CN117910027A - Cloud-assisted private medical data sharing method, system, equipment and terminal - Google Patents


Publication number
CN117910027A
Authority
CN
China
Legal status
Pending
Application number
CN202310381842.5A
Other languages
Chinese (zh)
Inventor
赖成喆
张晗玥
董晓丽
张应辉
郑东
Current Assignee
Xian University of Posts and Telecommunications
Original Assignee
Xian University of Posts and Telecommunications

Abstract

The invention belongs to the technical field of medical data privacy protection and discloses a cloud-assisted private medical data sharing method, system, equipment and terminal. Client A holds a privacy set X and client B holds a privacy set Y. In the data initialization stage, the necessary public parameters are provided, the private data is randomized and the identity of the client is authenticated; in the data preprocessing stage, after the identity is successfully verified, the public key from the server S is obtained and the randomized data is encrypted; in the data outsourcing stage, client B outsources the data to the cloud, and the cloud processes the data; in the intersection computation stage, the intersection of the sets is derived and published by client A. The invention encrypts the private data using a VOLE-based oblivious pseudorandom function (VOLE-OPRF), which improves the efficiency of the protocol while providing privacy and reduces communication and computation costs; it controls access to cloud computing resources using a DH-based oblivious pseudorandom function (DH-OPRF), so that external malicious attackers are effectively resisted.

Description

Cloud-assisted private medical data sharing method, system, equipment and terminal
Technical Field
The invention belongs to the technical field of medical data privacy protection, and particularly relates to a cloud-assisted private medical data sharing method, system, equipment and terminal.
Background
In recent years, medical data leakage incidents have occurred frequently, and the strength of national data security protection has reached a new height. In the medical field, the national worker department has also emphasized the need to strengthen the protection of personal private medical big data, and the national medical care agency has issued guidance on strengthening network security and data protection work, so the requirement for medical data privacy protection is particularly prominent. The physical data of patients can be integrated into samples, and analyzing these samples with machine learning and artificial intelligence makes it possible to give predictions and suggestions; today, such data samples can be used to develop scientific hypotheses and even to measure the medical level of a hospital. If a large amount of personal information collected from patients by medical devices is not handled securely by the data user, it may be put to other uses. For example, hospitals share patient lists in order to analyze the past cases of a given patient comprehensively. If this sharing is not carried out with privacy protection, sensitive information can be leaked, which on the one hand can harm patients and on the other hand exposes hospitals to the risk of paying compensation. Data sharing is nevertheless necessary: if medical professionals and researchers can share data while privacy is guaranteed, this not only brings great benefits to patients but also ends the relative isolation of medical institutions.
Private set intersection (PSI) originates from secure multi-party computation and is a specific application problem within it: each participating party holds its own private set, and the parties obtain the intersection of the sets without revealing the elements of the sets. PSI has a wide range of applications; currently known ones include credential leakage checking, disease DNA testing, trust management in the Internet of Vehicles, and feature matching. Depending on whether there is a trusted third party, PSI can be divided into traditional PSI and cloud-assisted PSI. Cloud-assisted PSI draws strong computing power from a third-party cloud, so an institution that needs to share data can use the cloud both to perform the private computation and to store the private data, which makes it the most realistic solution at present. Unlike other data sharing methods, the invention designs a cloud-assisted PSI protocol with low communication and computation overhead, which improves the efficiency of data sharing while protecting data security.
With the rapid development of the Internet, the Internet of Things, big data and 5G, the demand for privacy protection is becoming urgent even as people enjoy the convenience that technology brings. As an important privacy protection technology, PSI obtains the intersection of two or more private sets while preserving the privacy of each set; apart from the disclosed intersection, no other information about the sets is revealed, so privacy is preserved while medical data is shared. With the development of cloud services, more and more institutions choose to store data in the cloud, and cloud-assisted PSI is gradually becoming a solution for medical data sharing.
However, existing cloud-assisted PSI is inefficient. Current cloud-assisted PSI schemes tend to use complex public-key cryptography, such as semi-homomorphic encryption and bilinear pairings, to achieve privacy protection. These techniques provide reliable privacy but have high computation and communication costs. Some cloud-assisted PSI protocols use symmetric-key techniques instead, but they generally suffer from high communication cost. Existing cloud-assisted PSI also has low security when applied to medical data sharing. Medical data sharing mostly uses a cloud server to store and compute on private data, but in recent years cloud servers have frequently been hacked. Although cloud-assisted PSI can ensure the privacy of data in transmission, it cannot effectively resist active attacks by external attackers.
Through the above analysis, the problems and defects existing in the prior art are as follows:
(1) In existing cloud-assisted PSI, complex public-key cryptography has high computation and communication costs and low efficiency.
(2) Existing cloud-assisted PSI applied to medical data sharing considers only internal attackers, so its security is low: it cannot effectively resist precomputation attacks by external attackers, and its practical usability is poor.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a cloud-assisted private medical data sharing method, system, equipment and terminal.
The cloud-assisted private medical data sharing method resists collusion between the server and any user, supports authentication of users by the server, and resists precomputation attacks by external attackers as well as internal semi-honest attackers. The method is as follows: client A holds a privacy set X, client B holds a privacy set Y, and there are three hash functions $H$, $H_0$ and $H_1$; in the data initialization stage, the necessary public parameters are provided, the private data is randomized and the identity of the client is authenticated; in the data preprocessing stage, after the identity is successfully verified, the public key from S is obtained and the randomized data is encrypted; in the data outsourcing stage, client B outsources the data to the cloud, and the cloud processes the data; in the intersection computation stage, the intersection of the sets is derived and published by client A.
Further, the cloud-assisted private medical data sharing method includes the steps of:
Step one, data initialization: generating the keys, and performing password registration and authentication using a DH-based oblivious pseudorandom function;
Step two, data preprocessing: randomizing the data using a VOLE-based oblivious pseudorandom function, and encrypting the randomized data using the ElGamal encryption algorithm;
Step three, data outsourcing: client B transmits the encrypted data to the server, and the server decrypts it;
Step four, intersection calculation: calculating the random value of each element in the privacy set and outputting the intersection.
Further, the initializing of the data in the first step includes:
(1) S generates a key pair $(sk, pk)$ and a key $K$, where $pk = g^{sk}$;
(2) Password registration and authentication
1) B randomly selects a password $t$ and a random number $r$, and randomizes $t$ into $p = f_{\text{DH-OPRF}}(t)$ using a DH-based oblivious pseudorandom function (DH-OPRF), where $p$ is the randomized password;
2) S calculates $T = \mathrm{Enc}_p(pk)$ and stores it on the server;
3) B calculates $a = H_1(t)^r$ and sends it to S;
4) S calculates $b = a^K$ and sends it to B; B calculates $p_1 = H_0(t, b^{1/r})$ and returns it to S for verification; if verification fails, the login is terminated;
5) If the login succeeds, S sends $T$ to B, and B decrypts $T$ with $p_1$ to obtain $pk$.
Further, the data preprocessing in the second step includes:
(1) Data randomization process
The private data of B is randomized as $F(y_i) = H(i, k_i - \Delta y_i)$ using a VOLE-based oblivious pseudorandom function (VOLE-OPRF).
(2) Data encryption computation
B calculationAfter that, the/>, is obtained by using an ElGamal encryption algorithm
Further, the data outsourcing in the third step includes:
B transmits I and r to a server S, and S decrypts the I, then:
Generating a polynomial and sending the polynomial to A, wherein the polynomial generating formula is as follows:
Further, the intersection calculation in the step four includes:
After receiving the polynomial, A calculates the random value f (x) of each element in the privacy set respectively; calculation of Sequentially into P (x), if P (x) =0, an intersection is output.
Another object of the present invention is to provide a cloud-assisted private medical data sharing system applying the cloud-assisted private medical data sharing method, the cloud-assisted private medical data sharing system comprising:
The data initialization module is used for generating a secret key and performing password registration and authentication by using DH-OPRF;
the data preprocessing module is used for carrying out randomization processing by utilizing VOLE-OPRF and encrypting the randomized data by utilizing an ElGamal encryption algorithm;
The data outsourcing module is used for transmitting the encrypted data from client B to the server, decrypting the encrypted data and constructing a polynomial;
and the intersection calculating module is used for calculating the random value of each element in the privacy set and outputting an intersection.
It is a further object of the present invention to provide a computer device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to perform the steps of the cloud assisted private medical data sharing method.
It is a further object of the present invention to provide a computer readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the steps of the cloud-assisted private medical data sharing method.
The invention further aims to provide an information data processing terminal which is used for realizing the cloud-assisted privacy medical data sharing system.
In combination with the technical scheme and the technical problems to be solved, the technical scheme to be protected has the following advantages and positive effects:
First, with regard to the technical problems in the prior art and the difficulty of solving them, and in close combination with the claimed technical solution and the results and data obtained during research and development, the technical problems solved by the invention and the inventive technical effects achieved after solving them are described as follows:
The cloud-assisted PSI protocol designed by the invention encrypts the private data using a VOLE-based oblivious pseudorandom function (VOLE-OPRF), which improves the efficiency of the protocol while providing privacy and reduces communication and computation costs. Before the intersection is computed, the identity of the user is verified using a DH-based oblivious pseudorandom function (DH-OPRF), which provides access control over cloud computing resources and effectively resists external malicious attackers. The medical data sharing scheme based on this cloud-assisted PSI protocol can resist both internal attacks and external precomputation attacks.
Second, considered as a whole or from the product perspective, the claimed technical solution has the following technical effects and advantages:
First, the cloud-assisted private medical data sharing method is based on a cloud-assisted PSI protocol that uses a VOLE-based oblivious pseudorandom function (VOLE-OPRF) and a DH-based oblivious pseudorandom function (DH-OPRF) to randomize sensitive data before it is outsourced to the server and to verify user identity, which ensures the privacy and security of patients' sensitive data when medical data is shared. Second, because medical data faces internal and external threats at the same time, the method resists internal and external attackers simultaneously and has good robustness. Finally, designing a cloud-assisted PSI protocol with low communication and computation overhead improves the efficiency of data sharing.
Third, as supplementary evidence of the inventiveness of the claims, the following important aspect is also presented:
The technical solution of the invention solves a technical problem that people have long wanted to solve without success:
According to statistics, healthcare organizations have consistently ranked first in losses from data breaches. After 2021, China successively issued a series of regulations on data security and network security, such as the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, and balancing data service innovation against the leakage of private information has always been a profound problem. The invention holds that protecting patients' private information and sharing medical data across multiple channels are equally important. Based on the idea of secure multi-party computation, it uses private set intersection to break down the data silos between institutions while ensuring that patients' private data is not revealed, which helps promote a big-data-based revolution in medical care.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments of the present invention will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a cloud assisted private medical data sharing method provided by an embodiment of the present invention;
FIG. 2 is a schematic diagram of a cloud-assisted private medical data sharing method provided by an embodiment of the present invention;
FIG. 3 is a flow chart of a cloud assisted private medical data sharing system provided by an implementation of the present invention;
FIG. 4 and FIG. 5 are diagrams of simulation results provided by an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the following examples in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Aiming at the problems in the prior art, the invention provides a cloud-assisted private medical data sharing method, a cloud-assisted private medical data sharing system, cloud-assisted private medical data sharing equipment and a cloud-assisted private medical data sharing terminal, and the invention is described in detail below with reference to the accompanying drawings.
The cloud-assisted private medical data sharing method provided by the embodiment of the invention comprises four parts: data initialization, data preprocessing, data outsourcing and intersection calculation. Client A holds a privacy set X and client B holds a privacy set Y. In the data initialization stage, the necessary public parameters are provided, the private data is randomized and the identity of the client is authenticated; in the data preprocessing stage, after the identity is successfully verified, the public key from the server S is obtained and the randomized data is encrypted; in the data outsourcing stage, client B outsources the data to the cloud, and the cloud further processes the data; in the intersection calculation stage, the intersection of the sets is obtained and published by one of the clients, client A.
As shown in fig. 1, the cloud-assisted private medical data sharing method provided by the embodiment of the invention includes the following steps:
S101, data initialization: generating the keys and performing password registration and authentication using DH-OPRF;
S102, data preprocessing: randomizing the data using VOLE-OPRF, and encrypting the randomized data using the ElGamal encryption algorithm;
S103, data outsourcing: client B transmits the encrypted data to the server, which decrypts it and constructs a polynomial;
S104, intersection calculation: calculating the random value of each element in the privacy set and outputting the intersection.
As a preferred embodiment, as shown in fig. 2, the cloud-assisted private medical data sharing method provided by the embodiment of the present invention specifically includes the following steps:
1. Data initialization
The data initialization phase is divided into three steps: key generation, data randomization and identity authentication. The specific implementation steps are as follows:
(1) S generates a key pair $(sk, pk)$ and a key $K$, where $pk = g^{sk}$;
(2) Password registration and authentication
a. B randomly selects a password $t$ and a random number $r$, and randomizes $t$ into $p = f_{\text{DH-OPRF}}(t)$ using a DH-based oblivious pseudorandom function (DH-OPRF), where $p$ is the randomized password;
b. S calculates $T = \mathrm{Enc}_p(pk)$ and stores it on the server;
c. B calculates $a = H_1(t)^r$ and sends it to S;
d. S calculates $b = a^K$ and sends it to B; B calculates $p_1 = H_0(t, b^{1/r})$ and returns it to S for verification; if verification fails, the login is terminated;
e. If the login succeeds, S sends $T$ to B, and B decrypts $T$ with $p_1$ to obtain $pk$.
2. Data preprocessing
A. The private data of B is randomized as $F(y_i) = H(i, k_i - \Delta y_i)$ using a VOLE-based oblivious pseudorandom function (VOLE-OPRF).
B.B calculationAnd then obtaining/>, by using an ElGamal encryption algorithm
3. Data outsourcing
B transmits I and r to a server S, and S decrypts I:
And generating a polynomial:
The polynomial is sent to A.
4. Intersection calculation
A after receiving the polynomial, calculating the random value f (x) of each element in the privacy set, and then calculatingSequentially into P (x), if P (x) =0, an intersection is output.
As shown in fig. 3, the cloud-assisted private medical data sharing system provided by the embodiment of the invention includes:
(1) The initialization module is used for initializing the public parameters;
(2) The password registration module is used for carrying out user password registration;
(3) The login module is used for user identity verification during login;
(4) The data encryption module is used for randomizing data using a VOLE-based oblivious pseudorandom function (VOLE-OPRF) and encrypting the randomized data using the ElGamal encryption algorithm;
(5) The computing outsourcing module is used for transmitting the encrypted data to the server by using the client B and decrypting the encrypted data;
(6) And the intersection calculating module is used for calculating the random value of each element in the privacy set and outputting an intersection.
When actually applied to medical data sharing, since both a and B are likely to initiate intersection computation, both institutions a and B need to generate a random string t and randomize t respectively. Both sides can use the resources of the server only after the verification of the server, and then the encryption key pk generated by the cloud server is obtained. More practically, a third party trusted authority TTP needs to be introduced.
The protocol model contains three parts: cloud server (S), third party trusted authority (TTP), hospital (HA and HB).
Medical cloud server (S): the present invention assumes that S is trusted and possesses a large amount of computing and storage resources. When performing PSI calculations, S will not have any input, but just provide computing resources, and will not learn intersection and hospital privacy information.
Hospitals: in this scenario, the present invention assumes that the patient has authorized the hospital to use the data, so the hospital is both the data owner and the data user. For example, in the diagnosis and treatment of a certain disease, hospitals can compute the intersection of their patients' private data in order to share the treatment methods and data of patients suffering from the disease, which improves diagnostic efficiency.
Third party trusted authority (TTP): the invention assumes that the TTP is trusted, and in the initialization phase of the scheme, the TTP initializes the required common parameters and broadcasts to the S and hospitals.
The specific application is divided into six stages: initialization, password registration, login, data encryption, computing outsourcing and intersection result calculation. External users who have not registered, and attackers who log in maliciously, cannot perform the subsequent operations. Without loss of generality, the two hospitals are called HA and HB; they hold the privacy sets $X = \{x_0, x_1, \ldots, x_{n-1}\}$ and $Y = \{y_0, y_1, \ldots, y_{n-1}\}$ respectively, and the intersection is denoted SI.
(1) Initialization phase
To initialize the system, the trusted third party TTP first sets a security parameter $\lambda$ and builds a finite field $\mathbb{F}_q$ for the cloud server, where $q$ is a large prime number.
The common parameter N is then set to the maximum cardinality of the set. A random sequence { Delta 01,k0,k1,k2,···,kN-1 } is randomly sampled and a cyclic group G of generator q is generated.
Next, a key $K$ and a pseudorandom function $\mathrm{PRF}_K(x) = H_0(x, H_1(x)^K)$ are generated for S. Three hash functions are used here:
$H_0: \{0,1\}^* \times \{0,1\}^l$
$H_1: \{0,1\}^* \to G$
$H_2: \{0,1\}^* \to \{0,1\}^v$
Finally, the TTP issues system parameters (Δ, F, G, q, K i, K, F).
(2) Password registration stage
First, HA and HB each set a character string $tk_i$ as their own password, calculate $p_i = f_K(tk_i) = H_0(tk_i, H_1(tk_i)^K)$, and send it to S for immediate processing.
Next, S randomly selects PS and calculates $PK = g^{PS}$. In particular, each time a user registers, S needs to resample PS.
Finally, S uses an encrypt-then-MAC construction with $p$ as the key to encrypt PK, obtaining $c$. In this process, S does not store the actual password of HA, only the randomized password.
S does the same for HB.
(3) Login phase
Taking HA as an example, HA first selects a random number $r \in \mathbb{Z}_q$, calculates $a = H_1(tk)^r$ and sends it to S.
Next, S calculates $b = a^K$ and sends it to HA; HA calculates $p' = H_0(tk, b^{1/r})$ and sends it to S for verification; if verification fails, the login is terminated.
Finally, S sends $c$ to HA, and HA decrypts $c$ with $p'$ to obtain the key PK. In this process, HA can recover the public key of S only by using the password; if decrypting $c$ yields an empty result, the login ends. HB performs the same steps.
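The registration and login exchange described above and in the earlier data initialization steps (blind with $r$, server exponentiation with $K$, unblind with $1/r$, then decrypt $c$), as an added Python example that is not code from the patent. The toy group, the SHA-256 instantiations of $H_0$ and $H_1$, the hash-stream plus HMAC encrypt-then-MAC and all function and class names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Toy safe-prime group constructed for this demo: P = 2*Q + 1 with P, Q prime.
# The squares mod P form the subgroup of prime order Q; G = 4 generates it.
# These sizes only show the mechanics and are far too small for real use.
P, Q, G = 2039, 1019, 4

def H1(x: bytes) -> int:
    """Hash a string into the order-Q subgroup (hash, square, skip 0 and 1)."""
    ctr = 0
    while True:
        digest = hashlib.sha256(b"H1" + bytes([ctr]) + x).digest()
        h = pow(int.from_bytes(digest, "big") % P, 2, P)
        if h > 1:
            return h
        ctr += 1

def H0(x: bytes, y: int) -> bytes:
    """Outer hash of PRF_K(x) = H0(x, H1(x)^K)."""
    data = b"H0" + len(x).to_bytes(4, "big") + x + y.to_bytes(2, "big")
    return hashlib.sha256(data).digest()

def prf(K: int, x: bytes) -> bytes:
    """Direct (non-oblivious) evaluation, used here only to check the protocol."""
    return H0(x, pow(H1(x), K, P))

def blind(tk: bytes):
    """Client: pick r in [1, Q-1] and send a = H1(tk)^r; tk never leaves."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(H1(tk), r, P)

def unblind(tk: bytes, r: int, b: int) -> bytes:
    """Client: p' = H0(tk, b^(1/r)), with 1/r taken modulo the group order Q."""
    return H0(tk, pow(b, pow(r, -1, Q), P))

def _keys(p: bytes):
    return hashlib.sha256(b"enc" + p).digest(), hashlib.sha256(b"mac" + p).digest()

def seal(p: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC under keys derived from p (messages up to 32 bytes)."""
    if len(msg) > 32:
        raise ValueError("demo keystream covers at most 32 bytes")
    ek, mk = _keys(p)
    nonce = secrets.token_bytes(16)
    ct = bytes(m ^ s for m, s in zip(msg, hashlib.sha256(ek + nonce).digest()))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(p: bytes, c: bytes):
    """Check the MAC first; a wrong p yields None instead of garbage."""
    ek, mk = _keys(p)
    nonce, ct, tag = c[:16], c[16:-32], c[-32:]
    expected = hmac.new(mk, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(m ^ s for m, s in zip(ct, hashlib.sha256(ek + nonce).digest()))

class Server:
    def __init__(self):
        self.K = secrets.randbelow(Q - 1) + 1   # OPRF key K
        self.records = {}                       # user -> (p, c); tk is never stored
        self.pk = {}                            # kept only so the demo can compare

    def evaluate(self, a: int) -> int:
        """b = a^K, after rejecting values outside the order-Q subgroup."""
        if not (1 < a < P and pow(a, Q, P) == 1):
            raise ValueError("blinded element is not in the prime-order subgroup")
        return pow(a, self.K, P)

    def register(self, user: str, p: bytes) -> None:
        ps = secrets.randbelow(Q - 1) + 1       # fresh PS for each registration
        self.pk[user] = pow(G, ps, P)           # PK = g^PS
        self.records[user] = (p, seal(p, self.pk[user].to_bytes(2, "big")))

    def login(self, user: str, p_prime: bytes):
        """Release c only if p' matches the stored randomized password."""
        p, c = self.records[user]
        return c if hmac.compare_digest(p, p_prime) else None

def oprf_password(server: Server, tk: bytes) -> bytes:
    """Run one blind / evaluate / unblind round and return the randomized password."""
    r, a = blind(tk)
    return unblind(tk, r, server.evaluate(a))

def login(server: Server, user: str, tk: bytes):
    """Return PK on success, None if S rejects p' or c does not authenticate."""
    p_prime = oprf_password(server, tk)
    c = server.login(user, p_prime)
    if c is None:
        return None
    pk = unseal(p_prime, c)
    return None if pk is None else int.from_bytes(pk, "big")
```

The subgroup check in `evaluate` is a hardening step added in this example; the page does not describe input validation on the blinded value.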
(4) Data encryption stage
First, for the privacy set $Y$ of HB, $N$ VOLE instances are generated, and the pseudorandom function values $F(y_i) = H_2(i, k_i - \Delta y_i)$ of the $N$ private data items are computed in batch.
Secondly, in order to further ensure that the private data is not learned by the cloud server, the encrypted data is subjected to re-encryption operation by using an ElGamal encryption algorithm, and calculation is performed
Finally, I and r are sent to S, where r and PK are the random number and the decrypted key from the login phase.
(5) Computing outsourcing stage
S, after receiving the re-encrypted data of HB privacy data and the random number r, firstly decrypting the re-encrypted data and calculating
Next, the decrypted data is generated as a polynomial
Finally, the polynomial is sent to HA. At this stage, S cannot learn any private data because of the pseudorandomness of the oblivious pseudorandom function.
(6) Stage of calculating intersection result
After HA receives the polynomial, first, for the privacy set $X$ of HA, a VOLE instance is generated for each element, and the pseudorandom function values $F(x_i) = H_2(i, k_i - \Delta x_i)$ of the $N$ private data items are calculated.
Second, for all pseudo-random values, calculateAn empty set s= { } is generated.
Finally, willSubstituting into the polynomial P (x), if equal to 0, si=s ∈x i, and outputting the intersection SI.
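The zero test of the intersection stage, as an added Python example that is not code from the patent. The page does not reproduce the polynomial formula, so the root form $P(x) = \prod_i (x - v_i) \bmod q$ is an assumption, as are the HMAC stand-in for the randomized values, the modulus, the constructed patient identifiers and all names.

```python
import hashlib
import hmac

# Field modulus for the demo: the Mersenne prime 2^127 - 1 (assumed; the page
# only says q is a large prime).
Q = 2**127 - 1

def rand_value(key: bytes, element: str) -> int:
    """Stand-in for the randomized value of an element: HMAC-SHA256 reduced
    into F_q. Both sides must derive the same value for the same element."""
    mac = hmac.new(key, element.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % Q

def build_polynomial(roots):
    """Server side: coefficients (lowest degree first) of prod (x - v) mod Q."""
    coeffs = [1]
    for v in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i] = (nxt[i] - v * c) % Q        # contribution of the -v term
            nxt[i + 1] = (nxt[i + 1] + c) % Q    # contribution of the x term
        coeffs = nxt
    return coeffs

def eval_poly(coeffs, x: int) -> int:
    """Receiver side: Horner evaluation of P(x) mod Q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def intersect(coeffs, key: bytes, X):
    """Keep the elements of X whose randomized value is a root of P.
    A non-member hits a root by chance with probability at most deg(P)/Q."""
    return [x for x in X if eval_poly(coeffs, rand_value(key, x)) == 0]
```

The receiver sees only the coefficients, so what it learns about the other set depends entirely on the randomized values being pseudorandom; with a different key the same polynomial matches nothing.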
To demonstrate the inventiveness and technical value of the claimed technical solution, this section gives application examples of the solution on specific products or related technologies.
The scheme mainly comprises the following application embodiments:
(1) Clinical trials: the medical data sharing scheme of the invention lets institutions integrate the sensitive data each of them holds without exposing patient identities or sensitive data, which helps doctors and researchers understand diseases better and design treatment plans;
(2) Cross-validation: medical research requires cross-validating data from different sources, which are not limited to medical institutions, and the scheme ensures the accuracy of the results without revealing patient identities or sensitive data;
(3) Disease monitoring: the scheme can share disease data across medical institutions, compare patients' symptoms and find potential modes of transmission, which helps monitor the spread and epidemic trend of diseases and formulate more effective public health strategies;
(4) Genetic research: the scheme can also be used to share genetic data in order to find genetic mutations that commonly occur in different people;
With the development of machine learning and artificial intelligence, many applications can use data analysis to reduce analysis cost and achieve the desired results, but medical data is always sensitive; with the invention, medical data can be shared securely, which facilitates the training of machine learning models.
The invention has the advantages of controllable computing resources and high efficiency, and formal security analysis shows that it resists external precomputation attacks and internal attacks.
For internal attackers, a formal security analysis of the cloud-assisted PSI protocol assumes that each of S, A and B in turn is a semi-honest attacker, simulates the three corresponding views using simulation-based security proofs, and finds that the following three formulas are satisfied:
View A(S(A),S(B),Λ)=(params,P(x),SI,)
ViewB(S(HA),S(HB),Λ)=(params,b,T,Λ)
That is, the simulated view and the real view are indistinguishable.
In a specific application, for internal attacks: if S is a semi-honest attacker, comparing the simulated process with the real process shows that the same output is obtained, and the simulator's view is indistinguishable from the real view. Note also that even if the edge server is corrupted, the actual password of the client remains unknown, because only the randomized value $p$ is stored, so the privacy of the client is protected even if the server leaks. If HA is a semi-honest attacker, because the client HA and the client HB use the same random function, the HA is a self-contained client HAAnd/>Is indistinguishable in the case of x=y, and because the inputs of the real world and the simulated world are the same, the same output is obtained, the simulator's view is indistinguishable from the real view, the correct intersection can be output, and HA cannot obtain additional private information. Assuming HB is a dishonest attacker, $tk$ is randomly chosen, and the randomized $p' = H_0(tk, b^{1/r})$ is a pseudorandom value calculated by the DH-based oblivious pseudorandom function (DH-OPRF), indistinguishable from a real-world random value. The input of the simulated view is the same as the real-world input, so the same output is obtained, the simulator's view is indistinguishable from the real view, and HB cannot obtain additional private information. Therefore, against internal dishonest attackers among any of the participants, the scheme can be executed securely without any leakage of private data.
For external attacks, two malicious behaviors are assumed:
1) An external attacker bypasses the registration to use the computing resources of the server;
2) An external attacker actively attacks the server S;
Suppose an external attacker tries to bypass the registration phase under action 1). Because the user sets the string tk as their own password during the registration phase, the value p = f_K(tk) is computed at login and sent to the MES for verification. If it is not equal to the randomized value stored in the MES, the system terminates, so a non-registered user cannot use the computing resources of the server S.
Suppose an external attacker tries to attack the server S under action 2) in order to steal the user password. Since only the randomized password p is stored at the server S, an attacker who compromises S obtains only the randomized password p and cannot find the mapping between p and tk, so precomputation attacks are resisted. Because the sensitive data stored in the server S is randomized, privacy is not revealed.
As shown in Fig. 4 and Fig. 5, both the computation cost and the communication cost are O(N). Simulation shows that as the number of samples increases, the running time does not exceed 100 seconds and the communication cost does not exceed 300 MB. The scheme therefore has higher efficiency.
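The blinded exchange behind the randomized password (a = H1(t)^r, b = a^K, p = H0(t, b^(1/r))) can be traced in a short added example, which is not code from the patent. The toy group, the SHA-256 based H0 and H1, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for illustration only: P = 2*Q + 1 is a safe prime,
# so the squares mod P form a subgroup of prime order Q. Far too small for real use.
P = 1_000_000_007
Q = (P - 1) // 2

def h1(password: bytes) -> int:
    """H1: hash a password into the order-Q subgroup (squaring lands in it)."""
    x = int.from_bytes(hashlib.sha256(b"H1|" + password).digest(), "big") % (P - 1) + 1
    return pow(x, 2, P)

def h0(password: bytes, element: int) -> bytes:
    """H0: final hash over the password and the unblinded group element."""
    return hashlib.sha256(b"H0|" + password + b"|" + str(element).encode()).digest()

def client_blind(password: bytes):
    """B: pick a fresh r and send a = H1(t)^r, which hides t from S."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(h1(password), r, P)

def server_evaluate(a: int, K: int) -> int:
    """S: apply its key, b = a^K, without ever seeing t."""
    return pow(a, K, P)

def client_finalize(password: bytes, r: int, b: int) -> bytes:
    """B: unblind with 1/r mod Q, giving p = H0(t, b^(1/r)) = H0(t, H1(t)^K)."""
    return h0(password, pow(b, pow(r, -1, Q), P))

def oprf(password: bytes, K: int) -> bytes:
    """Run one full blinded exchange for a password."""
    r, a = client_blind(password)
    return client_finalize(password, r, server_evaluate(a, K))

def login(stored_p: bytes, password: bytes, K: int) -> bool:
    """Verification step: compare the stored randomized value with a fresh one."""
    return hmac.compare_digest(stored_p, oprf(password, K))

if __name__ == "__main__":
    K = secrets.randbelow(Q - 1) + 1          # server-side OPRF key
    stored = oprf(b"tk-example", K)           # registration: only this is stored
    print(login(stored, b"tk-example", K), login(stored, b"other", K))
```

Because the stored value depends on the server key K as well as on the password, a leaked table of stored values cannot be matched against a dictionary hashed in advance.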
It should be noted that the embodiments of the present invention can be realized in hardware, software, or a combination of software and hardware. The hardware portion may be implemented using dedicated logic; the software portions may be stored in a memory and executed by a suitable instruction execution system, such as a microprocessor or specially designed hardware. Those of ordinary skill in the art will appreciate that the apparatus and methods described above may be implemented using computer executable instructions and/or embodied in processor control code, such as provided on a carrier medium such as a magnetic disk, CD or DVD-ROM, a programmable memory such as read only memory (firmware), or a data carrier such as an optical or electronic signal carrier. The device of the present invention and its modules may be implemented by hardware circuitry, such as very large scale integrated circuits or gate arrays, semiconductors such as logic chips, transistors, etc., or programmable hardware devices such as field programmable gate arrays, programmable logic devices, etc., as well as software executed by various types of processors, or by a combination of the above hardware circuitry and software, such as firmware.
The foregoing is merely illustrative of specific embodiments of the present invention, and the scope of protection of the invention is not limited thereto. Any modifications, equivalents, improvements and alternatives that would be apparent to those skilled in the art and that fall within the spirit and principles of the present invention are within the scope of the present invention.

Claims (10)

1. A cloud-assisted private medical data sharing method, characterized by comprising the following steps: the client A has a privacy set X, and the client B has a privacy set Y; in the data initialization stage, providing necessary public parameters, carrying out randomization processing on private data, and authenticating the identity of a client; in the data preprocessing stage, after the identity is successfully verified, a public key from S is obtained, and the randomized data is encrypted; in the data outsourcing stage, the client B outsources the data to the cloud, and the cloud processes the data; in the intersection computation stage, the intersection of the sets is derived and published by client A.
2. The cloud-assisted private medical data sharing method of claim 1, wherein the cloud-assisted private medical data sharing method comprises the steps of:
Step one, data initialization: generating a secret key, and performing password registration and authentication by utilizing VOLE-OPRF;
Step two, data preprocessing: randomizing by using VOLE-OPRF, and encrypting the randomized data by using an ElGamal encryption algorithm;
Step three, computation outsourcing: the client B transmits the encrypted data to the server, and the server decrypts the encrypted data;
Step four, intersection calculation: respectively calculating the random value of each element in the privacy set and outputting an intersection.
3. The cloud-assisted private medical data sharing method according to claim 2, wherein the data initialization in step one includes:
(1) Key generation: S generates a key pair (sk, pk) and a key K, where pk = g^sk;
(2) Password registration and authentication: B randomly selects a password t and a random number r, and randomizes t into p = f_DH-OPRF(t) by using a DH-based oblivious pseudo-random function (DH-OPRF), wherein p is the randomized password; S calculates T = Enc_p(pk) and stores it in the server; B calculates a = H1(t)^r and sends it to S; S calculates b = a^K and sends it to B; B calculates p1 = H0(t, b^(1/r)) and returns it to S for verification, and if verification fails, login is terminated; if the login is successful, S sends T to B, and B decrypts T by using p1 to obtain pk.
4. The cloud-assisted private medical data sharing method according to claim 2, wherein the data preprocessing in the second step includes:
B randomizes B's private data with a batch VOLE-based oblivious pseudorandom function (VOLE-OPRF) f_B, and the randomized data is then encrypted by using an ElGamal encryption algorithm.
5. The cloud-assisted private medical data sharing method according to claim 2, wherein the data outsourcing in step three includes:
B transmits I and r to a server S, and S decrypts the I, then:
Generating a polynomial and sending the polynomial to A, wherein the polynomial generating formula is as follows:
6. The cloud-assisted private medical data sharing method according to claim 2, wherein the intersection calculation in step four includes:
After receiving the polynomial, A calculates the random value f(x) of each element in the privacy set respectively; the calculated values are substituted sequentially into P(x), and if P(x) = 0, an intersection is output.
7. A cloud-assisted private medical data sharing system applying the cloud-assisted private medical data sharing method according to any one of claims 1 to 6, characterized in that the cloud-assisted private medical data sharing system comprises:
The initialization module is used for initializing the public parameters;
The password registration module is used for carrying out user password registration;
The login module is used for user identity verification during login;
The data encryption module is used for randomizing data using a VOLE-based oblivious pseudo-random function (VOLE-OPRF) and encrypting the randomized data using an ElGamal encryption algorithm;
The computing outsourcing module is used for transmitting the encrypted data to the server by using the client B and decrypting the encrypted data;
The intersection calculating module is used for calculating the random value of each element in the privacy set and outputting an intersection.
8. A computer device comprising a memory and a processor, the memory storing a computer program that, when executed by the processor, causes the processor to perform the steps of the cloud-assisted private medical data sharing method of any of claims 1-6.
9. A computer readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the steps of the cloud-assisted private medical data sharing method according to any of claims 1-6.
10. An information data processing terminal for implementing the cloud-assisted private medical data sharing system according to claim 7.
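The polynomial test in claims 5 and 6 can be illustrated with the following added example, which is not code from the patent. It assumes P is the product of (z - f(y)) over B's randomized values in a prime field, and uses HMAC-SHA256 under a shared key as a stand-in for the random function f; the field size, function names and sample record identifiers are likewise constructed for illustration.

```python
import hashlib
import hmac

FIELD = 2**127 - 1  # Mersenne prime; all polynomial arithmetic is mod FIELD

def prf(key: bytes, item: str) -> int:
    """Stand-in for the shared random function f (assumption: HMAC-SHA256)."""
    digest = hmac.new(key, item.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % FIELD

def build_polynomial(roots):
    """S: coefficients, lowest degree first, of P(z) = prod (z - root) mod FIELD."""
    coeffs = [1]
    for root in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i + 1] = (nxt[i + 1] + c) % FIELD   # term c * z
            nxt[i] = (nxt[i] - c * root) % FIELD    # term c * (-root)
        coeffs = nxt
    return coeffs

def evaluate(coeffs, z):
    """A: Horner evaluation of P(z) mod FIELD."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * z + c) % FIELD
    return acc

def intersect(coeffs, key, own_items):
    """A: keep the elements whose randomized value is a root of P."""
    return [x for x in own_items if evaluate(coeffs, prf(key, x)) == 0]

if __name__ == "__main__":
    key = b"constructed-demo-key"
    set_y = ["MRN-1001", "MRN-1002", "MRN-1003"]   # constructed sample data for B
    set_x = ["MRN-1002", "MRN-2000", "MRN-1003"]   # constructed sample data for A
    poly = build_polynomial([prf(key, y) for y in set_y])
    print(intersect(poly, key, set_x))
```

An element outside B's set evaluates to zero only if its randomized value happens to collide with a root, which in a 127-bit field is negligible for sets of realistic size.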
CN202310381842.5A 2023-04-11 2023-04-11 Cloud-assisted private medical data sharing method, system, equipment and terminal Pending CN117910027A (en)

Publications (1)

Publication Number Publication Date
CN117910027A true CN117910027A (en) 2024-04-19

Family

ID=90686632

Country Status (1)

Country Link
CN (1) CN117910027A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination