Shi-Feng Sun,Man Ho Au,Joseph K. Liu,Tsz Hon Yuen

DOI: https://doi.org/10.1007/978-3-319-66399-9_25

2017-01-01

Abstract:In this work, we initially study the necessary properties and security requirements of Ring Confidential Transaction (RingCT) protocol deployed in the popular anonymous cryptocurrency Monero. Firstly, we formalize the syntax of RingCT protocol and present several formal security definitions according to its application in Monero. Based on our observations on the underlying (linkable) ring signature and commitment schemes, we then put forward a new efficient RingCT protocol (RingCT 2.0), which is built upon the well-known Pedersen commitment, accumulator with one-way domain and signature of knowledge (which altogether perform the functions of a linkable ring signature). Besides, we show that it satisfies the security requirements if the underlying building blocks are secure in the random oracle model. In comparison with the original RingCT protocol, our RingCT 2.0 protocol presents a significant space saving, namely, the transaction size is independent of the number of groups of input accounts included in the generalized ring while the original RingCT suffers a linear growth with the number of groups, which would allow each block to process more transactions.

Tsz Hon Yuen,Shifeng Sun,Joseph K. Liu,Man Ho Au,Muhammed F. Esgin,Qingzhao Zhang,Dawu Gu

DOI: https://doi.org/10.1007/978-3-030-51280-4_25

2020-01-01

Abstract:In this paper, we propose the most efficient blockchain ring confidential transaction protocol (RingCT3.0) for protecting the privacy of the sender's identity, the recipient's identity and the confidentiality of the transaction amount. For a typical 2-input transaction with a ring size of 1024, the ring signature size of our RingCT3.0 protocol is 98% less than the ring signature size of the original RingCT1.0 protocol used in Monero. Taking the advantage of our compact RingCT3.0 transcript size, privacy-preserving cryptocurrencies can enjoy a much lower transaction fee which will have a significant impact on the crypto-economy. In addition to the significant improvement in terms of efficiency, our scheme is proven secure in a stronger security model. We remove the trusted setup assumption used in RingCT2.0. Our scheme is anonymous against non-signing users who are included in the ring, while we show that the RingCT1.0 is not secure in this improved model. Our implementation result shows that our protocol outperforms existing solutions, in terms of efficiency and security.

Yanxue Jia,Shi-Feng Sun,Yuncong Zhang,Qingzhao Zhang,Ning Ding,Zhiqiang Liu,Joseph K. Liu,Dawu Gu

DOI: https://doi.org/10.1109/tdsc.2020.2998682

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Ring confidential transaction (RingCT) protocol is widely used in cryptocurrency to protect the privacy of both users' identities and transaction amounts. Most recently, a new RingCT protocol (called RingCT 2.0) was proposed by leveraging cryptographic accumulators, which can achieve a constant-size output theoretically but still far from being practical due to the heavy zero-knowledge associated with the accumulator. In this article, we revisit the design of ring confidential transaction protocol and put forward a more efficient privacy-preserving payment protocol, which is built upon an extended version of one-out-of-many proof and a special multi-signature. Compared with previous works, the new protocol is not only more practical, but also does not suffer from a trusted setup. Besides, we show that the protocol satisfies the security requirements provided that the underlying cryptographic primitives are secure in the random oracle model. We implement our new payment protocol in Java, and the experimental results show that it is efficient enough to be used in practice.

