Hindawi Wireless Communications and Mobile Computing Volume 2019, Article ID 6219868, 13 pages https://doi.org/10.1155/2019/6219868 Research Article Toward Privacy-Preserving Shared Storage in Untrusted Blockchain P2P Networks Sandi Rahmadika 1 and Kyung-Hyune Rhee 2 1 Interdisciplinary Program of Information Security, Graduate School, Pukyong National University, Republic of Korea 2Department of IT Convergence and Application Engineering, Pukyong National University, Republic of Korea Correspondence should be addressed to Kyung-Hyune Rhee; [email protected] Received 18 January 2019; Revised 9 March 2019; Accepted 2 April 2019; Published 16 May 2019 Academic Editor: Ilsun You Copyright © 2019 Sandi Rahmadika and Kyung-Hyune Rhee. Tis is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Te shared storage is essential in the decentralized system. A straightforward storage model with guaranteed privacy protection on the peer-to-peer network is a challenge in the blockchain technology. Te decentralized storage system should provide the privacy for the parties since it contains numerous data that are sensitive and dangerous if misused by maliciously. In this paper, we present a model for shared storage on a blockchain network which allows the authorized parties to access the data on storage without having to reveal their identity. Ring signatures combined with several protocols are implemented to disguise the signer identity thereby the observer is unlikely to determine the identity of the parties. We apply our proposed scheme in the healthcare domain, namely, decentralized personal health information (PHI). In addition, we present a dilemma to improve performance in a decentralized system. 1. Introduction system. Te surveys indicate that users ofen do not fully trust to store their data to third parties [5]. Tere are decentralized Since being introduced to the public through the rise of storage providers that provide the alternative services to Bitcoin, blockchain has attracted a lot of attention among protect the user's privacy such as Freenet [6] and GNUnet researchers, especially the way it deals in a transaction with- [7]. However, those services still have some drawbacks such out involving the third parties. Te blockchain technology as free-rider problem. More precisely, the provider is less reduces the transaction costs and it improves the efciency motivated to keep improving system reliability due to the and reliability of the decentralized system in general [1]. Due fact that there is no signifcant beneft for the provider to to its merits, blockchain has been developed in various felds preserve the users' data. Apart from the free-rider problem, of study such as logistics, e-commerce, trading activity, and the main issue in the decentralized shared storage is related healthcare, to name a few. Blockchain in the healthcare area is to the privacy of users [8]. An observer may be able to see the growing rapidly [2] as a future trend of substantial impact [3]. contents of online activities or metadata of the user since the It aims at improving the quality of service and maintaining data is publicly available. the integrity of information. Blockchain must be mature enough in all aspects, especially in security matters before To deal with the issues, we propose a model of the blockchain being applied to a sensitive system (healthcare decentralized shared storage system on the blockchain that domain) [4] since it consists of valuable data for patients, provides the privacy of the users without the involvement of providers, and all parties involved. third parties. Ring signature algorithm is applied to disguise Te shared storage between healthcare providers and the original identity of the signer. Te parties involved use the patients is one of the factors that must be considered signatures on behalf of a group; hence, the original identity when determining the scheme of the decentralized healthcare of the signer is unknown called signer ambiguous. In order 2 Wireless Communications and Mobile Computing Loop counter = i rt Merkle Tree Generate Proof Generate new C ’ at i Output challenge C POST POST Repeat t times Parameter Data Flow Function Hash Figure 1: Te iterative proof of Filecoin, adapted from [9]. to keep the identity of the parties to remain untraceable, one- originates from the concept signature group proposed by time use address (from the stealth address) is adapted so Chaum et al. [14] which in the group signature each member that the observer cannot link the user address based on the agrees to sign the message. In short, the data is signed transaction that has been carried out in advance. on behalf of the group. In the group signature, there is a Te predecessor approaches to design the sharing storage manager who organizes each activity in a group. As opposed system in the blockchain have been started by researchers to the group signature, the