BSCI Session 1
Review of Techniques for Privacy-Preserving
Blockchain Systems
Abylay Satybaldy
abylay.satybaldy@ntnu.no
Norwegian University of Science and Technology
Gjøvik, Innland, Norway
ABSTRACT
Privacy plays a central role in many application domains that utilize
blockchain technology. It is central in Personal Data Management,
Electronic Health records, or systems that interact with any public
institution. However, blockchains are subject to potential privacy
issues such as transaction linkability, compliance with data protec-
tion regulations, on-chain data privacy, and malicious smart con-
tracts. To deal with these challenges, novel privacy-preserving solu-
tions based on crypto-privacy techniques are emerging. The goal of
this survey is to provide insights into the privacy-preserving tech-
niques associated with blockchain. We analyse the existing privacy-
preserving mechanisms for blockchain and propose a framework
that categorizes the main techniques examined. Furthermore, we
summarize some typical applications of blockchain where the pri-
vacy protection is the main requirement.
CCS CONCEPTS
• General and reference → Surveys and overviews; Evaluation;
• Security and privacy → Cryptography; Privacy-preserving
protocols; Cryptanalysis and other attacks; • Software and
its engineering → Peer-to-peer architectures; • Social and pro-
fessional topics → Identity theft.
KEYWORDS
blockchain technology, privacy-preserving techniques, cryptographic
protocols, self-sovereign identity, anonymous systems
ACM Reference Format:
Abylay Satybaldy and Mariusz Nowostawski. 2020. Review of Techniques
for Privacy-Preserving Blockchain Systems. In Proceedings of the 2nd ACM
International Symposium on Blockchain and Secure Critical Infrastructure
(BSCI ’20), October 6, 2020, Taipei, Taiwan. ACM, New York, NY, USA, 9 pages.
https://doi.org/10.1145/3384943.3409416
1 INTRODUCTION
Blockchain technology is a recent breakthrough of secure comput-
ing without centralized authority in an open networked system.
Originally invented as the underlying infrastructure of Bitcoin [60],
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for profit or commercial advantage and that copies bear this notice and the full citation
on the first page. Copyrights for components of this work owned by others than ACM
must be honored. Abstracting with credit is permitted. To copy otherwise, or republish,
to post on servers or to redistribute to lists, requires prior specific permission and/or a
fee. Request permissions from permissions@acm.org.
BSCI ’20, October 6, 2020, Taipei, Taiwan
© 2020 Association for Computing Machinery.
ACM ISBN 978-1-4503-7610-5/20/10. . . $15.00
https://doi.org/10.1145/3384943.3409416
1
BSCI '20, October 6, 2020, Taipei, Taiwan
Mariusz Nowostawski
mariusz.nowostawski@ntnu.no
Norwegian University of Science and Technology
Gjøvik, Innland, Norway
blockchain’s potential application has reached far beyond cryp-
tocurrency and financial assets. As the technology gained wider
recognition in recent years, there has been a number of advance-
ments, new use cases and diverse novel applications. The blockchain
has high-impact potential in many different applications ranging
from cryptocurrencies and digital assets, to eHealth, identity man-
agement, supply chain, and data provenance.
However, there are a number of privacy challenges that appear in
the application of blockchain technology in different domains. The
main issues arising are the transaction linkability, compliance with
data protection regulations, on-chain data privacy, and malicious
smart contracts. To cope with these challenges, many researchers,
both in academia and industry, have been proposing different solu-
tions to improve the privacy and security of blockchain systems.
There are many published reviews associated with blockchain
and its future trends and most of the articles [52, 71, 95] discuss
the security and privacy challenges of this promising technology.
There are other surveys that consider privacy issues and solutions
but they mainly focus on cryptocurrencies [11, 21] and anonymity
issues in transactions [31]. Our review paper targets a broader
scope and examines privacy-preserving technologies employed in
different blockchain scenarios. As a result, we hope to gain a more
in-depth understanding of the current state-of-the-art, and identify
the limitations of existing privacy-preserving schemes.
In this article, we present a systematic review of the privacy-
preserving approaches and techniques that are used to overcome
the privacy challenges related to the blockchain technology. The
contributions of the article are multi-fold: 1) review the current
state-of-the-art and present the main privacy-preserving techniques
for blockchain, 2) analyze privacy-preserving mechanisms based
on their use cases in blockchain, 3) propose a framework that
categorizes the main techniques examined, and finally, 4) intro-
duce the main scenarios that can benefit from a privacy-preserving
blockchain.
The rest of the paper is organized as follows. In Section 2, we
present the results of a structured literature review that introduces
the main privacy-preserving technologies for blockchain and pro-
vides a detailed analysis. Section 3 classifies and compares privacy-
preserving mechanisms. Moreover, we summarize the applications
which require privacy-preserving blockchains and identify open
research challenges in Section 4. Finally, the conclusions are drawn
in Section 5.
2 PRIVACY-PRESERVING TECHNIQUES
In this section, we present a comprehensive overview of privacy-
preserving techniques that can be leveraged to enhance the privacy
and security of existing and future blockchain systems.
BSCI Session 1
2.1 Zero-knowledge proofs
Zero-knowledge proofs (ZKPs) [48] and arguments [15] are inter-
active protocols between a prover and a verifier, which informally
yield no knowledge except for the validity of the assertion. The orig-
inal formal definition of zero-knowledge considered a very minimal
context, and almost immediately, unexpected problems emerged
when attempting to apply the notion of zero-knowledge to more
practical contexts; the notion of zero-knowledge has been refined
accordingly. For example, to make zero-knowledge closed under
sequential composition, a number of researchers [48, 63, 87] have
proposed a modified definition, known as auxiliary zero-knowledge.
ZKPs have proven useful both in cryptography and complex-
ity theory. For example, in cryptography, zero-knowledge proofs
have played a major role in the proven completeness theorem for
protocols with honest majority [44]. In complexity theory, zero-
knowledge provides an avenue to demonstrate that certain lan-
guages are not NP-complete [13].
The following are the properties that are to be satisfied by a
zero-knowledge proof system:
(1) Correctness. For a statement s ∈ L (where L is a language in
N P) with given w as witness, the verifier will always accept
the proof, if the statement is true.
(2) Soundness. If the statement is false, a fraudulent prover
cannot convince an honest verifier that it is true, even
though he/she has infinite computational power.
(3) Zero-knowledge. A fraudulent verifier will not learn anything
about the statement other than the truthfulness of the state-
ment. The proof π given by the prover will not be sufficient
for the verifier to get the witness w.
Recently, zero-knowledge research has focused on achieving
an additional property, succinctness, requiring the proof to be very
short and easy to verify [6, 79, 91]. The succinctness property would
be quite desirable and it can play a vital role in several security
applications. The succinctness property can also help in reducing
the scalability problem faced in the earlier systems, due to their
space complexity [7].
There are several zero-knowledge proof systems, such
as interactive zero-knowledge [43, 45], non-interactive zero-
knowledge [6, 8], constant-round zero-knowledge [42], concurrent
zero-knowledge [25, 65, 74], resettable zero-knowledge [19, 37],
leakage-resilient zero-knowledge [38], multiple non-interactive
zero-knowledge [30].
