An efficient and scalable vaccine passport verification system based on ciphertext policy attribute-based encryption and blockchain

Implementing a trust and secure immunity or vaccine passport verification system is now crucial for many countries. The system typically aims to enable the secure access control and verification of vaccination records which will be used by trusted parties. However, the issues related to the system scalability in supporting a large number of data access requests, the enforcement of the user consent for data sharing, and the flexibility in delegating the access capability to trusted parties have not been resolved by existing works. In this paper, we propose a Universal Vaccine Passport Verification System (UniVAC) to support a decentralized, scalable, secure, and fine-grained, access control for Covid-19 vaccine passport data sharing and verification. At a core of our scheme, we employ the ciphertext policy attribute-based encryption (CP-ABE) to support secure and fine-grained access control and use the blockchain to record access transactions and provide data indexing. Furthermore, we propose a ciphertext retrieval method based on regional blockchain segmentation and introduce the outsourced CP-ABE decryption as a part of the proxy re-encryption (PRE) process to enable scalable and secure ciphertext delivery of the encrypted vaccine passport under the requestor’s public key. Finally, we conducted the extensive experiments in real cloud environment and the results showed that our proposed scheme is more efficient and scalable than related works.

The outbreak of Coronavirus-19 has caused millions of hospitalizations and deaths worldwide. Each country tries its best to reduce the number of deaths. One of the most efficient ways to curb the danger of the virus is by letting each country vaccinate its citizens with a trustable department. It is visible that after each nation provides the vaccine to its citizens, the number of deaths has been dropping.

Although vaccination has been intensively invoked to alleviate the outbreak, some people do not want to get vaccinated. This is because there are controversies in some countries regarding the effectiveness and long-term effect of the vaccines. To encourage their people to get vaccinated, many countries have exposed the strategies to enforce their citizens to get vaccinated through the issuance of certificates of vaccination. Providing the efficient verification of an individual’s COVID-19 vaccination would improve cross-border mobility and limit the outbreak of the virus [1].

People who have a certificate depicting the qualified types of vaccine and sufficient quantity will gain several advantages in using public services. Specifically, the restrictions on the people to enter or leave the countries could be relaxed. Most countries issue the Covid-19 vaccine passport in either the form of hard copy or electronic format. In the latter technique, the certificate is usually encrypted and stored in the cloud and it can be simply retrieved via QR code or barcode. Even though the electronic vaccine passport seems usable as valid proof, the interoperability and the trust of the vaccine passport is still an issue. This is because it lacks the valid verification for guaranteeing the authenticity and integrity of the vaccine passport. To deal with this problem, an efficient and reliable vaccine verification scheme is essential.

Existing works [1,2,3,4,5] have generally employed cloud computing and blockchain to construct the secure vaccine passport sharing and verification. However, they have the following common issues:

1. (1)

   they do not fully support fine-grained and scalable access control with flexibility for granting third parties the access right to vaccine passports.

2. (2)

   they do not support the consent of the vaccine record’s owner before the passport is published and shared.

3. (3)

   they do not provide the mechanism that enables trust between the international immigration offices and system entities.

Regarding the first problem, most approaches emphasize the privacy of the vaccine certificate where the personal data and vaccination records are encrypted and stored in the data outsourcing environment such as a cloud storage. They generally overlook the scalability and the performance of the system in supporting the large number of verification queries. The decryption delegation to other trusted parties has not been supported in a scalable manner. Second, existing access control and verification schemes have not taken the consent of the vaccination records’ owners into their data sharing protocol. This brings the issue related to data privacy compliance mandated by data privacy regulations such as General Data Protection Regulation (GDPR). Therefore, most solutions cannot be implemented in real practice. Finally, the provable security and trust mechanism between the requestors such as immigration offices and system entities such as cloud, and blockchain have not been incorporated in their design.

To encounter the privacy issue of the vaccine passport information, many research works have proposed the access control systems that support secure data sharing with the provision of authentication and encryption. Importantly, the data sharing is usually done through the blockchain and cloud storage. Most works leverage blockchain to support user authentication and store access transactions, and use cloud storage to keep the encrypted form of identity documents and the digital health passport. Regarding the cryptographic methods used to support the data privacy, traditional encryption methods such as symmetric encryption and public key encryption are not suitable to support data sharing in such environment since the symmetric encryption renders expensive key management cost while the PKI yields the overheads in dealing with multiple copies of ciphertexts.

Consequently, most works opt to consider other cryptographic-based access controls that offer both encryption and access control enforcement. Ciphertext policy attribute-based encryption (CP-ABE) proposed by Bethencourt [6] has been considered as an effective solution for supporting a secure and fine-grained access control for data outsourcing environment. To date, CP-ABE has been adopted by many cloud-based access control schemes. In CP-ABE, the data owner encrypts the data by using the access policy constructed from the formulation of a set of attributes and logical threshold gates OR, AND, and MofN. Data users who have a secret key that satisfies the access policy structure can decrypt the ciphertext.