M. Au,Junbin Liang,Liantao Lan,Qiong Huang,Jianye Huang

DOI: https://doi.org/10.3390/info14030160

2023-03-02

Abstract:A ring signature (RS) scheme enables a group member to sign messages on behalf of its group without revealing the definite signer identify, but this also leads to the abuse of anonymity by malicious signers, which can be prevented by traceable ring signatures (TRS). Up until that point, traceable ring signatures have been secure based on the difficult problem of number-theoretic (discrete logarithms or RSA), but since the advent of quantum computers, traditional traceable ring signatures may no longer be secure. Thus Feng proposed a lattice based TRS, which are resistant to attacks by quantum computers. However, that works did not tackle the certificate management problem. To close this gap, a quantum-resistant certificateless TRS scheme was proposed in the study. To the best of our knowledge, this is the first lattice based certificateless TRS. In detail, a specific TRS scheme was combined with the lattice-based certificateless signature technology to solve the certificate management problem while avoid key escrow problem. Additionally, a better zero-knowledge protocol is used to improve the computational efficiency of the scheme, and by reducing the soundness error of the zero-knowledge protocol, the number of runs of the zero-knowledge protocol is reduced, so that the communication overhead of the scheme is reduced. Under random oracle model, the proposed scheme satisfies tag-linkability, anonymity, exculpability and is secure based on the SIS problem and the DLWE problem. In conclusion, the proposed scheme is more practical and promising in e-voting.

Mathematics,Computer Science

Zhen Liu,Khoa Nguyen,Guomin Yang,Huaxiong Wang,Duncan S. Wong

DOI: https://doi.org/10.1007/978-3-030-29959-0_35

2019-01-01

Abstract:First proposed in CryptoNote, a collection of popular privacy-centric cryptocurrencies have employed Linkable Ring Signature and a corresponding Key Derivation Mechanism (KeyDerM) for keeping the payer and payee of a transaction anonymous and unlinkable. The KeyDerM is used for generating a fresh signing key and the corresponding public key, referred to as a stealth address, for the transaction payee. The stealth address will then be used in the linkable ring signature next time when the payee spends the coin. However, in all existing works, including Monero, the privacy model only considers the two cryptographic primitives separately. In addition, to be applied to cryptocurrencies, the security and privacy models for Linkable Ring Signature should capture the situation that the public key ring of a signature may contain keys created by an adversary (referred to as adversarially-chosen-key attack), since in cryptocurrencies, it is normal for a user (adversary) to create self-paying transactions so that some maliciously created public keys can get into the system without being detected .In this paper, we propose a new cryptographic primitive, referred to as Linkable Ring Signature Scheme with Stealth Addresses (SALRS), which comprehensively and strictly captures the security and privacy requirements of hiding the payer and payee of a transaction in cryptocurrencies, especially the adversarially-chosen-key attacks. We also propose a lattice-based SALRS construction and prove its security and privacy in the random oracle model. In other words, our construction provides strong confidence on security and privacy in twofolds, i.e., being proved under strong models which capture the practical scenarios of cryptocurrencies, and being potentially quantum-resistant. The efficiency analysis also shows that our lattice-based SALRS scheme is practical for real implementations.

Xiaohua Wu,Hongji Ling,Huan Liu,Fangjian Yu

DOI: https://doi.org/10.1007/s12083-022-01317-4

2022-03-29

Abstract:The consortium blockchain has three challenges in terms of performance, security, and privacy when adopting the Practical Byzantine Fault Tolerance (PBFT) protocol. The throughput and scalability of consortium blockchain are focused on meanwhile the privacy protection can hardly be ignored. This work proposes a privacy-preserving multi-signature and hierarchical Byzantine consensus protocol. Specifically, the signature combines a ring signature and a Schnorr one to provide three levels of privacy protection. The consensus protocol layers the network nodes into different clusters, which overcomes the shortcomings of PBFT and Schnorr signature. The theoretical analysis proves the security and privacy of the protocol and expounds the application scenarios, and the efficiency evaluation shows that the signature verification speed is 6.28 times faster than the Schnorr scheme, and the consensus in a 250-nodes network is 51.3% faster than the Schnorr-based PBFT consensus.

