An Immunity Passport Scheme Based on the Dual-Blockchain Architecture for International Travel

The implementation of immunity passport has been hampered by the controversies over vaccines in various countries, the privacy of vaccinators, and the forgery of passports. While some existing schemes have been devoted to accelerating this effort, the problems above are not well solved in existing schemes. In this paper, we present an immunity passport scheme based on the dual-blockchain architecture, which frees people from the cumbersome epidemic prevention process while traveling abroad. Specially, the dual-blockchain architecture is established to fit with the scenarios of immunity passport. Searchable encryption and anonymous authentication are utilized to ensure users’ privacy. In addition, the performance and security evaluations show that our scheme achieves the proposed security goals and surpasses other authentication schemes in communicational and computational overheads.


Introduction
The Coronavirus Disease 2019 (COVID-19) pandemic is undoubtedly an unprecedented disaster for human society [1][2][3]. The pandemic is rapidly spreading and getting worse in many countries and regions of the world, which has caused a large number of infections and deaths. Countries around the world are doing their utmost to curb the spread of the pandemic, enacting strict policies such as quarantine for infected people, prohibitions on mass gatherings, and restrictions on entry-exit and so on.
Vaccination, in combination with personal protection, is the most effective measure to prevent the COVID-19 [4]. However, the effectiveness of some vaccines remains controversial in countries because of differences in policies, technical standards, and religions. As shown by recent publications, not everyone holds a positive attitude towards the COVID-19 vaccine [5,6]. There are even discriminations against unvaccinated people in some areas, which is called stigmatization of vaccination [7,8].
Restoring the order of human society in the postepidemic era is one of the most important issues, among which lifting restrictions on people's entry-exit is particularly significant. The restrictions on the people who have been vaccinated could be relaxed [9]. Therefore, a number of countries and organizations have launched the immunity passport that allows them to work and travel abroad without compromising personal or public health [8,10]. However, some serious issues remain unresolved: (1) traditional passports are easy to falsify. (2) There are controversies about the effectiveness of some vaccines among different countries. (3) Under the premise of stigmatization, vaccinators' privacy is still at risk.
To effectively ensure the privacy of people traveling during the COVID-19 pandemic, we propose an immunity passport scheme in this paper. In our scheme, vaccinated people can show their passports to a staff of customs without compromising their privacy for entry and exit. Our contributions are summarized as follows: (1) In order to adapt our scheme to the international travel scenarios, we designed a dual-blockchain architecture with two different types of blockchain, domestic and international. Different countries participate in the consensus of the international blockchain, which is conducive to solving the controversies about vaccines.
(2) We leveraged the use of the inherent characteristics of blockchain to make the immunity passport traceable and nonrepudiable. And for the purpose that users can have control over their data, we combined searchable encryption and anonymous authentication with blockchain.
(3) Our scheme allows users to participate in vaccination, authentication, and other processes using legitimate pseudonyms, which can well solve the stigmatization of vaccination.
(4) To prove the feasibility and reliability of our scheme, we conducted a complete security analysis and simulation experiments, including computational overheads, communication overheads, and energy overheads.
The rest of this paper is organized as follows. Section 2 discusses some related research achievements. Section 3 describes the preliminary knowledge and introduces the design details of the system model. The immunity passport scheme is proposed in Section 4. Section 5 presents the correctness and security analysis. Section 6 presents the performance evaluation, and Section 7 concludes this paper.

