Abstract
Biometric encryption, especially based on fingerprint, plays an important role in privacy protection and identity authentication. In this paper, we construct a privacypreserving linkable ring signature scheme. In our scheme, we utilize a fuzzy symmetric encryption scheme called symmetric keyring encryption (SKE) to hide the secret key and use noninteractive zeroknowledge (NIZK) protocol to ensure that we do not leak any information about the message. Unlike the blind signature, we use NIZK protocol to cancel the interaction between the signer (the prover) and the verifier. The security proof shows that our scheme is secure under the random oracle model. Finally, we implement it on a personal computer and analyze the performance of the constructed scheme in practical terms. Based on the constructed scheme and demo, we give an anonymous cryptocurrency transaction model as well as mobile demonstration.
1. Introduction
With the advantages of decentralized control and anonymous payment, cryptocurrency is gradually replacing the traditional payment mode. However, the anonymity provided by bitcoin has been questioned in the sense that it offers pseudonymity instead of real anonymity. The research work [1] has shown that attackers can improperly obtain the actual identity of a bitcoin’s owner or even other users through proxy addresses. In order to improve anonymity, researchers have proposed various privacy protection schemes, such as Dash based on the mixed coins protocol, Monero based on the CryptoNote protocol, and Zerocoin [2] based on the ZeroKnowledge Succinct Noninteractive Arguments of Knowledge (zkSNARK) protocol [3], etc.
In 2015, Noether [4] improved Monero’s original CryptoNote protocol by using a variant of linkable ring signature, which was called Ring Confidential Transactions (Ring CT). In the Ring CT protocol, Noether improved the “onetime ring signature” to linkable ring signature as the core cryptoprimitive to provide anonymity, which could not only meet the actual transaction needs, but also prevent the occurrence of double spending in transactions. Meanwhile, Monero also used stealth address to hide the recipient’s identity. Sasson et al. [2] proposed Zerocash, which used zkSNARK protocol to construct the anonymous electronic cash system to protect the privacy of users and transaction amounts.
Along with the development of cryptocurrency applications, privacy protection has gradually become an important issue. How to authenticate users while ensuring their anonymity has always been an important challenge in the information age. Biometric encryption technology which combines the cryptographic schemes with biometrics is an important branch of biometric protection technology. It is designed to protect secrets by binding/retrieving secrets with biometrics rather than using passwords or tokens in conventional cryptographic systems. Compared with passwords or tokens, biometrics such as fingerprints are more convenient, stable, and unforgettable. Nowadays, many biometric encryption algorithms have been proposed [5, 6]. In a word, combining biometric encryption technology and NIZK protocol with ring signatures will provide a great potential advantage for the protection of users’ privacy.
1.1. Related Work
Linkable Ring Signature Schemes. In 2004, linkability property was first introduced in a ring signature scheme by Liu et al. [7]. Later, Franklin and Zhang [8] proposed a general framework for linkable ring signatures. Nowadays, there were many variants of linkable ring signatures based on different features. Deng et al. [9] presented a new identitybased linkable ring signature scheme which avoided certificate management. Sun et al. [10] formalized the syntax of Ring CT protocol and then put forward a new efficient Ring CT protocol (Ring CT 2.0) which could save significant space.
NonInteractive ZeroKnowledge (NIZK) Protocol. In 1988, Blum et al. [11] firstly studied the NIZK proof system and presented the common reference string model which is generally applied to Zerocash. This construction is a NIZK range proof system based on a number theoretic assumption related to factoring. Using the FiatShamir heuristic, Groth [12] suggested a NIZK argument for correctness of an approval vote. In order to optimize the size of NIZK proofs, Gentry et al. [13] constructed a fully homomorphic hybrid encryption scheme to minimize the communication cost. In 2019, Tsai et al. [14] proposed a new noninteractive ZKRP scheme to maintain high flexible range form.
Biometric Encryption Schemes. In 1994, combining with fingerprint recognition, Tomoko firstly proposed the concept of biometric encryption and applied it for patents. Since then, various biometric cryptographic algorithms have been proposed. Juels and Sudan [15] put forward the concept of fuzzy vault whose security is based on the hardness of the polynomial reconstruction. However, Osadchy and Dunkelman [16] found that many of the existing schemes do not consider the privacy and security aspects of the feature extraction and binarization processes which have a huge risk for user privacy. Therefore, Lai et al. [5] proposed a novel biometric cryptosystem for vectorial biometrics called symmetric keyring encryption (SKE) by using an index of maximum hashed vectors, simple filtering mechanism, and Shamir’s secretsharing scheme. They also formalized and analyzed the threat model for SKE, which involved four major security attacks.