computer science, information systems,telecommunications

Wenling Liu,Zhen Liu,Khoa Nguyen,Guomin Yang,Yu

DOI: https://doi.org/10.1007/978-3-030-59013-0_18

2020-01-01

Abstract:As a widely used privacy-preserving technique for cryptocurrencies, Stealth Address constitutes a key component of Ring Confidential Transaction (RingCT) protocol and it was adopted by Monero, one of the most popular privacy-centric cryptocurrencies. Recently, Liu et al. [EuroS&P 2019] pointed out a flaw in the current widely used stealth address algorithm that once a derived secret key is compromised, the damage will spread to the corresponding master secret key, and all the derived secret keys thereof. To address this issue, Liu et al. introduced Key-Insulated and Privacy-Preserving Signature Scheme with Publicly Derived Public Key (PDPKS scheme), which captures the functionality, security, and privacy requirements of stealth address in cryptocurrencies. They further proposed a paring-based PDPKS construction and thus provided a provably secure stealth address algorithm. However, while other privacy-preserving cryptographic tools for RingCT, such as ring signature, commitment, and range proof, have successfully found counterparts on lattices, the development of lattice-based stealth address scheme lags behind and hinders the development of quantum-resistant privacy-centric cryptocurrencies following the RingCT approach. In this paper, we propose the first lattice-based PDPKS scheme and prove its security in the random oracle model. The scheme provides (potentially) quantum security not only for the stealth address algorithm but also for the deterministic wallet. Prior to this, the existing deterministic wallet algorithms, which have been widely adopted by most Bitcoin-like cryptocurrencies due to its easy backup/recovery and trustless audits, are not quantum resistant.

Lingyue Zhang,Huilin Li,Yannan Li,Yong Yu,Man Ho Au,Baocang Wang

DOI: https://doi.org/10.1016/j.future.2019.05.081

IF: 7.307

2019-12-01

Future Generation Computer Systems

Abstract:<p>Cryptocurrencies, led by bitcoin launched in 2009, have obtained wide attention in recent years. Anonymous cryptocurrencies are highly essential since users need to preserve their privacy when conducting transactions. However, some users might misbehave with the cover of anonymity such as rampant trafficking or extortion. Thus, it is important to balance anonymity and accountability of anonymous cryptocurrencies. In this paper, we address this issue by proposing a linkable group signature for signing cryptocurrency transactions, which can be used to trace a payer's identity in consortium blockchain based anonymous cryptocurrencies, in case a payer misbehaves in the system. The anonymity can be retained if a user behaves honestly. We prove that the proposed scheme achieves full-anonymity, full-traceability and linkability in the random oracle model. Implementation of the proposed linkable group signature scheme demonstrates its high efficiency and thus, can be adopted in anonymous cryptocurrencies in reality.</p>

Ke Huang,Yi Mu,Fatemeh Rezaeibagha,Xiaosong Zhang,Xiong Li,Sheng Cao

DOI: https://doi.org/10.1109/tdsc.2023.3251735

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Monero is a privacy-centric cryptocurrency that allows users to obscure their transactions with multiple input and output addresses. Current research on Monero mainly focuses on identifying design vulnerabilities or optimizing towards stronger privacy, security, etc. For example, improving the design of ring confidential transaction (RingCT) protocol proposed by Noether et al. As revealed by Ali et al. in USENIX 2016, new blockchains have inadequate nodes and network computing resources to resist powerful attack (e.g., 51% attack). Obviously, Monero blockchain is not an exception. Ateniese et al. proposed the notion of redactable blockchain in EuroS $ \& amp;$ P 2017, which begins the trend of formalizing blockchain with extra cryptographic primitives. The motivation is to turn an immutable blockchain into a mutable ledger by adapting the blockchain design and integrating with new cryptographic schemes. In such a setting, users could use their private keys to perform the secure multi-party computation to reverse blockchain history. The idea of redactable blockchain has attracted many researchers to pursuit this topic. However, few works have considered the privacy-preserving setting. Even fewer have practised their designs in an actual cryptocurrency. In this paper, we seek to adapt the RingCT protocol with several building blocks. Our proposal achieves most of the desired properties for blockchain redaction. It allows multiple tracing authorities to collaboratively trace users’ identities, and a system manager to perform multi-grained (including block-level, transaction-level, accumulator-level and commitment-level) redaction on block contents. Our proposal can be seen as an extension of RingCT protocol. We give rigorous security requirements and comprehensive analysis of our scheme. The performance evaluation suggested that our scheme suffers from some unscalabilities in large-scale implementations. A more elegant design to achieve stronger security and ideal scalability is deemed as a challenging and interesting future work.

