Secure Ring Signature Scheme for Privacy-Preserving Blockchain

Abstract

Blockchain integrates peer-to-peer networks, distributed consensus, smart contracts, cryptography, etc. It has the unique advantages of weak centralization, anti-tampering, traceability, openness, transparency, etc., and is widely used in various fields, e.g., finance and healthcare. However, due to its open and transparent nature, attackers can analyze the ledger information through clustering techniques to correlate the identities between anonymous and real users in the blockchain system, posing a serious risk of privacy leakage. The ring signature is one of the digital signatures that achieves the unconditional anonymity of the signer. Therefore, by leveraging Distributed Key Generation (DKG) and Elliptic Curve Cryptography (ECC), a blockchain-enabled secure ring signature scheme is proposed. Under the same security parameters, the signature constructed on ECC has higher security in comparison to the schemes using bilinear pairing. In addition, the system master key is generated by using the distributed key agreement, which avoids the traditional method of relying on a trusted third authorizer (TA) to distribute the key and prevents the key leakage when the TA is not authentic or suffers from malicious attacks. Moreover, the performance analysis showed the feasibility of the proposed scheme while the security was ensured.

1. Introduction

Blockchain technology is the underlying technology of Bitcoin, a concept mentioned by Nakamoto [1] in his Bitcoin white paper published in 2008, which has triggered new industrial and technological revolutions and is a popular research area at present. In essence, blockchain is a kind of distributed database [2], and its underlying chain structure is the data blocks arranged in chronological order, which inherits the technologies of smart contracts [3], peer-to-peer networks (P2P) [4], the consensus mechanism [5], cryptography, etc., has the unique advantages of weak centralization, being tamper-proof, traceability, openness, transparency, etc., and is able to realize the direct circulation of value between untrusted nodes without the need for third-party institutions, which not only reduces the trust cost of transactions, but also greatly shortens the interaction time. It is considered as a key technology to realize the transformation of the “information Internet” to the “value Internet” [6].

Blockchain’s technical advantages make it applicable to various domains. One of them is digital currencies, where Bitcoin and its derivatives are expanding fast. According to a 2017 report by ARK Investments, there are more than 10 million Bitcoin users worldwide, with over USD 150-million in daily transactions [7]. In the financial sector, blockchain technology is highly valued by central banks, who design their own digital currencies by applying or studying it. They use blockchain technology to enhance the traditional financial system, which suffers from long delays and low efficiency in reconciliation, clearing, and cross-border settlement, as well as the high costs of maintaining central ledger data. In healthcare, the companies and stakeholders are benefiting from blockchain technology, which helps them streamline business processes, improve patient outcomes, manage patient data, comply with regulations, cut costs, and leverage healthcare-related data more effectively [8]. In the energy sector, blockchain technology, which is based on decentralization, is seen as a game-changing technology for creating distributed energy systems. It offers a decentralized trust mechanism that can be used for distributed energy operations and can help overcome management weaknesses and challenges in distributed energy systems [9]. In the field of cultural industry, the data inerrancy and high trustworthiness of the blockchain industry can be utilized to carry out many businesses such as certificate storage, digital property rights protection, and cultural relic identification. Furthermore, there are other fields such as justice, military, and supply chains that are gradually using blockchain to improve the problems existing in each field.

As blockchain technology continues to develop and become widely used, the privacy leakage concerns confronting it are becoming increasingly noticeable and must be given sufficient attention. While the blockchain mechanism avoids potential failures of individual servers and the exposure of data in terms of data storage, all transactions have to be made public to all nodes in order to reach consensus among the decentralized blockchain nodes. This exposes the privacy of the transactions greatly, and a main challenge is the safeguarding of users’ identity privacy. Identity privacy refers to the connection between a user’s real identity and the blockchain nodes. The blockchain stores data in an unchangeable way as a distributed ledger that any node can access. Transactions on the blockchain are somewhat anonymous, but not completely secure against privacy breaches. With advanced computing techniques, an attacker can track and analyze the correlation of public data in a global ledger to reveal sensitive information. For example, if there are consistent and correlated transactions, an attacker can extract some user characteristics using a graph of transactions between different addresses [10]. Moreover, an attacker can search all possible transactions to obtain the transaction addresses and estimate the balances, which can help to infer the user’s identity and location [11]. Cryptography is the prevalent method for privacy protection among researchers. Therefore, it should be combined with blockchain technology to offer a suitable solution for the blockchain’s privacy issue and guarantee the safety of users’ data.

A common security technique in blockchain systems is to use digital signatures to check the integrity of a document or a message. This ensures non-repudiation. The ring signature scheme [12] is a special type of group signature [13], which uses a group of L in a user’s private key and L in all the users’ public keys to complete the signature; the signature of the verifier can only verify that the signature comes from the group, but who signed the name is unknown. The ring signature does not need a trusted center and can hide the identity of the signer, which protects the user’s privacy. Considering its features, the scheme can be applied to anonymous payment applications or untraceable transactions and also to other scenarios that require privacy protection, such as elections, voting, and identity verification. Therefore, we propose a new privacy protection scheme by combining the ring signature algorithm and blockchain technology. However, the key generation link of traditional ring signature algorithms requires a secret key management center, which will face the risk of key leakage and increase the probability of attackers forging ring signatures. Moreover, most of the ring signatures are constructed based on bilinear pairing, and the computational complexity is usually high, which may lead to longer signing and verification time. It also lacks security. In order to improve the efficiency and security of ring signatures, we also made a new design of the scheme.

