An agent-based secure privacy-preserving decentralized protocol for sharing and managing digital health passport information during crises

Digital crisis management platforms and their privacy preserving

Digital crisis management platforms have the incredible potential to respond in a timely way during a crisis. MicroMappers (MM), for example, is a digital volunteer platform that uses AI for disaster response. Its associated tools for mining crisis-related information were submitted via volunteers and placed on the map. Google Crisis map (GCM) contains a U.S.-based set of layers concerning crises related to hazards, weather, response, and emergency preparedness.

Other tools and platforms created by Google for crisis management are Google Person Finder, Google Maps Engine Lite, Google Earth, and Google Public Alerts. However, such crowdsensing platforms must be integrated with encryption technology, as they are vulnerable to security threats and data leakage, insecure data dissemination, and system malfunction (Halder, 2017).

Digital crisis management mainly relies on smartphones, since they have expanded worldwide and altered how people live. Owing to their enormous utility and usefulness, they have become must-have tools, particularly in crisis-ridden times like ours. Furthermore, they have played an essential role in assisting authorities in crisis management.

Smartphones, nevertheless, are associated with many risks that have been an ongoing concern regarding these apps (Chan et al., 2020). Examples include collecting information without permission (Gnadinger, 2014); and extracting unneeded personal information through mobile app services and sometimes without users’ knowledge, jeopardizing users’ sensitive data and making it vulnerable to data leakage and hardware control (Zhu et al., 2016). Furthermore, insecure software apps have been criticized on account of several well-known cases presented as follows: (i) poor implementation (Fischer et al., 2017) and authorization, (ii) session management issues (Jain & Shanbhag, 2012), (iii) weak encryption, including the misuse of cryptography APIs and deployment model (Egele et al., 2013), and (iv) poor-skills software programmers.

Privacy-preserving using mobile agent

Agent technology has been used extensively in crisis management (Tmnu et al., 2020; Zhou et al., 2021; Kadinski, Berglund & Ostfeld, 2022; Castro et al., 2021). In addition, agent and multiagent systems (MAS) have been used extensively by integrating several emerging technologies to model and provide solutions for complex problems. For example, during the crisis of COVID-19, mobile agent systems have been applied to deal with several issues related to the crisis, for water distribution system contamination response (Kadinski, Berglund & Ostfeld, 2022), to analyze the spread processes of the COVID-19 epidemics in open districts (Castro et al., 2021), and to provide visions for public health policies and interference (Hotton et al., 2022).

Furthermore, Tmnu et al. (2020) proposed a scheme that uses an IoT-based robotic agent for disabled and infected people. The agent uses sensors to identify the patient’s gestures. Finally, Zhou et al. (2021) integrated an agent-based solution with a susceptible-exposed-infected-recovered (SEIR) model to assess the transmission of the COVID-19 viruses inside the city and suggest a vaccine distribution strategy.

Privacy-preserving based digital health passport

A digital vaccine passport, digital health passport, or immune passport has been widely adopted post-COVID pandemic to respond to the need for resuming international travel. It is a type of official digital document that stores personal information related to individual personal information, including travel history, health information, vaccination status, and diagnostic tests (Angelopoulos, Damianou & Katos, 2020). Thus, the carried data must be anti-fraud, interoperable, privacy-preserved, and manageable (Karopoulos et al., 2021). Many digital health passport solutions (Angelopoulos, Damianou & Katos, 2020; Brown et al., 2020; Gao et al., 2022; Rashid et al., 2022) have been proposed during the COVID-19 pandemic to deal with travel policies, and other restrictive policies introduced during the pandemic.

Most of the proposed privacy-preserving underlying technologies solutions rely on traditional practical public key cryptography and blockchain technologies. However, they encounter many issues due to their implementation or deployment models. Hicks et al. (2020) proposed a decentralized-based public key cryptography scheme called “SecureABC” for immunity certificates. Bansal, Garg & Padappayil (2020) presented a blockchain-based immunity certificate that protects end-users privacy and store testing-related facilities and hospitals.

