Smart Contract.
Blockchain is a distributed ledger, which records numerous transactions [35]. All nodes in the network have the same copy of the ledger. Blockchain has the features of decentralization, privacy preservation, immutability, fault tolerance, and the ability to implement smart contracts. In blockchain, consensus algorithm is used to address the consistency issue of untrusted systems [36]. Current proposed consensus mechanisms include proof of work (PoW), proof of stake (PoS), and delegated proof of stake (DPoS) [37][38][39]. In our system, we design a proof of existence consensus mechanism for the proposed system.
Smart contract is a computer program that can be selfexecuted, self-verified, and tamper-resistant without trusted parties. e credibility of smart contract drives from its unforgeability. It cannot be modified or altered once it is deployed on blockchain. Ethereum is a decentralized application platform of smart contract, which supports application of Turing complete. It allows users to create, deploy, and run smart contract on blockchain. In our scheme, we design and deploy the smart contracts on Ethereum to test its availability and evaluate its performance.

System Model
In this section, we first propose the system architecture built upon edge-based IoMT. en, we analyze the security threats and set the security goals.

System Architecture.
e proposed model is made up of different entities: attribute authority (AA), IoMT devices, data owners (DOs), data requesters (DRs), and edge nodes, as shown in Figure 1. e major symbols used in the system architecture are listed in Table 1.

Attribute
Authority. AA takes charge of system initialization and registration for DO and DR. It is a trustworthy center in this system. Furthermore, AA generates attribute keys for authorized entities.

IoMT Devices.
IoMT devices contain smart devices, such as smartphone, smart watch, and other wearable devices. ey are used to collect the data, especially health data in this context. Furthermore, the collected data are uploaded to DOs who can share their data with others within the edge-based IoMT infrastructure.

Data Owners.
Data owners refer to patients who construct a community to share their medical experiences and symptoms with others for broadening healthcare information.
ese DOs can form a social Internet. Additionally, they can earn fees by sharing their symptoms and experiences.
ey must register at the AA for obtaining attribute keys and joining the system. Moreover, DOs encrypt the keywords of their symptoms using attribute keys. ey participate in pricing smart contract to derive an optimal price according to their own pricing strategies.

Data Requesters.
Data requesters refer to patients who want to seek similar patients. Similar patients can share medical experiences, so that data requesters can better understand their health states. e DR should firstly register at the AA for attribute keys to take part in the system. e DR can generate search tokens using attribute keys and search relevant symptoms on blockchain. Once DRs receive the matching result from pricing and payment smart contract, they will select the intending data according to the matching results and pay fees to the corresponding DO by pricing and payment smart contract. Furthermore, they earn the fee by providing feedback to feedback smart contract.

Edge Nodes.
Edge nodes are used to maintain the blockchain. Edge nodes are also responsible for packaging transactions into blocks in the blockchain.
ere are three smart contracts deployed in our proposed blockchain: verification smart contract (VSC), pricing and payment smart contract (PPC), and feedback smart contract (FSC). Firstly, verification smart contract is used to verify whether the profile keywords are valid. Secondly, pricing and payment smart contract is used to set price based on the optimal pricing mechanism and transfer fee to corresponding user's account. Finally, feedback smart contract is used to reward data requester.

Workflow.
Firstly, data requesters and data owners register at the AA for gaining attribute keys to join the system. Patients (data owners) construct a community to share their medical experiences and symptoms with others. ey encrypt and upload their profile keywords. KP-ABE and verification smart contract verify whether the keywords belong to a keywords set. If the keywords are valid, they will be uploaded to blockchain for users to search. A data requester, who wants to seek similar patients without real identities, uses the master public key, keywords, and his/her private key to generate a token for searching. After that, if there are matching keywords, they will be sent to pricing and payment smart contract. e results of pricing will be sent to the DR. Furthermore, the DR is able to access DOs' data by paying fees to them. DRs send feedback information to feedback smart contract. Moreover, a small fee is rewarded to the DR by feedback smart contract.