Related Work
Due to its outstanding characteristics, blockchain technology has attracted widespread attention in many fields including medical care, identity authentication, and finance [11][12][13]. Recently, there have been some studies applying blockchain technology to meet the challenges of COVID-19. Xu et al. [14] proposed a blockchain-enabled privacy preserving contact tracing scheme, in which users' privacy is ensured by the pseudonym. However, their scheme has a high demand for the intensive computation of blockchain nodes. In order to control the spread of COVID-19, a privacy anonymous IoT model using blockchain was presented in [15]. In this scheme, people who wear RFID tags will be notified if they are near to the possible or confirmed "hotspot" area. But the authors did not give a security analysis of the scheme in this paper. Song et al. [16] using Bluetooth technology designed a tracing and notification system based on blockchain and smart contract to ensure users' privacy. However, there is an unreasonable assumption that people always honestly upload their health status to the blockchain. Jacob and Lawarée [17] pointed out that apps such as to StopCovid (France), NHS Covid-19 (UK), and Coronalert (Belgium) have security, political, and other issues. Although these schemes and applications are focused on addressing the issues of privacy, the public is still reluctant to disclose their personal data for privacy reasons [18,19]. Moreover, contact tracing is a passive defense against the COVID-19 pandemic.
Hasan et al. [20] proposed a digital health passport system combining blockchain, proxy reencryption, and smart contracts. In this system, the data owner grants access to other entities so that the user has control over his data. Based on blockchain, a framework was proposed in [21] to ensure users' privacy, which uses a locality-sensitive hash function to generate a secure identifier. The identifier can only be derived if the user provides his biometric and personal information, whereas, although the authors give details of the pseudoidentity generation, the description of the vaccination certificate is very brief. Angelopoulos et al. [22] presented a framework that used a private blockchain to store the digital health passport. But the authors did not give details about how to ensure users' privacy, and the characteristics of private blockchain did not apply to the scenarios where people travel among multiple countries.
None of the above researches [20][21][22] addressed how the passport holder can verify the legality of inspectors, which is extremely important for users. Some existing authentication schemes are designed for scenarios such as the smart grid, the Internet of Things, and the smart medical [23][24][25][26]. Mahmood et al. [23] proposed an anonymous key agreement protocol for the smart grid infrastructure by using the identity-based signature. This protocol empowers the smart meters for anonymous information exchange with utility, which is proved secure under the random oracle model. A mutual authentication scheme focusing on mobile edge computing is proposed by Jia et al. [24], which only needs one massage exchange round to achieve mutual authentication. However, their scheme cannot achieve some security properties. Almadhoun et al. [25] proposed a decentralized and scalable authentication mechanism that utilizes blockchain-enabled fog nodes with connectivity to Ethereum smart contracts, which gives details of smart contracts involved. Although all the above schemes have advantages and highlights, these authentication schemes are not suitable for the scenarios of immunity passport.
It is noteworthy that the above schemes have some shortcomings when applied to epidemic prevention scenarios, which makes the privacy of users cannot be guaranteed well. Therefore, it is meaningful to design a secure, reliable, and efficient immunization passport scheme for the COVID-19 epidemic.

System Model and Security Goals
In this section, we give a brief introduction to the basic theoretical knowledge involved in this paper, such as blockchain, searchable encryption, and bilinear mapping. Subsequently, the system model and security goals are presented. The system model is depicted in Figure 1, and the main notations that appear in the scheme are listed in Table 1.

Preliminaries. Blockchain.
Blockchain is a special kind of data structure that arranges a large number of blocks into a chain in chronological order, where each block is composed of certain data [27]. Blockchain is categorized roughly into public blockchain, consortium blockchain, and private blockchain according to the degree of decentralization. Our scheme adopts the consortium blockchain because of the specific advantages: (1) it can be jointly controlled by multiple organizations or countries, which is suitable for the scenarios of our scheme. (2) Only the members of the consortium participate in the consensus, so it has high efficiency. (3) Not everyone can access the data on the consortium blockchain.
Searchable Encryption. Searchable encryption is a cryptographic primitive that supports users to conduct keyword search on encrypted data. It mainly solves how to complete the search for encrypted data when the data is encrypted and stored in the cloud, under the premise that the cloud server is not completely trusted. Similar to searching for plaintext data, a common method for searchable encryption is to establish a secure index for the entire dataset and then use the secure index to complete a secure search for encrypted data on the cloud server. Searchable encryption enhances the scalability of search while saving users a lot of network and computing overhead.
Bilinear Pairings. Let G 1 and G 2 be two multiplicative cyclic groups with the prime order as p. Let g be the gener-ator of G 1 , which means G 1 = hgi. We accept e as bilinear pairing if e : G 1 × G 1 ⟶ G 2 satisfies the following properties [28]: (3) Computability. For all g 1 , g 2 ∈ G 1 , there exists an efficient algorithm to compute eðg 1 , g 2 Þ.