To solve the above-mentioned issues in the blockchain system, this paper studied and analyzed the related ring signature schemes and designed a new ring signature scheme suitable for the blockchain environment by using the anonymity feature of the ring signature. The scheme is based on Shamir verification secret sharing theory [14] and the Feldmanprotocol [15]; the key generation link in the scheme was improved, and the main body of the scheme adopted the elliptic curve cryptography principle.

The main contributions of the paper are stated as follows:

• The algorithm exploits the concept of distributed key generation to create a system master key, which enhances the process of distributing the key by a trusted authorizer (TA) in traditional signature algorithms and eliminates the risk of key leakage when the TA is untrustworthy or subjected to malicious attacks.
• This scheme is a ring signature constructed based on ECC, which provides better security with the same length of key compared to the scheme based on bilinear pairing. This algorithm strengthens the signature’s unforgeability, which reduces the attackers’ probability of succeeding in cracking the key.
• This scheme improves the efficiency of ring signature generation and verification and is more compatible with the environment of blockchain systems.

The rest of this paper is organized as follows. In Section 2, we review different blockchain privacy-preserving schemes. In Section 3, we provide some preliminary concepts, including general ring signature algorithms and security model definitions. Section 4 describes the algorithms and system models of secure ring signature schemes. Section 5 proves the security of the proposed scheme, and Section 6 gives the efficiency and performance comparison of the signature schemes. Finally, the paper is summarized in Section 7.

2. Related Works

Blockchain technology faces challenges in its development in existing industries due to privacy breaches and other security issues. To protect users’ identity privacy in blockchain, different schemes have been suggested to increase the anonymity level. In order to resist the book analysis technique, researchers propose a defense mechanism for exchanging assets and obfuscating addresses, i.e., the address obfuscation mechanism, in response to the assumptions on which the technique is based. In 2014, Bonneau et al. [16] proposed the Mixcoin protocol, which enhances asset security through an electronic-signature-based commitment mechanism. In 2015, Valenta et al. [17] proposed the Blindcoin protocol, which guarantees the internal privacy of centralized hybrid coin schemes by using blind signature techniques. In 2018, Ziegeldorf et al. [18] proposed CoinParty; it occupies a unique position in the design space of hybrid services by decrypting the novel combination of hybrid nets and threshold signatures, combining the advantages of previously proposed centralized and decentralized hybrid services into a single system. The address obfuscation mechanism can protect the privacy of the ledger to a certain extent; however, the result of address obfuscation will still be stored in the public ledger, and an attacker can threaten user privacy to a certain extent by analyzing the obfuscated transactions with features.

Ledger information hiding mainly preserves the confidentiality of the ledger by encrypting the private data in the ledger and provides “credentials” through cryptographic techniques to keep the correctness of the blockchain ledger verifiable. Most of the existing techniques for the implementation of the ledger-information-hiding mechanism belong to zero-knowledge proof techniques [19], which means that zero-knowledge proofs do not convey any proof of knowledge other than the correctness of the proposition under discussion. Li et al. [20], based on the ring-zero-proof-of-knowledge and blockchain technology, proposed a secure and efficient fair transaction mechanism for a sharing environment. The mechanism utilizes ring-zero-knowledge proofs to hide transaction contents and relationships without affecting authentication by adding a new trusted player. However, zero-knowledge proofs have a high computational cost and storage space, require the use of complex cryptographic algorithms and a large number of data structures, and may affect the performance and scalability of blockchain systems.

Ring signature schemes allow participants to sign messages with the group name and preserve the confidentiality of the signer’s identity from disclosure. The ring signature technique has two main features: first, any member of the group can issue the correct signature alone; second, any member of the group only knows whether he or she has initiated the signature, and members outside the group only know whether the signer belongs to the group. A higher level of privacy is achieved by VOTOR, a practical remote voting scheme that uses product anonymization channels and linkable ring signatures. It was proposed by Thomas et al. [21]. An information sharing system that ensures the confidentiality of applicants was created by Patil et al. [22] using an ID-based ring signature technique. They removed the certificate validation process to make the system secure and reliable. A new ring signature scheme based on elliptic curves was proposed by Li et al. [23], which improves the signature unforgeability and anonymity compared with the traditional ring signature scheme. Wang et al. [24] proposed a flexible threshold ring signature scheme in chronological order, which in practice has the advantage of solving both the update problem and the chronological order problem. In addressing the difficulty of sharing medical records between healthcare organizations, Lai et al. [25] introduced a secure medical-data-sharing scheme based on traceable ring signatures and blockchain. Samra et al. [26] proposed a new framework, a certificate-less aggregation scheme based on traceable ring signatures (CLA-TRS), which ensures conditional privacy-preserving authentication in vehicular ad-hoc network (VANET) communications.

Table 1. Comparison of ring signature schemes.

Scheme	Scenario	Techniques	Advantages	Drawbacks
[21]	Vote	Bilinear Hash Anonymous- channel	Linkable Practical	Relies on trusted center Lack of efficiency analysis
[22]	Cloud computing	Bilinear Hash ID-based	Simplified management High efficiency	Relies on trusted center Does not support key revocation and update
[23]	Blockchain	ECC Hash	Improves unforgeability Improves anonymity	Lack of efficiency analysis Relies on trusted center
[24]	Edge computing	Bilinear Hash Threshold	Flexible Renewable	Relies on trusted center Lack of efficiency comparison of related schemes
[25]	Medical sharing	Bilinear Hash DKG	Traceable Controllable	High computational cost
[26]	VANET	Bilinear Hash ECC	Traceable High efficiency	Relies on trusted center

summarizes the application scenarios, techniques, advantages, etc., of the above schemes. It can be seen that most of the above schemes are based on bilinear pairing construction, and their security needs to be improved. Moreover, most of them rely on a trusted key generation center (KGC), which cannot avoid attacks and reduces the difficulty of forging signatures.

