Practical Medical Files Sharing Scheme Based on Blockchain and Decentralized Attribute-Based Encryption

Medical files can help people prevent diseases, increase cure rates, promote medical development and help solve major public health crises. However, medical files are strongly private. How to share medical files while preserving privacy and data security is an urgent problem. Existing models based on a centralized certificate authority are feasible, but they can suffer a single point of failure. In addition, these models do not match real-life scenarios, since they are only suitable for a single patient. Therefore, this paper proposes a practical medical file sharing scheme based on blockchain and decentralized attribute-based encryption. The blockchain is used to record applications for and grants of authorization. Smart contracts provide an interactive platform for all users in the system. By utilizing decentralized attribute-based encryption, fine-grained access control of medical files is carried out to ensure privacy and security while avoiding a single point of failure. Attribute-based algorithms that support multi-person democratic decision making and dynamic personnel changes are designed to bring the model much closer to real scenarios. Finally, security analysis, performance analysis and comparison with other solutions show that the scheme in this paper can meet the needs of real-life scenarios in terms of security and practicability, and provides a new practical model for medical file sharing.


I. INTRODUCTION
In the traditional medical field, paper medical records and imaging materials have already begun to transform into computer-stored electronic data. Medical files such as electronic medical records, CT, B-ultrasound, and MRI images are mainly stored in the hospital database. Medical files can provide theoretical references for follow-up treatment, so that doctors can propose particular treatment methods based on changes in various indicators. At the same time, timely sharing of suspicious cases can provide data support for major public health crises such as the COVID-19 [1], enabling doctors and scholars around the world to conduct joint research and speed up the progress of the epidemic control.
However, data sharing between different hospitals is still in its initial stage. The electronic medical files of patients cannot be carried out from the hospital. They can only rely on handwritten medical records and printed images. A large number of repeated examinations occur during referral, which increases the financial burden of patients. The lack of information exchange may even cause the patient to miss the best treatment time. In addition, the patient's medical files are extremely private. Once disclosed, they will increase the patient's psychological burden and cause medical disputes and corresponding social problems. Therefore, there is an urgent need for a medical file sharing scheme that can not only ensure the safety of patient information, but also appropriately share medical files with specific targets.
The associate editor coordinating the review of this manuscript and approving it for publication was Gautam Srivastava.
In order to realize the sharing of medical files and allow patients to control their own medical files to the maximum extent at the same time, some scholars consider using Attribute-based Encryption (ABE) to control access to medical files. ABE has been used in many fields, such as Internet of Things [2] and cloud computing [3]. It can reduce communication and computing overhead while sharing information in one-to-many scenarios. It can also be used for access control and permission distribution. ABE can be divided into KP-ABE (Key-Policy Attribute-based Encryption) and CP-ABE (Ciphertext-Policy Attribute-based Encryption). Most medical file management schemes use CP-ABE. Alshehri et al. [4] proposed a scheme which stores data in the cloud and uses ABE to control the access list to achieve fine-grained division. Gandikota and Reddy [5] used searchable symmetric encryption and ABE to generate hidden access control structures and keywords based on pseudo-random numbers to ensure data security. Mhatre and Nimkar [6] proposed a multi-authority ABE with a federal structure. Yang et al. [7] introduced a third-party authorization agency to control the distribution and grant of attribute keys, and handed over computing and storage to cloud service providers to reduce the pressure on ordinary users and hospital institutions. Tu et al. [8] adopted fixed-length keys and introduced version number marking and proxy re-encryption to achieve attribute revocation and improved efficiency. However, in these solutions, the data is stored in the data center of the cloud service provider, where third-party service providers cannot be supervised. So the integrity and authenticity of the data cannot be guaranteed, which may cause data loss or tampering.
VOLUME 9, 2021. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Blockchain has been a popular emerging technology in recent years. Its origin can be traced back to 2008. A paper proposed by a researcher under the pseudonym Nakamoto [9] described the blockchain as a non-tamperable, decentralized, open, transparent and traceable ledger. Ethereum [10] and smart contracts [26] further improved the blockchain, allowing the blockchain that was originally used as a ledger to be applied in various industries, especially the medical industry [11]. Blockchain technology provides support for data security. Many scholars have combined the two technologies to propose new medical file sharing schemes based on blockchain and ABE. Wang et al. [12] proposed an attribute-based blockchain data access control model, designed multiple roles including authorization center, enterprise, etc. and gave the overall process, but lacked specific algorithm implementation. Literature [13]-[16] used ABE and a centralized authority management agency, and stored data on the cloud, and literature [13] used the InterPlanetary File System (IPFS) for distributed storage of files. Literature [17]-[19] adopted a multi-authority scheme. Zhang et al. [17] used cloud-chain collaboration and searchable attribute encryption and supported attribute revocation. Guo et al. [18] put the scene in medical care and used KP-ABE instead of CP-ABE, so that it is convenient for the patients to update their key. Jin et al. [19] realized the revocation of permission by adding a software-defined network and called smart contracts to implement its business logic.
The works above all set up a key distribution center to control permissions. These centers generate and distribute the attribute key according to the requirements of the patients. However, there are two shortcomings in these schemes. One is that the centralized authority management agency is prone to single-point failures that will reduce the overall performance of the system. At the same time, there is a risk of an inside job within the centralized agency. The second is that the file users and file owners in these papers are based on a single-person model. However, in reality, scientific research institutions, hospital departments and patient associations are all formed by multiple people. The decision to share medical records is the result of democratic discussions among participants. Therefore, a medical file sharing scheme that is closer to reality and supports multi-person negotiation and decentralized access control is needed.
Based on the two shortcomings of the above existing solutions, this paper proposes a practical medical file sharing solution based on blockchain and decentralized attribute encryption. The centralized authority management agency is canceled. We improve the decentralized attribute-based encryption, and a multi-person collaboration mechanism is added to support democratic discussions and allow members to form an association. We take advantage of the construction of attribute keys and design a sign and verification mechanism to ensure data integrity. Considering the mobility of personnel, an extensible (t, n) threshold secret sharing algorithm is introduced. We also propose a key update algorithm so that our scheme finally achieves a flexible, efficient, scalable and more realistic medical file sharing solution.
The rest of this paper is arranged as follows. Section II introduces some preliminaries used in the paper. The system model is proposed in Section III. The details of our medical file sharing scheme are presented in Section IV. In Section V, we conduct performance, security and comparative analysis. In Section VI, we give the conclusion and future prospects.

A. BILINEAR MAPPING
Suppose $G_1$, $G_2$ and $G_T$ are finite multiplicative cyclic groups of prime order $q$. The bilinear mapping $e : G_1 \times G_2 \to G_T$ is established, then:
a. Bilinear: $\forall g_1 \in G_1$, $g_2 \in G_2$ and $\forall x, y \in Z_q$ satisfy $e(g_1^x, g_2^y) = e(g_1, g_2)^{xy}$.
b. Non-degeneration: $\exists g_1 \in G_1$, $g_2 \in G_2$ such that $e(g_1, g_2) \neq 1_{G_T}$, where $1_{G_T}$ represents the identity element in group $G_T$.
c. Computability: $\forall g_1 \in G_1$, $g_2 \in G_2$ there exists an algorithm that can get $e(g_1, g_2)$ through calculation.
B. EXTENSIBLE (t, n) THRESHOLD SECRET SHARING SCHEME
Shamir [20] and Blakley [21] respectively proposed two (t, n) threshold secret sharing schemes. In such a scheme, the secret $Y$ to be shared is decomposed into $n$ sub-secrets containing partial information and handed over to $n$ individuals. Only when $t$ or more of the $n$ individuals cooperate can the secret $Y$ be solved. In this paper, an extensible threshold secret sharing scheme that does not require a trusted third party is applied to meet the needs of decentralized attribute-based encryption and dynamic changes of personnel. The scheme is presented as follows.
Let the secret shared by the association be $Y = \sum_{i=1}^{n} x_i$, the members of the association $P_i$ randomly selects a poly- and sends it to all other members $P_j$, $j = 1, 2, \ldots, n$ through a trusted channel. After $P_j$ receives all $f_i(j)$ $(i \neq j)$, he calculates $key_j = \sum_{i=1}^{n} f_i(j)$ as his part of secret. Let $X(x) = \sum_{i=1}^{n} f_i(x)$, then the secret to be shared is can be obtained through Lagrange interpolation from any $t$ of $n$ parts of shares.
When a new member $P_z$ participates in, and sends it to $P_j$. $P_j$ calculates a temporary $key_{j,temp} = key_j + \sum_{i=1}^{n} h_i(j)$ and sends it to $P_z$. After $P_z$ receives any $t$ of $n$ $key_{j,temp}$, he can obtain $X(z)$, which is his part of secret through Lagrange interpolation as
When a member $P_u$ leaves, $P_i$ generates a new polynomial of $t-1$ order $g_i(x) = g_{i1}x + \cdots + g_{i,t-1}x^{t-1}$, where the constant term is 0. Then $P_i$ sends $g_i(j)$ to $P_j$ $(j \neq i, u)$. $P_j$ calculates $key_{j,new} = key_j + \sum_{i=1}^{n} g_i(j)$ as his new part of secret. Since the constant term is 0, it is ensured that the partial secret of leaving member $P_u$ loses its effect while the secret $Y$ remains unchanged.
When the threshold value $t$ needs to be increased to $t'$, $P_i$ generates a new polynomial of $t'-1$ order $k_i(x) = k_{i,t}x^{t} + \cdots + k_{i,t'-1}x^{t'-1}$. Then $P_i$ sends $k_i(j)$ to $P_j$ $(j \neq i)$. $P_j$ calculates $key_{j,new} = key_j + \sum_{i=1}^{n} k_i(j)$ as his new part of secret. Since the constant term has not changed, the secret $Y$ remains unchanged. Meanwhile, the threshold is raised to $t'$, which means at least $t'$ people's permission is required to reconstruct secret $Y$.

C. CIPHERTEXT-POLICY ATTRIBUTE-BASED ENCRYPTION
Amit Sahai and Brent Waters first proposed the concept of ABE in the paper [22]. The key and ciphertext are respectively marked by several attributes, and each attribute can be defined by the user. In this article, we use the CP-ABE architecture proposed by Lewko and Waters [23] in 2011. In this scheme, all users are authorizing institutions with same authority. There is no administrator or third party involved. This scheme is more suitable for the decentralized property of the blockchain and real-life scenarios.
Lewko's key policy attribute-based encryption usually consists of the following steps:
a. Global initialization: According to the algorithm, the security parameter λ is input and the global parameter GP is output.
b. Attribute Authority Initialization: Each authority inputs the global parameter GP, and outputs the public and private key pair of the authority.
c. Data encryption: Encryption algorithm takes in access control policy L, global parameters GP, plaintext m, attribute related public key PK and outputs ciphertext M.
d. Access Grant: Algorithm takes in the authorized person's UID, the global parameter GP, a certain attribute attr of the grantor and the related private key SK of the attribute and outputs the attribute key $Key_{UID,attr}$.
e. Data decryption: Decryption algorithm takes in $Key_{UID,attr}$, global parameters GP, ciphertext M and outputs either plaintext m when the key satisfies the attribute requirements of ciphertext or a fail warning.

III. SYSTEM MODEL
A. SYSTEM NOTATION ILLUSTRATION
The notations related to the scheme in this paper are illustrated in Table 1.

B. SYSTEM ARCHITECTURE
The overall model of the practical medical file sharing scheme is shown in Figure 1. The entire system can be divided into four kinds of entities. They are member, association, blockchain and DSC.
Member (Mem) is the smallest unit in the system. Anybody, such as patients and doctors, can be a member of the system. A member can be both a data owner who symmetrically encrypts and uploads his medical files and a data user who downloads medical files with others' permission. All members are equal, which means nobody has privilege.
Association (Asso) is set in this paper in order to be closer to the real scene. It is composed of multiple members and can grant other persons the authority of the association attribute. However, every decision requires joint democratic voting. Another person will be granted the authority only if a certain number of members agree to authorize.
Blockchain and smart contract are the basis of the system. Multiple hospitals can join together to form a consortium blockchain. A faster consensus algorithm such as PBFT can be applied to achieve quick transaction instead of power and time-consuming consensus algorithm like PoW in bitcoin. Data blocks of public parameters and digest information are stored on the blockchain after attribute encryption. Smart contracts are deployed to perform operations such as registration and authorization. The blockchain can be led by either the government or several large hospitals to achieve a more secure environment.
Data Storage Center (DSC) is responsible for storing the patient's medical files. Some researchers have proposed that data can be encrypted and stored in the interplanetary file system IPFS, such as paper [7] and paper [24]. In this paper, the data storage is still designed to be symmetrically encrypted and stored in the corresponding database of the hospital which can be extended to IPFS in future work.

C. SYSTEM OPERATION PROCESS
The operation process of the system is shown in Figure 1 as number sequence. It is worth noting that the communication between members and between members and association is initiated by smart contracts.
Step 0 : Global initialization. This step is automatically completed when the smart contract is deployed, including initializing system generator, bilinear pair, etc.
Step 1 : Member registration. Members choose their own global UID and register to the blockchain through smart contract to obtain a public-private key pair and upload the public key to the blockchain.
Step 2 : Association registration. After negotiation, members who want to form the association cooperate and register to the blockchain. They set the total number of members n and the threshold t required to pass a vote. They then generate the public and private keys of the association through the smart contract and upload the public key to the blockchain.
Step 3 : Attribute registration. Members and Associations initiate attribute registration to the blockchain according to their own needs. Members can directly obtain the attribute public-private key pair. The association needs to cooperate and generate attribute public and private keys through the smart contract. Both member and association need to upload public key to the blockchain.
Step 4 : Data storage. Any member or association can upload the symmetrically encrypted medical files and store them in the DSC. They then upload attribute encrypted data block which contains the hash of the data, the uploader's signature, the uploader's public key and the symmetric encryption key to the blockchain.
Step 5 : Attribute apply and authorization. Members can apply to other members or associations for their registered attribute. Others can decide whether to grant permission or not. If they agree, a unique attribute key will be returned to the applicant. Applying for permission from an association requires the consent of a certain number of people in the association. The applicant collects permission from members so that he can calculate the unique attribute key and preserve it properly.
Step 6 : Obtain the data and decrypt. The member tries to obtain the attribute ciphertext from the blockchain. If the corresponding attribute requirements are met, the ciphertext can be unlocked to obtain medical file related information in the DSC, and then medical files can be obtained after symmetric decryption.

IV. A PRACTICAL MEDICAL FILES SHARING SCHEME
This section will be divided into three sub-sections. The first sub-section introduces the practical characteristics of this scheme which is different from existing schemes. In the second part we will introduce the operation process and cryptographic structure of the scheme proposed in the section III in detail. The third sub-section proposes a key update algorithm considering the mobility of personnel in real-life scenes.

A. PRACTICAL CHARACTERISTICS OF OUR SCHEME
In order to solve the problems that may arise from traditional centralized authority granting agencies, this paper proposes a decentralized ABE scheme which uses attribute-based encryption to achieve fine-grained access control. Our scheme has the following characteristics comparing to existing schemes.

1) SUPPORT MULTI-PERSON DEMOCRATIC VOTING
Existing medical file sharing schemes are based on a single-patient model. However, in reality, there are many multi-person scenarios such as hospital departments, scientific research institutions, and concern groups of patients suffering from the same disease. Sharing data between institutions requires multiple people to participate in decision-making. The concern group has gathered a large number of cases with the same symptoms but individual differences, which can be a valuable source of scientific research data. Therefore, by introducing threshold secret sharing, this solution realizes that authorization can only be obtained with the consent of a majority of people, which is more suitable for real-life scenarios.

2) DECENTRALIZATION OF THE AUTHORIZATION PROCESS
In order to cooperate with the decentralization of blockchain, decentralized attribute-based encryption is utilized in this paper, which avoids the single point failure and internal corruption of centralized CAs. All public-private key pairs are generated by smart contracts. The algorithm is transparent. The right of authorization is handed over to every single member so that each patient has full control of his medical files.

3) FLEXIBLE ATTRIBUTE REGISTRATION
Different from the system initialization in some solutions, our scheme can register attributes to the blockchain at any time according to the various need of patients or association. There is no need to pre-define attributes during system initialization which means it costs less time.

4) SUPPORT DYNAMIC PERSONNEL CHANGE
Our scheme takes into account the dynamic changes of personnel in the association, including participation and departure of members and increase of the voting threshold. A key update algorithm is designed so that the part held by the departed member will automatically become invalid while the public-private key pairs of the association will not change, ensuring the security of the association secret as well as new members' rights.

5) ENSURE DATA INTEGRITY
Based on the cryptographic structure, our scheme designs the file signature and verification algorithm to ensure the integrity of the file stored on the blockchain. Any visitor or data owner can check whether the file has been tampered at any time and make corresponding operation promptly.

B. OPERATION PROCESS AND CRYPTOGRAPHIC STRUCTURE
• Global Initialization(λ) → (GP): Let $G_1$, $G_2$ and $G_T$ be cyclic multiplicative groups of big prime order $q$. In this paper, we use a symmetric group where $G_1$ is the same as $G_2$, and let $g$ be the generator of $G_1$. Let $e : G_1$ , $j \neq i$ for each other member $Mem_j$ and sends it to $Mem_j$. $Mem_j$ computes $Asso_{pri,j} = \sum_{i=1}^{n} f_i(UID_j)$ and $Asso_{pub\alpha,j} = e(g, g)^{Asso_{pri,j}}$, $Asso_{pub\beta,j} = g^{Asso_{pri,j}}$. Then uploads $Asso_{pub,j} = \{Asso_{pub\alpha,j}, Asso_{pub\beta,j}\}$ to the blockchain.
2) Association Key Assemble($Asso_{pub,j}\ \forall j$) → ($Asso_{pub}$): All members submit their part of association public keys to the smart contract so that the association public key $Asso_{pub} = \{Asso_{pub\alpha}, Asso_{pub\beta}\}$ can be calculated by the smart contract: Then the smart contract automatically uploads public key $Asso_{pub}$ to the blockchain.
Then calculates $h_i(UID_j)$, $j \neq i$ for each other member $Mem_j$ and sends it to them. $Mem_j$ computes $AAttr_{pri,j} = \sum_{i=1}^{n} h_i(UID_j)$ and $AAttr_{pub,j} = g^{AAttr_{pri,j}}$ and uploads $AAttr_{pub,j}$ to the blockchain.

3) Association Attribute Key Assemble($AAttr_{pub,j}\ \forall j$) → ($AAttr_{pub}$): All members submit their part of association attribute public keys to the smart contract so that $AAttr_{pub}$ can be calculated by the smart contract: Then the smart contract automatically uploads $AAttr_{pub}$ to the blockchain. The signature algorithm has been proved safe in paper [25]. Finally, the data block $\{CT_{sym}, Q(CT_{sym}), Sig\}$ is uploaded and preserved in DSC.
The association uploading a medical file together requires each member to use his $Asso_{pri,j}$ to sign $Sig_j = e(Q(CT_{sym}), g)^{Asso_{pri,j}}$, then upload the data block $\{CT_{sym}, Q(CT_{sym}), \{Sig_j, \forall j\}\}$ to the DSC to preserve. The structure of each part is given as follows:

2) Digest Data Encryption(DDB
where $Part_0, Part_1 \in G_T$, $Part_2, Part_3 \in G_1$. For $m$ attributes in the access control matrix, $Part_1$, $Part_2$, $Part_3$ are arrays of length $m$, which store the elements of each attribute separately. $DDB$ is plaintext and $s$ is randomly selected from $Z_q$. $M_i$ is the $i$-th row of the access control matrix which represents the access control policy of the attribute $i$. Vector $v$ is a column vector of length $d$, in which the first element is $s$. $e(g, g)^{\gamma_i}$ is the member or association public key related to attribute $i$. $g^{\tau_i}$ is the member or association attribute public key related to attribute $i$. $z_i$ is randomly selected from $Z_q$. $w$ is a column vector of length $d$, in which the first element is zero and the rest are randomly selected. Finally, $CT_{attr}$ is uploaded to the blockchain after encryption.

2) Association Authorization($UID$, $Asso_{pri,j}$, $AAttr_{pri,j}\ \forall j$) → ($Key_{a,attr}$): $Mem_a$ tries to apply for the attribute $Aattr$ from $Asso$. The $n$ association members $\{Mem_1 \ldots Mem_n\}$ will receive the request and decide whether to authorize $Mem_a$. If $Mem_i$, $i \in n$, agrees to the authorization, he calculates $Key_{a,Aattr,j} = g^{Asso_{pri,j}} Q(UID_b)^{AAttr_{pri,j}}$ and transmits it to $Mem_a$. If $Mem_a$ receives the authorization of more than $t$ members of $Asso$, he can calculate: $Mem_a$ preserves it properly for future decryption.
He then computes $e(H(CT_{sym}), Asso_{pub\beta}) = e(H(CT_{sym}), g^{\gamma})$ and verifies whether it is the same as $Sig$. If same, then bool = True and the medical file is intact.

C. KEY UPDATE ALGORITHM
In real-life scenarios, the members within an association are not static. In order to ensure that part of the secrets held by the leaving members become invalid and to prevent the original threshold from being too low when there are too many members, our scheme sets up a key update algorithm.

1) PARTICIPATION OF NEW MEMBERS
When a new member $P_z$ joins, $P_i$ generates a new polynomial Then $P_i$ calculates $h_i(UID_j)$ and sends it to $P_j$. $P_j$ makes his decision on whether he agrees to $P_z$ becoming a new member; if he agrees, he calculates the temporary $key_{j,temp} = Asso_{pri,j} + \sum_{i=1}^{n} h_i(UID_j)$ and $key_{j,temp,attr} = AAttr_{pri,j} + \sum_{i=1}^{n} h_i(UID_j)$ and sends them to $P_z$. If $P_z$ receives any $t$ of $n$ permissions, he can obtain his part of association private key through Lagrange interpolation as $X(UID_z) = X(UID_z) + \sum_{i=1}^{n} h_i(UID_z)$ and $h_i(UID_z) = 0\ \forall z$:

temp,attr
Then $P_z$ calculates $Asso_{pub\alpha,z} = e(g, g)^{Asso_{pri,z}}$, $Asso_{pub\beta,z} = g^{Asso_{pri,z}}$ and $AAttr_{pub,z} = g^{AAttr_{pri,z}}$. Now $P_z$ has his part of association public key and attribute public key while the association public key remains unchanged.

2) DEPARTURE OF MEMBERS
When a member $P_u$ exits, $P_i$ generates a new polynomial of $t-1$ order $g_i(x) = g_{i1}x + \cdots + g_{i,t-1}x^{t-1}$, where the constant term is 0. Then $P_i$ sends $g_i(UID_j)$ to $P_j$ $(j \neq i, u)$. $P_j$ calculates $Asso_{pri,j,new} = Asso_{pri,j} + \sum_{i=1}^{n} g_i(UID_j)$, $Asso_{pub\alpha,j,new} = e(g, g)^{Asso_{pri,j,new}}$, $Asso_{pub\beta,j,new} = g^{Asso_{pri,j,new}}$ as his new part of association keys and $AAttr_{pri,j,new} = AAttr_{pri,j} + \sum_{i=1}^{n} g_i(UID_j)$, $AAttr_{pub,j,new} = g^{AAttr_{pri,j,new}}$ for each attribute as new association attribute keys. Since the constant term is 0, it is ensured that the part of public or private keys of leaving member $P_u$ becomes invalid while the association public key remains unchanged.

3) INCREASE OF THRESHOLD
When the threshold $t$ needs to be increased to $t'$, $P_i$ generates a new polynomial of $t'-1$ order $k_i(x) = k_{i,t}x^{t} + \cdots + k_{i,t'-1}x^{t'-1}$. Then $P_i$ sends $k_i(UID_j)$ to $P_j$ $(j \neq i)$. $P_j$ calculates $Asso_{pri,j,new} = Asso_{pri,j} + \sum_{i=1}^{n} k_i(UID_j)$, $Asso_{pub\alpha,j,new} = e(g, g)^{Asso_{pri,j,new}}$, $Asso_{pub\beta,j,new} = g^{Asso_{pri,j,new}}$ as his new part of association keys and $AAttr_{pri,j,new} = AAttr_{pri,j} + \sum_{i=1}^{n} k_i(j)$, $AAttr_{pub,j,new} = g^{AAttr_{pri,j,new}}$ for each attribute as new association attribute keys. Meanwhile, the threshold is raised to $t'$, which means at least $t'$ people's permission is required to pass a vote.
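The share arithmetic of Section II-B and of the key update algorithm above, as an added Python example (not the authors' implementation). Assumptions: a stand-in prime field `Q` replaces the pairing group order q, UIDs are small nonzero integers, and each initial polynomial has constant term x_i in the usual Shamir form, since the page's own formula for it is missing; the secret Y is computed in one place only so the checks can compare against it.

```python
import secrets

Q = 2**127 - 1  # stand-in prime modulus (assumption); the scheme works in Z_q of the pairing groups

def poly_eval(coeffs, x):
    """Horner evaluation of sum(coeffs[k] * x**k) mod Q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def random_poly(degree, fixed=None):
    """Random polynomial of the given degree; `fixed` maps exponent -> forced coefficient."""
    coeffs = [secrets.randbelow(Q) for _ in range(degree + 1)]
    for k, v in (fixed or {}).items():
        coeffs[k] = v % Q
    return coeffs

def interpolate(shares, at=0):
    """Lagrange interpolation of the points {uid: share} evaluated at `at`."""
    total = 0
    for xj, yj in shares.items():
        num = den = 1
        for xm in shares:
            if xm != xj:
                num = num * (at - xm) % Q
                den = den * (xj - xm) % Q
        total = (total + yj * num * pow(den, -1, Q)) % Q
    return total

def add_round(shares, polys):
    """Every holder j adds sum_i poly_i(j) to its share (common step of all updates)."""
    return {j: (s + sum(poly_eval(p, j) for p in polys)) % Q for j, s in shares.items()}

def dealerless_setup(uids, t):
    """Each member picks a degree t-1 polynomial f_i with constant x_i; key_j = sum_i f_i(j)."""
    polys = [random_poly(t - 1) for _ in uids]
    secret = sum(p[0] for p in polys) % Q  # Y = sum x_i, computed here only for the checks
    return secret, {j: sum(poly_eval(p, j) for p in polys) % Q for j in uids}

def member_leaves(shares, leaver, t):
    """Remaining members add zero-constant polynomials g_i; the leaver's share is not updated."""
    remaining = {j: s for j, s in shares.items() if j != leaver}
    return add_round(remaining, [random_poly(t - 1, fixed={0: 0}) for _ in remaining])

def member_joins(shares, new_uid, t):
    """Holders mask shares with h_i where h_i(new_uid) = 0; the newcomer interpolates at new_uid."""
    polys = []
    for _ in shares:
        h = random_poly(t - 1)
        h[0] = (h[0] - poly_eval(h, new_uid)) % Q  # shift so that h(new_uid) = 0
        polys.append(h)
    masked = add_round(shares, polys)              # key_{j,temp}: hides key_j from the newcomer
    helpers = dict(list(masked.items())[:t])       # any t responses are enough
    return {**shares, new_uid: interpolate(helpers, at=new_uid)}

def raise_threshold(shares, t, t_new):
    """Members add k_i(x) = k_{i,t} x^t + ... + k_{i,t'-1} x^{t'-1}; X gets degree t'-1."""
    polys = [random_poly(t_new - 1, fixed={k: 0 for k in range(t)}) for _ in shares]
    return add_round(shares, polys)

def demo():
    pick = lambda s, keys: {k: s[k] for k in keys}
    Y, shares = dealerless_setup([1, 2, 3, 4], t=2)
    out = {"any_t_recover": interpolate(pick(shares, [2, 4])) == Y}
    after_leave = member_leaves(shares, leaver=4, t=2)
    out["remaining_recover"] = interpolate(pick(after_leave, [1, 3])) == Y
    # Departed member's stale share combined with one refreshed share no longer yields Y.
    out["stale_share_useless"] = interpolate({1: after_leave[1], 4: shares[4]}) != Y
    joined = member_joins(after_leave, new_uid=5, t=2)
    out["newcomer_share_valid"] = interpolate(pick(joined, [2, 5])) == Y
    raised = raise_threshold(joined, t=2, t_new=3)
    out["old_t_insufficient"] = interpolate(pick(raised, [1, 2])) != Y
    out["new_t_recover"] = interpolate(pick(raised, [1, 2, 5])) == Y
    return out

if __name__ == "__main__":
    print(demo())
```

The departure update only invalidates the departed member's share if the remaining members erase their pre-update shares: any t shares from before the update still interpolate to Y.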

V. MODEL ANALYSIS
A. SECURITY ANALYSIS
The cryptographic security of the scheme proposed in this paper has been proven in the literature [23]. This section will analyze several possible attacks on this scheme.

1) CONSPIRACY ATTACK
A conspiracy attack refers to multiple members with different attributes conspiring to crack an encrypted file that they cannot decrypt individually. Suppose $Mem_a$ has the authority of $attr_1$ and $Mem_b$ has the authority of $attr_2$. The encryption policy is ($attr_1$ AND $attr_2$). It must be guaranteed that the file cannot be cracked if they cooperate. In our scheme, the corresponding attribute authority is specifically calculated with the UID of the applicant. Even if the conspirators have $g^{\gamma} Q(UID_a)^{\tau_{attr_1}}$ and $g^{\gamma} Q(UID_a)^{\tau_{attr_2}}$, it is impossible to inversely compute private key $\tau$ and the attribute private keys $\tau_{attr_1}$ and $\tau_{attr_2}$ within polynomial time according to the discrete logarithm problem. Therefore, they cannot complete the attack.
For a file encrypted with association attribute, it is more difficult for the attacker due to the existence of the threshold.

2) MAN-IN-THE-MIDDLE ATTACK
For each unique attribute registered by a member, the system will return a one-time random number as the attribute private key, so the key cannot be obtained by a repeated registration. The authorizer will verify the corresponding public key uploaded to the blockchain of the applicant while reviewing the apply and use the public key to encrypt and transmit Key a,attr so that only the applicant can decrypt the key.

3) DoS ATTACK
DoS attack refers to the blocking of access requests of ordinary users by establishing a large number of illegal requests at the same time. In a traditional centralized scheme, the single-point centralized authorization agency is the weak point of the entire system. Attackers can launch attacks on the agency and block normal requests. In this paper, our decentralized solution solves the problem. The robustness of the blockchain guarantees that the system functions normally under DoS attack as long as the attacker cannot compromise most of the nodes in the blockchain.

4) DATA INTEGRITY
In this paper, DSC is assumed to be semi-trusted: it will be curious about the data stored in it. Although DSC can freely obtain the data in it, DSC has no advantage over any other attacker, as medical files are encrypted with a symmetric key and stored in ciphertext form. At the same time, the hash of the file has been fixed through the blockchain. Due to the immutability of the blockchain, both the data owner and data user can inspect the files to prevent DSC from tampering with the data.

B. PERFORMANCE ANALYSIS
We use a PBFT-based blockchain as the basis of the smart contract. The attribute encryption program is written in Python. The simulation is based on the virtual machine of Ubuntu 18.04LTS. The virtual machine uses an AMD® Ryzen 5800X (Zen3) @3.8GHz, 2 Cores 2 Threads and 4g DDR4 memory.
We use AES (advanced encryption standard) as the symmetric encryption function with a 256-bit key as the symmetric encryption is only used for digest data block of which typical data size is several kilobytes. At the cost of 10% more time which is tens of milliseconds, it is much more secure compared to 128 or 192 bits key.
The computational time cost of our scheme is mainly that of calculation in Z q , G 1 and G T . The notations in analysis are as follows: • u: number of attributes actually used for decryption • t, n: parameters in the threshold secret sharing algorithm The time of multiplication in G 1 or G T group is almost negligible compared to the time complexity above. At the same time, it ignores hash operation, signature, call of smart contract, network and other overheads. In order to reduce the fluctuation caused by randomness, the simulation runs 5 rounds, 1000 tests per round. Table 2 shows the time complexity of each operation as a benchmark for following analysis.  Table 3 shows the comparative analysis of the theoretical value of our scheme with Paper [14] and Paper [18] which also utilize blockchain-based ABE scheme. Paper [14] uses the attribute encryption of a centralized authorization agency, therefore the calculation process is simpler. But the centralized solution has some drawbacks and does not support multi-person association. In contrast, paper [18] supports the decentralized model of multiple authorization agencies. There are more steps and all the attributes in this scheme are registered at the beginning of initialization. Each step of authorization, encryption, and decryption contains all the attributes so it is more complicated. Besides, its model is also based on a single patient. In this paper, we use a different encryption method, and the cryptographic structure is different from other schemes. We have a leading position in member registration, member attribute registration, encryption and decryption. Our scheme also supports dynamic changes of personnel. The frequency of association-related operations is lower. It is not necessary to preset all the attributes during the initialization. Members can register at any time on demand. The last column of Table 3 shows the actual time of each step in the simulation. 
The threshold parameters n = 3, t = 2, t = 3. The number of attributes used for encryption m = 2 and the number of attributes used for decryption u = 2. As presented, the real time complexity is basically the same as the theoretical result, which can not only support the theoretical result, but meet the demand of real-life scenario as well.
Since association attribute registration is the most frequently used and most time-consuming step in actual scenarios, Table 4 shows the time it takes to register and generate an association attribute public key. We consider the most severe case, that is, the time cost for a member and for the smart contract when every member's permission is needed to pass a vote and the threshold is t = n. As shown in the table, it does not take a member much time to calculate $h_i(UID_j)$. In the implementation, multiplication and addition are used in place of exponential operations, so the time complexity is proportional to the square of the number of members, which is consistent with the theoretical value in Table 3. Since the time complexity of operations on $Z_q$ is rather low, this only takes about 500 ms in an association of 500 members.
The time cost of a member calculating $AAttr_{pub,j}$ is nearly constant, since it is one exponential operation in the $G_1$ group. The time complexity of the smart contract assembling $AAttr_{pub}$ is proportional to the number of members. Even in a large group of 500 people, it remains on the order of seconds. It should also be noted that this part of the calculation is completed by the blockchain node, whose computational power can be used to further reduce time consumption. Also, Table 4 considers the most severe condition. In most circumstances, decisions can be passed with the consent of only some of the people in an association.
Table 5 shows the time complexity of encryption and decryption with different numbers of attributes. We again consider the most severe case, that is, all attributes need to be satisfied and the attributes are connected with AND. It can be seen from the table that in the all-AND case, the time complexity of encryption and decryption is proportional to the number of attributes.
When 64 attributes are involved, that is, 64 conditions need to be met at the same time, encryption and decryption still take only about 1.5 seconds, indicating that our scheme is practical in actual scenarios.
After the association is founded, new members may join and old members may leave. Table 6 shows the time complexity of calculating new keys with different thresholds. Here, increasing the threshold means increasing t to n. As shown in the table, the time costs of member participation, member departure and increasing the threshold are all at the millisecond level, which will not cause a heavy computational burden for the members. Comparing rows 2, 3 and 4 of the table, it can be seen that the time cost for a new member joining the association depends only on t. When t is fixed, the time complexity for a former member is proportional to n and the fitting equation is $y = 8.47053 + 0.03988n$. The constant term 8.470 is exactly the time consumption of $E_1 + E_T$ and matches the theoretical analysis in Table 3. Comparing rows 6, 7 and 8, when n is fixed, the time complexity for a former member is proportional to t and the fitting equation is $y = 8.39667 + 0.4139t$. The constant term 8.397 also conforms to the theoretical analysis in Table 3. Comparing rows 4, 5 and 8, when the increase of the threshold is the same, the time consumption of each member is proportional to n and the fitting equation is $y = 8.57423 + 0.10045n$. The constant term 8.574 is also the time complexity of $E_1 + E_T$. Unlike the calculation of the association public key, these steps do not require the operation in the $G_1$ group, so the time cost is lower.
Besides, $Mem_j$ can apply $\sum_{i=1}^{n} h_i(UID_j)$ to all new keys and attributes instead of generating a new polynomial for each attribute, which greatly reduces time consumption when members change.
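The worst-case t = n share computation and the reuse of the summed value Σ h_i(UID_j) discussed above can be sketched as follows. This is an added example, not the paper's implementation: it assumes a standard Shamir-style polynomial h_i per member over Z_q with the joint secret taken as the sum of the h_i(0), and the modulus, UIDs and function names are constructed.

```python
import secrets

Q = 2**127 - 1  # constructed prime modulus standing in for the group order q

def horner(coeffs, x, counter):
    """Evaluate h(x) = c0 + c1*x + ... mod Q with only * and + (no exponentiation)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
        counter[0] += 1                      # one multiplication per coefficient
    return acc

def deal(uids, t):
    """Each member i picks h_i of degree t-1 and evaluates it at every UID_j."""
    n = len(uids)
    polys = [[secrets.randbelow(Q) for _ in range(t)] for _ in range(n)]
    mults = [0]
    shares = [[horner(p, u, mults) for u in uids] for p in polys]  # shares[i][j] = h_i(UID_j)
    return polys, shares, mults[0] // n      # multiplications per member

def aggregate(shares, j):
    """Member j's reusable value: sum over i of h_i(UID_j), mod Q."""
    return sum(row[j] for row in shares) % Q

def interpolate_at_zero(points):
    """Lagrange interpolation at x = 0 over Z_Q from (x, y) pairs."""
    total = 0
    for k, (xk, yk) in enumerate(points):
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != k:
                num = num * (-xm) % Q
                den = den * (xk - xm) % Q
        total = (total + yk * num * pow(den, -1, Q)) % Q
    return total

def demo(n, t):
    uids = list(range(1001, 1001 + n))       # constructed member identifiers
    polys, shares, mults = deal(uids, t)
    joint = sum(p[0] for p in polys) % Q     # assumed joint secret: sum of h_i(0)
    pts = [(uids[j], aggregate(shares, j)) for j in range(t)]
    return mults, interpolate_at_zero(pts) == joint

if __name__ == "__main__":
    for n in (5, 50, 500):
        print(n, demo(n, n))                 # per-member multiplications grow as n*n
```

With t = n each member performs n evaluations of n coefficients, which is the quadratic growth described for Table 4; any t of the summed values interpolate to the same joint secret, which is why one polynomial per member can serve all later keys and attributes.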

C. COMPARING ANALYSIS
In this part, we compare the scheme proposed in this article with existing medical file management schemes in terms of function (Table 7). We also give our solutions to the various problems in a medical file sharing scheme (Table 8).
It can be seen from Table 7 that most of the existing solutions set up a centralized CA, which is likely to experience a single point of failure. Some early schemes did not incorporate blockchain because of the limitations of their time. In some solutions, the blockchain is only used to protect data from being tampered with. These schemes ignore the functions that can be realized by smart contracts, which are an enormous advance in blockchain technology. One important point is that our scheme supports multi-person association. Patients can cooperate as an association, while in other schemes patients are unrelated individuals and cannot make any contribution to medical development. At the same time, our key update algorithm ensures that the association key will not leak, while in other solutions key update is controlled by the CA, which is also responsible for attribute revocation. Attribute revocation requires a change in either the ciphertext or the attribute key. Our scheme is designed for a decentralized environment, in which key authorization is conducted by members. Also, changing the ciphertext means complete replacement of the medical files, which is time consuming. Therefore, our scheme does not support attribute revocation. However, we can achieve global backward revocation by changing the encryption key of subsequent files.

VI. CONCLUSION AND FUTURE PROSPECTION
In the future, informatization in the medical field will continue to advance. The sharing of medical files is a key point. It can help patients avoid repeated examinations and provide effective data for scientific research. This paper proposes a practical medical file sharing scheme based on blockchain and decentralized ABE. In our scheme, patients have complete control over their medical files and there is no need to worry about privacy leakage. The association mechanism of multi-person cooperation, democratic decision-making and support for dynamic changes of personnel makes the model closer to real-life scenarios. Our decentralized model not only matches the decentralization idea of the blockchain, but also avoids the management problems caused by centralized institutions. Finally, security analysis, performance analysis and comparison with other schemes show that the scheme proposed in this paper is quite feasible and has advantages over existing schemes. In future work, we consider introducing proxy re-encryption and zero-knowledge proof to further simplify the management of patients' medical files and improve privacy protection.
LI LING received the M.S. degree from the School of Computer Science, Fudan University, in 1992. He is currently an Associate Professor with the School of Information Science and Technology, Fudan University. His research interests include information security, cryptography, and blockchain technology.
VOLUME 9, 2021