Wenqian Shang,Yulong Gao,Xueting Chen

DOI: https://doi.org/10.1109/SNPD61259.2024.10673921

2024-07-05

Abstract:This paper presents a new blockchain scheme using a linkable ring signature algorithm based on lattice cryptography. This scheme counters quantum attacks on blockchain transaction signatures. The signature algorithm ensures correctness, anonymity, and unforgeability using trap generation and rejection sampling. It’s resilient to quantum attacks due to lattice cryptography’s hardness. Compared to other lattice-based algorithms, it offers reduced signature generation and verification time, minimized signature length, lower storage requirements, and better scalability. Implementing this scheme supports blockchain transaction security and privacy, promoting blockchain’s sustainable development and widespread application. This research enhances blockchain security against quantum attacks, paving the way for more secure and efficient blockchain-based apps.

Computer Science

Hongyu Shi,Lunzhi Deng,Yan Gao

DOI: https://doi.org/10.1109/ACCESS.2020.2981360

IF: 3.9

IEEE Access

Abstract:Ring signature is an anonymous signature that both authenticates the message and protects the identity information of the signer. It is suitable for scenarios such as anonymous network access, online auctions, etc. However, there is a problem in a regular ring signature scheme. The signer can generate multiple different signatures for the same message without being discovered by the verifier. This will of course cause some confusion. Linkable ring signature (LRS) resolves the problem. The verifier can determine if multiple signatures were generated by the same signer, but he cannot determine the actual signer’s identity. In this paper, we first proposed the system model and security requirements for certificateless linked ring signature (CL-LRS). Then, we constructed a concrete CL-LRS scheme and gave the security proofs. Finally, we compared the efficiency of our scheme with several other LRS schemes. Our scheme does not use pairing operation and is more suitable for the computation-constrained environment.

Computer Science

Christopher D. Clack,Nicolas T. Courtois

DOI: https://doi.org/10.48550/arXiv.1902.02609

2019-02-07

Cryptography and Security

Abstract:Distributed ledger and blockchain systems are expected to make financial systems easier to audit, reduce counter-party risk and transfer assets seamlessly. The key concept is a token controlled by a cryptographic private key for spending, and represented by a public key for receiving and audit purposes. Ownership transfers are authorized with digital signatures and recorded on a ledger visible to numerous participants. Several ways to enhance the privacy of such ledgers have been proposed. In this paper we study two major techniques to enhance privacy of token transfers with the help of improved cryptography: M\"obius and CryptoNote. The comparison is illuminating: both techniques use "ring signatures" and some form of "stealth addressing" or key derivation techniques, yet each does it in a completely different way. M\"obius is more recent and operates in a more co-operative way (with permission) and is not yet specified at a sufficiently detailed level. Our primary goal is to explore the suitability of these two techniques for improving the privacy of payments on cryptographic ledgers. We explain various conflicting requirements and strategic choices which arise when trying to conceal the identity of participants and the exact details of transactions in our context while simultaneously enabling fast final settlement of tokens with a reasonable level of liquidity. We show that in these systems, third-party observers see obfuscated settlement. We finish with a summary of explicit warnings and advice for implementors of such systems.

Yongli Tang,Feifei Xia,Qing Ye,Mengyao Wang,Ruijie Mu,Xiaohang Zhang

DOI: https://doi.org/10.1155/2021/9992414

IF: 1.968

2021-09-16

Security and Communication Networks

Abstract:Although most existing linkable ring signature schemes on lattice can effectively resist quantum attacks, they still have the disadvantages of excessive time and storage overhead. This paper constructs an identity-based linkable ring signature (LRS) scheme over NTRU lattice by employing the technologies of trapdoor generation and rejection sampling. The security of this scheme relies on the small integer solution (SIS) problem on NTRU lattice. We prove that this scheme has unconditional anonymity, unforgeability, and linkability under the random oracle model (ROM). Through the performance analysis, this scheme has a shorter size of public/private keys, and when the number of ring members is small (such as N ≤ 8 ), this scheme has a shorter signature size compared with other existing latest lattice-based LRS schemes. The computational efficiency of signature has also been further improved since it only involves multiplication in the polynomial ring and modular operations of small integers. Finally, we implemented our scheme and other similar schemes, and it is shown that the time for the signature generation and verification of this scheme decreases roughly by 44.951% and 33.503%, respectively.

