Blockchain Tree as Solution for Distributed Storage of Personal ID Data and Document Access Control

This paper introduces a new method of Blockchain formation for reliable storage of personal data of ID-card holders. In particular, the model of the information system is presented, the new structure of smart ID-cards and information on these cards are proposed. The new structure of Blockchain, “Blockchain Tree”, allows not only to store information from ID-cards but also to increase the level of security and access control to this information. The proposed Subchains system allows us to integrate Blockchain of the lower level to Blockchain of the higher level, allowing us to create a multilevel protected system.


Introduction
The use of information resources and government services in the modern world implies unambiguous user identification. To this end, many states create so-called digital personalities. The most famous example of such a system in the EU is Estonia. In this country, every citizen can get not only the usual ID-card for the EU countries but also the mobile-ID. Using their digital ID, an ID-holder may get an online access to most government services, remotely open a bank account, register a company, make an appointment for a doctor, etc.
The physical medium of such an identifier is an ID card [1], [2], [3], [4], [5]. All countries of the European Union issue national ID-cards to citizens and residents.
The chip of the card stores information about its owner: full name, gender, national identification number, fingerprints, cryptographic keys and certificates.
A card holder has the right to use the ID-card as an identity card for travel through the territory of the European Union and for crossing its external borders both for entry and exit from the countries of the European Union, the European Economic Area, including Iceland, Norway and Switzerland.
We consider the issue of this cards security, because a single card contains a key to all personal data of a citizen.
Firstly, the chip on a smart card is a sufficiently protected microcomputer that has a microprocessor, a cryptographic co-processor, and some memory (flash or EEPROM). Unlike a standard micro-controller, an access to the memory of a smart card is strictly controlled by the processor. Thus, both reading and recording of the data are regulated by the software of the card itself. Moreover, chip manufacturers are taking measures to prevent unauthorized access (copying all the memory, reprogramming) to the card at electronic and physical levels.
Secondly, all the data in the card is encrypted (in the Estonian map 2048 bit encryption is used). Thirdly, the downloaded applications (applets) cannot be read from the card by anyone, including the cardholder (an applet can only be erased and a new one should be written instead of the erased one on its place).
You can only pass a command to the applet and get a response.
Fourth, you need a PIN-code for the card, and sometimes two: the first one for authorization and the second one for confirmation of operations.
However, despite all the advantages of such protection, the system is not secure from unauthorized changes of personal information from the inside (for example, due to server hacking, etc.), from creation of fake digital personalities on the basis of which can be used to obtain legal documents and from sale of per-sonal data to external interested organizations (a recent example of Facebook).
In addition, the analysis of Internet search results for buy EU ID-card shows an abundance of offers to sell clones of real EU documents. Using Blockchain technology [6] can help eliminate the first two threats and increase control over the use of such information by authorized users. Blockchain is a well known technology used in Bitcoin [7,8,9] and other cryptocurrencies [10,11]. Successful attempts are also being made to introduce this technology in areas of bank transfers [12], logistics [13], energy [14], IoT [15], [16] and healthcare [17].
Blockchain, by definition, is a distributed database in which each subsequent block containing information is associated with the previous one. The generation of each block must be confirmed by other participants. Nowadays there are several concepts of the Blockchain consensus algorithms -Proof of Work (POW) [18], [19], Proof of Stake (POS) [20], [21], Proof of Importance (POI) [22], Proof of Activity (POA) [23] etc. The most common algorithm is Proof of Work.
However, this algorithm uses too many resources to generate blocks; it is too slow and in many cases not necessary for building a block system. For example, when all nodes of a network are well known and are state organizations. This structure of chain may be used for implementation of Blockchain in systems for checking Smart Tickets in transport, driver licenses, education degree documents etc.
The structure of this paper is as follows. In Section 2 we analyze the model of information system utilizing ID-cards, ID-card structure and the structure of information in ID-card. The results obtained of the study are introduced in Section 3. Finally, we present the conclusions obtained from our research and discuss the possibilities for future work in Section 4.