Security reats and Design Goals.
In our scheme, the AA is completely trusted for performing registration and generating attribute keys, but unauthorized entities may access the encrypted profile keywords and tokens to gain DOs' private information such as identity and address during its transmission in the system. Furthermore, there may be some dishonest requesters who access DOs' data without paying fees. Some DOs may provide false/fake information to requesters. us, we aim to achieve the following security goals.

Privacy Preservation.
DOs' identities contain some significant privacy information, which cannot be leaked or learned by unauthorized opponents. Besides, feedback information from requesters cannot reveal the DOs' identity information.

Secure
Match. In our scheme, the eavesdroppers attempt to guess attribute keys or search tokens for accessing data. erefore, it is of great significance to protect keys and tokens from revealing during matching process.

Fairness and Incentive.
DRs must pay a reasonable fee to a DO for accessing the DOs' data. On the other hand, DOs should provide true information for DRs. Smart contract could realize payment with fairness and verify the authenticity of the matched profile keywords. To incentivize more DRs and DOs to participate in sharing health data, we design an optimal pricing mechanism to maximize their profits. When DRs and DOs accomplish data sharing, they will obtain corresponding rewards.

Access Control.
DOs have the ability to control data access and establish access policy. Access control ensures that requesters satisfying access policy can access the DOs' information. Malicious attackers cannot eavesdrop or modify patients' profile keywords, which are transmitted in the public channel of edge-based IoMT. e attribute-based encryption algorithm is adopted to achieve data confidentiality and integrity in this system.

The Proposed Protocol
In this section, we firstly describe the proposed protocol based on blockchain.
en, we demonstrate the optimal pricing mechanism.

Protocol Description.
e proposed protocol contains three phases: system setup, index generation, and profile matching. e process of the proposed protocol is shown in Figure 2.
where G 1 and G 2 are two additive cyclic groups of the same prime order q. G T is a multiplicative cyclic group of prime order q. P 1 is the generator of G 1 , and P 2 is the generator of G 2 . AA chooses a hash function In addition, the AA randomly chooses μ 1 , μ 2 , and θ i ∈ Z * q , g � e(P 1 , P 2 ) μ 2 . In the system, it defines the attribute space as U ∧ . Let m be the number of bits in a bloom filter (BF) and k be the amount of hash functions in a BF. e AA selects U � |U| random group elements h 1 , h 2 , . . . , h U ∈ G 1 . It generates k hash functions H 1 ′ , H 2 ′ , . . . , H k ′ , which are used to add an element into corresponding positions in a BF. e master public key MPK � (H 1 , e, g, P 1 , P 2 , μ 1 P 1 , μ 2 P 2 , θ i P 1 , θ i P 2 , h 1 , h 2 , . . . , h U , H 1 ′ , H 2 ′ , . . . , H k ′ ), and the master secret key MSK � (μ 1 , μ 2 , θ i ).
e AA generates a secret key when a requester registers at the AA. ere is an LSSS access structure (N, ρ) for the requester, where N is an l × n matrix and T r is a set of diverse attributes in N. It means T r � b: ∃i ∈ [1, l], ρ(i) � b , and ∀b ∈ T r /ρ(i). e function ρ makes a row of matrix N map to attributes. It chooses a random vector ( v → ) ∈ Z * q . is vector's values will be used to share μ 1 .

Phase 2: Index Generation.
Firstly, consensus users from edge nodes participating in profile matching are selected to participate in the network consensus, shown in Figure 3. Assume that the number of all consensus users is N c in the blockchain network.
e system generates a random number as the index of the consensus users to be the selected as the miner.
Secondly, an edge node selects a random value χ ∈ Z * q . He/she computes the keyword ciphertext c w � (I 1 , I z , I 2 ), where I 1 � χP 1 , I z � θ z χP 1 , z ∈ Att, and I 2 � g H 1 (w)χ . en, the miner sends c w to blockchain and generates transaction data stored in the transaction pool, packs them into a block, and sends the block to all the consensus users who can verify that the keyword of secure index in the new generating block is selected from W according to Algorithm 1. If w ∈ W, it returns 1, otherwise it returns 0. e bloom filter is used to verify the authenticity of keywords, shown in Algorithm 2.