In a cloud-based and blockchain-based access control, a symmetric encryption and CP-ABE are usually employed for fulfilling the privacy-preserving access control solution [7]. Specifically, existing works applying blockchain in their access control schemes [8,9,10,11,12,13,14,15] have a focus on improving the performance of the authentication and the auditability. These benefits could be a trade-off with the incurred communication cost related to the authentication and verification process occurring in the blockchain, cloud, and applications.

To the best of our knowledge, there are no blockchain-based access control schemes that provide the flexibility of the decryption of data access to authorized parties based on the data owner’s consent with fully traceable feature. Essentially, the delegation of decryption capability to authorized parties helps reduce the dependency on the availability of data owners as well as creates the trust of the data access verification. Such feature is even crucial for the data sharing service in which there is an authority that wants to verify or access the sensitive data through the trusted system rather than getting the confirmation from the data owner. Furthermore, there are no works that explicitly demonstrate the practicality in supporting the large volumes of verification requests. Accordingly, this paper provides the first attempt in delivering practical and secure Covid 19 vaccination data sharing and verification to the concern parties such as international immigration offices of many countries.

To this end, we proposed the design and the development of a universal vaccine passport verification system called UniVAC that aims to address all the above issues and entails an efficient and reliable access control and verification scheme. The UniVAC system is based on the integration of the CP-ABE, blockchain technology, proxy re-encryption (PRE), and cloud computing to enable privacy-preserving data and efficient sharing and verification of vaccine records. In our scheme, we designed a ciphertext retrieval method based on regional segmentation and introduced fully outsourced CP-ABE decryption as a part of proxy re-encryption process. The concept of outsourced decryption offloads expensive CP-ABE computation costs related to pairing and exponentiation cost to be executed by the semi-trusted proxy while the secrecy of the ciphertext is not compromised. In essence, our proposed PRE technique transforms the ciphertext designated for the requestor in the different access control domain to support secure delegation through the delivery of the encrypted vaccine passport under the requestor’s public key. In addition to the computation offload and secure transformation of the ciphertext into another form under the authorized recipient, combining PRE with CP-ABE and blockchain provides the fine-grained data sharing and full traceability with immutable transaction data.

In summary, our UniVAC system possesses the following contributions:

1. 1.

   We proposed a secure, fine-grained, and scalable privacy-preserving access control solution for the vaccine passport stored in the IPFS based on symmetric encryption and CP-ABE, and blockchain network segmentation.

2. 2.

   We introduced the outsourced CP-ABE decryption as a part of proxy re-encryption process to support the secure transfer of the encrypted vaccine passport to the authorized requestors without the dependency on data owner in an optimized communication cost.

3. 3.

   We provided the details of the design and implementation of the blockchain to enable the verification to be done in a decentralized way with the guarantee of traceability and immutable records of data. We also implemented the smart contracts to systematically manage user registration and flexible and secure enforcement of the consent. All consent histories are well kept in the blockchain.

4. 4.

   We conducted the extensive experiments in a real cloud and blockchain to demonstrate that our UniVAC is efficient for real implementation.

This paper is organized as follows. Related work section discusses related works. Our proposed system section presents the system model and the security model of our proposed system. Security properties section provides the security analysis of our scheme. Evaluation section provides the evaluation analysis and experiments. Concluding remark section gives conclusion and future work.

Current research works related to secure data sharing in cloud environment tend to apply blockchain technology to enable the authentication and permission validation, and access transaction to be done in the decentralization way. This plaform enhances the accessibility and functionality of access control management. Liu et al. [8] proposed a data sharing framework using smart contracts and blockchain technology for tracing and enforcing agreements. The smart contracts are generated from the parameters specified in the legal data sharing protocol. Lin et al. [9] introduced a secure mutual authentication based on blockchain technology to enforce fine-grained access control policies supporting data privacy and security. In this scheme, the authors applied attributed-based signature and multi-receiver encryption and MAC technique for guaranteeing authenticity and auditability.

Wang et al. [10] proposed an access control scheme to support secure data sharing in cloud. They employed Ethereum blockchain to store key information and access transactions through smart contracts. The ciphertexts are encrypted based on the CP-ABE while the user secret key is encrypted by the AES algorithm. In this scheme, the data owner can specify the period of data access in the policy through the smart contract. Therefore, the data user can decrypt the ciphertext if and only if the time is within the valid access period.

In [11], Yang et al. proposed a blockchain-based access control framework called AuthPrivacyChain by focusing on the privacy of shared resource while user authentication and authorization function are done by the smart contracts. In this scheme, the authentication source and authorization policy are encrypted and stored in the blockchain. Even though the proposed scheme fully supports the privacy of both data and access policy, the cost for validating encrypted credentials and the policies in the block bring the performance issue.

In [16], Fan et al. introduced a secure and traceable data sharing scheme using CP-ABE. In this scheme, the authors employed CP-ABE for encrypting the data and used a private blockchain to house the key generation function for generating the secret key. In the blockchain, the data owner can verify the data users’ identity and enforce the authorization based on the predefined access policy.

