Research on a New Signature Scheme on Blockchain

With the rise of Bitcoin, blockchain, the core technology of Bitcoin, has received increasing attention. Privacy preserving and performance on blockchain are two research points in academia and business, but there are still some unresolved issues in both respects. An aggregate signature scheme is a digital signature that supports signatures on many different messages generated by many different users. Using aggregate signatures, the size of the signature can be shortened by compressing multiple signatures into a single signature. In this paper, a new signature scheme for transactions on blockchain based on aggregate signatures is proposed. It is worth noting that the elliptic curve discrete logarithm problem and bilinear maps play major roles in our signature scheme, and the security properties of our signature scheme are proved. In our signature scheme, the amount is hidden, especially in transactions which contain multiple inputs and outputs. Additionally, the size of the signature on a transaction is constant regardless of the number of inputs and outputs that the transaction contains, which improves the performance of the signature. Finally, we give an application scenario for our signature scheme which aims to achieve transactions of big data on blockchain.


Introduction
Since the emergence of Bitcoin [1], blockchain as the core technology of Bitcoin has attracted more and more attention. As a combination of a variety of technologies such as distributed data storage, peer-to-peer networking, consensus mechanisms, and cryptographic algorithms, blockchain has broad prospects of application.
There are still some flaws in blockchain, of which privacy preserving and performance are two important aspects. When achieving the characteristics of blockchain, preserving privacy is the focus of academic research. In this field, Monero and Zcash are representative projects, in which ring signatures, zero-knowledge proofs, and other cryptographic technologies play important roles. In addition, achieving rapid trading to meet realistic demands is another challenge that blockchain faces. In this field, the Lightning Network is widely recognized, but there are also some flaws in its theory and implementation.
Meanwhile, we know that big data has been used in many fields. However, there are still many flaws in the storage, transmission, transaction, and privacy preserving of big data, and blockchain is considered to be an ideal technology for solving these flaws. Thus, we apply our new signature scheme to the transactions of big data on blockchain.
Our Contributions. In this work, we make three contributions in view of privacy preserving and performance on blockchain.
(1) We introduce some existing contributions to privacy preserving on blockchain, including CoinJoin in Dash, ring signatures in Monero, and zero-knowledge proofs in Zcash.
(2) We introduce some cryptographic technologies which are favorable for privacy preserving and performance on blockchain, including elliptic curve cryptography (ECC), bilinear maps, and aggregate signatures. We then propose a new signature scheme for transactions on blockchain in which the amount is hidden, especially in transactions which include multiple inputs and outputs. Additionally, the size of the signature on a transaction is constant regardless of the number of inputs and outputs that the transaction contains, which improves the performance of the signature. We also give a security analysis of our new signature scheme.
(3) We propose an application scenario for our signature scheme which aims to achieve transactions of big data on blockchain.
Paper Organization. The rest of the paper is organized as follows. Section 2 introduces some projects aimed at privacy preserving on blockchain, together with the basic building blocks that will be used in our signature scheme. In Section 3, the core of our new signature scheme, which aims at hiding the amount of transactions, is introduced. The main contribution of this paper is the new signature scheme on blockchain based on aggregate signatures, described in Section 4, where a formal security analysis of the proposed scheme is also presented. In Section 5, a simple application of our signature scheme to transactions of big data is introduced. Finally, Section 6 concludes the paper.

Privacy Preserving on Blockchain
Dash. Dash uses a technique known as CoinJoin. In a nutshell, CoinJoin mixes multiple transactions of multiple users into a single transaction through some master nodes. In Dash, each user picks an address and then sends it to the master node to mix with other addresses. Transactions can only be made with amounts of 0.1, 1, 10, and 100, which increases the difficulty for attackers to guess the relevance of transactions from their amounts. At the same time, the master nodes are required to ensure out-of-order output. As shown in Figure 1, different lines represent different users and every amount is 10 DASH, where DASH is the currency unit in this system. By mixing, the user represented by the vertical line makes a transaction of 10 DASH to the user represented by the line from top left to bottom right, while it is hard for others to find this transaction among the mixed transactions.
Monero. In Dash, there is still the risk that the master nodes are controlled by malicious attackers, which may lead to the disclosure of users' privacy. In order to solve this problem, a hybrid cryptographic scheme that does not depend on central nodes was proposed in Monero. There are two technologies in Monero: one is called the stealth address and the other is called the ring signature [2,3].
The stealth address solves the problem of the linkability of input addresses and output addresses. Each time the sender makes a transaction, a one-time public key is computed on the elliptic curve from the receiver's address. The sender then publishes this public key along with an additional message on the blockchain. The receivers can check each transaction with their own private key to determine whether the sender has sent a transaction to them. When the receiver wants to spend the transaction, it can calculate a signing private key from its own private key and the transaction information. The transaction is then signed by this signing private key.
In addition, Monero proposed a ring signature scheme. Whenever the sender wants to make a transaction, the transaction is signed by the sender's private key together with the public keys of other, randomly selected users. When verifying a signature, the public keys of the other users and the parameters in the signature are needed.
Zcash. A new scheme with zero-knowledge proofs was proposed in Zcash, which allows users to hide transaction information by interacting only with the cryptographic algorithm itself, so that all transactions are created equal [4].
In Zcash, a noninteractive zero-knowledge proof [5,6] called zk-SNARK is used. Here we do not go into the details of zk-SNARK but generally describe how this technology is used in Zcash. Let us discuss the simplest case, assuming that the amount in Zcash is fixed, such as 1 BTC. Then the process of minting is equivalent to the user pouring 1 BTC into an escrow pool and then writing a commitment, computed from a serial number and the user's private key, to a list. When the user wants to spend the money, two steps need to be done: (1) Give the serial number.
(2) Use zk-SNARK to prove that it holds the user's private key used to generate this commitment. (iii) Computability: there is an efficient algorithm to compute (, V) for all  ∈ G 1 , V ∈ G 2 .

Aggregate Signature.
Here, U denotes a set of users, each user  ∈ U has a signature key pair (PK  , SK  ), and U 1 ⊆ U denotes the users whose signatures will be aggregated. Each user  ∈ U 1 generates a signature   on a message   of their choice, and then these signatures are combined into a single signature by an aggregating party, which need not belong to the set U and may be distrusted by the users in U; the aggregating party has access to each user's public key, message, and individual signature, but not to any private key.
The result of the aggregation is , whose length is the same as that of any single signature. Aggregate signatures have the property that, given  and each message, a verifier can make sure that each user signed their own message [7,8].

Elliptic Curve.
Assume that F  has characteristic greater than 3. An elliptic curve  over F  is the set of all solutions (, ) ∈ F  × F  to an equation  2 =  3 ++, where ,  ∈ F  and 4 2 + 27 2 ≠ 0, together with a special point ∞ called the point at infinity. It is well known that  is an abelian group with the point ∞ serving as its identity element. The rules for group addition are summarized below [9].
If F  is a field of characteristic 2, an elliptic curve  of zero j-invariant over F  is the set of all solutions (, ) ∈ F  × F  to an equation  2 +  =  3 +  + , where , ,  ∈ F  ,  ≠ 0, together with the point at infinity ∞. The rules for group addition are summarized below.
If F  is a field of characteristic 2, an elliptic curve  of nonzero j-invariant over F  is the set of all solutions (, ) ∈ F  × F  to an equation  2 +  =  3 +  2 + , where ,  ∈ F  ,  ≠ 0, together with the point at infinity ∞. The rules for group addition are summarized below. (3)

Core of the New Signature Scheme
When transactions are generated on blockchain, cryptographic signatures are used to judge the legality of the transactions and the identities of the senders [10]. Furthermore, the signature algorithms aim at privacy preserving of the transactions, including the addresses of both sides and the transaction amount. For example, in Bitcoin, ECDSA [11,12], RIPEMD [13,14], and SHA256 [15,16] are used to make signatures for the transactions. In Section 3.1, we design a scheme which is the core of our new signature scheme. The amount of transactions which include multiple inputs and outputs can be hidden using this scheme.
3.1. Basic Scheme. Without loss of generality, we deal with a single transaction, which is divided into inputs and outputs; the details are shown in Figure 2. As shown in Figure 2, the transaction contains  inputs and  outputs. Clearly, we have ∑  =1 in  = ∑  =1 out  . For each  and , 1 ≤  ≤ , 1 ≤  ≤ , in order to hide in  and out  , this paper uses ECC to apply an operation to them. We choose  as the generator of F  , and the transformed forms of in  and out  are   = in  ⋅  and   = out  ⋅ . According to the operation rules of the elliptic curve, the following equations are true [17]: According to (4), the balance between inputs and outputs can be verified. Because the attackers cannot recover in  and out  from   and   , the amount of the transaction is hidden by this scheme. The following introduces the homomorphic proof and the drawback of this scheme [18].
Homomorphic Proof of the Signature Scheme. The homomorphic property is an important criterion for evaluating the security of an algorithm, especially considering that quantum computing is developing rapidly. We can easily prove that our basic scheme satisfies additive homomorphism [19,20].
Proof. For each , 1 ≤  ≤ , as defined in the basic scheme,   = in  ⋅ . According to the operation rules of the elliptic curve, the following equations are true: We obtain (6). The left side of (6) means the addition followed by an encryption operation; correspondingly, the right side means the encryption operation followed by addition. So we obtain that our basic scheme is additively homomorphic.
The Drawback of the Basic Scheme. Our basic scheme can hide the amount of transactions which contain multiple inputs and outputs. But there are also opportunities for attackers to acquire the amount. On the Bitcoin system, there have been mature attack algorithms, such as the selfish mining attack [21,22], the eclipse attack [23], and the stubborn mining attack [24]. There are similar drawbacks in our basic scheme.
A malicious attacker intercepts  inputs and V outputs, which satisfy ∑  =1 in   = ∑ V =1 out   . And in the normal network, the sum of all the inputs is The sum of all the outputs is where the elements of the sets {in   } 1≤≤ and {out   } 1≤≤V are contained in the sets {in  } 1≤≤ and {out  } 1≤≤ .
Because we know that ∑  =1 in   = ∑ V =1 out   and ∑  =1 in  = ∑  =1 out  , it follows that  = . So the attacker can also verify that  ⋅  =  ⋅ .
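As an added, constructed example (not code from the paper), the basic scheme of Section 3.1, its additive homomorphism, and the subset-linking drawback just described, on a toy curve y^2 = x^3 + x + 6 over F_11 with generator (2,7) of order 13 (an assumption chosen so every step can be followed by hand); amounts are kept small enough that sums never wrap around the group order.

```python
# Constructed toy curve (assumption): y^2 = x^3 + x + 6 over F_11, generator of order 13.
from itertools import combinations

P, A, B = 11, 1, 6
G = (2, 7)          # on the curve: 7^2 = 5 = 2^3 + 2 + 6 (mod 11)
INF = None          # the point at infinity, the group identity

def inv(x):
    return pow(x, P - 2, P)                         # field inverse (P prime)

def ec_add(p1, p2):
    """Affine group law, covering identity, inverses and doubling."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                  # Q + (-Q) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P   # tangent slope
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = INF
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def ec_sum(points):
    acc = INF
    for pt in points: acc = ec_add(acc, pt)
    return acc

def commit(amount):
    """The paper's transform: an amount is published only as amount * G."""
    return ec_mul(amount, G)

def verify_balance(in_commits, out_commits):
    """Verifier sees only commitments; by additive homomorphism
    sum(in_i * G) == sum(out_j * G) exactly when sum(in_i) == sum(out_j)."""
    return ec_sum(in_commits) == ec_sum(out_commits)

def find_linked_subsets(in_commits, out_commits):
    """The drawback: the same check works on any proper subset, so an observer
    holding u inputs and v outputs learns which inputs fund which outputs."""
    n, m = len(in_commits), len(out_commits)
    links = []
    for u in range(1, n):
        for v in range(1, m):
            for ins in combinations(range(n), u):
                for outs in combinations(range(m), v):
                    if ec_sum([in_commits[i] for i in ins]) == \
                       ec_sum([out_commits[j] for j in outs]):
                        links.append((ins, outs))
    return links
```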
In order to modify our basic scheme, this paper combines aggregate signature with the basic scheme to obtain a modified scheme.

Modified Scheme.
Recall that an elliptic curve over the finite field F  is specified by the tuple ⟨, , , , ⟩, where  = (  ,   ) is the generator of F  and  ⋅  = O. The modified scheme is performed as follows.
Proof of the feasibility of the modified scheme will be given in the Appendix.

New Signature Scheme on Blockchain
In Section 3, we proposed a new scheme which aims at hiding the amount of transactions on blockchain that contain multiple inputs and outputs. Based on this, we design a new signature scheme that can protect the amount of transactions and keep the size of signatures constant regardless of the number of inputs and outputs. Recall that an elliptic curve  over the finite field F  is specified by the tuple ⟨, , , , ⟩. The base groups are G 1 and G 2 , their respective generators are  1 and  2 , the computable isomorphism  is from G 2 to G 1 , and the bilinear map is  :
Signing. We suppose that the sender wants to send a payment to a particular receiver whose payment public key is . The sender generates a random  ∈ [1,  − 1], computes a one-time public key  = H()+, and then computes  =   . The signature is  ∈ G 1 .  =  ⋅  is also packed into the transaction.
As shown in Figure 3, this is the basic signature scheme [2,25]. In order to improve the performance of the signature scheme, we combine the aggregate signature with our basic signature scheme and propose a modified signature scheme in Section 4.2.

Modified Signature Scheme
Key Generation. For the aggregate subset of users U 1 ⊆ U, assign to each user an index , ranging from 1 to  = |U 1 |. The signature public key and signature private key of   are V  ∈ G 2 and   ∈ Z  . The payment public key and payment private key of   are   ∈  and   ∈ .
Signing. For each , 1 ≤  ≤ , we suppose that   wants to send a payment to a particular receiver whose payment public key is   .   generates a random   ∈ [1, −1], computes a one-time public key   = H(    ) +  , and then computes   =     . The signature is   ∈ G 1 .   =   ⋅  is also packed into the transaction.
Aggregate Verification. We are given an aggregate signature  ∈ G 1 for an aggregating subset U 1 ⊆ U indexed as before, the original   = H(  ⋅   ) ⋅  +  , and the public keys V  ∈ G 2 for all users   ∈ U 1 . To verify the aggregate signature , compute    = H(  ⋅   ) ⋅  +   for 1 ≤  ≤  and accept if (,  2 ) = ∏  =1 (   , V  ) holds.

[Figure 4 residue: fields "Amount", "Destination key"]
Using the properties of the bilinear map, the left side of the verification equation expands: Figure 4 gives the structure of our aggregate transaction.
As shown in Figure 4, the signature is kept constant regardless of the number of inputs and outputs that the transaction contains. We then combine the core of the new signature scheme proposed in Section 3.2 with the modified signature scheme into a new signature scheme, described in Section 4.3.

New Signature Scheme
Key Generation. For the aggregate subset of users U 1 ⊆ U, assign to each user an index , ranging from 1 to  = |U 1 |. Figure 5 gives the structure of our new transaction.

4.4. Security of the New Signature Scheme. It is easy to show that the security of our new signature scheme is equivalent to that of the traditional bilinear aggregate signature. In the aggregate chosen-key security model proposed in [7], the security of an aggregate signature scheme is equivalent to the nonexistence of an adversary capable of existentially forging an aggregate signature. Existential forgery here means that the adversary attempts to forge an aggregate signature on a subtransaction of his choice, using other subtransactions in a particular transaction. The adversary A is given a single public key. His goal is the existential forgery of an aggregate signature. We give the adversary the power to choose all public keys except the challenge public key. The adversary is also given access to a signing oracle on the challenge key. His advantage AdvAggSig A is defined to be his probability of success in the following game [7,26].
Setup. The aggregate forger A is provided with a public key PK 1 , generated at random.
Queries. Proceeding adaptively, A requests signatures with PK 1 on subtransactions of his choice.
Response. Finally, A outputs  − 1 additional public keys PK 2 , . . ., PK  . These keys, along with the initial key PK 1 , will be

[Figure 5 residue: fields "Tx output", "Amount", "Destination key"]
(1) A runs in time at most .
(2) A makes at most   queries to the hash function and at most   queries to the signing oracle.
(4) Forged aggregate signature is by at most  users.
An aggregate signature scheme is (,   ,   , , )-secure against existential forgery in the aggregate chosen-key model if no forger (,   ,   , , )-breaks it. The next theorem shows that this simple constraint is sufficient for proving security in the chosen-key model.
Theorem 2. Let (G 1 , G 2 ) be a (  ,   )-bilinear group pair for co-Diffie-Hellman, with each group of order , with respective generators  1 and  2 , with an isomorphism computable from G 2 to G 1 , and with a bilinear map  : Then the bilinear aggregate signature scheme on (G 1 , G 2 ) is (,   ,   , , )-secure against existential forgery in the aggregate chosen-key model for all  and  satisfying  ≥ (  +)⋅  and  ≤   −  G 1 (  + 2  +  + 4) − ( − 1), where  is the base of natural logarithms, and exponentiation and inversion on G 1 take time  G 1 .
Besides, the security of the scheme used to hide the amount of transactions has been analyzed in Section 3.2. Therefore, our signature scheme satisfies unforgeability and the other security properties.

Application of the Signature Scheme
Big data brings many benefits to our lives. At the same time, there are some drawbacks in big data. Firstly, the utilization of data is poor: large amounts of data sit idle, occupying a lot of storage space. Secondly, there are many drawbacks in the security and privacy of the data. The use of big data exposes personal privacy and raises other security problems, and big data may be used by criminals for illegal activities. At the same time, there are drawbacks in the transmission efficiency and transmission accuracy of data. Blockchain is considered to be an ideal solution to these problems. Based on this, we try to apply our signature scheme to transactions of big data [27].

Infrastructure of Transaction of Big Data on Blockchain.
Here, we consider the transactions of big data on blockchain. The infrastructure is based on the P2P network, which is the network model of blockchain [28]. We give the model of the infrastructure in Figure 6.
We consider the inputs and outputs of a particular transaction, which consist of data inputs, data outputs, and the corresponding amounts of outputs and amounts of inputs, as described in Figure 7.
Setup. Recall that an elliptic curve over the finite field F  is specified by the tuple ⟨, , , , ⟩. Signing. For each , 1 ≤  ≤ , we suppose that   wants to send a payment to a particular receiver whose payment public key

Figure 2: Model of single transaction.

4.1. Basic Signature Scheme
Key Generation. A particular user picks random   ←  Z  ,  ∈  and computes V =   2 ,  = . The user's signature public key and signature private key are V ∈ G 2 and  ∈ Z  . The user's payment public key and payment private key are  ∈  and  ∈ .
Key Generation. For the aggregate subset of users U 1 ⊆ U, assign to each user an index , ranging from 1 to  = |U 1 |. Each user   ∈ U 1 picks random    ←  Z  ,   ∈  and computes V  =    2 ,   =   ⋅ . The signature public key and signature private key of   are V  ∈ G 2 and   ∈ Z  . The payment public key and payment private key of   are   ∈  and   ∈ .