Privacy-preserving Kidney Donor Exchange


Publisher

Hannover : Technische Informationsbibliothek

Abstract

Kidney exchange enables patients with medically incompatible living donors to still receive a compatible kidney transplant, by finding matches between multiple patient-donor pairs such that these pairs can exchange their donors among each other. Existing kidney exchange systems face significant security challenges, as they neither prevent manipulation of the exchange computation nor adequately protect the sensitive data of patients and donors. In this project, we devised a new model of a privacy-preserving kidney exchange system that protects against these security issues. Our model follows a decentralized approach in that the computation of exchanges is distributed among a set of computing peers. At discrete points in time, the computing peers execute a secure multi-party computation (SMPC) protocol among each other in order to compute a set of exchanges among the patients and donors that are registered with the system. This setup guarantees that a computing peer is neither able to learn any information on the input data of the patients and donors nor to manipulate the computation of exchanges. We developed, implemented, and evaluated five different SMPC protocols for kidney exchange, using different algorithmic approaches. All of them cover all desirable functional requirements discussed with medical transplant experts with respect to the exchange structures, the matching criteria, and the prioritization criteria they support. To evaluate the impact of the run time overhead induced by SMPC and the influence of the different algorithmic approaches on the number of transplants that can be achieved over time, we developed a simulation framework that accounts for the many different parameters that influence the performance of a kidney exchange system (e.g., the interval at which new patients are registered).
We used a real-world data set, which we obtained from the United Network for Organ Sharing (UNOS) in the USA, to simulate both the performance of our model of a privacy-preserving kidney exchange system and the performance of a non-privacy-preserving reference model that mimics the existing centralized kidney exchange systems. Based on these simulations, we were able to show that our approach induces only a small and sometimes even negligible impact on the number of transplants found over time for most parameter combinations that occur in practice. At the same time, it provides significantly stronger security guarantees than the existing centralized systems. This project was carried out between RWTH Aachen University, the University Hospital of RWTH Aachen University, and Stevens Institute of Technology. It was independently funded by the DFG (project number 419340256) and the NSF (grant CCF-1646999).

License

CC BY-NC 3.0 DE