Electoral commission introduced the idea of implementing a standard for interoperability in the EUROPEAN PARLIAMENT. As a result, a public key infrastructure (PKI)-based digital COVID certificate (EUDCC) presented by the European commission includes the following features: (i) digital and/or article format, (ii) uses QR code, (iii) free of charge, (iv) bilingual, (v) safe and secure (vi) interoperable in all EU countries. Furthermore, such interoperable digital passport permits free movement within European countries (World Economic Forum, 2020).

Furthermore, the idea of protecting against fraud through tests and certificate validation processes is proposed by the CommonPass platform. The platform also validates if the digital certificates are acceptable for international cross-border entry requirements (AOKPass, 2023). AOKpass is a blockchain-based digital passport scheme introduced to enable cross-border interoperability in which users can officially provide digital and authenticated credentials through a QR code to a government authority (AOKPass, 2023).

In addition, Gao et al. (2022) proposed an immunity passport scheme that relies on dual-blockchain architecture using searchable encryption, anonymous authentication, and a decentralized storage network using the inter planetary file system (IPFS). While the scheme provides data privacy for the users and ensures unrestricted movement as claimed by the users, unlike our scheme, their proposed solution is not smart. It only shares immunity passport data but not other sensitive data. Furthermore, the solution relies on IPFS to store encrypted passport data, which is impractical for storing private data (Gao et al., 2022). Koyama et al. (2023) proposed a decentralized vaccine distribution scheme to track the vaccine route. The scheme relies on Blockchain as an underlying technology and consists of three components, including a “vaccine passport.” It is not fully practical compared to our scheme, and it has many limitations, as pointed out by the authors (Koyama et al., 2023).

Other solutions vs CONTRIBUTIONS OF THIS ARTICLE

The proposed secure mobile digital passport agent (SMDPA) includes the following features: It (i) securely shares personal and health information with international authorities; (ii) uses a mobile agent to disseminate data associated with their security and privacy policies; (iii) supports international privacy standards and regulations via the use of intelligent data minimization feature; (iv) uses privacy set intersection technique to provide confidentiality and integrity of the carried data and relies on a mobile agent fault tolerance feature to support data availability; (v) uses data evaporation feature to expire health vaccination information when applicable; (vi) supports interoperability to relax international travel; (vii) protects against discrimination by providing anonymous, secure interaction between users and authorities so limited information can be shown (viii) provides recommendation for safe travel zone based on a traveler stored health information and general health conditions.

Unlike other digital passport protocols, our protocol combines the following core features: (i) interoperability, (ii) fit privacy standards and regulations, (iii) fault tolerance, and (iv) data minimization.

Protocol design

The protocol security design in this research relies on public-key cryptography based unbalanced-private set intersection (PSI). The protocol deals with unbalanced datasets since the data carried by the secure mobile digital health passport agent (SMDPA) is less than those stored in an institutional distributed repository. Hence, despite many existing PSI protocols, a one-way PSI protocol seems the best to fulfill the requirement in this research; therefore, only SMDPA should know the intersection result. Bloom filter (Bloom, 1970 ), Cuckoo filter (CF) compressions, Cuckoo hashing (Fan et al., 2014), original quotient filter (QF), or rank and select based quotient filter (RSQF) (Pandey et al., 2017), can be integrated with the one-way PSI to decrease the amount of transmitted data or stored data by SMDPA. Measuring the best filter that suits our protocol’s design is outside this article’s scope and plans for future work. The setting of our protocol is as follows:

1. Use unbalanced PSI since we assume that one party has a set with 10 or few hundred of data (SMDPA) and the other party might have a set with a few million to billion data records.

2. Assume a one-way PSI protocol to interact with the server agent to minimize the amount of overhead inherited by the two parties (mutual).

Assume a PSI-based enrichment scenario since both parties, the SMDPA and the server agent, want to (i) apply joint between their datasets without revealing any unnecessary information and (ii) enrich joined records with variables from both SMDPA and the server agents. For example (see Table 5), Given set A = {age: 8–60, 4–80, 17–50, 17–45; DH: COVID-19, Ebola, Type2 Diabetes, Hepatitis C; HR: one-dose, two-doses, quarantine, health insurance; GZA: USA, Germany, KSA}, and set M = {PN: p12, age: 32, DH: COVID19, HC: one-dose, Date: 1/1/2023, TH: China, USA, KSA, UAE}. Thus, M ∩ A = {P12, 32, USA, Germany, KSA, Mall, Restaurants, Hospitals, one-dose, 1/1/2023, China, USA, KSA, UAE}. An example of elements that should remain outside the intersections {Nationality, Religion, and Travel history}; such information can be subject to discrimination, refusal of employment, social media, racial, religious profiling, advertisements, or scams.