Phase 3: Profile
Matching. Keyword search. e DR searches desired data using the DR's private key ak to generate a keyword trapdoor T w in blockchain. e trapdoor T w � (T 1,i , T 2,i , T 3,i,b ) is generated as follows.

Security and Communication Networks
Test. Assume that attributes Att associated with c w satisfy (N, ρ).
Given an original ciphertext c w , a keyword w, and a search token T w , the following equation is verified: If (2) holds, the matching keyword w ′ is sent to pricing and payment smart contract. e DO sets payment according to the optimal pricing mechanism. e incentive mechanism is expected to encourage more data owners and data requesters to participate in the process of profile matching. Otherwise, it aborts.
Correctness: when the encrypted keyword is the same as the keyword in the trapdoor, the correctness of the test algorithm is verified as follows:

Security and Communication Networks
Based on PBFT, if not less than 2/3 consensus users verify the new block, following the basic setting of 2/3, etc. [41], the new block will be added into the blockchain as a new valid block. In this round, the generation of a valid block marks the completion of consensus. e miner will generate a random number R ′ ∈ [0, N c − 1] to determine the next miner in the next round. en, the DO participates in pricing and sets the fees. When the DR wants to access the desired data, he/she needs to pay the fee to the corresponding DO by PPC. e specific pricing process can be seen in the following optimal pricing mechanism.

Optimal Pricing Mechanism.
When a data requester matches the profile keyword in blockchain, he/she accesses the corresponding data by paying fees to the data owner. In this section, we design an optimal pricing mechanism based on a Stackelberg game. Optimal price maximizes the profits of the data owners and the data requesters. e data owners determine their own prices of data based on profit functions as the leaders. e data requesters determine the access quantity of data as followers. e Stackelberg game is between data owners and data requesters, shown in Figure 4.

Stackelberg Game Problem Formulation. e number of data owners is M. A set of data owners can be expressed by
Data owners provide the desired data for the data requester. In our optimal pricing mechanism, there is a DR determining access strategy, such as access amount of data. Meanwhile, each data owner j ∈ M determines the optimal price for corresponding data. e access amount of the data requester from data owner j is x j . e unit price of data owner j for the data requester is p j . We denote the access amount set and the optimal access amount set of the data requester from different data owners as X j � x 1 , . . . , x M and X * j � x * 1 , . . . , x * M , respectively. e unit price set and the optimal price set of the data requester from different data owners are denoted as P j � p 1 , . . . , p M and P * j p * 1 , . . . , p * M , respectively. e main symbols used in an optimal pricing mechanism are shown in Table 2.
To evaluate the access quality of data, an access quality factor is denoted by q. Data owner j provides data's quality, formulated as follows: e data requester's utility is expressed as follows: e data requester gives a feedback evaluation to the data of the data owner j and obtains small fees as rewards, denoted as f j . a j is the accessing willingness of the data requester. e data requester maximizes its utility based on the access quantity x j , forming its subgame, which is given as follows.
Problem 1 (data requester's subgame for data owner j): x min is the minimum amount of accessed data, and x max is the largest amount of accessed data. Data owner's utility can be expressed as follows: Here, c j represents the unit cost set by data owner j. e data owner's reputation score is expressed as s j , which changes dynamically according to the data requester feedback on the data owner's data and amount of files downloaded by the data requester. s j ∈ [s min , s max ]. e terms s min and s max are lower and upper bound reputation scores, respectively. s min < s bad < s init < s good < s max . s bad is the bad reputation score threshold. s init is the initial reputation score threshold. s good is the good reputation score threshold. e data owner j maximizes its utility based on the price p j , forming its subgame, which is given as follows. Problem 2 (data owner's subgame for the data requester): max p j U j x j , p j , s.t. p j ∈ c j , p max , ∀j ∈ M. (8) e data requester can accept the maximum price, denoted as p max . Problem 1 and problem 2 constitute the Stackelberg game, which aims for finding the equilibrium points. In other words, the profit of data owner comes up to maximization when the data requester obtains its largest profit.