Blockchain with ZKPs. There is considerable interest, both in
academia and industry, to preserve the privacy of users in
blockchain systems by applying different variants of zero-
knowledge proofs. One application of zero-knowledge proofs in the
blockchain are the anonymous credentials for identity management
systems. The public blockchains used in blockchain-based identity
systems can expose some personal information of users. There-
fore, a new privacy preserving scheme based on zero-knowledge
proofs and decentralized identifiers (DIDs) [72] was introduced by
Sovrin [84]. The proposed identity system enables the creation of
2
BSCI '20, October 6, 2020, Taipei, Taiwan
unlinkable pseudonyms and a selective disclosure of attributes and
sensitive personal information.
Since 2013, academic researchers have proposed to implement
succinct non-interactive zero-knowledge protocols including zk-
Garbled Circuits [51], Pinocchio [66], zk-SNARKs [6], zk-STARKs
[5], Bulletproofs [16], and ZKBoo [41]. The main objective of these
schemes is to allow completely anonymous currency transactions
with the use of a blockchain network. However, due to the complex-
ity of these schemes, only two, Bulletproofs and zk-SNARKs, are
implemented in Monero [89] and Zcash [80] systems, respectively.
Recently, Cornell Blockchain group created ZoKrates toolbox[22,
27] which is used to integrate zk-SNARKs into Ethereum by creat-
ing pre-compiled smart contracts with built-in verification. More
specifically, they introduced an off-chaining model for computa-
tions based on zero-knowledge verifiable computation schemes
to address the challenges of scalability and privacy in Ethereum
network.
Example. We want to explain the basic mechanism of zk-SNARK.
The protocol consists of three algorithms G, P, V defined as follows:
• The key generator G takes a secret parameter λ and a pro-
gram C, and generates two publicly available keys, a proving
key pk , and a verification key vk . These keys are public pa-
rameters that only need to be generated once for a given
program C.
• The prover P takes as input the proving key pk , a public
input s and a private witness w. The algorithm generates a
proof π = P(pk , s, w) that the prover knows a witness w and
that the witness satisfies the program.
• The verifier V computes V (vk , s, π ) which returns true if
the proof is correct, and false otherwise. Thus this func-
tion returns true if the prover knows a witness w satisfying
C(s, w) == true.
Note, here the secret parameter λ can be used to generate fake
proofs. Specifically, given any program C and public input s a per-
son who knows λ can generate a fake proof π f such that V (vk , s, π f )
evaluates to true without knowledge of the secret w. Thus running
the generator requires a very secure process to make sure no-one
learns the secret parameter. This was the reason for the design of
specific protocol based on multi-party computation (MPC) by Zcash
team [32] which allows multiple independent parties to collabora-
tively construct the parameters and ensures that the "toxic waste"
parameter λ is destroyed in the process.
2.2 Secure multi-party computation
Since its introduction by Andrew Yao in the 1980s, multi-party com-
putation has developed from a theoretical curiosity to an important
tool for building large-scale privacy-preserving distributed applica-
tions [69]. Secure multi-party computation (SMPC) enables a group
to jointly perform a computation without disclosing any of the
participants’ private inputs. The participants agree on a function
to compute, and then can use an SMPC protocol to jointly compute
the output of that function on their secret inputs without revealing
them. SMPC can be described as n participants P 1 , P 2 , · · ·, Pn , where
party Pi only knows his own input x i , to jointly computing task
f (x 1 , x 2 , · · · , x n ) = (y1 , y2 , · · · , yn ) (1)
BSCI Session 1
in such a way that party Pi only learns his own output yi . SMPC
has the following two security requirements:
• Privacy: participant P j cannot get any other input x i (j , i).
• Consistency: all honest participants can finally get the same
output result y1 = y2 = · · · = yn .
While many single purpose SMPC protocols were proposed, the
main interest was in the creation of a general purpose framework
which allows the computation of arbitrary functions. Basic con-
cepts were identified which allowed approaching this aim, most
notably garbled circuits, homomorphic encryption and secret shar-
ing schemes [29, 90]. Its theory flourished early in the 80âĂŹs while
implementations have only been developed in the last decade. A few
examples include privacy-preserving network security monitoring,
privacy-preserving data analysis systems, and anonymously shar-
ing cyber-crime evidence [3, 54]. The first large-scale deployment
of MPC was in 2008 for an actual auction problem in Denmark [9].
Despite the extensive SMPC-optimization researches proposed
recently, there are still unsolved challenges. Examples of these
problems include implementing more efficient and faster SMPC
protocols for large datasets, building confidence and correctness in
the system that will execute the protocol, and securing the confiden-
tial processing of data. Moreover, while the use of SMPC solutions
reduces the risk of large-scale data leakage, it complicates analysis
of potential data leakage and statistical studies that require linking
data over multiple databases. Depending on the SMPC protocol
design and the number of parties involved, computing power, tim-
ing and bandwidth use can still be potential constraints. Recently,
several multi-party computation techniques have been proposed tar-
geting resource-efficiency (in terms of bandwidth, computation, and
latency) for large networks. Although much theoretical progress
has been made to achieve scalability, practical progress is slow.
In particular, most known schemes suffer from either poor or un-
known communication and computation costs when used in real
practical contexts [78].
Blockchain with SMPC. Due to its privacy-preserving character-
istics SMPC can be used as baseline to enhance the security and
privacy of blockchain systems. Andrychowicz et al. [2] designed and
implemented secure multi-party computation protocols on Bitcoin
system in 2014. They constructed protocols for secure multi-party
lotteries without any trusted authority. Their protocols are able to
guarantee fairness for the honest users regardless of how dishonest
ones behave. If a user violates or interferes with the protocol, then
he will be penalized financially.
A decentralized secure multi-party computation platform, called
Enigma, is proposed by Zyskind et al. in 2015 [83]. By using an
advanced version of SMPC, Enigma employs a verifiable secret
sharing scheme to guarantee privacy of its computational model.
Enigma encodes shared secret data using a modified distributed
hash table for efficient storage. Moreover, it leverages an external
blockchain as a corruption-resistant recording of events and the
regulator of the peer to peer network for identity management
and access control. Similar to Bitcoin system, Enigma provides au-
tonomous control and protection of personal data while eliminating
the necessity and dependency of a trusted third party.
In [97], the authors use SMPC to implement secure smart con-
tract system which achieves privacy protection for contract data
3
BSCI '20, October 6, 2020, Taipei, Taiwan
and parties’ inputs. Moreover, the proposed system guarantees the
correctness and consistency of contract execution results even if
the attacker corrupts several participants. The proposed smart con-
tract model is evaluated by simulation experiments with private
currency transfers, and the results indicate the system is efficient
and secure enough for common smart contracts.