System
Model. In the model of the immunity passport scheme, it is assumed that various epidemic prevention agencies (EPAs) in each country form an alliance and jointly maintain a domestic consortium blockchain, that is the "Domestic Blockchain (DBC)." Every country selects an institution with high credibility on behalf of the country to maintain an international consortium blockchain, that is the "International Blockchain (IBC)." Since we use consortium blockchains to design the system model, popular consensus mechanisms adapted to consortium blockchains can be run on our scheme, such as Practical Byzantine Fault Tolerance (PBFT) and Delegated Proof of Stake (DPoS) [29,30]. Thus, our scheme focuses on how to efficiently authenticate the identity and verify the validity of the passport. The seven entities and two structures of transaction in this model are described in detail as follows: Key Generate Center (KGC). KGC is an organization with high credibility in this system, which is responsible for generating system parameters and distributing partialprivate keys for all users.
Users. The user is vaccinated at EPA by virtue of the legal pseudoidentity. The user generates a trapdoor and a decryption key for the staff when he needs the immunity passport; the ciphertext of passport is then searched by the IBC node and returned by the IPFS.
Inter-Planetary File System (IPFS). IPFS is a decentralized file storage network used to store the ciphertext of passports generated by the EPAs.
Epidemic Prevention Agency (EPA). EPAs maintain a DBC in each country, responsible for vaccinating, generating  Domestic Blockchain (DBC). There are many DBCs in our model. The role of DBC nodes is played by EPAs of each country and the transaction on DBC is broadcast by EPAs.
International Blockchain (IBC). Only one IBC exists in our model. The role of IBC nodes is played by institutions on behalf of countries, such as the ministry of health.
Customs. The staff of customs gets the ciphertext of passport and decrypt it after achieving mutual authentication with the user, where a session key is negotiated for transferring the trapdoor and the decryption key.
Structure of Transaction. We deployed two types of blockchain in our scheme, thus we designed different structures of transaction.
The structure of transactions on DBCs is shown in Table 2, including identity of EPA ID EPA that generates the DBC-transaction, pseudoidentity of the inoculator ID′, the keyword-index fidx, wg, hash of the ciphertext of the passport hashðC p Þ, and signature of the EPA sig EPA .
The structure of transactions on the IBC is shown in Table 3, including identity of the country ID ctry that generates the IBC-transaction, signature of the country sig ctry , and search-index ðID DB , ID′, fidx, wg, hashðC p ÞÞ. The searchindex is composed of ID of the DBC-block, pseudoidentity of the inoculator, the keyword-index, and hash of the ciphertext of the passport.

Security Goals.
We assumed that all blockchain nodes and customs staffs are semihonest, and attackers can eavesdrop on messages while users are communicating with other entities. Based on the assumption, we propose the following security goals.
Confidentiality and Privacy. Our scheme is based on the blockchain, and data stored on the blockchain is shared and transparent. The scheme needs to satisfy user's personal privacy and the confidentiality of immunity passports.
Mutual Authentication. In the proposed scheme, users need to communicate with customs staff. In order to ensure the legitimacy of two parties, they need to achieve mutual authentication before communication.
Traceability and Nonrepudiation. The EPA is responsible for user's health after vaccination. Accordingly, the goals of traceability and nonrepudiation should be achieved in our scheme.
Other Attacks. Furthermore, our scheme should also be able to resist other attacks, such as impersonation attack and insider attack.

