Abstract

In this study, we propose a blockchain-based privacy-preserving vaccine passport system for the global prevention and control of infectious diseases. The system operates a double-chain framework which consists of a public blockchain and a consortium blockchain. Among them, the combination of the immutability of the public blockchain and Internet of Things (IoT) technology in the supply chain ensures the openness and transparency of the cold chain logistics records of the vaccines covering the stages from auditing to the target vaccination hospitals. The system adopts the consortium blockchain to achieve the balance between the protection of users’ vaccination privacy and auditing by the government departments. Specifically, a distributed system-based threshold signature is adopted in the vaccine qualification phase to resist collusion between the vaccine manufacturing company and vaccine approval institutions. The cryptographic tools such as the anonymous credentials, zero-knowledge protocols, and range proofs ensure that users do not disclose any private information other than proving that they have a legally valid vaccine passport when users display the vaccine passports to customs. At the same time, customs can apply various vaccine prevention policies based on the conditions on the specific vaccine passports. Regarding the security properties of the system, a formal security model is given along with the corresponding security proofs.

1. Introduction

With the outbreak of COVID-19 in early 2020, the global defense against the spread of COVID-19 has been severely tested. Following the outbreak, scientists, physicians, and vaccine manufacturers in various countries engaged in the development of vaccines for the coronavirus. On January 24, 2020, the Chinese Center for Disease Control and Prevention (CDC) successfully isolated the first coronavirus strain in China [1]. The National Pathogenic Microbial Resource Library released information and electron microscopy photos of this strain (Wuhan strain 01 of the novel coronavirus), as well as important authoritative information such as primers and probe sequences for nucleic acid detection of the novel coronavirus, all of which laid the foundation for vaccine development. On this basis, COVID-19 vaccines in each country were promoted from the R&D stage to the clinical trial stage. In the second half of 2020, COVID-19 vaccines developed in each country gradually were approved for marketing by various national approval authorities.

At the stage when COVID-19 vaccines were introduced into the market and society, vaccination would face social problems in various aspects. With the gradual introduction of COVID-19 vaccines, vaccine management and vaccination become important issues for national governments. Especially in emergency cases when the COVID-19 vaccine is not sufficient, it is vital for the privacy of vaccination information to be protected to prevent social conflicts. As the epidemic is effectively controlled in various regions, the people returning from various countries and regions are also a serious test for the prevention and control of the local epidemic. Therefore, the application of vaccine passports was born.

As countries around the world gradually recovered from the effects of the COVID-19 epidemic, urgent cultural communication and trade between countries led to the implementation of vaccine passports. On July 26, 2021, municipalities, wards, towns, and villages throughout Japan began accepting applications for the official certificate (“vaccine passport”) for COVID-19 vaccine [2]. The key information of the vaccine certificate includes the individual’s name, date of birth, passport number, type of vaccine used, and date of vaccination. The idea is that the certificates exempt travelers from Japan from quarantine and other antivirus measures after their arrival in overseas destinations. However, the Japanese government does not make such exemptions for people who enter Japan with vaccine passports issued by other nations for now, and the government is considering making vaccine passports digital. At 1:00 p.m. Vancouver time on August 23, the Premier of British Columbia held a press conference to announce the implementation rules for the British Columbia vaccine certificate. Starting from September 13, people attending indoor concerts, sporting events, movie theaters, and other nondiscretionary activities must receive at least one dose of the COVID-19 vaccine and show proof of it. On October 24, the vaccination requirement will be increased to 7 days after completing two doses of the vaccine before being allowed to enter certain public places with a vaccination card [3].

The vaccine passport should be an internationally recognized certificate of vaccination for COVID-19 [4] and possibly other types as well. In February 2021, the concept of the vaccine passport was still in the initial stages of controversy, and international opinion was divided. In the view of proponents, the emergence, use, and popularity of a vaccine passport would significantly mitigate the impact of the COVID-19 pneumonia outbreak on international travel and facilitate global economic recovery. In contrast, in the view of opponents, it is far from simple to establish a globally circulating and mutually recognized certification system that can effectively protect the privacy and ensure fairness.

The purpose of this study is to design protocols that use cryptography to ensure the transparency and privacy of vaccination, as well as the privacy of vaccine passports, and thereby address the issues of privacy protection. However, we point out that vaccine passports are subject to a global consensus. We assume that the design, implementation, and operation of the vaccine passport system are supported and accepted by countries around the world.

1.1. Prior and Related Work

The COVID-19 outbreak led to research on vaccine supply chain improvements. Many researchers in cryptography proposed blockchain-based systems for the distribution and management of vaccine supply chains. The idea is to take advantage of the tamper resistance of blockchain and of the jointly maintained unified ledger to ensure that the supply of vaccines is regulated and transparent. Meanwhile, with the development of IoT technology, IoT techniques from traditional commodity logistics have been carried over to the logistics and transportation of pharmaceutical products. In particular, because vaccines are biological products, IoT devices with sensors can monitor and supervise their environmental conditions during cold chain transportation. These sensors report the humidity, temperature, light protection, and other transport conditions during the cold chain transportation of vaccines to the CDC, which monitors the logistics of biologics. Vaccination users also have the right to know that vaccine production and transportation meet quality control. Cui et al. [5] proposed a blockchain-based vaccine tracking system to protect the entire vaccine cycle. The blockchain is used as a global, unique, and verifiable database to store all circulating databases. Antal et al. [6] used Ethereum’s smart contract technology to guarantee the integrity of vaccine data and the immutability of registration for vaccinators, avoiding identity theft and imitation. Yong et al. [7] applied machine learning techniques to analyze and process data in the vaccine blockchain.

Abid’s proposed vaccine platform [8] provides a sovereign user identity that gives users full control over their data and encrypts personally identifiable information to enhance privacy. The platform also leverages W3C verifiable credential standards to facilitate instant verification of COVID-19 proofs and allow users to share selected information with trusted parties. However, the platform protects privacy by hashing sensitive information and then storing it on the blockchain, which is at risk when the data are broadcast. Haque et al. [9] proposed an architectural framework of a permissioned blockchain-based vaccination passport for the European Union’s General Data Protection Regulation (GDPR). The scope of this regulation is broad, and any organization that collects, transfers, retains, or processes personal information involving all EU member states is subject to the regulation. Then, the double-chain structured blockchain system proposed by Qiu and Zhu [10] combines a public blockchain and a private blockchain to manage and store data information in different processes of vaccine logistics and vaccination. However, the user privacy of this system relies too much on the authorization mechanism of the private blockchain.

1.2. Contributions

In this study, we propose a double-chain framework with the vaccine cold chain logistics system and vaccination record system. We introduce threshold signature technology at the vaccine audit stage of the public blockchain to deal with complicity between vaccine manufacturing companies and vaccine approval institutions. Second, the system uses the consortium blockchain to record the vaccinations that hospitals administer to users. This process ensures the privacy of vaccination hospitals, vaccination users, and the vaccines administered, and reserves the right of government departments to reveal and audit the vaccination information records under special circumstances.

In the issuance and presenting of the vaccine passport, the use of anonymous credential, ring signature, and range proofs ensures that the validity of the vaccine passport is proven without revealing the user’s vaccination hospital and identity information during the process.

1.3. Paper Organization

In the subsequent content of this study, we present the entities and the system threat model in the vaccine passport system in Section 2. We show the cryptographic techniques and tools used to build the system protocol in Section 3. Section 4 of this article provides the structural design of the system and the specific protocol design. We give the security analysis and proof of the protocols in this model in Section 5. We give a system evaluation in Section 6, and we finally conclude this article in Section 7.

2. Assumptions and Threat Model

2.1. Entities and Assumptions

Before presenting the system structure, we introduce the entity participants in the system.
(i) International coalition government, : it acts as the system’s CA to manage the authorization and authentication of each participant. It acts as a trusted third party for threshold signatures in the vaccine approval process. In exceptional cases, it can audit the encrypted information in the consortium blockchain that records vaccinations.
(ii) Hospital, : it issues a credential for the user’s vaccine passport after completion of the vaccination and uploads the information recording the vaccination to the consortium blockchain.
(iii) User: the user receives a vaccine passport after completion of vaccination at the hospital. When it is necessary to prove the legitimacy and validity of the vaccine passport to the vaccine passport checkpoint, zero-knowledge proof protocol is applied to protect their privacy.
(iv) Vaccine manufacturing company: it sends samples of the vaccine to be tested to the vaccine approval institutions in each country for approval. Once the vaccine is approved, the batch is issued a certificate of authorization.
(v) Vaccine approval institutions, : each country’s approval body tests the submitted vaccine samples according to its own standards. The approved vaccine approval institution signs a threshold signature for the vaccine. The issues a threshold signature certificate to the vaccine lot after vaccine approval institutions have been met and approved simultaneously.
(vi) Vaccine passport checkpoint: it verifies the user’s identification and proof of the legitimacy and validity of the vaccine passport. It also takes the appropriate vaccination measures and policies for the fulfillment of the conditions of the user’s vaccine passport.
(vii) Vaccine transit centers: they act as a transit point for vaccine shipments connecting vaccine companies to the CDC. Information on storage and transport conditions during cold chain logistics is uploaded.
(viii) CDC: it audits the vaccine cold chain logistics process for compliance with biologics-related regulations. If so, the vaccine is held in temporary storage and eventually shipped to the hospital where it is administered.

Considering the specific prerequisite assumptions for the application of the vaccine passport system to realistic scenarios and specific programs, the system provides the following reasonable assumptions.
(i) The authority of the international coalition government is recognized by every country in the world
(ii) Countries strictly adhere to the normal operation of the system
(iii) The number of corrupted institutions in vaccine approval institutions is less than half of the total number
(iv) Authorized hospitals follow the hospital code of conduct and do not conspire with users
(v) Users do not disclose or share their secret keys

2.2. Threat Model

In this study, we do not consider network-level security attacks, physical hardware-level damage, and software vulnerability penetration during the engineering implementation of the protocol. In this study, we only consider cryptographic attacks towards the protocol design.
(i) In the threat model of this study, we assume that and auditor are completely honest. They operate according to the protocol algorithm and do not disclose the privacy parameters generated.
(ii) In the threshold signature phase, adversary is allowed to corrupt up to s. does not disclose institutional audit signatures to vaccine manufacturing companies.
(iii) In the vaccination information record uploading consortium blockchain phase, all peers except the auditor and are assumed to be honest-but-curious; they try to break the privacy by passively eavesdropping on the inputs and outputs of the protocol but not actively violating the protocol process.
(iv) In the vaccine passport display phase, vaccine passport checkpoint is assumed to be honest-but-curious; it tries to get the user’s private data, but it still follows the protocols.

3. Preliminaries

3.1. Bilinear Pairing

Let a bilinear map where is a GDH group and in our protocol. are the two multiplicative cyclic groups of prime order . The bilinear pairing has the following three properties:
(i) Bilinear: for all , , and , it holds that ;
(ii) Computability: there exists an efficient algorithm to calculate , where , ;
(iii) Nondegenerate: for , , where 1 is the unit element in the multiplicative cyclic group.

3.2. q-Strong Diffie–Hellman Assumption

The q-SDH problem in is defined that for adversary on input a -tuple

3.3. Threshold Signature Scheme

The threshold signature scheme allows any signers among signers to generate a signature for a message, but fewer than signers cannot generate a valid signature. The threshold signature scheme can build a robust signature system to prevent the unlawful behavior of some signers. The threshold signature scheme consists of the following four algorithms:
(i) ThresholdKeyGen : for distributed systems, threshold key generation algorithm is a protocol that runs interactively among many participants. With the input security parameters , number of users , and threshold , it outputs the secret share for each participant, such that .
(ii) Sign : the signers in the participants output the signature share based on the input secret share and the message .
(iii) Reconstruction : the resulting signature can be generated by a trusted third party based on the signature share of not less than signers.
(iv) Verify : the verification algorithm inputs the verification public key , message , and resulting signature and outputs 1 when the signature is successfully verified; otherwise, it outputs 0.

3.4. Ring Signature Scheme

A ring signature is a digital signature that can be executed by any member of a group of users that each have a pair of keys, so that a message with a ring signature is recognized by someone in a particular group. However, it is computationally infeasible to determine which group member’s key is used to generate the signature, which is one of the security properties of ring signatures. All possible signers are formed into a ring. Each possible signer is called a ring member. The ring member that generates the signature is called a signer, and each other ring member is called a nonsigner. The ring signature scheme consists of the following three algorithms:
(i) KeyGen : let ring . With the input security parameters , it outputs each user public-secret key pair . Assume that the signing member is .
(ii) Sign : the signer generates a ring signature on message with its own secret key and the public keys of other members.
(iii) Verify : the verification algorithm takes as input the public keys , message , and ring signature and outputs 1 when the signature is successfully verified; otherwise, it outputs 0.

3.5. Zero-Knowledge Proof

A zero-knowledge proof is a protocol in which the prover can convince the verifier that an argument is correct without providing any useful information to the verifier. A zero-knowledge proof is essentially an agreement involving two or more parties, i.e., a series of steps that two or more parties need to take to accomplish a task. The prover convinces the verifier that he or she knows or has a certain message, but the proof process cannot divulge any information about the proven message to the verifier. In our system protocol design, we focus on zero-knowledge proof for NP language , where is a witness for statement . A zero-knowledge proof protocol between P and V satisfies the following three properties:
(i) Completeness: if , prover convinces that his statement is true with probability .
(ii) Soundness: if the prover’s statement , then any malicious prover convinces an honest verifier of his statement with probability .
(iii) Honest verifier zero-knowledge (HVZK): after the proof is executed, the verifier only knows whether the statement of the prover is true or not, but he does not have access to any other information during the proof. It can also be said that there exists a simulator algorithm that simulates interaction scripts that are indistinguishable from the real interaction scripts between and .

Range proof: range proof is proof that a secret value , which is encrypted or committed to, lies in a certain interval . In this study, the secret value is hidden by Pedersen commitment, such that . Range proof does not leak any information about the secret value other than the fact that they lie in the interval. The prover needs to provide zero-knowledge proof to the verifier .

4. Our Proposed System

Before showing the overview of our system model, we present the reasons for choosing the double chain as the basis of the system. The generation of the vaccine passport and the vaccine itself are indivisible. Given the biomedical properties of the vaccine itself, we need a public blockchain to store the production and logistics information of the vaccine. The choice of the consortium blockchain is that vaccination records are information with privacy properties and are required to be privacy protected and regulated. So, it is uncomplicated to achieve the intended effect in a blockchain under authorization.

4.1. Overview

Our system consists of three main phases. The first, the vaccine cold chain logistics phase, is shown in Figure 1.

Step 1. The vaccine manufacturing company sends a batch of vaccine samples that need to be checked for quality to the vaccine approval institutions in each country.

Step 2. Each country’s vaccine approval institution passes its review results through a threshold (if a total of vaccine approval institutions are satisfied with the approval of vaccine approval institutions, then the batch of vaccine is approved). If the batch meets the audit requirements, a certificate is issued for the batch through the threshold signature.

Step 3. The vaccine manufacturing company entrusts the cold chain logistics company with sending the approved batch of vaccine to the target hospital. The sender is the vaccine production company. The receiver is the first vaccine transit center. The transported goods are batches of vaccines. The logistics information is uploaded to the public blockchain after the logistics are completed.

Step 4. The cold chain logistics information between vaccine transfer centers is uploaded. The sender is the previous vaccine transfer center. The receiver is the next vaccine transfer center. The transported goods are batches of vaccines with the environmental conditions of the temporary storage of vaccines and the signature of the person in charge.

Step 5. When the vaccine is delivered at the last logistics transit center, the CDC under whose jurisdiction the target hospital is located audits the entire cold chain logistics storage and transportation for compliance with the logistics requirements for biologics. If the batch of the vaccine cold chain logistics process meets the requirements, the CDC issues a certificate of conformity signature to the batch of vaccine.

Step 6. After the approval of the vaccine cold chain logistics, the logistics information between the last vaccine transfer center and the CDC is uploaded to the public blockchain. The sender is the last vaccine transfer center. The receiver is the local CDC, and the transported goods are batches of vaccines with the CDC’s certificate for vaccine cold chain logistics.

Step 7. The logistics information of the final vaccine delivery from the local CDC to the target hospital is uploaded to the public blockchain. The sender is the local CDC, and the receiver is the target vaccination hospital. The transported goods are the batch of vaccines with a certificate from the CDC for the cold chain logistics of the vaccine and a threshold signature certificate from the vaccine approval institutions.

By viewing the information recorded on the public blockchain before vaccination in hospitals, users are given the right and ability to know the approval results of vaccinations and the vaccine cold chain logistics information. This helps to achieve openness and transparency of vaccine information to vaccination users.

In the vaccination phase shown in Figure 2, the local hospital completes the uploading of vaccination information to the consortium blockchain while protecting the privacy of the vaccination information.

Step 8. After the user’s last vaccine injection at the local hospital, the hospital creates vaccination information signed by it and sends the vaccination information to the endorser. The sender of the vaccination information is the local hospital. The receiver is the vaccination user. The information transmitted is the details of the vaccine.

Step 9. The endorser verifies the uploaded vaccination information and generates an endorsement signature.

Step 10. The submitting local hospital broadcasts the collected endorsement signatures and the vaccination information itself to the orderers.

Step 11. The orderers broadcast the sorted set of vaccination information to all peers.

Step 12. The committing peer checks whether the vaccination information submitted by the orderers has a legitimate certificate issued by the endorser. The committing peer also detects malicious cases where the same vaccination is included in the vaccination information more than once. In this case, the first valid vaccination information will be accepted. Once the uploaded vaccination information is verified by the committing peer, the vaccination information is submitted and the committing peer maintains the state and a copy of the ledger.

The privacy-preserving vaccination information on the consortium blockchain may need to be audited under special circumstances. Auditors have the ability to open the encrypted vaccination information on the consortium blockchain to audit the vaccination details, such as the time of vaccination and vaccine production date.

The vaccine passport phase in Figure 2 proceeds as follows.

Step 13. The local hospital opens the vaccination user’s commitment to the vaccine production date, vaccine shelf life, vaccine immunity lasting time, and vaccination date. After the hospital confirms that the commitment is correct, a ring signature is generated for the commitment and the international coalition government-issued user identity card. Finally, the ring signature, commitment, and user identity certificate together form the vaccine passport and are sent to the user.

Step 14. The user first presents the vaccine passport to the passport checkpoint. The passport checkpoint verifies the legitimacy of the user’s identity and vaccine passport. Next, the user proves the validity of the vaccine passport to the passport checkpoint. This includes the following three items:
(i) The vaccine injected by the user is within the shelf life. If the vaccine injected by the user does not meet this condition, then first, the passport checkpoint needs to report this medical issue to a government authority. This requires a request for an audit of the vaccination information for the batch (including the local vaccination hospital) and a traceability audit of the vaccine batch. Also, the user needs to be reimbursed for the corresponding vaccination.
(ii) The user produces high titers of antibodies to create effective protection. This corresponds to the last date of vaccination plus 14 days [11], which needs to be greater than the current date. If the user’s vaccination information does not meet this condition, the passport checkpoint needs to quarantine the user for 14 days before allowing the user to pass.
(iii) The vaccinated user is in the duration of immunization for the vaccine. This is equivalent to the last date of vaccination plus the vaccine immunity lasting time that needs to be less than the current date. If the user’s vaccination information does not meet this condition, the passport control point will need to adopt a revaccination strategy to stimulate effective antibody protection.

None of the above proofs will reveal any information about the user’s vaccination, including the production date and shelf life of the vaccine.

4.2. Vaccine Cold Chain Logistics

This study adds Boldyreva’s [12] threshold signature technique to other blockchain-based vaccine distribution management systems. Vaccine approval institutions in each country that adopt different standards act as participants in the threshold signature. The international coalition government acts as a trusted third party as the group administrator in the threshold signature group. This vaccine approval protocol effectively prevents collusion and corruption between vaccine approval institutions and vaccine manufacturing companies. The vaccine approval institutions approve samples of vaccines to be submitted for review in a distributed structure on a per-share basis. The distributed protocol allows for up to half of the vaccine approval institutions to be malicious. Once the approval of the submitted vaccine is complete, the vaccine manufacturer receives only the results of whether the submitted vaccine batch was approved or not and does not know the respective review opinions of the individual vaccine approval institutions. This prevents the vaccine manufacturing company from influencing the outcome of the approval, thereby, achieving fairness and equity in vaccine approval. Details are outlined as follows.

Setup : on input , where is a security parameter, let , a bilinear map, where is a GDH group and is the generator of . and are the cyclic groups. The participants in our scheme are the set of vaccine approval institutions . All s are connected by a broadcast channel as well as by secure point-to-point channels including the international coalition government . Let be collision-resistant hash function.

Generating : chooses and to form the polynomials and of degree : and . broadcasts commitment to polynomial coefficients mod for . computes and mod for and sends and to to verify. Then, each verifies if

If the above equation is not satisfied, will broadcast the complaint against . According to the conditions satisfied by the distributed key generation protocol DKG for discrete-log based systems of Gennaro et al. [13], each sets his share of the secret as mod . The distributed secret value equals mod from the distributed secret polynomial:

Vaccine approval : decides whether to approve the batch of vaccine according to the criteria. If approves it, a signature and are generated and sent to . verifies the signature by . If the verification passes, is assigned to the set .

Threshold signature : if the number of s in set is greater than ,is public Lagrange coefficient for the set APPR according to the Lagrange interpolation method [13].

According to the above equation, the resulting signature is that and public key is that .

User verification : the user checks that for the vaccine. The user accepts the signature if holds or rejects it otherwise.
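The reconstruction step above, as an added Python example (not the paper's code): signature shares of the form H(m)^{x_i} are combined in the exponent with Lagrange coefficients, so any qualifying subset of approvers yields the same batch signature. Assumptions: a toy Schnorr group replaces the pairing-friendly GDH group, a trusted dealer replaces the DKG, the pairing check is replaced by comparison against the signature under the full key, and all function names are illustrative.

```python
import hashlib
import secrets
from itertools import combinations, count
from math import isqrt


def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))


# Toy parameters (assumption): P = 2Q + 1 is a safe prime and every square
# other than 1 has prime order Q. Far too small for real use.
Q = next(q for q in count(2**31) if _is_prime(q) and _is_prime(2 * q + 1))
P = 2 * Q + 1


def hash_to_group(msg: bytes) -> int:
    """Map a message to an element of order Q by squaring a hash value."""
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big") % (P - 3) + 2
    return pow(e, 2, P)


def deal_shares(secret: int, n: int, t: int) -> dict:
    """Shamir-share `secret` so that t of n shares are required.

    Here t is the number of shares needed (polynomial degree t - 1); the
    coefficients are nonzero so the degree is exactly t - 1.
    """
    coeffs = [secret % Q] + [secrets.randbelow(Q - 1) + 1 for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}


def sign_share(x_i: int, msg: bytes) -> int:
    """One approver's signature share H(m)^{x_i}."""
    return pow(hash_to_group(msg), x_i, P)


def lagrange_at_zero(i: int, ids) -> int:
    """Lagrange coefficient of share i for interpolation at 0, modulo Q."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * j % Q
            den = den * (j - i) % Q
    return num * pow(den, -1, Q) % Q


def combine(sig_shares: dict) -> int:
    """Multiply the shares raised to their Lagrange coefficients."""
    ids = sorted(sig_shares)
    sigma = 1
    for i in ids:
        sigma = sigma * pow(sig_shares[i], lagrange_at_zero(i, ids), P) % P
    return sigma


def reconstruct(sig_shares: dict, t: int) -> int:
    """Trusted-party reconstruction: refuse to combine fewer than t shares."""
    if len(sig_shares) < t:
        raise ValueError("not enough approvals to reach the threshold")
    return combine(sig_shares)


def demo():
    x = secrets.randbelow(Q - 1) + 1                 # group secret key
    shares = deal_shares(x, n=5, t=3)
    msg = b"batch-0001 (constructed sample)"
    expected = pow(hash_to_group(msg), x, P)         # signature under x
    sigs = {i: sign_share(s, msg) for i, s in shares.items()}
    every_triple_ok = all(
        reconstruct({i: sigs[i] for i in ids}, 3) == expected
        for ids in combinations(sigs, 3))
    # Two shares interpolate a different polynomial, so the value is wrong.
    pair_matches = combine({i: sigs[i] for i in (1, 2)}) == expected
    return every_triple_ok, pair_matches


if __name__ == "__main__":
    print(demo())
```
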

Logistics consignment : structure of vaccine includes the following attributes: ID =  , manufacturer, batch number, serial number, vaccine certificate , production date , shelf life , and the duration of immunization . The vaccine manufacturing company broadcasts the vaccine properties, the entrusted logistics company, and the certification certificate as a package to the public blockchain.

Cold chain logistics transit : the responsible person for the cold chain logistics staging area broadcasts to the public blockchain the vaccine, the vaccine storage environment, its signature , and the logistics destination package.

Distribution of CDC : after checking that the cold chain logistics on the public blockchain meets the standards for transporting biologics, the CDC attaches a signature and broadcasts the distribution to the destination vaccination hospital to the public blockchain.

4.3. Vaccination Record

The framework of the vaccination record system is based on Hyperledger Fabric [14], which is a permissioned blockchain. The privacy protection of the identities of the vaccination hospitals and vaccination users in the vaccine record system follows the one-time sender and receiver public key technique of PAChain [15]. The certificate of authority for the long-term public key (representing the identity of the hospital and the user) of the vaccination hospital and the vaccination user uses the BBS+ signature [16] issued by the international joint government. However, in the vaccination record system of this study, the identity of the user and hospital is anonymous to the endorsement node. The endorsement of the vaccination record by the endorsing node uses the anonymous credential technique based on the Boneh-Boyen signature [17]. Vaccination information is encrypted with the auditor’s public key using ElGamal encryption [18] to ensure that the information is hidden. If necessary, the auditor can reveal the encrypted vaccination information with his or her secret key. Details are outlined as follows.

Setup: on input , where is a security parameter. Suppose and are collision-resistant hash functions. It randomly picks generators .

AuditorKeyGen(): auditor picks random secret keys and outputs their public keys .

CAKeyGen(): CA picks random secret keys and outputs their public keys .

EndorserKeyGen(): endorser picks a random secret key and outputs its public key .

UserKeyGen(): the user randomly picks a pair of long-term secret keys and computes a pair of long-term public keys . is also a type of user, so it follows the same algorithm to generate .

CACertIssue: first, the user needs proof to CA: . After passing CA verification, CA computes using randomly selected and its own . Then, CA issues a certificate to the user’s . is also a type of user, so it follows the same algorithm to generate CACertIssue.

VaccInfoEnc(,): vaccination information includes ID =  , vaccine certificate , production date , shelf life , the date of vaccination , and the duration of immunization . Let , and it divides 128-bit into 8 segments of 16-bit messages by . It encrypts each into and , where . The encryption on can be generated by and , where . The user sends to the auditor. Then, it proves in zero-knowledge proof that the knowledge of and : .

Details of the zero-knowledge proof are as follows:
(1) The randomly picks for and and then computes commitments: and .
(2) It computes and for computes challenge response: , .
(3) Then, it outputs

OTpkGen: randomly picks and outputs . uses the same algorithm to generate OTpkGen. encrypts user’s long-term public key and long-term public key of to the auditor by picking random and computing and . Then, runs the following proof of knowledge for ensuring:
(i) and are issued a valid certificate of identity by CA.
(ii) is generated by . is generated by . is the one-time public key identity of the user whose public key is . is the one-time public key identity of whose public key is .
(iii) The user’s long-term public key and ’s long-term public key are encrypted by the auditor’s public key and .

needs to use proof of knowledge to endorser:

The details of the zero-knowledge proof are as follows:
(1) randomly picks and makes . It computes commitments: , , .
(2) It computes challenge and computes challenge response: , , .
(3) It outputs

Likewise, proves the above relationship to the endorser. The proof process is very similar to that of the user, so it will not be explained in detail here.

OTskGen: with , , and , calculates and lets . At the same time, sends to the vaccination user over a secure channel. The user then generates his own one-time secret key .

EndorserVerify: the endorser verifies the legitimacy of the vaccination information and the legitimacy of the one-time public key of the sender and the receiver (user).

The details of the zero-knowledge proof are as follows:
(1) First needs proof to endorser: .
(2) On input , for , endorser computes and checks , . It outputs 1 if the above equation holds or 0 otherwise.
(3) On input , endorser computes , , . Then, endorser computes and checks . It outputs 1 if holds or 0 otherwise.
(4) On input , endorser does same as (3). The initiator of the vaccine record upload operation can only be the hospital. Therefore, at this step, the endorser needs to verify that the initiator of the upload operation has a valid hospital identification credential.

If all four of the above verifications output 1, then EndorserVerify.

EndorserCredIssue: after verifying the legitimacy of the vaccine information commitment and the legitimacy of the one-time public key of and the user, the endorser generates a certificate by endorsing the vaccination record ( and ). The endorser picks some random and uses secret key to compute to .

EndorserCredProof: after obtaining the endorser’s certificate , needs zero-knowledge proof to the verifier that the vaccination record has a valid certificate. First, computes the tag for detecting double recording. needs to use proof of knowledge to verifier:

The details of the zero-knowledge proof are as follows:
(1) randomly picks and makes . It computes commitments: , .
(2) It computes challenge and computes challenge response , , , .
(3) It outputs
(4) On input and , verifier computes , , .

Then, verifier computes and checks . It outputs 1 if holds or 0 otherwise.

Link: on input two vaccination records with two tags . If , it outputs 1. Otherwise, it outputs 0.

Audit: on input a ciphertext and , auditor has the ability to reveal long-term public keys of users and by computing . On input a ciphertext and , auditor has the ability to reveal vaccination information by computing . The auditor uses a precomputation table containing to find out the message of and reveal vaccination information . The auditor uses the secret keys to reveal the long-term public key of the vaccination hospital and the long-term public key of the vaccination user.
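The segment-wise encryption in VaccInfoEnc and the table lookup in Audit can be sketched as follows. This is an added example, not the paper's code: the formulas did not survive on this page, so it assumes standard exponential ElGamal with ciphertext (g^r, g^m · pk^r), big-endian segment order, and a toy-sized group; all function names are hypothetical.

```python
import secrets

SEG_BITS, SEG_COUNT = 16, 8   # 128-bit value -> 8 segments of 16 bits, as in VaccInfoEnc

def _is_prime(n):
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def toy_group(start=1 << 24):
    """Assumed group: first safe prime p = 2q + 1 with q >= start (toy size, demo only)."""
    q = start
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1, q, 4    # 4 is a square mod p and != 1, so it has prime order q

P, Q, G = toy_group()

def keygen():
    """Auditor key pair (hypothetical helper): sk in [1, q-1], pk = g^sk."""
    sk = 1 + secrets.randbelow(Q - 1)
    return sk, pow(G, sk, P)

def split_segments(value):
    """Split a 128-bit integer into 8 big-endian 16-bit segments (order is an assumption)."""
    if not 0 <= value < 1 << (SEG_BITS * SEG_COUNT):
        raise ValueError("value must fit in 128 bits")
    mask = (1 << SEG_BITS) - 1
    return [(value >> (SEG_BITS * i)) & mask for i in reversed(range(SEG_COUNT))]

def encrypt(value, pk):
    """Encrypt each segment m as (g^r, g^m * pk^r) with a fresh r per segment."""
    out = []
    for m in split_segments(value):
        r = 1 + secrets.randbelow(Q - 1)
        out.append((pow(G, r, P), pow(G, m, P) * pow(pk, r, P) % P))
    return out

def build_table():
    """Auditor precomputation: map g^m -> m for every 16-bit m (65536 entries)."""
    table, acc = {}, 1
    for m in range(1 << SEG_BITS):
        table[acc] = m
        acc = acc * G % P
    return table

def audit_decrypt(ciphertexts, sk, table):
    """Recover g^m = c2 / c1^sk per segment, then look m up in the table."""
    if len(ciphertexts) != SEG_COUNT:
        raise ValueError("expected 8 segment ciphertexts")
    value = 0
    for c1, c2 in ciphertexts:
        gm = c2 * pow(c1, Q - sk, P) % P   # c1^(q-sk) = c1^(-sk) for an honest c1 of order q
        if gm not in table:                # wrong key, tampering, or a segment over 16 bits
            raise ValueError("segment does not decode to a 16-bit message")
        value = (value << SEG_BITS) | table[gm]
    return value

if __name__ == "__main__":
    sk, pk = keygen()
    record = 0x0123456789ABCDEFFEDCBA9876543210   # constructed 128-bit sample value
    assert audit_decrypt(encrypt(record, pk), sk, build_table()) == record
```

Splitting into 16-bit segments is what keeps the audit step practical: decryption yields g^m rather than m, so the auditor needs a table of 2^16 entries per segment instead of a discrete logarithm over a 128-bit message space.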

4.4. Vaccine Passport

The signing of the vaccine passport is accomplished by the vaccination hospital. This process uses ring signature [19] to ensure the anonymity of the vaccination hospital when issuing the authorization. During the presentation of the vaccine passport, the vaccination properties are proven using the Bulletproofs scheme [20] in range proofs to guarantee the validity of the vaccine without exposing the vaccine information. Before using Bulletproofs, it uses interactions to transform the relationships of vaccine attributes into relationships suitable for Bulletproofs range proofs [21]. The identity privacy of the owner of the vaccine passport is protected using the same one-time public key technique as that used to protect the identity of the user in the previous vaccination record system.

After the user receives the last vaccination at the hospital, the hospital uploads the vaccination record information to the consortium blockchain. The hospital then issues a vaccine passport to the user.

4.4.1. Vaccine Passport Issue

(1) The user commits the date of vaccination , production date , shelf life , and the duration of immunization by selecting and generates commitments . The user sends to the vaccination hospital. For the user identity certificate issued by the CA, the user randomly selects to send to .
(2) receives the user information and opens the commitment and checks: If one of the equations does not hold, refuses to issue a vaccine passport to its user. Otherwise, accepts to issue a vaccine passport for the user.
(3) generates a ring signature for the vaccine passport information . First, it lets and selects public keys of other hospitals. Then, it randomly picks seed and . Suppose that is a trapdoor one-way function such as RSA. It computes and to go along the ring from signer index . It closes the ring by computing and uses secret key of signing to compute . randomly selects an index and outputs the ring signature .
(4) outputs vaccine passport

4.4.2. Vaccine Passport Proof
(1) User generates new one-time public and secret keys pair by OTpkGen and OTskGen. The user needs proof to vaccine passport checkpoint:
(2) Vaccine passport checkpoint verifies the legitimacy of the ring signature . The verification is straightforward; the vaccine passport checkpoint starts at index with value . If , it verifies that the vaccine passport has the hospital’s valid ring signature.
(3) The vaccine injected by the user is within the shelf life. It requires that the inequality be satisfied.
The user produces high titers of antibodies to create effective protection. This corresponds to the last date of vaccination plus 14 days [11], which needs to be greater than the current date. It requires that the inequality be satisfied, where is the current date.
The vaccinated user is in the duration of immunization for the vaccine. This is equivalent to the last date of vaccination plus the vaccine immunity lasting time needs to be less than the current date. It requires that the inequality be satisfied.
(4) After vaccine passport checkpoint returns , the above range proof translates to

5. Security Analysis

Definition 1. Threshold signature scheme is called secure robust threshold signature scheme if the following two conditions hold:
(i) Unforgeability: for every PPT adversary A, it is allowed to corrupt up to participants in the threshold system and is given the oracle channel to ask a finite number of messages and threshold signatures . Eventually, it forges with negligible probability a valid , and is not in the set of previous queries .
(ii) Robustness: for every PPT adversary A, it is allowed to corrupt up to participants in the threshold system, and threshold signature protocol runs successfully.

Theorem 1. -threshold signature scheme under the GDH group is a secure threshold signature scheme in the random oracle model against an adversary which is allowed to corrupt any participants.

Definition 2. (Soundness). The vaccination information privacy protocol is sound if for all PPT adversary with oracle to query polynomial level times VaccInfoEnc, and then,

Theorem 2. The vaccination information privacy protocol is sound if DLP is hard, and the protocol provides knowledge of soundness.

Proof. It rewinds , where and computes , . It extracts the knowledge of

Definition 3. (Privacy). The vaccination information is private in the protocol if for all PPT adversary :

Theorem 3. The vaccination information is private in the protocol if DDH is hard in , and the protocol is HVZK.

Proof. The encryption used in this protocol is the ElGamal encryption algorithm. The security of this encryption is based on the DDH assumption. If the DDH assumption is difficult on , the vaccination information of this protocol is private during transmission.
The simulator of this protocol randomly picks . Then, it computes where they are indistinguishable from real protocol interactions. The simulator sets as in the random oracle model. Therefore, this protocol provides zero-knowledge of vaccination information.

Definition 4. (Soundness). The users (including hospitals and vaccination users) privacy protocol is sound if for all PPT adversary with oracle to query polynomial level times CACertIssue, and then,
(i) The public key of the user (including hospital and vaccination user) is issued a valid certificate :
(ii) is computed from a public key and the public key is encrypted to the auditor:

Theorem 4. The users (including hospitals and vaccination users) privacy protocol is sound if the q-SDH assumption holds in in the random oracle model, where is the maximum number of CACertIssue oracle queries, and the protocol provides knowledge of soundness.

Proof. It rewinds , where , and computes . It extracts the knowledge of . The BBS+ signature is unforgeable against adaptively chosen message attack under the q-SDH assumption.

Definition 5. (Anonymity). The anonymity of users (including hospitals and vaccination users) is enabled in the protocol if for all PPT adversary ,

Theorem 5. The anonymity of users (including hospitals and vaccination users) is enabled in the protocol if CDH is hard in , and the protocol is HVZK.

Proof. The encryptions and used in this protocol are the ElGamal encryption algorithm. The security of this encryption is based on the DDH assumption. The one-time public key and generation algorithm is based on the CDH assumption. If the CDH assumption is difficult on , the anonymity of users (including hospitals and vaccination users) is enabled during transmission.
The simulator of this protocol randomly picks . Then, it computes where they are indistinguishable from real protocol interactions. The simulator sets as in the random oracle model. Therefore, this protocol provides zero-knowledge of CA certificate for the user’s long-term public key and the user’s long-term public key.

Definition 6. (Soundness). The vaccination information endorsement protocol is sound if for all PPT adversary with oracle to query polynomial level times EndorserCredIssue, and then, this vaccination information and is issued a valid certificate by the endorsement nodes:

Theorem 6. The vaccination information endorsement protocol is sound if the q-SDH assumption holds in in the random oracle model, where is the maximum number of EndorserCredIssue oracle queries, and the protocol provides knowledge of soundness.

Proof. It rewinds , where , and computes . It extracts the knowledge of . The BBS+ signature is unforgeable against adaptively chosen message attack under the q-SDH assumption.

Definition 7. (Privacy). The vaccination information is private in the protocol if for all PPT adversary ,

Theorem 7. The vaccination information is private in the protocol if the protocol is HVZK.

Proof. The simulator of this protocol randomly picks . Then, it computes where they are indistinguishable from real protocol interactions. The simulator sets as in the random oracle model. Therefore, this protocol provides zero-knowledge of vaccination information.

Lemma 1. (Ring lemma). Ring signature is unforgeable if the DL assumption holds. The anonymity of the ring signature is unconditional.

Lemma 2. The Bulletproof has perfect completeness, perfect special honest verifier zero-knowledge, and computational witness extended emulation.

6. System Analysis

6.1. Security and Privacy

We compare the vaccine system proposed in this study with other solutions proposed in academia and platform systems that have been applied in practice, as given in Table 1. The main aspects of comparison are the blockchain structure, the domain covered by the system, the properties of user privacy protection, and auditability.

In terms of vaccine system structure, the nonblockchain-based vaccine system is represented by the China health code system, a digital vaccine certificate implemented by the Chinese government based on Alipay, a trusted third party. The authentication of the vaccine certificate is done by the verifier through the QR code in the Alipay wallet app. Blockchain-based vaccine systems, by contrast, mainly take advantage of the immutability and decentralized property of blockchain to create a more credible and secure vaccine system, which is also the trend of vaccine system research. The main types of blockchains in vaccine systems are public blockchains, private blockchains, and consortium blockchains. In this study and [10], a double-chain structure is used. However, under the assumption of global recognition, the consortium blockchain has an advantage over the private blockchain in terms of use coverage.

In terms of privacy protection, we divide user privacy into user identity privacy, vaccination hospital privacy, and privacy of vaccination records. Systems with a single public blockchain structure, for example [5, 6], do not protect user privacy. The blockchain of vaccination records in [7] keeps sensitive information of users out of the blockchain and protects user privacy to some extent. The schemes in [8, 10, 22, 23] use a private blockchain or consortium blockchain for participants’ identity authentication to protect user privacy. Qiu and Zhu [10] stored all the vaccination records in a private blockchain and Alabdulkarim et al. [24] stored the private data on the private database of the authorized specific peer. However, this does not prevent the nodes in the private blockchain from leaking users’ vaccination privacy, and the storage of vaccination records would be centralized. In the study by Abid et al. [8], the vaccination certificate is issued by the healthcare provider (issuer) with a signature. Therefore, this process can expose the privacy of the user’s vaccination hospital. Also, this scheme cannot audit the vaccination information because it uses a private blockchain and a certain degree of information encryption. Both [22, 23] use a consortium blockchain structure but do not encrypt user privacy information, so these two schemes guarantee the privacy of user personal information only to some extent. However, the privacy of vaccination hospitals cannot be guaranteed.

6.2. Performance Analysis

The main objective of this study is to propose a framework for a double-chain-based vaccine passport system and to refine the design of the protocol between specific participants. The goal of this study is to provide a systematic solution to the vaccine passport, with a focus on the theoretical aspect. Therefore, only a qualitative analysis of the system’s performance is presented here.

The additional performance overhead of the public blockchain-based vaccine cold chain phase is mainly in the approval phase. For each approval process of vaccines sent for review, the approval institutions in each country need to participate in the distributed setting of threshold secret sharing of the value . For each distributed key generation protocol, it is assumed that there are approval institutions, and each institution needs to generate 2 random polynomials. At the same time, each approval authority broadcasts the commitment of polynomials to the other approval authorities. The communication data volume of the whole broadcast channel is .

The permissioned blockchain framework for the vaccination record phase of this study is based on the Hyperledger Fabric architecture. By referring to the idea of PAChain [15], the privacy of the vaccination records is protected among the endorsers, orderers, and committing peers. This study removes the trust in the endorser compared to PAChain, which adds to the authentication protocol. Therefore, the system latency in this phase is slightly higher than PAChain.

The performance bottleneck in the passport identification phase is mainly due to the range proof of the vaccine attributes. Benefiting from the efficiency and aggregability of Bulletproofs [20], the proof size of vaccine passports in the presentation phase is for a batch size of users and the vaccine attribute length of bits. For the specific case where the vaccine attribute is 64 bits , the proof size for a single user is bytes, while the aggregated proof size for 512 users is bytes.

Based on the results of the above system performance analysis, we believe that the vaccine passport system proposed in this study is feasible for development and implementation. In future implementations, accepting a tolerable loss of system performance in exchange for abundant privacy-preserving security properties should be considered in advance.

7. Conclusion

This study makes improvements to the vaccine approval part of the previous vaccine distribution and management system. The introduction of a threshold signature scheme in distributed vaccine approval institutions has a certain degree of deterrence against collusive corruption between vaccine approval institutions and vaccine manufacturing companies. Second, the privacy protection in the previous double-chain system is optimized. In this study, the privacy protection of vaccination hospitals, vaccine trusts, and vaccination users is added to the audit function, which increases the controllability and auditability of the vaccination record system in practice. Finally, the vaccine passport proposed in this study protects the privacy of the user’s vaccination hospital, the vaccine, and the user’s identity while proving the validity and legitimacy of the passport to the vaccine passport checkpoint. Moreover, it is possible to differentiate and adopt targeted measures and policies for different conditions of the vaccine passport. Future work in this study lies in weakening the authority of local vaccination hospitals in the system. It can increase the link between the double chains using corresponding cryptographic techniques.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.