A Blockchain-Based Privacy Preservation Scheme in Mobile Medical

With the rapid development of mobile medical, how to establish an effective security mechanism to protect data security and privacy while users enjoy medical services has become an urgent problem to be solved. Aiming at the easy leakage of privacy in mobile medical terminals and untrustworthy data, we make use of a role-separated mechanism to generate trusted anonymous certificates. We propose a lightweight identity authentication scheme and adopt blockchain to protect the security of medical data. Meanwhile, in view of the problems of transparency and visibility of blockchain information, we adapt the searchable encryption algorithm to realize ciphertext processing in the whole life cycle. Experiments show that our scheme can reduce the cost of computation on the basis of ensuring traffic. In the process of dynamic updating of ciphertext keywords, except the keyword identifier, less information is leaked to the server, which protects privacy of users.


Introduction
Medical problems including medical care access and quality are common around the world. Medical resources are in short supply and it is difficult to distribute them evenly. Large numbers of individuals do not receive the quality care that they need [1]. Even geographical problems such as economic differences between regions and topography bring various difficulties to medical health. These problems are especially obvious in developing countries with large populations. It is obvious that the traditional medical model with major hospitals as the core has been unable to adapt to the development needs of the current era. Mobile medical, which mainly uses mobile communication technologies such as PDAs, smart phones, and satellite communications to provide users with medical services and data exchange, has successfully replaced the traditional medical model as the new darling, with the help of cloud center [2]. The concept of mobile medical originated from the telemedicine monitoring and medical treatment for astronauts conducted by NASA. Later applications, such as the use of portable mobile devices to collect various body data, have developed it further. As an innovative technology in the Internet plus medical mode, mobile medical can realize applications such as medical rescue, remote monitoring, and intelligent medical care. It is of great significance for promoting medical reform.
Mobile service composition [3,4] meets the needs of people for medical services under the current social development. This demand is mainly reflected in the two aspects of distribution and data. To a certain extent, mobile medical has broken through the limitation of space and time in the traditional medical mode. Mobile medical empowers patients and health providers proactively to address medical conditions through near real-time monitoring and treatment, no matter the location of the patient or health provider.
In addition, a large amount of data (Internet traffic) is generated in the process of physical examination and treatment of patients, and doctors can use these data to make more reliable and accurate diagnoses. Mobile medical not only saves a lot of time spent on queuing up for registration, but also greatly reduces the pressure on the infrastructure brought by disease treatment.
Through mobile sensors, medical devices, and remote patient monitoring products, there are avenues through which medical care delivery can be improved. Mobile medical can help lower costs and connect people to care providers.
However, these mobile medical-related technologies are still incomplete [5]. They have certain flaws in the preservation of privacy. With the development of mobile medical, medical data are showing exponential growth. Meanwhile, these data collected by terminal equipment in mobile medical mode are closely related to users' physiological characteristics, geographic locations, images, and other private information [6].
In addition, with the rapid development of network intrusion technologies, personal medical data are facing risks of intentional or unintentional intrusion and access by unauthorized users. Because privacy preservation technologies are incomplete, data security and privacy preservation have become the main factors restricting the development of modern medical services. Due to the limitation of terminal resources and the sensitivity of medical information, existing privacy preservation technologies are difficult to apply directly. The design of specific security authentication, information integration, data access control, and data integrity verification schemes for the mobile health environment is an important topic in the field of mobile health at present and in the future, and it is also a key link for the large-scale application of mobile medical in practice.
In this paper, we mainly discuss privacy preservation solutions of mobile terminals in Internet medical, which integrates the application of lightweight authentication, blockchain technology, anonymous certificates, and searchable encryption technology to realize the encrypted calculation and ciphertext of mobile medical device data. Data sharing has been implemented, and privacy preservation of medical data has been implemented.

Related Works
For the storage and transmission of medical data, scholars around the world have conducted a lot of research. In 2012, Patra et al. [7] proposed a cloud-based model to process private data for patients. Through this framework, medical personnel and policy makers can use the cloud-based model to provide remote medical services to patients. This model stores all necessary data in a single cloud. By encouraging patients to share data in the cloud, patients can obtain medical staff services. Disease diagnosis and control can be performed through remote treatment. In 2014, Ye et al. [8] proposed a well-organized authentication and access control scheme based on the attributes of the perceived IoT access control layer.
In 2015, Zyskind et al. [9] proposed a privacy preservation platform, which uses third-party equipment to provide services and allows users to modify authorization while following the access control policies reserved on the blockchain. The proposed decentralized platform contains three objects: service providers, mobile phone users, and nodes that maintain the blockchain. Two types of transactions can be defined in the blockchain network in the platform: Tdata for data storage and recovery and access time and Taccess for access control management. The data collected through the user's mobile phone is encrypted and saved outside the blockchain. In the public chain, only data hashes are saved. Both users and services can query the data in Tdata transactions. In 2016, to solve the problems of slow medical record information access, data fragmentation, and user privacy preservation, Azaria et al. [10] completed a medical data sharing platform MedRec based on Ethereum. Peterson et al. proposed a blockchain-based medical data sharing plan in which participants agree in advance on a well-defined rule structure. Although this solution realizes the sharing of medical data, it lacks a universal access control strategy.
In 2017, Omar et al. [11] proposed a data management system for patient healthcare. By adopting blockchain to protect privacy storage, it solves the problem of losing control when storing encrypted data in the system. In addition, by using encryption on the blockchain, the framework will not be affected by data preservation vulnerabilities. Do and Ng [12] proposed a system that uses blockchain technology to provide secure distributed data storage with keyword search services.
In 2018, Magyar [13] designed an integrated health information model that builds a decentralized and openly scalable network based on the blockchain operating environment, making access to data more secure. In order to handle the protected health information (PHI) generated by these devices, Griggs et al. [14] proposed utilizing blockchain-based smart contracts to facilitate secure analysis and management of medical sensors. Using a private blockchain based on the Ethereum protocol, they created a system where the sensors communicate with a smart device that calls smart contracts and writes records of all events on the blockchain. This smart contract system would support real-time patient monitoring and medical interventions by sending notifications to patients and medical professionals, while also maintaining a secure record of who has initiated these activities. This would resolve many security vulnerabilities associated with remote patient monitoring and automate the delivery of notifications to all involved parties in a HIPAA compliant manner. Liang et al. [15] proposed an innovative user-centric health data sharing solution, which uses the blockchain mechanism to protect privacy, strengthen identity management, and collect data in conjunction with mobile applications. Zhang and Lin [16] proposed a personal health record sharing scheme based on blockchain. This solution builds two different blockchains to realize the safe sharing of medical data. The plan separately builds a private chain and a consortium chain. The private chain realizes the encrypted storage of personal medical data. The consortium chain saves the security index corresponding to the personal medical data and secures the data sharing by verifying the doctor's identity token, which protects the medical data. However, using two types of blockchains will not only increase costs, but also reduce their execution efficiency. Ji et al. [17] investigated the location sharing based on blockchains for telecare medical information system. Firstly, they define the basic requirements of blockchain-based location sharing, including decentralization, unforgeability, confidentiality, multilevel privacy preservation, retrievability, and verifiability. Then, using order-preserving encryption and Merkle tree, they proposed a blockchain-based multilevel location sharing scheme.
In 2019, Wang et al. [18] combined homomorphic encryption and proxy re-encryption technology to implement outsourcing computing solutions in healthcare systems. In this solution, there are several clients with different public keys, an electronic medical cloud platform, and an auxiliary cloud server. The electronic medical cloud platform can provide services to patients and regularly analyze data to provide better services. The HGD architecture based on blockchain proposed by Yue et al. [19] enables patients to safely control and share medical data. Aiming at the privacy of medical data, Tian et al. [20] proposed to establish a shared key that can be reconstructed by legitimate parties before the diagnosis and treatment process begins.
At present, a large number of excellent schemes [21][22][23] have emerged in mobile medical, and their security and flexibility have been continuously enriched. The characteristics of activity and diversification can better meet the needs of practical application, but there are still some deficiencies. Some schemes encrypt the patient information and store it on the blockchain, and some schemes use anonymous certificates to protect user information. But the doctor cannot read the relevant information. Therefore, it is necessary to design a scheme that can authenticate the device.

Structure.
As shown in Figure 1, the local computer of the mobile medical model generates the relevant parameters and sends them to the smart wearable device to start the authentication scheme. After a series of simple calculations, the smart wearable device feeds back the relevant parameters to the local computer. The local computer and the local blockchain node undergo a similar calculation process, and the blockchain node obtains the relevant parameters and sends them to the local computer; the local computer forwards the parameters to the smart wearable device. The smart wearable device performs decryption calculation and passes the verification, and the identity authentication ends smoothly. There are many kinds of mobile medical devices, including bracelets, watches, mobile phones, portable computers, etc. These devices can collect a variety of physiological signals of users, such as blood pressure, blood glucose, blood oxygen, body temperature, etc. After the authentication, the intelligent devices will upload the collected information to the blockchain. The alliance chain is a blockchain that is jointly managed by multiple institutions, and the joining of network nodes requires the approval of the organization. It completes mutual authentication of the internal membership of the system through the PKI system. The user binds his real identity with the self-signed certificate issued by the CA in the PKI system.
We divide the authority of CA into TCA and regulator, and TCA and regulator jointly issue anonymous certificates. After the anonymous certificate is generated, the local device successfully joins the blockchain network.
In order to ensure the privacy of users' medical and health data, the data on the chain is encrypted. For users who need to perform operations such as searching encrypted data, we adopt searchable encryption technology. It can support users to carry out keyword retrieval in ciphertext and realize keyword based secure search. It enables users to store encrypted data in the blockchain, perform keyword search through the ciphertext domain, and selectively retrieve relevant documents from it, so as to ensure the security of data.

Anonymous Certificate Generation.
A user submits the real-name certificate application and his real identity information to the CA. After the CA verifies them, the real-name certificate Ecert is issued to the user and saved in the CA database U. Then he generates his own anonymous identity AID, public and private key pair (APK, SPK), and random numbers $p$, $r_1$ and calculates the serial number of the anonymous certificate: $SN = H(APK, p)$. Then the anonymous certificate header $b = (AID, SN, APK)$ and content $M = (b, h(Ecert))$ are generated. After calculating $u = g^{r_1}$, the user sends $u$ and the real-name public key signature $\mathrm{Sig}_{PK}(u)$ to the supervisor Admin. After verifying the signature information sent by the user, Admin calculates $w = u^{d_1}$ and sends $w$ to the user, which will be saved in the supervisor database in the form of key-value pairs $\langle E_{d_1}(u) : ID \rangle$. After the user accepts $w$, he uses ASK to perform signature calculation on $M$, which is $\mathrm{Sig}_{ASK}(M)$, and sends the random number $r_1$ and $w$ to TCA. Then the TCA verifies the parameters sent by the user and, after the verification passes, calculates $z = w^{d_2}$ and judges whether $Q = z^{r_1^{-1}}$ is true. If $Q = z^{r_1^{-1}}$, it saves $\langle SN : E_{d_2}(z) \rangle$ in the database in the form of key-value pairs. Then it generates a random number $r_2$, calculates the joint signature: , and sends it to the user. Then the user gets the anonymous certificate $(M, Usigd)$.

Lightweight Authentication.
Relevant parameters in this section are shown in Table 1.
First the local computer generates a random number $x$ and a timestamp $t_R$ and sends them to the smart wearable device. After receiving the parameters, the device calculates whether $|t_R - t_R^*| \le \Delta T$ is true. If not, the communication delay is greater than the maximum delay allowed by the system, so the authentication stops. If $|t_R - t_R^*| \le \Delta T$, the smart wearable device generates a random number $y$ and a timestamp $t_T$ and performs the following calculations based on ID and K:
The smart wearable device feeds $N_1$, $N_2$, EPD, $t_T$, $x$ to the local computer. When receiving those parameters, the local computer calculates whether $|t_T - t_T^*| \le \Delta T$ is true. If true, the local computer generates a timestamp $t_r$ and sends $N_1$, $N_2$, $t_r$, $x$, and EPD to the blockchain node. If not, the authentication stops.
When $|t_T - t_T^*| \le \Delta T$ and the blockchain node receives the parameters, the node calculates whether $|t_T - t_T^*| \le \Delta T$ is true. If $|t_T - t_T^*| \le \Delta T$, the blockchain node starts to search for data that matches EPD; else the authentication stops. If there is no matching data, we can obtain the matching ID and K for decryption operation. Perform the following calculations: $y_1 = \mathrm{ROR}(N_1, x) \oplus K$ and $y_2 = \mathrm{ROR}(N_2, x) \oplus ID$. Then judge whether $y_1$ and $y_2$ are equal. If $y_1 \ne y_2$, it indicates that the data is not credible, and the authentication stops. If $y_1 = y_2$, the blockchain node authentication continues and assigns $y = y_1 = y_2$. The blockchain node generates a random number $z$ and a timestamp $t_J$ to perform the following calculations: $N_3 = \mathrm{ROL}(K \oplus z, y)$ and $N_4 = \mathrm{ROL}(ID \oplus z, y)$. After that, the following operation formulas $EPD_{next} = \mathrm{ROL}(EPD \oplus y, z)$ and $K_{next} = \mathrm{ROL}(K \oplus z, y)$ can be obtained. The blockchain node sends $N_3$, $N_4$, $t_T$ to the local computer. After the local computer receives the parameters, it first calculates whether $|t_J - t_J^*| \le \Delta T$ is true. If not, the communication delay is greater than the maximum delay allowed by the system, and the authentication fails. Otherwise, the local computer will send $N_3$, $N_4$ to the smart wearable device. After receiving the parameters, the smart wearable device decrypts $N_3$ and $N_4$. Then, it is judged whether $z_1 = z_2$ is true, where $z_1 = \mathrm{ROR}(N_3, y) \oplus K$ and $z_2 = \mathrm{ROR}(N_4, y) \oplus ID$. If not, it indicates that the data is not credible, and the authentication stops. If $z_1 = z_2$, the smart wearable device authentication is passed, and the value $z = z_1$ or $z = z_2$ is assigned. Perform the following calculations: $EPD_{next} = \mathrm{ROL}(EPD \oplus y, z)$ and $K_{next} = \mathrm{ROL}(K \oplus z, y)$. Finally, the update and the identity authentication are finished.
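The round described above, as an added Python sketch that is not the authors' implementation. Assumptions: a 96-bit word, rotation by the second operand modulo the word size, and $N_1 = \mathrm{ROL}(K \oplus y, x)$, $N_2 = \mathrm{ROL}(ID \oplus y, x)$, which are not printed on the page and are inferred as the inverses of the node's $y_1$, $y_2$ formulas; the class and function names are hypothetical, and the return-path $t_J$ check is left out for brevity.

```python
import secrets

L = 96                      # word size in bits: assumed, the page does not fix one
MASK = (1 << L) - 1
DELTA_T = 2                 # the page's ΔT; constructed value


class AuthError(Exception):
    pass


def rol(a, b):
    """Rotate a left by b mod L bits (the rotation-amount rule is an assumption)."""
    s = b % L
    return ((a << s) | (a >> (L - s))) & MASK


def ror(a, b):
    """Inverse of rol for the same b."""
    s = b % L
    return ((a >> s) | (a << (L - s))) & MASK


def fresh(sent, received):
    # |t - t*| <= ΔT, otherwise the authentication stops
    if abs(received - sent) > DELTA_T:
        raise AuthError("timestamp outside ΔT")


class Wearable:
    def __init__(self, ident, key, epd):
        self.ident, self.key, self.epd = ident, key, epd

    def respond(self, x, t_R, now):
        fresh(t_R, now)
        self.y = secrets.randbits(L)
        # Inferred formulas (not on the page): inverses of y1, y2 below.
        n1 = rol(self.key ^ self.y, x)
        n2 = rol(self.ident ^ self.y, x)
        return n1, n2, self.epd, now          # `now` plays the role of t_T

    def finish(self, n3, n4):
        z1 = ror(n3, self.y) ^ self.key
        z2 = ror(n4, self.y) ^ self.ident
        if z1 != z2:
            raise AuthError("N3/N4 inconsistent")
        self.epd = rol(self.epd ^ self.y, z1)  # EPD_next = ROL(EPD xor y, z)
        self.key = rol(self.key ^ z1, self.y)  # K_next   = ROL(K xor z, y)


class ChainNode:
    def __init__(self):
        self.records = {}                      # EPD -> (ID, K)

    def enroll(self, ident, key, epd):
        self.records[epd] = (ident, key)

    def verify(self, n1, n2, epd, x, t_sent, now):
        fresh(t_sent, now)
        if epd not in self.records:
            raise AuthError("no record matches EPD")
        ident, key = self.records[epd]
        y1 = ror(n1, x) ^ key
        y2 = ror(n2, x) ^ ident
        if y1 != y2:
            raise AuthError("N1/N2 inconsistent")
        y, z = y1, secrets.randbits(L)
        n3, n4 = rol(key ^ z, y), rol(ident ^ z, y)
        # Update only after a successful check, so a rejected message
        # cannot desynchronise the stored pseudonym and key.
        del self.records[epd]
        self.records[rol(epd ^ y, z)] = (ident, rol(key ^ z, y))
        return n3, n4


def run_round(dev, node, t0, hop_delay=0, tamper=False):
    """One round relayed by the local computer; returns the transmitted N3."""
    x = secrets.randbits(L)
    t1 = t0 + hop_delay
    n1, n2, epd, t_T = dev.respond(x, t0, now=t1)
    if tamper:
        n1 ^= 1                                # one flipped bit in transit
    t2 = t1 + hop_delay
    fresh(t_T, t2)                             # local computer checks t_T
    n3, n4 = node.verify(n1, n2, epd, x, t_sent=t2, now=t2 + hop_delay)
    dev.finish(n3, n4)
    return n3
```

With the update rule exactly as printed on this page, $K_{next} = \mathrm{ROL}(K \oplus z, y)$ is the same expression as the transmitted $N_3$, so `run_round` returns a value equal to the device's new key; anyone implementing the scheme should check the update formula against the published paper.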

Searchable Encryption.
Relevant parameters in the section are shown in Table 2.
We first perform the formula $\mathrm{PAS}(1^{\alpha})$, which is just a probabilistic algorithm, and then we can get the key $K =$ For any $c_i \in c$, $1 \le i \le \mathrm{length}(c)$, set $c_i = l_i \| r_i$, and verify whether $H_{\tau_w}(r_i) = l_i$ is true. If true, insert the file identifier $ID(f)$ corresponding to $c$ into $I_w$, and add $\tau_w$ to $c_d[ID(f)]$. Update $c_w[\tau_w] = I_w$, and set the updated indexes as $c'_w$ and $c'_d$. We get $I_w$ and $c' = (c_f, c'_w, c'_d)$ at last. For the file $f$ to be added and its unique keyword set $f$, a series of pseudorandom sequences $s_1, \ldots, s_{\mathrm{length}(f)}$ is generated by the pseudorandom number generator. Create an empty list $X$, for any $w_i \in f$, $1 \le i \le \mathrm{length}(f)$. Calculate the formula below.
If $\tau_{w_i} \in \sigma$, it means this keyword has been searched. Insert $\tau_{w_i}$ into list $X$, and its formula can be expressed as follows: $c = (c_1, \ldots, c_{\mathrm{length}(f)})$ is sorted by dictionary order which means $c = \mathrm{SKE.Enc}_{k_2}(f)$. While $\tau_{\alpha} = (ID(f), c, c, X)$ and Add $c$ to $c$. The updated ciphertext collection is marked as $c'$ and then $(c', c')$ will be output where $c' = (c_f, c'_w, c'_d)$. When we want to decrypt the file ciphertext $c$, we input the key, and then we get the decrypted file; the formula can be expressed as follows: $f = \mathrm{SKE.DSF}_{k_2}(c)$.

Experiment and Analysis
In this section, we discussed the performance of our scheme and analyzed the results of simulated experiments. We tested and compared the performance efficiency and storage cost of the lightweight authentication with others. We also compared our lightweight searchable encryption with others.
We compared Fabric with Corda, FISCO BCOS, and Quorum. The result is shown in Table 3. Considering that our scheme is oriented to mobile medical, we chose "Fabric" as our blockchain framework in the end.
Hyperledger Fabric is managed by the Linux Foundation, hoping to change the single common network mode of the public chain. By establishing multiple interconnected blockchain networks to cover all kinds of different business scenarios, it realizes the flexibility of design, meets the diversified requirements, and realizes the interaction between networks.
This idea is reflected in its unique channel mechanism design. Hyperledger Fabric aims to build an open source framework for general blockchain regardless of industry and has the largest consensus in the consortium chain. FISCO BCOS originates from the enterprise blockchain platform BCOS. As a branch of the financial version, it pays more attention to the financial industry while retaining its universality and takes more account of the particularity of regulators. It is applicable to a wide range of distributed business scenarios. Corda is aimed at the financial industry and clearly stated that it will not consider other industries for at least a certain period of time. Corda hopes to provide a global logical account with uniqueness and authority that can record all the agreements between enterprises. The core is to achieve a noncentral database with the minimum trust mechanism between nodes. Corda advocates fully considering the combination with the existing business system rather than dismantling the existing business system. Quorum is an alliance chain scheme, an enterprise-level distributed ledger, and intelligent contract platform developed by JPMorgan. It is developed on the basis of Ethereum, providing a private intelligent contract execution scheme and meeting the performance requirements of the enterprise. It is applicable to scenarios requiring high-speed transactions and private transactions between high-throughput processing alliances and is designed primarily to address the special challenges of blockchain applications in finance and other industries.
In the current medical industry, institutions such as hospitals need to operate under strict regulatory requirements and cannot let unknown users view transaction data, so we need to build licensed blockchains. In addition, medical information is very important, so unauthorized viewing will leak patient information in the future. At the same time, Fabric is a framework that requires prior permission. All participants have known identities and are verified according to the organization's identity management system. There are no anonymous or pseudonymous users.
As a result, we chose Fabric finally. We analyzed the security and privacy of our proposed scheme. The details are as follows. The specific experimental environment is shown in Table 4.

Lightweight Authentication.
In this section, the performances of mobile medical devices are compared with classical authentication schemes.
Assume that the length of communication, traffic, and storage parameters are the same. There are four kinds of information, that is, IDS, ID, K, and ΔK saved in mobile terminal devices in the medical system. In our scheme, there are 14 session messages in a complete session. At the same time, there are 14 session messages in [24] and 10 session messages in [25]. Reference [26] has 16 session messages. Reference [27] and reference [28] have 10 messages. Therefore, the communication traffic size is 14 in our scheme. It can be seen from Figure 2 that our scheme can reduce the computing burden.
From the point of view of the computing burden, our scheme and the scheme in [28] are both ultralightweight. The algorithms used in other comparative references are all lightweight, so the scheme in this paper has great advantages in reducing the calculation time.
The result is shown in Table 5.
In the scheme of [28], the computation of shared secret key and pseudonym updating is more complex, which increases the number of CMO operations, so the overall calculation cost is higher than our scheme. In our scheme, the steps of calculation are as follows. Firstly, we generate a random number x(Δy/Δx) to operate RAN. Secondly, in the process of calculating messages $N_1$ and $N_2$, we perform CMO operations on $N_1$ and $N_2$, respectively. Thirdly, the third and fourth CMO operations and the first and second DIG operations are needed to decrypt messages $N_3$ and $N_4$. Lastly, we perform the last two CMO operations to update the shared secret values and pseudonyms. Therefore, the total computing burden in our scheme is 6CMO + 2DIG + 1RAN.

Searchable Encryption.
The performances of our scheme are compared with other references, and the results are shown in Table 7.
Our scheme gradually builds indexes in the search process. At the beginning, maintain a regular index $c_f$ and store the encrypted keywords for each file. Once a keyword $w$ is retrieved, the identifier of all the files containing the keyword is moved into a reverse index $c_w$, and a delete index $c_d$ is constructed to store the keywords that have been searched for in the files appearing in $c_w$. A search history is maintained at the client to record which keywords have been searched. The searched keywords can directly query the index $c_w$ to obtain the search results. This disperses the time and storage cost of building index tables into each search process, saving search time.
Descriptions of the relevant symbols are as shown in Table 8. The biggest improvement of our scheme compared with scheme [33] is the deletion of index $c_d$, which reduces the execution time of deletion operation to a certain extent. We mainly compare the deletion operations of the two schemes.
For each file deleted in the scheme of [33], traverse each item in $c_w$ and find each node in $c_w[\tau_{w_i}]$ one by one until the identifier of the deleted file is found or the end node is reached. In this scheme, delete index $c_d$ is used. We select 51 English documents. First, we convert all uppercase to lowercase, remove all punctuation, and separate words only with space. According to statistics, there are 3711262 words in 51 documents, removing duplicate words in each document, leaving a total of 373221 unique words. We search for 5000 words; that is, there are 5000 input items in the search index $c_w$, 51 documents are searched, and 51 input items in the index $c_d$ are deleted. We delete five files, respectively, and give the traversal times and time consumption of the two schemes when deleting files, as shown in Table 9. The traversal times are the comparison times of nodes in the list in tables $c_w$ and $c_d$ when deleting files. The result is shown in the following table.
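The three indexes described above ($c_f$, $c_w$, $c_d$) and the $c_i = l_i \| r_i$ check from the Searchable Encryption section, as an added Python sketch that is not the authors' code. Assumptions: HMAC-SHA256 stands in for both the token function and the keyed hash $H$, the token is derived as $\tau_w = F_{k_1}(w)$ (the page's own formula is missing), file encryption with SKE is omitted, and all class and method names are hypothetical.

```python
import hashlib
import hmac
import secrets

TAG = 32  # length of l_i in bytes (HMAC-SHA256 output)


def prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


class Client:
    def __init__(self):
        self.k1 = secrets.token_bytes(32)
        self.sigma = set()                 # search history σ kept at the client

    def token(self, w):
        return prf(self.k1, w.encode())    # τ_w = F_k1(w): assumed derivation

    def add_token(self, file_id, keywords):
        c, X = [], []
        for w in set(keywords):
            tau = self.token(w)
            r = secrets.token_bytes(16)    # fresh r_i per keyword
            c.append(prf(tau, r) + r)      # c_i = l_i || r_i, l_i = H_τ(r_i)
            if tau in self.sigma:          # keyword already searched:
                X.append(tau)              # server must update c_w directly
        c.sort()                           # dictionary order hides keyword order
        return file_id, c, X

    def search_token(self, w):
        tau = self.token(w)
        self.sigma.add(tau)
        return tau


class Server:
    def __init__(self):
        self.c_f = {}   # regular index: file id -> encrypted keywords
        self.c_w = {}   # reverse index: τ_w -> set of file ids
        self.c_d = {}   # delete index:  file id -> searched tokens it matches

    def add(self, file_id, c, X):
        self.c_f[file_id] = c
        for tau in X:
            self.c_w.setdefault(tau, set()).add(file_id)
            self.c_d.setdefault(file_id, set()).add(tau)

    def search(self, tau):
        if tau in self.c_w:                # searched before: no scan of c_f
            return set(self.c_w[tau])
        I_w = set()
        for file_id, c in self.c_f.items():
            for c_i in c:
                l_i, r_i = c_i[:TAG], c_i[TAG:]
                if hmac.compare_digest(prf(tau, r_i), l_i):
                    I_w.add(file_id)
                    self.c_d.setdefault(file_id, set()).add(tau)
                    break
        self.c_w[tau] = I_w
        return set(I_w)

    def delete(self, file_id):
        # c_d lists exactly the c_w entries that mention this file, so no
        # traversal of every list in c_w is needed.
        self.c_f.pop(file_id, None)
        for tau in self.c_d.pop(file_id, set()):
            self.c_w[tau].discard(file_id)
```

Until a keyword is searched the server holds only the randomized $c_i$ values; after a search it learns the token and which file identifiers match it, which is what $c_w$ and $c_d$ record.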

Blockchain.
Due to the dependence and mobility on massive data, the performance index of blockchain is quite important, which includes latency, energy consumption, throughput, and scalability.
In our experiment, we used the Caliper to test the performance. Caliper is a blockchain performance testing framework that currently supports testing for processing traffic (TPS), latency, and resource utilization. After each round of test, users can obtain a series of test results and reports by Caliper. The result is shown in Figure 3.
As shown in Figure 4, the throughput increased steadily with the increase of transaction times. It reached the peak when the transaction times reached 5000, the throughput is

Security
(1) In the design of the authentication scheme, the pseudonym of a smart wearable device is introduced, which is transferred during each communication, and the pseudonym is updated after each communication, so that the pseudonym of each round is different. Additionally, other private information that needs to be sent is encrypted before it can be sent, which makes it impossible for attackers to obtain useful and valid information. Therefore, attackers cannot learn the real identity information of a smart wearable device user. Hence, this scheme can provide the anonymity of entities. At the same time, our scheme uses the method of mixing random numbers in the message encryption. The random number is randomly generated by the system, and it is unpredictable and inconsistent. Therefore, the attacker cannot analyze the value of the next round of communication messages by intercepting the current message or deduce the user's privacy information in the previous round of communication messages, which makes the scheme more secure.
(2) In the process of anonymous certificate generation, TCA is visible to the content of the certificate but invisible to the user's identity, while regulators are visible to the user's identity but invisible to the content of the certificate, which enhances the anonymity of the user. In addition, in the process of tracking the user's real identity, TCA and regulators need to provide their own key information, which reduces the threat of unilateral dishonesty and single point attack on the security of anonymous certificates. In our scheme, we disclose specific information to the server during the operations of query and update. Next, we use the following leak functions $L_{search}$, $L_{add}$, $L_{delete}$, $L_{encrypt}$ to give the leaked information.

Conclusion
As an intelligent product at this stage, mobile intelligent terminal integrates the existing information system of the hospital through mobile Internet technology, shares and exchanges clinical business data, and provides a new way of diagnosis and treatment for the hospital. To solve the problem of privacy leakage of medical patients, we design a privacy preservation scheme based on mobile terminals in Internet medical by combining privilege separation, authentication scheme, lightweight loop operation, and improved searchable encryption algorithm in the model system, and we conducted a comparative experiment on data from different systems. Compared with the original anonymous authentication system, we separate the regulator and TCA authority and improve the efficiency of certificate generation by 34.8% compared with the scheme. The results show that the model trained by our scheme has less calculation burden, better stability, and higher security. Further works are as follows.
(1) To improve the efficiency of searchable encryption.
(2) To expand the diversified search functions. Except the basic search function, we also need to support some special functions, such as approximate search, wildcard search, fuzzy search, multikeyword search, and so on. Increasing the diversity of search functions is an important research direction in the future.
Data Availability
The data that support the findings of this study are available from the corresponding author upon reasonable request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.