computer science, information systems,telecommunications

Xiaofang Li,Yurong Mei,Jing Gong,Feng Xiang,Zhixin Sun

DOI: https://doi.org/10.1109/access.2020.2987831

IF: 3.9

2020-01-01

IEEE Access

Abstract:Blockchain is a point-to-point distributed ledger technology based on cryptographic algorithms. However, the open and transparent blockchain ledger supplemented by statistical methods such as sociological mining and data mining has caused users' privacy to face major threats. Therefore, privacy protection has become a focus of current blockchain technology research. Ring signature technology is a commonly used encryption technology in the field of privacy protection. Therefore, this paper constructs a blockchain privacy protection scheme based on ring signature. This solution built a privacy data storage protocol based on the ring signature on the elliptic curve, and used the complete anonymity of the ring signature to ensure the security of data and user identity privacy in blockchain applications. The correctness and safety proof analysis of the proposed scheme were also carried out.

computer science, information systems,telecommunications,engineering, electrical & electronic

Fengtong Wen,Jianing Kang

DOI: https://doi.org/10.1109/ECNCT63103.2024.10704287

2024-07-19

Abstract:In today's privacy-conscious world, considering the possible problems of duplicate voting and duplicate payments in voting systems, payment systems and other application scenarios, linked ring signature (LRS) is a reliable option to ensure the need for anonymity. At the same time, to ensure that LRS can effectively defend against potential future security threats such as quantum computers, we propose an improved identity-based linkable ring signature scheme named LDLRS. This scheme uses the lattice structure and the short integer solution (SIS) problem on the lattice, and constructs an efficient and secure ring signature scheme by using the techniques of preimage sampling and reject sampling. After that, we provide the security proof of LDLRS to ensure the security of the scheme in theory. Finally, by analyzing the computational cost, we demonstrate the efficiency advantages of LDLRS in signature generation and verification compared with existing schemes.

Mathematics,Computer Science

Shuhui Zhang,Ruiyao Zhou,Lianhai Wang,Shujiang Xu,Wei Shao

DOI: https://doi.org/10.3390/electronics12245010

IF: 2.9

2023-12-15

Electronics

Abstract:In recent years, the rapid development of blockchain technology has facilitated the transfer of value and asset exchange between different blockchains. However, achieving interoperability among various blockchains necessitates the exploration of cross-chain technology. While cross-chain technology enables asset flow between different blockchains, it also introduces the risk of identity privacy leakage, thus posing a significant threat to user security. To tackle this issue, this article proposes a cross-chain privacy protection scheme that leverages ring signature and relay chain technology. Specifically, this scheme utilizes RCROSS contracts based on ring signatures to handle cross-chain transactions, thereby ensuring the privacy of both parties involved in the transaction. This cross-chain solution demonstrates practicality and efficiency in facilitating cross-chain asset trading. Furthermore, it effectively combats reuse attacks and man-in-the-middle attacks at the application layer while also providing resistance against denial-of-service attacks at the network layer. To validate the proposed cross-chain solution, we conducted tests by constructing a specific cross-chain scenario and by focusing on the natural gas consumption values generated by the RCROSS contract function used in the application chain. The findings indicate that our proposed solution is highly practical in safeguarding the identity privacy of transaction participants. This article's framework guarantees reliability, security, and efficiency in cross-chain asset transactions. By incorporating ring-based signatures and relay chain technology, users can confidently protect their identity privacy, thus ensuring secure and smooth cross-chain transactions.

engineering, electrical & electronic,computer science, information systems,physics, applied

Zhenshuai Yue,Haoran Zhu,Xiaolin Chang,Jelena Mišić,Vojislav B. Mišić,Junchao Fan

