Privacy-Preserving Scheme in the Blockchain Based on Group Signature with Multiple Managers

College of Computer Science and Technology, Chongqing University of Posts and Telecommunications, Chongqing 400065, China
School of Cyber Security and Information Law, Chongqing University of Posts and Telecommunications, Chongqing 400065, China
School of Software Engineering, Chongqing University of Posts and Telecommunications, Chongqing 400065, China
School of Information Engineering, Chongqing Electromechanical Vocational and Technical University, Chongqing 402760, China


Introduction
Blockchain is the core technology of the system described in [1]. Blockchain has the characteristics of anonymity, tamper resistance, decentralization, unforgeability, and traceability, and so it has attracted extensive attention. Moreover, the transaction content on the blockchain is transparent, so all consensus nodes in the blockchain can verify and record a transaction. However, it is precisely this transparency of the blockchain ledger that has brought about the problem of user privacy leakage. Research shows that, through extensive analysis of these transparent data, it is possible to design a deanonymization scheme, which leads to the leakage of user privacy. In practical applications, users do not want their transaction information to be placed on the blockchain in a transparent manner. Therefore, how to solve the privacy problem of users on the blockchain is an important challenge.

Privacy Preservation.
The problem that cannot be ignored in blockchain technology is privacy leakage [2]. The privacy preservation of the blockchain includes the anonymity of users and the confidentiality of the content. Privacy-preserving schemes for the blockchain are implemented mainly on the basis of the following three technologies.
(1) Shuffling technology: the purpose of shuffling is to disrupt the correspondence between inputs and outputs so that other users do not learn the identity of the transacting user, thereby making transactions untraceable. In 1981, Chaum [3] proposed the concept of a shuffling network, but the shuffling protocol requires the participation of a trusted authority. Subsequently, in 2014, Bonneau et al. [4] proposed Mixcoin, a mixing mechanism with a trusted authority. As long as one of the nodes is honest, the privacy of the scheme can be guaranteed.
During the same period, Maxwell [5] proposed the decentralized shuffling protocol named Coinjoin. It places the transactions of multiple users in one Bitcoin transaction so that others do not know the relationship between the multiple input addresses and the outputs. After that, researchers also proposed CoinShuffle [6] and CoinShuffle++ [7] based on the scheme in [5].
(2) Zero-knowledge proof: in order to provide better anonymity, Miers et al. [8] proposed Zerocoin, an anonymous digital currency scheme based on zero-knowledge proofs. Their scheme ensures the unlinkability of a transaction by hiding the user's address and cutting the link between the two parties of the transaction. Subsequently, in 2014, Ben-Sasson et al. [9] proposed a new digital currency scheme, Zerocash, which uses a more concise, noninteractive zero-knowledge proof.
(3) Ring signature: the purpose of a ring signature is to hide the real transaction in a collection so that other users do not know the identity of the actual participants. In 2016, Shen and Adam [10] proposed a blockchain confidential transaction scheme based on ring signatures. In their scheme, they randomly selected unrelated addresses and then produced a ring signature together with the transacting party, in order to obscure the identity of the transacting party. At present, ring signatures are widely used in the blockchain, for example in Monero [11].

Group Signatures.
Group signature is a kind of privacy-preserving authentication scheme which was introduced by Chaum and Van Heyst [12] in 1991. It is widely used in privacy-preserving authentication because of its anonymity. In 2007, Guo et al. [13] proposed a conditional privacy-preserving authentication security framework based on the group signature for vehicular communication networks. Guo et al. noted that a security authentication scheme using a group signature can satisfy message integrity, privacy, and traceability. Park et al. [14] proposed RSU-based distributed key management in 2011 to manage group keys, dividing the entire VANET into several subareas, each managed by the group manager of that area. In addition to being a management entity, the RSU is also responsible for managing part of the group key in a distributed manner. In 2012, Sun et al. [15] designed a distributed key management scheme which divides the entire domain of the VANET into several subareas. At the same time, each regional group manager provides distributed key management services for vehicles. This scheme restricts authorization to specific areas and is continuous in time, but the anonymous nature of the group signature makes it possible for malicious users to broadcast forged messages. In 2017, Islam et al. [16] proposed an efficient password-based conditional privacy-preserving authentication and group key generation protocol for VANETs that provides group key generation, user leave, user join, and password change features. Since the scheme is free of bilinear pairings, it is lightweight in terms of computation and communication. In 2018, Cui et al. [17] proposed a conditional privacy-preserving authentication scheme based on the hash function, which avoids the complex bilinear maps and elliptic curve encryption that would reduce authentication efficiency.
At the same time, a group key agreement mechanism based on the Chinese remainder theorem (CRT) is proposed to distribute the group key to authenticated vehicles. When vehicles join or leave the group, the group key can be updated. In addition, researchers have studied identity-based group signature schemes following Shamir's concept [18]. An identity-based group signature is a combination of an identity-based signature [19] and a group signature [12]. Thus, it has the advantages of both types of signature. Many schemes have been proposed so far. For example, Cheng et al. [20] constructed an identity-based group signature scheme using bilinear pairings. Zhang and Ye [21] proposed an identity-based threshold group signature based on the discrete logarithm problem. Ma [22] gave a generic construction of the identity-based group signature. Pulagara and Alphonse [23] proposed an identity-based conditional privacy-preserving authentication method based on elliptic curve cryptography together with a group key management scheme. Any vehicle joining or leaving the group causes the group key to be modified, ensuring forward security and backward security.

Our Motivation and Contributions.
Group signature can not only protect the privacy of transaction participants but also resolve transaction disputes: in the event of a dispute, the group manager can open the signature and reveal the true identity of the transaction participants. Thus, group signature has application value in the blockchain. Generally speaking, however, the group manager in a group signature scheme is a single authority, so the group signature suffers from a single point of failure and the key escrow problem. Therefore, in order to solve the above problems, we propose a privacy-preserving scheme in the blockchain based on a group signature with multiple managers. We use a multiauthority key distribution mechanism to implement the identity-based group signature so that the key generation of group members no longer depends on a single authority. Our scheme not only realizes the privacy preservation of group members but also solves the single point of failure and key escrow problems. In addition, we apply our scheme specifically to the field of blockchain-based provable data possession. Under the multicloud architecture, our scheme realizes anonymous authentication of the cloud server, which protects the privacy of the cloud service provider while providing PDP authentication. When the PDP verification fails, the data owner can apply to find the real signer, protecting the interests of the data owner.

Paper Organization.
The rest of the paper is organized as follows. Section 2 introduces some preliminaries, including bilinear pairings, blockchain, and definitions. Section 3 presents the multimanager group signature scheme. Section 4 analyzes the security of the proposed scheme. Section 5 gives an application of our scheme. Finally, Section 6 concludes the paper.

Bilinear Pairings.
Let $G_1$ and $G_2$ be two cyclic additive groups whose orders are the same prime $p$. Let $e: G_1 \times G_1 \to G_2$ be a bilinear pairing with the following properties:
(1) Bilinearity: for any $a, b \in \mathbb{Z}_p$ and $R, S \in G_1$, the equation $e(R^a, S^b) = e(R, S)^{ab}$ holds.
(2) Nondegeneracy: there exist $R, S \in G_1$ such that $e(R, S) \neq 1_{G_2}$.
(3) Computability: there is an efficient algorithm to compute the value of $e(R, S)$ for any $R, S \in G_1$.

Blockchain.
Blockchain is the underlying technology of Bitcoin [1], and it is essentially a distributed database. The blockchain adopts a linked-list data structure. A block is composed of the block head and the block body, and all blocks form a chain according to their hash values. Blockchain is a very new network form which uses cryptography, hash functions, and proof of work (PoW). The miners package the legitimate transactions into the "Merkle tree" of the candidate block, fill the hash of the previous block into the new block header, and finally run the consensus mechanism to find the random value suitable for the new block. In summary, each block head in the blockchain contains the hash value of the previous block (Pre Hash), the timestamp indicating when the block was generated (Timestamp), the hash of the root of the "Merkle tree" (Hash Root), and the random value (Nonce). The basic structure is shown in Figure 1. With the rapid development of the blockchain, it is also used in many other fields, such as the smart grid [24], IoT [25], anonymous authentication [26], and electronic health records [27].
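As an added illustration of the block structure just described (example code written for this page, not from the paper): each block head carries Pre Hash, Timestamp, Hash Root and Nonce; mining searches for a Nonce that makes the head hash meet a toy difficulty target; verification recomputes the Merkle root from the body, rechecks the proof of work, and follows the hash link to the previous block. The transactions, timestamps, and the "leading zero hex digits" difficulty rule are all constructed for the example.

```python
import hashlib
import json


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def merkle_root(transactions):
    """Root of a binary Merkle tree over the transactions; an odd level duplicates its last node."""
    if not transactions:
        return sha256(b"")
    level = [sha256(tx.encode()) for tx in transactions]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256((level[i] + level[i + 1]).encode()) for i in range(0, len(level), 2)]
    return level[0]


def header_hash(header):
    """Hash of the block head (Pre Hash, Timestamp, Hash Root, Nonce) in a canonical serialisation."""
    return sha256(json.dumps(header, sort_keys=True).encode())


def mine_block(prev_hash, transactions, difficulty, timestamp):
    """Proof of work: find a Nonce such that the head hash starts with `difficulty` zero hex digits."""
    header = {"pre_hash": prev_hash, "timestamp": timestamp,
              "hash_root": merkle_root(transactions), "nonce": 0}
    while not header_hash(header).startswith("0" * difficulty):
        header["nonce"] += 1
    return {"head": header, "body": list(transactions)}


def verify_chain(chain, difficulty):
    """A node's check: Merkle root matches the body, PoW holds, and Pre Hash links to the previous head."""
    for i, block in enumerate(chain):
        head = block["head"]
        if head["hash_root"] != merkle_root(block["body"]):
            return False
        if not header_hash(head).startswith("0" * difficulty):
            return False
        expected_prev = "0" * 64 if i == 0 else header_hash(chain[i - 1]["head"])
        if head["pre_hash"] != expected_prev:
            return False
    return True


def build_demo_chain(difficulty=2):
    # Constructed sample transactions; fixed timestamps keep the run reproducible.
    bodies = [["alice->bob:5", "bob->carol:2"],
              ["carol->dave:1"],
              ["dave->alice:3", "alice->carol:1", "bob->dave:2"]]
    chain, prev = [], "0" * 64
    for i, body in enumerate(bodies):
        block = mine_block(prev, body, difficulty, timestamp=1_600_000_000 + i)
        chain.append(block)
        prev = header_hash(block["head"])
    return chain


if __name__ == "__main__":
    demo = build_demo_chain()
    print("chain valid:", verify_chain(demo, 2))
    demo[1]["body"][0] = "carol->dave:100"  # tamper with a stored transaction
    print("after tampering:", verify_chain(demo, 2))
```

Changing any transaction alters the Merkle root, which invalidates that block's head hash and, through Pre Hash, every later block, which is what the paper means by tamper resistance.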

Provable Data Possession.
Storage services are an important part of the cloud computing field. Users store their data on cloud servers, which provides a convenient method of data sharing. However, data stored on a cloud server may be damaged by external or internal security threats. To address this, the first provable data possession (PDP) scheme was proposed by Ateniese et al. [28] in 2007. It enables users to learn whether the files stored on cloud servers are intact. Since then, researchers have proposed other PDP schemes and variants based on Ateniese's work, such as [29][30][31].
A provable data possession scheme involves two different entities, the client and the cloud server, and its protocol is a collection of four polynomial-time algorithms (KeyGen, TagBlock, GenProof, and CheckProof) such that
(1) $\mathrm{KeyGen}(1^k) \to (pk, sk)$ is a probabilistic key generation algorithm run by the client. It takes a security parameter $k$ as input and returns a pair of public and secret keys $(pk, sk)$.
(2) $\mathrm{TagBlock}(pk, sk, m) \to T_m$ is an algorithm run by the client. It takes as inputs a public key $pk$, a secret key $sk$, and a file block $m$ and returns the verification metadata $T_m$.
(3) $\mathrm{GenProof}(pk, F, chal, \Sigma) \to P$ is run by the cloud server in order to generate a proof of possession. It takes as inputs a public key $pk$, an ordered collection $F$ of blocks, a challenge $chal$, and an ordered collection $\Sigma$ of the verification metadata corresponding to the blocks in $F$ and returns a proof of possession $P$.
(4) $\mathrm{CheckProof}(pk, sk, chal, P) \to 1/0$ is run by the client. It takes as inputs a public key $pk$, a secret key $sk$, a challenge $chal$, and a proof of possession $P$ and returns a bit indicating whether the verification passed.

Group Signatures without a Trusted Party.
Traditional group signature is limited in some respects. For example, downtime of the group manager may lead to the collapse of the whole group, and an untrusted group manager may mean that the anonymity of group members cannot be guaranteed. Thus, we present the system model of the multimanager group signature, which changes the group manager from a single trusted party to multiple trusted parties and realizes the distributed generation of each group member's private key. Our scheme includes two kinds of entities: the group manager and the group members.
(1) Group manager: an entity consisting of multiple authorities. Its main functions are to distribute the private keys of the group members who join this group and to identify the signer accurately when a group signature needs to be opened.
(2) Group member: an entity that has its own public key and a private key distributed by the group manager. It can sign messages anonymously on behalf of the entire group.

Definitions.
We give the formal definition of the multimanager group signature scheme. Subsequently, we present the security requirements that our scheme needs to meet. Our scheme consists of six algorithms: Setup, Extract, Join, Sign, Verify, and Open. The following is a detailed formal description of the six algorithms:
(1) $\mathrm{Setup}(1^\lambda) \to (params, F_{ID}, A_{ID}, mpk, msk)$: it takes a security parameter $\lambda$ as input and returns the public parameters $params$, each authority's public and private key pair $(F_{ID}, A_{ID})$, and the system's master public and secret key pair $(mpk, msk)$.
(2) $\mathrm{Extract}(msk, id) \to (pk, sk, sk_{id})$: it takes as inputs the master secret key $msk$ and a group member's identity $id$ and returns the group member's public key $pk$ and two secret keys $(sk, sk_{id})$.
(3) $\mathrm{Join}(pk, id, sk_{id}) \to cert_{id}$: it takes as inputs a group member's public key $pk$, identity $id$, and one private key $sk_{id}$ and returns a member certificate $cert_{id}$.
(4) $\mathrm{Sign}(m, sk) \to \sigma$: it takes as inputs a message $m$ and one secret key $sk$ and returns a group signature $\sigma$.
(5) $\mathrm{Verify}(pk, \sigma, m) \to 1/0$: it takes as inputs a group member's public key $pk$, a group signature $\sigma$, and a message $m$ and returns whether $\sigma$ is a correct signature on the message.
(6) $\mathrm{Open}(msk, cert_{id}, \sigma) \to id$: it takes as inputs the master secret key $msk$, a member certificate $cert_{id}$, and a group signature $\sigma$ and returns the group member's identity $id$.

Security Requirements.
A practical multimanager group signature scheme must satisfy the following security requirements:
(1) Correctness: the scheme must be able to complete verification of a signature. In other words, when a signature is correctly generated, it must pass verification.
(2) Unforgeability: a user who has not registered with the group manager cannot forge a correct group signature even if it obtains the public parameters. In short, anyone who is not a member of this group cannot forge a group signature.
(3) Anonymity: no matter how many times a group member signs, an outsider cannot learn who signed. Within the group, the anonymity of group members is also guaranteed, except that the group manager can determine the signer's membership.
(4) Collusion attack prevention: if some authorities in the system collude to leak the data and keys of group members, the group members may suffer huge losses, but our scheme prevents this unless the number of colluding authorities exceeds the threshold.

Multimanager Group Signature Scheme
In this section, we present the multimanager ID-based group signature scheme from bilinear pairings. Our scheme consists of six algorithms: Setup, Extract, Join, Sign, Verify, and Open. The detailed description is given below.

Setup.
The setup algorithm consists of two phases.

System Setup.
Let $G$ and $G_T$ be two groups with the same large prime order $p$, and define a bilinear map $e: G \times G \to G_T$. Let $g$ be a generator of $G$. Define the cryptographic hash functions $H_0: \{0,1\}^* \to G$ and $H_1: \{0,1\}^* \to \mathbb{Z}_p^*$. The system server assigns a different identity $ID_i$ to each authority, defines the number of authorities as $n$, and sets the threshold for key generation to $t$. Finally, it publishes the parameters
$$params = (G, G_T, p, g, e, H_0, H_1, n, t, ID_i). \quad (1)$$

Authority Setup.
Each authority $ID_i$ randomly selects $c_i \in \mathbb{Z}_p^*$, computes $C_i = g^{c_i}$, and sends $C_i$ to the other authorities. After all authorities have received every $C_i$, they compute $h = \prod_{i=1}^{n} C_i$ and publish it. Each authority then randomly selects two polynomials of degree $t-1$ over $\mathbb{Z}_p^*$. After that, each authority calculates and broadcasts $B_{ik} = g^{a_{ik}} h^{b_{ik}}$, where $k = 0, 1, \ldots, n-1$. Each authority $ID_i$ uses the identities of the other authorities to calculate the secret values $s_{ij}$, $j = 1, 2, \ldots, n$, and sends $s_{ij}$ to $ID_j$ for every $j \neq i$. When an authority receives a secret value, it verifies whether the verification equation holds. If it holds, $ID_i$ considers $ID_j$ to be honest; otherwise, $ID_i$ requires $ID_j$ to resend the secret value. After authority $ID_i$ has received the secret values $s_{ji}$ ($j = 1, \ldots, i-1, i+1, \ldots, n$) from the other $n-1$ authorities, it generates its own secret value $F_{ID_i} = \sum_{j=1}^{n} s_{ji}$ and sets its private key to $F_{ID_i}$. Correspondingly, the public key of $ID_i$ is $A_{ID_i} = g^{F_{ID_i}}$. Then, the system server generates the system main public key $y$ from the public keys of all authorities, where $s$ is the main private key. Ultimately, both the main public key $y$ and the public keys $A_{ID_i}$ are public. In the group signature scheme, all authorities work together to act as the group manager (GM).

Extract.
Firstly, the user chooses a random value $x \in \mathbb{Z}_p^*$ for signing, calculates the public key $y_1 = g^x$, and sends $(y_1, id)$ to the GM. Secondly, the user applies to the GM for the secret key. The user with identity $id_i$ applies to authority $ID_j$ to join the system, and $ID_j$ returns the authorization information $S_{ij} = H_0(id_i)^{F_{ID_j}}$. After that, $id_i$ sends $S_{ij}$ to the other authorities $ID_k$, where $k \in S$, $S \subset [1, N]$, $|S| = t$. Then, $ID_k$ verifies whether the equation $e(S_{ij}, g) = e(H_0(id_i), A_{ID_j})$ holds. If it holds, $ID_k$ sends the partial secret key $S_{ik} = H_0(id_i)^{F_{ID_k}}$ to $id_i$. When $id_i$ receives the partial key from $ID_k$, it verifies whether the equation $e(S_{ik}, g) = e(H_0(id_i), A_{ID_k})$ holds. After $id_i$ has received and verified $T$ partial secret keys from the authorities $ID_k$, it calculates its own secret key $sk_{id_i}$, which is used for opening. Finally, the user holds two secret keys $(x, sk_{id})$.
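The authority setup and extract phases above, worked through as an added example (this is illustration code written for this page, not the paper's implementation or parameters). It runs the Pedersen-style share exchange in a toy Schnorr group: the order-$Q$ subgroup of $\mathbb{Z}_P^*$ with $Q = 1019$ and $P = 2Q + 1 = 2039$, which stands in for $G$ and $p$ (chosen small so the run is instant; these are assumptions, not the paper's values). Further assumptions: each degree $t-1$ polynomial has $t$ coefficients, so the commitments are $B_{ik}$ for $k = 0, \ldots, t-1$; the authority identities $ID_i$ are the integers $1, \ldots, 5$ used as evaluation points; $H_0$ is replaced by a squared SHA-256 value; and $t$ partial keys $S_{ik} = H_0(id_i)^{F_{ID_k}}$ are combined by Lagrange interpolation in the exponent. The pairing checks such as $e(S_{ij}, g) = e(H_0(id_i), A_{ID_j})$ are not reproduced, because a plain Schnorr group has no pairing; the example instead checks that the combined key equals $H_0(id)^s$ and that $y = g^s$ is recoverable from any $t$ authority public keys.

```python
import hashlib
import random

# Toy Schnorr group, constructed for this example (not the paper's parameters):
# P = 2*Q + 1 with P, Q prime; G is the order-Q subgroup of Z_P^*, generated by g = 4.
P, Q, g = 2039, 1019, 4


def h0(identity: str) -> int:
    """Stand-in for H0: {0,1}* -> G (an assumption). Squaring a hash value lands it in the order-Q subgroup."""
    d = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return pow(d % (P - 1) + 1, 2, P)


def poly_eval(coeffs, x):
    """Evaluate sum_k coeffs[k] * x^k over Z_Q."""
    return sum(ck * pow(x, k, Q) for k, ck in enumerate(coeffs)) % Q


def lagrange_at_zero(xs):
    """Coefficients lambda_j with f(0) = sum_j lambda_j * f(x_j) for any f of degree < len(xs)."""
    lams = []
    for j, xj in enumerate(xs):
        num = den = 1
        for m, xm in enumerate(xs):
            if m != j:
                num = num * (-xm) % Q
                den = den * (xj - xm) % Q
        lams.append(num * pow(den, -1, Q) % Q)
    return lams


def verify_share(B_i, h, idj, s, s_prime):
    """Pedersen check on a received share: g^s * h^s' == prod_k B_ik^(ID_j^k)."""
    rhs = 1
    for k, Bik in enumerate(B_i):
        rhs = rhs * pow(Bik, pow(idj, k, Q), P) % P
    return pow(g, s, P) * pow(h, s_prime, P) % P == rhs


def authority_setup(ids, t, rng):
    """Distributed generation of each authority's private key F_ID_i and public key A_ID_i."""
    n = len(ids)
    # Each authority publishes C_i = g^{c_i}; everyone computes h = prod C_i.
    C = [pow(g, rng.randrange(1, Q), P) for _ in ids]
    h = 1
    for Ci in C:
        h = h * Ci % P
    # Each authority picks two degree-(t-1) polynomials a_i, b_i and commits B_ik = g^{a_ik} h^{b_ik}.
    a = [[rng.randrange(Q) for _ in range(t)] for _ in range(n)]
    b = [[rng.randrange(Q) for _ in range(t)] for _ in range(n)]
    B = [[pow(g, a[i][k], P) * pow(h, b[i][k], P) % P for k in range(t)] for i in range(n)]
    # Authority i sends s_ij = (a_i(ID_j), b_i(ID_j)) to authority j, who verifies it against
    # the broadcast B_i and sums the accepted shares into its private key F_ID_j.
    F = []
    for idj in ids:
        acc = 0
        for i in range(n):
            s, s_prime = poly_eval(a[i], idj), poly_eval(b[i], idj)
            if not verify_share(B[i], h, idj, s, s_prime):
                raise ValueError(f"bad share from authority {ids[i]} to {idj}")
            acc = (acc + s) % Q
        F.append(acc)
    A = [pow(g, Fi, P) for Fi in F]
    # The main private key s = sum_i a_i(0) is never assembled by any party in the protocol;
    # it is returned here only so the caller can check the threshold property.
    s = sum(ai[0] for ai in a) % Q
    return F, A, s


def main_public_key(ids, A, subset):
    """y = g^s, recovered from any t authority public keys by interpolating in the exponent."""
    lams = lagrange_at_zero([ids[j] for j in subset])
    y = 1
    for lam, j in zip(lams, subset):
        y = y * pow(A[j], lam, P) % P
    return y


def extract(ids, F, identity, subset):
    """Extract: combine t partial keys S_ik = H0(id)^{F_ID_k} into sk_id = H0(id)^s."""
    partial = {k: pow(h0(identity), F[k], P) for k in subset}
    lams = lagrange_at_zero([ids[k] for k in subset])
    sk = 1
    for lam, k in zip(lams, subset):
        sk = sk * pow(partial[k], lam, P) % P
    return sk


def demo():
    rng = random.Random(7)  # fixed seed so the run is reproducible
    ids, t = [1, 2, 3, 4, 5], 3
    F, A, s = authority_setup(ids, t, rng)
    y = main_public_key(ids, A, [0, 2, 4])          # any t of the n authorities
    sk = extract(ids, F, "member-42", [1, 3, 4])   # a different t-subset
    return y == pow(g, s, P), sk == pow(h0("member-42"), s, P)


if __name__ == "__main__":
    print("y == g^s, sk_id == H0(id)^s:", demo())
```

The two booleans returned by `demo()` are the properties the paper relies on: fewer than $t$ colluding authorities hold fewer than $t$ points of a degree $t-1$ polynomial and so learn nothing about $s$ or $sk_{id}$, while any $t$ honest authorities suffice, which is what removes the single point of failure.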

Join.
When a user wants to join this group, it chooses a random value $d \in \mathbb{Z}_p^*$, calculates $g^d$ and $g^{xd}$, and sends $(y_1, g^d, g^{xd}, id, sk_{id})$ to the GM. The GM verifies whether the equation
$$e(g^{xd}, g) = e(y_1, g^d) \quad (6)$$
holds. If the equation holds, the user becomes a member of this group; otherwise, the user fails to join. The pair $(g^{xd}, sk_{id})$ is recorded by the GM as the member certificate of the user.

Sign.
Firstly, the user confirms that it needs to sign the message $m \in \{0,1\}^r$ and chooses an integer $k \in \mathbb{Z}_p^*$. Secondly, the user calculates the signature components $u$, $v$, $r$, and $w$. Finally, the signature on the message $m$ is $(u, v, r, w)$.

Verify.
After receiving the signature, the verifier can verify the correctness of the signature based on public information.
Firstly, the verifier computes $h_1' = H_1(m \,\|\, u + v + r)$ and checks whether it equals $h_1$; it then verifies whether the equation $e(w, g) = e(g^{h_1'}, u)\, e(r, y_1)$ holds. If it holds, output 1; otherwise, output 0.

Open.
If there is a problem with the signature and the verifier wants to know who the signer is, then t managers can cooperate to track the identity of the signer.
$$e(g^{xd}, g) = e(y_1, g^d),$$

Security Analysis
In this section, we analyze the security of our multimanager group signature scheme.

Correctness
Theorem 1. If $e(w, g) = e(g^{h_1'}, u)\, e(r, y_1)$ holds, the signature is valid. The correctness can be proved by the following equation.
Proof.
$$\begin{aligned}
e(w, g) &= e\left(y_1^{k h_1 d} r^x, g\right) \\
&= e\left(y_1^{k h_1 d}, g\right) e\left(r^x, g\right) \\
&= e\left(g^{x k h_1 d}, g\right) e\left(r, g^x\right) \\
&= e\left(g^{h_1}, g^{xkd}\right) e\left(r, y_1\right) \\
&= e\left(g^{h_1}, u\right) e\left(r, y_1\right) \\
&= e\left(g^{h_1'}, u\right) e\left(r, y_1\right).
\end{aligned}$$
□

Unforgeability.
Because part of the user's key is generated by multiple authorities, checking that part of the key also requires multiple authorities. In other words, if the user is not a member of this group, it is impossible to forge this part of the key. Furthermore, due to the hardness of the discrete logarithm problem, neither an invalid user nor the group manager can recover the secret key from a valid user's public key. Therefore, a user who does not belong to the group cannot forge signatures, and the group manager cannot forge a legitimate signature either.

Anonymity.
No information about the identity of the signer can be recovered from the group signature $(u, v, r, w)$. In our scheme, every element of the group signature is generated by modular exponentiation, so the identity of a group member cannot be determined from the group signature. At the same time, during signature generation the group manager cannot learn who signed the message unless it performs the Open operation, which finds the signer by traversing the member certificates.

Collusion Attack Prevention.
Our scheme can resist two kinds of collusion attack. In the first, multiple group members try to disclose the key of another member. In the second, the group manager divulges a group member's key. For the first case, due to the hardness of the discrete logarithm problem, even if other group members can discover who generated the group signature, they cannot obtain any information about the signer's key. For the second case, because the user's secret key is generated by the distributed key generation algorithm, no single authority knows the user's full key.
In this paper, at least $T$ authorities are needed to recover the user's secret key, so the scheme resists collusion among fewer than $T$ authorities in protecting the key.

Application to PDP
This section takes the PDP scheme as an example application of the multimanager group signature scheme. A PDP scheme is divided into two phases: data upload and verification. It is a collection of four algorithms (KeyGen, TagBlock, GenProof, and CheckProof). Among them, KeyGen generates the public key and private key of the data owner, and TagBlock preprocesses the data to be stored; both belong to the data upload phase. Naturally, GenProof and CheckProof belong to the verification phase; their function is to generate the proof and to verify it. Next, we integrate our scheme with PDP and the blockchain.
With the rapid development of internet media, a large amount of original content such as text, pictures, audio, and video has been produced, and a large number of copyright certificates are needed. Especially for enterprise users, cloud storage is an effective way to protect digital rights. In this setting, cloud service providers or third-party depositories provide PDP certification. However, in some cases the data owner lacks the original identification of the data's copyright and is very likely to upload secondarily processed, infringing works to cloud storage. If cloud service providers or third-party depositories provide PDP certification for such data, it becomes fixed evidence of infringement against the data owner. Given the business relationship between cloud service providers and enterprise users, a cloud service provider may not want the data owner to know that it was the one that supplied the infringement proof, and would rather have its privacy protected, since it did not intend to provide infringement certificates. In this way, the cloud service provider can maintain its trust relationship with enterprise users. In this scenario, PDP services can be provided by a third-party depository integrating multiple cloud servers, and the cloud storage of multiple service providers can form a blockchain to solve the privacy problem, instead of a single service provider providing PDP certification. Multiple cloud service providers provide PDP certification to data owners through the group signature, and key distribution depends on the group manager. This effectively avoids the privacy problem that arises when a single organization provides PDP certification to the data owner. The PDP model based on multiple authorities, identity, and the blockchain is shown in Figure 2.
(1) Register: the multiple cloud service providers form a blockchain consortium chain, register with the group manager, and apply for keys.
(2) Data upload: the data owner uploads data to the multicloud consortium chain, which runs the storage algorithm of the PDP scheme and saves the data on cloud storage.
(3) Integrity verification: the data owner or another third-party organization runs the challenge algorithm of the PDP scheme against the cloud server, and the cloud server runs the PDP proof algorithm and returns the proof. The data owner or third party runs the validation algorithm to verify the data's integrity. If verification succeeds, the data owner does not learn which cloud service provider produced the signature, so the scheme protects the privacy of the cloud service provider. If verification fails, go to Step 4.
(4) Open: if the data owner or a third party finds that the data integrity verification fails, the data owner sends a request to the group manager, who performs the Open operation to determine which cloud service provider produced the signature.

Conclusion
In this paper, we propose a multimanager group signature scheme and analyze its security. At the same time, we apply the proposed scheme to the multicloud storage environment based on the blockchain to support the authentication of provable data possession.

Data Availability
No data were used during this study.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.