Project Details
Privacy-preserving Kidney Donor Exchange
Applicants
Professor Dr.-Ing. Ulrike Meyer; Dr. Anja Mühlfeld
Subject Area
Security and Dependability, Operating-, Communication- and Distributed Systems
Epidemiology and Medical Biometry/Statistics
Nephrology
Term
from 2020 to 2024
Project identifier
Deutsche Forschungsgemeinschaft (DFG) - Project number 419340256
A kidney donor exchange enables a recipient in need of a kidney transplant who has a living donor who is not compatible with them to exchange that donor with another recipient in the same situation. Such an exchange can take the form of a cross-over exchange between two pairs of recipients and non-matching donors, or of a cyclic exchange among more than two pairs. Living donor exchanges have the potential to substantially increase the number of successful living donations and thus reduce the number of patients who need expensive and painful dialysis treatment while waiting for a compatible post-mortem donation. In many countries, including the US, the Netherlands, and South Korea, such living donor exchanges already take place on a regular basis. However, the unique legal situation in Germany and the high privacy awareness of its society at large make it difficult to carry out such donor exchanges in Germany today.

This proposal outlines a comprehensive research agenda to develop a distributed system that supports finding and selecting exchange structures between donors and recipients in the context of kidney donor exchanges in an automated, privacy-preserving, and fair fashion. In particular, we strive to: (1) develop a system that is distributed among the transplant centers and does not require any central authority or database that stores data about recipients and prospective donors; (2) ensure the privacy of sensitive data in the process of finding compatible donors and recipients by exchanging and computing on data in encrypted form, even while the possible exchange structures are determined. This second goal substantially contributes to ensuring that (3) the system is resistant to manipulation of data to the advantage of a particular recipient. At the same time, the system will ensure (4) fairness of the selection process, taking into account the medical, ethical, and legal situation in Germany.
The correctness, fairness, and security of the technical realization will be ensured by means of suitable cryptographic techniques. This will allow these properties of the system to be (5) rigorously proven, and it will ensure that they can be checked and certified prior to deployment by an independent authority. Finally, the system will include (cryptographic) mechanisms that allow for (6) auditing a deployed system according to audit criteria that will be defined with the help of medical experts and potentially additional regulatory bodies. We address these objectives with an interdisciplinary team including medical experts for kidney transplants from the University Hospital in Aachen as well as computer scientists from the Research Group for IT-Security at RWTH Aachen University. We will also seek feedback and support from the kidney transplant community across Germany. In addition, we plan to collaborate with a mirrored team (funded independently) led by Professor Wetzel at Stevens Institute of Technology, USA.
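As an added illustration (example code written for this page, not code from the DFG project or the RWTH Aachen and Stevens teams): the exchange structures described above, a cross-over between two pairs or a cycle among more than two, are directed cycles in a compatibility graph whose node i has an edge to node j when pair i's donor can give to pair j's recipient. The block below builds that graph for a constructed pool of seven incompatible donor-recipient pairs, enumerates cross-overs and cycles of length up to three, and picks a set of disjoint cycles maximising the number of transplants. The compatibility rule is a simplified assumption (ABO blood-group rule plus a virtual crossmatch on unacceptable HLA antigens), and everything is computed on plaintext; the encrypted computation and the fairness criteria the project aims for are deliberately not modelled.

```python
"""Added example: finding and selecting kidney exchange structures.

Not the project's code. Computes on plaintext; compatibility is a simplified
model (assumption): ABO rule plus a virtual crossmatch that rejects a donor
carrying any HLA antigen the recipient lists as unacceptable.
"""
from dataclasses import dataclass

# ABO rule: recipient blood groups a donor of a given group may give to.
ABO_COMPAT = {
    "O": {"O", "A", "B", "AB"},
    "A": {"A", "AB"},
    "B": {"B", "AB"},
    "AB": {"AB"},
}


@dataclass(frozen=True)
class Pair:
    """One recipient together with his or her own (incompatible) living donor."""
    pid: str
    donor_abo: str
    donor_hla: frozenset               # HLA antigens carried by the donor
    recipient_abo: str
    recipient_unacceptable: frozenset  # antigens the recipient has antibodies against


def compatible(donor: Pair, recipient: Pair) -> bool:
    """Simplified check (assumption): ABO rule and no unacceptable antigen."""
    return (recipient.recipient_abo in ABO_COMPAT[donor.donor_abo]
            and donor.donor_hla.isdisjoint(recipient.recipient_unacceptable))


def build_graph(pairs):
    """Edge i -> j means the donor of pair i can give to the recipient of pair j."""
    return {p.pid: sorted(q.pid for q in pairs if q is not p and compatible(p, q))
            for p in pairs}


def find_cycles(graph, max_len):
    """Simple directed cycles of length 2..max_len; a 2-cycle is a cross-over.

    Each cycle is reported once, rooted at its smallest pair id.
    """
    cycles = []

    def walk(start, node, path):
        for nxt in graph[node]:
            if nxt == start and len(path) >= 2:
                cycles.append(tuple(path))
            elif nxt > start and nxt not in path and len(path) < max_len:
                walk(start, nxt, path + [nxt])

    for start in sorted(graph):
        walk(start, start, [start])
    return sorted(cycles, key=lambda c: (len(c), c))


def select_exchanges(cycles):
    """Exhaustively pick pairwise disjoint cycles maximising transplants.

    Fine for a small pool. Ties are broken by enumeration order only; the
    project's fairness criteria are not modelled here.
    """
    best = []

    def extend(i, chosen, used):
        nonlocal best
        if sum(len(c) for c in chosen) > sum(len(c) for c in best):
            best = list(chosen)
        for j in range(i, len(cycles)):
            if used.isdisjoint(cycles[j]):
                extend(j + 1, chosen + [cycles[j]], used | set(cycles[j]))

    extend(0, [], set())
    return best


def plan_exchanges(pool, max_len=3):
    """Graph, candidate cycles and selected cycles for a pool of pairs."""
    graph = build_graph(pool)
    cycles = find_cycles(graph, max_len)
    return graph, cycles, select_exchanges(cycles)


# Constructed sample pool: every pair is incompatible on its own.
POOL = [
    Pair("P1", "A", frozenset({"A2"}), "A", frozenset({"A2", "B7", "A3"})),
    Pair("P2", "A", frozenset({"B7"}), "A", frozenset({"B7", "A1", "A3"})),
    Pair("P3", "A", frozenset({"A1"}), "A", frozenset({"A1", "A2", "A3"})),
    Pair("P4", "A", frozenset({"A3"}), "B", frozenset()),
    Pair("P5", "B", frozenset({"B8"}), "A", frozenset({"A1", "A2", "B7"})),
    Pair("P6", "AB", frozenset({"DR4"}), "O", frozenset()),
    Pair("P7", "B", frozenset({"B8"}), "A", frozenset({"A1", "A2", "B7"})),
]

if __name__ == "__main__":
    g, cs, chosen = plan_exchanges(POOL)
    print("edges:", g)
    print("candidate cycles:", cs)
    print("selected:", chosen, "transplants:", sum(len(c) for c in chosen))
```

On this pool the graph contains one 3-cycle P1 → P2 → P3 → P1 and two cross-overs, P4 ↔ P5 and P4 ↔ P7, which share P4 and therefore cannot both be performed; the selection keeps the 3-cycle plus one cross-over for five transplants and leaves P6 (an AB donor with an O recipient) unmatched. Which of P5 and P7 is left out is decided here purely by enumeration order, and a single changed entry in a recipient's unacceptable-antigen list is enough to add or remove an edge; that is exactly the point at which the proposal's fairness criteria (4) and its manipulation resistance (3), backed by computing on encrypted data, have to act.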
DFG Programme
Research Grants