Yuan et al. [17] and Wu et al. [18] proposed a data privacy protection scheme to support secure and fine-grained data sharing based on CP-ABE and blockchain system. In these schemes, the blockchain stores access transactions and the access policy for controlling access permissions of users. If there are unauthorized accesses or any malicious activities occur, the system provides audit trails to support the traceability of cryptographic operations and transaction activities.

In [12], Yazdinejad et al. proposed a decentralized authentication scheme for patients in a distributed hospital network based on blockchain. The authentication protocol was proposed to authenticate the different users in the hospital based on the public key cryptosystem. However, the paper only focuses on the authentication issue, it does not entail the secure medical data sharing and verification issue.

In [2], S. Fugkeaw introduced a blockchain-based e-KYC scheme based on the ciphertext policy attribute-based encryption (CP-ABE) method binding with the client consent. The author proposed a lightweight cryptographic protocol based on the combination of a symmetric encryption and a public key encryption to encrypt the data. CP-ABE is used to encrypt the blockchain transactions. Smart contracts are proposed to automate and control the registration, consent enforcement, and document verification process.

In [19], Dinh et al. proposed a trusted authority to perform electronic health records (EHRs) encryption and decryption. The proposed scheme aims to minimize the workload of the user to make the scheme as lightweight as possible. Their work focuses on EHRs data access over mobile devices. In their scheme, the data will be encrypted with a trusted authority public–private key pair and stored on IPFS, a cloud storage service. When the user requests the data, the trust authority will access the requested ciphertext stored in the IPFS. Then the ciphertexts are decrypted before they are sent to the user via a secure channel.

Recently, there are research works focusing on the development of secure health passport data sharing by using blockchain and encryption techniques. Hasan et al. [3] proposed a digital health passport system based on the combination of blockchain model in [4], smart contracts, and proxy re-encryption (PRE). In this system, the data owners are able to grant access to their health passport to other users has control over his data. The proposed scheme used smart contracts based on the Ethereum blockchain to store a digital medical identity for test-takers that allows trusted authorities to verify their identity and direct them to the immunity records stored in the IPFS and only their hash values are stored in the smart contracts. Basically, the data owner encrypts their immunity-related documents or vaccination passport based on the symmetric encryption. Then, the documents are uploaded to the IPFS servers. When there is an access request, the data owner generates a new re-encryption key and send it to the proxy for re-encryption. After the re-encryption process, the new key encrypted with the requestor’s public key is sent to the requestor. The data requestor then decrypts the key using her private key to decrypt the encrypted symmetric key. The receiver finally uses the symmetric key to decrypt the content of the encrypted passport. Even though this scheme offers the confidentiality of the digital immunity documents, there is an overhead that the data owners need to deal with the re-encryption process. This cost will be very expensive if there are a high number of requestors.

In [20], Gao et al. proposed an immunity passport scheme based on the dual blockchain model and searchable encryption technique to support secure immunity passport data sharing and ciphertext search capability. In this scheme, the domestic blockchain and international blockchain are proposed to handle the immunity data storage and verification in the different levels. In this model, the user gets his pseudoidentity and his full public–private key pair from the key generation center (KGC). When the user gets vaccinated from the authorized agency, the agency issues an immunity passport and encrypts it by using public key and random encryption. Finally, the ciphertext is sent to store in the IPFS and its hash is stored in the blockchain. However, this scheme encounters high cost for calculating the authentication signature for every user.

In addition, some solutions [12, 21,22,23] were proposed to support the authentication for medical record tracing scenarios such as the smart grid, the IoTs, and the smart medical. However, these techniques have not addressed the scalable access control and secure delegation of the validation of vaccination records to trusted parties.

This section presents the system model, security model, and the cryptographic construct of our UniVAC system.

System model overview

Figure 1 presents the overview of our UniVAC System Model.

UniVAC system model

Full size image

UniVAC is designed to automatically verify the validity of Covid-19 vaccine passports for international travelers. Basically, the data owners who get vaccinated is asked to give the consent for allowing the epidemic prevention agencies (EPAs) to keep their vaccine record in the cloud for further access by the authorized parties. All vaccine records are encrypted based on the CP-ABE method. In our scheme, we use blockchain to store transaction records and support data indexing and develop and smart contract to perform user authentication and e-consent generation. The blockchain networks are segmented based on the EPAs location. In the cloud environment, we propose a UniVAC verification service (UVS) to manage the verification service where the requests are initiated from the trusted parties such as international immigration offices. The verification is done through the proxy re-encryption mechanism using the outsourced CP-ABE decryption and PKI method.

The system model consists of the following entities: Attribute Authority (AA), Certification Authority (CA), Epidemic Prevention Agencies (EPA), Inter-Planetary File System (IPFS), Users, International Immigration offices, Regional Domestic Blockchains (RDBCs), and UniVAC Verification Service (UVS). The detail of each entity is described below.

• Attribute Authority (AA): AA is a trusted authority that generates the public parameter PK and the master private key MSK of the system. The AA stores the MSK and publishes PK available for the users. The AA also issues a CP-ABE secret key generated and securely distributed to users.

