Special Issue: Computational Intelligence Techniques in Medicine
Privacy-Preserving Self-Helped Medical Diagnosis Scheme Based on Secure Two-Party Computation in Wireless Sensor Networks
With the continuing growth of wireless sensor networks in pervasive medical care, people pay more and more attention to privacy in medical monitoring, diagnosis, treatment, and patient care. On the one hand, we expect public health institutions to provide us with better service. On the other hand, we do not want to leak our personal health information to them. To balance this contradiction, in this paper we design a privacy-preserving self-helped medical diagnosis scheme based on secure two-party computation in wireless sensor networks, so that patients can privately diagnose themselves by inserting a health card into a self-helped medical diagnosis ATM and obtaining a diagnostic report, just like drawing money from a bank ATM, without revealing the patients’ health information or the doctors’ diagnostic skill. It makes secure self-helped disease diagnosis feasible, greatly benefits patients, and relieves the heavy pressure on public health institutions.
With the rapid development of science, more and more advanced technologies such as the Internet of Things and cloud computing are used in modern medicine, and this trend further pushes healthcare into the digital era [1–3]. Currently, numerous healthcare devices such as heart rate monitors, blood pressure monitors, and electrocardiographs are already common in everyday life, and people can conveniently keep track of their health by viewing the reports of these devices. In particular, with the growing use of sensor technology in telecare, the new field known as wireless body area networks (WBAN) [1, 4] has produced various sensor devices that can supervise critical body parameters and activities anytime and anywhere. People can easily and conveniently obtain health data from such sensor devices, for example, temperature measurement, respiration monitors, heart rate monitors, pulse oximeters (SpO2), blood pressure monitors, pH monitors, glucose sensors, cardiac arrhythmia monitors/recorders, brain liquid pressure sensors, and endoscope capsules. What is more, these devices are becoming more functional and portable, and more and more mobile medical monitors are already in service.
Therefore, people no longer worry about how to obtain health data but about how to handle these sensitive data securely when seeking a disease diagnosis from a medical institution. Traditionally, the privacy of medical data has been dealt with primarily as a policy problem [6, 7]. Many laws have been issued to protect the privacy of patients. However, the situation is still far from satisfactory, and people still fear the leakage of their private data. Hence, the most effective solution is to protect patients’ privacy technically rather than by policy alone. In this respect, most previous work has introduced homomorphic encryption (HE) [8–10] to protect patients’ privacy in privacy-preserving medical applications. However, HE inevitably introduces a tremendous cost and is not applicable to practical large-scale applications. Therefore, in this paper we focus on building a secure and practical privacy-preserving medical diagnosis system that can serve us in daily life. From the patient’s point of view, the most secure and plausible diagnostic method is to interact with the hospital, which owns a disease database, using processed data rather than the original data, so that the health status is diagnosed privately. Moreover, it requires that after the diagnosis the hospital learns nothing about the patient’s health data and the patient learns nothing about the hospital’s disease database.
Inspired by the bank automated teller machine (ATM) used in daily life, we introduce the privacy-preserving self-helped medical diagnosis ATM (MD-ATM). After obtaining a healthcare card that stores information about the health data collected by various medical sensor devices, a patient can privately diagnose himself by inserting the health card into the MD-ATM and obtaining a diagnostic report, just like drawing money from a bank ATM, without revealing the patient’s health information, the disease database, or the doctors’ diagnostic skill. When local computing, storing, or inputting of information is needed, the patient uses his own portable device, called the portable medical diagnostic device (PMDD).
In this paper, we show how to realize this diagnosis system without HE. The main ideas and technologies used in our scheme are secure two-party computation (STC) and oblivious transfer (OT). First, we assume that patients themselves collect the related data with various wireless medical sensor devices and then process and store them in their own health cards using the PMDD. When diagnosing, the patient first transforms the original data locally and then inserts the card into the MD-ATM of the hospital to check his health. Following the instructions of the MD-ATM, the patient finally obtains a diagnostic report through OT and thereby completes the self-helped diagnosis. In brief, our main contributions can be summarized as follows.
Our Contributions.
(i) We build a new “patient-centered” medical diagnosis model in wireless sensor networks, where patients themselves collect health data with various medical sensor devices while the hospital provides a disease database to help patients complete the disease diagnosis by themselves. Compared with the traditional “doctor-centered” model, where patients have to depend on the doctor, our system is more appropriate at a time when people pay more and more attention to privacy in wireless sensor networks.
(ii) We are the first to propose the privacy-preserving self-helped MD-ATM, constructing a secure medical diagnosis scheme following the idea of STC. It makes secure self-helped medical diagnosis feasible and as convenient as drawing money from a bank ATM, greatly benefits patients, and relieves the heavy pressure on public health institutions.
(iii) We construct the self-helped medical diagnosis system based on OT without expensive HE. It provides another perspective on the problem of secure medical diagnosis for patients.
The rest of this paper is organized as follows. In Section 2, we briefly give an overview of secure two-party computation and oblivious transfer, and then we present our medical diagnosis system model in Section 3. In Section 4, we propose our privacy-preserving self-helped medical diagnosis scheme in detail and give a strict proof based on real-ideal simulation paradigm in Section 5. Finally, we summarize our work of this paper in the last section.
2.1. Secure Two-Party Computation
Secure multiparty computation (SMC) deals with the problem of secure computation among mutually distrustful participants. It was first introduced by Yao in 1982 and was then extended by Goldreich et al. and many other researchers [14–19]. Generally speaking, SMC is a method of cooperative computation on the participants’ private data that ensures the correctness of the computation while disclosing no information beyond the necessary results. It has become a research focus in the international cryptographic community because of its wide range of applications, and a large number of results have been published. Secure two-party computation (STC) is the special case of SMC with only two participants. The well-known millionaires’ problem put forward by Yao is the representative problem of STC. In our discussion, we consider the two-party case.
Generally speaking, STC is dedicated to computing a certain function between two mutually distrustful participants on their private inputs without revealing their private information. Informally, assume that there are two participants, , , each holding a private number, , , respectively. They want to cooperate to compute the function . An STC protocol is called secure if no participant can learn more from the description of the public function and the result of the global computation than what he can learn from his own information.
Formally, we usually analyze the security of an STC protocol using the real-ideal paradigm in the semihonest model, where both parties act semihonestly: they follow the protocol but try to gain more information about the other party’s inputs, intermediate results, or overall outputs from the transcripts of the protocol. The real-ideal paradigm can be summarized as follows.
First, in the ideal world, we assume that the computation of the functionality on the users’ private inputs is carried out by an additional trusted party, who receives from user and returns the result to . However, there is no trusted party in the real world, so the two parties have to run a protocol to obtain the desired result. During the execution of protocol , both parties act semihonestly. Herein, the view of the th party during an execution of on is denoted as , which contains ’s input, random tape, and the messages received from the other party. For a deterministic private function , we say that privately computes if there exist probabilistic polynomial-time algorithms , such that the simulated distribution is indistinguishable from , . That is,
2.2. Oblivious Transfer
In cryptography, OT is a type of protocol in which a sender transfers one of potentially many pieces of information to a receiver but remains oblivious as to which piece has been transferred. It was first introduced by Rabin in 1981. In Rabin’s protocol, the sender sends a message to the receiver with probability 1/2, while the sender remains oblivious as to whether or not the receiver received the message. Rabin’s oblivious transfer scheme is based on the RSA cryptosystem. In 1985, Even et al. proposed a more useful OT called 1-out-of-2 OT () to build protocols for secure multiparty computation.
Afterwards, it was generalized to 1-out-of- OT () , where the receiver gets exactly one message without the sender learning which message was queried and without the receiver learning anything about the other messages that were not retrieved. has become a fundamental tool in cryptography and is usually used as a black box when constructing protocols.
Formally, we can describe an protocol as follows. There are two participants called the sender and the receiver . Specifically, has messages, and has an index . wishes to receive the th message of the sender’s messages without leaking to , while learning nothing about the remaining messages. A simplified protocol can be presented as in Algorithm 1.
3. System Model
In this section, we present the system model including the goals we aim to achieve in detail.
In this paper, we consider the privacy-preserving medical diagnosis system with two participants: the patient and the hospital. We assume that each patient can easily collect his own health data, such as heart beat and blood pressure, in the form of a vector, called the query vector, by various advanced medical devices. Herein, we call heart beat, blood pressure, and so forth, parameter items and the health data corresponding to heart beat, blood pressure, and so forth, parameter values. For example, is the query vector of the patient , where all are the necessary parameters the hospital needs for diagnosis, and is the parameter value of the parameter item heart beat. Each patient has a health card to store related data and a portable device, the PMDD, to read the data stored in the card and to do the related computations after inserting the card. The hospital has a disease database , which in fact is the standard for determining which disease the patient has. Each record of the disease database is presented as a triple , where is the capacity of the disease database; is the index of a disease; , called the trait vector of the disease , is a vector that covers all necessary parameters the hospital needs for diagnosis; and is the disease diagnostic report including the disease name, doctors’ advice, and prescriptions corresponding to the th disease . Concerning these parameters, we make the following remarks.
(i) : it includes all necessary parameter items the hospital needs for diagnosis, such as heart beat and blood pressure. The query vectors of the same patient differ if goes to different hospitals, since their medical levels differ. The query vectors of the same patient may also differ if goes to the same hospital at different times, since the medical level of the hospital keeps improving. The dimension and every parameter item of the query vector are determined by the trait vector of the hospital. After registering with the hospital, patient can learn which parameter items are needed in this diagnosis by reading the health card.
(ii) : it includes all diseases a hospital can diagnose. Different hospitals have different disease databases, and the same hospital has different disease databases at different times, since its medical level keeps improving. The dimension is determined by the hospital’s medical level.
(iii) : it includes all necessary parameter items the hospital needs for diagnosis, such as heart beat and blood pressure. Different hospitals have different trait vectors, and the trait vectors of the same hospital at different times may differ, since the medical level of the hospital keeps improving. The dimension and every parameter item of the trait vector are determined by the hospital’s medical level. To improve the precision of our diagnosis system, the hospital can consider as many factors as possible, such as adding more personal feelings, symptoms, and previous medical features of the patient as parameter items. Although only some simple diseases can currently be diagnosed, we believe that more complicated diseases will become feasible in the future by extending the dimension of the parameter items.
(iv) : it includes the disease name, doctors’ advice, and prescriptions corresponding to the th disease . Each report may include the advice and prescriptions of several doctors. Herein, we assume that every report obtained from the MD-ATM through the self-helped medical diagnosis is authorized by the hospital and that all advice and prescriptions of a report are signed by the corresponding doctors. After receiving the diagnostic report, patient can choose one doctor’s advice and prescription to treat himself.
In this paper, the system makes the medical diagnosis according to the Euclidean distance between two vectors. Specifically, given a patient’s query vector and a disease trait vector from the database, their Euclidean distance, denoted by , is
Herein, we compare the squares of the Euclidean distances,
It is obvious that we can determine which trait vector has the smaller distance to the patient’s query vector just by checking the sign of (3), without the exact value of or . Assuming that the report corresponding to the trait vector is the diagnosed disease report, we have the following result, for all :
In our scheme, we will compare the squares of the Euclidean distances of the query vector and the trait vectors to find the diagnostic report that satisfies (4).
In a real application, the hospital provides an MD-ATM, which is connected with the disease database and can read the data on the card, to guide patients through the self-helped disease diagnosis. Specifically, we assume that each patient registers with the hospital the first time and gets a health card. The hospital provides a self-helped MD-ATM in public, just like a bank ATM. Whenever wants a diagnosis, by inserting his health card into the MD-ATM and following the instructions, can complete the self-helped diagnosis by himself. The basic model is illustrated in Figure 1.
Apart from the above, to enable a privacy-preserving medical diagnosis system, our scheme should simultaneously fulfill the following two security goals.
(i) The confidentiality of the disease database should be protected during the self-helped diagnosis process.
(ii) The confidentiality of the patient’s private health data should be protected during the self-helped diagnosis process.
4. Our Scheme
In this section, we propose our privacy-preserving self-helped medical diagnosis scheme (PP-SH-MDS) in detail to show how a patient can diagnose himself using his PMDD and the self-helped MD-ATM. The core of our construction is summarized in Figure 2.
Specifically, the patient executes as follows to make a self-helped diagnosis using his PMDD and the MD-ATM.
In the setup phase, registers to a hospital as traditional medical diagnosis and gets a health card.
In the diagnosis phase, there are three subphases.
(1) Local Preprocessing. Whenever wants a diagnosis, he first carries out the following two transformations locally on the PMDD.
(i) Vector-to-Vector.
(a) first extends his original health data from an -vector to an -vector , where and .
(ii) Vector-to-Matrix.
(a) randomly chooses a password and then generates a matrix , where .
(b) By blinding using the matrix , further extends to a matrix
After completing the above steps, stores the matrix in the health card.
(2) Diagnosis.
(i) After local preprocessing, inserts his health card into the MD-ATM. The MD-ATM reads the card to get the matrix , randomly chooses two trait vectors and , and extends them to -vectors and , respectively, where and . Then the MD-ATM computes , writes in the card, and prompts the patient to take back his card.
(ii) Following the instructions of the MD-ATM, the patient takes the card back and inserts it into the PMDD. After he inputs his password, the PMDD computes and finds the index such that for all . is the input of the following protocol.
(3) 1-out-of-m OT Protocol.
(i) inserts his card into the MD-ATM and invokes an protocol, where ’s input is the index and the MD-ATM’s input is the diagnostic report set of the database.
After executing the protocol, gets the diagnostic report corresponding to the disease according to the index , while the MD-ATM gets , denoted by .
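As an added example, not code from the paper (whose equations and Algorithm 1 did not survive extraction), the following Python program runs the two steps the text does describe on constructed sample data: the Euclidean distance comparison of Section 3, written with extended vectors q' = (2q, -1) and t_i' = (t_i, ||t_i||^2) so that the sign of one inner product decides which trait vector is closer, and the final 1-out-of-m OT of Section 2.2 and step (3), for which the textbook RSA-based Even-Goldreich-Lempel construction is assumed in place of the page's unavailable Algorithm 1. The paper's password-derived matrix blinding is not reproduced, so the distance step below runs with both inputs in one place and only the OT step provides privacy; all vectors, reports, function names and the 256-bit toy key size are constructed assumptions.

```python
import secrets

# 1. Diagnosis by squared Euclidean distance (Section 3, (3)-(4)). With the
#    extended vectors below, q'.(t_i' - t_k') = d(q,t_k)^2 - d(q,t_i)^2.

def extend_query(q):
    """Patient (PMDD): q -> q' = (2*q_1, ..., 2*q_n, -1)."""
    return [2 * x for x in q] + [-1]

def extend_trait(t):
    """Hospital (MD-ATM): t_i -> t_i' = (t_i, ||t_i||^2)."""
    return list(t) + [sum(x * x for x in t)]

def diagnose_index(q, traits):
    """Index k with d(q,t_k)^2 <= d(q,t_i)^2 for all i, decided from the
    sign of q'.(t_i' - t_k') alone, never from d_i or d_k themselves."""
    qp, ext = extend_query(q), [extend_trait(t) for t in traits]
    k = 0
    for i in range(1, len(ext)):
        if sum(a * (b - c) for a, b, c in zip(qp, ext[i], ext[k])) > 0:
            k = i  # positive sign <=> t_i strictly closer to q than t_k
    return k

# 2. 1-out-of-m OT (Section 2.2, step (3)): textbook Even-Goldreich-Lempel
#    OT over RSA, assumed here since the page's Algorithm 1 is unavailable.
#    Toy 256-bit primes keep the demo fast; they are not a secure size.

def is_probable_prime(n, rounds=32):
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p):
            return p

def rsa_keygen(bits=256):
    """MD-ATM's OT key pair: returns (N, e, d)."""
    e = 65537
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def ot_receiver_query(k, xs, N, e):
    """Patient: pick random r, send v = x_k + r^e mod N, keep r secret."""
    r = secrets.randbelow(N - 2) + 2
    return (xs[k] + pow(r, e, N)) % N, r

def ot_sender_reply(v, xs, reports, N, d):
    """MD-ATM: r_i = (v - x_i)^d mod N equals the patient's r only for
    i = k; every report R_i (< N) is masked as c_i = R_i + r_i mod N."""
    return [(int.from_bytes(rep, "big") + pow((v - x) % N, d, N)) % N
            for x, rep in zip(xs, reports)]

def ot_receiver_open(cs, k, r, N):
    """Patient: unmask c_k; the other c_i stay uniformly random to him."""
    val = (cs[k] - r) % N
    return val.to_bytes((val.bit_length() + 7) // 8, "big")

def self_helped_diagnosis(q, traits, reports):
    """PP-SH-MDS flow without the paper's matrix blinding, so step 1 sees
    both inputs; the OT hides k from the MD-ATM and R_i (i != k) from P."""
    k = diagnose_index(q, traits)
    N, e, d = rsa_keygen()
    xs = [secrets.randbelow(N) for _ in reports]  # pads published by MD-ATM
    v, r = ot_receiver_query(k, xs, N, e)
    cs = ot_sender_reply(v, xs, reports, N, d)
    return ot_receiver_open(cs, k, r, N)

# Constructed sample data (illustrative only): 3 parameter items, 4 diseases.
TRAITS = [[72, 120, 80], [110, 150, 95], [55, 90, 60], [95, 160, 100]]
REPORTS = [b"REPORT-%d: placeholder name, advice, prescription" % i for i in range(4)]
QUERY = [98, 155, 98]  # patient's query vector; nearest trait vector is TRAITS[3]
```

Calling `self_helped_diagnosis(QUERY, TRAITS, REPORTS)` returns `REPORTS[3]`, the report of the trait vector with the smallest squared distance (38 against 178, 2225 and 7518 for the others).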
In this section, we analyze our scheme in detail. We first examine the correctness and then give a strict security proof following the real-ideal simulation paradigm of STC in the semihonest adversary setting.
Here we follow the steps of our scheme and make sure that the patient indeed finds the most probable disease from the hospital’s disease database using his health data by comparing Euclidean distances.
Following the scheme, the patient transforms the health data in two steps. First, he extends his original health data from an -vector to an -vector , where and , and then blinds and extends using the matrix to a matrix . On the other hand, the MD-ATM randomly selects two trait vectors and and extends them to -vectors and , respectively, where and . After receiving , for , the MD-ATM computes
After receiving the returned message , for , uses the PMDD to compute . Thus, we have
Obviously, if for all , , then , is the trait vector of the diagnosed disease. The report corresponding to the trait vector is the diagnosed report. Taking the index as the input of the following protocol, the patient can finally get the disease report from the set of the database.
Therefore, our scheme is correct.
In this subsection, we strictly prove the security of our scheme. From the whole process, the two parties in our system are the patient and the hospital . They cooperate to compute the function , where is the disease diagnostic report corresponding to the disease and the distance satisfies the condition . As mentioned in Section 3, we should achieve two security goals, that is, keeping both parties’ inputs private. We apply the real-ideal simulation paradigm to prove that our scheme achieves the two goals in the semihonest adversary setting, assuming that the protocol we use is secure.
Theorem 1. Our privacy-preserving self-helped medical diagnosis scheme is secure against semihonest adversaries if the protocol is secure.
Proof. Notice that the view of , , in the real execution consists of three parts, the private input, random tape, and the messages received from the other party including the output. Therefore, we can get the views of and , respectively, in the real execution as follows:
where and are the views produced in the execution of protocol.
From the definition of security, we need to construct probabilistic polynomial-time algorithms such that, given the input and output of the patient /the hospital , , it outputs a simulated view , which is indistinguishable from the view / in the real execution of the scheme; that is,
In the following discussion, we follow the real-ideal simulation paradigm to construct such probabilistic polynomial-time algorithms . We separately prove the case when is semihonest and when is semihonest.
Case 1 ( is semihonest). In this case, we only need to construct a simulator such that, given ’s input and output , can simulate ’s view in the real execution presented above as (12).
Firstly, since we assume that the protocol used in our scheme is secure and can be taken as a black-box, there exists an algorithm : given the input and the output , it can simulate ’s view of the execution and output so that
Next, notice that is given ; it can easily simulate the remaining parts of (12) by randomly choosing a matrix , which is indistinguishable from the blinded matrix . Then outputs the simulated view,
Obviously, we can conclude that
Case 2 ( is semihonest). Similar to Case 1, we only need to construct a simulator such that, given ’s input and output , can simulate ’s view in the real execution presented above as (11).
As discussed above, since the protocol is secure, there exists an algorithm : given the input and the output , it can simulate ’s view of the execution and output so that
Next, given , then simulates the remaining parts of ’s view in the real execution as follows.
Firstly, as in the real execution, extends the original health data from an -vector to an -vector , where and . Then, randomly chooses a password and then generates a matrix where . By blinding using the matrix , further extends to a matrix
Then randomly selects vectors, , , and for all ; otherwise, reselects . Afterwards, computes . Thus, for .
Therefore, we have
Since for all , we have . Obviously, for all , and , is the trait vector of the diagnosed disease. The report corresponding to the trait vector is the diagnosed report, which matches the relationship in the real execution.
Now, can output the simulated view,
Since and are randomly chosen and , just as and in the real view . Due to this randomness and the relationship , it is easy to see that is indistinguishable from . From the construction of , it is clear that is indistinguishable from the set . Combined with (17), we have
In this paper, we consider the problem of how to make a diagnosis securely in wireless sensor networks without leaking the patient’s health data, the diagnosed result, or the hospital’s disease database. By applying the idea of secure two-party computation and the technology of oblivious transfer, we propose a privacy-preserving self-helped medical diagnosis scheme so that patients can privately diagnose themselves by inserting a health card into a self-helped MD-ATM to obtain the diagnostic report, just like drawing money from a bank ATM. We also analyze the correctness in detail and strictly prove the security following the real-ideal simulation paradigm. We hope to offer another perspective on future medical care.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
This work is supported by NSFC (Grant nos. 61300181, 61272057, 61202434, 61170270, 61100203, and 61121061) and the Fundamental Research Funds for the Central Universities (Grant nos. 2012RC0612 and 2011YB01).
[1] J. Wan, S. Ullah, C. Lai et al., “Cloud-enabled wireless body area networks for pervasive healthcare,” IEEE Network, vol. 27, no. 5, pp. 56–61, 2013.
[2] C. Doukas, T. Pliakas, and I. Maglogiannis, “Mobile healthcare information management utilizing Cloud Computing and Android OS,” in Proceedings of the 32nd Annual International Conference of the IEEE Engineering in Medicine and Biology Society (EMBC '10), pp. 1037–1040, September 2010.
[3] J. Yuan and S. Yu, “Efficient privacy-preserving biometric identification in cloud computing,” in Proceedings of the 32nd IEEE International Conference on Computer Communications (INFOCOM '13), pp. 2652–2660, 2013.
[4] J. Liu, Q. Wang, J. Wan, J. Xiong, and B. Zeng, “Towards key issues of disaster aid based on wireless body area networks,” KSII Transactions on Internet and Information Systems, vol. 7, no. 5, pp. 1014–1035, 2013.
[5] M. Al Ameen, J. Liu, and K. Kwak, “Security and privacy issues in wireless sensor networks for healthcare applications,” Journal of Medical Systems, vol. 36, no. 1, pp. 93–101, 2012.
[6] P. M. Schwartz and J. R. Reidenberg, Data Privacy Law: A Study of United States Data Protection, LEXIS Law, Dayton, Ohio, USA, 1996.
[7] H. Nissenbaum, Privacy in Context: Technology, Policy, and the Integrity of Social Life, Stanford University, Stanford, Calif, USA, 2010.
[8] C. Gentry, A Fully Homomorphic Encryption Scheme [doctoral dissertation], Stanford University.
[9] Z. Brakerski and V. Vaikuntanathan, “Efficient fully homomorphic encryption from (standard) LWE,” in Proceedings of the IEEE 52nd Annual Symposium on Foundations of Computer Science (FOCS '11), pp. 97–106, Palm Springs, Calif, USA, October 2011.
[10] A. López-Alt, E. Tromer, and V. Vaikuntanathan, “On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption,” in Proceedings of the 44th Annual ACM Symposium on Theory of Computing (STOC '12), pp. 1219–1234, ACM, May 2012.
[11] J. Bringer, H. Chabanne, and A. Patey, “Privacy-preserving biometric identification using secure multiparty computation: an overview and recent trends,” IEEE Signal Processing Magazine, vol. 30, no. 2, pp. 42–52, 2013.
[12] A. C. Yao, “Protocols for secure computations,” in Proceedings of the 23rd Annual IEEE Symposium on Foundations of Computer Science, pp. 160–164, Chicago, Ill, USA, 1982.
[13] O. Goldreich, S. Micali, and A. Wigderson, “How to play any mental game,” in Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC '87), pp. 218–229, ACM, New York, NY, USA, 1987.
[14] O. Goldreich, “Secure multiparty computation,” manuscript, preliminary version, 1998.
[15] O. Goldreich, Foundations of Cryptography: Volume 2, Basic Applications, Cambridge University Press, Cambridge, UK, 2004.
[16] M. M. Prabhakaran and A. Sahai, Eds., Secure Multiparty Computation, IOS Press, 2013.
[17] D. Chaum, C. Crépeau, and I. Damgård, “Multi-party unconditionally secure protocols (extended abstract),” in Proceedings of the ACM Symposium on Theory of Computing (STOC '88), pp. 11–19, ACM, 1988.
[18] I. Damgård, V. Pastro, N. P. Smart, and S. Zakarias, “Multiparty computation from somewhat homomorphic encryption,” in Advances in Cryptology—CRYPTO 2012, vol. 7417 of Lecture Notes in Computer Science, pp. 643–662, Springer, 2012.
[19] Y. Lindell and B. Pinkas, “An efficient protocol for secure two-party computation in the presence of malicious adversaries,” in Advances in Cryptology—EUROCRYPT 2007, vol. 4515 of Lecture Notes in Computer Science, pp. 52–78, Springer, Berlin, Germany, 2007.
[20] B. Pinkas, T. Schneider, N. P. Smart, and S. C. Williams, “Secure two-party computation is practical,” in Advances in Cryptology—ASIACRYPT 2009, vol. 5912 of Lecture Notes in Computer Science, pp. 250–267, Springer, Berlin, Germany, 2009.
[21] M. O. Rabin, “How to exchange secrets by oblivious transfer,” Tech. Rep. TR-81, Aiken Computation Laboratory, Harvard University, 1981.
[22] S. Even, O. Goldreich, and A. Lempel, “A randomized protocol for signing contracts,” Communications of the ACM, vol. 28, no. 6, pp. 637–647, 1985.
[23] M. Naor and B. Pinkas, “Oblivious transfer with adaptive queries,” in Advances in Cryptology—CRYPTO '99, vol. 1666 of Lecture Notes in Computer Science, pp. 573–590, Springer, 1999.