The goal of this protocol is to prove eligibility while hiding an individual no essential identity. While several existing PSI protocols and variations encounter many computational and communication overhead issues, SMDPA should overcome communication and computation overhead as a mobile agent. An agent can allow code and data to carry their security or protection mechanisms wherever they travel. This improves traditional security solutions, where a stationary platform manages security and protection. Let us consider the following examples. An immigration and immunization service department or health care agency:

1. Want to ensure that passengers have no severe health cases so that they can be allowed entry but denied or directed to an international event. Neither the passenger nor the agency wants to disclose their data, but both want to know the intersection.

2. Compare their databases of common health diseases with tourists while respecting international and local privacy laws that prevent them from exchanging or revealing information. Thus, they can share minimum allowed information related to subjects of interest matter.

3. Identify visitors who visited countries with high infection rates without identifying the countries or placing travel restrictions.

4. Check its database of hazardous diseases against foreign air carrier-passenger digital health passports without both parties revealing their set of data. Such passengers might be denied flying into a particular restricted zone.

To design the PSI protocol, the following points are to be taken into consideration:

1. The size of the dataset in both parties. For example, the size of M and A. SMDPA datasets M is expected to be small compared to those owned by an institution or interacted agency.

2. The level of privacy and security needed to tackle any adversarial attacks.

3. The resource-constrained or computational power for smart mobile devices since multiple cycles of interactions are not recommended. SMDPA is not required to download large datasets nor perform an intensive computation that might drain the battery.

Example 1

In this example, let’s assume there are two datasets. Set A contains private data that are encoded as integers and have {0, 5,10, 15, 20, 25, 30, 35, 40, 45, 50}, and Set B includes information related to site restriction and health requirements that are also encoded as integers as follows {0, 4, 8, 12,16, 20, 24, 28, 32, 36, 40}. So set A $\cap$ Set B = {0, 20, 40} and hence the intersection size (IS) is 3.

We assume that IS a factor that determines the place of visit for an individual in a crisis-based situation. Based on IS and the intersection matching result (IMR) values, three levels of bit passing coin (BPC) are generated. BPC is a single access permit value that permits an individual to access an institutional area (say, an airport, hospital, school, etc.).

Each level of BPS is represented by a color described as follows: (i) green: an individual is fully permitted to enter any place in the green zone based on his health status determined by the set intersections. BPC_G denotes BPC passing for green zone areas. (ii) Yellow means an individual can access the yellow zone area. BPC_Y symbolizes BPC passing in yellow zone areas. (iii) Red indicates an individual is permitted to access the red zone area. BPC_R implies a passing permit in red zone areas. IMR contains interesting elements describing specific medical and personal data. Note that the number of generated BPCs varies from person to person, considering individual health and personal information such as medical history, age, vaccination, etc. Therefore, it depends on a particular health condition. There is a threshold TH value that manages the generated BPC. TH categorizes BPC into three levels described above, which are represented as Level 1 (L1), Level 2 (L2), and Level 3 (L3), as shown in Algorithm 1, Table 6.

Example 2

Let us assume a scenario where IS & IMR indicates an individual can visit the green zone area, assuming IS & IMR $\le$ L1. In this case, an individual is granted nBPC_G to be deposited in his coin passing wallet (CPW) as n(BPC_G). This means he can access only n green zone areas daily. Note that the number of generated BPCs depends on other factors, such as individual health, data records, and vaccinations. It is specifically determined during the first privacy set intersection, which is assumed to be at the airport’s first entry point. Let A be an encoded dataset of ten elements {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}, B encoded dataset of nine elements {0, 1, 3, 4, 5, 6, 7, 8, 9, 10}. A $\cap$ B = {1, 3, 4, 5, 6, 7, 8, 9, 10}. Assume the threshold TH sets its first level L1 to be nine or more for a green zone. In this case, n BPC_G is generated and deposited into CPW since IS $\le$ L1, (9 $\le$ 9 ) and IS {elements} € IMR. TH can also be arranged to generate the number of allowed BPCs for L2 and L3, described as the yellow and red zones.