• Certification Authority (CA): CA is a trusted authority responsible for issuing a X.509 certificate to each EPA and UniVAC verification service, and international immigration officers.

• Epidemic Prevention Agencies (EPAs): The EPA creates a key pair and publishes its public key in the blockchain. EPA is authorized to vaccinate users, generate the vaccine record, and store the ciphertext of the vaccine record or the vaccine passport in the IPFS.

• Inter-Planetary File System (IPFS): IPFS is a protocol and peer-to-peer network for storing and sharing data in a distributed file system. It stores all ciphertexts of a vaccination record generated by EPAs. It leverages the modular P2P networking stack libp2p [24, 25].

• Regional Domestic Blockchains (RDBCs): RDBCs represent the domestic blockchain network divided into multiple segments based on the number of regions in the country. In our system, the RDBCs are used due to the restriction of data privacy and ease of participant control. We assume that RDBCs are private chains implemented by the responsible government unit such as Ministry of Health to control the vaccine or immunology transactions and to ensure compliance with data privacy regulations. RDBCs store the transactions made by EPAs in each region of the country.

• Smart Contracts (SCs) are programmable codes used to automate the logical function in the blockchain network. In our scheme, the smart contract is responsible for computing the hash value of the user’s credential data after the users are enrolled by the EPA. It also generates the e-consent upon the successful generation of hash value.

• UniVAC Verification Service (UVS) is an autonomous system located on cloud. UVS system consists of a cluster of servers that is responsible for managing RDBCs and coordinating with the host blockchain to support the access requests.

• Data owners (DOs) refers to individuals who got inoculated by the EPA. DOs provide the consent to EPA to allow their vaccine records to be published in the IPFS.

• International immigration offices are responsible for verifying the vaccine passport of the travelers. They make a request to the blockchain manager for the verification of the vaccination record of the travelers.

Basically, when individuals get vaccinated at the EPA, they become the owner of their vaccine records. They are able to delegate their right by giving the consent to the EPA to store their records in an encrypted format in the cloud and to transfer the passport to authorized parties. Then EPA will sign the record with its private key and send the ciphertexts of the record to IPFS. The IPFS generates hash of the received ciphertext to the domestic blockchain where the EPA is close to. We assume that all the epidemic prevention agencies (EPAs) jointly maintain RDBCs. To enable the efficient vaccine record verification process, the UVS located on the cloud takes the verification requests and communicates with the blockchain network to get the index of the ciphertext stored in the IPFS. Then, the ciphertext is re-encrypted by the proxy re-encryption service by using the immigration office’s public key. Hereafter, a new ciphertext is delivered to the immigration office. The immigration office can then decrypt the ciphertext and verify the content of the vaccine passport. As our proxy use the public key encryption for supporting the ciphertext transformation to deliver secure data transfer to the end user, the cost of key distribution is minimized [26].

Security model

In our model, we assume that AA and CA are trusted authorities. The cloud and proxies are honest but curious. They generally perform honestly for all tasks they are delegated, but they are curious about the outsourced data. The outsourced ciphertext may be compromised based on the brute force decryption or attribute collusion. In cloud environment, the adversary can be any entities who corrupt authorities only statically, but queries can be made adaptively. The attack of the security can be done by an adversary requesting a secret key from the attribute authority.

Since the vaccine record is encrypted with the CP-ABE method, it is proven to be secure against collusion attack. The detailed proof of cryptographic strength can be found in [6, 27]. The security model of our scheme is defined as a game-based in compromising the CP-ABE key to obtain the capability in accessing the plaintext. The game-based between an adversary A and a challenger C is defined as follows:

Setup. For uncorrupted authorities AA, the challenger C runs CreateAttributeAuthority algorithm and sends a public keys PK to the adversary A. For corrupted authorities AA^′ the challenger sends both the public key PK and the secret key SK to adversary A.

Phase1: The adversary A delivers SK which is a set of attributes issued by an uncorrupted authority AAk. The challenger C gives the secret key SK to the adversary A.

Challenge. Adversary A sends two challenge messages m1 and m2 to the simulator. The simulator flips a fair binary coin ν, and returns an encryption of mν. In this game, the CT_{VR_id} which is a ciphertext of the vaccine passport encrypted by a CP-ABE method. The ciphertext CT_{VR_id} is computed as follows:

CT_{VR_id} = (T, \(\hat{C}\) = m_ν\(z ,{CT}_{k}= {h}^{s}\),\(\forall y\in Y: {C}_{y}={g}^{{q}_{y}}(0)\), \({C{\prime}}_{y}=H(att({y))}^{{q}_{y \left(0\right)}}\)) where γ is a chosen set of attributes. If μ = 0 then \(z\) = \({e(g,g)}^{\alpha s.}\). Therefore, the ciphertext CT_K is a valid random encryption of message m_ν.