Definition 2.
e points (x * j , p * j ) are an equilibrium if it satisfies both the following two conditions: To analyze the Stackelberg game, we use backward induction [28].

Data Requesters' Accessing Strategy in Stage II.
Data owner j provides data's unit price for the data requester (i.e., p j , for all j ∈ M). e data requester from data owner decides its optimal access strategy (i.e., x j , for all j ∈ M).
First, we take the derivative on the data requester's utility in (5) according to x j , which is expressed as follows: U r (x j , p j ) is a strictly concave function shown by the above derivatives. To obtain the optimal response function, we set [(zU r )/(zx j )] � 0, which is given as follows: en, According to (14), x * j is data requester's optimal quantity of accessed data.

Data Owners' Pricing Strategies in Stage I. Data owner
can obtain his/her largest profit based on the data requester's optimal access strategy. According to formulation (7)- (14), the optimal utility of data owner for the DR can be rewritten as follows: � s j f j a j q + s j c j − s j p j + s j f j a j qc j p j .

(15)
First, we take the derivative on data owner's utility in (15) according to p j , which is expressed as follows: U j (x * j , p j ) is a strictly concave function shown by the above derivatives. To obtain the optimal response function, we set [(zU j )/(zp j )] � 0, which is given as follows:   Notation Description M e set of data owners M e amount of data owners x j e amount of accessed data x max e largest amount of accessed data x min e minimum amount of accessed data x * j e optimal amount of accessed data X * j e optimal amount set of accessed data a j e accessing willingness of the data requester s j e data owner's reputation score f j e small fees as rewards c j e cost of assessed data of data owner j. p j e unit price set by data owner j. p max e maximum accepted price set by the data requester p * j e optimal price set by data owner j. P * j e set of optimal price Security and Communication Networks According to (19), when f j , a j , q, and c j are the active impact, it will get data owner's optimal price.
According to (7), we gain the data requester's optimal utility from data owner, given as follows: According to (5)- (19), we are able to get the optimal utility of the data requester from data owner j, given as follows: By finding the equilibrium point of the game, both the data requester and the data owners can obtain their own optimal utility. A Nash equilibrium reaches between them. Meanwhile, the incentive mechanism promotes the data owners to take an active part in sharing their experiences. ere will be some contradictions and conflicts of benefits if there is no balance between data requesters and data owners.

Smart Contract
Design. To satisfy the system's requirements, we design smart contracts with various functions. e interactions among contracts (programmed in Solidity\footnotehttps: // remix ethereum org/) for Ethereum include the following steps. e function is given in Algorithm 3.

KeywordCiphertext (CW):
is function is called to store keyword ciphertext in blockchain. Before storing the data in blockchain, the DO sends the keyword with k hash functions to invoke VSC for verifying that the keyword is selected from a valid keyword set. If the keyword is correct, the keyword ciphertext will be packed in a block.

Pricing (Pricinglist, pricing):
is function is used to formulate pricing list for blockchain. Before generating the pricing list based on an optimal pricing mechanism provided by the DO, PPC will invoke VSC for verifying the validity of the keyword. If it is valid, the DO will take part in pricing built on an optimal pricing mechanism.
en, the pricing list will be stored in blockchain. setFee (Paymentstruct, payment): e function is called to set charges for desired data and feedback data. e fee is divided into two parts: the DO's data fee and the DR's reward fee. Payment (account, fee): e DR calls this function to transfer the fee to the intended DO's account. en, he/ she can access the desired data. If deposit of the DR's account is enough, it will be executed. Furthermore, PPC sends the payment result to FSC.

Security Proof
In this section, we analyze how the proposed scheme is able to effectively realize the goals defined in the section of system model.

Privacy Preservation.
Users send data to blockchain through their blockchain account during data transmissions in edge-based IoMT. Due to the immunity characteristics of blockchain, data in the blockchain are tamper-proof.
erefore, users' sensitive information can be protected. Furthermore, the encrypted keywords are stored in blockchain. ey will not divulge any information of users. Our scheme utilizes a bloom filter in smart contract to verify the validity of keywords, which reduces the unnecessary consumption. e optimal pricing mechanism is used to incentivize the DO and the DR to share their data. Malicious behaviors are prevented from getting illegal fees via the anonymous blockchain account.