Algorithms description

Tables 6 and 7 show the algorithms presented in this scheme. Table 6 algorithm is described as follows: (i) The result of the sets intersection size of the secure mobile digital passport agent (SMDPA) and the airport agent stored in variable IS. (ii) There are three levels of threshold presented as L1, L2, and L3 such that L1 is the largest, L2 the second largest, and L3 the lowest. (iii) Using the random number generation function to generate n BPC, then getting stored in CPW according to the three branching logic to determine the order. The logic compares the largest, median, and smallest threshold with the set intersection size. It generates n BPC because the larger the intersection, the more BPCs will be generated to be stored in CPW. CPW is modeled as an ArrayList object. Table 7 shows algorithm 2. It presents an enhancement for algorithm 2. It takes the average of L1 and L2 and compares the result with IS. Else takes the average of L2 and L3 and compares the result with IS.

To accelerate Algorithm 1, we used the dichotomy strategy to find the middle point between L1 and L2 and then compare the result with the intersection size IS. We use dichotomy to determine the optimal threshold value that speedup up the comparison process between intersection size and the set thresholds. The dichotomy is used for sorting, but we use it in our algorithm due to its success in solving other problems. We set L1 = 17 and L2 = 12. The proposed protocol assumes that the set stored at the airport authority is static. Hence to prove the proposed scheme’s concept or practicality, the size of the ArrayList that represents the airport’s authority or data repository was 23 values encoded as integers. The size of datasets sent by SMDPA was between 1 to 5. We did not implement the encryption and decryption process. However, we simulated the set intersection using two agents one is SMDPA, and the other is the Agent that represents the airport authority.

System model

This sub-section presents the components of the proposed SMDPA solution (see Fig. 3).

(1) Secure mobile digital passport agent (SMDPA): is a software construct based on a mobile agent that encapsulates data and its privacy and security operations policy. The proposed scheme modified the solution proposed in Sarhan & Carr (2017) as follows: (i) private set intersection (PSI) is employed as a data protection scheme that also manages the privacy access policy and data evaporation. We assume the privacy policy contains two attributes labeled as time and location to control the trigger of the data minimization procedure in a specific time and geographical location. This should deal with issues related to privacy compliance. To balance the CIA-Triad, a self-destruction feature (Sarhan & Carr, 2017) was excluded as we feel that such a powerful feature is against the data security policy in maintaining data availability. The proposed solution inherits the data evaporation feature presented by Othmane & Lilien (2009), which we call data minimization. Data evaporation or data minimization is an essential feature of the proposed scheme. However, it is outside the scope of this article to discuss data evaporation in detail. In the Sarhan & Carr (2017) scheme, attribute-based encryption is used, so the logical network location and actual time are labeled as location and time attributes. Hence, the data evaporation was applicable when a specific time or location met certain conditions. The private set intersection scheme used in this article needs to be reconstructed to guarantee data evaporation while ensuring data privacy. For example, Sparka, Tschorsch & Scheuermann (2018) proposed a P2KMV algorithm that performs set computations to provide set intersection cardinality and data minimization.

SMDPA-sub-components & features

(1a-1) Java agent development framework (JADE): Jade is an open-source agent framework with numerous built-in and add-on functions and libraries. It can be utilized to develop distributed applications, support the J2ME platform and wireless environment, and provide decentralization environments in many operating systems. Its rich communication protocols can provide inter-platform and intra-platform messaging (Bellifemine, Caire & Greenwood, 2007).

(1a-2) Jade with lightweight extensible agent platform (Leap) Add-on: Jade Leap is a multiagent systems (MAS) environment combined with Jade to support mobile phones.

(1a-3) Java J2ME: Java 2 Platform, Micro Edition or (J2ME) is a Java version or edition designed to address limitations on the application running on embedded systems and mobile devices with limited processing power and memory. Many devices support J2ME because it is simple and easy to implement. It is used for portable code for embedded and mobile devices.