Otherwise, if μ = 1 then \(z\) = \({e(g,g)}^{z}\). We now have, \(\hat{C}\) = m_ν \({e(g,g)}^{z.}\). Since z is random, \(\hat{C}\) will be a random element of G₁ from the adversaries view and the message contains no information about m_ν.

Phase 2. The simulator does as it did in Phase 1.

Guess Adversary A sends a guess of ν’ of ν.

The advantage of A in this game is defined as:

Definition 3: Our proposed scheme is secure if all polynomial time adversaries have at most a negligible advantage in the above game.

Theorem 1: Suppose there is no polytime adversary who can break the security of CP-ABE with nonneglible advantage; then there is no polytime adversary who can break our crypto system with nonnegligible advantage.

Proof As we have shown how the adversary A has nonnegligible advantage against our scheme. Similar to A, we show how the adversary B, is created to break the CP-ABE scheme with nonnegligible advantage. The adversary B can play a similar game with the CP-ABE scheme to make private queries during the game to get the private keys in the CP-ABE scheme.

Initialization. The adversary B takes the PK of the authority k, PK’_k = \(\{{G}_{0}, g, h= {g}^{\beta }, f={g}^{\frac{1}{\beta }}, {e\left(g,g\right)}^{\alpha }\}\), and the corresponding secret key \(\left(\beta ,{g}^{\alpha }\right).\) is unknown to the adversary.

Setup. The adversary B gets the public parameters from PK’ as PK_k = \(\{{G}_{0}, g, h= {g}^{\beta }, f={g}^{\frac{1}{\beta }}, {e\left(g,g\right)}^{\alpha }\}\), then the public key PK_k is sent to the adversary.

Phase 1. B answers private key queries. Suppose the adversary is given a secret key query for a set of attributes S where S does not satisfy T. Here, B makes a query for obtaining SK for the same set S twice. Then, B obtains two different SKs as follows.

where i’s are attributes from S, and r, r′,\({r}_{i}\), \({r}_{i}{\prime}\) are random number in \({Z}_{p}\). With SK_k and SK′_k, B can obtain \({g}^{r-{r}{\prime}/\beta }\), and chooses random number t_i, t_i,j ∈ \({Z}_{p}\). Let \({r}^{*}\) = \({t}_{i}\)-\({r}_{i}\) and \({r}^{{\prime}{\prime}}\)= t_i,j -\({r}_{i}{\prime}\). Then B derives the SK requested by A as \({SK}^{*}\) = (\(D={g}^{({\alpha }_{k}+r{\prime})/{\beta }_{k ,}}\) \(\mathrm{D}={\mathrm{g}}^{({\mathrm{\alpha }}_{\mathrm{k}}+\mathrm{r})/{\upbeta }_{\mathrm{k },}}\) A_i ∈ S: D_i = \({g}^{{r}^{*}}.H{(i)}^{{r{\prime}{\prime}}_{i }}, {D{\prime}}_{i}\)  = \({g}^{{r{\prime}{\prime}}_{i}}\)). Then, the SK is returned to the adversary A.

Challenge. When A decides that Phase 1 is over, it outputs an access policy T and two messages m₁ and m₂, which it wishes to be challenged. B gives the two messages to the challenger, and is given the challenge ciphertext CT_K. Then B computes the challenges ciphertext for A from CT_K as \({{CT}_{K}}^{*}\). Finally, the challenge ciphertext \({{CT}_{K}}^{*}\) is returned to the adversary A.

Phase 2. A makes queries not issued in Phase 1. B responds as in Phase 1.

Guess. Finally, it outputs a guess ν’ ∈ {1,0}, and then B concludes its own game by generating ν’. According to the above security model, the advantage of the adversary B is:

Thus, B has nonnegligible advantage against the CP-ABE, which completes the proof of the theorem.

Enrollment

In our system, the users or the vaccine passport owners need to enroll to the system since they get the vaccination. First, the system verifies the identity of each user. Here, the EPA connects to the blockchain and runs the smart contract. The smart contract records the hash value of IDs and public key of the user for future matching with the corresponding ciphertext and user authentication. Simultaneously, the system asks users to submit their public key together their citizen or passport ID. Then, the smart contract generates the consent to ask the users (vaccine record owners) to allow the EPA to store their vaccination records in the cloud storage as well as to transfer their records to trusted parties.

Algorithm 1. User enrollment and consent generation smart contract

In our system, we assume that the user needs to have a key pair and submit the public key in the enrollment phase. The blockchain does not retain any plaintext of user identity and the smart contract can be only activated by the authorized EPA.

Cryptographic construct

This section presents the cryptographic construct of our UniVAC system. Table 1 presents the notations and their meaning used in our paper.

A concrete construction of UniVAC system consists of a set of algorithms organized in six phases as follows.

Phase 1: system setup

This phase is run by the AA to set up the system and security parameters necessary for supporting CP-ABE cryptographic process.

