A Blockchain Privacy Protection Scheme Based on Ring Signature

Blockchain is a point-to-point distributed ledger technology based on cryptographic algorithms. However, the open and transparent blockchain ledger, combined with statistical methods such as social-network mining and data mining, exposes users' privacy to major threats. Privacy protection has therefore become a focus of current blockchain research. Ring signatures are a commonly used cryptographic technique in the field of privacy protection, so this paper constructs a blockchain privacy protection scheme based on ring signatures. The scheme builds a private data storage protocol on a ring signature over an elliptic curve and uses the complete anonymity of the ring signature to protect both the data and the identity of users in blockchain applications. The correctness and security of the proposed scheme are also analyzed and proved.


I. INTRODUCTION
The concept of blockchain first appeared in Nakamoto's Bitcoin white paper [1] in 2009. It is a new technology system derived from the underlying technology of Bitcoin. In essence, the blockchain is a decentralized, tamper-resistant distributed database whose bottom layer is a chain of data blocks arranged in chronological order. The security of every link in the system is guaranteed by technologies such as cryptography. Because the blockchain has the characteristics of decentralization, tamper resistance, anonymity and public verifiability, it has become the core technology of digital cryptocurrencies such as Bitcoin and Ethereum. Through the use of P2P networks, data encryption, time stamping, distributed consensus and incentive mechanisms, nodes in the system can complete point-to-point transactions. This solves the problems of high trust requirements, low efficiency and insecure data storage in centralized systems [2]. With the widespread circulation of Bitcoin, research on and application of Bitcoin's core technology, blockchain, has grown explosively. It is considered to be the fifth disruptive innovation in the computing paradigm after mainframes, personal computers, the Internet and mobile social networks [3].
The associate editor coordinating the review of this manuscript and approving it for publication was Wenbing Zhao.
The high-quality technical characteristics of the blockchain have led to its use in fields other than digital cryptocurrencies. In the financial field, central banks of various countries attach great importance to blockchain technology, design their respective digital currencies by reference to research or through direct application, and use blockchain technology to address the long reconciliation and clearing times, low cross-border settlement efficiency and high maintenance cost of central ledger data in traditional financial systems. In the field of the Internet of Things, the point-to-point transaction and intelligent verification characteristics of blockchain technology are used to achieve different types of transactions between IoT devices [4]. IBM has proposed combining blockchain technology with IoT applications to form a ''decentralized autonomous IoT.'' In the field of intellectual property, researchers have used blockchain's time stamping, anti-tampering and anti-forgery features to achieve data storage, copyright protection and identification of works. In addition, the supply chain, judicial, information authentication and other fields are gradually applying blockchain technology to improve on existing industry problems [5]. VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
As research has deepened, the blockchain has shown vigorous vitality, but its own security issues have gradually emerged. Because there is no central organization to process and maintain data in a blockchain system, all transactions are open and transparent so that every node can reach consensus quickly, and this brings the problem of data privacy leakage. Although a user's address in the blockchain is the hash of its public key, which avoids exposing the IP address of the transacting entity, this is only the simplest pseudo-anonymity mechanism for protecting the privacy of user addresses. An attacker can infer the user's real identity through big data analysis, cluster analysis and certain network attacks [6]. Inadequate protection of privacy in blockchains has led to frequent security incidents such as blockchain privacy leaks in recent years. On June 17, 2016, more than 1/3 of the ETH in The DAO, a distributed autonomous organization that had raised more than 150 million US dollars through crowdfunding, was stolen by hackers, leading to the failure of the project [7]. On December 18, 2017, North Korean hackers attacked a South Korean cryptocurrency exchange, stealing cryptocurrency worth 7.6 billion won (about 6.69 million US dollars) at the time and causing a large number of user privacy leaks. The open and transparent nature of the blockchain allows anyone to obtain all transaction information and material supply information, including amounts and contract contents, which poses a threat to personal and national security. In the field of privacy protection, encryption is the solution most commonly used by researchers. Therefore, when using blockchain technology, cryptographic techniques should be used to address the privacy issues of the blockchain and ensure users' information security.
The ring signature is a digital signature scheme first proposed by Rivest et al. [8] in 2001. Ring signatures are a simplified form of group signature [9], that is, a signature algorithm for leaking secrets anonymously. A ring contains only ring members and no manager. In this signature scheme, the signer randomly selects the public keys of multiple ring members and combines them with his own public and private keys, random numbers and other techniques to complete the signature. The verifier can only confirm that the signature comes from this set of signers, but cannot tell which member signed. Ring signatures are therefore well suited to complaint reporting, election voting, electronic currency and other fields. Blockchain, as a public and transparent ledger, brings open and transparent transactions and, with them, data privacy leaks. Therefore, this scheme adopts a ring-signature-based transaction signature to ensure the absolute anonymity of the user, thereby protecting users' privacy.
Aiming at the data privacy leakage problem facing the current blockchain, and drawing on the characteristics of ring signature technology, this paper proposes a blockchain privacy protection scheme based on ring signatures. The ring signature is used to protect the information of the transaction initiator, thereby protecting the privacy of the blockchain. The remainder of this paper is organized as follows. Related work is reviewed in Section II. The preliminaries and the proposed scheme are given in Section III. In Section IV, the correctness and security of the proposed scheme are proved theoretically. Finally, the conclusion is drawn in Section V.

II. RELATED WORKS
Blockchain privacy leaks and other security issues have hindered the adoption of blockchain technology in existing industries. In order to improve the anonymity of blockchain technology and protect the privacy of user identities and transaction data, a variety of blockchain privacy protection schemes have been proposed. The coin mixing mechanism in digital currencies borrows the idea published by Chaum [10] in 1981: multiple unrelated inputs are mixed between the input addresses and the output addresses, making it impossible for an outside observer to correlate the inputs and outputs of a transaction, so the flow of digital currency cannot be traced. Currently, Bitlaunder [11], Bitcoin Fog [12], Blockchain.info [13] and other websites provide this coin mixing service. Bonneau et al. [14] proposed Mixcoin, a centralized coin mixing scheme with an audit function: if the third-party node misbehaves, the user can publish the signed data and the funds are returned to the user, while the third-party node loses its credibility and can no longer act as a trusted third party. Valenta and Rowan [15] proposed the Blindcoin scheme, which uses blind signatures [16] to improve Mixcoin: the user has the output address blind-signed, so a third party can provide the coin mixing service without being able to connect the user's input address to the output address. Gregory Maxwell [17] proposed the CoinJoin scheme, whose core idea is to combine multiple transaction inputs into one transaction; a user signs the transaction once the output address he requires appears in the output address list. This scheme hides the relationship between transaction input addresses and output addresses. However, all the coin mixing schemes mentioned above require the participation of a third party. Since the third party providing the mixing service knows the link between a user's input address and output address, cheating by the third party cannot be ruled out, and the problem of leaking user privacy remains.
Dash [18] is a kind of ''digital currency'' designed to protect user privacy. It adopts chained mixing and blinding techniques to realize the coin mixing process and reduce the correlation between addresses. But Dash mixes coins in a centralized way, which is vulnerable to attacks by malicious master nodes. Ruffing et al. [19] proposed a decentralized coin mixing scheme, CoinShuffle, which adds an output address shuffling mechanism on top of CoinJoin and can complete the coin mixing function without any third-party node joining. However, participants are required to be online at the same time during the mixing process, so the scheme is vulnerable to denial of service attacks.
Miers et al. [20] proposed the Zerocoin protocol based on zero-knowledge proofs [21] to solve the problem of user transaction address leakage. Users can hide the addresses of both parties to a transaction through Zerocoin, making the transaction unlinkable. However, Zerocoin can only mint and redeem coins of fixed value, and the data of Zerocoin's zero-knowledge proofs is relatively large, which requires additional blockchain storage space and computing resources. Sasson et al. [22] proposed a new type of digital currency, Zerocash, based on Zerocoin. Zerocash encapsulates the flow and amount of each transaction as parameters of a commitment function, so that the addresses and transaction amounts of both parties remain confidential. At the same time, Zerocash applied zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARKs) to ''digital currency'' to achieve the highest degree of privacy and anonymity among current ''digital currency'' transactions. However, generating a proof with a zero-knowledge proof algorithm is very slow: it usually takes 1 minute to generate a new proof, so there is an efficiency bottleneck.
The data in the blockchain is stored in a public distributed ledger. If users' private information and transaction information are kept out of the public database, the privacy problem of the blockchain is fundamentally solved. Based on this idea, many off-chain payment schemes have been proposed. The Lightning Network [23], two-way micropayment channels [24], Sprites [25], Bolt [26] and other off-chain payment technologies provide reliable off-chain transactions: most of the transaction details between users are completed off-chain, and users only need to record the first and the last transaction in the blockchain ledger. However, the existing off-chain transaction technologies all implement anonymous transactions between users through third parties, so they still have many shortcomings. For example, when an error occurs in a transaction, the user's transaction information must be publicly verified, and how to ensure the fairness of the transaction without leaking the user's privacy still needs further work by researchers.
Ring signature is a special kind of group signature. Compared with a general group signature, the unconditional anonymity and unforgeability of the ring signature make it more prominent in terms of privacy. Among digital currencies, Monero [27] uses ring signatures, ring confidential transactions and encrypted addresses to obfuscate the source, amount and destination of all transactions, providing users with greater privacy. Ring signatures also play a very important role in business activities such as electronic payments and auctions. Thomas and Boyen [28] proposed a practical remote voting scheme called VOTOR, which uses linkable ring signatures and product anonymity channels to provide a higher level of privacy in this setting. Mourad et al. [29] introduced a new supply chain traceability system for settings with privacy-sensitive information. The system uses the MLSAG ring signature protocol to keep privacy-sensitive information confidential, and achieves traceability by hiding the participants in the public information of past transactions. Patil and Wasnik [30] used ID-based ring signatures to remove the certificate verification process and built a secure and reliable data sharing system that guarantees the privacy of the applicant. To address the bottleneck of current PKI systems, which cannot support large numbers of users and their data, [31] adopted identity-based ring signatures to protect personal anonymity during data sharing and combined forward security with the identity-based ring signature to improve data security. Reference [32] proposed a new ring signature scheme based on a lattice hardness assumption to protect privacy in the Internet of Vehicles. Unlike traditional public-key cryptographic schemes for privacy protection, this scheme is designed on the learning-with-errors problem over a lattice ring, which ensures its security against quantum algorithm attacks.
Compared with other schemes, the Gregory ring signature scheme achieves unconditional anonymity and can also provide traceability to authorized parties when necessary. Surmila and Dilip [33] proposed an efficient audit scheme based on a CDH-based ring signature for checking the integrity of dynamic data shared among a group of users and outsourced to untrusted cloud storage. This scheme enables third-party auditors to audit customers' data without learning its content, while preserving the identity privacy of the auditors and of the group members who signed the data stored on the cloud server.
To sum up, this paper analyzes the related theory of ring signatures, uses the anonymity of ring signature technology, proposes a ring signature scheme based on Elliptic Curve Cryptography (ECC), and applies it to the privacy protection of blockchain. The advantages of this scheme are as follows.
1. Compared with bilinear-pairing-based schemes, it has better security for a key of the same length.
2. The protection of the signer's identity is strengthened and improved.
3. Compared with bilinear-pairing-based schemes, the unforgeability of the scheme is strengthened, which reduces the probability that an attacker successfully recovers the key.

III. ALGORITHM DESCRIPTION
A. PRELIMINARIES
1) ELLIPTIC CURVE
Suppose that q is a large prime, F_q is the integer field modulo q, and E_q(a, b) is a nonsingular elliptic curve over F_q. Its equation is as follows, where a, b, x, y ∈ F_q and $(4a^3 + 27b^2) \bmod q \neq 0$:
If a point P(x, y) satisfies the equation of E_q(a, b), then P(x, y) is a point on the elliptic curve, and the point Q(x, −y) is the negative of P(x, y), that is, Q = −P. Let P(x_1, y_1) and Q(x_2, y_2) be points on the elliptic curve E_q(a, b) with P ≠ Q. The line l through P and Q intersects the curve at a third point R' = (x_3, −y_3); the reflection of R' about the x-axis is R = (x_3, y_3), and R = P + Q.
The points on the elliptic curve E_q(a, b) together with the point at infinity O form an additive cyclic group G_q of prime order q.
Correspondingly, the point-doubling operation defined on G_q is:
Definition 2 (Elliptic Curve Discrete Logarithm Problem, ECDLP): Let P be a generator of G_q and let P, aP ∈ G_q. The probability that a polynomial-time algorithm A solves the ECDLP in bounded time is $\mathrm{Adv}^{\mathrm{ECDLP}}_{A,G_q}(k) = \Pr[A(P, aP) = a : a \in Z_q^*]$.
Definition 3 (Elliptic Curve Discrete Logarithm Assumption): For every polynomial-time algorithm A there exists a negligible function ε such that $\mathrm{Adv}^{\mathrm{ECDLP}}_{A,G_q}(k) \le \varepsilon$; that is, the probability $\mathrm{Adv}^{\mathrm{ECDLP}}_{A,G_q}(k)$ is negligible.

3) SECURITY MODEL OF RING SIGNATURE
In this ring signature scheme, we consider an attacker A who has not only the public keys of the n signers but also the private keys of some of them.
* Game 1 (unforgeability of the ring signature): For A, Succ_{RS,A} is defined as the probability that A succeeds against a challenger R in the following game.
1. Initialization: Given a security parameter l, the challenger R runs the initialization algorithm to obtain the system parameters and sends them to the attacker A.
2. Hash query: When the attacker A submits any value, the challenger R returns the corresponding hash value to A.
3. User public key query: The attacker A selects a user and queries its public key, and the challenger R returns the corresponding public key pk_i to A.
4. Private key query: The attacker A queries a user's private key sk_i, and the challenger R returns the corresponding private key sk_i.
5. Ring signature query: The attacker A selects and submits a message m, and the challenger R returns the corresponding ring signature σ to A.
6. Forgery: Finally, the attacker A outputs a signature σ* on another message m* that satisfies the following conditions: (a) σ* is a valid ring signature generated by the attacker A; (b) m* was never submitted in a ring signature query.
Definition 4: If an attacker A that makes at most q_H hash queries, at most q_U user public key queries, at most q_P private key queries and at most q_RS ring signature queries within time at most T breaks the ring signature with success probability Succ_{RS,A} at least ε, we say that A (T, q_H, q_U, q_P, q_RS, ε)-breaks the ring signature. If no attacker can (T, q_H, q_U, q_P, q_RS, ε)-break a ring signature, the ring signature is said to be (T, q_H, q_U, q_P, q_RS, ε)-existentially unforgeable under adaptive chosen-message attack.
* Game 2 (anonymity of the ring signature): Let U = {U_1, U_2, ..., U_n} be n users. In Game 2, A is an attacker and R is a challenger.
1. The challenger R performs initialization to compute the system parameters and sends them to the attacker A.
2. The attacker A adaptively makes a polynomially bounded number of ring signature queries.
3. In the challenge phase, the adversary outputs a message m, the public key set R of n users and two different public keys pk_1, pk_2 ∈ R, and sends all of them to the challenger R. The challenger R randomly selects a bit b ∈ {0, 1} and returns the ring signature σ = Aring(m, R, sk_u) to the attacker A, where sk_u is the private key of the challenge public key selected by b.
4. The attacker A adaptively makes a polynomially bounded number of ring signature queries.
5. Finally, the attacker A outputs a bit b' ∈ {0, 1}.
6. The attacker A wins the game if and only if b' = b.
Definition 5: Define the probability that an attacker A succeeds in Game 2 as Succ(A) = Pr[b' = b] = 1/2 + ε. A ring signature has unconditional anonymity only if no attacker can win Game 2 with a non-negligible advantage; in other words, for any polynomial-time attacker, the advantage ε of winning Game 2 is negligible.

B. BLOCKCHAIN PRIVACY PROTECTION SCHEME BASED ON RING SIGNATURE
This section introduces the use of ring signature technology to design a completely anonymous user data storage protocol under the blockchain architecture, so that user information in the blockchain stays private. A smart contract deployed in the blockchain network monitors activity in the network and, when preset conditions are met, triggers a preset instruction to execute a transaction T. As shown in Algorithm 1, the model is constructed as follows:
1. SetUp(l): Input the security parameter l, a sufficiently large prime. Randomly select a large prime q > l. G is a base point on the elliptic curve, and G_1 is a cyclic additive group of large prime order q. Output the system parameters par = {q, G, G_1, P, H_0, H_1, H_2}, where P is the generator of G_1 and the hash functions are:
2. KeyGen(par) → (pk_i, sk_i): The blockchain system randomly selects x_i ∈ Z_q^* and computes pk_i ← x_i · P; the user's public key is pk_i ∈ G and the private key is sk_i = x_i ∈ Z_q^*.
3. Aring → T_σ: The transaction initiator s chooses a public key set R = {pk_1, pk_2, ..., pk_n}, the public keys of the members participating in the ring signature; R does not include the initiator's own public key pk_s. For each public key pk_i the corresponding attribute values L_i, R_i are set according to the following steps:
• Randomly select u_i, v_i, w_i ∈ Z_q^* and compute:
Here I_s = sk_s · H_0(pk_s) is the signature image of the message, used to prevent double-spend attacks in the system, and H_0(pk_i) maps pk_i to a point on the elliptic curve over the finite field.
• Randomly select r ∈ Z_q^* and compute:
Here m is the content being signed. Finally, the ring signature of the transaction initiator s on the message m is output as T_σ = (I_s, c_1, c_2, ..., c_s, ..., c_n, d_1, d_2, ..., d_s, ..., d_n).

Averify:
Anyone who has the public keys of all members participating in the ring signature can verify the transaction signature T_σ as follows: compute γ_i, δ_i by formula (6), and then check whether formula (7), (…, γ_n, δ_1, δ_2, …, δ_n), holds. If it holds, check whether the signature image I_s contained in the signature has been used before. If it has not been used, the signature is valid; otherwise it is considered invalid.
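As an added, concrete illustration of the structure just described (this is example code, not the paper's own equations, which are not legible in this copy), the following Python implements a CryptoNote-style linkable ring signature over secp256k1 with SHA-256: a signature image I_s = sk_s · H_0(pk_s), a signature of the form (I_s, c_1, ..., c_n, d_1, ..., d_n), verification by recomputing γ_i, δ_i, and rejection of a reused signature image as a double spend. The curve, the hash functions and the exact Aring/Averify equations are assumptions of this example.

```python
import hashlib
import secrets

# secp256k1 domain parameters (an assumption: the page fixes no concrete curve).
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order, the scheme's q
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
def add(P, Q):
    """Affine point addition on y^2 = x^3 + 7 over F_p; None is the point at infinity O."""
    if P is None or Q is None:
        return Q if P is None else P
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
        return None                                   # P + (-P) = O
    if P == Q:                                        # doubling: tangent slope
        lam = 3 * P[0] * P[0] * pow(2 * P[1], -1, p) % p
    else:                                             # chord slope through P and Q
        lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p) % p
    x = (lam * lam - P[0] - Q[0]) % p
    return (x, (lam * (P[0] - x) - P[1]) % p)
def mul(k, P):                                        # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R
def enc(P):                                           # fixed-width point encoding for hashing
    return P[0].to_bytes(32, "big") + P[1].to_bytes(32, "big")
def H1(*parts):                                       # hash to a scalar in Z_n
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % n
def H0(P):
    """H_0: map a public key to a curve point by try-and-increment (p = 3 mod 4)."""
    x = int.from_bytes(hashlib.sha256(enc(P)).digest(), "big") % p
    while True:
        y2 = (pow(x, 3, p) + 7) % p
        y = pow(y2, (p + 1) // 4, p)
        if y * y % p == y2:
            return (x, y)
        x = (x + 1) % p
def keygen():
    """KeyGen: sk_i = x_i in Z_q^*, pk_i = x_i * G."""
    x = secrets.randbelow(n - 1) + 1
    return x, mul(x, G)
def aring(m, ring, s, sk_s):
    """Aring: the signer at index s of `ring` signs m; returns T_sigma = (I_s, c, d)."""
    k = len(ring)
    I_s = mul(sk_s, H0(ring[s]))                      # signature image, fixed per signer key
    u = [secrets.randbelow(n - 1) + 1 for _ in range(k)]
    w = [secrets.randbelow(n - 1) + 1 for _ in range(k)]
    L, R = [None] * k, [None] * k
    for i in range(k):
        if i == s:                                    # real signer: commitments from u_s alone
            L[i], R[i] = mul(u[i], G), mul(u[i], H0(ring[i]))
        else:                                         # decoys: w_i will serve as their c_i
            L[i] = add(mul(u[i], G), mul(w[i], ring[i]))
            R[i] = add(mul(u[i], H0(ring[i])), mul(w[i], I_s))
    h = H1(m, *map(enc, L), *map(enc, R))
    c, d = w[:], u[:]
    c[s] = (h - sum(w[i] for i in range(k) if i != s)) % n   # closes the ring
    d[s] = (u[s] - c[s] * sk_s) % n                   # needs sk_s: source of unforgeability
    return I_s, c, d
def averify(m, ring, sig, used_images):
    """Averify: recompute gamma_i, delta_i, check the ring equation, then the image."""
    I_s, c, d = sig
    gamma = [add(mul(d[i], G), mul(c[i], pk)) for i, pk in enumerate(ring)]
    delta = [add(mul(d[i], H0(pk)), mul(c[i], I_s)) for i, pk in enumerate(ring)]
    if sum(c) % n != H1(m, *map(enc, gamma), *map(enc, delta)):
        return False                                  # forged or altered transaction
    if I_s in used_images:
        return False                                  # same signer key spent twice
    used_images.add(I_s)
    return True

def demo():   # honest signature, tampered message, then a second spend by the same signer
    keys = [keygen() for _ in range(4)]
    ring, s, used = [pk for _, pk in keys], 2, set()
    sig1, sig2 = (aring(m, ring, s, keys[s][0]) for m in (b"tx-1", b"tx-2"))
    return (averify(b"tx-1", ring, sig1, used), averify(b"tx-1'", ring, sig1, set()),
            averify(b"tx-2", ring, sig2, used), sig1[0] == sig2[0])
```

Running demo() returns (True, False, False, True): the honest signature verifies, the altered message fails the ring equation, the second spend fails only because its signature image I_s was already recorded, and the two images are identical, which is the linkability that makes double-spend detection possible.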
The miner nodes in the blockchain network package the transaction set T = (T_1, T_2, ..., T_n) collected over a period of time, and then repeatedly search for a random number that satisfies the preset conditions in order to construct a block that confirms the transactions. When a new block is successfully constructed within the specified time, it is broadcast to the blockchain network. Each node verifies the legality of the new block according to the block construction mechanism. If the new block is legal, it is appended to the blockchain, and the other nodes in the network synchronize the new block so as to compete for the right to produce the next block.

IV. ANALYSIS OF CORRECTNESS AND SAFETY PROOF
A secure ring signature scheme should meet the three aspects of correctness, unconditional anonymity, and unforgeability.

A. CORRECTNESS ANALYSIS
The verifier verifies the transaction signature T σ according to the formula, and if it is true, the verification is passed.
When i = s, γ_i and δ_i transform as follows:
When i ≠ s, γ_i and δ_i transform as follows:
Therefore, according to the above relationships, the correctness of the ring signature scheme proposed in this paper can be verified as follows:

Algorithm 1
    calculate (pk_i, sk_i) ← KeyGen(par);
3:  end for
4:  for each U_i involved in the transactions do
5:      select ring signature members, and follow the steps below to generate a ring signature
6:      randomly select u_i, v_i, w_i ∈ Z_q^*, and then calculate:
7:      randomly select r ∈ Z_q^* and then calculate as follows:
10:     h = H_2(m||r)
11:
13: end for
14: for anyone who owns the public keys of all participating ring signing members do
15:     while (…, γ_n, δ_1, δ_2, …, δ_n) do
16:         receive this signature and complete the transaction
17:     end while
18: end for

that the ECDLP game is successfully won within a valid polynomial time T, ECDLP can be successfully solved with a non-negligible probability.
Proof: The challenger R receives a random instance (P, aP) of the discrete logarithm problem, and its goal is to compute a. The challenger R sets the public key of the signer U* as pk_{i*} = aP. R is a subroutine of A and plays the challenger of A in Game 1. Without loss of generality, we assume that all queries are distinct. We now show how the challenger responds to the attacker A's queries.
1. Initialization: Given a security parameter l, the challenger R runs the initialization algorithm to obtain the system parameters and sends them to the attacker A.
2. Hash query: The challenger R maintains a list L of pairs (α_i, β_i), initially empty. When the adversary A queries H_1(α_i), the challenger R chooses a random value β_i, sets H_1(α_i) = β_i, adds (α_i, β_i) to the list L and returns β_i to A.
3. User public key query: The challenger R maintains a list L of pairs (α_i, β_i), initially empty. When the adversary A queries H_1(α_i), the challenger R chooses a random value β_i, sets H_1(α_i) = β_i, adds (α_i, β_i) to the list L and returns β_i to A.
4. Private key query: When the attacker A queries the private key of a user, if pk_i = pk_{i*} then R aborts; otherwise the challenger R returns the corresponding private key sk_i to A.
5. Ring signature query: The attacker A submits a message m and the public key set R of n users, and the challenger R outputs a ring signature T_σ. If some user identity pk_s ∈ R satisfies pk_s = pk_{i*}, the challenger R runs the signing algorithm and replies with the signature T_σ, where pk_s is the real signer. Otherwise, the challenger R performs the following steps:
• Randomly select u_i, v_i, w_i ∈ Z_q^* and compute: h = H_2(m||r).