(2a) SMDPA-Security policy: SMDPA, like active data bundles using secure multi-party computation (ADB-SMC) (Sarhan & Carr, 2017), encapsulates a privacy and security policy with the digital health passport data. The policy protects and controls digital health passport data’s security, privacy, and anonymity. In addition, it controls how data are being intersected and minimized when interacting with other parties. The decentralized cryptographic protocol that protects data is described next:

(2a-1) Private set intersection (PSI): SMDPA protects its data using PSI, a robust, secure multiparty computation or privacy-preserving protocol that makes two parties compute the intersection of their data and output only the intersected data. The purpose of using PSI is to share and process data anonymously between two parties and guarantee flexible control of the movement of individuals during a crisis. For example, travel passengers might be directed partially to visit certain areas and restricted from entering others. PSI can ease travel while providing anonymity for the passengers. This should deal with profiling or any form of discrimination concerning race or other discriminatory cases. For example, Asian Americans have experienced anti-Asian discrimination fueled by the crisis of COVID-19 (Gover, Harper & Langton, 2020). Also, the SMDPA policy uses two attributes for privacy minimization service, described next.

(2a-1-a) Homomorphic encryption (HE): is a secure public key (PKI) encryption scheme that makes two parties perform computation on encrypted data. This should ensure privacy for the datasets where only one side needs to encrypt and decrypt. He is beneficial, especially in the case of multiple parties do not exist, or there were a limited number of participants to use secret sharing for secure multi-part computation as the case in our protocol.

(2a-1-b) Paillier cryptosystem: is a partially homomorphic encryption that permits two kinds of computation on ciphertext: (i) addition and (b)multiplication. The proposed protocol is extended based on the Paillier cryptosystem to reveal only the intersection size for SMDPA. In addition, both SMDAP and the server agent perform private cardinality matching. More detail is found in Freedman, Nissim & Pinkas (2004).

(2a-2) Time attribute: SMDPA is assumed to use time attribute to deal with specific lockdown scenarios or travel policies. The time attribute can be used as an example to remove any travel data restriction concerning vaccination against certain diseases. For instance, post-COVID-19, some countries imposed travel requirements for air passengers that requested travelers to wait 14 days after a specific dose of vaccine (CDC, 2019).

(2a-3) Location attribute: SMDPA is assumed to use location attributes to deal with travel policies imposed by some geographical regions and privacy policies like the general data protection regulation (EU GDPR), which address data transfer outside the EU. For example, the SMDPA data minimization feature can evaporate data concerning individual health status and data privacy under specific time and location requirements.

(2a-4) Bit passing coin (BPC): BPC is an idea that is presented from the coin vending game machine. It states that the result of a set intersection between SMDPA and the entry point (airport) distributed repository server agent should generate BPCs in three colors: Green, yellow, and Red. For example, Green BCP should permit a person to move freely and access a protected zone during a crisis. Yellow BCP should allow a person to pass through a particular area. Red BCP should restrict an individual from passing through most of the area and only access the effectively protected zone. Each person crossing a border should receive several BCPs in various colors. The BCPs are determined based on the crisis conditions.

(2) Blockchain: Blockchain is a peer-to-peer technology based on a distributed ledger. It can record the participants’ activities in its network. It relies on several cryptographic applications, such as encryption, hash functions, and digital signature. In Blockchain, data is signed digitally as transactions and then broadcasted. All broadcasted transactions are timestamped, grouped, and hashed orderly into blocks forming unique identifiers of blocks. Integrating multiagent systems (MAS) into Blockchain has many benefits, including (i) addressing scalability issues in Blockchain, (ii) managing the large datasets stored in the distributed database servers that SMDPA, for instance, has to interact with; and (iii) improving digital health passports and healthcare management; (iv) fixing any security limitations in MAS; and (v) adding more flexibility to MAS (Calvaresi et al., 2018). Details about integrating the proposed scheme with Blockchain are outside the scope of this research. However, for future work, we plan to study the serialization and deserialization of SMDPA agents in the form of a Blockchain. Serialization means turning SMDPA agents into a data format, which can be saved into storage and deserialized where applicable.