The Proposed Scheme
In order to facilitate readers to better understand the application scenario, we have made a brief overview of the scheme before describing the details. For the convenience of presentation, it is assumed that the entire process takes user U 1 as an example, referring to Figure 1.
(1) Firstly, U 1 will get his legal pseudoidentity and his full public-private key pair by interacting with KGC.
(2) Then, U 1 is vaccinated at the EPA 1 after mutual authentication with the EPA 1 .
(3) Subsequently, EPA 1 generates an immunity passport for U 1 and stores the ciphertext of the passport in IPFS, and two different transactions will be uploaded to DBC 1 and IBC, respectively.
(4) When U 1 travels through the customs, send the decryption key and trapdoor to the staff through the negotiated session key after mutual authentication. The staff will issue a request to the IBC node to search for the corresponding transaction.
(5) Finally, IPFS sends the ciphertext of the passport to the staff, who can verify user's vaccination information.
The detail scheme mainly contains the following phases.

System Setup and User-Registration.
In this phase, KGC generates system parameters and its public-private key pair. The user obtains a legal pseudoidentity and generates his full public-private key pair through the partial-private key generated by KGC (as shown in Figure 2).  System-Setup. To generate system parameters, KGC chooses two multiplicative cyclic groups G 1 and G 2 with a prime order p, an element g, which is the generator of G 1 , and a bilinear map e : G 1 × G 1 ⟶ G 2 . KGC chooses a secret value SK = x ∈ ℤ * P and calculates PK as The IBC node chooses a secret value SK c = x c and calculates PK c as Then, KGC selects some secure hash functions H 1 : User-Registration. KGC randomly picks μ ∈ ℤ * P , calculates g μ , and sends g μ to the user. The user chooses a secret value x i ∈ ℤ * P and calculates X i and his pseudo-identity ID i ′ as then sends ID i ′ and X i to KGC. KGC checks whether formula (5) is valid.
If the equality holds, KGC picks r i ∈ ℤ * P and calculates R i , k i , and d i according to KGC sends the partial-private key D i = ðR i , d i Þ to the user through a secure channel. The user sets his full public-private key pair to: pk i = ðR i , X i Þ and sk i = ðx i , d i Þ.
Once the user has his legal pseudoidentity and full public-private key pair, he will use the pseudoidentity to participate in the next phases.

Passport Generation and Storage.
In this phase, the EPA vaccinates the user and generates an immunity passport after authenticating user's pseudoidentity, then stores the ciphertext of the passport on IPFS. Subsequently, different types of transaction will be uploaded to IBC and DBC.
User-Authentication. The user chooses a secret value u i ∈ Z * q , calculates U i , h i , and V i according to and sends a signature sig i ðU i , V i Þ to EPA. EPA calculates k i , h i as and checks Equation (14). If the equation holds, the user is considered legitimate.
Passport-Storage. EPA generates the immunity passport passpt ∈ f0, 1g * for the user, randomly picks l i ∈ Z * q , and calculates L i , the ciphertext of the passport C p according to and the hash of the ciphertext hashðC p Þ = H 4 ðC p Þ. EPA gets sig EPA by signing the hashðC p Þ, extracts the ID of vaccine ID v ∈ f0, 1g * as the keyword w = ID v , and calculates the index of keyword idx as idx = H 5 e g l i , g w k : ð17Þ EPA stores C p in IPFS and broadcasts fID EPA , ID i ′, fidx, wg, hashðC p Þ, sig EPA g as a new transaction. Then, the transaction is uploaded to DBC after being verified by other EPAs. After a new block is generated on the DBC, the IBC node sets ðID DB , ID ′ , fidx, wg, hashðC p ÞÞ as the search-index and broadcasts fID ctry , ðID DB , ID ′ , fidx, wg, hashðC p ÞÞ, sig ctry g as a new transaction. After being verified by other countries, the transaction is uploaded to IBC.
After the end of this phase, the ciphertext of user's passport is stored in IPFS, the corresponding keyword-index and search-index are also uploaded to the blockchain as transaction information.

Identity Authentication and Key Agreement.
In this phase, the user and customs staff perform identity authentication to confirm both of them are legitimate, and a secure session key is negotiated for subsequent data transmission, as depicted in Figure 3.