Background
We further consider the methodology we propose for constructing Blockchain for the network, all nodes of which are verified servers of "Migration Police" that store personal information about citizens and existing ID-cards. 3

Information system model
The model of information system utilizing ID-cards handling consists of the following major entities: • citizen ID-cards; • data of registered citizens (database in a wide sense); • tools for ID-cards verification; • tools for database administration; • tools for new ID-cards issuing.
The interaction between them can be presented schematically (Fig. 1). where: P D is a set of EU citizen's personal data that concerns citizenship; DB 4 is a set of database elements used by legal officers during performance of their duties; ID is a set of all ID-cards issued so far.
It is obligatory for ID and DB to contain corresponding data for a given citizen.
The latter is possible only in case, when these sets are isomorphic in relation to contained data DB ⇔ ID . Consequently, their power should be the same DB = ID and for the given i ≤ DB , i ∈ N the following isomorphic equality is to take place db i ⇔ id i , where db i ∈ DB and id i ∈ ID. The latter is correct only when DB and ID are both particular instances of sets lists, i.e.
bounded ordered sets. As it was mentioned above, ID-card issuing process is an object of ID-card forgery attack, which mathematically can be described in the following form: ∀pd j ∈ P D, M anuf acturing(pd j ) / ∈ ID; ∃db i ∈ DB, ⇔ M anuf acturing(pd i ).
This presentation shows that it is essential to have unattached database entry index to the ID-card. Lists could solve this issue, but their ability isn't enough, because the given i-th element could be replaced. That's why we suggest using data structure, which allows adding information to the DB, but forbids its deletion, replacement or alteration of Blockchain, where data from the respective ID-card would be bonded to one block.
The other relation shown on Fig. 1 is ID-card verification. The process can be presented in the following form: In the case when a Blockchain is used for data storage, the verification operator includes block number comparison, addition to the usual data content and its hash digits comparison. Moreover, fixed Blockchain structure and distribution would help to prevent attacks focused on database content. Bearing in mind above mentioned results, the scheme presented on

ID-card structure
The ID-cards are used as citizen authentication factor as well as a tool for Blockchain interaction. The latter is essential in the case when Blockchain is created as shown on Fig. 4. In the case, ID-card user gains additional protection against intrusion into respective SubBlockchain. For instance, if intruder tries to fake his identity, he would have to break both country's security measures and signature, generated by ID-card. The signature is created by the key derived from user-specific data (e.g. fingerprints) and ID-card specific data.
To implement this feature ID-card should contain chip that provides inter-6 action with application interface of the Blockchain. The chip needs to have the following major blocks: • encrypted memory, which contains personal data (i.e. respective block or SubBlockchain's genesis block); • private key derivation block for avoiding private key leakage; • signature creation block for validating changes of personal data, which could be performed when certain personal data is changed; • interface for external interaction.
The generalized structure of ID-card processor is shown on Fig. 3. Interaction with ID-card could be performed in several ways, so certain protocol should be used. The most common task of an ID-card is providing data.
Therefore, in this case ID-card would function in the following way: • reading interface query and transmitting it to the interaction protocol support block; • validating the correctness of the query and determining the data fields of ROM, which are to be accessed; • sending respective addresses to ROM and transferring them to interface; • sending data according to the interface query.
Despite the comparative rarity of the cases, when data of the person is changed, still in most cases it shouldn't be performed without this person. To validation of this changing the person is to possess ability to sign such transactions for instance by using the card. For this purpose, the following steps should be performed: • receiving respective frame-command interaction protocol support block is to wait for additional personal data input; • after respective data input is received interaction protocol support block transfers it to private key derivation block and sends query to respective fields of ROM for ID-card specific data; • using inputs private key, derivation block yields key and sends it to signature creation block; • meanwhile, interaction protocol support block sends data to be signed to signature creation block, where respective signature is obtained and outputted via interface.

Block structure (Information structure on a chip)
The block consists of the following main parts: header, data, block hash.
Header structure is determined by Blockchain consensus rules and as such is heavily depend on particular protocol implementation. The most common fields of the block headers and the ones, used in particular cases are the following ones: • version -contains version of the block, which defines structure of other block's fields, used consensus protocol peculiarities, presumed forks markers etc; • hash value of previous block -the integral part of any Blockchain, which provides cryptographic proof of its integrity; • hash value of block content -generally is used for data integrity protection, but in the considered case of use it is also essential for rapid Blockchain content search; • creation Timestamp -primary intent is to boost protection by limiting potential forger by this field value (its value must be in time window between the blocks preceding and following creation timestamps (Creation Timestamps)), while the field could be used to aid stored data processing; • creator identifier of authentication data -is supposed to determine the source of the block (node) as for legal data all sources, i.e. nodes, are to be determined and be authorised by respective government structures.
In this particular case, several sources might act as creators of transaction.
For instance, in case of citizenship changing, the citizen and respective governments are such source. That's why the multisig technique should be used for this type of transactions.
Header may include other meta-data depending on the consensus, such as nonce and difficulty for PoW consensus or number of included transactions for Blockchains where this number can vary. The example of EU ID-card is Estonian ID-card.
The Table 1 shows the contents of a personal data file stored on an ID-card [18]. We suggest adding extra areas in the chip memory. Thus, the data part of the block will include holder's information as it is shown in the Table 2. In order to provide whole block integrity we suggest using extra hashing of its content, i.e. header and data. The latter hash value is to be used to alter of the blocks.