• CreateAttributeAuthority(k)PK_k, SK_k, PK_x.k. This algorithm uses an attribute authority ID(k) and selects a bilinear group \({G}_{0}\) of prime order p with generator g. Then, it selects two randoms \(\alpha\), \(\beta\)∈\({Z}_{p} to\) compute the public key defined as follows:

  $${PK}_{k} =\left\{{G}_{0}, g, h= {g}^{\beta }, f={g}^{\frac{1}{\beta }}, {e\left(g,g\right)}^{\alpha }\right\}.$$

Then, the authority computes the secret key SK_k as \(\left(\beta ,{g}^{\alpha }\right).\)

Phase 2: key generation

This phase provides cryptographic keys consisting of RSA key pair and CP-ABE key to users and system entities.

• GenerateRSAKeyPair(RSAKeyGenFunction)( PubK_{EPA_id}, PrivK_{EPA_id}). Each EPA runs RSAKeyGen function to generate a RSA key pair. The EPAs’ public keys are published in the blockchain.

• DOKeyGen(S_{DO_id,}, MSK_k,)SK_{DO_id}. AA takes as input a set of attributes (S_{DO_id}) identifying the DO_id’s decryption key, AA’s public key (PK_k). For each DO DO_id, the AA chooses a random r and r_j ∈ \({Z}_{p}\), for each attribute j ∈ S. Then the DO decryption key (SK_{DO_id}) is computed as:

  $${SK}_{j,k }= (D={g}^{({\alpha }_{k}+r)/{\beta }_{k ,}}D={g}^{({\alpha }_{k}+r)/{\beta }_{k ,}}D={g}^{({\alpha }_{k}+r)/{\beta }_{k ,}}A_i\in S_k: D_i = {g}^{r}.H{(i)}^{{r}_{i }}, {D^{\prime}}_{i } = {g}^{{r}_{i}} ).$$

This key generation process is also applied for generating SK_UVS.

Phase 3: encryption

This phase describes how the data encryption step is performed in our system. In our scheme, data encryption is based on CP-ABE encryption because it provides fine-grained access control and one-to-many encryption. Data owners and UVS can use the secret key or a CP-ABE decryption key to decrypt the encrypted vaccine record. For UVS, it uses the secret key (CP-ABE key) to support re-encryption process. Therefore, our scheme allows the decryption to be performed by both data owners (vaccine record’s owners) and the proxy. The proxy decrypts it upon the request from authorized partiesThe detail of the algorithm is described as follows:

The encryption is done by the EPA staff to call the encryption functions which performs the following steps.

• Encrypt Vaccine Record VR_id: the algorithm takes as inputs authority public key PK_k, ACP, and VR_id. In our model, the ACP consists of the set of attributes < DO_id, EPA_id, and UVS_id > . Then, the encrypted vaccine passport CT_{VR_id} is produced by the following encryption function:

  $$VR\_id \mapsto {ENC}_{CP-ABE}({PK}_{k,} ACP, VR\_id) \equiv {CT}_{VR\_id}$$

Then, CT_{VR_id} is sent to store in the IPFS on cloud.

• Hash CT_{VR_id}, The function takes CT_{VR_id} and SHA-256 algorithm to hash the ciphertext of vaccine record. The function is defined as:

  $${CT}_{{VR\_id}^{\prime}}\mapsto hash({CT}_{VR\_id} ) \equiv MD\_{CT}_{VR\_id}$$

The message digest of ciphertext MD_ CT_{VR_id} is then produced and it is stored in the blockchain as an index tuple < EPA_id, DO_id, VR_id, MD_ CT_{VR_id} > .

Phase 4: index and ciphertext retrieval

This phase is for retrieving the index and the ciphertext of the vaccine record when the users authenticate themself at the foreign immigration office. Figure 2 presents simplified view of how the ciphertext is retrieved.

Index and Ciphertext Retrieval diagram

Full size image

Basically, the immigration officer makes a request to the UVS for checking the user’s vaccine status. UVS then checks the VR_id and gets the index tuple from the blockchain. The algorithm below shows how the indexing data is invoked and the ciphertext is retrieved based on multi-thread processing.

Algorithm 2. Retrieve index and ciphertext

After the respective encrypted vaccine record is retrieved, the UVS runs a proxy re-encryption function as described in the next phase.

Phase 5: proxy re-encryption

This phase is run by the proxy for re-encrypting the vaccine records based on the requester’s public key encryption before they are sent to the requester such as the immigration office. This phase is omitted if the decryption is done by the data owner as she has the CP-ABE decryption key to decrypt the ciphertext. The re-encryption algorithm conducted by the proxy is detailed as follows.

The proxy performs re-encryption by executing the following functions.

1. (1)

   Decrypt CT_{VR_id}(SK_UVS, CT_{VR_id}) VR_id. This function takes as inputs the UVS’s secret key and the encrypted vaccine record CT_{VR_id}. It outputs the VR_id.