2.3 Homomorphic encryption
The term homomorphism was used for the first time by Rivest et
al. [75] in 1978 as a possible solution to the computing without
decrypting problem. This fundamental research [75] has led to
numerous attempts by researchers around the world to design such
a homomorphic scheme with a larger set of operations. However, for
a long time proposed homomorphic encryption schemes have only
allowed simple computations on encrypted data. For example, the
encryption systems of Goldwasser and Micali [46], El Gamal [28],
Cohen and Fischer [20], and Paillier [64] support either adding or
multiplying encrypted ciphertexts, but not both operations at the
same time. Boneh et al. [10] were the first to construct a scheme
capable of performing both operations at the same time. Their
scheme can handle an arbitrary number of additions but just one
multiplication. In 2009, Gentry presented in his seminal work [39]
how to build the first fully homomorphic encryption (FHE) scheme.
FHE allows an unlimited number of operations for an unlimited
number of times. However, limitations on the efficiency of the FHE
schemes prompt researchers to find the somewhat homomorphic
encryption (SWHE) schemes that can be good enough to use in real-
world applications [1, 59]. SWHE schemes, which support a limited
number of homomorphic operations, can be much faster, and more
compact than FHE schemes. For example, the most recent solution
of Brakerski and Vaikuntanathan [14] is efficient and simple, it has
short ciphertexts, and its security is based on the standard learning
with errors LW E assumption [53]. Moreover, IBM recently released
FHE toolkit for MacOS, Linux and iOS/Android platforms [50]. This
will definitely make these concepts less abstract and more concrete,
and bring FHE technology into the hands of early adopters who
want to integrate it into real-world applications.
Blockchain with homomorphic encryption. There is an extensive in-
terest in applying the homomorphic encryption in the blockchain-
based systems to provide data privacy and secure access model.
Typical homomorphic cryptographic schemes which could be used
to protect privacy of blockchain include the Pedersen commit-
ment scheme [67] (which will be discussed in the next section),
Goldwasser-Micali encryption scheme [47] and Paillier cryptosys-
tem [64]. According to Yaji et al. [92], these homomorphic encryp-
tion schemes can enhance blockchain technology and make it more
suitable for security and privacy based applications. They experi-
mentally proved that some attacks such as collision, preimage and
attack on the digital wallet can be avoided through encrypting block
using Goldwasser-Micali and Paillier encryption schemes. More-
over, Paillier homomorphic encryption was used by Ghadamyari
et al. [40] to implement privacy-preserving data access model for
private blockchains which was used to perform statistical analysis
on encrypted health data stored on-chain. Similarly, She et al. [82]
designed an algorithm based on Paillier scheme which encrypts
sensitive data of all gateway peers before uploading them to the
BSCI Session 1
consortium blockchain. After homomorphic encryption processing
the network participants can validate the security of sensitive data
in a privacy-preserving manner.
2.4 Commitment schemes
A commitment scheme [15] is a cryptographic mechanism which
allows one to keep a piece of data secret and commit to it by pub-
lishing a hash of the data. A blinding factor [17] can be added when
the data size is short (e.g. a number) to minimize the risk of the data
being unmasked by brute force search. Having committed to the
piece of data by publishing the hash, the publisher can later reveal
both the blinding factor and the data, allowing others to verify that
the hash of the blinding factor and data matches the hash that they
published.
Furthermore, a commitment scheme can be based on, either
unconditional binding (Alice cannot open the commitment value
to a different value than the original one) or unconditional hiding
(Bob cannot guess to what value Alice committed) [68].
Blockchain with commitment schemes. The use of Pedersen commit-
ments [67] as a means of concealing the amount being transferred
in a Bitcoin transaction was first proposed by Adam Back in Octo-
ber 2013 [4]. It was subsequently formalized by Greg Maxwell [57]
under the name Confidential Transactions and was implemented in
Monero [58] and Blockstream’s Elements project [70].
Confidential transactions leverage the additive homomorphic
qualities of elliptic curve cryptography public keys, to prove that
the inputs and the outputs of a confidential transaction sum to zero.
Range proofs are a cryptographic mechanism used to prove that
a value lies within a certain range, without revealing the value. In
confidential transactions, they are used to prove that none of the
outputs is negative, which would otherwise allow the sender to
create money out of thin air.
The sender discloses the value of the transaction and the blinding
factor they used to the receiver, who can then verify the value of
the transaction. The receiver then has the option of using the confi-
dential value he has just received in a new confidential transaction.
The Pedersen commitment allows the concealed value to be spent
without revealing it.
Because confidential transactions only conceal the amount being
transferred, information leakage can theoretically occur if knowl-
edge that a specific transaction has taken place can be correlated
with the creation of a transaction on a blockchain.
2.5 Mixing
A mixing mechanism, first proposed by Chaum [18] in 1981, enables
hiding the information about the sender and the receiver as well as
the content of the communication.
Assume that one entity wants to send a message M to another
entity at address A. First, the sender will encrypt M with the re-
ceiver’s public key K A , append the address A, and then encrypt the
result with the intermediary’s public key K I . The left-hand of the
following expression denotes the ciphertext, which is passed to an
intermediary:
K I (n 0 , K A (n 1 , M), A) −→ K A (n 1 , M), A (2)
4
BSCI '20, October 6, 2020, Taipei, Taiwan
The right-hand side is another ciphertext transformed by the
intermediary. This transformation performs a decryption on the
original ciphertext by the intermediary with its private key. Then
the intermediary delivers the sub-ciphertext to A who then decrypts
it with his/her own private key. It is to note that n 0 and n 1 are
random numbers which ensure that no message is transferred more
than once.
When the intermediary gets many inputs and outputs, this mech-
anism will hide the correspondence between each message’s origin
and destination. The order of arrival is hidden by outputting the uni-
formly sized items in random patterns. Additionally, to minimize
the danger of the single intermediary being the attacker, multi-
ple intermediaries can be linked together thereby creating a mix
cascade.
Blockchain with Mixing. Over the last few years, various mixing
services have been developed and integrated into the blockchain
network to obfuscate the transaction history and reduce the risk
of de-anonymization. Mixing divide usersâĂŹ funds into smaller
parts; then, these parts are randomly mixed to make users and
transactions unlinkable.
Gregory Maxwell introduced a third party-based mixing protocol
for Bitcoin called CoinSwap [56]. The general flow of this protocol
is that many senders deliver transactions to many receivers with a
mixer acting as the intermediary. All the transactions between the
sender & mixer and the mixer & receiver are escrow transactions
that are protected by hash-lock and can only be spent by corre-
sponding redeeming transactions. This lock mechanism ensures
that no one can steal the user’s assets. However, the transactions
are sent in plaintext, the mixer can still track all the transaction
pairs and all the transactions’ information between them.
Mixcoin [12] was proposed by Bonneau et al. in 2014, which
uses a signature-based accountability mechanism to expose theft
so that users are able to unambiguously prove if the mixer has
misbehaved. Malicious operations will quickly have the mixer’s
reputation destroyed. Similar to CoinSwap, in this system mixer
can de-anonymize its users if it stores sufficient transaction records.