Wireless Communications and Mobile Computing
Authentication and Negotiation. The user randomly picks u i ′ ∈ Z * q and calculates U i ′, h i ′, V i ′ to authenticate with the customs staff as in the "User-Authentication". After authenticating user's identity, the staff picks u j ∈ Z * q and calculates U j , h j , and V j to obtain the signature sig j ðU j , V j Þ according to Calculates: R i = g r i , Figure 2: Generation of pseudoidentity and public-private key pair.

User Customs
Calculates: U i = g u i ,

Wireless Communications and Mobile Computing
Then, the staff calculates the session key K, the key confirmation message Confir, and sends fsig j ðU j , V j Þ, Conf irg to the user. K and Confir can be computed as The user calculates k j , h j according to checks Equation (25). If the equation holds, the staff is considered legitimate.
The user then calculates K and verifies whether Equation (22) is established. And the session key K is accepted if the equation is established. The K can be computed as The user has completed the mutual authentication with the staff, and both of them have obtained the same session key for the transmission of important information.

Passport Search and Access.
In this phase, the staff gets a trapdoor and a decryption key from the user through the session key and uses the trapdoor to get the ciphertext of passport from IPFS. Then, with the decryption key, the staff decrypts the ciphertext to obtain the passport.
Passport-Search. The user calculates the trapdoor T, and the decryption key K p according to sends fT, K p g to the staff with the support of K. The staff sends fT, U i g to an IBC node. The IBC node calculates T ′ as and checks Equation (30), and locates the specific block on the DBC according to the ID DB if the equation holds. Then, IPFS searches corresponding C p according to the hashðC p Þ and sends it to the staff.
Passport-Access. The staff decrypts the C p with the decryption key K p , where passport = C p /K p .
At this point, the staff uses user's trapdoor to search for the ciphertext of the passport. Through the decryption key, user's passport is finally obtained by the staff.

Correctness and Security Analysis.
In this section, we analyse the correctness of critical steps in our scheme. Authentication-Correctness: Decryption-Correctness: 5.2. Security Analysis. Confidentiality and Privacy. In our scheme, the user interacts with other entities by virtue of a legal pseudoidentity. The attacker cannot infer user's real identity through the ID ′ unless he cracks user's secret key x i or the random number μ picked by the KGC. The attacker also cannot obtain effective data even if the IPFS is hacked, because the IPFS stores the ciphertext of passport. In the step of "Passport-Search," only the user can generate a trapdoor and send it to the staff for searching, and then, IPFS returns the corresponding C p to the staff. Thus, users have full control over their data. Mutual Authentication. In the phase of "Authentication and Negotiation," the user signs his identity information with the private key The customs staff verifies V i with user's public key pk i = ðR i , X i Þ. The correctness of this step has been given above. Therefore, the scheme achieves the goal of mutual authentication.
Traceability and Nonrepudiation. In our scheme, the information of each user's vaccination is uploaded to DBC and IBC. Each transaction contains the identity of the producer, known as ID EPA or ID ctry . Once the user has a health problem due to the vaccine, it can be traced back to the corresponding country or EPA, and the corresponding sig EPA and sig ctry can avoid producer repudiation.
Impersonation Attack. It is impossible for an attacker to pose as a legitimate user unless he cracks user's private key sk i , and the attacker cannot impersonate the staff as well. Assume that an attacker wants to impersonate a legitimate entity, he must sign with user's private key in the "Authentication and Negotiation" phase, which is hard because only the user knows the secret value x i .
Insider Attack. KGC cannot reveal the private key sk i of users because it is only responsible for generating partialprivate keys in the phase of "User-Registration." In addition, all the vaccination records will be uploaded to blockchain, and the traceability and nonrepudiation characteristics ensure that blockchain nodes will not upload fake information.