3. Preliminaries

In this context, we will present some preliminary knowledge including elliptic curves, difficult assumptions, and the general ring signature algorithm and its security models below.

3.1. Elliptic Curve

An elliptic curve is not an ellipse; it is called an elliptic curve because the equation for the curve is similar to the equation for calculating the perimeter of an ellipse. In general, the curve equation of an elliptic curve is a cubic equation of the following form:

$$y^2+axy+by=x^3+c{x}^2+dx+e,$$

where $a,b,c,d$, and e are real numbers satisfying some simple conditions.

Elliptic curves over finite fields are commonly used in cryptography, which refers to the curve defined by Equation (1) in which all coefficients are elements in a finite field $GF\left(q\right)$, where q is a large prime number. The most-commonly used of these is the curve defined by Equation (2):

$$y^{2}modq=(x^3+ax+b)modq,$$

where $a,b\in GF\left(q\right)$ and $△=(4a^3+27b^2)$ mod $q\ne 0$.

An elliptic curve is symmetric with respect to the X-axis, and the addition operation on it is defined as follows: if three points lie on the same line, the sum of them is O. Addition on an elliptic curve is defined as follows:

• O is the additive identity element, that is, for any point P of the elliptic curve, $P+O=P$.
• Let $P_1=(x,y)$ be a point on an elliptic curve whose additive inverse element is defined as $P_2=P_1=(x,y)$. This is because, when the connection of $P_1$ and $P_2$ is extended to infinity, another point O on the elliptic curve is obtained, that is the three points $P_1,P_2$, and O on the elliptic curve are collinear, so $P_1+P_2+O=O$, $P_1+P_2=O$, that is $P_2=-P_1$.
• Let $P=(x_p,y_p),Q=(x_q,y_q)$ and $P\ne -Q$, then $R=P+Q=(x_r,y_r)$ is determined by the following rule:

  $$x_r\equiv ({\lambda }^2-x_p-x_q)modq,$$

  (1)

  $$y_r\equiv ({\lambda }^2(x_p-x_r)-y_p)modq,$$

  (2)

  where

  $$\lambda =\left\{\begin{array}{c}\hfill \frac{y_q-y_p}{x_q-x_p}modq,ifP\ne Q\\ \hfill \frac{3x_p^2+a}{2y_p}modq,ifP=Q\end{array}\right.$$

  (3)
• The multiple of a point P is defined as $2P=P+P$.

3.2. Problem Assumptions

Definition 1.

Elliptic curve discrete logarithm problem (ECDLP): Given any two points P, Q on an elliptic curve $E\left(F_p\right)$, solving for the value x satisfying the equation $Q=x·P$ is unsolvable in polynomial time.

3.3. Ring-Signature-Generation Algorithm

The ring signature is a unique type of group signature that uses a set of public keys instead of one. It hides the identity of the actual signer from the verifier. Unlike other group signatures, ring signatures do not require a manager or any coordination among the members. The basic ring signature has three components: KeyGen(), Sign(), and Verify():

• KeyGen(): This algorithm needs to input a security parameter l and, then, generate a key pair $(pk,sk)$ for each user, where $pk$ is the public key and $sk$ is the private key.
• Sign(): This algorithm takes the message m, which needs to be encrypted, the private key $sk$ of a ring member, and the public key set $L=\{p{k}_1,p{k}_2,\cdots ,p{k}_n\}$ of the selected ring members and generates a signature $\sigma$ for the message m. One of the parameters in the signature $\sigma$ follows a ring according to certain rules.
• Verify(): This algorithm is a deterministic algorithm, which takes the public key set $L=\{p{k}_1,p{k}_2,\cdots ,p{k}_n\}$, the message m, and the signature $\sigma$ as the input and outputs “accept” if the verification passes and “reject” otherwise.

3.4. Security Models

The ring signature scheme is supposed to satisfy the requirements of correctness, unconditional anonymity, and unforgeability.

3.4.1. Game I Correctness

The output of the ring-signature-generation algorithm serves as the input for the ring signature verification algorithm, which always outputs acceptance. The unforgeability and unconditional anonymity of a ring signature scheme are defined by a game between a simulator $\mathcal{R}$ and an adversary $\mathcal{A}$. To begin with, we introduce $\mathcal{A}$’s inquirable oracle machines JO, CO, and SO:

• Join oracle machine (JO(⊥) →$PK$): With this query, a new user is added to the system and the public key $PK$ of the new user is output.
• Corruption oracle machine (CO($P{K}_i$) →$s{k}_i$: The user’s public key $P{K}_i$ is input, and the corresponding private key $s{k}_i$ is output.
• Signed oracle machine (SO($m,n,L,PK$) →$\sigma$): Input signed message m, and set $L=\{P{K}_1,P{K}_2,\cdots ,P{K}_n\}$ of public keys of size n; the signer’s public key $P{K}_{\pi }$$(1\le n\le \pi )$ returns a valid ring signature $\sigma$.