The weak point in the mixing services described above is the
third-party mixer who needs to be trusted. Coinjoin [55] is a mixing
technique that removes the third-party requirement. Coinjoin uses
the property that a single transaction can have multiple inputs
and multiple outputs. The joint transaction mixes the link between
inputs and outputs so that the exact direction of data flow will be
kept unknown to the other peers.
However, CoinJoin has a significant drawback as it lacks internal
unlinkability which means that participants will know the details
about the joint transaction, including the destinations of the trans-
actions with which the senders’ addresses are paired. This increases
the likelihood of a Sybil attack as the number of available partici-
pants increases. To achieve the internal unlinkability, CoinShuffle
was proposed by Ruffing et al. [77]. It utilizes an anonymous group
communication protocol to hide the participants’ identities from
each other. This method achieves the internal unlinkability by the
simple trick of layered encryption. However, this is achieved at the
cost of high communication and computational overhead.
In short, mixing services are relatively simple methods for pri-
vacy protection in blockchain. Most of them are compatible with
BSCI Session 1
existing blockchain networks without any particular consensus
mechanism, which means they need less resources to be imple-
mented. Furthermore, combined with a proper defensive technique,
mixing services can provide acceptable privacy protection.
2.6 Ring signature
Ring signature was initially designed by Rivest et al. [76] as a digital
signature that can be used to generate a valid but anonymous
signature from a group of possible signers without telling which
member actually produced the signature.
Figure 1: Ring signature anonymity
As shown in Figure 1, in a ring architecture, User As chooses
a set of participants including himself/herself and creates a ring
{A0 , A1 , . . . , An }. Each participant has a public key from a standard
signature scheme (e.g., RSA, ECDSA). User As signs a message with
his/her private key (S As ) and all the public keys (PA0 , · · ·, PAs , · ·
·, PAn ) of the members in the ring. The verifier can tell that one from
the set has signed the message but does not know who is the actual
signer. Therefore, this signature provides complete anonymity for
the signer.
One of the modified versions of ring signatures is the traceable
ring signature [33, 34]. This type of ring signature can detect if
two signatures were produced by the same user. Therefore, the
traceable ring signature can suit to many applications, such as an
anonymous voting and payment systems.
Blockchain with ring signature. The properties of anonymity and
unlinkability have led to the development of several ring-based
privacy preservation protocols for blockchain [61, 85, 88].
The use of ring signatures to conceal the origin of a blockchain
transaction was first described as part of the CryptoNote protocol,
first released in December 2012 and updated in October 2013, by
Nicolas van Saberhagen. The proposed protocol leverages trace-
able ring signatures which allows a user to sign only one valid
transaction with one private key.
With CryptoNote, a "key image" (effectively a hash of the private
key the signer used) is added to the transaction. Any attempt to
double-spend will result in the same key image being used. Nodes
maintain a list of all the key images ever used and reject any new
transactions where the key image has been used previously. A side-
effect of this approach is that addresses must never be reused. If
they are, only one of the transactions sent to that address would
5
BSCI '20, October 6, 2020, Taipei, Taiwan
be spendable. Moreover, the CryptoNote protocol is vulnerable to
analysis attacks based on the transaction amount.
A modification of the CryptoNote is Ring Confidential Trans-
actions (RinдCT ) proposed by Noether et al. [61]. The proposed
mechanism also conceals the amount being transferred by using
Greg Maxwell’s confidential transaction described above. To be
effective in concealing the source of a transaction, RinдCT rely on
the ability of the sender to find other keys holding the same amount
of funds in order to create the group of keys required to generate
the ring signature. The larger the group, the better; small groups
can facilitate transaction graph analysis. The most successful im-
plementation of this approach to date is the cryptocurrency named
Monero [85].
2.7 Differential Privacy
In 2006 the term differential privacy was coined by Cynthia
Dwork. She proposed a new definition of privacy as differential
privacy [24]. Differential privacy gives a mathematical proof that
individuals’ privacy will be preserved. It assures that the adversary
will not know anything new about an individual than it new
before working on the database. If there are two adjacent databases
D 1 and D 2 differing in just one record the probability of output
will be almost the same. The adversary cannot tell if it is coming
from D 1 or D 2 , hence the privacy is preserved and also with
the help of auxiliary information he/she can determine nothing new.
Differential Privacy definition. A randomized algorithm M
gives ϵ-differential privacy if for all data sets D 1 and D 2 differing
on at most one element, and all S ⊆ Range(M) [26],
Pr [M(D 1 ) ⊆ S] ≤ exp(ϵ) · Pr [M(D 2 ) ⊆ S], (3)
where the probability space is over the coin flips of the mechanism
M and ϵ is the privacy budget. A mechanism M satisfying this defi-
nition addresses concerns that any participant might have about
the leakage of her personal information x: even if the participant
removed her data from the data set, no outputs (and thus conse-
quences of outputs) would become significantly more or less likely.
For example, the presence or absence of an individual in a database
should not significantly affect their chance of receiving insurance
coverage.
Differential privacy has been applied to a wide range disparate
data sets and applications. One way that it has been applied is for
privacy preservation during location pattern mining [49]. The au-
thors of the paper propose an algorithm that provides differential
privacy for location pattern mining data sets. To achieve practical
differential privacy, they distribute the desired level for differen-
tial privacy to different steps. Health data is another area where
there is a push for differential privacy. Dankar and El Emam [23]
outline a number of characteristics that need to be considered in
a practical mechanism used to preserve privacy. While some of
their concerns are technological, and some are more social, these
concerns must all be considered before a practical health data dif-
ferential privacy system is developed and used to actually protect
the general publicâĂŹs private data.
Differential privacy is a relatively new privacy ensuring mech-
anism, but as the number and volume of databases with private
BSCI Session 1
Figure 2: Taxonomy of privacy-preserving techniques for blockchain.
data continues to grow, this will continue to be a powerful and
important tool.
Blockchain with differential privacy. In blockchain, differential pri-
vacy is applicable for accessing private databases via queries that
aggregate the data, and also to receive the user’s data with statisti-
cal variations from the sources while guaranteeing chosen privacy
levels for users. The first scenario is mainly applicable for private
blockchains that allow third-parties to use their anonymized data.
The second case is applicable to sensor’s data collecting blockchains,
where the whole chain can be used for statistical analysis, but a
single transaction has statistically shifted data.
Differential privacy is being applied to blockchain to protect
user’s privacy in different scenarios. For instance, in [94] authors
employ differential privacy to avoid an adversary can infer sensitive
personal information when performing federated learning, using
the blockchain to record crowd-sourcing activities. Gai et al. [36]
propose blockchain-based data-sharing approach which allows data
owners to control anonymization processes, as well as to prevent
information on blocks from data mining-based attacks.
3 CLASSIFICATION OF
PRIVACY-PRESERVING TECHNIQUES
Based on the results of conducted literature review we can now cate-
gorize privacy-preserving techniques to three main areas according
to their use case. The first category is Identity Data Anonymization
that groups the privacy-preserving mechanisms used to conceal
the user’s personal identity information. These techniques include
ZKPs which enable the creation of unlinkable pseudonyms and
a selective disclosure of attributes, Mixing (to conceal the sender,
receiver), and Ring Signatures that can be used to anonymize signer.
The second area comprises the techniques that protect privacy
of the contents of the blockchain transactions. Transaction Data
Anonymization techniques are Mixing which enables unlinkable
6
BSCI '20, October 6, 2020, Taipei, Taiwan
transactions, Differential Privacy that anonymizes on-chain trans-
actions when accessing data via queries, Commitment schemes and
Homomorphic Hiding (e.g. can be used to conceal the amount being
transferred). The third category is privacy-preservation of Smart
Contracts by using SMPC techniques and ZKPs.
The resultant taxonomy of privacy-preserving techniques in
blockchain is illustrated in Figure 2. Some techniques such as Mix-
ing and ZKPs are being applied to achieve anonymization of both
identity and transaction data.
4 PRIVACY-PRESERVING BLOCKCHAIN
APPLICATIONS
This section describes the main blockchain use cases that require
privacy-preserving techniques. In particular, we discuss the role of
privacy in these scenarios and identify open research challenges.
4.1 Self-sovereign identity
From both IT industry and an academic research perspective,
blockchain-based identity management systems are gaining lot
of attention to introduce new solutions for digital identities. Be-
fore blockchains, privacy preserving was incomplete due to the
existence of centralized identity authorities. Service providers and
users need to grant full trust to their identity providers. In other
words, centralized identity providers could see activities between
users and service providers, which compromises the identity in-
formation privacy. Blockchains provide a promising operational
environment for the trend of Self-Sovereign Identity (SSI), charac-
terized by transformation from a non-user controlled centralized
model to a fully user-controlled decentralized model. Self-sovereign
identity management enables principals to prove validity of identi-
ties on the attribute level across identity issuers with little or no
involvement from identity authorities, which provides a promising
rights and identity proving methodology for applications deployed
on blockchain. Although users could have full control over their
BSCI Session 1
personal information in blockchain based identity management
systems, the public blockchains can still expose some identity in-
formation [81]. Therefore, we still need to introduce new privacy
preserving schemes into blockchains which could bring the selec-
tive disclosure of sensitive personal information and perfect online
identity privacy into reality.
4.2 IoT and Smart cities
The Internet of Things (IoT) aims at connecting everything, rang-
ing from individuals, companies, and organizations to things in
the virtual and physical world. With the significant development
of wireless networks, smart environments have gained a grown
interest as creating new opportunities for medical services, smart
homes, smart cities, smart energy production and safer transporta-
tion [35, 62, 96]. These services enhance the interaction of people
with objects and facilitate the way people communicate with others.
However, smart environments are susceptible to privacy related
attacks such as fake identities and Sybil attacks [93]. Therefore,
identifying and deploying the proper security requirements is a
prerequisite for smart environments, often operating with con-
strained devices. At the same time, privacy solutions should be in
place to preserve users’ privacy. This calls for a secure and privacy-
preserving identity management system in smart environments,
which will manage the usage of trustworthy and privacy-preserving
identifiers by users and devices. Moreover, the limitations associ-
ated to most of common IoT devices that are intended to act as data
sources in many smart city use cases make it difficult to adopt pri-
vacy solutions. Consequently, there could be different scenarios in
which a specific device is not able to manage blockchain-based op-
erations. Beyond practical considerations, these devices will often
operate on behalf of their owner; consequently, the application of
empowerment techniques for end users is crucial to ensure privacy
aspects are enforced in the next generation of IoT-enabled smart
cities.
4.3 eHealth
The application of blockchain technology is intended to be par-
ticularly valuable in the context of eHealth services. In particular,
the management of personal health records could be significantly
improved to provide a more effective and customized healthcare
assistance. At the same time, eHealth data are especially sensitive,
so they should be properly protected to avoid any potential pri-
vacy leakage. One of the promising blockchain-enabled eHealth
systems is currently used by the Estonian Government to lever-
age the advantages of blockchain in terms of decentralization and
data immutability [86]. Furthermore, given the nature of healthcare
data, the enforcement of GDPR and eHealth-specific regulations is
a challenging aspect to be overcome in the coming years through
the application of suitable privacy-enhancing technologies.
4.4 Cryptocurrencies
Since the rise of Bitcoin, the most representative blockchain-based
scenario is associated to the use of cryptocurrencies. Cryptocurren-
cies could represent the future of global payments and remittance
with overall projected market size of USD 1.40 trillion by 2024 [73].
7
BSCI '20, October 6, 2020, Taipei, Taiwan
In the context of cryptocurrencies, it is essential to protect the pri-
vacy of the entities involved in a transaction (i.e., payer and payee),
as well as to hide the amount of coins to be transferred. Recent ap-
proaches in this direction such as CoinShuffle, CoinJoin, Zerocash
and Ring Confidential Transactions were discussed in Section 2.
Current research trend of privacy-preserving cryptocurrencies is to
make computationally feasible the calculation of proofs when deal-
ing with certain demanding scenarios, as existing solutions relying
on cryptographic mechanisms such as zero-knowledge proofs have
high computational cost.
5 CONCLUSION
In this paper we have reviewed the current state-of-the-art and
presented the main privacy-preserving techniques for blockchain.
Based on this, we analyzed the current privacy-preserving mech-
anisms and categorized the techniques to three main areas. Fur-
thermore, the review has covered the main blockchain scenarios
that can benefit from privacy-preserving blockchains deployments,
including SSI, eHealth, smart cities and cryptocurrencies. We have
included examples of existing blockchain systems that employ some
of the existing techniques.
Despite wide variety of proposals for novel privacy-preserving
techniques, current blockchain solutions are still limited. There
exist open privacy challenges that existing systems are to address.
Novel research initiatives are needed with the aim to improve the
efficiency of current mechanisms, privacy usability and control,
thereby making blockchains implementations fully compliant with
privacy requirements and offering improved strengthen privacy
properties.
REFERENCES
[1] Abbas Acar, Hidayet Aksu, A Selcuk Uluagac, and Mauro Conti. 2018. A survey on
homomorphic encryption schemes: Theory and implementation. ACM Computing
Surveys (CSUR) 51, 4 (2018), 79.
[2] Marcin Andrychowicz, Stefan Dziembowski, Daniel Malinowski, and Lukasz
Mazurek. 2014. Secure multiparty computations on bitcoin. In 2014 IEEE Sympo-
sium on Security and Privacy. IEEE, 443–458.
[3] David W Archer, Dan Bogdanov, Yehuda Lindell, Liina Kamm, Kurt Nielsen,
Jakob Illeborg Pagter, Nigel P Smart, and Rebecca N Wright. 2018. From Keys to
Databases: Real-World Applications of Secure Multi-Party Computation. Comput.
J. 61, 12 (2018), 1749–1771.
[4] Adam Back. 2013. Bitcoins with homomorphic value. Available at
https://bitcointalk.org/index.php?topic=305791.0, Accessed 8 June 2020.