Performance Evaluation
In this section, we make a functional property comparison between the proposed scheme and the existing immunity passport schemes [20][21][22]. Then, the proposed scheme is compared with the existing authentication schemes [23,24] in terms of computational overheads, communicational overheads, and energy overheads. Table 4 shows the comparison of the functional properties of our scheme with other immunity passport schemes. From Table 4, we can see that all four schemes achieve access control of user data. Hasan et al.'s scheme [20] cannot provide anonymity, although blockchain is used in their scheme. Schemes in [21,22] did not consider the issue of coordination between different departments in multiple countries in the scenarios of immunity passport. Moreover, schemes in [20][21][22] all cannot provide mutual authentication between the user and the passport inspector. Our scheme achieves these functions well.

Overheads
Comparison. The computational complexity comparison of our scheme and schemes [23,24] in the phase of authentication is shown in Table 5. Among them, T h , T m , T e , T a , and T p , respectively, represents the time of hash function, point multiplication, modular exponentiation, point addition, and bilinear mappings.
For comparing the computational overheads, we conducted simulations on a PC with an Intel Core i5-7300HQ CPU at 2.50 GHz and 8 GB RAM, running Windows 10 Home (64 bit). Simulations show that the operation time of T h , T m , T e , T a , and T p , which are about 0.0018 ms, 0.0012 ms, 0.0021 ms, 0.0127 ms, and 2.7737 ms, respectively. The computational overhead comparison of the user, other devices, and the total are shown in Figures 4, 5, and 6.
As for the computation of users, user in our scheme requires to calculate fU i ′, h i ′, V i ′, k j , h j , eðV j , gÞ, Kg, that is 4 T h + 3T m + 3T e + T p (2.7908 ms). Similarly, Mahmood et al.'s scheme [23] requires 3T h + 2T m + 1T e + T p (2.7838 ms), and Jia et al.'s scheme [24] requires 5T h + 4T m + 1T e + T p (2.7908 ms). Figure 4 shows that our scheme is similar as other schemes in terms of users' computational overheads. Comparing the computational overheads of other devices, our scheme requires to calculate fk i , h i ′ , e ðV i ′ , gÞ, U j , h j , V j , K, Confirg, that is 4T h + 3T m + 3T e + T p (2.7908 ms). Similarly, scheme [23] requires 4T h + 2T m + 1 T e + 2T p (5.5591 ms), and scheme [24] requires 5T h + 5T m + 3T a + T p (22.8268 ms). As can be seen from Figure 5, our scheme and scheme [24] are significantly better than scheme [23], because the number of bilinear mappings operation is reduced, which is time-consuming. Furthermore, it can be seen that the computational overheads of our scheme are equal between the users and other devices. As for the total computational overheads, our scheme performs similarly to scheme [24], with a 33.10% reduction compared to scheme [23], which can be seen from Figure 6. The bit length of a signature, a public key pair, and the hash values are assumed 256 bits. The identity and the timestamp are, respectively, assumed 128 bits and 32 bits, respectively. Our scheme needs to transmit fjU i ′ j, jV i ′ j, jU j j, jV j j, jConfirjg, that is 1280 bits. Similarly, scheme [23] needs to transmit 1312 bits during authentication; scheme [24] needs to transmit 1472 bits. We can see from Figure 7 that the performance of the communicational overhead of our scheme is a little different from scheme [23]. However, our scheme only requires two rounds of massage exchange, whereas scheme [23] requires three rounds. And our scheme reduced 13.04% compared to scheme [24] because the transmission of unnecessary information is reduced in our scheme, such as timestamps.

Conclusion
In this paper, we propose an immunity passport scheme to mitigate the impact of COVID-19. This scheme helps people travel between different countries without going through tedious epidemic prevention procedures in this era of postepidemic. The highlight of this scheme is that it combines    Figure 4: Computational overheads comparison: users. 9 Wireless Communications and Mobile Computing searchable encryption and authentication with blockchain, which ensures users' privacy and allows them to have control over their data. According to the security analysis, our scheme can well meet the security requirements of the immunity passport scenarios. Furthermore, the evaluation results show that compared with other schemes, our scheme has better communication and computing performance while achieving the functional properties. In the next, designing an efficient consensus mechanism and detailed smart contracts for this scheme is our future research direction.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.