A blockchain-based medical data sharing system and access permission proxy method
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- ANHUI NORMAL UNIV
- Filing Date
- 2022-04-14
- Publication Date
- 2026-07-07
AI Technical Summary
Existing cloud-based permission proxy solutions suffer from security issues such as single points of failure and collusion attacks in medical data sharing. Furthermore, data owners need to interact with users frequently, resulting in low data security and efficiency.
A blockchain-based medical data sharing system is adopted, which combines attribute encryption and proxy re-encryption technologies. Fine-grained access control and permission proxy are achieved through smart contracts. Data is stored using IPFS, and data owners can control the proxy depth and permission transfer.
It enables secure storage and fine-grained access control of medical data, improves data security and efficiency, reduces the burden on data owners, and protects data privacy.
Smart Images

Figure CN114708939B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of access control and privacy protection technology, specifically to a blockchain-based medical data sharing system and access permission proxy method. Background Technology
[0002] Electronic health record (EHR) sharing enables patients to access better and more efficient healthcare services, gradually alleviating problems such as uneven distribution of medical resources, high medical costs, low efficiency, and information silos in the traditional healthcare system. Due to the privacy-sensitive nature of EHRs, data security is a prerequisite for data sharing. Generally, access control is one of the key technologies for ensuring data security in data sharing systems. Most existing access control mechanisms rely on authorization from the data owner. These schemes require frequent interaction between the data owner and the data user, which is a significant challenge in EHR sharing systems because the data owner may often be offline. A promising solution is to delegate permissions to the delegated party, which helps alleviate the burden on the data owner.
[0003] Access control can be achieved by flexibly delegating patient permissions to other users (such as healthcare professionals). Most access control proxy solutions are implemented in the cloud. The cloud not only provides ample storage space but also facilitates data transfer between stakeholders. However, because the cloud is a semi-trusted entity that is not entirely trustworthy, cloud-based access control proxy solutions are susceptible to security issues such as single points of failure and collusion attacks. Summary of the Invention
[0004] The purpose of this invention is to provide a blockchain-based medical data sharing system and access permission proxy method. This system and method allow patients to set access control policies for encrypted data, enabling fine-grained access control. Data owners can control the proxy depth while granting permissions, thus improving data security. This invention combines blockchain technology with attribute-based proxy re-encryption to achieve secure data sharing, and uses IPFS to store medical data to compensate for the storage limitations of blockchain.
[0005] To achieve the above objectives, embodiments of the present invention provide a blockchain-based medical data sharing system, the blockchain-based medical data sharing system comprising:
[0006] The agent's endpoint is used for:
[0007] The original medical data is encrypted to obtain encrypted data, and the encrypted data is then sent to the InterPlanetary File System.
[0008] Set up an access control policy to encrypt the key of the encrypted data and the file hash address corresponding to the original medical data into ciphertext, and upload it to the blockchain for sharing;
[0009] Wherein, the agent's terminal can authorize the principal's terminal, so that the agent's terminal that meets the access policy can decrypt and obtain the original medical data from the blockchain;
[0010] Deploy smart contracts that include re-delegation permissions and delegation depth set for the principal;
[0011] The terminal where the principal is located is used for:
[0012] Send an access request to the client where the agent is located and obtain the agent's proxy permissions;
[0013] Obtain re-delegation permissions and proxy depth by invoking the smart contract;
[0014] The key used to decrypt the ciphertext is obtained through a decryption algorithm;
[0015] The encrypted data is retrieved from the InterPlanetary File System and then decrypted to obtain the original medical data.
[0016] In addition, the present invention also provides a blockchain-based medical data access permission proxy method, using the aforementioned blockchain-based medical data sharing system, wherein the blockchain-based medical data access permission proxy method includes:
[0017] Initialize the medical data sharing system;
[0018] Generate the private key of the proxied party;
[0019] Generate ciphertext corresponding to the agent's original medical data, obtain the file hash address, encrypt the key used to encrypt the medical data and the hash address, and generate ciphertext with a hidden access control policy.