The definition of the general ring signature and the ring signature defined in this paper contains four basic algorithms: system initialization algorithm, key-generation algorithm, ring signature generation, and ring signature verification. The key point is that the general ring signature puts forward more-specific requirements for the signature-value-generation process: Given a message M, the public key ($P{K}_1,P{K}_2,\cdots ,P{K}_n$) of n members, the signer’s private key $s{k}_{\pi }(1\le \pi \le n)$, and a secure hash function, produce a set $r_1,r_2,\cdots ,r_n,h_1,h_2,\cdots ,h_n$, and finally, output the signature value $\sigma$, where $r_i\ne r_j,i\ne j,h_i(1\le i\le n)$ are the hash values determined by $m,r_i(1\le i\le n)$ and the public keys of the ring members, the signature value $\sigma$ is completely determined by $r_1,r_2,\cdots ,r_n,h_1,h_2,\cdots ,h_n$, and message m is decided.

3.4.2. Game II Unforgeability

The unforgeability of a ring signature is defined by the following game between a simulator $\mathcal{R}$ and an adversary $\mathcal{A}$:

• $\mathcal{R}$ generates the system parameters params and sends them to $\mathcal{A}$.
• $\mathcal{A}$ adaptively queriesoracles JO, CO, and SO and random oracles $\mathcal{H}$.
• $\mathcal{A}$ outputs a signature message $M^{*}$, a set $S^{*}$ consisting of n user public keys, and two forged signature values ${\sigma }_0^{*}$, ${\sigma }_1^{*}$.

$\mathcal{A}$ is said to have won the above game if the following four conditions are met:

Step 1: ${\sigma }_0^{*}$, ${\sigma }_1^{*}$ are valid ring signatures on the message $M^{*}$, that is RVerify($M^{*}$, $S^{*}$, ${\sigma }_i^{*}$), ($i\in \{0,1\}$) → accept.

Step 2: All public keys in $S^{*}$ are obtained by querying the oracle JO.

Step 3: All the public keys in $S^{*}$ are not corrupted, that is the adversary cannot obtain the private keys of any ring member in $S^{*}$.

Step 4: ${\sigma }^{*}$ is not obtained by querying the signed oracle machine SO.

A ring signature scheme is said to be unforgeable if, for any PPT adversary $\mathcal{A}$, the probability of winning the above game is negligible.

3.4.3. Game III Unconditional Anonymity

The unconditional anonymity of a ring signature scheme is defined by a game between a simulator $\mathcal{R}$ and an adversary $\mathcal{A}$ with infinite computational power as follows:

• $\mathcal{R}$ generates the system parameters params and sends them to $\mathcal{A}$.
• $\mathcal{A}$ can adaptively query join oracle machine JO.
• $\mathcal{A}$ sends a signature message $M^{*}$ and a set $S^{*}=P{K}_1,P{K}_2,\cdots ,P{K}_n$ consisting of public keys of n users to $\mathcal{R}$, where all public keys are obtained by the JO query. $\mathcal{R}$ randomly selects $\pi \in \{1,2,\cdots ,n\}$ and computes a signature ${\sigma }_{\pi }=Sign(M^{*},n,S^{*},s{k}_{\pi })$, where $s{k}_{\pi }$ is the private key corresponding to $P{K}_{\pi }$. Finally, $\mathcal{R}$ sends ${\sigma }_{\pi }$ to $\mathcal{A}$.
• $\mathcal{A}$ outputs a guess ${\pi }^{\prime }\in \{1,2,\cdots ,n\}$.

A ring signature is said to satisfy unconditional anonymity if, for an adversary $\mathcal{A}$ with infinite computing power, the probability of guessing the correct signer $\pi$ is at most $\frac{1}{n}$, where n is the cardinality of the public key set S.

4. Secure Ring Signature Scheme

In this section, a secure blockchain ring signature scheme is proposed by incorporating the idea of distributed key generation. The following is a detailed description of the system model and the signature algorithm.

4.1. System Description

The system model is shown in Figure 1 and contains entities such as the group users, the distributed generation center KDC, and the blockchain network. The purpose of the KDC here is to generate the system parameters, validate and manage the cluster personnel, and verify the signature. The specific scheme is described as follows:

Step 1: The KDC picks the security parameter l and generates the system parameters for the signature.

Step 2: The user $A_{\pi }$ applies to the KDC to become a member of the group; $A_{\pi }$ sends $I{D}_{\pi }$ to the KDC; the KDC passes the verification, returns $Q_{\pi }$, and adds the user $A_{\pi }$ to the group; the user completes the registration.

Step 3: The member $A_{\pi }$ interacts with other group members $A_i$ ($i=1,2,\cdots ,n,i\ne \pi$) through a secure channel to generate the system’s master private key and master public key.

Step 4: The member $A_{\pi }$ signs the data message m to generate signature ${\sigma }_{\pi }$.

Step 5: All KDCs in the blockchain system verify the signature ${\sigma }_{\pi }$ and upload the data information and signatures to the blockchain database after verification.

Miner nodes in the blockchain network pack the set of transactions for a period of time and then continuously calculate the random numbers that meet the conditions to construct blocks that meet the predefined conditions for confirming the transactions. The KDCs mentioned in this paper can be considered as miner nodes, also known as full nodes, and users as regular nodes. Full nodes act as servers in the distributed network, and they maintain consensus rules among other nodes, as well as transaction validation. Ordinary nodes retain some of the information on the block. After the group users sign the data information, all KDCs verify the signatures and upload them into the blockchain network.