2024-05-07

Abstract:Traditional covert transmission (CT) approaches have been hindering CT application while blockchain technology offers new avenue. Current blockchain-based CT approaches require off-chain negotiation of critical information and often overlook the dynamic session keys updating, which increases the risk of message and key leakage. Additionally, in some approaches the covert transactions exhibit obvious characteristics that can be easily detected by third-parties. Moreover, most approaches do not address the issue of decreased reliability of message transmission in blockchain attack scenarios. Bitcoin- and Ethereum-based approaches also have the issue of transaction linkability, which can be tackled by Monero-based approaches because of the privacy protection mechanisms in Monero. However, Monero-based CT has the problem of sender repudiation. In this paper, we propose a novel Monero-Based CT approach (MBCT), which enables on-chain session key dynamically updating without off-chain negotiation. MBCT can assure non-repudiation of transmission participants, confidentiality of keys, reliability of message transmission and less observable characteristics. There are achieved by the three components in MBCT, namely, a sender authentication method, a dynamically on-chain session key updating method and a state feedback method. We implement MBCT in Monero-

Cryptography and Security

Mingxing Hu,Zhen Liu,Xiaojun Ren,Yunhong Zhou

DOI: https://doi.org/10.1016/j.ins.2024.121164

IF: 8.1

2024-01-01

Information Sciences

Abstract:Ring signatures enable a user to sign messages on behalf of an arbitrary set of users, called the ring. The signer-anonymity property guarantees that the signature does not reveal which member of the ring signed the message. The notion of linkable ring signatures (LRS) is an extension of the concept of ring signatures such that there is a public way of determining whether two signatures have been produced by the same signer. However, the existing LRS schemes may not be competent in some scenarios since they exhibit a gap to bridge as reflected on the security guarantees such as the absence of quantum-resistance, inadequate security notions, and a reliance on the random oracle heuristic.In this paper, we present a framework for LRS that provides stronger security guarantees. We instantiate the framework from standard lattice assumptions and prove the security in the standard model. Furthermore, we implement our scheme and conduct experimental evaluations, which demonstrate that the performances are practical for typical settings.

Emanuele Scala,Changyu Dong,Flavio Corradini,Leonardo Mostarda

DOI: https://doi.org/10.1016/j.jisa.2024.103794

IF: 4.96

2024-05-31

Journal of Information Security and Applications

Abstract:The public blockchain lacks data confidentiality. Although a level of anonymity seems guaranteed, it is still possible to link transactions and disclose related information. A solution to the privacy problem is to use cryptography in transactions, however this can lead to increased costs and slowdown in network throughput. Recent works experiment with advanced cryptography, in particular Zero-Knowledge proofs (ZK-proofs) can be supplied within a transaction to prove its validity, without revealing sensitive information. We analyze solutions that adopt ZK-proofs, such as Confidential Transactions (CTs). Several challenges emerge depending on both the zero-knowledge system and the balance model considered (UTXO, hybrid or account model). For ZK-proofs, systems that do not introduce additional trust are required. On the other hand, the account model is the most flexible for addressing security challenges. Moreover, CTs do not fully exploit the potential of ZK-proofs, since each transaction comes with one or more ZK-proof for a single transfer. Within this paper, we present ZeroMT, a novel multi-transfer private payment scheme for account-based blockchains. Drawing inspiration from Zether, our approach extends their work to develop a payment model that supports multiple payees within a single transaction. This also benefits scalability: ZeroMT enriches the CTs with the aggregation property, i.e., the batch verification of multiple transfers from a single and aggregate proof. We show that in our extended model the overdraft-safety and privacy security properties still hold. We provide an implementation and evaluation of ZeroMT, which shows the benefits of aggregating multiple transfers.

computer science, information systems

Chunhua Jin,Chunxiang Xu,Linzhi Jiang,Fagen Li

DOI: https://doi.org/10.1109/hpcc-css-icess.2015.149

2015-01-01

Abstract:Deniable threshold ring authentication allows at least t members of a group participants to authenticate a message m without revealing which t members have generated the authenticator, and the verifier cannot convince any third party the message m is authenticated. It can be applied in anonymous and privacy communication scenarios. In this paper, we present a non-interactive identity-based deniable threshold ring authentication scheme. Our scheme is provably secure in the random oracle model under the bilinear Diffie-Hellman assumption. To the best of our knowledge, our scheme is the first identity based deniable threshold ring authentication scheme. Our scheme is very efficient since it only requires one pairing operation in authentication phase and one pairing operation in verification phase regardless of the number of the ring.