Secure Match
Definition 3. Secure match. An adversary A cannot distinguish the keyword from keyword ciphertext or search trapdoor.

Theorem 1.
e proposed protocol can achieve secure match in the random oracle model on the DBDH assumption.
To avoid reinvent the wheel, we refer to [43] for the keyword secrecy game. Security proof is as follows. Proof.
e random oracles of algorithms Private key, Trapdoor, and Test are O ak , O trapdoor , and O test , respectively. Assume that A is an attacker who has advantage ε to attack the proposed chosen keyword attack game. We build a challenger C. He/she plays game with A to derive the solution to the DBDH problem as follows: List ak list : record ((N, ρ), ak (N,ρ) ). □ 6.2.1. Setup. Given a security parameter λ and an input tuple (r 1 P 1 , r 2 P 1 , r 3 P 1 ), challenger C generates the system master public key MPK � (H 1 , e, g, P 1 , P 2 , μ 1 P 1 , μ 1 P 2 , θ i P 1 , θ i P 2 , H 1 ) and the master secret key MSK � (μ 1 , μ 2 , θ i ). with c w is Att * , C outputs ⊥. Else, C can always compute a trapdoor T w as in O trapdoor . en, it proceeds to the test easily. If the test holds, C outputs 1 and 0 otherwise.

Phase 2.
e phase is the same as the Phase 1.

Guess.
A outputs a guess bit b ′ , if b � b ′ , and C outputs 1; else, it outputs 0.
In the guess phase, if Q ≠ r 1 r 2 r 3 P 1 , then we have the following: In addition, Input: the keyword array Keyword, the pricing's array pricing (1) function KEYWORDCIPHERTEXT (CW) public returns() (2) keyword.push(CW).

Fairness and Incentive.
e DO's attribute key is used to encrypt the profile keywords. e bloom filter and smart contract can verify the authenticity of keywords. By this way, only valid keywords can be uploaded to blockchain. To search the desired keyword, DR must generate a search trapdoor according to his/her selected access structure.
us, other entities cannot obtain any information about keywords and matching results during the process of keyword searching. Attackers cannot learn any information from encrypted keywords and trapdoors. erefore, our scheme can achieve secure match.

Access Control.
Our scheme utilizes key-policy attribute-based encryption (KP-ABE) in the proposed protocol. e keyword w is encrypted by the DO's attribute set Att. e DR uses his/her key ak to generate a search trapdoor T w , which is related to the access structure. It is used for searching the matching keyword. Only when the attribute Att of keyword ciphertext c w satisfies the access structure of search trapdoor T w , the DR can access the desired data after calling pricing and payment smart contract (PPC) to transfer fees to a specific DO's account. If the DR fails to pay fees to the DO's account, he/she cannot query the intended data.
us, DO is able to control the access of his/her data.

Implementation and Performance Evaluation
In this section, we implement the proposed algorithms in a simulated edge-based IoMT environment with Java programming and JPBC library. We deploy the designed smart contracts on Ethereum test platform. Firstly, we introduce the parameter settings. We compare the security properties of our solution with other relevant solutions. en, the computational overhead and communication overhead are analyzed for the proposed protocol. We design the smart contracts and evaluate the performance of the designed smart contracts on Ethereum test platform. Finally, we evaluate the performance of the proposed optimal pricing mechanism.

Parameter Settings and Platform.
e system security parameter λ � 128. For some prime p � 3mod4, we utilize type A pairing on the elliptic curve y 2 � x 3 + x over the field F p . e cryptographic primitives are implemented using JPBC library and Java on a laptop computer with Intel (R) Core (TM) i5-7400 CPU @3.00 GHz, 8 GB RAM, and Microsoft Windows 10 operating system.
In addition, we employ Ganache (client version) to build a local test chain on Linux system. We use solidity language to write data into smart contracts and then upload it to blockchain. Smart contract framework and solidity compiler are truffle @0.5.0 and solc @0.5.0, respectively. To gain time consumption of publishing smart contracts, we utilize Web3js library of Nodejs to interact with smart contracts on the blockchain and test the time cost of marking transactions. Due to the limited space, the specific deployment process is skipped.