[5] Eli Ben-Sasson, Iddo Bentov, Yinon Horesh, and Michael Riabzev. 2018. Scalable,
transparent, and post-quantum secure computational integrity. IACR Cryptology
ePrint Archive 2018 (2018), 46.
[6] Eli Ben-Sasson, Alessandro Chiesa, Eran Tromer, and Madars Virza. 2014. Suc-
cinct non-interactive zero knowledge for a von Neumann architecture. In 23rd
{USENIX } Security Symposium ( {USENIX } Security 14). 781–796.
[7] Eli Ben-Sasson, Alessandro Chiesa, Eran Tromer, and Madars Virza. 2017. Scalable
zero knowledge via cycles of elliptic curves. Algorithmica 79, 4 (2017), 1102–1160.
[8] Manuel Blum, Paul Feldman, and Silvio Micali. 1988. Non-interactive zero-
knowledge and its applications. Ph.D. Dissertation. MIT.
[9] Peter Bogetoft, Dan Lund Christensen, Ivan Damgård, Martin Geisler, Thomas
Jakobsen, Mikkel Krøigaard, Janus Dam Nielsen, Jesper Buus Nielsen, Kurt
Nielsen, Jakob Pagter, et al. 2009. Secure multiparty computation goes live. In
International Conference on Financial Cryptography and Data Security. Springer,
325–343.
[10] Dan Boneh, Eu-Jin Goh, and Kobbi Nissim. 2005. Evaluating 2-DNF formulas on
ciphertexts. In Theory of Cryptography Conference. Springer, 325–341.
[11] Joseph Bonneau, Andrew Miller, Jeremy Clark, Arvind Narayanan, Joshua A
Kroll, and Edward W Felten. 2015. Sok: Research perspectives and challenges for
bitcoin and cryptocurrencies. In 2015 IEEE Symposium on Security and Privacy.
IEEE, 104–121.
[12] Joseph Bonneau, Arvind Narayanan, Andrew Miller, Jeremy Clark, Joshua A Kroll,
and Edward W Felten. 2014. Mixcoin: Anonymity for Bitcoin with accountable
BSCI Session 1
mixes. In International Conference on Financial Cryptography and Data Security.
Springer, 486–504.
[13] Ravi B Boppana, Johan Hastad, and Stathis Zachos. 1987. Does co-NP have short
interactive proofs? Inform. Process. Lett. 25, 2 (1987), 127–132.
[14] Zvika Brakerski and Vinod Vaikuntanathan. 2014. Efficient fully homomorphic
encryption from (standard) LWE. SIAM J. Comput. 43, 2 (2014), 831–871.
[15] Gilles Brassard, David Chaum, and Claude Crépeau. 1988. Minimum disclosure
proofs of knowledge. Journal of computer and system sciences 37, 2 (1988), 156–
189.
[16] Benedikt Bünz, Jonathan Bootle, Dan Boneh, Andrew Poelstra, Pieter Wuille, and
Greg Maxwell. 2018. Bulletproofs: Short proofs for confidential transactions and
more. In 2018 IEEE Symposium on Security and Privacy (SP). IEEE, 315–334.
[17] David Chaum. 1983. Blind signatures for untraceable payments. In Advances in
cryptology. Springer, 199–203.
[18] David Chaum. 2003. Untraceable electronic mail, return addresses and digital
pseudonyms. In Secure electronic voting. Springer, 211–219.
[19] Kai-Min Chung, Rafail Ostrovsky, Rafael Pass, Muthuramakrishnan Venkitasub-
ramaniam, and Ivan Visconti. 2014. 4-round resettably-sound zero knowledge.
In Theory of Cryptography Conference. Springer, 192–216.
[20] Josh D Cohen and Michael J Fischer. 1985. A robust and verifiable cryptographically
secure election scheme. Yale University. Department of Computer Science.
[21] Mauro Conti, E Sandeep Kumar, Chhagan Lal, and Sushmita Ruj. 2018. A sur-
vey on security and privacy issues of bitcoin. IEEE Communications Surveys &
Tutorials 20, 4 (2018), 3416–3452.
[22] Cornell Blockchain. 2020. A Brief Dive Into zk-SNARKs and the
ZoKrates Toolbox on the Ethereum Blockchain. Available at
https://medium.com/cornellblockchain/a-brief-dive-into-zk-snarks-and-
the-zokrates-toolbox-on-the-ethereum-blockchain-cb7bd7f00fdc, Accessed 8
June 2020.
[23] Fida Kamal Dankar and Khaled El Emam. 2012. The application of differential
privacy to health data. In Proceedings of the 2012 Joint EDBT/ICDT Workshops.
ACM, 158–166.
[24] Cynthia Dwork. 2006. Differential privacy. Automata, Languages and Program-
ming. ser. Lecture Notes in Computer Scienc 4052 (2006), 112.
[25] Cynthia Dwork, Moni Naor, and Amit Sahai. 2004. Concurrent zero-knowledge.
Journal of the ACM (JACM) 51, 6 (2004), 851–898.
[26] Cynthia Dwork, Aaron Roth, et al. 2014. The algorithmic foundations of differ-
ential privacy. Foundations and Trends® in Theoretical Computer Science 9, 3–4
(2014), 211–407.
[27] Jacob Eberhardt. 2017. ZoKrates - A Toolbox For zkSNARKs on Ethereum.
(2017). https://github.com/JacobEberhardt/documents/raw/master/talks/
ZoKrates-EthereumDevcon3.pdf Devcon3.
[28] Taher ElGamal. 1985. A public key cryptosystem and a signature scheme based
on discrete logarithms. IEEE transactions on information theory 31, 4 (1985),
469–472.
[29] David Evans, Vladimir Kolesnikov, Mike Rosulek, et al. 2018. A pragmatic intro-
duction to secure multi-party computation. Foundations and Trends® in Privacy
and Security 2, 2-3 (2018), 70–246.
[30] Uriel Feige, Dror Lapidot, and Adi Shamir. 1990. Multiple non-interactive zero
knowledge proofs based on a single random string. In Proceedings [1990] 31st
Annual Symposium on Foundations of Computer Science. IEEE, 308–317.
[31] Qi Feng, Debiao He, Sherali Zeadally, Muhammad Khurram Khan, and Neeraj
Kumar. 2019. A survey on privacy protection in blockchain system. Journal of
Network and Computer Applications 126 (2019), 45–58.
[32] Zcash Foundation. 2020. Zcash protocol design. Available at https://z.cash/
technology/paramgen/, Accessed 10 July 2020.
[33] Eiichiro Fujisaki. 2011. Sub-linear size traceable ring signatures without random
oracles. In CryptographersâĂŹ Track at the RSA Conference. Springer, 393–415.
[34] Eiichiro Fujisaki and Koutarou Suzuki. 2007. Traceable ring signature. In Interna-
tional Workshop on Public Key Cryptography. Springer, 181–200.