1.2. Contributions
In this work, we firstly use a simplistic biometric secretbinding scheme called SKE to encrypt the secret key which can protect user’s secret key and authenticating user’s identity at the same time. Second, we utilize a NIZK protocol to provide anonymity for the message. Unlike the blind signatures [17, 18] which have similar property, no interaction is required during the signing and validation process of our scheme. The security analysis shows that our proposed scheme is provably secure under the random oracle model. Third, we analyze the performance of the proposed scheme and also implement it based on the fingerprint model. The encouraging results indicate that our scheme is practicable. Finally, we propose an anonymous cryptocurrency transaction model with a corresponding mobile demo.
1.3. Structure of the Paper
The rest of this paper is organized as follows. In Section 2, some notations are introduced, and SKE and NIZK protocols are described. System framework and security model are presented in Section 3. We describe the signature scheme in Section 3. And its security analysis is provided in Section 5. In Section 6, some experimental results are given. The anonymous cryptocurrency transaction model is given in Section 7. Finally, the last section gives the conclusion.
2. Preliminary
First, we give some notations in Table 1 which are used in the rest of this paper.
2.1. SKE Model
The SKE model is a novel simplistic biometric secretbinding scheme for vectorial biometrics which is based on the notion of symmetric key cryptosystems [5]. First, the SKE model uses IoM hashing [19] which can generate abundant IoM hashed entries as genuine entries without being restricted by the original biometric vector size. We use as an enrolled biometric vector and as a random projection matrix. Given , the IoM hashing operations as follows: .
During enrollment, there is a user with an enrolled biometric vector , parameter , two different nonces , , and a finite field polynomial of order to generate and . Then, we perform polynomial projection to generate and yield a public secure sketch . Finally, we generate authentication tag , where is the oneway hashed output. We store as the public helper data.
During secret retrieval, given the query biometric vector and the public helper data above, we generate and as well as and following the steps above.
When , we can get a genuine pair , where is a genuine set. If we have a sufficient number of revealed genuine pairs with , the secret key can be retrieved via polynomial interpolation using the unlocking set . A highlevel overview of SKE is shown in Figure 1.
2.2. NIZK Protocol
NIZK protocols can be used to demonstrate the truth of a statement without revealing anything else. We briefly state the NIZK protocol [12] which we will use below. First, we set the system parameters . We also denote , to be secure hash functions and individually output . Randomizer and are prover’s input. Then, we simply discuss this NIZK as follows.(i)Argument:(1)Compute and .(2)Randomly choose ; compute and .(3)Set , .(4)The argument is .(ii)Verifier:(1)Compute as above.(2)Verify whether .
In this instance, it is easy to see that prover can convince the verifier that he/she knows without revealing knowledge and interacting with the verifier.
NIZK proofs are usually use in the common reference string (CRS) model, where in a string of a special structure is generated in a setup phase and made available for everyone to prove/verify statements.
Definition 1 (NIZK Argument [20]). A NIZK argument for an NP relationconsists of a triple of polynomial time algorithmsdefined as follows:(1) takes a security parameter and outputs a CRS .(2) takes as input the CRS , a statement , and a witness and outputs an argument .(3) takes as input the CRS , a statement , and a proof and outputs either 1 accepting the argument or 0 rejecting it.The algorithms above should satisfy the following three properties.(1)Completeness. For all , , .(2)Computational soundness. For all adversaries , the following probability is negligible in :(3)Zeroknowledge. There exists a simulator such that outputs a simulated CRS and trapdoor ; takes as input , a statement and and outputs a simulated proof ; and, for all adversaries , the following probability is negligible in :
Definition 2 (NIZK Argument of Knowledge [20]). A NIZK argument of knowledge for a relation is a NIZK argument for with the following additional extractability property.
(1) Extraction. For any adversary , random string , there exists a algorithm outputting such that the following probability is negligible in :
2.3. (, )Threshold SecretSharing Scheme
In this section, we describe a (, )threshold scheme [21] which enables making shares (distribution) and recovering the secret from or more shares (recovery) using just XOR operations, for arbitrary threshold and the number of participants . We will only use the distribution algorithm which is described in Algorithm 1. In this algorithm, the secret needs to be divided equally into blocks , where is a prime number, and denotes the bitsize of every divided piece of the secret. Also, it uses shares, , of a threshold scheme to construct a (, )threshold scheme if the desired number of participants is a composite number (in our scheme, we set ).

These XORed terms are circulated in a specific pattern with dimensions and do not overlap with each other because the properties of prime numbers are used. By an implementation on a PC, they showed that the proposed scheme is able to make shares from the secret and recover the secret from shares more quickly than Shamir’s scheme [22] if is not extremely large.