Comparisons of Security Properties.
We compare the security properties of our scheme with other matching schemes in Table 3. e comparison results indicate that the proposed scheme is capable of providing a promising solution to improve profile matching service in edge-based IoMT scenarios [25,42,43]. eir scheme does not achieve security properties of blockchain-based and fairness and incentive. However, our scheme can provide all of the security properties.

Communication Overhead and Computational Cost.
In edge-based IoMT scenarios, the communication and computation resources are constrained. In this subsection, we show the improved performances of the proposed scheme. We denote |G 1 |, |G 2 |, |G T |, and |Q| as the size of elements in G 1 , G 2 , G T , and Z p . e communication overhead is caused by index generation phase and keyword search phase, shown in Table 4. In index generation phase, DO sends c w to blockchain for searching data, and the total length is (n + 1)|G 1 | + |G T | bytes. e DR sends search trapdoor T w using the secret key to blockchain for searching the desired data, and the total length is 3l|G 2 | bytes during the process of keyword search. We compare the communication overhead with [42,43], shown in Table 4. As can be seen from Table 4, the index generation overhead of the proposed scheme is lower. In addition, the overhead of keyword search phase in [42,43] is higher than our proposed scheme.
We compare the computational overhead in Table 5. e algorithm SystemInit simulates system setup phase. e generated keyword ciphertext is simulated by the algorithm Encrypt. Furthermore, the algorithm Trapdoor generates secret key and search trapdoor for the DR. e algorithm Test is used to test whether the keyword ciphertext and trapdoor match. From Table 5, we observe that our computational overhead is higher than that in [43] during the process of the algorithm Test. Nonetheless, our scheme's computational overhead is lower than other two schemes.

Time Consumption of Smart Contracts and Resource
Consumption of Nodes. Because the length of data affects the time consumption of transmitting a transaction to blockchain, we firstly discuss its length. According to Section 7.3, the length of index generation and keyword search is (n + 1)|G 1 | + |G T | and 3l|G 2 |. As can be seen from

Performance Analysis of Pricing Mechanism.
We evaluate the performance for data owners and data requesters under the proposed optimal pricing mechanism, as shown in Figure 5. We set some parameter values, denoted as follows: p max � 5, x min � 10, x max � 100, s j ∈ [0, 1], and f j ∈ [1,5]. e parameter a j represents the data requester's willingness to access the data. When a j values are different, we simulate the utility of data owners and data requesters, where a j is equal to B in [44]. In Figures 5(a) and 5(b), we compare optimal pricing mechanism with independent pricing scheme in [44]. We find that the amount of accessed data increases and data requester's utility increases. It shows that in our scheme, the data requester can have more utility than Liu's scheme in [44]. Figure 5(c) and 5(d) shows that the data owners can get more utility with the increase in unit price. Moreover, the results show that the data owners get more profits in our scheme than Liu's scheme in [44] when the accessing willingness of requester increases.

Conclusion and Future Work
In this work, we introduce a new blockchain-based profile matching scheme by utilizing KP-ABE algorithm and bloom filter, which guarantees privacy preservation and security of health data in edge-based IoMT. Firstly, we present a system framework based on blockchain for profile matching among different users. Secondly, we design a consensus mechanism for proposed blockchain to achieve the consensus of the system.
irdly, smart contract with an optimal pricing mechanism is designed to formulate pricing list and encourage more users to participate in the system. We evaluate the performance of communication overhead. We employ JPBC library to evaluate computational cost of the proposed protocol, compared with other schemes. Finally, we deploy the smart contracts on Ethereum platform and test the time consumption of smart contracts.
In our future work, we plan to deploy smart contracts on Hyperledger Fabric and store original data using encryption algorithm in IPFS for profile matching, which has a potential to improve the performances in edge-based IoMT scenarios.

Data Availability
No data were used to support this study. 14 Security and Communication Networks