2. (2)

   ReENCVR_id(PubKey_{immigration_id},VR_id) Enc_VR_id This function takes an inputs immigration office’s public key PubKey_{immigration_id} and the vaccine record VR_id. The encryption algorithm is based on RSA algorithm using 2048-bit key size. Finally, it outputs the final encrypted vaccine record Enc_VR_id. The re-encryption function is defined as:

   $$VR\_id \mapsto {ENC}_{RSA }({PubKey}_{immigration\_id}, VR\_id) \equiv Enc\_VR\_id$$

Then, UVS sends the Enc_VR_id to the international immigration who requests for the verification of the vaccine record of the traveler.

Phase 6: verification

This phase is to verify the vaccine record content through the decryption. In case of the verification request is initiated by the authorized party such as the immigration office, the public key decryption is done as follows.

• DecryptEnc_VR_id(Enc_VR_id,PriVKey_{immigration_i}): The immigration officer runs the decryption function which takes inputs immigration’s office’ private and the encrypted vaccine record. Finally, it outputs the vaccine record that can be used for the verification. The RSA decryption is defined as follows.

  $$Enc\_VR\_id \mapsto {DEC}_{RSA}({PriVKey}_{immigration\_id,}Enc\_VR\_id) \equiv VR\_id$$

Our proposed scheme achieves the following security properties.

Privacy-preserving vaccine records with data owner’s consent

Since our core cryptographic protocol for protecting the content of vaccine record is based on the CP-ABE method, the cryptographic strength is proven secure [6]. Also, our system generates an e-consent to satisfy privacy regulations in healthcare data privacy compliance.

Trust of proxy re-encryption

Even though the proxy is semi-trusted server, it is installed with the X.509 certificate. It is designed to run the function when it gets the legitimate request from the authorized entity based on the verification of the public key certificate. Therefore, no fake entity can execute the re-encryption function unless it has a valid certificate issued by the certification authority.

Traceability

All access activities initiated by EPAs, data owners, or international immigration offices are well recorded by the blockchain. All records are tamper-proof and chronologically ordered. Data owners or any third-party auditors can trace who performed the activities or accessed the locally stored vaccine records.

This section describes the evaluation of our proposed scheme through the comparative analysis and experiments.

Functional analysis

We compare the functional system between our proposed scheme, scheme [3] and scheme [20] which focused on the design and development protocol to support vaccine passport verification using blockchain. Table 2 exhibits the functional comparisons of three schemes.

As shown in Table 2, all schemes leveraged the cloud storage such as IPFS to store encrypted vaccine passport and used blockchain to support user authentication and store access transactions of which their integrity is well preserved by the hashing mechanism of the blockchain network.

Regarding the consent enforcement, only our scheme provides the e-consent through the smart contract and the consent is securely stored in the blockchain. For the capability in supporting scalability of ciphertext search, scheme [3] did not provide the indexing method. Scheme [20] generates a trapdoor to support the ciphertext search while our scheme used the hash-based indexing with the proposed segmentation of multiple blockchains to store the regional vaccine records created by the EPAs in the country. Therefore, it minimizes the cost of index search to all ciphertexts in the centralized source in the blockchain.

Finally, only our scheme applies CP-ABE to enable the fine-grained access control to the shared data. Our scheme also supports the delegation of data access based on the requests from international immigration offices by using proxy re-encryption technique.

Computation cost analysis

We compare the computation cost of our proposed scheme with two related works: [3] and [20]. To provide more understanding about the analysis, we use the following notations to describe the computation cost of all schemes.

• C_e: Exponentiation cost

• C_p: Pairing operation cost

• C_m: Multiplication operation cost

• C_h: Processing time for hashing

• |S|: The size of user attribute set

• |Att|: The number of attributes satisfying the policy.

• SymEnc/Dec: Symmetric Encryption/Decryption cost based on 256-AES

• PubEnc/Dec: Public key encryption cost based on 1024-bit RSA

Table 3 presents the comparison of the computation cost of our scheme, scheme [3], and scheme [20].

To compare the computation cost of related works and our scheme, we focus on analyzing the encryption cost that happens at the data owner and cloud and the decryption cost at the user side.

In [3], the authors applied a symmetric encryption to encrypt the vaccine records. Here, the data owner needs to generate a symmetric key to encrypt her own vaccine record before it is uploaded to the IPFS. When the authorized party wants to verify the vaccination records, the data owner needs to run the proxy re-encryption function to re-encrypt the encrypted vaccination record with the requestor’s public key. The user needs to use their private key to decrypt the ciphertext. However, this scheme relies on the availability of data owners to support the verification.

In [20], the authors use hashing and bilinear pairing method to generate the ciphertext of the vaccination passport together the creation of trapdoor for indexing. In addition to encrypting the vaccine passport, the data owner uses a session key to encrypt the decryption key and sends it to the immigration staff. To access the ciphertext, the immigration staff calculates the session key to access the decryption key and uses a trapdoor broadcasted in the blockchain for searching the ciphertext. The complexity of this scheme is high as the cost of hashing, pairing, and multiplication are required. This approach also relies on the data owner to encrypt and send the decryption key to the requestors upon the access requests. This is not practical for large-scale implementation. In our scheme, we used a CP-ABE method to encrypt the vaccine passport. We did not use a symmetric encryption because the size of vaccine passport is small, and the policy used to encrypt the data is deterministic based on a few set of identity attributes of EPA, user, and UVS. To this end, our scheme does not deal with handling the cost of key encryption. With the use of CP-ABE based access policy, the scheme provides flexibility to authorized parties to access the ciphertext without the assistance of the data owner. Also, our scheme outsources re-encryption cost to the proxy for performing public key encryption while the international immigration staffs can decrypt the encrypted vaccine passport by using their private key.