[0020] The agent generates a re-encryption key for the principal and sets the agent depth. The blockchain performs re-encryption to transform the ciphertext into a ciphertext form that the principal can decrypt.
[0021] The principal decrypts the ciphertext to obtain the key and file hash address of the encrypted data, and the principal retrieves the encrypted data from the InterPlanetary File System and decrypts it to complete data sharing.
[0022] The principal can become a new agent to continue the agency authority until the agency depth is zero, at which point the multi-level agency process ends.
[0023] Preferably, initializing the medical data sharing system includes:
[0024] Configured with safety parameter χ, select two large prime numbers p, q and a bilinear pair e: G × G → G T Where G is the additive cyclic group, G T It is a multiplicative cyclic group; P1 and P2 are two generators on the elliptic curve of the cyclic group G. Choose from the following three hash functions:
[0025]
[0026] H2:{0,1} * →G,
[0027] H3:{0,1} * →G;
[0028] Randomly select a parameter And calculate h = aP1;
[0029] The common parameters for initializing the intelligent medical network system are:
[0030] param=(h,G,G T ,P1,P2,H1,H2,H3,e(P1,P1)).
[0031] Preferably, generating the private key of the proxied party includes:
[0032] The principal is randomly selected Calculate K1 = atP1 + P1, K2 = tP1, x is an attribute in attribute set S, where the private key of the proxied party is
[0033] Preferably, the step of generating ciphertext corresponding to the agent's original medical data, obtaining the file hash address, encrypting the key used to encrypt the medical data and the hash address, and generating ciphertext with a hidden access control policy includes:
[0034] The data owner selects a symmetric key k and randomly executes the algorithm Enc(·) to generate the ciphertext C of the encrypted data from the original medical data. m =Enc k (m), the data owner uploads C m Access the InterPlanetary File System and obtain the hash address of the original medical data.
[0035] The principal selects a linear secret sharing scheme to access the structure (M, ρ(i)), where M is an l×n matrix, ρ(i) is a function representing the mapping of row vectors of M to attributes, s = H1(k), and let vector v = (s, y2, ..., y n ),in For i = 1 to l, set λ i =v·M i M i It is the i-th row vector of M; choose Calculate A1 = k·e(P1,P1) s A2 = s·P1, A3 = s·P2, Obtain the ciphertext
[0036] Preferably, the agent generates a re-encryption key for the principal and sets the agent depth, and the blockchain re-encrypts the ciphertext to transform it into a ciphertext form that the principal can decrypt, comprising:
[0037] The agent assigns a secret value s to the principal j. j , j is the number of times the current permission can be delegated; if j=1, calculate If j>1, calculate The agent for s j Signature, will (s j ,sign(s j The agent sends the data to the principal; the agent deploys the smart contract and sets the agent depth D on the smart contract;
[0038] The blockchain calculates three equations. e(A j-1,2, P2)=e(P1,A j-1,3 ), Does the equation hold true? If it does, calculate A. j,1 =A j-1,1 ·rk j-1→j A j,2 =A j-1,2 A j,3 =A j-1,3 , The blockchain invokes a smart contract to make D = D-1; thus obtaining the j-th level ciphertext.
[0039] Preferably, the key and file hash address used by the principal to decrypt the ciphertext to obtain the encrypted data include:
[0040] The principal invokes a smart contract to determine whether D≥1 holds true; if true, it retrieves the j-th level ciphertext from the blockchain. The principal calculates using the private key. calculate Judge A j,3 If H1(k′)P2 is true, it means that the attributes of the principal j satisfy the access control policy set by the agent. Obtain the symmetric key k′ and the file hash address.
[0041] Preferably, the process of the principal obtaining and decrypting the encrypted data from the InterPlanetary File System to complete data sharing includes:
[0042] The agent uses a file hash address. Retrieve EHR Ciphertext C from InterPlanetary File System m ;
[0043] The original medical data m is obtained by calculating based on the symmetric key k' using the following formula: m = Dec k (C m ), to complete data sharing.
[0044] Preferably, the ability of the principal to become a new agent and continue the agency authority until the agency depth reaches zero includes:
[0045] If the smart contract fails to determine that D≥1, the multi-level permission delegation process ends.
[0046] In addition, the present invention also provides a machine-readable storage medium storing instructions for causing a machine to execute the above-described blockchain-based medical data access permission proxy method.
[0047] Through the above technical solutions, this invention achieves secure storage of medical data by combining the symmetric encryption algorithm (AES) and IPFS distributed storage. It employs attribute encryption with a ciphertext strategy to achieve fine-grained access control, uses an improved proxy re-encryption technique to achieve secure data sharing, and uses smart contracts to ensure that the proxy depth of permission delegation is controlled by the data owner. This invention not only achieves secure storage, access control, and sharing of medical data for the data owner, but also protects the owner's privacy and data security, achieving fine-grained access control and controllable permission delegation, aligning with the current development trend of medical data sharing in the context of the value internet.
[0048] Other features and advantages of the embodiments of the present invention will be described in detail in the following detailed description section. Attached Figure Description
[0049] The accompanying drawings are provided to further illustrate embodiments of the present invention and form part of the specification. They are used together with the following detailed description to explain the embodiments of the present invention, but do not constitute a limitation thereof. In the drawings:
[0050] Figure 1 This is an interactive block diagram illustrating a blockchain-based medical data sharing system according to the present invention;
[0051] Figure 2 This is a block diagram illustrating a blockchain-based medical data sharing system according to the present invention; and
[0052] Figure 3 This is a flowchart illustrating a blockchain-based access permission proxy method according to the present invention. Detailed Implementation
[0053] The specific embodiments of the present invention will be described in detail below with reference to the accompanying drawings. It should be understood that the specific embodiments described herein are for illustration and explanation only and are not intended to limit the scope of the present invention.
[0054] Example 1
[0055] Figure 1 This is a module interaction diagram of a blockchain-based medical data sharing system provided in Embodiment 1 of the present invention. It should be noted that the "agent's end" in this invention refers to the end where the agent operates, while the "principal's end" refers to the end where the principal operates. For example... Figure 1 , 2 As shown, the blockchain-based medical data sharing system includes:
[0056] The agent's endpoint is used for:
[0057] Encrypt and send the encrypted raw data to the InterPlanetary File System;
[0058] Set up an access control policy to encrypt the key for encrypting the original data and the corresponding file identifier into ciphertext.
[0059] The encrypted data is uploaded to the blockchain for sharing, where an agent can authorize the principal to decrypt the data and obtain the original data if the access policy is met.
[0060] Deploy smart contracts to set re-delegation permissions and delegation depth for the principal;
[0061] The terminal where the principal is located is used for:
[0062] Send an access request to the agent and obtain proxy privileges;
[0063] Obtain re-delegation permissions and proxy depth by calling smart contracts;
[0064] The key used to decrypt the ciphertext of medical data is obtained through a decryption algorithm;
[0065] Retrieve encrypted medical data from the InterPlanetary File System and decrypt it to obtain the original medical data.
[0066] In summary, the system consists of four phases: In the system initialization phase, each user registers a blockchain account in the consortium blockchain to join the system. The Key Generation Center (KGC) generates system parameters and generates a private key for each user based on their attributes. In the data storage phase, the agent uploads the encrypted EHR to IPFS and receives the file hash address returned by IPFS. The agent then encrypts the symmetric key and hash address using attributes and uploads them to the blockchain, setting access control policies for the ciphertext. In the delegation phase, when the principal initiates a delegation request to the agent, the agent generates a corresponding one-to-one re-encryption key and uploads it to the blockchain. The agent can control the principal's re-delegation permissions by setting the delegation depth through a smart contract. When the smart contract receives the re-encryption key, it automatically verifies the delegation conditions. If the conditions are met, the smart contract re-encrypts the ciphertext, converting it into a form that the principal can decrypt. To achieve multi-hop delegation, an authorized principal can become a new agent and perform the same functions as above until the delegation depth reaches zero. In the data sharing phase, if the principal meets the access policy, it can decrypt the ciphertext to obtain the hash address and symmetric key. The original ciphertext is received from IPFS and decrypted. This invention enables efficient data sharing in a medical data sharing system, and achieves fine-grained access control and permission proxying.