(3) Preliminaries: Fig. 4 shows the basic PSI protocol adapted from Angelou et al. (2020). The protocol combines Diffie-Hellman (DDH), based PSI, and PSI-Cardinality; and uses Bloom filter compression to minimize communication time. The proposed protocol develops set intersection cardinality (PSI-CA) on top of the Diffie-Hellman (DH) because PSI-CA-based DH gives lower communication costs. First, the airport agent server (AGS) and SMDPA agree on a large prime p. Then, the AGS generates private key α, hash its dataset values a1, a2, etc., and then calculates (ai)^α for each hashed value. Next, the AGS inserts the result “uj” into a bloom filter and then sends it to SMDPA. “uj” corresponds to the item mj (Trieu et al., 2020). On the other hand, SMDPA then generates private key r, hashed its datasets, and then calculates Dj = (mi)^r for each hashed value and sends the result to AGS, which uses its private key to compute Dj’, (Angelou et al., 2020; Trieu et al., 2020). Finally, this protocol is extended to reveal only the intersection size based on the Paillier cryptosystem. Additionally, using PSI-CA that decides if the intersection size is larger than a pre-specified threshold L is also detailed in Freedman, Nissim & Pinkas (2004).

Simulation setup

Table 8 lists the simulation environment specifications. The secure mobile digital passport agent (SMDPA) system is simulated using a personal desktop with a single processor with 8 GB of RAM. The desktop includes the Java agent development framework (JADE) platform and several add-on libraries described in the previous section. Since JADE cannot function properly on small devices, the LEAP add-on is integrated with JADE. Hence, the Jade runtime environment was modified to form JADE-LEAP that can be deployed thereafter on a wide range of small devices. J2ME Configuration uses either connected limited configuration (CLDC) or connected device configuration (CDC). Cell phones or PDA device versions can use either technology depending on memory availability. For example, devices with low memory use CLDC, and devices with better memory use CDC. The researcher used the CLDC of Java Micro Edition (J2ME CDC) to form the JADE-Leap. The configuration of JADE-Leap is based on MIDP, which runs on devices that support Java-enabled cell phones. The simulation management of the SMDPA and the distributed server agent is carried out through Agent.GUI. Agent.GUI also records the interaction performance measurements between SMDPA and the distributed server agent (Derksen, Branki & Unland, 2011).

SMDPA UML diagram design

In this experiment, JADE-LEAP is executed in a split execution mode. The Jade container, as shown in Fig. 5, is split into a backend that runs on a local host and a frontend that runs on a mobile device. Such split of execution suits wireless devices that demand resource constrained (LEAP User Guide, 2003). In this research, the proposed solution was designed using five JADE containers, as shown in Fig. 5. Besides the split container described above, four additional JADE containers were built to model an airport, a restaurant, a school, and hotel facilities.

An external agent manages each container. For instance, an airport officer agent represents an immigration officer at an airport and operates the airport container. Likewise, the hotel agent manages the hotel container while the restaurant agent manages the restaurant container, and so does the school agent to the school container.

Figure 6 shows a model interaction among the entities involved in the secure mobile digital passport agent (SMDPA) protocol. The process goes as follows. First, a passenger arrives at an airport and requests a border officer to digitally assess his digital health passport. Next, the officer performed a cross-border joint private set intersection (PSI) interaction with the passenger. Then, based on the intersection described above in Example 2, n BPCs are generated and deposited into the travel passenger CPW. Finally, the passenger uses one BPC_G to be granted safe entry.

Before interacting with the border immigration officer, a function might be triggered to evaporate data that does not comply with the privacy protection acts. The process is conducted through the location attributes that check the IP address of the destination, and that decide what data are needed to be evaporated before performing a joint privacy set intersection with the border officer. The travel passenger, afterward, moves freely. However, he might be restricted from visiting certain zones, or being granted a few visits to others. This depends on the PSI result of the first interaction with the border officer. For example, Fig. 6 demonstrates that if a traveler wants to visit a green zone area, say a restaurant, a request is sent to the restaurant agent. The restaurant agent demands a BPC_G, and the passenger checks his coin passing wallet (CPW) account and deposits one BPC_G. The restaurant agent then permits the passenger to enter the restaurant.

