#### Abstract

With the rise of Bitcoin, blockchain, the core technology of Bitcoin, has received increasing attention. Privacy preservation and performance on blockchain are two research focuses in academia and business, but there are still unresolved issues in both respects. An aggregate signature scheme is a digital signature scheme that supports signatures on many different messages generated by many different users. Using aggregate signatures, the size of the signature can be shortened by compressing multiple signatures into a single signature. In this paper, a new signature scheme for transactions on blockchain based on the aggregate signature is proposed. The elliptic curve discrete logarithm problem and bilinear maps play major roles in our signature scheme, and the security properties of the scheme are proved. In our signature scheme, the amount is hidden, especially in transactions that contain multiple inputs and outputs. Additionally, the size of the signature on a transaction is constant regardless of the number of inputs and outputs that the transaction contains, which can improve the performance of the signature. Finally, we give an application scenario for our signature scheme, which aims to achieve transactions of big data on blockchain.

#### 1. Introduction

Since the emergence of Bitcoin [1], blockchain as the core technology of Bitcoin has attracted more and more attention. As a combination of a variety of technologies such as distributed data storage, peer-to-peer network, consensus mechanism, and cryptographic algorithm, blockchain has broad prospects of application.

There are still some flaws in blockchain, of which privacy preservation and performance are two important aspects. Preserving privacy while retaining the characteristics of blockchain is a focus of academic research. In this field, Monero and Zcash are representative projects in which ring signatures, zero-knowledge proofs, and other cryptographic technologies play important roles. In addition, achieving rapid trading to meet realistic demands is another challenge that blockchain faces. In this field, the lightning network is widely recognized, but there are also some flaws in its theory and implementation.

Meanwhile, we know big data has been used in many fields. However, there are still many flaws in the storage, transmission, transaction, and privacy preserving of big data. And blockchain was considered to be an ideal technology for solving these flaws. Thus, we applied our new signature scheme to the transactions of big data on blockchain.

*Our Contributions.* In this work, we make three contributions in view of the privacy preserving and performance on blockchain.

(1) We introduce some existing contributions to the privacy preserving on blockchain, including CoinJoin in Dash, ring signature in Monero, and zero-knowledge proof in Zcash.

(2) We introduce some cryptographic technologies which are favorable for privacy preserving and performance on blockchain, including elliptic curve cryptography (ECC), bilinear maps, and aggregate signature. We then propose a new signature scheme for transactions on blockchain in which the amount is hidden, especially in transactions which include multiple inputs and outputs. Additionally, the size of the signature on a transaction is constant regardless of the number of inputs and outputs that the transaction contains, which can improve the performance of the signature. We also give the security analysis of our new signature scheme.

(3) We propose an application scenario for our signature scheme which aims to achieve the transaction of big data on blockchain.

*Paper Organization*. The rest of the paper is organized as follows. Section 2 introduces some projects which aimed at the privacy preserving on blockchain. And the basic building blocks that will be used in our signature scheme are also introduced. In Section 3, the core of our new signature scheme which aimed at hiding the amount of transactions is introduced. The main contribution of this paper is the new signature scheme on blockchain based on aggregate signature that will be described in Section 4, and a formal security analysis for our proposed scheme will also be presented. In Section 5, a simple application of our signature scheme is introduced with respect to transactions of big data. Finally, Section 6 concludes the paper.

#### 2. Preliminaries

##### 2.1. Privacy Preserving on Blockchain

*Dash*. Dash uses a technique known as CoinJoin. In a nutshell, the CoinJoin mixes multiple transactions of multiple users to a single transaction through some master nodes. In Dash, each user picks an address and then sends it to the master node to mix with other addresses. Transactions can only be made with amount of 0.1, 1, 10, and 100 which increases the difficulty for the attackers to guess the relevance of transactions from the amount of transactions. At the same time, the master nodes are required to ensure out-of-order output. As shown in Figure 1, different lines represent different users and every amount is 10 DASH. DASH is the currency unit in this system. By mixing, the user who is represented by the vertical line makes a transaction of 10 DASH to the user who is represented by the line from top left to bottom right, while it is hard for others to find this transaction from the confused transactions.

*Monero*. In Dash, there is still the risk that the master nodes are controlled by malicious attackers, which may lead to the disclosure of the users' private information. In order to solve this problem, a hybrid cryptographic scheme that does not depend on the central nodes was proposed in Monero. There are two technologies in Monero: one is called *stealth address* and the other is called *ring signature* [2, 3].

*Stealth address* solves the problem of the relevance of input addresses and output addresses. Each time the sender makes a transaction, a one-time public key is computed on the elliptic curve from the receiver's address. The sender then sends out this public key along with an additional message on blockchain. The receiver can check each transaction using its own private key to determine whether the sender has already sent out the transaction. When the receiver wants to use the transaction, it can calculate a signing private key based on its own private key and the transaction information. The transaction is then signed with this signing private key.

In addition, Monero proposed a *ring signature* scheme. Whenever the sender wants to make a transaction, the transaction is signed with the sender's private key and the public keys of other, randomly selected users. When verifying a signature, the public keys of the other users and the parameters in the signature are needed.

*Zcash*. A new scheme with zero-knowledge proof was proposed in Zcash, which allows users to hide transaction information only by interacting with the cryptographic algorithm itself, so that all transactions are created equally [4].

In Zcash, a noninteractive zero-knowledge proof [5, 6] was used, which is called zk-SNARK. Here we do not go into the details of zk-SNARK but generally describe how to use this technology in Zcash. Let us discuss the simplest case, assuming that the amount in Zcash is fixed, such as 1 BTC. Then the process of coinage is equivalent to the fact that the user pours 1 BTC into an escrow pool and then writes a commitment which can be calculated by the serial number and user's private key to a list. When the user wants to spend the money, two steps need to be done:

(1) Give the serial number.

(2) Use zk-SNARK to prove that it holds the user's private key to generate this commitment.

##### 2.2. Bilinear Pairings

There, and are two multiplicative cyclic groups of prime order , is a generator of , and is a generator of . is a computable isomorphism from to , with = . A bilinear pairing is defined to be *n**), *where , and are multiplicative groups of order . Let be a map with the following properties [7, 8]:(i)Bilinear: and .(ii)Nondegenerate: there exists , such that , where means the identity of .(iii)Computability: there is an efficient algorithm to compute for all , .

##### 2.3. Aggregate Signature

There, means a set of users, each user has a signature key pair (), and means the users whose signatures will be aggregated. Each user generates a signature for the message they select, and then these signatures are grouped into a single signature by an aggregate community, which cannot be in the set or can be distrusted by the user in the collection , who has access to the user’s public key, message, and their home signature but cannot access any private key.

The result of the aggregate signature is whose length is the same as any single signature. Aggregate signatures have the property that a verifier can make sure that each user signs their own messages [7, 8] when and each message are obtained.

##### 2.4. Elliptic Curve

Assume that has characteristic greater than 3. An elliptic curve over is the set of all solutions to an equation , where , and , together with a special point ∞ called the point at infinity. It is well known that is an abelian group with the point ∞ serving as its identity element. The rules for group addition are summarized below [9].

() Let ; then . If , then , where and

If is a field of characteristic 2, an elliptic curve of zero -invariant over is the set of all solutions to an equation , where , , together with the point at infinity ∞. The rules for group addition are summarized below.

() Let ; then . If , then , where

If is a field of characteristic 2, an elliptic curve of* nonzero j-invariant* over is the set of all solutions to an equation , where , together with the point at infinity ∞. The rules for group addition are summarized below.

() Let ; then . If , then , where

#### 3. Core of the New Signature Scheme

When transactions are generated on blockchain, cryptographic signatures are used to judge the legality of the transactions and the identities of the senders [10]. Furthermore, the signature algorithms are aimed at privacy preserving of the transactions, including the addresses of both sides and transaction amount. For example, in Bitcoin, ECDSA [11, 12], RIPEMD [13, 14], and SHA256 [15, 16] are used to make signatures for the transactions. In Section 3.1, we will design a scheme which is the core of our new signature scheme. The amount of transactions which include multiple inputs and outputs can be hidden using this scheme.

##### 3.1. Basic Scheme

Without loss of generality, we deal with a single transaction, which is divided into inputs and outputs; the details are shown in Figure 2.

As shown in Figure 2, the transaction contains inputs and outputs. Accessibly, we have .

For each and ; in order to hide and , this paper uses ECC to make an operation for them. We choose as the generator of , and the transfer forms of and are and . And according to the operation rules of the elliptic curve, the following equations are true [17]:

According to (4), we can verify by . Because the attackers cannot get and through and , the amount of transaction can be hidden by this scheme. The following introduces the homomorphic proof and the drawback of this scheme [18].

*Homomorphic Proof of the Signature Scheme*. Homomorphic property is an important target to evaluate the security of an algorithm, especially considering that quantum computer gets rapid development. We can easily prove that our basic scheme satisfies additive homomorphism [19, 20].

*Proof.* For each , as defined in basic scheme, . According to the operation rules of the elliptic curve, the following equations are true:

We can obtain that

The left side of (6) means the addition followed by an encryption operation; correspondingly the right side means the encryption operation followed by addition. So we can obtain that our basic scheme is additive homomorphic.

*The Drawback of the Basic Scheme*. Our basic scheme can hide the amount of the transactions which contain multiple inputs and outputs. But there are also opportunities for the attackers to acquire the amount. On the Bitcoin system, there are mature attack algorithms, such as selfish mining attack [21, 22], eclipse attack [23], and stubborn mining attack [24]. There are similar drawbacks in our basic scheme.

A malicious attacker impedes inputs and outputs, which satisfy the fact that . And in the normal network, the sum of all the inputs is

The sum of all the outputs is

where the elements of sets and are contained in sets and .

Because we know that and , it can be obtained that . So we can also verify that .

In order to modify our basic scheme, this paper combines aggregate signature with the basic scheme to obtain a modified scheme.
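The balance check of the basic scheme and its drawback, as an added example that is not code from the paper. It assumes the secp256k1 curve and constructed amounts; the helper names `hide` and `balanced` are illustrative.

```python
# Added illustration (not the paper's code). Assumptions: secp256k1 curve,
# constructed amounts, hypothetical helper names hide() and balanced().
P = 2**256 - 2**32 - 977  # field prime of secp256k1
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity, the group identity


def on_curve(pt):
    """Check y^2 = x^3 + 7 over F_P."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def add(p1, p2):
    """Elliptic-curve group addition (chord-and-tangent rule)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p2 is the inverse of p1
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P  # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    k %= N
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def hide(amount):
    """Transfer form of an amount: amount*G."""
    return mul(amount, G)


def balanced(hidden_inputs, hidden_outputs):
    """Accept when the sum of input points equals the sum of output points."""
    total_in = total_out = INF
    for pt in hidden_inputs:
        total_in = add(total_in, pt)
    for pt in hidden_outputs:
        total_out = add(total_out, pt)
    return total_in == total_out


def demo():
    inputs, outputs = [30, 50, 20], [45, 25, 30]  # constructed amounts, both sum to 100
    hin, hout = [hide(a) for a in inputs], [hide(a) for a in outputs]
    return {
        # encrypt-then-add equals add-then-encrypt
        "homomorphic": hide(30 + 50) == add(hide(30), hide(50)),
        "full_tx_balances": balanced(hin, hout),
        # Drawback: drop input 30 and output 30 (equal sums); the check still passes.
        "stripped_tx_balances": balanced(hin[1:], hout[:2]),
        # Dropping only an input breaks the equality and is detected.
        "unequal_strip_detected": not balanced(hin[1:], hout),
    }


if __name__ == "__main__":
    print(demo())
```

The `stripped_tx_balances` result is the gap the modified scheme in Section 3.2 is meant to close: the verifier only sees that the remaining points still sum to the same value.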

##### 3.2. Modified Scheme

Recall that elliptic curve on the finite group is specified by tuple which is the generator of . The modified scheme is performed as follows.

() Compute , .

() For each , randomly select , and compute , , and . And randomly select , and compute , , and ; the transfer forms of inputs and outputs are and .

*Feasibility of the Modified Scheme*. Given , , , , and and the transfer form and , we can obtain that

Proof of the feasibility of the modified scheme will be given in the Appendix.

The modified scheme greatly avoids the drawback in the basic scheme. If a malicious attacker impedes inputs and inputs, which satisfy the fact that , then , , , and will change as well. And we cannot get where is the set which is obtained from the set removing the elements impeded. The relationship also applies to and , and *, * and , and , and . So it will not pass verification; then the attack will not be successful.

#### 4. New Signature Scheme on Blockchain

In Section 3, we proposed a new scheme which aimed at hiding the amount of the transactions on blockchain which contain multiple inputs and outputs. Based on this, we designed a new signature scheme that can protect the amount of transactions and keep the size of signatures constant regardless of the number of inputs and outputs. Recall that elliptic curve on the finite group is specified by tuple . The base groups are and , their respective generators are and , the computable isomorphism * is *from to , and the bilinear map is with target group . Let , .

##### 4.1. Basic Signature Scheme

*Key Generation. *A particular user picks random , and computes , . The user’s signature public key and signature private key are and . The user’s payment public key and payment private key are and .

*Signing*. We suppose that the sender wants to send a payment to a particular receiver whose payment public key is . The sender generates a random and computes a one-time public key and then computes . The signature is . is also packed somewhere into the transaction.

*Verification.* Given the sender’s payment public key , and the signature , the receiver computes and then accepts if holds.

We know that ; then . And through the rules of the bilinear maps, we obtain that . Figure 3 gives the structure of our basic signature scheme.

As shown in Figure 3, we give the basic signature scheme [2, 25]. In order to achieve the purpose of improving the performance of the signature scheme, we combine the aggregate signature with our basic signature scheme and propose a modified signature scheme in Section 4.2.

##### 4.2. Modified Signature Scheme

*Key Generation.* For the aggregate subset of users , assign to each user an index , ranging from 1 to . Each user picks random , and computes , . The signature public key and signature private key of are and . The payment public key and payment private key of are and .

*Signing.* For each , we suppose that wants to send a payment to particular receiver whose payment public key is . And generates a random and computes a one-time public key and then computes . The signature is . is also packed somewhere into the transaction.

*Aggregation.* Compute ; the aggregate signature is .

*Aggregate Verification.* We are given an aggregate signature for an aggregating subset indexed as before and are given the original and public keys for all users . To verify the aggregate signature , compute for and accept if holds.

Using the properties of the bilinear map, the left side of the verification equation expands:

Figure 4 gives the structure of our aggregate transaction structure.

As shown in Figure 4, the signature is kept constant regardless of the number of inputs and outputs that the transaction contains. Then we combine the core of the new signature scheme proposed in Section 3.2 with the modified signature scheme to a new signature scheme which will be described in Section 4.3.

##### 4.3. New Signature Scheme

*Key Generation.* For the aggregate subset of users , assign to each user an index , ranging from 1 to . Each user , picks random , , and computes , . The user’s signature public key and signature private key are and . The user’s payment public key and payment private key are and .

*Signing.* For each , we suppose that wants to send a payment to a particular receiver whose payment public key is . And generates a random and computes a one-time public key and then computes . The signature is . is also packed somewhere into the transactions. And compute , .

*Aggregation.* Compute ; the aggregate signature is . For each , randomly select and compute , , and ; the transfer form of input is .

*Aggregate Verification.* We are given an aggregate signature for an aggregating subset indexed as before and are given the original and public keys for all users . To verify the aggregate signature , compute for and accept if holds. And randomly select , compute , , and ; the transfer form outputs are . Figure 5 gives the structure of our new transaction structure.

##### 4.4. Security of the New Signature Scheme

It is easy to show that the security of our new signature scheme is equivalent to that of the traditional bilinear aggregate signature. As in the aggregate chosen-key security model proposed in [7], the security of aggregate signature schemes is equivalent to the nonexistence of an adversary capable of existentially forging an aggregate signature. Existential forgery here means that the adversary attempts to forge an aggregate signature on a subtransaction of his choice by other subtransactions in a particular transaction. The adversary is given a single public key. His goal is the existential forgery of an aggregate signature. We give the adversary power to choose all public keys except the challenge public key. The adversary is also given access to a signing oracle on the challenge key. His advantage is defined to be his probability of success in the following game [7, 26].

*Setup.* The aggregate forger is provided with a public key , generated at random.

*Queries.* Proceeding adaptively, requests signatures with on the subtransaction of his choice.

*Response.* Finally, outputs additional public keys . These keys, along with the initial key , will be included in ’s forged aggregate. also outputs subtransaction , finally, an aggregate signature by the users, each on his corresponding subtransaction.

The forger wins if the aggregate signature is a valid aggregate on subtransactions under keys , and is nontrivial.

*Definition 1.* An aggregate forger -breaks an -user aggregate signature scheme in the aggregate chosen-key model if the following conditions are met:

(1) runs in time at most .

(2) makes at most queries to the hash function and at most queries to the signing oracle.

(3) is at least *ϵ*.

(4) Forged aggregate signature is by at most users.

An aggregate signature scheme is -secure against existential forgery in the aggregate chosen-key model if no forger -breaks it. The next theorem shows that this simple constraint is sufficient for proving security in the chosen-key model.

Theorem 2. *Let be a -bilinear group pair for co-Diffie-Hellman, with each group of order , with respective generators and , with an isomorphism computable from to , and with a bilinear map . Then the bilinear aggregate signature scheme on is -secure against existential forgery in the aggregate chosen-key model for all and satisfying and , where is the base of natural logarithms, and exponentiation and inversion on take time .*

Besides, the security of the scheme which is used to hide the amount of the transactions has been analyzed in Section 3.2. So, we can get that our signature scheme satisfies unforgeability and other security properties.

#### 5. Application of Signatures Scheme

Big data brings many benefits to our lives. At the same time, there are some drawbacks in big data. Firstly, the utilization of data is poor. Large amounts of data are in the idle state, occupying a lot of storage space. Secondly, there are a lot of drawbacks in the security and privacy of the data. The use of big data exposes personal privacy and other security problems, while big data may be used to do illegal activities by criminals. At the same time, there are some drawbacks in the transmission efficiency and transmission accuracy of data. Blockchain is considered to be an ideal solution to these problems. Based on this, we try to apply our signature scheme to the transactions of big data [27].

##### 5.1. Infrastructure of Transaction of Big Data on Blockchain

Here, we consider the transactions of big data on blockchain. The infrastructure is based on the P2P network which is the network model of blockchain [28]. And we give the model of the infrastructure in Figure 6.

We consider the inputs and outputs of a particular transaction, which consists of data inputs, data outputs, and the corresponding amount of outputs and amount of inputs which are described in Figure 7.

*Setup*. Recall that elliptic curve on the finite group is specified by tuple .

*Key Generation.* For the aggregate subset of users , assign to each user an index , ranging from 1 to . Each user picks random , and computes , . The signature public key and signature private key of are and . The payment public key and payment private key of are and .

*Signing.* For each , we suppose that wants to send a payment to particular receiver whose payment public key is . And generates a random and computes a one-time public key and then computes . The signature is . is also packed somewhere into the transactions. And compute , .

*Aggregation. *Compute ; the aggregate signature is . For each , randomly select and compute , , and ; the transfer form of input is .

*Aggregate Verification.* We are given an aggregate signature for an aggregating subset indexed as before and are given the original and public keys for all users . To verify the aggregate signature , compute for and accept if holds. And randomly select , compute , , and ; the transfer form outputs are .

##### 5.2. Performance of Signature Scheme on Transaction of Big Data

*Aggregate Signing Time*. In a single signature, one hash operation, one modular power multiplication, and one multiplication operation are implemented. Let be an aggregate of the signatures . The time to verify the aggregate signature is linear in . And one multiplication with aggregation is implemented [29].

*Aggregate Verification Time. *In a single verification, times hash operations and bilinear maps operations are implemented. Let be an aggregate of the signatures . The time to verify the aggregate signature is linear in .

*Signature Space*. Let be an aggregate of the signatures *.* The space of the signature will be of the normal signature.

#### 6. Concluding

In this paper, we have proposed a new signature scheme for the transactions on blockchain based on aggregate signature and ECC. Through our new signature scheme, the amount will be hidden when the transactions contain multiple inputs and outputs [30]. Besides, the size of the signature for the transactions will keep constant regardless of the number of inputs and outputs that the transaction contains. We have shown the validity of our new signature scheme. More importantly, the security of our new signature scheme is analyzed. Currently there is no scheme which achieves both hiding the amount of the transactions and constant-size signature when the transaction contains multiple inputs and outputs. Furthermore, we have given an application scenario for our signature scheme which aimed at achieving the transaction of big data on blockchain. And the performance of the signature scheme in the application scenarios was analyzed.

There are still many interesting problems to be solved. For example, it would be valuable to explore the possibility of achieving a signature scheme which combines our scheme with ring signature. Using our scheme to construct a practical complete application is also another interesting problem [31, 32].

#### Appendix

#### Proof of the Feasibility of the Modified Scheme

Because we know that , it can be obtained that .

#### Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

#### Acknowledgments

This paper is supported by National Key Research and Development Program (nos. 2016YFB0800101 and 2016YFB0800100), State Key Laboratory of Mathematics and Advanced Computing Open Topic (no. 2015A14), and National Natural Science Foundation of China (no. 61602512).