Blockchain as a CA: A Provably Secure Signcryption Scheme Leveraging Blockchains

Although encryption and signatures have been two fundamental technologies for cryptosystems, they still receive considerable attention in academia due to the focus on reducing computational costs and communication overhead. In the past decade, applying certificateless signcryption schemes to solve the higher cost of maintaining the certificate chain issued by a certificate authority (CA) has been studied. With the recent increase in the interest in blockchains, signcryption is being revisited as a new possibility. The concepts of a blockchain as a CA and a transaction as a certificate proposed in this paper aim to use a blockchain without CAs or a trusted third party (TTP). The proposed provably secure signcryption scheme implements a designated recipient beforehand such that a sender can cryptographically facilitate the interoperation on the blockchain information with the designated recipient. Thus, the proposed scheme benefits from the following advantages: (1) it removes the high maintenance cost from involving CAs or a TTP, (2) it seamlessly integrates with blockchains, and (3) it provides confidential transactions. This paper also presents the theoretical security analysis and assesses the performance via the simulation results. Upon evaluating the operational cost in real currency based on Ethereum, the experimental results demonstrate that the proposed scheme only requires a small cost as a fee.


Introduction
With the rapid development of information and network applications, confidentiality, integrity, and nonrepudiation are the main security concerns. Thus, encryption and digital signatures have become two main fundamental technologies for any well-defined cryptosystem.
In 1984, Shamir presented a novel identity-based cryptosystem (IBC) [18] in which a random string (identity) was set as the participant's public key, and the corresponding private key was generated by a trusted third party (TTP) called the key generation center (KGC). This design eliminated the high cost of maintaining a traditional certificate-based PKI. Later, Boneh and Franklin proposed their identity-based encryption (IBE) [19] that fully exploited Shamir's IBC; this method significantly decreased the computational overhead by eliminating the certificate management problem in the PKI. In 2002, Malone-Lee combined the concepts of the IBC and signcryption to present an identity-based signcryption scheme [5]. Unfortunately, the identity-based signcryption schemes in Ref. [4,5], to name a few, suffer the key escrow problem.
In 2003, Al-Riyami and Paterson proposed certificateless public key cryptography [20], in which the problems of either the utilization of certificate in PKI or the key escrow in IBC are eliminated. Consequently, Barbosa and Farshim proposed the first certificateless-based signcryption scheme [8]. A certificateless signcryption scheme consists of four phases: (1) setup: the KGC generates its key pairs; (2) key generation: a participant chooses his key pair under the assistance of the KGC; (3) signcryption; and (4) unsigncryption. Notably, the participant's private key is partially generated by the KGC in the key generation phase and the KGC is assumed to be trusted. Furthermore, the KGC's public key and the signer's public key are involved in the unsigncryption phase and the authentication of the public keys is necessary. It is obvious that the certificateless signcryption schemes in Ref. [13,16,17], to name a few, cannot avoid the high maintenance cost of TTP.
Herein, we briefly examine a traditional certificate-based digital signature. Certificates, used to authenticate public keys prior to adoption, are chained as an ordered list containing an entity certificate, a series of intermediate certificates in the middle, and a root certificate at the end of the chain. For example, when Alice intends to use Bob's public key, the public key will be authenticated by verifying Bob's certificate first. Bob's certificate, including his identity information and his public key, is protected by the certificate issuer's signature. Obviously, it is tamper-proof and unforgeable. However, if someone intends to verify the issuer's signature, Alice needs to take the next step to confirm the issuer's public key by verifying the corresponding certificate that is issued by another upper issuer called the intermediate certificate authority (CA). The signatures of the certificates in the certificate chain (see Figure 1) must be verified up to the root CA certificate.
It is clear that maintaining the certificate chain, along with the assumption of a TTP, will increase the overall computational overhead; thus, the use of a blockchain becomes more pertinent. Due to the emergence of Bitcoin [21] in 2009, Ethereum [22] in 2013, and Hyperledger Fabric [23] in 2016, blockchain technologies [21,22], providing a trusted mechanism without a CA and TTP, have received significant attention and interest in academia and the IT industry. The fundamental technology of blockchains, such as Bitcoin and Ethereum, has gained increasingly more attention and has begun to be applied to various fields, such as medical data access [24][25][26], the Internet of Things [27,28], and privacy preservation [29][30][31]. However, the high cost of certificate-based public key authentication is still problematic.
A blockchain is a continuously appending list of blocks (see Figure 2) that are linked and secured using cryptographic technologies, and the chain terminates in a genesis block. Each block typically contains an external hash pointer as a link to its previous block and an internal hash of all transactions (Tx). A transaction is a group of data, which includes the messages of "from" and "to" and the signatures. Figure 3 illustrates an instance of a transaction (Tx) in the block number 2752 in an Ethereum test blockchain.
Basically, an elliptic curve digital signature algorithm (ECDSA) [32] is what facilitates the blockchain concept in Bitcoin, Ethereum, and Hyperledger Fabric. The signature fields "r" and "s" in each transaction, as shown in Figure 3, are proven. For a user in a blockchain, his private key is regarded as his identity and security credential. It is worthwhile to note that the private key is generated and maintained by the user himself, not a trusted third party, and it is used to sign outgoing transactions. Instead of interacting with the blockchain, each user can directly interface with his blockchain node to deposit signed transactions and inspect the blockchain.

Motivation.
A blockchain can be viewed as a public decentralized ledger to record all of the transactions in a publicly verifiable and permanent way. The data in (Tx) are tamper-proof and cannot be changed retroactively without altering all subsequent blocks up to the genesis one. The cryptographic advantages of a blockchain are similar to those of a certificate chain such as providing public verification and being tamper-proof. The main difference is that the blockchain is a decentralized trust mechanism requiring no trusted third party; however, the certificate chain is a centralized trust mechanism with a series of trusted third parties.
In this paper, new cryptographic paradigms called blockchain as a CA and transaction as a certificate are investigated to implement a blockchain without a CA or TTP. Precisely, users' public keys are extracted and authenticated directly from transactions in blockchains instead of by CAs or a TTP. This combination is named blockchain as a CA (BaaCA). BaaCA has the following advantages.
(1) Avoiding the high maintenance cost of CA and TTP: for a block in the blockchain, a transaction with its ECDSA signature can be treated as certificate-like and utilized to extract the ECDSA public key such that both the public key and the transaction itself are authenticated. In this way, the concepts of a blockchain as a CA and a transaction as a certificate become intriguingly analogous to that of a certificate chain in the PKI.
(2) Seamlessly integrating with blockchains: due to the success of Bitcoin and Ethereum along with the promise of blockchain technologies, it is possible and feasible to combine blockchain technologies with signcryption to achieve the goals of confidentiality, integrity, and nonrepudiation simultaneously.
(3) Providing transaction confidentiality: by combining encryption with a digital signature to achieve the goal of "lower computational cost and communication cost," a novel signcryption scheme based on a blockchain that provides more benefits is proposed in this paper.

Contribution.
In view of prior work, this paper proposes a provably secure BaaCA-based signcryption scheme. The main contributions of the proposed scheme are highlighted as follows.
(1) Using blockchain as a CA and transaction as a certificate to form a new signcryption scheme, it is feasible to eliminate the high maintenance cost from involving CAs or a TTP compared with the related works.
(2) The theoretical security analysis is demonstrated, and the experimental results show that the proposed scheme can work and interoperate with the Ethereum blockchain. In this way, the proposed scheme does seamlessly comply with a state-of-the-art blockchain.
(3) By combining blockchain technologies with signature and encryption, the proposed scheme achieves the goals of confidentiality, integrity, and nonrepudiation simultaneously. It is worth noting that the proposed scheme presents a new paradigm of providing confidentiality to transactions in the Bitcoin and Ethereum blockchains with a minor impact.
The rest of this paper is organized as follows. The related preliminaries are given in the next section. The proposed scheme with the formal system and security models are illustrated in Section 3. Section 4 presents the formal theoretical security proofs under the random oracle model along with the experimental results. The performance analysis is given in Section 5. Discussion and conclusions are given in Sections 6 and 7, respectively.

Signature via ECDSA.
The ECDSA algorithm [32] includes four phases; they are the setup, key generation, signature generation, and signature verification phases. They are briefly described below.
Setup phase: Let $E$ be the given curve with its default field and equation. Then, base point $P$ of a prime
(2) Choose an integer $k$ such that $0 < k < n$, where $k$ is a cryptographically secure random number.
(2) Compute $w = s^{-1} \bmod n$, $u_1 = e \times w \bmod n$, and $u_2 = r \times w \bmod n$.
If it holds, the signature of m is successfully authenticated.

Encryption via ECC.
To encrypt or decrypt message m in ECC, the operations [33] are as follows.
Encryption phase: (1) Choose an integer k such that 0 < k < n, where k is a cryptographically secure random number.

The Proposed Signcryption Scheme
The proposed BaaCA-based signcryption scheme including its system and security models is illustrated in this section. The notations used in the proposed scheme are described first in Table 1.
The proposed BaaCA-based signcryption scheme includes three different entities: a sender, a recipient, and the blockchain.
(1) Sender: a sender called Alice, with her private/public key pair $(d_A, Pub_A)$, is sending data $data_A$ to a specified recipient. First, the data $data_A$ are split into two parts: $data_A^1$ and $data_A^2$. Note that the privacy-sensitive part of $data_A$ is put into $data_A^2$ and the other remaining part of $data_A$ will be packaged into $data_A^1$. Second, Alice executes the BaaCA-based signcryption algorithm to generate the encryption key $key$, which is used to transform $data_A^2$ into ciphertext $c$ and to create the signature $(r_A, s_A)$ at the same time. Finally, Alice posts the transaction $Tx_A = (data_A^1, c, r_A, s_A)$ to the recipient via the blockchain.
(2) Recipient: a recipient called Bob, with his private/public key pair $(d_B, Pub_B)$, will perform the decryption and verification processes when he gets transaction $Tx_A$ to obtain the original data $data_A$. To decrypt ciphertext $c$, Bob has to execute the signcryption algorithm first to generate the decryption key $key'$, which is the same as Alice's encryption key. Consequently, Bob uses $key'$ to decrypt $c$ to obtain the privacy-sensitive data $data_A^2$ and then recover the original data $data_A$. When performing verification, first, Bob uses both the signature $(r_A, s_A)$ and $data_A$ to generate Alice's public key $Pub_A'$. Therefore, Bob can use $Pub_A'$ to extract Alice's account address and check whether the account address is the same as that in transaction $Tx_A$. Please note that each account address is transformed from the relative public key in the blockchain. If they are the same, Bob can ensure that data $data_A$ are sent by sender Alice.
(3) Blockchain: the blockchain acts as a digital ledger that records all transactions that have ever happened. That is, the blockchain is treated as a CA and the tamper-proof transactions are treated as the certificates to extract the related public keys.
The proposed scheme consists of five algorithms. They are system setup, key generation, public-key extraction, signcryption, and unsigncryption. For simplicity, we denote them as Setup, KeyGen, PKExtract, Signcryption, and Unsigncryption, respectively. The details are described below.
(i) Setup: it is a probabilistic algorithm for generating the public parameters $params$ of the system using a security parameter $k$ as the input. It can be represented as $(params) \leftarrow Setup(k)$.
(ii) KeyGen: it is a probabilistic algorithm that randomly chooses private key $d_i$ as its input to generate its corresponding public key $Pub_i$ and its relative account address $Pseudonym_i$. It can be represented as

Security Model.
There are two security concerns about the security model of the proposed BaaCA-based signcryption scheme in this paper. They are confidentiality and unforgeability.
The property of confidentiality in the proposed BaaCA-based signcryption scheme is essentially provided since it is only the specified recipient that knows data $data_A$. The following experiment $Exp^{\text{IND-BaaCA-CCA}}_{A}(k)$, played with the adversary IND-BaaCA-CCA denoted as A and a challenger denoted as C, proves the property of confidentiality under chosen ciphertext attacks.
(i) Setup: C runs this algorithm to obtain public parameters $params$ and then distributes the public parameters to the adversary A.
(ii) Queries (phase 1): A makes a number of oracle queries to C and C would give some information to A. In the experiment, the following queries are allowed: (a) KeyGen queries: A sends $d_A$ to C, and then C runs
(iii) Challenge: after finishing phase 1, adversary A chooses two data $data_{A_0}$ and $data_{A_1}$ with an arbitrary private key $d_A^*$, which he wishes to challenge. C randomly chooses a bit $b \in \{0, 1\}$ for the two challenged data and then runs signcryption queries to obtain the result $\omega^*$. Finally, C sends it to A.
(iv) Queries (phase 2): after receiving $\omega^*$, adversary A asks a number of queries similar to those in phase 1 but $(\omega^*, d_B^*, Pub_A^*)$ will not be sent to C under unsigncryption queries.
We can define the advantage of A in this
(2) Unforgeability. In the proposed BaaCA-based signcryption scheme, unforgeability is essential to ensuring that the signature is secure against adaptively chosen message attacks. The following experiment $Exp^{\text{EU-BaaCA-CMA}}_{A}(k)$, played with an adversary EU-BaaCA-CMA denoted as A and a challenger denoted as C, proves the existential property of unforgeability under the chosen message attack.
is never sent to C as inputs for the signcryption queries, where $data_A^*$ are the data corresponding to the forgery.
The elliptic curve discrete logarithm problem (ECDLP): if $a \in F_n^*$ is unknown, compute $a$ given $P$ and $aP$.

Definition 4.
The elliptic curve computational Diffie-Hellman problem (ECCDHP): if $a, b \in F_n^*$ are unknown, compute $abP$ given $P$, $aP$, and $bP$.
In this paper, the appropriate G is determined by blockchains where the ECDLP and ECCDHP are assumed to be computationally difficult.

The Proposed Scheme.
According to the benefits of the blockchain as a CA concept, the proposed scheme uses a variant of the ECDSA to produce a new signcryption scheme. Since the ECDSA is the default signature algorithm in Bitcoin, Ethereum, and Hyperledger Fabric, the proposed scheme is seamlessly compliant with the blockchains. The proposed model consists of two participants of a blockchain: Alice as a sender and Bob as a recipient. Both of the participants are external actors of the blockchain and have their relative blockchain accounts and some recorded-in-block transactions. Suppose Alice and Bob, denoted as $Pseudonym_A$ and $Pseudonym_B$, respectively, with the addresses in the fields "from" or "to" in Figure 3 have their private and public key pairs $(d_A, Pub_A = d_A \times P)$ and $(d_B, Pub_B = d_B \times P)$ in the blockchain network, respectively. The main design comes from the method that generates the private key from the existing transactions signed by Bob and Alice in the blockchain. Herein, a transaction is regarded as a certificate of Alice or Bob.
Alice is connected with the blockchain, receives Bob's previous signature from a transaction stored in the blockchain, and then extracts Bob's public key $Pub_B$. The encryption key is obtained by executing $k \times Pub_B$, where $k$ is a one-time padded random number generated by Alice since Bob can extract this key by performing $d_B \times R$ when he has $R$, where $R = k \times P$. The proposed signcryption scheme consists of five phases: the setup phase, key generation phase, public-key extraction phase, signcryption phase, and unsigncryption phase.
(i) Setup phase: (1) Determine the elliptic curve $E$ in the finite field $F_q$, where $q$ is a prime number such that all the points on $E$ represent a finite group, e.g., $G$, with the prime multiplicative order $n$ and a generator $P$. For example, the ECDSA curve used in Bitcoin and Ethereum is secp256k1, which refers to the curve $E: y^2 = x^3 + 7$ [34] defined over the field $F_n^*$, while the curves ECC P256 and P384 are adopted by Hyperledger Fabric.
Actually, Bitcoin and Ethereum transactions require an extra parameter, i.e., the field "v" in Figure 3, to identify which point is correct. (4) Check if the generated node address from $Pub_B$ via equations (1) or (2) for Bitcoin or Ethereum, respectively, is equal to Bob's account address. If it is, $Pub_B$ is Bob's public key and Bob's transaction $Tx_B$ in the blockchain is also authenticated.
(iv) Signcryption phase: suppose Alice's transaction is $Tx_A = (data_A, r_A, s_A)$, where $data_A$ are composed of two parts: $data_A^1$ are public and $data_A^2$ are privacy-sensitive. Alice does the following operations to generate the signature of $Tx_A$ and the ciphertext of $data_A^2$. Note that the signature in this algorithm is designed to be verified by the designated verifier, i.e., Bob. k ∈ R Return $\omega = (data_A^1, c, r_A, s_A)$. (5)-(7) are the operations of both key agreement and encryption. Finally, Alice broadcasts the transaction $Tx_A = \omega$ into the blockchain and discards the random number $k$ and the encryption key $key$.
(v) Unsigncryption phase: upon interacting with the blockchain to obtain $Tx_A = \omega = (data_A^1, c, r_A, s_A)$, Bob verifies the validation of the signature and simultaneously decrypts the ciphertext to obtain $data_A^2$ by doing the following operations. (1) Find two points $R_A$ and $R_A'$ of the same value $r_A$ as the x-coordinate. The transaction practically involves an extra parameter, say $v$ in Figure 3, to identify $R_A$ and $R_A'$, say Check if the generated node address from $Pub_A'$ by equation (1) or (2) is equal to Alice's account address.
(2)-(4) are both key agreement and decryption operations. If (7) is true, $Pub_A'$ is Alice's public key and this transaction $Tx_A$ is also authenticated. Then, the data $data_A$ are output; otherwise, we get Reject.

Correctness of Public-Key Extraction, Encryption, and Signature.
The correctness of public key extraction in the proposed protocol is derived from the precision of the hash value of the extracted public key $h(Pub_B')$ to the address $h(Pub_B)$ indicated in the transaction on the blockchain, where $h(\cdot)$ represents equation (1) or (2). We have
The correctness of the encryption in the proposed protocol is derived from the situation $key' = key$. If it holds, $data_A^{2\prime} = data_A^2$. In the signcryption phase, Alice's encryption key is $key = H_2(k \times Pub_B, Pseudonym_A, Pseudonym_B, data_A^1)$. In addition, in the unsigncryption phase, the decryption key that Bob obtains is key we have $key = key'$, and thus $data_A^{2\prime} = c \oplus key' = (data_A^2 \oplus key) \oplus key' = data_A^2$.
The correctness of the signature in the proposed protocol is derived from the same proof as that of correctness of public-key extraction. In this way, the signature $(r_A, s_A)$ is also authenticated. Thus, the proof is omitted here.

Security Analysis
Two theorems are described in detail before the security analytics and proofs of the proposed BaaCA-based signcryption scheme are given.
with a nonnegligible probability $\varepsilon$ based on Definition 1. A challenger C is designed to take A as the subprogram to solve the ECCDHP problem based on Definition 4 with a nonnegligible probability. Challenger C is assigned an instance $\langle G, n, P, q, E, F_n^*, F_q, kP, d_B P \rangle$ and tries to compute the value $k \times d_B P \in G$.
At first, challenger C maintains four lists $L_1$, $L_2$, $L_S$, and $L_u$, respectively, corresponding to $H_1$, $H_2$, signcryption, and unsigncryption query oracles. Then, C plays the following experiment $Exp^{\text{IND-BaaCA-CCA}}_{A}$ with A. In addition, we assume that A queries oracle $H_2$ $q_2$ times and queries KeyGen $q_K$ times.
(1) Setup: C sends A $params := \langle G, n, P, q, E, F_n^*, F_q, H_1, H_2 \rangle$, which is an instance for solving the ECCDHP problem. Two hash functions $H_i(\cdot)$, $i = 1, 2$, controlled by C, are regarded as random oracles.
(2) Queries (phase 1): A makes a number of oracle queries to C and C should answer to give A some information. In the experiment, the following queries are allowed. where taken from the KeyGen queries. Unsigncryption queries: $(\omega, d_B, Pub_A)$ (a) Find two points $R$ and $R'$ with the same value $r$ as their x coordinate. The transaction practically involves an extra parameter to identify $R$ and $R'$, say $R$.
otherwise, return Reject.
(1) Challenge: after finishing phase 1, A chooses two datasets $data_{A_0}$ and $data_{A_1}$ with an arbitrary private key $d_A^*$, which are to be challenged. Here, $d_A = d_A$ with probability $(1/q_K)$. Then, C randomly chooses a bit $b \in \{0, 1\}$ for the two challenged datasets and then runs the signcryption algorithm to obtain a result $\omega^* = (data_A^{1*}, c^*, r_A^*, s_A^*)$. Finally, C sends $\omega^*$ to A.
(2) Queries (phase 2): after receiving $\omega^*$, adversary A asks a number of queries that are the same as in phase 1 but $\omega^*$ is never sent to C for unsigncryption queries.
(3) Guess: adversary A produces a bit $b'$ from $\{0, 1\}$. C ignores the bit that A produces and randomly chooses $K$, which is stored in $L_2$, as the solution for the given instance of ECCDHP problem. If A does not query oracle $H_2$, C will terminate. In contrast, if A has some advantages to produce the bit correctly, it means that the query to $H_2$ is required. Therefore, there is enough information in $L_2$ to help C obtain the correct $K$ with probability $(1/q_2)$ because A queries oracle $H_2$ $q_2$ times and only one $K$ is right. If so, $K = d_B \times R = d_B \times kP$ is the solution with probability $(\varepsilon/(q_K q_2))$ for the given instance of ECCDHP problem.
This is contradictory to our hypothesis at the beginning of the security proof.
Thus, this concludes the proof of Theorem 1. □
Theorem 2 (EU-BaaCA-CMA). The proposed BaaCA-based signcryption scheme is existentially unforgeable against an adaptively chosen message attack when the ECDLP problem is hard to resolve.
Proof. Assume there is an EU-BaaCA-CMA adversary, who wins the defined experiment $Exp^{\text{EU-BaaCA-CMA}}_{A}$ with a nonnegligible probability $\varepsilon$. We will design a challenger C to take A as its subprogram for solving the ECDLP problem with a nonnegligible probability. The instance $\langle G, n, P, q, E, F_n^*, F_q, kP \rangle$ of the ECDLP problem is given to challenger C, and C will try to compute the value $k \in F_n^*$.

Security and Communication Networks
At first, challenger C maintains five lists $L_1$, $L_2$, $L_K$, $L_S$, and $L_u$, respectively, corresponding to $H_1$, $H_2$, KeyGen, signcryption, and unsigncryption oracles. Then, C plays the following experiment $Exp^{\text{IND-BaaCA-CCA}}_{A}$ with A. In addition, we assume that A queries oracle $H_2$ $q_2$ times and queries KeyGen $q_K$ times.
(1) Setup: C sends $params := \langle G, n, P, q, E, F_n^*, F_q, H_1, H_2 \rangle$ to A, where $\langle G, n, P, q, E, F_n^*, F_q \rangle$ is an instance of the ECDLP problem. The hash functions $H_i(\cdot)$, $i = 1, 2$, controlled by C, are regarded as random oracles.
(2) Queries (phase 1): A makes a number of oracle queries to C and C should answer to give A some information. In the experiment, the following queries are allowed: , e) ∈ $L_1$ and return $e$. Case 2: $((data_A^1, data_A^2), e) \notin L_1$, choose random $e \in F_n^*$, add $((data_A^1, data_A^2), e)$ to $L_1$, and then return $e$. where taken from the KeyGen queries.
A , $c, r_A, s_A$. (5) Unsigncryption queries: $(\omega, d_B, Pub_A)$ (a) Find two points $R$ and $R'$ with the same value $r$ as their x coordinate. The transaction practically involves an extra parameter to identify $R$ and $R'$, say $R$.
otherwise, return Reject. (i) Output: after finishing phase 1, A produces the signature ), C picks the correct $K$ from $L_2$ with probability $(1/q_2)$ to recover $data_A^{2*}$. Finally, C can com- with the probability $(2\varepsilon/q_2 q_K (q_K - 1))$ to solve the ECDLP problem. This is contradictory to our hypothesis at the beginning of the security proof. Thus, this concludes the proof of Theorem 2.
Considering the strength of the keys, which is one of the primary factors of cryptographic algorithms, the security analysis of the key strength is further illustrated. There are three state-of-the-art algorithms for hard problems including integer factorization (such as RSA [35]), the discrete logarithm (such as DSA [35]), and the elliptic curve discrete logarithm (such as ECDSA). It is well known that the ECDSA achieves not only the same level of security with a smaller key size but also higher computational efficiency than those of the RSA and DSA. For example, ECC-256 (resp. ECC-224) provides comparable security to RSA-3072 (resp. RSA-2048) [36]. By employing the ECDSA over the standard elliptic curve "secp256k1," which Ethereum and Bitcoin blockchains have adopted, the proposed scheme also provides the same level of security.

Performance Analysis
In this section, the performance of the proposed BaaCA-based signcryption scheme is analyzed by comparing the computational costs with those of other related works and the experimental results of the operational costs based on the Ethereum blockchain.

Computational Cost of Signcryption.
The computational costs of the proposed scheme mainly come from two phases: the signcryption and unsigncryption phases. The operations executed in each phase are depicted in Table 2. In the signcryption phase, Alice will execute two elliptic curve scalar multiplication operations, one map-to-point hash function, and one modular inversion. In the unsigncryption phase, Bob will execute two elliptic curve scalar multiplication operations, one map-to-point hash function, and one modular inversion. It is noted that the proposed scheme does not adopt any pairing operation.
The proposed scheme is compared with several existing related works. The computational cost of primitive time-consuming cryptographic operations is adopted from [4,37] and is summarized as follows. $T_P \approx 87t_m$, $T_M \approx 29t_m$, $T_H \approx 23t_m$, $T_E \approx 21t_m$, and $T_i \approx 11.6t_m$ are the times required to execute a bilinear pairing operation, an elliptic curve scalar point multiplication, a map-to-point hash function, an exponentiation, and a modular inversion, respectively, where $t_m$ is the time required to execute a scalar multiplication in $F_n^*$. The total computational cost required in the proposed scheme is $(5T_M + 2T_i + 2T_H) = 214.2\,t_m$. Table 2 shows that the computational cost of the proposed BaaCA-based signcryption scheme is nearly 49% that of Malone-Lee [5], 57% that of Karati et al. [4], 17% that of Zhou et al. [13], 71% that of Karati et al. [16], 22% that of Rastegari et al. [17], and 88% that of ECDSA + ECC. Figure 4 shows the computational overhead during signcryption and unsigncryption among the proposed scheme and the related works.

Experimental Results Based on the Ethereum Blockchain.
To prove the computational cost of the BaaCA-based signcryption scheme compared with the ECDSA in the original transaction on the Ethereum blockchain, we implement the proposed scheme using the Python programming language and the Ethereum Ropsten Testnet environments [38]. All experiments are carried out with the following settings: (1) CPU: Intel Core i5-4440 CPU @ 3.1 GHz (quad core). Finally, the proposed scheme is executed 500 times and its average is taken as our experimental result. Figure 5 shows the computational costs of the signcryption and unsigncryption phases. We observe that the cost of the unsigncryption phase is higher than that of the signcryption phase. This is a reasonable result since unsigncryption executes one more elliptic curve scalar point multiplication operation, as shown in Table 2. Moreover, the interval among the test data size is set as 5 kB, and the ratio of the sensitive part to the public part is 1 : 4.
In addition to the computational cost, the proposed scheme is also evaluated in terms of its operational cost in real currency. In the proposed scheme, only one transaction is broadcast into the blockchain in the signcryption phase. The operational cost is estimated by calculating the total amount of gas and then converting it into the real currency. We use the Ethereum Ropsten Testnet environment [38] since it is able to automatically calculate the amount of gas of the proposed scheme. After that, the amount of gas is converted into USD according to the CoinGecko conversion table [39]. At the time of conversion, the rate was 1 gas = 0.000000001 ETH = $1.65 \times 10^{-7}$ USD. Figure 6 shows the operational costs for different amounts of data. It is observed that the cost increases when the amount of data increases. It is reasonable since more data will lead to greater amounts of gas. However, it seems useless for the result since the cost remains very low. Even if the amount of data increases to 30 kB, the cost in the real currency is still less than 0.35 USD.
That means that the proposed scheme is a suitable solution to protect transaction privacy and it only requires a small cost as a fee.

Discussion
Since the security model has been formally analyzed in Section 3, the main advantages of the proposed scheme compared with related works will be given in this section. The comparisons between the previous related works and the proposed method are given in Table 2. It is obvious that the superiority of the proposed scheme is demonstrated by achieving the following advantages:
(1) Removing the high maintenance cost of involving CAs or a TTP: without having a CA or TTP to
(2) Seamless compliance with blockchains: it is not necessary to maintain a KGC. In the proposed scheme, the signcryption scheme can exploit the ECDSA private/public keys without any modification of blockchains. Furthermore, the encryption key used for confidentiality is deduced under the Diffie-Hellman key exchange [40] such that both the prover and the verifier can obtain an identical secret key. In the signcryption phase, Alice's transaction is $Tx_A = (data_A, r_A, s_A)$, where $data_A$ are composed of public $data_A^1$ and privacy-sensitive $data_A^2$. The field "input" in Figure 3, which could be an arbitrary message, can be treated as a privacy-sensitive message while the rest of the fields are treated as public information. Precisely, the "input" field is the ciphertext instead (not the plaintext) in the proposed BaaCA-based scheme. This implies that Alice performs the regular operations of generating a common transaction of blockchains except for the additional encryption-related operations. In this way, the implementation of the proposed scheme affects the "input" field, and so the impact must be minimized.
Figure 4: Performance comparisons among the proposed and the related signcryption schemes in terms of signcryption, unsigncryption, and total costs.
Furthermore, the revisited applicability of the proposed scheme achieves the following advantages:
(1) Preserving transaction confidentiality: the proposed scheme lowers the payload for only encrypting the privacy-sensitive part such that the other part of a transaction may remain as plaintext. Thus, the scheme is compliant with the design of blockchains and protects transaction confidentiality at the same time.
(2) Reducing computational and communication costs: as we know, a signcryption scheme is proven to achieve lower computational and communication costs [1]. Thus, the proposed blockchain-compliant signcryption scheme benefits from the advantages of confidentiality, integrity, and nonrepudiation simultaneously.
(3) Designated recipient: the proposed signcryption scheme sets a designated recipient. When trying to verify signature $(r_A, s_A)$, a recipient must check whether $Pub_A'$ is equal to $r_A^{-1} \times (s_A R_A - e' P)$. Without knowing $e'$, the recipient cannot accomplish this task. Via Theorem 1, attackers have no feasible way to deduce the decryption key to compute $data_A^{2\prime}$ and then obtain $e' = H_1(data_A^1, data_A^{2\prime})$. Thus, the verification of $(r_A, s_A)$ must be performed by the designated verifier. Alternatively, if $e' = H_1(data_A^1, c)$ in the signcryption phase, every participant involved in the blockchain can be the verifier.
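The signcryption and unsigncryption phases, together with the designated-recipient property of item (3), can be exercised end to end with the added Python example below; it is not the authors' implementation. Assumptions: signing uses the standard ECDSA equation $s = k^{-1}(e + r d_A) \bmod n$, which is what the extraction formula $r_A^{-1} \times (s_A R_A - e' P)$ inverts; $H_1$ and $H_2$ are instantiated with SHA-256 and SHAKE-256; the address function is a SHA-256 stand-in for equations (1)/(2); all keys and messages are constructed samples.

```python
import hashlib
import secrets

# secp256k1 domain parameters (the curve the paper names for Bitcoin and Ethereum).
Q = 2**256 - 2**32 - 977  # field prime q
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # prime order n of P
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator P

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % Q == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if a == b else (y2 - y1, x2 - x1)
    lam = num * pow(den % Q, -1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return (x3, (lam * (x1 - x3) - y1) % Q)

def mul(k, pt):  # double-and-add; not constant-time, illustration only
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def address(pub):  # ASSUMPTION: SHA-256 stand-in for the paper's address equations (1)/(2)
    return hashlib.sha256(enc(pub)).digest()[-20:]

def h1(data1, data2):  # ASSUMPTION: H_1 as SHA-256; length prefix separates the two parts
    d = hashlib.sha256(len(data1).to_bytes(4, "big") + data1 + data2).digest()
    return int.from_bytes(d, "big") % N

def h2(shared, pseud_a, pseud_b, data1, length):  # ASSUMPTION: H_2 as SHAKE-256 keystream
    return hashlib.shake_256(enc(shared) + pseud_a + pseud_b + data1).digest(length)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ecdsa_sign(d, e):  # standard ECDSA on digest e; also returns nonce k and parity bit v
    while True:
        k = secrets.randbelow(N - 1) + 1
        R = mul(k, P)
        s = pow(k, -1, N) * (e + R[0] * d) % N
        if 0 < R[0] < N and s:
            return k, R[0], s, R[1] & 1

def lift_x(r, v):  # rebuild R from x-coordinate r; v selects between R and R'
    y2 = (pow(r, 3, Q) + 7) % Q
    y = pow(y2, (Q + 1) // 4, Q)
    return (r, y if (y & 1) == v else Q - y) if y * y % Q == y2 else None

def recover_pub(e, r, s, v):  # Pub' = r^-1 * (s*R - e*P), the paper's extraction formula
    R = lift_x(r, v)
    return None if R is None else mul(pow(r, -1, N), add(mul(s, R), mul(-e, P)))

def signcrypt(d_a, pub_b, data1, data2):
    pseud_a, pseud_b = address(mul(d_a, P)), address(pub_b)
    k, r, s, v = ecdsa_sign(d_a, h1(data1, data2))  # e = H_1(data1, data2)
    key = h2(mul(k, pub_b), pseud_a, pseud_b, data1, len(data2))  # from K = k * Pub_B
    return {"from": pseud_a, "to": pseud_b, "data1": data1,
            "c": xor(data2, key), "r": r, "s": s, "v": v}

def unsigncrypt(d_b, tx):
    R = lift_x(tx["r"], tx["v"])
    if R is None:
        return None
    key = h2(mul(d_b, R), tx["from"], tx["to"], tx["data1"], len(tx["c"]))  # K' = d_B * R
    data2 = xor(tx["c"], key)
    pub_a = recover_pub(h1(tx["data1"], data2), tx["r"], tx["s"], tx["v"])
    ok = pub_a is not None and address(pub_a) == tx["from"]
    return data2 if ok else None  # None stands for Reject

def observer_accepts(tx):  # a third party sees only c, so it can hash only (data1, c)
    pub = recover_pub(h1(tx["data1"], tx["c"]), tx["r"], tx["s"], tx["v"])
    return pub is not None and address(pub) == tx["from"]

def demo():
    d_a, d_b = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    # PKExtract: Alice recovers Pub_B from an earlier transaction Bob signed (constructed).
    e_b = h1(b"to=0xfeed value=1", b"")
    pub_b = recover_pub(e_b, *ecdsa_sign(d_b, e_b)[1:])
    tx = signcrypt(d_a, pub_b, b"invoice #17", b"amount=4200;iban=CONSTRUCTED")
    tampered = dict(tx, c=xor(tx["c"], b"\x01" + bytes(len(tx["c"]) - 1)))
    return {"pub_b_matches": pub_b == mul(d_b, P), "bob_plaintext": unsigncrypt(d_b, tx),
            "tampered": unsigncrypt(d_b, tampered), "observer_accepts": observer_accepts(tx)}

if __name__ == "__main__":
    print(demo())
```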

Conclusions
As mentioned above, the cryptographic advantages of a blockchain are similar to those of a certificate chain such as providing public verification and being tamper-proof. The main difference is that the blockchain is a decentralized trust mechanism requiring no trusted third party; however, the certificate chain is a centralized trust mechanism with a series of trusted third parties. Because of the success of Bitcoin and Ethereum along with the promising blockchain technologies, it is possible and feasible to combine blockchain technologies with signcryption. Thus, the concept of blockchain as a CA proposed in this paper aims to skillfully leverage the blockchain and achieves the following advantages: (1) it removes the need to involve CAs or a TTP, (2) it seamlessly complies with blockchains, and (3) it preserves transaction privacy.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this article.