[35] Keke Gai, Yulu Wu, Liehuang Zhu, Meikang Qiu, and Meng Shen. 2019. Privacy-
preserving energy trading using consortium blockchain in smart grid. IEEE
Transactions on Industrial Informatics 15, 6 (2019), 3548–3558.
[36] Keke Gai, Yulu Wu, Liehuang Zhu, Zijian Zhang, and Meikang Qiu. 2019. Differen-
tial Privacy-based Blockchain for Industrial Internet of Things. IEEE Transactions
on Industrial Informatics (2019).
[37] Kumkum Garg, Anil Kumar Dahiya, Jeril Kuriakose, et al. 2014. A review on host
vs. Network Mobility (NEMO) handoff techniques in heterogeneous network. In
Proceedings of 3rd International Conference on Reliability, Infocom Technologies
and Optimization. IEEE, 1–5.
[38] Sanjam Garg, Abhishek Jain, and Amit Sahai. 2011. Leakage-resilient zero knowl-
edge. In Annual Cryptology Conference. Springer, 297–315.
[39] Craig Gentry et al. 2009. Fully homomorphic encryption using ideal lattices.. In
Stoc, Vol. 9. 169–178.
[40] Mahdi Ghadamyari and Saeed Samet. 2019. Privacy-Preserving Statistical Analy-
sis of Health Data Using Paillier Homomorphic Encryption and Permissioned
Blockchain. In 2019 IEEE International Conference on Big Data (Big Data). IEEE,
5474–5479.
8
BSCI '20, October 6, 2020, Taipei, Taiwan
[41] Irene Giacomelli, Jesper Madsen, and Claudio Orlandi. 2016. Zkboo: Faster
zero-knowledge for boolean circuits. In 25th {USENIX } Security Symposium
( {USENIX } Security 16). 1069–1083.
[42] Oded Goldreich and Ariel Kahan. 1996. How to construct constant-round zero-
knowledge proof systems for NP. Journal of Cryptology 9, 3 (1996), 167–189.
[43] Oded Goldreich, Silvio Micali, and Avi Wigderson. 1986. Proofs that yield nothing
but their validity and a methodology of cryptographic protocol design. In 27th
Annual Symposium on Foundations of Computer Science (SFCS 1986). IEEE, 174–
187.
[44] Oded Goldreich, Silvio Micali, and Avi Wigderson. 1987. How to play any mental
game. In Proceedings of the nineteenth annual ACM symposium on Theory of
computing. ACM, 218–229.
[45] Oded Goldreich, Silvio Micali, and Avi Wigderson. 1991. Proofs that yield nothing
but their validity or all languages in NP have zero-knowledge proof systems.
Journal of the ACM (JACM) 38, 3 (1991), 690–728.
[46] Shafi Goldwasser and Silvio Micali. 1982. Probabilistic encryption & how to
play mental poker keeping secret all partial information. In Proceedings of the
fourteenth annual ACM symposium on Theory of computing. ACM, 365–377.
[47] Shafi Goldwasser and Silvio Micali. 1984. Probabilistic encryption. Journal of
computer and system sciences 28, 2 (1984), 270–299.
[48] Shafi Goldwasser, Silvio Micali, and Charles Rackoff. 1989. The knowledge
complexity of interactive proof systems. SIAM Journal on computing 18, 1 (1989),
186–208.
[49] Shen-Shyang Ho and Shuhua Ruan. 2011. Differential privacy for location pattern
mining. In Proceedings of the 4th ACM SIGSPATIAL International Workshop on
Security and Privacy in GIS and LBS. ACM, 17–24.
[50] IBM. 2020. IBM Releases Fully Homomorphic Encryption Toolkit. Avail-
able at https://www.ibm.com/blogs/research/2020/06/ibm-releases-fully-
homomorphic-encryption-toolkit-for-macos-and-ios-linux-and-android-
coming-soon/, Accessed 20 June 2020.
[51] Marek Jawurek, Florian Kerschbaum, and Claudio Orlandi. 2013. Zero-knowledge
using garbled circuits: how to prove non-algebraic statements efficiently. In
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications
security. ACM, 955–966.
[52] Xiaoqi Li, Peng Jiang, Ting Chen, Xiapu Luo, and Qiaoyan Wen. 2017. A survey
on the security of blockchain systems. Future Generation Computer Systems
(2017).
[53] Vadim Lyubashevsky, Chris Peikert, and Oded Regev. 2010. On ideal lattices and
learning with errors over rings. In Annual International Conference on the Theory
and Applications of Cryptographic Techniques. Springer, 1–23.
[54] Andrea Margheri. 2017. Secure Multiparty Computation for Cyber Crime
Evidence. Available at https://medium.com/cybersoton/secure-multiparty-
computation-for-cyber-crime-searching-e40e2cc864f0, Visited 12 November
2019.
[55] Gregory Maxwell. 2013. CoinJoin: Bitcoin privacy for the real world. In Post on
Bitcoin forum.
[56] Gregory Maxwell. 2013. CoinSwap: Transaction graph disjoint trustless trading.
CoinSwap: Transaction graph disjoint trustless trading (2013).
[57] Gregory Maxwell. 2015. Confidential transactions. (2015). Available at
https://epic.tech/glossary/gregory-maxwell/, Accessed 20 May 2020.
[58] Monero. 2019. Pederson Commitment. (2019). Available
at https://www.getmonero.org/resources/moneropedia/pedersen-
commitment.html, Accessed 10 May 2020.
[59] Michael Naehrig, Kristin Lauter, and Vinod Vaikuntanathan. 2011. Can homo-
morphic encryption be practical?. In Proceedings of the 3rd ACM workshop on
Cloud computing security workshop. ACM, 113–124.
[60] Satoshi Nakamoto. 2017. Bitcoin: A Peer-to-Peer Electronic Cash System. Bit-
coin.org. https://bitcoin.org/bitcoin.pdf Available at https://bitcoin.org/bitcoin.
pdf, Accessed 19 March 2020.
[61] Shen Noether, Adam Mackenzie, et al. 2016. Ring confidential transactions. Ledger
1 (2016), 1–18.
[62] Martin Nuss, Alexander Puchta, and Michael Kunz. 2018. Towards Blockchain-
Based Identity and Access Management for Internet of Things in Enterprises.
In International Conference on Trust and Privacy in Digital Business. Springer,
167–181.
[63] Yair Oren. 1987. On the cunning power of cheating verifiers: Some observations
about zero knowledge proofs. In 28th Annual Symposium on Foundations of
Computer Science (sfcs 1987). IEEE, 462–471.
[64] Pascal Paillier. 1999. Public-key cryptosystems based on composite degree resid-
uosity classes. In International Conference on the Theory and Applications of
Cryptographic Techniques. Springer, 223–238.
[65] Omkant Pandey, Manoj Prabhakaran, and Amit Sahai. 2015. Obfuscation-based
non-black-box simulation and four message concurrent zero knowledge for np.
In Theory of Cryptography Conference. Springer, 638–667.
[66] Bryan Parno, Jon Howell, Craig Gentry, and Mariana Raykova. 2013. Pinocchio:
Nearly practical verifiable computation. In 2013 IEEE Symposium on Security and
Privacy. IEEE, 238–252.