Performance evaluation

For the performance analysis, we conducted the experiments to measure the ciphertext retrieval time and compare encryption and decryption time between our proposed scheme and related works [3] and [20]. For the experimental setting, we use Open SSL as a core PKI service to generate key pairs to users and proxy in our system. The core CP-ABE toolkit (https://acsc.cs.utexas.edu/cpabe/) and Java Pairing-Based Cryptography [28] for constructing the crypto service used in all schemes. We conducted the test on the CP-ABE container run on the Microsoft Azure Cloud 1 vCPU, RAM 1024 MB for the proxy side, and MacBook Pro 2018, 2.3 GHz Quad-Core Intel Core i5, RAM 8 GB for the user side.

The major aim of our evaluation is to evaluate the efficiency and practicality of our proposed cryptographic-based access control and ciphertext retrieval time with our proposed design of blockchain network. Since we used the standard cryptographic methods with no technical restriction on the proprietary blockchain operations, our scheme can be implemented in any platforms supporting blockchain operations. However, we specifically chose Hyperledger for our simulation since it is a permissioned blockchain that is suitable for storing healthcare-related data or transactions. In Hyperledger platform, the authorized participants/users have to be predefined. Hence, the access to the network is restricted only to them. To this end, our simulation was done on a local Fabric network consisting of a channel with one ordering node, two-organizations with two peers. All system nodes (e.g., order, peer) were implemented in docker containers run on Intel Xeon 3.4 GHz with 16-GB RAM. The machine was installed with Ubuntu 16.04 LTS with Fabric V1.4.

In the experiment, we used a fixed size of vaccine passport file which is 20 KB and used the access policy containing 5 attributes and 10 attributes contain in the user secret key for the test. Blockchain network houses 10,000 blocks and the size of each block is 40 KB. In our experiments, we run the test 100 times for all performance test and used the average time to plot the graphs.

• Ciphertext retrieval time

As can be seen from Fig. 3, the ciphertext retrieval time is proportional to the number of the requests and the size of blockchain. Our scheme delivered smallest ciphertext retrieval time than [3] and [20]. This is because of the segmentation of multiple blockchains that store the regional vaccination records and multi-thread processing. The advantage of our proposed ciphertext retrieval is more obvious when there are a larger volume of access requests. Scheme [3] took highest time as it required the data owner to execute the re-encryption function in the ciphertext retrieval process.

Ciphertext Retrieval Time

Full size image

To demonstrate the performance of cryptographic operations, we also did the experiments to measure the encryption and decryption time of [3, 20] and our scheme.

• Encryption/Decryption Performance

As presented in Fig. 4, scheme [3] took highest time as it required the data owner to runs two encryption algorithms, public key encryption and symmetric key encryption, while scheme [20] uses hash operation, exponential operation, paring operation and multiplication operation for the encrypting process, the encryption cost of [20] is close to our scheme since both schemes relied on the exponential operation.

Encryption Time

Full size image

For the decryption time, as can be seen in Fig. 5, our scheme took least decryption time because our scheme only used public key decryption algorithm while scheme [20] required hash operation, exponential operation, pairing operation and multiplication operation for decrypting process. These operations took higher computation cost than the public key decryption alone. For [3], it took highest decryption time as it required the user to run two decryption algorithms, the public key decryption algorithm and the symmetric key decryption algorithm to decrypt the vaccine passport data.

Decryption Time

Full size image

In this paper, we have proposed the secure and scalable access control for outsourced vaccination records based on the blockchain technology, CP-ABE, and proxy re-encryption. We introduced a well-established design and implementation of our blockchain segmentation scheme and cryptographic model to deliver practical vaccination record validation requested by trusted parties such as international immigration offices. Our scheme also provides flexibility for rendering the vaccination status to the vaccination record owners based on the access policy enforced over the ciphertext. We conducted the experiments using Azure cloud and Hyperledger blockchain to substantiate that our proposed scheme is practical and efficient in providing comparable encryption time and decryption time as the state of the arts and giving higher efficiency for accommodating a large volume of vaccination status validation requests.

For future works, we will tackle the lightweight protocol for searchable encryption and public auditing of the vaccination records stored in the cloud.

Not applicable.

The authors received no specifc funding for this study.

Authors and Affiliations

1. Sirindhorn International Institute of Technology, Thammasat University, Pathum Thani, 12000, Thailand

   Somchart Fugkeaw

Contributions

This paper is written by Somchart Fugkeaw.

Corresponding author

Correspondence to Somchart Fugkeaw.

Competing interests

The authors declare no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions