Personal Data Access Control Through Distributed Authorization

Abstract: This paper presents an architecture of a Personal Information Management System, in which individuals can define the access to their personal data by means of smart contracts. These smart contracts, running on the Ethereum blockchain, implement access control lists and grant immutability, traceability and verifiability of the references to personal data, which is stored itself in a (possibly distributed) file system. A distributed authorization mechanism is devised, where trust from multiple network nodes is necessary to grant the access to the data. To this aim, two possible alternatives are described: a Secret Sharing scheme and Threshold Proxy Re-Encryption scheme. The performance of these alternatives is experimentally compared in terms of execution time. Threshold Proxy Re-Encryption appears to be faster in different scenarios, in particular when increasing message size, number of nodes and the threshold value, i.e. number of nodes needed to grant the data disclosure.