In another scenario, as shown in Fig. 6, the passenger wishes to enter a school and finds out it is modeled as a yellow zone area. The passenger sends a request to access the school campus. The school agent requests the passenger to deposit BPC_Y and then permits the passenger to access the school campus. In a third scenario, the passenger wishes to stay at a hotel. He sends a request and finds out that the hotel is modeled as a red zone area. He sends a bid and is asked to deposit BPC_R, which he deposits, and is granted access. Note that, as described above, the number of issued BPCs and their levels is predicated largely upon both the passenger’s personal and health information, on the one hand, and the visited countries’ rules and restrictions, on the other hand, and all interactions are expected in a secure private manner.

Results

SMDPA Prototype evaluation using JADE and Agent.Workbench

This research evaluated the proposed scheme’s integrated architecture prototype using Agent.Workbench (Derksen, Branki & Unland, 2011). The CPU usage is analyzed to track the agents’ CPU load on the machines. This should account for CPU resource consumption and help enhance interaction and intersection algorithms. Figures 7 and 8 show a performance chart for monitoring the experiment’s performance metrics. It measures the CPU Load’s performance during the interaction of the set between the AirportAgent and SMDPA. The performance metrics parameters are delta CPU time in milliseconds for the user, delta CPU time in milliseconds for the system, and the total CPU time for the user and total CPU time for the system. The idea is to track and observe the ways in which the proposed approach consumes CPU based on the set intersection.

The “Agent.Workbench” tool generated two hundred seventy-eight samples. The presented chart illustrates a slow increase in the CPU load during the interaction between the Airport Agent and the SMDPA. Hence, agents’ average CPU usage is lower than the device’s total CPU load.

Nevertheless, CPU user time refers to the processor’s time to execute agents’ code, such as intersection, messaging, migration, and code libraries. The CPU system time refers to the execution time for running code in the operating system kernel. Hence, the total CPU time combines the agent action CPU time, and the kernel system calls time. Likewise, CPU delta time represents CPU times spent during intervals. Note that the sampling interval in our experiment was 0.5 s.

To evaluate the efficiency of SMDPA, we created a Java scheduler class to schedule and run the system agents and used “Agent.Workbench” thread monitor to collect CPU load data at an interval of 0.5 s. The thread monitor collects performance data for the agent communication language (ACL) messages during the interaction between SMDPA and airport agent. The performance metrics parameters are delta CPU time in milliseconds for the user, delta CPU time in milliseconds for the system, and the total CPU time for the user and total CPU time for the system. The idea is to track and observe how the proposed approach consumes CPU based on the set intersection. The “Agent.Workbench” tool generated two hundred seventy-eight samples. The datasets recorded the following metrics: the Date, DELTA_CPU_SYSTEM_TIME, DELTA_CPU_USER_TIME, TOTAL_CPU_USER_TIME, TOTAL_CPU_SYSTEM_TIME.

The collected datasets are recorded into a file as comma separated values (CSV) or comma delimited. Then cleaned and transformed for analysis and visualization. The data symbolize the private set intersection between SMDPA and the airport agent.

Figure 7 shows the utilization rate, which is the percentage of CPU utilization or CPU total work for the set intersection and ACL exchange messaging or message interaction between Agent SMDPA and the airport agent. The figure also shows that the experiments involved 279 iterations (279 runs) which mean 279 set intersection and ACL messaging between the airport agent and different version of SMDPA. The figure shows during the execution or running of the experiment, the line graph for the percentage of CPU utilization when executing at the system level (kernel) grows exponentially compared to the percentage of CPU utilization at the application or user level. The CPU load is monitored to estimate and maintain application and system consistent performance to avoid system failures. This could indicate that the airport agent is recommended to run from a cloud environment relying on multiple hosts to avoid any causes for high CPU utilization.

Figure 8 shows the same data presented in Fig. 7 in different views. The date in the figure represents the point of time for capturing the CPU delta and the total time in milliseconds for the user and the system during the interaction between SMDPA and the airport agent or “AiAg”. Similarly to Fig. 7, the chart in Fig. 8 shows that CPU utilization at the user and system level increase almost linearly, and the gap between the two lines keeps increasing exponentially.

The main result is (i) creating a paradigm that integrates PSI-cardinality (PSI-CA) and agent-based solutions for an innovative digital passport. Then, (ii) developing a prototype implementation for the smart digital passport using JADE. Finally, (ii) measure the performance of SMDPA using “Agent.Workbench” and compare the result with the result of active data bundles using secure multi-party computation (ADB-SMC). The result showed the practicality of the proposed scheme since measuring multi-agent systems (MAS) is a challenge and requires agent infrastructure.