[0067] Example 2
[0068] In Example 1, a blockchain-based medical data sharing system is disclosed. The establishment of this system and the method for implementing a blockchain-based access permission proxy method using this system require the following implementation: Figure 3 As shown, establishing and using the aforementioned blockchain-based medical data sharing system to implement the blockchain-based access permission proxy method includes:
[0069] S301, Initialize the medical data sharing system;
[0070] S302, Generate the private key of the proxied party;
[0071] S303, Generate ciphertext corresponding to the agent's original medical data, receive the file hash address, and encrypt it to generate ciphertext with a hidden access control policy;
[0072] S304, the agent generates a re-encryption key for the principal and sets the agent depth, and the blockchain performs re-encryption to convert the ciphertext into a ciphertext form that the principal can decrypt;
[0073] S305, the proxy decrypts and generates a symmetric key and file address; and the proxy obtains and decrypts the EHR from the InterPlanetary File System, completing data sharing; and
[0074] S306, the principal can become a new agent to further delegate authority until the agent depth is zero, and the multi-level authority delegation process ends.
[0075] Preferably, in step S301, initializing the medical data sharing system includes:
[0076] S3011, configured with the safety parameter χ, selects two large prime numbers p and q and a bilinear pair e: G×G→G T Where G is the additive cyclic group, G T It is a multiplicative cyclic group; P1 and P2 are two generators on the elliptic curve of the cyclic group G. Choose from the following three hash functions:
[0077]
[0078] H2:{0,1} * →G,
[0079] H3:{0,1} * →G;
[0080] S3012, the system randomly selects a parameter. And calculate h = aP1;
[0081] S3013, initialize the common parameters of the intelligent medical network system as follows:
[0082] param=(h,G,G T ,P1,P2,H1,H2,H3,e(P1,P1)).
[0083] Preferably, generating the private key of the proxied party in S302 includes:
[0084] S3021, the principal is randomly selected Calculate K1 = atP1 + P1, K2 = tP1, x is an attribute in the attribute set S, where the private key of the proxied entity is...
[0085] Preferably, in step S303, generating ciphertext corresponding to the agent's original medical data and generating a file hash address in IPFS, encrypting the key for encrypting the medical data with the hash address to generate ciphertext with a hidden access control policy includes:
[0086] S3031, the data owner selects a symmetric key k and randomly executes the algorithm Enc(·) to generate EHR ciphertext C for the original data. m =Enc k (m), the data owner uploads C m Access the InterPlanetary File System and obtain the hash address of the original data.
[0087] S3032, the principal selects a linear secret sharing scheme to access the structure (M, ρ(i)), where M is an l×n matrix, ρ(i) is a function representing the mapping of row vectors of M to attributes, s = H1(k) is set, and the vector v = (s, y2, ..., y...). n ),in For i = 1 to l, set λ i =v·M i M i It is the i-th row vector of M; choose Calculate A1 = k·e(P1,P1) s A2 = s·P1, A3 = s·P2, Obtain the ciphertext
[0088] Preferably, in S304, the agent generates a one-to-one re-encryption key for the principal and sets the agent depth, and the blockchain performs re-encryption to transform the ciphertext into a ciphertext form that the principal can decrypt, including:
[0089] S3041, the agent assigns a secret value s to the principal j. j , j is the number of times the current permission can be delegated; if j=1, calculate If j>1, calculate The agent for s j Signature, will (s j ,sign(s j The agent sends the data to the principal; the agent deploys the smart contract and sets the agency depth D on the smart contract; and
[0090] S3042, the blockchain calculates three equations e(A j-1,2, P2)=e(P1,A j-1,3 ), Does the equation hold true? If it does, calculate A. j,1 =A j-1,1 ·rk j-1→j A j,2 =A j-1,2 A j,3 =A j-1,3 , The blockchain invokes a smart contract to make D = D-1; thus obtaining the j-th level ciphertext.