4.2. Algorithm Description

4.2.1. Setup Algorithm

The system server selects security parameters l and randomly picks a large prime number $q>l$. G is a base point on the elliptic curve. Let $G_1$ be an additive group of order q generated by the generating element P. The hash functions are: $H_0:{\{0,1\}}^{*}\to E\left(F_q\right),H_1:{\{0,1\}}^{*}\to Z_q^{*},H_2:{\{0,1\}}^{*}\times G_1\to Z_q^{*},H_3:{\{0,1\}}^{*}\to G_1$. N represents the number of authorized users; $\{q,G,G_1,H_0,H_1,H_2,H_3,N\}$ is the public parameter. When the system parameters are determined, every authorized user $A_i,(i=1,2,\cdots N)$ picks a random polynomial of degree $\mathit{N}-1$, $f_i\left(x\right)=a_{i0}+a_{i1}x+a_{i2}{x}^2+\cdots +a_{i(N-1)}{x}^{(N-1)}$ over $Z_q^{*}$, where $f_i\left(0\right)=a_{i0}$. Each $A_i$ computes and broadcasts $T_{ij}=P^{a_{ij}}\left(modq\right)(j=0,1,\cdots ,N-1)$. Meanwhile, every authorized user $A_i$ transmits the calculated secret value $s_{ik}=f_i\left(k\right)$ through a secure channel to the other $A_k=(k=0,1,2,\cdots ,N-1,k\ne i)$ in the group. After that, every $A_k$ receives the secret value $s_{ik}$ and determines if it is correct by using the formula $P^{s_{ik}}\stackrel{?}{=}{\displaystyle \prod _{j=0}^{N-1}}{\left(T_{ij}\right)}^{i^j}\left(modq\right)$. If the equation is not satisfied, the secret value is wrong, and $A_k$ sends an error message to $A_i$, who has to resend the right secret value until the equation holds. Then, the master key $S={\displaystyle \sum _{i=1}^{N-1}}{b}_{i0}\left(modq\right)$ and the master public key $P_0=S·P$ are established by the N authority members.

4.2.2. Key Generation

For each authorized signer of the system, $A_i$ transmits its identity information $I{D}_i$ to the KDC. Then, the KDC randomly selects $k_i\in Z_q^{*}$, computes $Q_i=H_3(I{D}_i\left|\right|k_i)$, and secretly transmits it to $A_i$ over a secure channel. Next, signer $A_i$ computes $D_i=S·Q_i$, randomly picks $x_i\in Z_q^{*}$, and computes its private key $s{k}_i=H_2(x_i·D_i)$ and public key $p{k}_i=s{k}_i\ast G$.

4.2.3. Signature Generation

Assuming that the signature user in the system is $\pi$, the public key is $p{k}_{\pi }=s{k}_{\pi }\ast G$, and the private key is $s{k}_{\pi }=H_2(x_{\pi }·D_s)$. Choose a set $L=\{I{D}_1,I{D}_2,\cdots ,I{D}_n\}$ consisting of n identities of other authorized users of the system, and if the public key $p{k}_{\pi }$ of the system is not in L, assign the attribute values $Y_i,A_i$ for each public key $p{k}_i$ as follows:

Step 1: Randomly chose $v_i,t_i,r_i\in Z_q^{*}$, and compute:

$$Y_i=\left\{\begin{array}{cc}(v_i+t_i)\ast G,\hfill & ifi=\pi \hfill \\ (t_i+r_i)\ast p{k}_i+v_i\ast G\hfill & ifi\ne \pi \hfill \end{array}\right.$$

(4)

$$A_i=\left\{\begin{array}{cc}(v_i+t_i)\ast H_0\left(p{k}_i\right),\hfill & ifi=\pi \hfill \\ v_i\ast H_0\left(p{k}_i\right)+(t_i+r_i)\ast I_{\pi }\hfill & ifi\ne \pi \hfill \end{array}\right.$$

(5)

where: $I_{\pi }=s{k}_{\pi }\ast H_0(p{k}_{\pi })$ is a message signature image that prevents double-spending attacks in the system. It is obtained by mapping $p{k}_i$ to a curve point in the finite field using $H_0\left(p{k}_i\right)$.

Step 2: Randomly select $s\in Z_q^{*}$, and then, calculate:

$$h=H_2\left(m\right|\left|s\right).$$

(6)

$$\begin{array}{c}\hfill c_i=\left\{\begin{array}{cc}{H}_1(h,Y_1,\cdots ,Y_n,A_1,\cdots ,A_n)-{\displaystyle {\sum }_{i=1,i\ne \pi }^n}{c}_i\hfill & ifi=\pi \hfill \\ t_i+r_i\hfill & ifi\ne \pi ,\hfill \end{array}\right.\end{array}$$

(7)

$$\begin{array}{c}\hfill d_i=\left\{\begin{array}{cc}(v_i+t_i)-c_i\ast s{k}_i\hfill & ifi=\pi \hfill \\ v_i,\hfill & ifi\ne \pi \hfill \end{array}\right.\end{array}$$

(8)

where: m stands for the content of the signature, and the final output of the transaction initiator $\pi$’s ring signature for the message m is $\sigma =(I_{\pi },c_1,c_2,\cdots ,c_{\pi },\cdots ,c_n,d_1,d_2,\cdots ,d_{\pi },\cdots ,d_n)$.

4.2.4. Verify

The following steps can be used to verify the transaction signature $\sigma$ by anyone who possesses the public keys of all the members in the ring signature.

$$\left\{\begin{array}{c}{\zeta }_i=c_i\ast p{k}_i+d_i\ast G\hfill \\ {\eta }_i=c_i\ast I_{\pi }+d_i\ast H_0\left(p{k}_i\right)\end{array}\right.$$

(9)

$${\displaystyle \sum _{i=1}^n}{c}_i=H_1(h,{\zeta }_1,{\zeta }_2,\cdots ,{\zeta }_n,{\eta }_1,{\eta }_2,\cdots ,{\eta }_n)$$

(10)

Compute ${\zeta }_i,{\eta }_i$ using Equation (9), and check if Equation (10) holds. If it does, the signature image $I_{\pi }$ in the signature is not used, and the signature is valid. If it does not, the signature image $I_{\pi }$ is used and the signature is invalid.