ring algorithm does not possess a lately such as Storj [10], storage with fnancial incentives, manager in the process and neither have special requirements and Filecoin (see Figure 1) which generates a proof-of- for creating groups as shown in Figure 2. spacetime (PoST) for the replica [11]. Tis paper presents In order to form a signature group, the signer requires the key concepts in the decentralized sharing storage in the public keys �� knowledge from prospective members. Te healthcare system. Te personal health information of the selected public keys are encrypted by using a trapdoor patient is propagated in the peer-to-peer blockchain network permutation function (RSA, Rabin, and Dife-Hellman). and the data are stored in a storage provider. Te model of Due to the nature of the ring signature protocol, there are decentralized healthcare system comes from our previous no specifc rules for the number of members in a group. research [12]. Te privacy-preserving for the user is beyond Te standard procedure of the ring signature protocol can be the topic at the time. Tis paper is ongoing research and defned as follows: interrelated with our previous research. (i) ���� �(���, ���,��1,��2,��3,...,���).Tesignature Te structure of the paper is organized as follows. consists of the public keys (���,��1,��2,��3,...,���) Section 2 describes the background and core system compo- of the members for every message ��� concatenated nent such as the ring signature, CryptoNote, and one-time with the secret key ��� of the signer to produce a use address (stealth address). Section 3 presents the system signature �. model of decentralized PHI data as well as the concept of ring Verify(���,�) confdential transaction. Section 4 presents the system anal- (ii) . Te verifcation process can be inter- � ysis including the dilemma of reparameterizing propagation preted as accepting a group signature which consists time and block size in order to improve the performance in of public keys of all the possible signers along with the ��� ���� ����� a transaction. Te limitations and future work are written in message . Te fnal output is or . Section 5. Finally, Section 6 concludes the paper. Generating a ring signature can be used directly by the signer without involving the group manager. Te initial ��� 2. Background step is the signer computes the symmetric key � as the hash value of the message ��� to be signed as ���� = In this section, we briefy present the essential information ℎ(���). Te more complicated variant generates ���� as of ring signature algorithm, CryptoNote protocol, one-time ℎ(���, ��1,��2,��3,...,��).However,thesimplercreation use transaction address, and stealth address which are basic is also secure. An initial random value �V (or “glue”) is � components for the privacy-preserving model in our system. chosen by the signer uniformly at random form {0, 1} , � where 2 is some power of two which is larger than all � 2.1. Te Essential of Ring Signature. Ring signature is frst modulo �� �. Furthermore, the signer selects the number introduced by Rivest et al. [13] in 2001 through the paper of signatures �� from the ring members 1<�< entitled “How to Leak a Secret”. Te idea of a ring signature �, � =�̸ ,where� is the ring members and � is the order Wireless Communications and Mobile Computing 3 Z = V ( ) y1 =g1 x1 Ek yr =gr(xr) Ek d ( ) y2 =g2 x2 Ek Ek ( ) y3 =g3 x3 Figure 2: Ring signature algorithm which is defned by any member of a group of parties each having keys. Transaction Tx public key R=rG r Tx output Sender’s random data Te Amount (A, B) Receiver’s Destination Key P=HS (rA)G+B Random data Figure 3: Te structure of CryptoNote standard transaction. of the member (�-th member) who is the actual signer. indicate the use of the same key image. Te destination of Hence, the signature gets a new value which is signifed each CryptoNote output is a public key (��1,��2,��3,...,���) by �� =�(��). Finally, the signature of the message ��� which is derived from the recipient's address combined with can be defned as (��1,��2,��3,...,���;�V;�1,�2,...,��). the sender's random value. In this regard, the sender asks the Te verifcation process is straightforward by describing recipient's public key (�, �) via secure channel and the sender the message received from the sender via secure channel generates the one-time public key �=��(��)� + � as can (��1,��2,��3,...,���;�V;�1,�2,...,��). be seen in Figure 3. Based on the key image that recipient belongs to, the recipient checks every passing transaction � using his/her secret key (�, �) and calculates � =��(��)� + 2.2. CryptoNote Protocol. Te use of the ring signature algo- � � {0, 1}∗ � rithm in blockchain transaction was frst introduced in 2012 ,where � is a cryptographic hash function and is a base point. Finally, the recipient can defne �� = ��� = which is part of the CryptoNote protocol [15] and updated in �� �� =� 2013.