[0091] Preferably, the key and file hash address for the proxy to decrypt the ciphertext to obtain the encrypted data in S305 include:
[0092] The principal invokes a smart contract to determine whether D≥1 holds true; if true, it retrieves the j-th level ciphertext from the blockchain. The principal calculates using the private key. calculate Judge A j,3 If H1(k′)P2 is true, it means that the attributes of the principal j satisfy the access control policy set by the agent, and the symmetric key k′ and file address can be obtained.
[0093] Preferably, the key and file hash address for the proxy to decrypt the ciphertext to obtain the encrypted data in S305 include:
[0094] S3051, the agent uses a file address Retrieve EHR Ciphertext C from InterPlanetary File System m ;
[0095] S3052, the original data m is obtained by calculating based on the symmetric key k' using the following formula: m = Dec k' (C m )
[0096] Preferably, the ability of the principal to become a new agent and continue the agency authority until the agency depth reaches zero includes:
[0097] If the smart contract fails to determine that D≥1, the multi-level permission delegation process ends.
[0098] In particular, Embodiment 2 includes the generation method of the blockchain-based medical data sharing system in Embodiment 1 and the sharing method of the entire data. The generation and sharing processes are executed synchronously, or the data can be established first and then shared.
[0099] For example, an agent could be patient A, who generates health records through interactions with a doctor. These records might attract the interest of other research institutes or companies. To protect their privacy and data security, patient A encrypts their raw data and sends it to IPFS. Upon receiving feedback from IPFS, patient A encrypts the symmetric key and file address information and uploads them to the blockchain for sharing. Only patient A can set access control policies for the ciphertext, delegate permissions to other users, and set the delegation depth. The principal could be a health center B, wishing to access patient A's health records. B can request access from A, who generates a one-to-one re-encryption key and sets the user's delegation depth. The smart contract converts the ciphertext into a form that B can decrypt, provided B meets the access control policies set by A. If B successfully obtains access, they can become a new agent and delegate permissions to other users (such as a medical representative C). If the delegation depth is 0, B does not have the permission to re-delegate; if the delegation depth is greater than 0, B can re-delegate access to C. The number of delegations is automatically calculated by the smart contract.
[0100] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0101] This application is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this application. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart... Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.
[0102] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1The function specified in one or more boxes.
[0103] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.
[0104] In a typical configuration, a computing device includes one or more processors (CPU), input / output interfaces, network interfaces, and memory.
[0105] Memory may include non-persistent memory in computer-readable media, such as random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of computer-readable media.
[0106] Computer-readable media includes both permanent and non-permanent, removable and non-removable media that can store information using any method or technology. Information can be computer-readable instructions, data structures, modules of programs, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile optical disc (DVD) or other optical storage, magnetic tape, magnetic magnetic disk storage or other magnetic storage devices, or any other non-transferable medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media does not include transient computer-readable media, such as modulated data signals and carrier waves.
[0107] It should also be noted that the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article, or apparatus. Unless otherwise specified, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes that element.
[0108] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0109] The above are merely embodiments of this application and are not intended to limit the scope of this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of the claims of this application.