BSCI Session 1
[67] Torben Pryds Pedersen. 1991. Non-interactive and information-theoretic secure
verifiable secret sharing. In Annual International Cryptology Conference. Springer,
129–140.
[68] Josef Pieprzyk, Thomas Hardjono, and Jennifer Seberry. 2013. Fundamentals of
computer security. Springer Science & Business Media.
[69] Manoj M Prabhakaran and Amit Sahai. 2013. Secure multi-party computation.
Vol. 10. IOS press.
[70] Elements Project. 2019. Confidential Transactions. (2019). Available at
https://elementsproject.org/features/confidential-transactions, Accessed 8 June
2020.
[71] Md Arafatur Rahman, Saiful Azad, Muhammad Nomani Kabir, et al. 2017.
Blockchain security hole: Issues and solutions. In International Conference of
Reliable Information and Communication Technology. Springer, 739–746.
[72] Drummond Reed, Manu Sporny, Dave Longley, Christopher Allen, Ryan Grant,
and Markus Sabadello. 2017. Decentralized Identifiers (DIDs). W3C, Credentials
Community Group (2017).
[73] Research and Markets. 2019. Global Cryptocurrency Market: Analysis By Type.
[74] Ransom Richardson and Joe Kilian. 1999. On the concurrent composition of zero-
knowledge proofs. In International Conference on the Theory and Applications of
Cryptographic Techniques. Springer, 415–431.
[75] Ronald L Rivest, Len Adleman, Michael L Dertouzos, et al. 1978. On data banks
and privacy homomorphisms. Foundations of secure computation 4, 11 (1978),
169–180.
[76] Ronald L Rivest, Adi Shamir, and Yael Tauman. 2001. How to leak a secret.
In International Conference on the Theory and Application of Cryptology and
Information Security. Springer, 552–565.
[77] Tim Ruffing, Pedro Moreno-Sanchez, and Aniket Kate. 2014. Coinshuffle: Practical
decentralized coin mixing for bitcoin. In European Symposium on Research in
Computer Security. Springer, 345–364.
[78] Jared Saia and Mahdi Zamani. 2015. Recent results in scalable multi-party com-
putation. In International Conference on Current Trends in Theory and Practice of
Informatics. Springer, 24–44.
[79] E. B. Sasson, A. Chiesa, C. Garman, M. Green, I. Miers, E. Tromer, and M. Virza.
2014. Zerocash: Decentralized Anonymous Payments from Bitcoin. In 2014 IEEE
Symposium on Security and Privacy. 459–474. https://doi.org/10.1109/SP.2014.36
[80] Eli Ben Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers,
Eran Tromer, and Madars Virza. 2014. Zerocash: Decentralized anonymous
payments from bitcoin. In 2014 IEEE Symposium on Security and Privacy. IEEE,
459–474.
[81] Abylay Satybaldy, Mariusz Nowostawski, and Jørgen Ellingsen. 2019. Self-
Sovereign Identity Systems. In IFIP International Summer School on Privacy and
Identity Management. Springer, 447–461.
[82] WEI She, Zhi-Hao Gu, Xu-Kang Lyu, QI Liu, Zhao Tian, and Wei Liu. 2019.
Homomorphic consortium blockchain for smart home system sensitive data
privacy preserving. IEEE Access 7 (2019), 62058–62070.
BSCI '20, October 6, 2020, Taipei, Taiwan
[83] H. Shrobe, D. L. Shrier, and A. Pentland. 2018. CHAPTER 15 Enigma: De-
centralized Computation Platform with Guaranteed Privacy. MITP, 425–454.
https://ieeexplore.ieee.org/document/8333139
[84] Sovrin. 2019. Control Your Digital Identity. Available at https://sovrin.org,
Accessed 20 April 2020.
[85] Shi-Feng Sun, Man Ho Au, Joseph K Liu, and Tsz Hon Yuen. 2017. RingCT 2.0:
A compact accumulator-based (linkable ring signature) protocol for blockchain
cryptocurrency Monero. In European Symposium on Research in Computer Security.
Springer, 456–474.
[86] Taavi Einaste. 2020. Blockchain and healthcare: the Estonian experience. Avail-
able at https://e-estonia.com/blockchain-healthcare-estonian-experience/, Ac-
cessed 28 May 2020.
[87] Martin Tompa and Heather Woll. 1987. Random self-reducibility and zero knowl-
edge interactive proofs of possession of information. In 28th Annual Symposium
on Foundations of Computer Science (sfcs 1987). IEEE, 472–482.
[88] Nicolas Van Saberhagen. 2013. CryptoNote v 2.0.
[89] Nicolas van Saberhagen. 2019. Monero-Private Digital Currency. Available at
https://www.getmonero.org, Accessed 25 April 2020.
[90] Marcel von Maltitz and Georg Carle. 2018. A Performance and Resource Con-
sumption Assessment of Secret Sharing based Secure Multiparty Computation. In
Data Privacy Management, Cryptocurrencies and Blockchain Technology. Springer,
357–372.
[91] R. S. Wahby, I. Tzialla, A. Shelat, J. Thaler, and M. Walfish. 2018. Doubly-Efficient
zkSNARKs Without Trusted Setup. In 2018 IEEE Symposium on Security and
Privacy (SP). 926–943. https://doi.org/10.1109/SP.2018.00060
[92] Sharath Yaji, Kajal Bangera, and B Neelima. 2018. Privacy preserving in
blockchain based on partial homomorphic encryption system for AI applica-
tions. In 2018 IEEE 25th International Conference on High Performance Computing
Workshops (HiPCW). IEEE, 81–85.
[93] Kuan Zhang, Xiaohui Liang, Rongxing Lu, and Xuemin Shen. 2014. Sybil attacks
and their defenses in the internet of things. IEEE Internet of Things Journal 1, 5
(2014), 372–383.
[94] Yang Zhao, Jun Zhao, Linshan Jiang, Rui Tan, and Dusit Niyato. 2019. Mobile
Edge Computing, Blockchain and Reputation-based Crowdsourcing IoT Federated
Learning: A Secure, Decentralized and Privacy-preserving System. arXiv preprint
arXiv:1906.10893 (2019).
[95] Zibin Zheng, Shaoan Xie, Hong-Ning Dai, Xiangping Chen, and Huaimin Wang.
2018. Blockchain challenges and opportunities: A survey. International Journal
of Web and Grid Services 14, 4 (2018), 352–375.
[96] Xiaoyang Zhu and Youakim Badr. 2018. Identity Management Systems for the
Internet of Things: A Survey Towards Blockchain Solutions. Sensors 18, 12 (2018),
4215.
[97] Y. Zhu, X. Song, S. Yang, Y. Qin, and Q. Zhou. 2018. Secure Smart Contract System
Built on SMPC Over Blockchain. In 2018 IEEE International Conference on Internet
of Things (iThings) and IEEE Green Computing and Communications (GreenCom)
and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data
(SmartData). 1539–1544.