5. Security Analysis

5.1. Correctness Analysis

The verifier checks the transaction signature $\sigma$ using Equation (10), and if it holds, the signature is valid. When $i\ne \pi$, the conversion of ${\zeta }_i$ is given as Equation (11) and ${\eta }_i$ is given as Equation (12):

$$\begin{array}{cc}\hfill {\zeta }_i& =c_i\ast p{k}_i+d_i\ast G\hfill \\ \hfill & =(t_i+r_i)\ast p{k}_i+v_i\ast G\hfill \\ \hfill & =Y_i\hfill \end{array}$$

(11)

$$\begin{array}{cc}\hfill {\eta }_i& =d_i\ast H_0\left(p{k}_i\right)+c_i\ast I_{\pi }\hfill \\ \hfill & =v_i\ast H_0\left(p{k}_i\right)+(t_i+r_i)\ast I_{\pi }\hfill \\ \hfill & =A_i\hfill \end{array}$$

(12)

When $i=\pi$, the conversion of ${\zeta }_i,{\eta }_i$ is as follows:

$$\begin{array}{cc}\hfill {\zeta }_i& =c_i\ast p{k}_i+d_i\ast G\hfill \\ \hfill & =c_i\ast p{k}_i+[(v_i+t_i)-c_i\ast s{k}_i]\ast G\hfill \\ \hfill & =v_i\ast G+t_i\ast G\hfill \\ \hfill & =Y_i\hfill \end{array}$$

(13)

$$\begin{array}{cc}\hfill {\eta }_i& =d_i\ast H_0\left(p{k}_i\right)+c_i\ast I_{\pi }\hfill \\ \hfill & =[(v_i+t_i)-c_i\ast s{k}_i]\ast H_0\left(p{k}_i\right)+c_i\ast s{k}_{\pi }\ast H_0\left(p{k}_{\pi }\right)\hfill \\ \hfill & =v_i\ast H_0\left(p{k}_i\right)+t_i\ast H_0\left(p{k}_i\right)\hfill \\ \hfill & =A_i\hfill \end{array}$$

(14)

Therefore, based on the above relationship, the validity of our proposed scheme can be verified according to the following equation.

$$\begin{array}{cc}\hfill & H_1(h,{\zeta }_1,{\zeta }_2,\cdots ,{\zeta }_n,{\eta }_1,{\eta }_2,\cdots ,{\eta }_n)\hfill \\ \hfill & =H_1(h,Y_1,Y_2,\cdots ,Y_{\pi },\cdots ,Y_n,A_1,A_2,\cdots ,A_{\pi },\cdots ,A_n)\hfill \\ \hfill & =c_{\pi }+{\displaystyle \sum _{i=1,i\ne \pi }^n}{c}_i\hfill \\ \hfill & ={\displaystyle \sum _{i=1}^n}{c}_i\hfill \end{array}$$

(15)

5.2. Unforgeability Analysis

Theorem 1.

Under a randomized oracle model, the messages m can be chosen adaptively by adversary $\mathcal{A}$ in Game II to attack. If there exists an algorithm that can win the ECDLP game in polynomial time T, then it is shown that the ECDLP hard problem can be broken with a non-negligible probability.

Proof. 

The purpose of challenger $\mathcal{R}$ is to compute the value of a when provided with a random instance of the discrete logarithm problem $(P,aP)$. The challenger $\mathcal{R}$ sets the public key of the signer $U_{*}$ as: $p{k}_{i^{*}}=aP$. In this scenario, $\mathcal{R}$ acts as a subroutine within $\mathcal{A}$ and takes on the role of the challenger in Game II. To simplify the discussion, let us assume that all queries made by the attacker $\mathcal{A}$ are distinct. Next, we elaborate on how the challenger $\mathcal{R}$ deals with $\mathcal{A}$’s query:

Step 1, initialization: The challenger $\mathcal{R}$ proceeds to execute the initialized algorithm with a security parameter of l to obtain the system parameters. Subsequently, these system parameters are transmitted from $\mathcal{R}$ to the adversary $\mathcal{A}$.

Step 2, hash query: This step consists of the challenger $\mathcal{R}$ creating an empty table L, where L holds pairs of two values, such as $(x_i,y_i)$, where the challenger $\mathcal{R}$ randomly selects $y_i$ and sets $H_1\left(x_i\right)=y_i$. When the adversary $\mathcal{A}$ queries $H_1\left(x_i\right)$, $\mathcal{R}$ hands over $y_i$ to $\mathcal{A}$ and appends $(x_i,y_i)$ to list L.

Step 3, public key query: When the adversary $\mathcal{A}$ queries the public key of a user, the challenger $\mathcal{R}$ halts if $s{k}_i=s{k}_{i^{*}}$; otherwise, the challenger $\mathcal{R}$ gives the matching user public key $p{k}_i$ to adversary $\mathcal{A}$.

Step 4, private key query: When the adversary $\mathcal{A}$ queries the private key of a user, if $p{k}_i=p{k}_{i^{*}}$, then $\mathcal{R}$ stops operating, in the absence of this, the $\mathcal{R}$ sends the appropriate user private key $s{k}_i$ back to adversary $\mathcal{A}$.