Blockchain for a database
The proposed network structure is a classical peer-to-peer (P2P) topology, in which all elements are interconnected (Fig.4).  The nodes of this network are servers of the regional branches of the migration service, which has the right to issue documents to residents (ID-cards, passports, etc.). All nodes are equal. The network has a fixed number of nodes.
Each node is verified and included in the list of approved nodes. This list is stored on each node and only devices from this list can create new blocks. The structure of the chain has the form shown on Fig.5. Each block contains information about one ID-card. Transactions are personal data of ID-card holders. Created block must be confirmed by more than 13 50%+1 of verified nodes. After that, information is written in the block, added to the chain and sent to other nodes. Thus, each element of the system stores a complete Blockchain. In the case of detecting a change in information in an existing block, this block will be automatically replaced with the "right" one that exists on at least 50%+1, of other nodes of the network. Given that the blocks in the chain are sequentially linked to each other, the alternation of one block will lead to change of the entire chain. This will be detected and corrected by the rest of the network nodes. Such an algorithm prevents the creation of fake personalities in the system with dates in the past.

Blockchain integration
It should be borne in mind that the EU is building a common system for recording and controlling issued documents while building a system for protection of personal data. Therefore, it is necessary to take into account the possibility of integration of the proposed system with a system of a higher level, for example, the EU. We offer two possible options for such integration. In the first variant, we take into account that the local Blockchain was created by each country separately and it is necessary to integrate them into a single system.
To do this, it is planned to create a single EU Blockchain, which will contain blocks of local chains as transactions. In this case, the order of recording specific blocks of each country will be specified separately (Fig. 6).  It should be noted, that in the case of the creation of a single system for all EU countries "from scratch", there will be no need to integrate national systems. It is enough to add a marker of the country that issued the document (the country of the creation of the block).

SubBlockchain for access control and evaluation of ID-cards
In addition to creating fake personalities, there is also a threat of unauthorized access to personal information as well as its transfer by users to third parties. To control access, it is proposed to create a SubBlockchain, which will record information about each access attempt to a specific block and the use of information from it. The structure of such a circuit is shown on Fig. 8. If the national chain will be integrated into a higher level system as described above, the scheme for constructing the Subchain has the form shown on Fig. 9. Specialized police scanners, smartphones with NFS module and fingerprint scanner may be used for checking the documents. In this case, the device receives HASH for the checked document from the closest node of the system and compares it with the HASH of the submitted document. Identification of the owner of the document is done by built-in fingerprint sensor.

Mathematical model
Mathematical structure of the main complete chain is: Here n -the modes number of main chain.
Analytic expression, describing the structure of the complete chain (Fig.7), will have the form of (1). (1) where the notation is as follows: m -number of elements in a Subchain; nnumber of elements of the main chain.
BC can be described by the following formula, in the case described in 3.3 of Fig.8: In the case of creating an additional Subchain for the control of personal data, the formula (3) will take the following form: The BC structure described on Fig. 6 can be represented as follows: here B 0 , B i -the blocks which constitute the main chain (EU chain); B jthe blocks which are constitute the chains of each member-country.
Then, taking into account the second Subchain storing information about access to personal data:

Summary and discussion
In this paper we introduce a novel methodology based on Blockchain for building storage, access control and document verification mechanisms for migration control area. The proposed work is based on Subchains, connected to a main Blockchain and each other. The solution is more security than currently existing due to use the mutual intersection of several Blockchains in the one system. This makes the process of hacking and falsification of critical information more difficult, since in the event of an attack it will be necessary to change not one but several Blockchains, which considerably increases the cost of such an attack and makes it unprofitable for the attacker. The noted above methodology for building a storage system, access control and document verification can be used not only for ID-cards but also for other documents, such as driver's licenses, education documents, personal medical information and social security cards, etc. The proposed methodology still requires further improvement in order to contribute to its reliable implementation and legal compliance (in particular referring to GDPR). For example, we left out some problems of building real networks, such as devices and communication lines delays. In our future work we will consider the problem of using various consensus algorithms with different types of Blockchains. Also, this work did not address the use of specialized equipment for checking documents in the field with the creation of a separate closed network and using these devices as nodes of such a network.