Claims
1. A blockchain-based method for proxying access to medical data, characterized in that, A blockchain-based medical data sharing system is used, the blockchain-based medical data sharing system comprising: The agent's endpoint is used for: The original medical data is encrypted to obtain encrypted data, and the encrypted data is then sent to the InterPlanetary File System. Set up an access control policy to encrypt the key of the encrypted data and the file hash address corresponding to the original medical data into ciphertext, and upload it to the blockchain for sharing; Wherein, the agent's terminal can authorize the principal's terminal, so that the principal's terminal that meets the access policy can decrypt and obtain the original medical data from the blockchain; Deploy smart contracts that include re-delegation permissions and delegation depth set for the principal; The terminal where the principal is located is used for: Send an access request to the client where the agent is located and obtain the agent's proxy permissions; Obtain re-delegation permissions and proxy depth by invoking the smart contract; The key used to decrypt the ciphertext of medical data is obtained through a decryption algorithm; The encrypted data is retrieved from the InterPlanetary File System and decrypted to obtain the original medical data; the blockchain-based medical data access proxy method includes: Initialize the medical data sharing system; Generate the private key of the proxied party; Generate ciphertext corresponding to the agent's original medical data, obtain the file hash address, encrypt the key used to encrypt the medical data and the hash address, and generate ciphertext with a hidden access control policy. The agent generates a re-encryption key for the principal and sets the agent depth. The blockchain performs re-encryption to transform the ciphertext into a ciphertext form that the principal can decrypt. The principal decrypts the ciphertext to obtain the key and file hash address of the encrypted data, and the principal retrieves the encrypted data from the InterPlanetary File System and decrypts it to complete data sharing. The principal can become a new agent to continue the agency authority until the agency depth is zero, and the multi-level agency process ends. The initialization of the medical data sharing system includes: Security parameters are configured Choose two large prime numbers , and a bilinear pair ,in, It is an additive cyclic group. It is a multiplication cyclic group; and It is a cyclic group Given two generators on an elliptic curve, choose one of the following three hash functions: , , ; Randomly select a parameter and calculate ; The common parameters for initializing the intelligent medical network system are: ; The generation of the private key of the proxies includes: The principal is randomly selected ,calculate , It is an attribute set The attribute in, wherein the private key of the proxied is ; The process of generating ciphertext corresponding to the agent's original medical data, obtaining the file hash address, encrypting the key used to encrypt the medical data and the hash address to generate ciphertext with a hidden access control policy includes: The data owner selects a symmetric key. Random execution algorithm The encrypted data is generated from the original medical data. The data is uploaded by the owner. Access the InterPlanetary File System and obtain the hash address of the original medical data. ; The agent selects a linear secret sharing scheme to access the structure. , It is matrix, Function representation The row vectors are mapped to attributes, and settings are made. Let vector ,in ;for arrive ,set up ,in yes The Row vectors; selection ,calculate , , , , Obtain the ciphertext ; The agent generates a re-encryption key for the principal and sets the agent depth, and the blockchain re-encrypts the ciphertext to transform it into a ciphertext form that the principal can decrypt, including: The agent is the principal. Assign secret value , This represents the number of times the current permissions can be delegated; if At that time, calculate ,like At that time, calculate The agent is Signature, will Send to the principal; the agent deploys the smart contract and sets the proxy depth on the smart contract. ; The blockchain calculates three equations. , , Does it hold true? If the equation holds true, calculate... , , , , , The blockchain calls the smart contract to enable... ; Obtain the first ciphertext .
2. The blockchain-based medical data access permission proxy method according to claim 1, characterized in that, The key and file hash address used by the principal to decrypt the ciphertext to obtain the encrypted data include: The principal invokes the smart contract to determine Whether it is valid; if valid, obtain the first [item] from the blockchain. ciphertext The principal calculates using the private key. ;calculate ;judge Whether it is valid or not, if valid, it means that the principal mentioned is not represented. The attributes satisfy the access control policy set by the agent to obtain the symmetric key. With file hash address .
3. The blockchain-based medical data access permission proxy method according to claim 2, characterized in that, The process of the principal obtaining and decrypting the encrypted data from the InterPlanetary File System to complete data sharing includes: The agent uses a file hash address. Retrieving EHR Ciphers from the InterPlanetary File System ; Based on symmetric key The original medical data is obtained by calculating using the following formula. m : To achieve data sharing.
4. The blockchain-based medical data access permission proxy method according to claim 2, characterized in that, The ability of the principal to become a new agent and continue the agency authority until the agency depth reaches zero includes: If the smart contract determines Failure; the multi-level permission proxy process has ended.
5. A machine-readable storage medium storing instructions for causing a machine to perform the blockchain-based medical data access proxy method according to any one of claims 1-4.