Step 5, ring signature query: The adversary $\mathcal{A}$ transmits information m and a public key collection L of N users to $\mathcal{R}$, which returns a corresponding signature $\sigma$. Suppose there is a user identity $p{k}_{\pi }\in L$ such that $p{k}_s\ne p{k}_{i^{*}}$, then the adversary $\mathcal{A}$ signs the message using $p{k}_{\pi }$ as the real signer and gives the signature $\sigma$. Alternatively, the adversary $\mathcal{A}$ will conduct the next steps:

• Randomly choose $v_i,t_i,r_i,s\in Z_q^{*}$, and compute:

  $$Y_i=\left\{\begin{array}{cc}(v_i+t_i)\ast G,\hfill & ifi=\pi \hfill \\ v_i\ast G+(t_i+r_i)\ast p{k}_{i^{*}}\hfill & ifi\ne \pi \hfill \end{array}\right.$$

  (16)

  $$A_i=\left\{\begin{array}{cc}(v_i+t_i)\ast H_0\left(p{k}_{i^{*}}\right),\hfill & ifi=\pi \hfill \\ v_i\ast H_0\left(p{k}_{i^{*}}\right)+(t_i+r_i)\ast I_{\pi }^{*}\hfill & ifi\ne \pi \hfill \end{array}\right.$$

  (17)

  $$h=H_2\left(m\right|\left|s\right),$$

  (18)

  $$\begin{array}{c}\hfill c_i=\left\{\begin{array}{cc}{H}_1(h,Y_1,\cdots ,Y_n,A_1,\cdots ,A_n)-{\displaystyle {\sum }_{i=1,i\ne \pi }^n}{c}_i\hfill & ifi=\pi \hfill \\ t_i+r_i\hfill & ifi\ne \pi \hfill \end{array}\right.\end{array}$$

  (19)

  $$\begin{array}{c}\hfill d_i=\left\{\begin{array}{cc}(v_i+t_i)-c_i\ast s{k}_{i^{*}}\hfill & ifi=\pi \hfill \\ v_i,\hfill & ifi\ne \pi \hfill \end{array}\right.\end{array}$$

  (20)
• The ring signature is given as ${\sigma }^{*}=(I_{\pi }^{*},c_1,c_2,\cdots ,c_{\pi }^{*},\cdots ,d_1,d_2,\cdots ,d_{\pi }^{*},\cdots ,d_n)$.

Step 6, forgery: At last, the adversary $\mathcal{A}$ provides the signer $p{k}_{i^{*}}$ with a signature with different information $m^{*}$. This same result can be obtained by the challenger $\mathcal{R}$, while both signatures $\sigma$ and ${\sigma }^{*}$ are valid: $\sigma =(I_{\pi },c_1,c_2,\cdots ,c_{\pi },\cdots ,d_1,d_2,\cdots ,d_{\pi },\cdots ,d_n)$, ${\sigma }^{*}=(I_{\pi }^{*},c_1,c_2,\cdots ,c_{\pi }^{*},\cdots ,d_1,d_2,\cdots ,d_{\pi }^{*},\cdots ,d_n)$.

The challenger $\mathcal{R}$ returns the value corresponding to the private key $a=s{k}_{\pi }$.

Hence, the adversary $\mathcal{A}$ for the instantiation $(P,aP)$ can be found for $a=s{k}_{\pi }$, which means that the ECDLP is solved. □

Assuming that $\mathcal{A}$ can forge valid ring signatures with a non-negligible probability, there exists an algorithm $\mathcal{R}$ that addresses the ECDLP in polynomial time. However, the ECDLP is known to be hard, so the probability of forging the ring signatures in our scheme will be negligible with a random oracle model. For the ring signature $\sigma =(I_{\pi },c_1,c_2,\cdots ,c_{\pi },\cdots ,d_1,d_2,\cdots ,d_{\pi },\cdots ,d_n)$, the adversary needs to obtain the signer’s private key in the computation even if the adversary randomly selects $v_i,t_i,r_i$ to forge $Y_i,A_i,Y_{\pi },A_{\pi }$, and $d_{\pi }$. In the proposed scheme, the user’s public and private keys are calculated from the system’s master key pair, which is jointly generated by the authorized user group according to the distributed key-generation algorithm and is not issued by the trusted third party. Therefore, there is no third-party attack, so the user’s public and private keys are safe. Without knowing the key, it is infeasible to compute the key image $I_{\pi }=s{k}_{\pi }{H}_0\left(p{k}_{\pi }\right)$, so an attacker cannot create the signature $\sigma$. Therefore, the scheme in this paper is unforgeable.

5.3. Unconditional Anonymity

Theorem 2.

In the signature scheme proposed in this paper, the signer has unconditional anonymity, i.e., for any algorithm $\mathcal{T}$, any participant ensemble $L=p{k}_1,p{k}_2,\cdots ,p{k}_n$, and any $p{k}_{\pi }\in L$, the probability $P_r[pk=p{k}^{\prime }]$ is always $\frac{1}{2}$, where the signer of π creates a ring signature: $\sigma =(I_{\pi },c_1,c_2,\cdots ,c_{\pi },\cdots ,d_1,d_2,\cdots ,d_{\pi },\cdots ,d_n)$.

Proof. 

Step 1: The challenger $\mathcal{R}$ computes the system parameters and gives them to the adversary $\mathcal{A}$.

Step 2: The adversary $\mathcal{A}$ performs polynomially restricted ring signature queries adaptively.

Step 3: The adversary $\mathcal{A}$ outputs a message m, two different public keys $p{k}_1,p{k}_2$ selected from the set of public keys L consisting of authorized users in the challenge phase, and delivers all of this information to $\mathcal{R}$. Next, $\mathcal{R}$ randomly chooses one of the two public keys to generate the ring signature and transmits the ring signature $\sigma =(m,L,s{k}_u)$ to the adversary $\mathcal{A}$.