2.4. UTXO Ledger Model
Bitcoin, the most valuable and popular cryptocurrency, uses a graphbased ledger model built on the concept of UTXOs (unspent transaction outputs). In the UTXO ledger model, individual transactions consist of a list of inputs and a list of outputs. Each of the transactions can merge the bitcoins in the previous multiple accounts and transfer them to another one or more accounts. Figure 2 shows how UTXO model works, where Tx1 contains one input and two outputs, and Tx2 contains three inputs and two outputs.
2.5. Linkable Ring Signature
The biometric cryptosystem can be found in [5] and the NIZK scheme can be found in [12]. Our definitions are in the spirit of [4, 5, 12].
Definition 3. A linkable ring signature scheme based on SKE and NIZK consists of five algorithms:(1): on input of the user’s biometric vectorand a finite field polynomial order, output public helper data.(2): on input of the user’s biometric vectorand public helper data, output the secret keyvectorsand its corresponding public keyvectors.(3): on input of a message, the parameters, and the setwhereis a valid key pair output byand, output a signature.(4): on input of the purported signatures, anyone can verifyand output a bit.(5): on input of two messagesas well as two signaturesand, output a bit.
2.6. Complexity Assumptions and Lemma
Definition 4 (Discrete Logarithm (DL) Assumption). Given a generatorof, whereor, and, for every adversary,.
Definition 5 (Decision DiffieHellman (DDH) Assumption). Distinguish the distributionsandwithand. The DDH assumption is the intractability of the problem for anydistinguisher.
Lemma 1 (From Liu et al. [7]). Letbe an attacker andbe a challenger;invokesto obtain a transcript; ifis successful, thenrewindsto a headerand resimulatesto obtain transcript. If Pr, then Pr.
3. Security Model
In consideration of the security, our scheme should satisfy four fundamental properties: unforgeability, anonymity, linkability, and zeroknowledge which are very similar to the definitions given by [4, 7].
Before giving the definition, we give the definitions of the following queries at first. They will be carried out between a challenger and an adversary , which together simulate the ability of the adversary.(1)Hash functions query: may request the values of the hash functions for any input.(2)Key query: requests the key of a user; responds with the secret key.(3)Signature query: submits a tuple ; outputs a signature.
3.1. Unforgeability
We give the adversary model about unforgeability, which follows a similar structure as [4, 7].
For any PPT adversary , the advantage that wins the following game can be ignored; then our scheme is said to be unforgeable.
Game I: an adversary plays a game with a challenger as follows.
Initialization: running the algorithm, obtains the public helper data and then gives it to .
Query: performs a polynomially bounded number of queries.
Forge: submits a new tuple . will win if the following conditions hold:(1) is a legal signature.(2) did not query the key of anyone in .(3) did not query the tuple .
The advantage of the unforgeability is denoted by
If for any algorithm , the advantage of is negligible, we say the scheme is unforgeable.
3.2. Anonymity
Our scheme is said to be signer anonymity if for any adversary , is negligible.
Game II: an adversary plays a game with a challenger as follows.
Initialization: it is the same as that in Game I.
Query: performs a polynomially bounded number of queries.
Challenge: outputs a new tuple . flips a coin and then returns with the signature .
Guess: outputs a bit . If , is considered to succeed with the probability of .
The anonymity advantage of our scheme is denoted by .
3.3. Linkability
If for any adversary , the advantage of is ignorable in the following game, our scheme is said to be linkable.
Game III: an adversary plays a game with a challenger as follows.
Initialization, Query: it is the same as that in Game I.
Unlink: outputs two valid signatures and with respect to secret keys and , respectively. wins if the following conditions hold:(1)Verify Verify .(2).(3)Link unlink.
The advantage of the linkability is denoted by .
3.4. NIZK Argument
In ROM, if our scheme is proved to be completeness, computational soundness, and zeroknowledge, our protocol is a NIZK argument where the plaintext space is .
4. Signature Scheme
4.1. Our Construction
The detailed steps of our scheme are given as follows.
Setup.
On input of , two random nonces , parameter , a finite field polynomial which encodes the secret key , and a oneway hash function , the algorithm does as follows:(1)Run IoM to generate vectors and , where , .(2)Compute .(3)For , compute , such that the secure sketch .(4)For , compute , such that .(5)Output the public helper data .
A formal description of this algorithm is shown Algorithm 2.

KeyGen.
On input , , the public helper data with parameter , generator , and the set . The algorithm does as follows:(1)Run to generate vectors and .(2)For , compute , such that .(3)For , compute while , and then add to an unlocking set .(4)If , perform polynomial reconstruction with and output the secret key ; else repeat step 1.(5)Run DisThreshold (, , ) to obtain , output .(6)For , compute . The and are the public keyvectors and the secret keyvectors, respectively.