We observe that using PSI-cardinality (PSI-CA) can ensure higher privacy and performance, lower overhead, and better flexibility compared to the similar ADB-SMC that was modeled for a similar problem. Furthermore, SMDPA does not require continuous cryptographic services, as passengers can access restricted zones depending on the number and type of generated BPCs. Hence, there is no need to reveal identities, which should ensure higher security than ADB-SMC.

The utilization system time for the CPU grows exponentially compared to the percentage utilized by the agent application. Thus, using a cloud-based environment for SMDPA and the airport agent intersection and messaging might be a good solution and will be investigated in future work.

We compared the performance measurements of the proposed scheme SMDPA with the one presented by Sarhan & Carr (2017), the so-called ADB-SMC. We noted the followings:

1. Both SMDPA and ADB-SMC integrate agent-based solutions with PKI-based encryption solutions. However, the expected overhead in SMDPA is lower because its privacy policy encapsulates its data with a single layer of encryption compared with ADB-SMC.

2. SMDPA does not reveal data since it relies on PSI-CA, and ADB-SMC relies on attribute-based encryption (ABE), which allows the encryptor to decide who can decrypt the data based on attributes. Hence, SMDPA provides higher anonymity since it relies on intersection size rather than revealing or decrypting the data.

3. To measure the MAS effect on a host computer system, we measured CPU utilization data in SMDPA using “Agent.Workbench” since CPU resources can be variable and unpredictable. We observe the following:

The expected overhead in the proposed scheme is less than the one presented by ADB-SMC. This is due to the following reasons: (1) Although both methods are based on multiparty computations, the cryptographic service in the proposed scheme uses a single-layer PKI system, while the one proposed by Sarhan & Carr (2017) uses multiple layers encryption systems. (2) SMDPA performs PSI-CA only once, and then the generated BPCs control its interaction with other parties, while ADB-SMC, if employed to act similarly to SMDPA, would need to decrypt its data continuously or every time interacts with a party, so it is being observed that overall, SMDPA has lower overhead comparing to ADB-SMC.

Figure 9 shows the average CPU load for ten iterations(runs) of SMDPA. To compare the performance between SMDPA and ADB-SMC, compared with ADB-SMC (Sarhan & Carr, 2017), SMDPA has a lower average CPU load which is approximately 775 milliseconds (ms) compared to about 900 ms for ADB-SMC. Thus, SMDPA performs better than ADB-SMC.

SMDPA algorithms evaluations

The investigator described two algorithms for SMDPA communication and interaction with other agents in the architecture and design section. In this section, the performance of these algorithms is measured. The two algorithms are implemented using Java, and precisely measure the elapsed time for code execution using Java.System.nanoTime(). System.currentTimeMillis(). A Java random number generation function was used to model the stream generation of Bit Passing Coin (BPC) and used an ArrayList object to model CPW, so storing the generated stream of BPC. Three loops were used to create three BPC levels and measure their elapsed time. The researcher generated 250 instances for each of Algorithm 1 and Algorithm 2. Figure 10 indicates the enhanced SMDPA Algorithm 2 has a better average execution time than Algorithm 1.

Simulation limitation

The result shows the viability and practicality of the proposed approach; however, the researcher simulated the private set intersection (PSI) protocol using a set of integers on the grounds that he assumes data can be encoded as integers. It falls outside the scope of this work to extend any PSI protocol, as the main purpose of this article is to highlight the practicality of agent-based solutions in modeling crises. The researcher believes that the most suited PSI protocol for this work should be a one-way PSI in which interaction is performed at the SMDPA.

The emulator used is to prove the concept of the proposed solution. As for future inquiries, the researcher plans to use smart mobile device-based android. The split execution mode used to simulate the proposed work could affect the result in contrast to the stand-alone execution mode, where a complete container could be executed on the device execution mode. The investigator used the split execution mode as recommended by LEAP User Guide (2003) as the most effective when running JADE-LEAP on a personal CLDC device where mobility features are needed. This research focused on measuring the performance overhead of SMDPA and the airport agent or first agent to interact with SMDPA, asserting that the highest overhead time should occur during the set intersection process.