Abstract

Biometric encryption, especially fingerprint-based, plays an important role in privacy protection and identity authentication. In this paper, we construct a privacy-preserving linkable ring signature scheme. In our scheme, we utilize a fuzzy symmetric encryption scheme called symmetric keyring encryption (SKE) to hide the secret key and use a non-interactive zero-knowledge (NIZK) protocol to ensure that no information about the message is leaked. Unlike a blind signature, the NIZK protocol removes the interaction between the signer (the prover) and the verifier. The security proof shows that our scheme is secure in the random oracle model. Finally, we implement it on a personal computer and analyze the performance of the constructed scheme in practical terms. Based on the constructed scheme and demo, we give an anonymous cryptocurrency transaction model as well as a mobile demonstration.

1. Introduction

With the advantages of decentralized control and anonymous payment, cryptocurrency is gradually becoming an alternative to traditional payment modes. However, the anonymity provided by Bitcoin has been questioned in the sense that it offers pseudonymity instead of real anonymity. The research work [1] has shown that attackers can recover the actual identity of a bitcoin's owner, or even of other users, through the addresses linked to it. In order to improve anonymity, researchers have proposed various privacy protection schemes, such as Dash based on a coin-mixing protocol, Monero based on the CryptoNote protocol, and Zerocash [2] based on the Zero-Knowledge Succinct Non-interactive Argument of Knowledge (zk-SNARK) protocol [3].

In 2015, Noether [4] improved Monero’s original CryptoNote protocol with a variant of linkable ring signature called Ring Confidential Transactions (Ring CT). Ring CT extends CryptoNote’s “one-time ring signature” into a multilayered linkable ring signature that serves as the core cryptographic primitive for anonymity: it meets the actual transaction needs, hides the transferred amounts, and prevents double spending. Monero also uses stealth addresses to hide the recipient’s identity. Sasson et al. [2] proposed Zerocash, which uses the zk-SNARK protocol to build an anonymous electronic cash system that protects both user identities and transaction amounts.

Along with the development of cryptocurrency applications, privacy protection has gradually become an important issue. How to authenticate users while preserving their anonymity has long been a central challenge of the information age. Biometric encryption technology, which combines cryptographic schemes with biometrics, is an important branch of biometric template protection. It protects secrets by binding and retrieving them with biometrics rather than with the passwords or tokens of conventional cryptographic systems. Compared with passwords or tokens, biometrics such as fingerprints are more convenient and stable and cannot be forgotten. Many biometric encryption algorithms have been proposed [5, 6]. In short, combining biometric encryption technology and a NIZK protocol with ring signatures offers a great potential advantage for protecting users’ privacy.

1.1. Related Work

Linkable Ring Signature Schemes. In 2004, the linkability property was first introduced into ring signatures by Liu et al. [7]. Later, Franklin and Zhang [8] proposed a general framework for linkable ring signatures. Many variants with different features have since been proposed. Deng et al. [9] presented an identity-based linkable ring signature scheme which avoids certificate management. Sun et al. [10] formalized the syntax of the Ring CT protocol and then put forward a new, more efficient Ring CT protocol (Ring CT 2.0) which saves significant space.

Non-Interactive Zero-Knowledge (NIZK) Protocol. In 1988, Blum et al. [11] first studied NIZK proof systems and introduced the common reference string model, which Zerocash’s zk-SNARKs also rely on. Their construction is a NIZK proof system based on a number-theoretic assumption related to factoring. Using the Fiat-Shamir heuristic, Groth [12] proposed a NIZK argument for the correctness of an approval vote. To reduce the size of NIZK proofs, Gentry et al. [13] used fully homomorphic hybrid encryption to minimize the communication cost. In 2019, Tsai et al. [14] proposed a non-interactive zero-knowledge range proof (ZKRP) scheme that supports highly flexible range forms.

Biometric Encryption Schemes. In 1994, Tomko first proposed the concept of biometric encryption in combination with fingerprint recognition and filed patents on it. Since then, various biometric cryptographic algorithms have been proposed. Juels and Sudan [15] put forward the fuzzy vault, whose security rests on the hardness of polynomial reconstruction. However, Osadchy and Dunkelman [16] found that many existing schemes do not consider the privacy and security of the feature extraction and binarization processes, which poses a serious risk to user privacy. Therefore, Lai et al. [5] proposed a biometric cryptosystem for vectorial biometrics called symmetric keyring encryption (SKE), built from index-of-maximum (IoM) hashed vectors, a simple filtering mechanism, and Shamir’s secret-sharing scheme. They also formalized and analyzed the threat model for SKE, which covers four major attacks.

1.2. Contributions

In this work, we first use a simplistic biometric secret-binding scheme called SKE to encrypt the secret key, which protects the user’s secret key and authenticates the user’s identity at the same time. Second, we utilize a NIZK protocol to provide anonymity for the message. Unlike blind signatures [17, 18], which have a similar property, no interaction is required during the signing and verification process of our scheme. The security analysis shows that our proposed scheme is provably secure in the random oracle model. Third, we analyze the performance of the proposed scheme and implement it on fingerprint data. The encouraging results indicate that our scheme is practicable. Finally, we propose an anonymous cryptocurrency transaction model with a corresponding mobile demo.

1.3. Structure of the Paper

The rest of this paper is organized as follows. In Section 2, some notations are introduced, and the SKE and NIZK protocols are described. The system framework and security model are presented in Section 3. We describe the signature scheme in Section 4, and its security analysis is provided in Section 5. Section 6 gives an efficiency analysis, and Section 7 reports the experimental results. The anonymous cryptocurrency transaction model is given in Section 8. Finally, the last section gives the conclusion.

2. Preliminary

First, we give some notations in Table 1 which are used in the rest of this paper.

2.1. SKE Model

The SKE model is a simplistic biometric secret-binding scheme for vectorial biometrics based on the notion of symmetric key cryptosystems [5]. First, the SKE model uses IoM hashing [19], which can generate abundant IoM hashed entries as genuine entries without being restricted by the size of the original biometric vector. We use as an enrolled biometric vector and as a random projection matrix. Given , IoM hashing operates as follows: .

During enrollment, there is a user with an enrolled biometric vector , parameter , two different nonces , , and a finite field polynomial of order to generate and . Then, we perform polynomial projection to generate and yield a public secure sketch . Finally, we generate authentication tag , where is the one-way hashed output. We store as the public helper data.

During secret retrieval, given the query biometric vector and the public helper data above, we generate and as well as and following the steps above.

When , we can get a genuine pair , where is a genuine set. If we have a sufficient number of revealed genuine pairs with , the secret key can be retrieved via polynomial interpolation using the unlocking set . A high-level overview of SKE is shown in Figure 1.

2.2. NIZK Protocol

NIZK protocols can be used to demonstrate the truth of a statement without revealing anything else. We briefly state the NIZK protocol [12] which we will use below. First, we set the system parameters . We also denote , to be secure hash functions which individually output . The randomizer and are the prover’s input. The NIZK proceeds as follows.
(i) Argument:
(1) Compute and .
(2) Randomly choose ; compute and .
(3) Set , .
(4) The argument is .
(ii) Verifier:
(1) Compute as above.
(2) Verify whether .

In this instance, it is easy to see that the prover can convince the verifier that he/she knows without revealing it and without interacting with the verifier.

NIZK proofs are usually used in the common reference string (CRS) model, wherein a string of a special structure is generated in a setup phase and made available to everyone for proving/verifying statements.

Definition 1 (NIZK Argument [20]). A NIZK argument for an NP relation consists of a triple of polynomial time algorithms defined as follows:
(1) takes a security parameter and outputs a CRS .
(2) takes as input the CRS , a statement , and a witness and outputs an argument .
(3) takes as input the CRS , a statement , and a proof and outputs either 1, accepting the argument, or 0, rejecting it.
The algorithms above should satisfy the following three properties.
(1) Completeness. For all , , .
(2) Computational soundness. For all adversaries , the following probability is negligible in :
(3) Zero-knowledge. There exists a simulator such that outputs a simulated CRS and trapdoor ; takes as input , a statement and and outputs a simulated proof ; and, for all adversaries , the following probability is negligible in :

Definition 2 (NIZK Argument of Knowledge [20]). A NIZK argument of knowledge for a relation is a NIZK argument for with the following additional extractability property.
(1) Extraction. For any adversary and random string , there exists an algorithm outputting such that the following probability is negligible in :

2.3. (, )-Threshold Secret-Sharing Scheme

In this section, we describe a (, )-threshold scheme [21] which makes shares (distribution) and recovers the secret from or more shares (recovery) using only XOR operations, for an arbitrary threshold and number of participants . We use only the distribution algorithm, which is described in Algorithm 1. In this algorithm, the secret is divided equally into blocks , where is a prime number and denotes the bit size of each block of the secret. It also uses shares, , of a -threshold scheme to construct a (, )-threshold scheme when the desired number of participants is a composite number (in our scheme, we set ).

Input: .
Output:
(1), .
(2)for do
(3)for do
(4)Choose ;
(5)end
(6)end
(7)for do
(8)for do
(9)Choose ;
(10)end
(11)
(12)end
(13)return .

These XORed terms are circulated in a specific pattern with dimensions and do not overlap with each other because of the properties of prime numbers. By an implementation on a PC, the authors showed that the scheme makes shares from the secret and recovers the secret from shares faster than Shamir’s scheme [22] when is not extremely large.

2.4. UTXO Ledger Model

Bitcoin, the most valuable and popular cryptocurrency, uses a graph-based ledger model built on the concept of UTXOs (unspent transaction outputs). In the UTXO ledger model, a transaction consists of a list of inputs and a list of outputs; each input references a previous unspent output, and each output can be consumed by at most one later input. A transaction can thus merge the bitcoins of several previous outputs and transfer them to one or more new outputs. Figure 2 shows how the UTXO model works, where Tx1 contains one input and two outputs, and Tx2 contains three inputs and two outputs.
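As an added illustration (not from the paper), the following Python ledger models Figure 2 with constructed transaction ids and amounts: Tx1 spends one output into two, Tx2 spends three outputs into two, and a third constructed transaction that reuses an output already consumed by Tx2 is rejected. Ownership checks (signatures over the inputs) are omitted; the point is the spent/unspent bookkeeping that the linkable tag of Section 8 replaces in an anonymous setting.

```python
# Added example, not the paper's code: a minimal UTXO ledger with double-spend rejection.
# Transaction ids, amounts and addresses below are constructed for the demo.
from dataclasses import dataclass


@dataclass(frozen=True)
class Output:
    txid: str
    index: int
    amount: int
    address: str


@dataclass
class Tx:
    txid: str
    inputs: list   # (txid, index) references to outputs this tx consumes
    outputs: list  # (amount, address) pairs this tx creates


class Ledger:
    def __init__(self):
        self.utxo = {}  # (txid, index) -> Output, only outputs not yet spent

    def apply(self, tx):
        """Apply tx atomically; return None on success or a reason string on rejection."""
        seen, spent = set(), []
        for ref in tx.inputs:
            if ref in seen:                       # same output listed twice in one tx
                return f"{tx.txid}: input {ref} listed twice"
            seen.add(ref)
            out = self.utxo.get(ref)
            if out is None:                       # never existed or already consumed
                return f"{tx.txid}: input {ref} is not an unspent output"
            spent.append(out)
        if any(amount <= 0 for amount, _ in tx.outputs):
            return f"{tx.txid}: non-positive output amount"
        total_in = sum(o.amount for o in spent)
        total_out = sum(amount for amount, _ in tx.outputs)
        if total_out > total_in:                  # value must be conserved (fees allowed)
            return f"{tx.txid}: outputs {total_out} exceed inputs {total_in}"
        for ref in tx.inputs:                     # consume inputs only after every check passed
            del self.utxo[ref]
        for i, (amount, addr) in enumerate(tx.outputs):
            self.utxo[(tx.txid, i)] = Output(tx.txid, i, amount, addr)
        return None


def demo():
    """Figure 2 replayed on a constructed ledger, followed by an attempted double spend."""
    ledger = Ledger()
    ledger.utxo[("coinbase", 0)] = Output("coinbase", 0, 50, "Alice")
    ledger.utxo[("coinbase", 1)] = Output("coinbase", 1, 5, "Alice")
    tx1 = Tx("Tx1", [("coinbase", 0)], [(30, "Bob"), (20, "Alice")])                 # 1 in, 2 out
    tx2 = Tx("Tx2", [("Tx1", 1), ("Tx1", 0), ("coinbase", 1)], [(45, "Carol"), (10, "Bob")])  # 3 in, 2 out
    tx3 = Tx("Tx3", [("Tx1", 0)], [(30, "Mallory")])                                  # spends Tx1:0 again
    results = [ledger.apply(t) for t in (tx1, tx2, tx3)]
    return results, sorted(ledger.utxo)
```

`demo()` returns `[None, None, "Tx3: input ('Tx1', 0) is not an unspent output"]` together with the two surviving outputs of Tx2; the rejection happens before any state is touched, so a failed transaction never leaves half-consumed inputs behind.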

2.5. Linkable Ring Signature

The biometric cryptosystem can be found in [5] and the NIZK scheme can be found in [12]. Our definitions are in the spirit of [4, 5, 12].

Definition 3. A linkable ring signature scheme based on SKE and NIZK consists of five algorithms:
(1) : on input of the user’s biometric vector and a finite field polynomial order , output public helper data .
(2) : on input of the user’s biometric vector and public helper data , output the secret key-vectors and their corresponding public key-vectors .
(3) : on input of a message , the parameters , and the set where is a valid key pair output by and , output a signature .
(4) : on input of the purported signature , anyone can verify and output a bit .
(5) : on input of two messages as well as two signatures and , output a bit .

2.6. Complexity Assumptions and Lemma

Definition 4 (Discrete Logarithm (DL) Assumption). Given a generator of , where or , and , for every adversary , .

Definition 5 (Decision Diffie-Hellman (DDH) Assumption). Distinguish the distributions and with and . The DDH assumption is the intractability of this problem for any distinguisher.

Lemma 1 (From Liu et al. [7]). Let be an attacker and be a challenger; invokes to obtain a transcript ; if is successful, then rewinds to a header and resimulates to obtain transcript . If Pr , then Pr .

3. Security Model

Regarding security, our scheme should satisfy four fundamental properties: unforgeability, anonymity, linkability, and zero-knowledge, defined similarly to [4, 7].

Before giving the definitions, we first define the following queries. They are carried out between a challenger and an adversary , which together simulate the ability of the adversary.
(1) Hash function query: may request the values of the hash functions for any input.
(2) Key query: requests the key of a user; responds with the secret key.
(3) Signature query: submits a tuple ; outputs a signature.

3.1. Unforgeability

We give the adversary model about unforgeability, which follows a similar structure as [4, 7].

Our scheme is said to be unforgeable if any PPT adversary wins the following game with only negligible advantage.

Game I: an adversary plays a game with a challenger as follows.

Initialization: running the algorithm, obtains the public helper data and then gives it to .

Query: performs a polynomially bounded number of queries.

Forge: submits a new tuple . wins if the following conditions hold:
(1) is a legal signature.
(2) did not query the key of anyone in .
(3) did not query the tuple .

The advantage of the unforgeability is denoted by

If for any algorithm , the advantage of is negligible, we say the scheme is unforgeable.

3.2. Anonymity

Our scheme is said to be signer-anonymous if for any adversary , is negligible.

Game II: an adversary plays a game with a challenger as follows.

Initialization: it is the same as that in Game I.

Query: performs a polynomially bounded number of queries.

Challenge: outputs a new tuple . flips a coin and then returns with the signature .

Guess: outputs a bit . If , is considered to succeed with the probability of .

The anonymity advantage of our scheme is denoted by .

3.3. Linkability

If for any adversary the advantage of in the following game is negligible, our scheme is said to be linkable.

Game III: an adversary plays a game with a challenger as follows.

Initialization, Query: it is the same as that in Game I.

Unlink: outputs two valid signatures and with respect to secret keys and , respectively. wins if the following conditions hold:
(1) Verify Verify .
(2) .
(3) Link unlink.

The advantage of the linkability is denoted by .

3.4. NIZK Argument

In the ROM, if our scheme satisfies completeness, computational soundness, and zero-knowledge, our protocol is a NIZK argument where the plaintext space is .

4. Signature Scheme

4.1. Our Construction

The detailed steps of our scheme are given as follows.

Setup.

On input of , two random nonces , , parameter , a finite field polynomial which encodes the secret key , and a one-way hash function , the algorithm does as follows:
(1) Run IoM to generate vectors and , where , .
(2) Compute .
(3) For , compute , such that the secure sketch .
(4) For , compute , such that .
(5) Output the public helper data .

A formal description of this algorithm is shown in Algorithm 2.

Input: , , , ,
Output: PP = {, , , }
(1)Let , .
(2)Call to obtain
(3).
(4)for do
(5)Compute ,
(6).
(7)end
(8)Let , .
(9)return PP = {, , , }.

KeyGen.

On input of , , the public helper data with parameter , generator , and the set , the algorithm does as follows:
(1) Run to generate vectors and .
(2) For , compute , such that .
(3) For , compute while , and then add to an unlocking set .
(4) If , perform polynomial reconstruction with and output the secret key ; else repeat step 1.
(5) Run DisThreshold (, , ) to obtain and output .
(6) For , compute . The and are the public key-vectors and the secret key-vectors, respectively.

A formal description of this algorithm is shown in Algorithm 3.

Input: , , , , , .
Output: .
(1)Compute , .
(2)Let .
(3)for do
(4)Compute .
(5)if then
(6)Compute
(7)if then
(8)Let
(9)end
(10)end
(11)end
(12)Let .
(13)if then
(14)Call function to obtain
(15)Run to obtain
(16)for do
(17)Compute .
(18)end
(19)end
(20)return , .

Sign.

On input of the , generators , , the public key-matrix containing public key-vectors of length , and the user’s secret key corresponding to , we do as follows:
(1) Let , choose , compute ; ; .
(2) Compute , .
(3) For , , choose ; when , choose .
(4) For , compute the key image .
(5) When , for , compute ; .
(6) When , for , compute ; ; .
(7) When , for , compute .
(8) Output .

A formal description of this algorithm is shown in Algorithm 4.

Input: , , , , .
Output: .
(1)Let .
(2)Compute , and where
(3).
(4)Compute , .
(5)for do
(6)Choose
(7)Compute ; ;
(8);
(9)end
(10)Compute .
(11)for do
(12)for do
(13)Choose
(14)Compute ;
(15);
(16)end
(17)Compute ;
(18)end
(19)for do
(20)Compute ;
(21)end
(22)return .

Verify.
(1) The verifier computes and checks whether . If the congruence holds, return ; otherwise return .
(2) For , the verifier regenerates all the and verifies whether . If the congruence holds, return ; otherwise return .

A formal description of this algorithm is shown in Algorithm 5.

Input: ,
, .
Output: 0 or 1.
(1)Compute .
(2)if then
(3)for do
(4)for do
(5)Compute ;
(6)
(7)end
(8)Compute ;
(9)end
(10)else
(11)0
(12)end
(13)if then 1;
(14)else 0;
(15)return 0 or 1.

Link.

For a fixed set of public key-vectors, given two messages , and two valid signatures and , the verifier outputs if the key images ; otherwise the verifier outputs .
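As an added worked example (not code from the paper or from its Ring CT-derived implementation), the following Python script carries the Sign, Verify and Link algorithms above, together with a Fiat-Shamir proof of plaintext knowledge in the spirit of the NIZK protocol of Section 2.2, through a concrete run on Ed25519, the curve the paper's implementation uses. The SKE key retrieval and the XOR threshold split are out of scope here: the signing key is drawn at random. Everything not in the paper is an assumption: the ring signature is written in the LSAG form of Liu et al. [7] (as used by CryptoNote) with key image I = x·H_p(P); SHA3-256 stands in for Keccak-256 because the standard library has no Keccak; H_p is a try-and-increment hash-to-point with cofactor clearing; the message is hidden in a Pedersen commitment C = m·B + r·G2 with a second generator G2 of unknown discrete logarithm, and the ring signs the serialized commitment and proof.

```python
# Added example, not the paper's code: LSAG-style linkable ring signature over Ed25519
# signing a Pedersen commitment to the message plus a Fiat-Shamir proof of its opening.
# Assumed: SHA3-256 in place of Keccak-256; H_p = try-and-increment with cofactor clearing.
import hashlib
import secrets

q = 2**255 - 19                                      # field prime
l = 2**252 + 27742317777372353535851937790883648493  # order of the base point
d = -121665 * pow(121666, -1, q) % q                 # curve constant
SQRT_M1 = pow(2, (q - 1) // 4, q)                    # a square root of -1 mod q

def xrecover(y):                                     # even x on the curve for this y, or None
    xx = (y * y - 1) * pow(d * y * y + 1, -1, q) % q
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q:
        x = x * SQRT_M1 % q
    return None if (x * x - xx) % q else (q - x if x & 1 else x)

def add(P, Q):                                       # complete twisted Edwards addition
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, q) % q,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, q) % q)

def mul(P, e):                                       # double-and-add; (0, 1) is the identity
    R = (0, 1)
    while e:
        if e & 1:
            R = add(R, P)
        P, e = add(P, P), e >> 1
    return R

B = (xrecover(4 * pow(5, -1, q) % q), 4 * pow(5, -1, q) % q)   # Ed25519 base point

def enc(P):                                          # 32-byte encoding: y, parity of x in the top bit
    return (P[1] | (P[0] & 1) << 255).to_bytes(32, "little")

def H(*parts):                                       # byte strings and points -> scalar mod l
    h = hashlib.sha3_256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else enc(p))
    return int.from_bytes(h.digest(), "little") % l

def Hp(P):                                           # hash-to-point (assumed H_p), cofactor cleared
    for ctr in range(256):
        y = int.from_bytes(hashlib.sha3_256(enc(P) + bytes([ctr])).digest(), "little") % q
        x = xrecover(y)
        if x is not None:
            return mul((x, y), 8)
    raise ValueError("no curve point found")         # probability about 2^-256

G2 = Hp(B)                                           # second generator, discrete log unknown

def keygen():
    x = secrets.randbelow(l - 1) + 1
    return x, mul(B, x)

def commit_and_prove(m, r):
    """Pedersen commitment C = m*B + r*G2 plus a NIZK proof of knowledge of (m, r)."""
    C = add(mul(B, m), mul(G2, r))
    a, b = secrets.randbelow(l), secrets.randbelow(l)
    T = add(mul(B, a), mul(G2, b))
    c = H(C, T)                                      # Fiat-Shamir challenge replaces the verifier
    return C, (T, (a + c * m) % l, (b + c * r) % l)

def verify_opening(C, proof):
    T, zm, zr = proof
    return add(mul(B, zm), mul(G2, zr)) == add(T, mul(C, H(C, T)))

def sign(msg, ring, x, s):
    """Linkable ring signature with ring[s] == x*B; returns (key image, c_0, responses)."""
    n, I = len(ring), mul(Hp(ring[s]), x)            # key image I = x*H_p(P_s)
    alpha, c, r = secrets.randbelow(l), [0] * n, [secrets.randbelow(l) for _ in range(n)]
    c[(s + 1) % n] = H(msg, mul(B, alpha), mul(Hp(ring[s]), alpha))
    for k in range(1, n):                            # walk the ring from s+1 around to s
        i = (s + k) % n
        L = add(mul(B, r[i]), mul(ring[i], c[i]))
        R = add(mul(Hp(ring[i]), r[i]), mul(I, c[i]))
        c[(i + 1) % n] = H(msg, L, R)
    r[s] = (alpha - c[s] * x) % l                    # close the ring at the real signer
    return I, c[0], r

def verify(msg, ring, sig):
    I, c0, r = sig
    if I == (0, 1) or mul(I, l) != (0, 1):           # reject key images outside the prime-order subgroup
        return False
    c = c0
    for P, ri in zip(ring, r):
        c = H(msg, add(mul(B, ri), mul(P, c)), add(mul(Hp(P), ri), mul(I, c)))
    return c == c0

def link(sig1, sig2):
    return sig1[0] == sig2[0]                        # same key image <=> same signing key

def demo(ring_size=3, s=1):
    """Constructed run: commit, prove the opening, ring-sign with one key twice, link."""
    keys = [keygen() for _ in range(ring_size)]
    ring = [P for _, P in keys]
    m = int.from_bytes(b"send 5 coins to Bob", "little") % l
    C, proof = commit_and_prove(m, secrets.randbelow(l))
    msg = enc(C) + enc(proof[0]) + b"".join(z.to_bytes(32, "little") for z in proof[1:])
    sig1, sig2 = sign(msg, ring, keys[s][0], s), sign(b"second spend", ring, keys[s][0], s)
    return verify_opening(C, proof), verify(msg, ring, sig1), link(sig1, sig2)
```

`demo()` returns `(True, True, True)`: the opening proof verifies, the ring signature verifies against all three public keys without identifying index 1, and the two signatures from the same key share a key image even though they sign different messages. `verify()` rejects a key image that is the identity or lies outside the prime-order subgroup before walking the ring; without that check a key image carrying a small-order component can still satisfy the ring equations and yield distinct tags for one key, which is exactly the double spend the linkable tag is meant to stop (the well-known Monero key image bug). `link()` therefore compares nothing but key images.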

5. Security Analysis

In this section, the security proofs of our scheme are given; they follow the security proofs of [4, 7].

Theorem 1. In ROM, the scheme is unforgeable if DL problem is hard.

Proof. (Similar to Theorem 6 of [4] and Theorem 1 of [7].) We follow the notation introduced above. Suppose that an adversary can forge a signature with nonnegligible probability; then we can construct a simulator which extracts a solution to the DL problem. Given a random instance of the DL problem at security level , is asked to solve the DL problem in polynomial time.
First of all, maintains lists in its local storage to store the outputs of the -, -, and - queries, key queries, and sign queries, all initially empty. The interaction between and proceeds as follows:
Initialization: Running the algorithm; gives parameters.
Query: is allowed to make the following queries (it is assumed that will not repeat a query).
(1) query: maintains a list of tuples . For a request of , if contains , returns the corresponding tuple to ; otherwise, randomly chooses and returns it to ; meanwhile, it stores the tuple into list .
(2) query: maintains a list of tuples . For a request of , if contains , returns the corresponding tuple to ; otherwise, randomly chooses and returns it to ; meanwhile, it stores the tuple into list .
(3) query: maintains a list of tuples . For a request of , a set has public key-vectors and randomly chooses ; if contains , returns the corresponding tuple to ; otherwise, randomly chooses and returns it to ; meanwhile, it stores the tuple into list .
(4) Key query: for a request of , if the tuple is in list , performs the polynomial reconstruction function to generate and the secret key and returns it to . Meanwhile, stores the tuple into .
(5) Sign query: for a request of , the user’s biometric vector , and a set of public key-vectors where is the real secret index, generates a signature:
(a) Check list ; if there exists , the real secret key is .
(b) Check list ; if there exists , the secret message is .
(c) For , compute .
(d) For , choose and .
(e) When : for , choose ; compute ; compute , and add into . If a collision occurs, repeat steps 3 and 5.
(f) Output as a signature. It can be seen from the signing process that is a valid signature.
Forge: outputs a forged signature . Assume that makes no more than queries to the signing oracles and .
From Lemma 1, for each successful forgery that completes with transcript , there are queries to matching the queries used to verify the signature. Let denote the forgery and let be the index of the last verification query; we have .
If , produces an attempted forgery that is an -forgery. By assumption, there exists for giving a successful forgery; satisfies
Then, rewinds before the query and again attempts a forgery on the same set of keys that satisfies
and is also a successful forgery, where is a polynomial in the security parameter .
Therefore, the probability that both and correspond to verifying forgeries and is nonnegligible:
In this way, we again obtain a forged signature . For each , we have , and we can solve as
which contradicts the DL assumption.

Theorem 2. In ROM, the proposed scheme is signer-anonymous under the DDH assumption.

Proof (similar to Theorem 8 of [4]). Assume that the DDH problem is hard in the cyclic group generated by , and suppose there exists a PPT adversary against signer ambiguity. Then, given a set of public key-vectors of length , a set of biometric vectors , and a valid signature on signed by a user with respect to a key-vector whose corresponding biometric vector satisfies , can win the game above with probability
for some polynomial . We can construct a simulator which takes as input a tuple , where is randomly chosen and not known a priori to , , and is a random scalar; then can output and solve the DDH problem with probability
for some polynomial .
On input of scalars , the user’s biometric vector , a set of public key-vectors of length , index , and message , we proceed as follows.
Initialization, Query: it is the same as that in Theorem 1.
Challenge: submits a new tuple , where the public key-vectors corresponding to are in . flips a coin and then returns with the signature .
Guess: outputs a bit .
Given a tuple where are randomly selected scalars, with , is a random scalar, , takes the following steps to solve the DDH problem with nonnegligible probability.
Firstly, grabs a key-vector pair from and a random and computes . Then, performs SIMNIZKP [4] with arbitrarily selected key-vectors such that , , , some message , and .
If , then ; and due to the fact that is assumed to be able to find with nonnegligible probability, then there is a nonnegligible probability over that returns 1 (upon which returns 1). Meanwhile, if , then returns 1 only with probability , and so for some nonnegligible probability over , returns the same value as and thus solves the DDH problem for randomly chosen scalars with nonnegligible probability over , which is a contradiction.

Theorem 3. In ROM, our scheme satisfies linkability.

Proof (similar to Theorem 7 of [4]). We show that the probability that an adversary produces two unlinkable signatures and , signed with respect to public key-matrices and that share a public key, is negligible.
Suppose to the contrary that and are both signed with respect to public key-matrices and such that there exists a public key in both and . Then with overwhelming probability there exist indices and for that public key in and , respectively, such that
Thus, we have
For and , it follows that and ; the private key is related to the user’s biometric vector within . In this way, the two signatures and include the same ; since duplicate key images are rejected, one of them must not verify.

Theorem 4. In ROM, our scheme is a NIZK argument of plaintext knowledge.

Proof. The scheme above satisfies completeness, computational soundness, and zero-knowledge; the proofs follow the procedure described in [12].

6. Efficiency Analysis

In this section, we give a brief efficiency comparison between our scheme and those of [4, 10]. The communication complexity of our scheme is approximately , where is the number of public key-vectors in each set. As shown in [4], the communication complexity of that scheme is also . In contrast, it is in [10].

As shown in Table 2, the time and communication costs of our scheme are larger than those of [4, 10]. However, our scheme builds a linkable ring signature on the NIZK and SKE protocols to strengthen privacy protection, which is its vital improvement.

Notation for Table 2: : the number of public key-vectors in each set; : the length of each public key-vector; : the length of an element in ; : an exponentiation in group ; : an exponentiation in group ; : an exponentiation in group ; : a bilinear pairing operation; : a map-to-point hash function; : the output size of the hash function H; : the length of an element in group , and similarly for and .

7. Experiments and Discussion

In this section, we present a simple demonstration of our scheme by using Python.

7.1. Parameters

To obtain fingerprint vectors, we convert fingerprint images into fingerprint vectors in several sequential stages: acquiring the fingerprint image, preprocessing, and taking attribute values for the feature key points. For each user, one fingerprint vector is used for , and other fingerprint vectors from the same user are used to retrieve the secret key with the KeyGen procedure described in Section 4.

In order to preserve accuracy at the same level as the original fingerprint results in [5], we choose SKE parameters that keep FAR, FRR, and EER within a suitable range in our experiments. These parameters also give a theoretically favorable level of computational security against brute-force and false-accept attacks. For all experiments, we choose , , for the dataset (FVC 2002 subsets DB1 and DB2) with .

For the signing process, we extend the original Ring CT code [4] by adding the SKE and NIZK protocols, obtaining a new implementation of our scheme. Specifically, we use the Keccak-256 hash function to generate the secret and public keys and use the same elliptic curve parameters as Ed25519. We ran the implementation on an Intel Core i GHz with 4 GB RAM under macOS 10.13.6. Each element in is represented by 32 bytes.

7.2. Experimental Results

For a small ring size, we repeat the signing and verification process separately with and . The experimental results are presented in Table 3.

For a relatively large ring size, we repeat the signing and verification process; the experimental results are presented in Figure 3.

As shown in Figure 3, the signing time of our scheme increases linearly with the number of ring members. Meanwhile, the running times of the signing and verification processes are almost the same, which also follows from the construction of our scheme.

As shown in Table 3, for a small ring size the simulation can be carried out on an ordinary personal computer. The results may deviate somewhat on different hardware, but overall they represent the behaviour of our scheme on our personal computer. This is useful for the mobile demonstration in Section 8. According to the experimental results above, our scheme can meet the needs of practical applications.

8. Anonymous Cryptocurrency Transaction Model Based on LRS Scheme

Based on the proposed scheme and the demonstration above, we propose a relatively private cryptocurrency model. Based on the experimental results on the PC and this model, we design a mobile simulation interface, which suggests that the scheme may have practical value on mobile phones.

In the transaction schematics (Figure 4), we suppose that Alice sends money to Bob. In this process, Alice’s anonymity is protected by the ring signature and the NIZK protocol. A one-time address is used to protect Bob’s anonymity. Moreover, we use the SKE algorithm to protect the secret key on both sides and use the linkable tag to prevent double spending.
(1) During the registration phase (Figure 5(a)), while Alice enters her personal information and password as prompted, she also takes a fingerprint photo. On this input, the system runs the biometric encryption algorithm SKE to encrypt Alice’s password; in other words, the system runs the algorithm and stores the public helper data PP.
(2) On the login page (Figure 5(b)), Alice uses a fresh fingerprint to unlock the interface. On input of the new fingerprint (the query biometric vector of Section 2.1), the system runs the algorithm to recover the password through the public helper data PP stored in step 1. Bob does the same.
(3) As shown in Figure 5(c), Alice transfers money to Bob. For the multilayer ring signature scheme, Alice chooses the number ; it may be indicated in the remarks column, if there is one. Finally, Alice clicks the sign button to sign this transaction. The system generates a one-time address for Bob, such that no one other than Bob (including Alice) can recover the full signing key. Then, the system selects addresses holding the equivalent amount of currency, feeds all of Alice’s previous transactions into a hash function, and obtains the hash value. Using the NIZK algorithm stated above to blind the message in Figure 4(c), the system runs the signature algorithm to obtain . Finally, the system generates a transaction Tx and broadcasts it throughout the P2P network (Figure 5(d)).
(4) In the verification phase (Figure 5(e)), everyone in the P2P network can verify the transaction without learning the plain message.

However, we do not use an authentication mechanism in the registration phase, which weakens the security of the cryptocurrency transaction model. To deal with this issue, we consider using the following two-factor or three-factor authentication mechanisms. Stanislaw et al. [23] presented a secure two-factor authentication system based on the user’s possession of a password and a crypto-capable device, which achieves end-to-end security. Qiu et al. [24] put forward a provably secure three-factor protocol for mobile lightweight devices, which achieves true three-factor security while keeping password changes user-friendly. Wang et al. [25] advanced a new two-factor authentication mechanism to resolve the various issues arising from user corruption and server compromise. Jiang et al. [26] proposed a cloud-centric three-factor authentication and key agreement protocol integrating passwords, biometrics, and smart cards to ensure secure access to both the cloud and autonomous vehicles.

9. Conclusion

In this paper, we construct a linkable ring signature scheme based on the NIZK and SKE protocols to strengthen privacy protection. In our signature scheme, we use the SKE algorithm to protect the secret key. Simultaneously, we use the NIZK protocol to hide the plain message without revealing additional information about it during verification. The NIZK protocol we use satisfies three characteristics: completeness, soundness, and zero-knowledge. At the same time, our scheme holds unforgeability, anonymity, and linkability in the ROM. We also demonstrate the practical performance of our scheme on a personal computer. The results give us strong confidence in applying our scheme in practice.

However, since we apply the SKE and NIZK protocols to the original Ring CT scheme to encrypt the secret key and the message, the running time and communication cost of our scheme have increased slightly. Although our signature scheme may meet a real need, we will improve it to reduce the running time and communication cost in future work. In addition, the security of our scheme rests on the hardness of the DL problem, which is vulnerable to quantum attacks. In future research, we will redesign our scheme on post-quantum cryptography.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This research was partially supported by the Key Program of the Nature Science Foundation of Zhejiang Province of China (no. LZ17F020002) and the National Science Foundation of China (no. 61772166).