A pill box with biometric access control and web connection (work in progress)

Eiji Okamoto (okamoto@is.tsukuba.ac.jp), Institute of Information Sciences and Electronics, University of Tsukuba
René Peralta (peralta@cs.yale.edu), Department of Computer Science, Yale University

1 Introduction

Because of the increased connectivity of households to the Internet it is now possible to consider the latter as a medium for delivery of a variety of social services. In this work, we propose dispensing prescription drugs remotely via specialized internet-enabled devices. To our knowledge, there are no such medication delivery devices in use at this time, although the idea has most probably been considered by the pharmaceutical industry.

2 Smart pill boxes

We envision a class of smart, portable devices equipped with biometric access controls. These devices will be brought home by the patient and will be connected to the Internet in a variety of possible ways. They will perform on-line and off-line tasks that will translate into more effective controls at reduced costs.

- They will help the patient follow prescribed treatments by keeping track of medication dispensed, issuing audio and/or visual alarms when a dosage is missed, and refusing to dispense more than the prescribed amount of medication.
- They will reduce the number of pharmacy visits for medication pick-up. The number of pills dispensed at each pharmacy visit is often constrained by the danger that the patient may take too many of the pills at once. The biometric access controls will prevent this. The number of pills is also constrained by the vendor's need to be assured of payment. Since these devices will be connected to the Internet, the system can remotely lock the pill box due to lack of payment (or other contingencies, such as recalls).
- They will safeguard the supply of medication from undetected theft by third parties (usually household members). Some of the drugs that end up for sale, say, at high schools are stolen, in small amounts, by children from household medicine cabinets. The biometric access controls would prevent this.
- They will increase the level of confidence of the health professional in the medication being taken as prescribed. In particular, the system will be capable of issuing a remote warning when the patient stops taking the medication. This is important in the case of some psychiatric patients, the elderly, the mentally impaired, and those patients taking drugs that must be taken for a period of time after the patient is asymptomatic (for example, tuberculosis patients).
- They will communicate with automated control and data-gathering systems. In this way, they will support the compilation of aggregate medical data to be used by public health policy makers.

Clearly, deployment of these devices raises security issues pertaining to patients' rights such as privacy and freedom from coercion. Under what circumstances a patient should be coerced into taking medication is a medical, legal and moral issue outside the scope of this work. Patients' privacy, however, can be protected by using modern cryptographic communication protocols. These protocols ensure that messages on the net are both inaccessible to unauthorized parties and carry no more information than is necessary for the message's specific purpose. We will expand on this below.

3 Selective Disclosure envelopes

Modern cryptology offers powerful techniques for the controlled release of information. The devices we propose will use a variant of zero-knowledge proofs called discreet proofs [1]. Discreet proofs are short and non-interactive. They exist for any Boolean predicate whose associated language is in the class NP. Although a discreet proof is simply a string of bits, the details of how it is constructed, and what properties it has, are quite complex. Thus it is useful to create an abstract object which embodies the essential properties of a discreet proof. We suppose that a document is a string of bits containing identifiable fields.
A selective disclosure envelope (SD envelope) is an abstract envelope in which a document can be inserted for digital transaction purposes. When a document D is inserted in an SD envelope by a person P, then the following holds:

- by default D is completely hidden by the SD envelope;
- once in the SD envelope, P cannot alter the contents of D;
- at insertion time, P can choose to disclose (make readable) any field of D;
- for a field d that is not fully disclosed at insertion time, P can issue a discreet proof of any Boolean predicate f(d) (note that f may be chosen after the SD envelope has been sealed and is in circulation).

The role of the SD-envelope abstraction can perhaps best be understood by considering the information contained in one of our pill boxes. All these are possible:
- name of drug;
- dosage information;
- name/address of prescribing physician;
- name/address of patient;
- name/address of health professional directly responsible for monitoring use of the device (the idea is that it should not require a medical doctor's degree to perform this task);
- biometric identification fields (e.g. the patient's fingerprint template);
- medication vendor information;
- patient's medical insurance information;
- payment history;
- history of missed doses;

and many more, depending on the particular patient and condition.

Now consider a communication between the pill box and the medication vendor. The vendor might want to know if payment for this month's supply has been received¹ and whether the pill box contains enough medication for next month. If so, then no more information need be exchanged. If there is a problem with payment, the vendor may trigger a "no payment" exception which would possibly

- involve other parties;
- involve exchange of other information (e.g. the medication name, the health professional in charge, and so on);
- produce vendor-activated actions (anything from a polite warning to a locking of the box), and corresponding audit trail.

If the box needs refilling, then a completely different exchange of information would be triggered. The point of using SD-envelopes is that it allows for these information exchanges to exclude all information not relevant to the immediate need. For example, most of these communications would not reveal the identity of the patient, the identity of the prescribing doctor, or even the name of the medication in the pill box. This is a powerful tool for protecting the privacy of the patient while at the same time enforcing the patient's responsibilities.

¹ This is for illustration purposes only. In practice, collection tasks are usually delegated to a third party: a payment gateway. This natural compartmentalization of tasks in E-commerce further helps with the patient's privacy goal being discussed here.

4 Some technical challenges

Discreet proofs are most efficient in what is known as the random oracle model. In practice, this requires the availability of an independent, publicly accessible source of random bits. Such a service was provided for some time by CCCNS (http://www.cccns.uwm.edu) at the University of Wisconsin. Entropy was obtained from white noise on radio waves and was expanded via standard cryptographic techniques. Several such sources can be posted on the web. This would help against denial of service attacks as well as serve the needs of users who are unwilling to trust any one source (two or more sources can be combined in such a way that all sources would have to be compromised in order to bias the bits in any way). Developing and maintaining a reliable and trusted public source of randomness with the necessary cryptographic properties (e.g. unpredictability) is not a trivial matter. However, the mathematics of doing so have been known since the 1980s.

Another necessary task is to produce software that can help construct discreet proofs for predicates which are frequently encountered in E-commerce. These predicates relate to knowledge of secrets. Secrets, in this context, are bit-strings which satisfy functional equations of the type F(x) = y where F is a one-way function and y is public. The most commonly used one-way functions are based on substitution-permutation ciphers (e.g. DES), modular exponentiation, integer factorization (e.g. RSA, quadratic residuosity), and exponentiation over elliptic curves.

Discreet proofs are circuit-based cryptographic primitives. In order to make these proofs as short as possible, circuits must be designed for each one-way function of interest. These circuits are special in that they should contain only addition and multiplication over GF(2).² Furthermore, the number of multiplications should be as small as possible. This is because the length of discreet proofs is proportional to the number of multiplications in the circuit but independent of the number of additions.
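To make the multiplication-counting point concrete, the following added example (not code from the paper or its authors) builds an n-bit ripple-carry adder as a GF(2) circuit in two ways and counts the multiplications in each. The adder is only a small building block chosen for illustration, not one of the one-way functions named above; all class and function names are assumptions of this example.

```python
from itertools import product

class GF2Circuit:
    """Evaluates gates over GF(2) and counts additions and multiplications."""
    def __init__(self):
        self.adds = 0
        self.muls = 0

    def add(self, a, b):      # addition over GF(2) (XOR)
        self.adds += 1
        return a ^ b

    def mul(self, a, b):      # multiplication over GF(2) (AND)
        self.muls += 1
        return a & b

def carry_naive(c, a, b, cin):
    # a*b + a*cin + b*cin: three multiplications per bit position
    return c.add(c.add(c.mul(a, b), c.mul(a, cin)), c.mul(b, cin))

def carry_one_mul(c, a, b, cin):
    # (a+b)*(b+cin) + b: the same carry function with one multiplication
    return c.add(c.mul(c.add(a, b), c.add(b, cin)), b)

def ripple_add(c, x_bits, y_bits, carry_fn):
    """Add two little-endian bit lists; returns sum bits plus the final carry."""
    out, cin = [], 0
    for a, b in zip(x_bits, y_bits):
        out.append(c.add(c.add(a, b), cin))
        cin = carry_fn(c, a, b, cin)
    return out + [cin]

def to_bits(v, n):
    return [(v >> i) & 1 for i in range(n)]

def from_bits(bits):
    return sum(b << i for i, b in enumerate(bits))

def mul_count(n, carry_fn):
    """Check the n-bit adder on every input pair; return its multiplication count."""
    count = 0
    for x, y in product(range(2 ** n), repeat=2):
        c = GF2Circuit()
        result = ripple_add(c, to_bits(x, n), to_bits(y, n), carry_fn)
        assert from_bits(result) == x + y, "circuit does not compute x + y"
        count = c.muls
    return count

if __name__ == "__main__":
    for n in (4, 8):
        print(n, "bits:", mul_count(n, carry_naive), "vs", mul_count(n, carry_one_mul))
```

Both circuits compute the same function, but the second uses a third of the multiplications while using more additions, which is the trade the text says costs nothing in proof length.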
The second author, along with Michael Fischer at Yale, has implemented selective disclosure envelopes for another E-commerce application (on-line Vickrey auctions). This work has provided us with a proof-of-concept as well as ballpark efficiency measures.

Another task is related to circuit complexity: in [1] it is shown that the length of a discreet proof (of knowledge of a secret S which satisfies a circuit C) is at most

4rθ + 2rk = 4θ(log_2(2θ) + r) + 2rk = 4θ log_2(2θ) + r(4θ + 2k)

where

- θ is the number of conjunctions in C;
- k is the length of one bit-commitment;
- r is a security parameter such that the probability that a false proof goes undetected is of the order (1/2)^r.

Thus, the minimum number of conjunctions necessary to build a circuit for a given function f over the base (, ) is of much interest to this work. We call this complexity measure on f the multiplicative complexity of f and we denote it by f (). In [2] it is shown that the multiplicative complexity of a random function is approximately the square root of the Boolean complexity of the same function. The exact multiplicative complexity of classes of functions of interest to cryptology is not known. However, it is reasonable to expect that they too have a much lower multiplicative complexity than Boolean complexity.

² Note that the Boolean operators (, ) correspond to (addition, multiplication) over GF(2).

5 Looking further ahead

In Japan, remote sensor-based devices that perform automated lab work, such as urine analysis for diabetics, have been developed and are already in use. The technology that we propose should eventually be merged with the latter sensor-based technology. This will enable the amount of medication dispensed to vary according to the patient's condition.

References

1. J. Boyar, I. Damgård, and R. Peralta. Short non-interactive cryptographic proofs. Journal of Cryptology, 13:449-472, 2000.
2. J. Boyar, R. Peralta, and D. Pochuev. On the multiplicative complexity of Boolean functions over the basis (,, 1). Theoretical Computer Science, 235:43-57, 2000.
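Added example (not the authors' implementation): a sketch of the first three SD-envelope properties of Section 3, using per-field salted hash commitments in place of discreet proofs. It does not implement proofs of predicates f(d) on undisclosed fields, and it leaves field names visible; the record contents and all function names are constructed for this illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample pill-box record (illustrative values only).
SAMPLE_BOX = {
    "drug_name": "EXAMPLE-DRUG",
    "patient_name": "Example Patient",
    "payment_received": True,
    "doses_remaining": 12,
}

def _commit(name, value, salt):
    # HMAC-SHA256 keyed with a random salt: hides low-entropy values,
    # and binds the field name and value once the digest is published.
    msg = json.dumps([name, value]).encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()

def seal(document):
    """Return (public envelope, private openings kept by the inserter P)."""
    openings = {n: (v, secrets.token_bytes(32)) for n, v in document.items()}
    envelope = {n: _commit(n, v, s) for n, (v, s) in openings.items()}
    return envelope, openings

def disclose(openings, names):
    """Build a message that opens only the named fields."""
    return {n: {"value": openings[n][0], "salt": openings[n][1].hex()}
            for n in names}

def verify(envelope, disclosed):
    """Return the disclosed values, or raise ValueError on a bad opening."""
    values = {}
    for name, opening in disclosed.items():
        expected = envelope.get(name)
        actual = _commit(name, opening["value"], bytes.fromhex(opening["salt"]))
        if expected is None or not hmac.compare_digest(expected, actual):
            raise ValueError(f"opening for field {name!r} does not match envelope")
        values[name] = opening["value"]
    return values

def vendor_exchange():
    """The vendor query from Section 3: payment status and remaining supply only."""
    envelope, openings = seal(SAMPLE_BOX)
    message = disclose(openings, ["payment_received", "doses_remaining"])
    return verify(envelope, message)

if __name__ == "__main__":
    print(vendor_exchange())
```

The vendor learns the two fields it asked about and can check them against the sealed envelope, while the patient and drug names stay behind their commitments.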