A formal description of this algorithm is shown as Algorithm 3.

Sign.
On input the , generators , , and public keymatrix containing public keyvectors of length , user’s secret key corresponding to . We do as follows:(1)Let , choose , compute ; ; .(2)Compute , .(3)For , , choose ; when , choose .(4)For , compute the key image .(5)When , for , compute ; .(6)When , for , compute ; ; .(7)When , for , compute .(8)Output .
A formal description of this algorithm is shown as Algorithm 4.

Verify(1)The verifier computes . Then, checking whether . If the congruence holds, return , otherwise .(2)For , the verifier regenerates all the and verifies whether . If the congruence holds, return , otherwise .
A formal description of this algorithm is shown Algorithm 5.

Link.
For a fixed set of public keyvectors, given two messages , two valid signatures and , the verifier outputs if the key image ; otherwise the verifier outputs .
5. Security Analysis
In this section, the security proofs of our scheme are given, which follow similarly to the security proofs of [4, 7].
Theorem 1. In ROM, the scheme is unforgeable if DL problem is hard.
Proof. (Similar proof to Theorem 6 of [4] and Theorem 1 of [7]) We follow the notation introduced above. Suppose that an adversary can forge signature with nonnegligible probability; then we certainly can construct a simulator which can extract a solution to the DL problem. Given a random instance of the DL problem with security level , is asked to solve the DL problem in polynomial time.
First of all, maintains 4 lists in its local storage to store the outputs of , , , key query, and sign query, initially setting to be empty. The interaction between and does as follows:
Initialization: Running the algorithm; gives parameters.
Query: is allowed to make the following queries (supposed that will not initiate repeated queries).(1) query: maintains list of tuple . For a request of , if contains list , returns the corresponding tuple to ; otherwise, randomly chooses and returns it to ; meanwhile, it stores the tuple into list .(2) query: maintains list of tuple . For a request of , if contains list , returns the corresponding tuple to ; otherwise, randomly chooses and returns it to ; meanwhile, it stores the tuple into list .(3) query: maintains list of tuple . For a request of , a set has public keyvectors and randomly chooses ; if contains list returns the corresponding tuple to ; otherwise, randomly chooses and returns it to ; meanwhile, it stores the tuple into list .(4)Key query: for a request of , if the tuple contains list performs polynomial reconstruction function to generate and the secret key and returns it to . Meanwhile, stores the tuple into the .(5)Sign query: for a request of , the user’s biometric vector , and a set of public keyvectors where is the real secret index, generates a signature:(a)Check list , if there exists , the real secret key .(b)Check list , if there exists , the secret message is .(c)For , compute .(d)For , choose and .(e)When : For , choose ; compute ; Compute , add into . If collision occurs, repeat steps 3 and 5.(f)Output as a signature. It can be seen from the signing process that is a valid signature.Forge: outputs a forged signature . Assume that makes no more than queries to the signing oracles and .
From Lemma 1, for each successful forgery completes with transcript , there are queries to matching the queries used to verify the signature. Let denote the forgery and let be the index for the last verification query; we have .
If , produces an attempted forgery that is an forgery. By assumption, there exists for giving a successful forgery; satisfiesThen, rewinds before the query and again attempts a forgery on the same set of keys that satisfiesand also a successful forgery, where is a polynomial inputting a security parameter .
Therefore, the probability that both and correspond to verifying forgeries and is nonnegligible:In the way above, we again obtain a forged signature . For each , we have , and we can solve aswhich contradicts the DL assumption.
Theorem 2. In ROM, the proposed scheme is signeranonymous under the DDH assumption.
Proof (similar proof to Theorem 8 of [4]). Assume that the DDH problem is hard in the cyclic group generated by and suppose there exists a PPT adversary against signer ambiguity. After that, given a set of public keyvectors of length , a set of biometric vectors , and a valid signature on signed by a user with respect to a keyvector such that the corresponding biometric vector satisfies , then, can win the game above with probabilityfor some polynomial . We certainly can construct a simulator which takes as inputs a tuple , where is randomly chosen and not a priori known to , , and is a random scalar; then can output and solve the DDH problem with probabilityfor some polynomial .
Inputting scalars , the user’s biometric vector , a set of public keyvectors of length , index , and message , we act as follows.
Initialization, Query: it is the same as that in Theorem 1.
Challenge: submits a new tuple , where the public keyvectors corresponding to are in . flips a coin and then returns with the signature .
Guess: outputs a bit .
Given a tuple