Step 4: The adversary $\mathcal{A}$ performs polynomially restricted ring signature queries adaptively.

Step 5: Finally, the adversary $\mathcal{A}$ gives a public key $p{k}^{\prime }\in \{0,1\}$.

Step 6: The adversary $\mathcal{A}$ succeeds in this game if and only if $pk=p{k}^{\prime }$.

The output signature cannot be seen by any third party until the signer has voluntarily disclosed all information himself/herself. In the ring signature generation, the signer computes the $Y_i$ and $A_i$ values needed to obtain $c_i$ and $d_i$ by randomly picking the corresponding $t_i,v_i,r_i\in Z_q^{*}$ and also obtains the private key by randomly choosing $x_i\in Z_q^{*}$ and computing $s{k}_i=H_2(x_i·D_i)\in Z_q^{*}$. Therefore, the ring signature $\sigma$ is uniformly distributed in G. The chance that a non-member can guess the real signer is at most $1/(n+1)$, and the chance that a member of the ring group can guess the real signer is at most $1/n$, so the ring signature scheme meets unconditional anonymity. □

6. Performance Evaluation

In this section, the computational efficiency of the secure ring signature scheme based on distributed key generation proposed in this paper is analyzed. To achieve a credible security level, we adopted the experiment that has been performed for the computation evaluation in [25]. The experimental environment was: an i58500$CPU$@3.00$GHz$, 8$GBRAM$ on an HP desktop, based on the Windows 10 operating system, under the Eclipse development environment, using JAVA Version 1.8.0 and JPBC Version 2.0.0 for the implementation, which uses the library Type A class curves to construct symmetric prime-order bilinear groups and performs Type A pairing on the super-singular elliptic curve E. The equation $y^2\equiv x^3+x$ mod p defines E, where $p\equiv 3$ mod 4, the embedding degree is two, and the order of $G_1$ is q. The order of the group is 512 bit, and the order of the Galawa domain is 160 bit. The signatures of our scheme in the cryptographic operations can be found in

Table 2. Notations of cryptography operation.

Notation	Crypto-Operation
$S{M}_E$	ECC-based scalar multiplication operation.
$A_E$	ECC-based point addition operation.
$H_P$	Map-to-point operation.
H	One-way hash function operation, which is negligible.
M	Multiplication operation.
P	Bilinear pair operation.
E	Exponential calculation time.

. We define the execution time of some notations of the cryptography operations in milliseconds (ms) in

Table 3. Cryptography operations’ time in milliseconds.

Cryptography Operation	${\mathit{T}}_{{\mathbf{SM}}_{\mathit{E}}}$	${\mathit{T}}_{{\mathit{A}}_{\mathit{E}}}$	${\mathit{T}}_{{\mathit{H}}_{\mathit{P}}}$	${\mathit{T}}_{\mathit{M}}$	${\mathit{T}}_{\mathit{P}}$	${\mathit{T}}_{\mathit{E}}$
Execution time (ms)	1.7090	0.0075	4.406	0.042	5.071	8.31

.

In our proposed scheme, the user signature requires the ECC-based scalar multiplication operation, a hash operation mapping to points on elliptic curves, a multiplication operation, and a one-way hash operation mapping to a finite field of prime numbers, with the last one having negligible computational overhead. Therefore, the computational overhead of generating a signature is:

$$T_{Sign}=(4n-2)T_{S{M}_E}+(2n-1)T_{H_P}+T_M$$

The signature verification process of this program mainly requires the ECC-based scalar multiplication operation. Thus, the computational cost is:

$$T_{Verify}=4n{T}_{S{M}_E}$$

The signature communication cost is $(2n+1)L$, where L is the bit length of the group $G_1$, based on the signature-generation phase of our scheme. This shows that the signature length increases linearly with the number of users.

To conclude, the time consumption of the three different ring signature schemes in the signature-generation and signature-verification steps is summarized in

Table 4. Efficiency analysis of ring signature algorithms.

Algorithm	Signature Generation	Signature Verification
[27]	$6n{T}_P+4n{T}_E$	$n{T}_E+2n{T}_P$
[28]	$(2n-1)T_M+4n{T}_E$	$2n{T}_E+2TP$
[25]	$(4n-1)T_M+(4n+6)T_E$	$n{T}_E+2T_P$
Ours	$(4n-2)T_{S{M}_E}+(2n-1)T_{H_P}+T_M$	$4n{T}_{S{M}_E}$

. It was observed that our scheme took less time than the other schemes, both in the signature-generation phase and the signature-verification phase. This indicates that our signature scheme possesses higher signing and verification efficiency.

7. Conclusions

To address the privacy leakage problem faced by users in blockchain systems, this paper proposes a ring signature scheme suitable for blockchain. The design of the scheme is based on the elliptic curve cryptography and distributed key generation ideas. First of all, by generating the system master key through the DKG, the risk of key leakage when a trusted authorizer (TA) is attacked can be effectively reduced. Furthermore, the security analysis of the ring signature showed that the scheme enhances the unforgeability and anonymity of the signature. Under the same security parameter length, the elliptic-curve-based ring signature design is more secure than the traditional bilinear pairing design. Finally, by comparing with related signature schemes, our scheme had a shorter signature generation and verification time and higher efficiency. In view of the problem of the efficiency and communication overhead of the scheme increasing with the increase of the users, we will study the aggregation scheme of the ring signature in the future to improve the verification and communication efficiency.